Applies To:
Show VersionsBIG-IP AAM
- 13.1.3
BIG-IP APM
- 13.1.3
BIG-IP Analytics
- 13.1.3
BIG-IP Link Controller
- 13.1.3
BIG-IP LTM
- 13.1.3
BIG-IP AFM
- 13.1.3
BIG-IP PEM
- 13.1.3
BIG-IP DNS
- 13.1.3
BIG-IP FPS
- 13.1.3
BIG-IP ASM
- 13.1.3
BIG-IP Release Information
Version: 13.1.3.2
Build: 4.0
Cumulative fixes from BIG-IP v13.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release
Known Issues in BIG-IP v13.1.x
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
805837-4 | CVE-2019-6657 | K22441651 | REST does not follow current design best practices |
795197-3 | CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 | K26618426 | Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 |
769589-4 | CVE-2019-6974 | K11186236 | CVE-2019-6974: Linux Kernel Vulnerability |
795797-4 | CVE-2019-6658 | K21121741 | AFM WebUI Hardening |
788773-4 | CVE-2019-9515 | K50233772 | HTTP/2 Vulnerability: CVE-2019-9515 |
788769-4 | CVE-2019-9514 | K01988340 | HTTP/2 Vulnerability: CVE-2019-9514 |
773673-4 | CVE-2019-9512 | K98053339 | HTTP/2 Vulnerability: CVE-2019-9512 |
636453-9 | CVE-2016-10009 | K31440025 | OpenSSH vulnerability CVE-2016-10009 |
749324-2 | CVE-2012-6708 | K62532311 | jQuery Vulnerability: CVE-2012-6708 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
782529-4 | 2-Critical | iRules does not follow current design best practices | |
724556-2 | 2-Critical | icrd_child spawns more than maximum allowed times (zombie processes) | |
769193-1 | 3-Major | Added support for faster congestion window increase in slow-start for stretch ACKs | |
759135-5 | 3-Major | AVR report limits are locked at 1000 transactions | |
788269-1 | 4-Minor | Adding toggle to disable AVR widgets on device-groups |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
725950 | 1-Blocking | Regcomp() leaks memory if passed an invalid regex. | |
831549 | 2-Critical | Marketing name does not display properly for BIG-IP i10010 (C127) | |
781377-1 | 2-Critical | tmrouted may crash while processing Multicast Forwarding Cache messages | |
765533-4 | 2-Critical | K58243048 | Sensitive information logged when DEBUG logging enabled |
762453 | 2-Critical | Hardware cryptography acceleration may fail | |
757357 | 2-Critical | TMM may crash while processing traffic | |
749388 | 2-Critical | 'table delete' iRule command can cause TMM to crash | |
747203-4 | 2-Critical | Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding | |
686996-1 | 2-Critical | TMM core under heavy load with PEM | |
809205-3 | 3-Major | CVE-2019-3855: libssh2 Vulnerability | |
794501-4 | 3-Major | Duplicate if_indexes and OIDs between interfaces and tunnels | |
793121-1 | 3-Major | Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication | |
788557 | 3-Major | BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior | |
788301-3 | 3-Major | K58243048 | SNMPv3 Hardening |
780601-4 | 3-Major | SCP file transfer hardening | |
777261-2 | 3-Major | When SNMP cannot locate a file it logs messages repeatedly | |
768981-4 | 3-Major | vCMP Hypervisor Hardening | |
764873-4 | 3-Major | An accelerated flow transmits packets to a dated, down pool member. | |
761993-4 | 3-Major | The nsm process may crash if it detects a nexthop mismatch | |
761144-6 | 3-Major | Broadcast frames may be dropped | |
759735-1 | 3-Major | OSPF ASE route calculation for new external-LSA delayed | |
758781-1 | 3-Major | iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates | |
758527-4 | 3-Major | BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode | |
758119-4 | 3-Major | K58243048 | qkview may contain sensitive information |
747592-2 | 3-Major | PHP vulnerability CVE-2018-17082 | |
745825-3 | 3-Major | The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading | |
741902-3 | 3-Major | sod does not validate message length vs. received packet length | |
740413-3 | 3-Major | Sod not logging Failover Condition messages | |
738445-2 | 3-Major | IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup | |
738236-2 | 3-Major | UCS does not follow current best practices | |
724109-4 | 3-Major | Manual config-sync fails after pool with FQDN pool members is deleted | |
700712-1 | 3-Major | MariaDB binary logging takes up disk space | |
687115-2 | 3-Major | SNMP performance can be impacted by a long list of allowed-addresses | |
683135-2 | 3-Major | Hardware syncookies number for virtual server stats is unrealistically high | |
680917-1 | 3-Major | Invalid monitor rule instance identifier | |
815425 | 4-Minor | RAID status is shown <undefined> after upgrade from 12.1.3.5 to 13.1.1.5★ | |
789893-4 | 4-Minor | SCP file transfer hardening | |
755018-4 | 4-Minor | Traffic processing may be stopped on VE trunk after tmm restart | |
484683-3 | 4-Minor | Certificate_summary is not created at peer when the chain certificate is synced to HA peer. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
810537-3 | 2-Critical | TMM may consume excessive resources while processing iRules | |
809165-4 | 2-Critical | TMM may crash will processing connector traffic | |
808301-1 | 2-Critical | TMM may crash while processing IP traffic | |
787825-3 | 2-Critical | K58243048 | Database monitors debug logs have plaintext password printed in the log file |
739927-3 | 2-Critical | Bigd crashes after a specific combination of logging operations | |
693491-1 | 2-Critical | ASM with Web Acceleration Profile can rarely cause TMM to core | |
818429-2 | 3-Major | TMM may crash while processing HTTP traffic | |
813673-1 | 3-Major | The HTTP Explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT | |
795437-2 | 3-Major | Improve handling of TCP traffic for iRules | |
788325-4 | 3-Major | Header continuation rule is applied to request/response line | |
781753-1 | 3-Major | WebSocket traffic is transmitted with unknown opcodes | |
777737-2 | 3-Major | TMM may consume excessive resources when processing IP traffic | |
773421-2 | 3-Major | Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied | |
770477-3 | 3-Major | SSL aborted when client_hello includes both renegotiation info extension and SCSV | |
761030-1 | 3-Major | tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route | |
761014-4 | 3-Major | TMM may crash while processing local traffic | |
758992-1 | 3-Major | The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address | |
757827-3 | 3-Major | Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution | |
755727-3 | 3-Major | Ephemeral pool members not created after DNS flap and address record changes | |
749294-2 | 3-Major | TMM cores when query session index is out of boundary | |
747907-1 | 3-Major | Persistence records leak while the HA mirror connection is down | |
743257-1 | 3-Major | Fix block size insecurity init and assign | |
742237-2 | 3-Major | CPU spikes appear wider than actual in graphs | |
739638-2 | 3-Major | BGP failed to connect with neighbor when pool route is used | |
726734-1 | 3-Major | DAGv2 port lookup stringent may fail | |
726176-4 | 3-Major | platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve | |
716952-2 | 3-Major | With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process complete. | |
704450-3 | 3-Major | bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration | |
693582-1 | 3-Major | Monitor node log not rotated for certain monitor types | |
687887-1 | 3-Major | Unexpected result from multiple changes to a monitor-related object in a single transaction | |
676990-2 | 3-Major | No way to enable SNAT of host traffic | |
676557-1 | 3-Major | Binary data marshalled to TCL may be converted to UTF8 | |
636842-3 | 3-Major | K51472519 | A FastL4 virtual server may drop a FIN packet when mirroring is enabled |
601189-3 | 3-Major | The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode | |
769309-3 | 4-Minor | DB monitor reconnects to server on every probe when count = 0 | |
760683-2 | 4-Minor | RST from non-floating self-ip may use floating self-ip source mac-address | |
754003-1 | 4-Minor | K73202036 | Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate |
747628-3 | 4-Minor | BIG-IP sends spurious ICMP PMTU message to server | |
744210-1 | 4-Minor | DHCPv6 does not have the ability to override the hop limit from the client. |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
772233-1 | 3-Major | IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV. | |
761032-4 | 3-Major | TMSH displays TSIG keys | |
699512-1 | 3-Major | DNS request can be dropped when queued in parallel with another request | |
672491-5 | 3-Major | K10990182 | net resolver uses internal IP as source if matching wildcard forwarding virtual server |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
813945-1 | 2-Critical | PB core dump while processing many entities | |
775105-1 | 2-Critical | False positive on bot defense logs | |
636400-1 | 2-Critical | CPB (BIGIP->BIGIQ log node) Hardening | |
812341-1 | 3-Major | Patch or Delete commands take a long time to complete when modifying an ASM signature set. | |
800453-1 | 3-Major | False positive virus violations | |
783513-1 | 3-Major | ASU is very slow on device with hundreds of policies due to logging profile handling | |
739618-1 | 3-Major | When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy | |
727107-2 | 3-Major | Request Logs are not stored locally due to shmem pipe blockage | |
725551-4 | 3-Major | ASM may consume excessive resources |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
756102-3 | 2-Critical | TMM can crash with core on ABORT signal due to non-responsive AVR code | |
797785-3 | 3-Major | AVR reports no ASM-Anomalies data. | |
792265-1 | 3-Major | Traffic logs does not include the BIG-IQ tags | |
787677-1 | 3-Major | AVRD stays at 100% CPU constantly on some systems | |
781581-4 | 3-Major | Monpd uses excessive memory on requests for network_log data | |
703196-5 | 3-Major | Reports for AVR are missing data | |
696191-1 | 3-Major | AVR-related disk partitions can get full during upgrade★ |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
811145-4 | 2-Critical | VMware View resources with SAML SSO are not working | |
784989-4 | 2-Critical | TMM may crash with panic message: Assertion 'cookie name exists' failed | |
779177-4 | 2-Critical | Apmd logs "client-session-id" when access-policy debug log level is enabled | |
777173-4 | 2-Critical | Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error | |
725505-2 | 2-Critical | SNAT settings in network resource are not applied after FastL4 profile is updated | |
618641-1 | 2-Critical | In rare cases VDI plugin might leak memory or crash while processing client connections | |
815753-4 | 3-Major | TMM leaks memory when explicit SWG is configured with Kerberos authentication | |
799149 | 3-Major | Authentication fails with empty password | |
798261-4 | 3-Major | APMD fails to create session variables if spanning is enabled on SWG transparent virtual server | |
788417-3 | 3-Major | Remote Desktop client on macOS may show resource auth token on credentials prompt | |
787477-1 | 3-Major | Export fails from partitions with '-' as second character | |
768025-1 | 3-Major | SAML requests/responses fail with "failed to find certificate" | |
766577-4 | 3-Major | APMD fails to send response to client and it already closed connection. | |
758018-3 | 3-Major | APD/APMD may consume excessive resources | |
725040-3 | 3-Major | Auto-update fails for F5 Helper Applications on Linux | |
723278-1 | 3-Major | Radius Accounting-Request (STOP) always includes AVP Framed-IP-Address=0.16.0.0 when Network Access rescource configured with IPv4 & IPv6 | |
697590-4 | 3-Major | APM iRule ACCESS::session remove fails outside of Access events | |
653210-1 | 3-Major | Rare resets during the login process | |
643935-2 | 3-Major | Rewriting may cause an infinite loop while processing some objects | |
719589-3 | 4-Minor | GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic | |
684414-2 | 4-Minor | Retrieving too many groups is causing out of memory errors in TMUI and VPE |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
808525-4 | 2-Critical | TMM may crash while processing Diameter traffic | |
813657 | 3-Major | MRF SIP ALG with SNAT incorrectly detects ingress queue full | |
811745-4 | 3-Major | Failover between clustered DIAMETER devices can cause mirror connections to be disconnected |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
787901 | 2-Critical | While deleting a DoS profile, tmm might core in sPVA | |
778869-1 | 2-Critical | ACLs and other AFM features (e.g., IPI) may not function as designed | |
747922-2 | 2-Critical | With AFM enabled, during bootup, there is a small possibility of a tmm crash | |
781449-4 | 3-Major | Increase efficiency of sPVA DoS protection on wildcard virtual servers | |
761345-1 | 3-Major | Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode | |
738284-4 | 3-Major | Creating or deleting rule list results in warning message: Schema object encode failed | |
679722-1 | 3-Major | Configuration sync failure involving self IP references |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
753014-1 | 3-Major | PEM iRule action with RULE_INIT event fails to attach to PEM policy | |
747065-3 | 3-Major | PEM iRule burst of session ADDs leads to missing sessions |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
804185-3 | 3-Major | Some WebSafe request signatures may not work as expected |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
803477-1 | 3-Major | BaDoS State file load failure when signature protection is off | |
767045 | 4-Minor | TMM cores while applying policy | |
711708-1 | 4-Minor | Default disabled DoS profile cannot be attached to virtual server because of BADOS '2 virtual servers limitation' |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
674795-2 | 4-Minor | tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds, when it should be hours. |
Cumulative fixes from BIG-IP v13.1.3.1 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
688627-1 | 3-Major | OPT-0043 40G optical transceiver cannot be unbundled into 4x10G |
Cumulative fixes from BIG-IP v13.1.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
809377-4 | CVE-2019-6649 | K05123525 | AFM ConfigSync Hardening |
771873-3 | CVE-2019-6642 | K40378764 | TMSH Hardening |
757023-4 | CVE-2018-5743 | K74009656 | BIND vulnerability CVE-2018-5743 |
756538-1 | CVE-2019-6645 | K15759349 | Failure to open data channel for active FTP connections mirrored across an HA pair. |
754103-2 | CVE-2019-6644 | K75532331 | iRulesLX NodeJS daemon does not follow best security practices |
739971-2 | CVE-2018-5391 | K95343321 | Linux kernel vulnerability: CVE-2018-5391 |
726393-4 | CVE-2019-6643 | K36228121 | DHCPRELAY6 can lead to a tmm crash |
715923-1 | CVE-2018-15317 | K43625118 | When processing TLS traffic TMM may terminate connections unexpectedly |
757455-1 | CVE-2019-6647 | K87920510 | Excessive resource consumption when processing REST requests |
773649-4 | CVE-2019-6656 | K23876153 | APM Client Logging |
767653-2 | CVE-2019-6660 | K23860356 | Malformed HTTP request can result in endless loop in an iRule script |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
749704-3 | 4-Minor | GTPv2 Serving-Network field with mixed MNC digits |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
774445-3 | 1-Blocking | K74921042 | BIG-IP VE does not pass traffic on ESXi 6.7 Update 2 |
769809-2 | 2-Critical | vCMP guests 'INOPERATIVE' after upgrade | |
760408-1 | 2-Critical | K23438711 | System Integrity Status: Invalid after BIOS update★ |
757722-1 | 2-Critical | Unknown notify message types unsupported in IKEv2 | |
756402-1 | 2-Critical | Re-transmitted IPsec packets can have garbled contents | |
756071-1 | 2-Critical | MCPD crash | |
753650 | 2-Critical | The BIG-IP system reports frequent kernel page allocation failures. | |
748205-1 | 2-Critical | SSD bay identification incorrect for RAID drive replacement★ | |
734539-3 | 2-Critical | The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads | |
708968-2 | 2-Critical | OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address | |
671741-3 | 2-Critical | LCD on iSeries devices can lock at red 'loading' screen. | |
648270-3 | 2-Critical | mcpd can crash if viewing a fast-growing log file through the GUI | |
756153-2 | 3-Major | Add diskmonitor support for MySQL /var/lib/mysql | |
749785-1 | 3-Major | nsm can become unresponsive when processing recursive routes | |
746266-1 | 3-Major | Vcmp guest vlan mac mismatch across blades. | |
735565-1 | 3-Major | BGP neighbor peer-group config element not persisting | |
723553-1 | 3-Major | BIG-IP installations on RAID systems (old style) may not boot★ | |
720610 | 3-Major | Updatecheck logs bogus 'Update Server unavailable' on every run | |
716166-4 | 3-Major | Dynamic routing not added when conflicting self IPs exist | |
709544-2 | 3-Major | VCMP guests in HA configuration become Active/Active during upgrade★ | |
705037-2 | 3-Major | K32332000 | System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart |
702310-1 | 3-Major | The ':l' and ':h' options are not available on the tmm interface in tcpdump | |
693388-2 | 3-Major | Log additional HSB registers when device becomes unresponsive | |
667618-1 | 3-Major | Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts | |
620954-5 | 3-Major | Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable | |
721526-2 | 4-Minor | tcpdump fails to write verbose packet data to file | |
691171-1 | 4-Minor | static and dynamically learned blackhole route from ZebOS cannot be deleted |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
759968 | 1-Blocking | Distinct vCMP guests are able to cluster with each other. | |
757441-2 | 2-Critical | Specific sequence of packets causes Fast Open to be effectively disabled | |
757391-3 | 2-Critical | Datagroup iRule command class can lead to memory corruption | |
756450-2 | 2-Critical | Traffic using route entry that's more specific than existing blackhole route can cause core | |
755585-3 | 2-Critical | mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction | |
746710-2 | 2-Critical | Use of HTTP::cookie after HTTP:disable causes TMM core | |
742184-1 | 2-Critical | TMM memory leak | |
724214-3 | 2-Critical | TMM core when using Multipath TCP | |
667779-1 | 2-Critical | iRule commands may cause the TMM to crash in very rare situations. | |
794493 | 3-Major | Cannot modify chain certificate in parent profile via iApp | |
790205-2 | 3-Major | Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core | |
760771-3 | 3-Major | FastL4-steered traffic might cause SSL resume handshake delay | |
760550-3 | 3-Major | Retransmitted TCP packet has FIN bit set | |
757442-1 | 3-Major | A missed SYN cookie check causes crash at the standby TMM in HA mirroring system | |
754349 | 3-Major | FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4 | |
753594-3 | 3-Major | In-TMM monitors may have duplicate instances or stop monitoring | |
753514-1 | 3-Major | Large configurations containing LTM Policies load slowly | |
749414-2 | 3-Major | Invalid monitor rule instance identifier error | |
746922-4 | 3-Major | When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain. | |
726001-1 | 3-Major | Rapid datagroup updates can cause type corruption | |
720219 | 3-Major | K13109068 | HSL::log command can fail to pick new pool member if last picked member is 'checking' |
719304-2 | 3-Major | Inconsistent node ICMP monitor operation for IPv6 nodes | |
712919-1 | 3-Major | Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server. | |
705112-2 | 3-Major | DHCP server flows are not re-established after expiration | |
675367-2 | 3-Major | K95393925 | The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication |
604811-2 | 3-Major | Under certain conditions TMM may crash while processing OneConnect traffic | |
273104-1 | 3-Major | Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
759721-4 | 3-Major | K03332436 | DNS GUI does not follow best practices |
754901-3 | 3-Major | Frequent zone update notifications may cause TMM to restart | |
750213-2 | 3-Major | K25351434 | DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records. |
726412-2 | 4-Minor | Virtual server drop down missing objects on pool creation |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
781637-4 | 3-Major | ASM brute force counts unnecessary failed logins for NTLM | |
781605-1 | 3-Major | Fix RFC issue with the multipart parser | |
781069-4 | 3-Major | Bot Defense challenge blocks requests with long Referer headers | |
773553-4 | 3-Major | ASM JSON parser false positive. | |
769981-3 | 3-Major | bd crashes in a specific scenario | |
764373-1 | 3-Major | 'Modified domain cookie' violation with multiple enforced domain cookies with different paths | |
763001-2 | 3-Major | Web-socket enforcement might lead to a false negative | |
761941-3 | 3-Major | ASM does not remove CSRT token query parameter before forwarding a request to the backend server | |
761231-4 | 3-Major | Bot Defense Search Engines getting blocked after configuring DNS correctly | |
739900-1 | 3-Major | All Policies are created with 3 new Signature Sets After Creation of a Policy using Application Ready Templates | |
713051 | 3-Major | PB generates a suggestion to add a disallowed filtetype with empty name. | |
686763-1 | 3-Major | asm_start is consuming too much memory | |
686500-1 | 3-Major | Adding user defined signature on device with many policies is very slow | |
675673-1 | 3-Major | Policy history files should be limited by settings in a configuration file. | |
768761-4 | 4-Minor | Improved accept action description for suggestions to disable signature/enable metacharacter in policy | |
761553-4 | 4-Minor | Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic | |
761549-4 | 4-Minor | Traffic Learning: Accept and Stage action is shown only in case entity is not in staging | |
750689-1 | 4-Minor | Request Log: Accept Request button available when not needed | |
749184-4 | 4-Minor | Added description of subviolation for the suggestions that enabled/disabled them | |
747560-3 | 4-Minor | ASM REST: Unable to download Whitehat vulnerabilities | |
695878-4 | 4-Minor | Signature enforcement issue on specific requests | |
613728-2 | 4-Minor | Import/Activate Security policy with 'Replace policy associated with virtual server' option fails | |
769061-4 | 5-Cosmetic | Improved details for learning suggestions to enable violation/sub-violation |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
753485-2 | 2-Critical | AVR global settings are being overridden by HA peers | |
771025-2 | 3-Major | AVR send domain names as an aggregate | |
688544-1 | 3-Major | SWG reports on BIG-IQ show same series as 'Allowed' and 'Blocked' at the same time |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
760130-1 | 2-Critical | [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK | |
753370-1 | 2-Critical | RADIUS auth might not be working as configured when there is change in RADIUS auth config name. | |
745600-3 | 2-Critical | Removal of timer object from tmm timer-ring when a tcl context is released. | |
741535-1 | 2-Critical | Memory leak when using SAML or Form-based Client-initiated SSO | |
723402-2 | 2-Critical | Apmd crashes running command: tmsh restart sys service all | |
686282-2 | 2-Critical | APMD intermittently crash when processing access policies | |
783817-4 | 3-Major | UI becomes unresponsive when accessing Access active session information | |
775621-4 | 3-Major | urldb memory grows past the expected ~3.5GB | |
765621-1 | 3-Major | POST request being rejected when using OAuth Resource Server mode | |
760974-1 | 3-Major | TMM SIGABRT while evaluating access policy | |
759638-1 | 3-Major | APM current active and established session counts out of sync after failover | |
754542-4 | 3-Major | TMM may crash when using RADIUS Accounting agent | |
750823-3 | 3-Major | Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD | |
750631-1 | 3-Major | There may be a latency between session termination and deletion of its associated IP address mapping | |
750170-1 | 3-Major | SP Connector config changes causes BIG-IP tmm core sometimes during handling of SAML SLO request | |
749161-1 | 3-Major | Problem sync policy contains non-ASCII characters | |
747725-2 | 3-Major | Kerberos Auth agent may override settings that manually made to krb5.conf | |
744532-2 | 3-Major | Websso fails to decrypt secured session variables | |
600985-3 | 3-Major | Network access tunnel data stalls | |
770621-1 | 4-Minor | [Portal Access] HTTP 308 redirect does not get rewritten | |
737603-1 | 4-Minor | Apmd leaks memory when executing per-session policy via iRule |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
759077-4 | 3-Major | MRF SIP filter queue sizes not configurable | |
758065-2 | 3-Major | TMM may consume excessive resources while processing FIX traffic | |
748253-3 | 3-Major | Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection | |
745628-3 | 3-Major | MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message | |
745514-3 | 3-Major | MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message | |
745404-2 | 3-Major | MRF SIP ALG does not reparse SDP payload if replaced | |
701680-2 | 3-Major | MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds | |
747909-3 | 4-Minor | GTPv2 MEI and Serving-Network fields decoded incorrectly |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
763121-1 | 2-Critical | Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM. | |
757359-3 | 2-Critical | pccd crashes when deleting a nested Address List | |
752363 | 2-Critical | Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled | |
777733-1 | 3-Major | DoS profile default values cause config load failure on upgrade | |
771173-1 | 3-Major | FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★ | |
757306-2 | 3-Major | SNMP MIBS for AFM NAT do not yet exist |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
740228-1 | 2-Critical | TMM crash while sending a DHCP Lease Query to a DHCP server | |
726665-2 | 2-Critical | tmm core dump due to SEGFAULT | |
760438-1 | 3-Major | PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions | |
759192-1 | 3-Major | TMM core during display of PEM session under some specific conditions | |
756311-1 | 3-Major | High CPU during erroneous deletion | |
753163-2 | 3-Major | PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
775013-4 | 3-Major | TIME EXCEEDED alert has insufficient data for analysis |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
752803-2 | 2-Critical | CLASSIFICATION_DETECTED running reject can lead to a tmm core |
Cumulative fixes from BIG-IP v13.1.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
807477-9 | CVE-2019-6650 | K04280042 | ConfigSync Hardening |
797885-4 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
796469-2 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
810557-9 | CVE-2019-6649 | K05123525 | ASM ConfigSync Hardening |
799617-4 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
799589-4 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
794389-9 | CVE-2019-6651 | K89509323 | iControl REST endpoint response inconsistency |
794413-9 | CVE-2019-6471 | K10092301 | BIND vulnerability CVE-2019-6471 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
744937-9 | 3-Major | K00724442 | BIG-IP DNS and GTM DNSSEC security exposure |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
760622-2 | 3-Major | Allow Device Certificate renewal from BIG-IP Configuration Utility | |
760363-2 | 3-Major | Update Alias Address field with default placeholder text |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
807445 | 3-Major | Replaced ISC_TRUE and ISC_FALSE with true and false |
Cumulative fixes from BIG-IP v13.1.1.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
757025-3 | CVE-2018-5744 | K00040234 | BIND Update |
754944-3 | CVE-2019-6626 | K00432398 | AVR reporting UI does not follow best practices |
754345-3 | CVE-2019-6625 | K79902360 | WebUI does not follow best security practices |
753776-1 | CVE-2019-6624 | K07127032 | TMM may consume excessive resources when processing UDP traffic |
749879-4 | CVE-2019-6611 | K47527163 | Possible interruption while processing VPN traffic |
748502-3 | CVE-2019-6623 | K72335002 | TMM may crash when processing iSession traffic |
737731-2 | CVE-2019-6622 | K44885536 | iControl REST input sanitization |
737574-2 | CVE-2019-6621 | K20541896 | iControl REST input sanitization★ |
737565-2 | CVE-2019-6620 | K20445457 | iControl REST input sanitization |
726327-2 | CVE-2018-12120 | K37111863 | NodeJS debugger accepts connections from any host |
757027-3 | CVE-2019-6465 | K01713115 | BIND Update |
753796-2 | CVE-2019-6640 | K40443301 | SNMP does not follow best security practices |
750460-3 | CVE-2019-6639 | K61002104 | Subscriber management configuration GUI |
750187-3 | CVE-2019-6637 | K29149494 | ASM REST may consume excessive resources |
745713-1 | CVE-2019-6619 | K94563344 | TMM may crash when processing HTTP/2 traffic |
745371-2 | CVE-2019-6636 | K68151373 | AFM GUI does not follow best security practices |
745257-3 | CVE-2018-14634 | K20934447 | Linux kernel vulnerability: CVE-2018-14634 |
745165-3 | CVE-2019-6617 | K38941195 | Users without Advanced Shell Access are not allowed SFTP access |
742226-2 | CVE-2019-6635 | K11330536 | TMSH platform_check utility does not follow best security practices |
710857-2 | CVE-2019-6634 | K64855220 | iControl requests may cause excessive resource usage |
703835-2 | CVE-2019-6616 | K82814400 | When using SCP into BIG-IP systems, you must specify the target filename |
702472-3 | CVE-2019-6615 | K87659521 | Appliance Mode Security Hardening |
702469-3 | CVE-2019-6633 | K73522927 | Appliance mode hardening in scp |
673842-4 | CVE-2019-6632 | K01413496 | vCMP does not follow best security practices |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
745387-3 | 3-Major | Resource-admin user roles can no longer get bash access | |
698376-3 | 3-Major | Non-admin users have limited bash commands and can only write to certain directories |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
752835-3 | 2-Critical | K46971044 | Mitigate mcpd out of memory error with auto-sync enabled. |
750586-1 | 2-Critical | HSL may incorrectly handle pending TCP connections with elongated handshake time. | |
707013 | 2-Critical | vCMP host secondary member's cluster.conf file may replaced by that of vCMP guest | |
699515-1 | 2-Critical | nsm cores during update of nexthop for ECMP recursive route | |
621260-4 | 2-Critical | mcpd core on iControl REST reference to non-existing pool | |
760222-5 | 3-Major | SCP fails unexpected when FIPS mode is enabled | |
757414 | 3-Major | GUI Network Map slow page load with large configuration | |
757026-3 | 3-Major | BIND Update | |
756088-1 | 3-Major | The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address | |
754567 | 3-Major | Child clientSSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file | |
751011-1 | 3-Major | ihealth.sh script and qkview locking mechanism not working | |
750447-1 | 3-Major | GUI VLAN list page loading slowly with 50 records per screen | |
750318-1 | 3-Major | HTTPS monitor does not appear to be using cert from server-ssl profile | |
748187-2 | 3-Major | 'Transaction Not Found' Error on PATCH after Transaction has been Created | |
740345-1 | 3-Major | TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled. | |
725791-4 | 3-Major | Potential HW/HSB issue detected | |
723794-3 | 3-Major | PTI (Meltdown) mitigation should be disabled on AMD-based platforms | |
722380-2 | 3-Major | The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core. | |
721805 | 3-Major | Traffic Policy edit to datagroup errors on adding ASM disable action | |
720819-2 | 3-Major | Certain platforms may take longer than expected to detect and recover from HSB lock-ups | |
720269-2 | 3-Major | TACACS audit logging may append garbage characters to the end of log strings | |
714626-2 | 3-Major | K30491022 | When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect. |
701898-1 | 3-Major | Certain virtual address route-advertisement settings break upgrades from 13.0.0 hotfix rollups | |
698619-2 | 3-Major | Disable port bridging on HSB ports for non-vCMP systems | |
681009-1 | 3-Major | Large configurations can cause memory exhaustion during live-install★ | |
581921-3 | 3-Major | K22327083 | Required files under /etc/ssh are not moved during a UCS restore |
697766-1 | 4-Minor | Cisco IOS XR ISIS routers may report 'Authentication TLV not found' | |
687368-1 | 4-Minor | The Configuration utility may calculate and display an incorrect HA Group Score | |
686111-1 | 4-Minor | K89363245 | Searching and Reseting Audit Logs not working as expected |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
753975 | 2-Critical | TMM may crash while processing HTTP traffic with AAM | |
753912 | 2-Critical | K44385170 | UDP flows may not be swept |
752930-1 | 2-Critical | Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state | |
745533-4 | 2-Critical | NodeJS Vulnerability: CVE-2016-5325 | |
680564-1 | 2-Critical | "MCP Message:" seen on boot up with Best License | |
756270-2 | 3-Major | SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle | |
750843-1 | 3-Major | HTTP data re-ordering when receiving data while iRule parked | |
750200-1 | 3-Major | DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode | |
749689-1 | 3-Major | HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart | |
747968-2 | 3-Major | DNS64 stats not increasing when requests go through DNS cache resolver | |
747617-1 | 3-Major | TMM core when processing invalid timer | |
742078-2 | 3-Major | Incoming SYNs are dropped and the connection does not time out. | |
738523-2 | 3-Major | SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages | |
727292-1 | 3-Major | SSL in proxy shutdown case does not deliver server TCP FIN | |
712664-2 | 3-Major | IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address | |
710564 | 3-Major | DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0 | |
709952-1 | 3-Major | Disallow DHCP relay traffic to traverse between route domains | |
699979-2 | 3-Major | Support for Safenet Client Software v7.x | |
698437-1 | 3-Major | Internal capacity increase | |
688553-3 | 3-Major | SASP GWM monitor may not mark member UP as expected | |
599567-3 | 3-Major | APM assumes SNAT automap, does not use SNAT pool | |
746077-1 | 4-Minor | If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified | |
664618-1 | 4-Minor | Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block' | |
658382-2 | 5-Cosmetic | Large numbers of ERR_UNKNOWN appearing in the logs |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
735832-1 | 2-Critical | RAM Cache traffic fails on B2150 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
756774-4 | 2-Critical | Aborted DNS queries to a cache may cause a TMM crash | |
756094-3 | 2-Critical | DNS express in restart loop, 'Error writing scratch database' in ltm log | |
749508-3 | 3-Major | LDNS and DNSSEC: Various OOM conditions need to be handled properly | |
749222-3 | 3-Major | dname compression offset overflow causes bad compression pointer | |
748902-7 | 3-Major | Incorrect handling of memory allocations while processing DNSSEC queries | |
746877-3 | 3-Major | Omitted check for success of memory allocation for DNSSEC resource record | |
737332-3 | 3-Major | It is possible for DNSX to serve partial zone information for a short period of time | |
748177-3 | 4-Minor | Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
759360 | 2-Critical | Apply Policy fails due to policy corruption from previously enforced signature | |
758961 | 2-Critical | K58243048 | During brute force attack, the attempted passwords may be logged |
723790-1 | 2-Critical | Idle asm_config_server handlers consumes a lot of memory | |
760878-2 | 3-Major | Incorrect enforcement of explicit global parameters | |
755005-3 | 3-Major | Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations | |
754365-3 | 3-Major | Updated flags for countries that changed their flags since 2010 | |
751710-2 | 3-Major | False positive cookie hijacking violation | |
749109-1 | 3-Major | CSRF situation on BIGIP-ASM GUI | |
746146-2 | 3-Major | AVRD can crash with core when disconnecting/reconnecting on HTTPS connection | |
739945-2 | 3-Major | JavaScript challenge on POST with 307 breaks application | |
738647-2 | 3-Major | Add the login detection criteria of 'status code is not X' | |
721399-2 | 3-Major | Signature Set cannot be modified to Accuracy = 'All' after another value | |
717525-1 | 3-Major | Behavior for classification in manual learning mode | |
691945-1 | 3-Major | Security Policy Configuration Changes When Disabling Learning | |
761921-3 | 4-Minor | avrd high CPU utilization due to perpetual connection attempts | |
758336-1 | 4-Minor | Incorrect recommendation in Online Help of Proactive Bot Defense |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
763349-1 | 2-Critical | AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out | |
756205-3 | 2-Critical | TMSTAT offbox statistics are not continuous | |
764665-1 | 3-Major | AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change | |
763005-2 | 3-Major | Aggregated Domain Names in DNS statistics are shown as random domain name | |
760356-4 | 3-Major | Users with Application Security Administrator role cannot delete Scheduled Reports | |
753446-1 | 3-Major | avrd process crash during shutdown if connected to BIG-IQ | |
738614-2 | 3-Major | 'Internal error' appears on Goodput GUI page | |
738197-2 | 3-Major | IP address from XFF header is not taken into account when there are trailing spaces after IP address | |
737863-1 | 3-Major | Advanced Filters for Captured Transactions not working on Multi-Blade Platforms | |
718655 | 3-Major | DNS profile measurement unit name is incorrect. | |
700322-2 | 3-Major | Upgrade may fail on a multi blade system when there are scheduled reports in configuration★ | |
754330-1 | 4-Minor | Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
752592-2 | 2-Critical | VMware Horizon PCoIP clients may fail to connect shortly after logout | |
704587-2 | 2-Critical | Authentication with UTF-8 chars in password or handling of IP addresses fail due to byte-array processing in iRules | |
660826-3 | 2-Critical | BIG-IQ Deployment fails with customization-templates | |
758764-4 | 3-Major | APMD Core when CRLDP Auth fails to download revoked certificate | |
757992-1 | 3-Major | RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup | |
757781-1 | 3-Major | Portal Access: cookie exchange may be broken sometimes | |
755507-3 | 3-Major | [App Tunnel] 'URI sanitization' error | |
755475-3 | 3-Major | Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync | |
749057-3 | 3-Major | VMware Horizon idle timeout is ignored when connecting via APM | |
738430-1 | 3-Major | APM is not able to do compliance check on iOS devices running F5 Access VPN client | |
734291-2 | 3-Major | Logon page modification fails to sync to standby | |
696835-1 | 3-Major | Secondary Authentication or SSO fail after changing AD or LDAP password | |
695985-2 | 3-Major | Access HUD filter has URL length limit (4096 bytes) | |
656784-1 | 3-Major | K98510679 | Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
704555-2 | 2-Critical | Core occurs if DIAMETER::persist reset is called if no persistence key is set. | |
752822-3 | 3-Major | SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type | |
751179-3 | 3-Major | MRF: Race condition may create to many outgoing connections to a peer | |
749603-3 | 3-Major | MRF SIP ALG: Potential to end wrong call when BYE received | |
748043-3 | 3-Major | MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP | |
747187-3 | 3-Major | SIP falsely detects media flow collision when SDP is in both 183 and 200 response | |
744949-3 | 3-Major | MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
751869 | 2-Critical | Possible tmm crash when using manual mode mitigation in DoS Profile | |
757279 | 3-Major | LDAP authenticated Firewall Manager role cannot edit firewall policies | |
753893-1 | 3-Major | Inconsistent validation for firewall address-list's nested address-list causes load failure | |
748081-2 | 3-Major | Memory leak in Behavioral DoS module | |
710262-1 | 3-Major | Firewall is not updated when adding new rules |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
739272-1 | 3-Major | Incorrect zombie counts in PBA stats with long PBA block-lifetimes |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
752782-3 | 3-Major | 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe' |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
760961 | 2-Critical | TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts | |
757088-3 | 2-Critical | TMM clock advances and cluster failover happens during webroot db nightly updates | |
752047-2 | 2-Critical | iRule running reject in CLASSIFICATION_DETECTED event can cause core | |
761273-1 | 3-Major | wr_urldbd creates sparse log files by writing from the previous position after logrotate. |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
791369-4 | 3-Major | The REST framework may reflect client data in error logs | |
761300 | 3-Major | Errors in REST token requests may log sensitive data |
Cumulative fixes from BIG-IP v13.1.1.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
744035-4 | CVE-2018-15332 | K12130880 | APM Client Vulnerability: CVE-2018-15332 |
739970-2 | CVE-2018-5390 | K95343321 | Linux kernel vulnerability: CVE-2018-5390 |
738119-2 | CVE-2019-6589 | K23566124 | SIP routing UI does not follow best practices |
745358-3 | CVE-2019-6607 | K14812883 | ASM GUI does not follow best practices |
737910-2 | CVE-2019-6609 | K18535734 | Security hardening on the following platforms |
737442-2 | CVE-2019-6591 | K32840424 | Error in APM Hosted Content when set to public access |
658557-3 | CVE-2019-6606 | K35209601 | The snmpd daemon may leak memory when processing requests. |
530775-3 | CVE-2019-6600 | K23734425 | Login page may generate unexpected HTML output |
701785-2 | CVE-2017-18017 | K18352029 | Linux kernel vulnerability: CVE-2017-18017 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
744685-1 | 2-Critical | BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension | |
744188 | 2-Critical | First successful auth iControl REST requests will now be logged in audit and secure log files | |
748851-1 | 3-Major | Bot Detection injection include tags which may cause faulty display of application | |
725878-2 | 3-Major | AVR does not collect all of APM TMStats | |
700827-4 | 3-Major | B2250 blades may lose efficiency when source ports form an arithmetic sequence. | |
667257-4 | 3-Major | CPU Usage Reaches 100% With High FastL4 Traffic |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
682837-2 | 1-Blocking | Compression watchdog period too brief. | |
744331 | 2-Critical | OpenSSH hardening | |
743790-3 | 2-Critical | BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus | |
741423-2 | 2-Critical | Secondary blade goes offline when provisioning ASM/FPS on already established config-sync | |
738887-3 | 2-Critical | The snmpd daemon may leak memory when processing requests. | |
726487-2 | 2-Critical | MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change. | |
723298-2 | 2-Critical | BIND upgrade to version 9.11.4 | |
713380 | 2-Critical | K23331143 | Multiple B4450 blades in the same chassis run into inconsistent DAG state |
712738-1 | 2-Critical | fpdd may core dump when the system is going down | |
710277-1 | 2-Critical | IKEv2 further child_sa validity checks | |
697424-1 | 2-Critical | iControl-REST crashes on /example for firewall address-lists | |
688148-3 | 2-Critical | IKEv1 racoon daemon SEGV during phase-two SA list iteration | |
680556-1 | 2-Critical | Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted | |
677937-3 | 2-Critical | K41517253 | APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets |
668041-2 | 2-Critical | K27535157 | Config load fails when an iRule comment ends with backslash in a config where there is also a policy.★ |
751009-1 | 3-Major | Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out | |
748206 | 3-Major | Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position | |
743803-2 | 3-Major | IKEv2 potential double free of object when async request queueing fails | |
737536-1 | 3-Major | Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others. | |
737437-2 | 3-Major | IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages | |
737397-3 | 3-Major | User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP | |
724143-1 | 3-Major | IKEv2 connflow expiration upon ike-peer change | |
723579-4 | 3-Major | OSPF routes missing | |
722691 | 3-Major | Available datagroup list does not contain datagroups with the correct type. | |
721016 | 3-Major | vcmpd fails updating VLAN information on vcmp guest | |
720110-2 | 3-Major | 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session. | |
718817-2 | 3-Major | Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail. | |
718405-1 | 3-Major | RSA signature PAYLOAD_AUTH mismatch with certificates | |
718397-1 | 3-Major | IKEv2: racoon2 appends spurious trailing null byte to ID payloads | |
710666-1 | 3-Major | VE with interface(s) marked down may report high cpu usage | |
706104-3 | 3-Major | Dynamically advertised route may flap | |
705442-1 | 3-Major | GUI Network Map objects search on Virtual Server IP Address and Port does not work | |
698947-2 | 3-Major | BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled. | |
693884-1 | 3-Major | ospfd core on secondary blade during network unstability | |
693106-1 | 3-Major | IKEv1 newest established phase-one SAs should be found first in a search | |
686926-2 | 3-Major | IPsec: responder N(cookie) in SA_INIT response handled incorrectly | |
686124-1 | 3-Major | K83576240 | IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs |
680838-2 | 3-Major | IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator | |
678925-1 | 3-Major | Using a multicast VXLAN tunnel without a proper route may cause a TMM crash. | |
678380-2 | 3-Major | K26023811 | Deleting an IKEv1 peer in current use could SEGV on race conditions. |
676897-3 | 3-Major | K25082113 | IPsec keeps failing to reconnect |
676092-3 | 3-Major | IPsec keeps failing to reconnect | |
674145-1 | 3-Major | chmand error log message missing data | |
670197-1 | 3-Major | IPsec: ASSERT 'BIG-IP_conn tag' failed | |
652502-2 | 3-Major | snmpd returns 'No Such Object available' for ltm OIDs | |
639619-5 | 3-Major | UCS may fail to load due to Master key decryption failure on EEPROM-less systems★ | |
598085-1 | 3-Major | Expected telemetry is not transmitted by sFlow on the standby-mode unit. | |
491560-2 | 3-Major | Using proxy for IP intelligence updates | |
738985-2 | 4-Minor | BIND vulnerability: CVE-2018-5740 | |
689491 | 4-Minor | cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled | |
689211-3 | 4-Minor | IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 } | |
680856-2 | 4-Minor | IPsec config via REST scripts may require post-definition touch of both policy and traffic selector | |
713491-2 | 5-Cosmetic | IKEv1 logging shows spi of deleted SA with opposite endianess |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
744269-2 | 2-Critical | dynconfd restarts if FQDN template node deleted while IP address change in progress | |
744117-5 | 2-Critical | K18263026 | The HTTP URI is not always parsed correctly |
743857 | 2-Critical | K21942600 | Clientssl accepts non-SSL traffic when cipher-group is configured |
742627-2 | 2-Critical | SSL session mirroring may cause memory leakage if HA channel is down | |
741919 | 2-Critical | HTTP response may be dropped following a 100 continue message. | |
740963-2 | 2-Critical | VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart | |
740490-1 | 2-Critical | Configuration changes involving HTTP2 or SPDY may leak memory | |
739003-1 | 2-Critical | TMM may crash when fastl4 is used on epva-capable BIG-IP | |
738945-2 | 2-Critical | SSL persistence does not work when there are multiple handshakes present in a single record | |
738046-2 | 2-Critical | SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby | |
737758-2 | 2-Critical | MPTCP Passthrough and VIP-on-VIP can lead to TMM core | |
734276-2 | 2-Critical | TMM may leak memory when SSL certificates with VDI or EAM in use | |
727206 | 2-Critical | Memory corruption when using SSL Forward Proxy on certain platforms | |
720136-1 | 2-Critical | Upgrade may fail on mcpd when external netHSM is used | |
718210-2 | 2-Critical | Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused | |
716714-1 | 2-Critical | OCSP should be configured to avoid TMM crash. | |
702792-1 | 2-Critical | K82327396 | Upgrade creates Server SSL profiles with invalid cipher strings |
685254-2 | 2-Critical | K14013100 | RAM Cache Exceeding Watchdog Timeout in Header Field Search |
513310-5 | 2-Critical | TMM might core when a profile is changed. | |
752078 | 3-Major | Header Field Value String Corruption | |
739963-2 | 3-Major | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup | |
739379-2 | 3-Major | Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error | |
739349-1 | 3-Major | LRO segments might be erroneously VLAN-tagged. | |
738521-1 | 3-Major | i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag. | |
726319-2 | 3-Major | 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses | |
724564-1 | 3-Major | A FastL4 connection can fail with loose-init and hash persistence enabled | |
724327-1 | 3-Major | Changes to a cipher rule do not immediately have an effect | |
721621-1 | 3-Major | Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node | |
720799-2 | 3-Major | Virtual Server/VIP flaps with FQDN pool members when all IP addresses change | |
717896-2 | 3-Major | Monitor instances deleted in peer unit after sync | |
717100-3 | 3-Major | FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member | |
716716-2 | 3-Major | Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core | |
714559-2 | 3-Major | Removal of HTTP hash persistence cookie when a pool member goes down. | |
713690-3 | 3-Major | IPv6 cache route metrics are locked | |
711981-5 | 3-Major | BIG-IP system accepts larger-than-egress MTU, PMTU update | |
710028-2 | 3-Major | LTM SQL monitors may stop monitoring if multiple monitors querying same database | |
708068-2 | 3-Major | Tcl commands like "HTTP::path -normalize" do not return normalized path. | |
707691-4 | 3-Major | BIG-IP handles some pathmtu messages incorrectly | |
706102-2 | 3-Major | SMTP monitor does not handle all multi-line banner use cases | |
701678-2 | 3-Major | Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded | |
685519-1 | 3-Major | Mirrored connections ignore the handshake timeout | |
683697-1 | 3-Major | K00647240 | SASP monitor may use the same UID for multiple HA device group members |
674591-3 | 3-Major | K37975308 | Packets with payload smaller than MSS are being marked to be TSOed |
504522-1 | 3-Major | Trailing space present after 'tmsh ltm pool members monitor' attribute value | |
719247-2 | 4-Minor | K10845686 | HTTP::path and HTTP::query iRule functions cannot be set to a blank string |
618884-6 | 4-Minor | Behavior when using VLAN-Group and STP |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
739846-3 | 2-Critical | Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection | |
749774-3 | 3-Major | EDNS0 client subnet behavior inconsistent when DNS Caching is enabled | |
749675-3 | 3-Major | DNS cache resolver may return a malformed truncated response with multiple OPT records | |
744707-4 | 3-Major | Crash related to DNSSEC key rollover | |
726255-2 | 3-Major | dns_path lingering in memory with last_access 0 causing high memory usage | |
723288-2 | 3-Major | DNS cache replication between TMMs does not always work for net dns-resolver | |
710246-2 | 3-Major | DNS-Express was not sending out NOTIFY messages on VE | |
702457-2 | 3-Major | DNS Cache connections remain open indefinitely | |
717113-2 | 4-Minor | It is possible to add the same GSLB Pool monitor multiple times |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
750922-3 | 2-Critical | BD crash when content profile used for login page has no parse parameters set | |
726537-1 | 2-Critical | Rare TMM crash when Single Page Application is enabled on DoSL7 | |
576123-4 | 2-Critical | K23221623 | ASM policies are created as inactive policies on the peer device |
750356-3 | 3-Major | Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted | |
747777-1 | 3-Major | Extractions are learned in manual learning mode | |
747550-1 | 3-Major | Error 'This Logout URL already exists!' when updating logout page via GUI | |
745802-3 | 3-Major | Brute Force CAPTCHA response page truncates last digit in the support id | |
744347-2 | 3-Major | Protocol Security logging profiles cause slow ASM upgrade and apply policy | |
743961-3 | 3-Major | Signature Overrides for Content Profiles do not work after signature update | |
738864-1 | 3-Major | javascript functions in href are learned from response as new URLs | |
738211-3 | 3-Major | pabnagd core when centralized learning is turned on | |
734228-1 | 3-Major | False-positive illegal-length violation can appear | |
726377-1 | 3-Major | False-positive cookie hijacking violation | |
721752-2 | 3-Major | Null char returned in REST for Suggestion with more than MAX_INT occurrences | |
705925-1 | 3-Major | Websocket Message Type not displayed in Request Log | |
701792-2 | 3-Major | JS Injection into cached HTML response causes TCP RST on the fictive URLs | |
696333-1 | 3-Major | Threat campaign filter does not return campaign if filter contains quotation marks | |
690215-2 | 3-Major | Missing requests in request log | |
676416-4 | 3-Major | BD restart when switching FTP profiles | |
676223-4 | 3-Major | Internal parameter in order not to sign allowed cookies | |
663535-2 | 3-Major | Sending ASM cookies with "secure" attribute even without client-ssl profile | |
605649-2 | 3-Major | K28782793 | The cbrd daemon runs at 100% CPU utilization |
748999-1 | 4-Minor | invalid inactivity timeout suggestion for cookies | |
747905-1 | 4-Minor | 'Illegal Query String Length' violation displays wrong length | |
745531-1 | 4-Minor | Puffin Browser gets blocked by Bot Defense | |
739345 | 4-Minor | Reporting invalid signature id after specific signature upgrade | |
685743-5 | 4-Minor | When changing internal parameter 'request_buffer_size' in large request violations might not be reported | |
665470-3 | 4-Minor | Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
746941 | 2-Critical | avrd memory leak when BIG-IQ fails to receive stats information | |
739446-2 | 2-Critical | Resetting SSL-socket correctly for AVR connection | |
737813-1 | 2-Critical | BIG-IP is unable to send statistics to BIG-IQ DCD node using IPv6 address | |
749464 | 3-Major | Race condition while BIG-IQ updates common file | |
749461 | 3-Major | Race condition while modifying analytics global-settings | |
746823 | 3-Major | AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members | |
745027 | 3-Major | AVR is doing extra activity of DNS data collection even when it should not | |
744595-1 | 3-Major | DoS-related reports might not contain some of the activity that took place | |
744589-1 | 3-Major | Missing data for Firewall Events Statistics | |
741767-2 | 3-Major | ASM Resource :: CPU Utilization statistics are in wrong scale | |
740086 | 3-Major | AVR report ignore partitions for Admin users | |
716782-2 | 3-Major | AVR should add new field to the events it sends: Microtimestamp |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
753368 | 1-Blocking | Unable to import access policy with pool | |
747621-2 | 2-Critical | Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used | |
744556-1 | 2-Critical | K01226413 | Upgrade PingAccess SDK used by BIG-IP APM to v1.1.3 |
714716-2 | 2-Critical | K10248311 | Apmd logs password for acp messages when in debug mode |
754346-1 | 3-Major | Access policy was not found while creating configuration snapshot. | |
750496-1 | 3-Major | TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP | |
746771-1 | 3-Major | APMD recreates config snapshots for all access profiles every minute | |
746768-1 | 3-Major | APMD leaks memory if access policy policy contains variable/resource assign policy items | |
745654-2 | 3-Major | Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server | |
745574-3 | 3-Major | URL is not removed from custom category when deleted | |
743437-1 | 3-Major | Portal Access: Issue with long 'data:' URL | |
743150-1 | 3-Major | Increase the limit of the maximum allowed timestamp for OAuth token processing for OAuth Client | |
739744-1 | 3-Major | Import of Policy using Pool with members is failing | |
719079-1 | 3-Major | Portal Access: same-origin AJAX request may fail under some conditions. | |
718136-2 | 3-Major | 32-bit F5 VPN and Endpoint Inspector apps are discontinued on Linux |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
742829-3 | 3-Major | SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0 | |
741951-2 | 3-Major | Multiple extensions in SIP NOTIFY request cause message to be dropped. | |
699431-3 | 3-Major | Possible memory leak in MRF under low memory |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
747104-3 | 1-Blocking | K52868493 | LibSSH: CVE-2018-10933 |
753028-1 | 3-Major | AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule | |
747926 | 3-Major | Rare TMM restart due to NULL pointer access during AFM ACL logging | |
745809 | 3-Major | The /var partition may become 100% full requiring manual intervention to clear space |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
744516-1 | 2-Critical | TMM panics after a large number of LSN remote picks | |
744959-1 | 3-Major | SNMP OID for sysLsnPoolStatTotal not incremented in stats | |
727212-1 | 3-Major | Subscriber-id query using full length IPv6 address fails. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
748976 | 3-Major | DataSafe Logging Settings page is missing when DataSafe license is active | |
742037-3 | 3-Major | FPS live updates do not install when minor version is different | |
741449-1 | 4-Minor | alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts | |
726039 | 5-Cosmetic | Information is not updated after installing FPS live update via GUI |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
748813-1 | 2-Critical | tmm cores under stress test on virtual server with DoS profile with admd enabled | |
748121-1 | 2-Critical | admd livelock under CPU starvation | |
741761-1 | 2-Critical | admd might fail the heartbeat, resulting in a core | |
704236-1 | 2-Critical | TMM crash when attaching FastL4 profile | |
702936-1 | 2-Critical | TMM SIGSEGV under specific conditions. | |
653573-4 | 2-Critical | ADMd not cleaning up child rsync processes | |
741993-1 | 3-Major | The BIG-IP system does not answer the request matching L7 policy that disabled DOSL7 when BADOS configured. | |
741752-1 | 3-Major | [BADOS] state file is not saved when virtual server reuses a self IP of the device |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
724847 | 3-Major | K95010813 | DNS traffic does not get classified for AFM port misuse case |
Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
745783-3 | 3-Major | Anti-fraud: remote logging of login attempts |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
684370-1 | 3-Major | APM now supports VMware Workspace ONE integration with VIDM as ID Provider | |
683741-1 | 3-Major | APM now supports VMware Workspace ONE integration with vIDM as ID Provider | |
635509-1 | 3-Major | APM does not support Vmware'e Blast UDP |
Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
739947-1 | CVE-2019-6610 | K42465020 | TMM may crash while processing APM traffic |
737443-5 | CVE-2018-5546 | K54431371 | BIG-IP APM client for Linux and macOS vulnerability CVE-2018-5546 |
737441-5 | CVE-2018-5546 | K54431371 | Disallow hard links to svpn log files |
726089-2 | CVE-2018-15312 | K44462254 | Modifications to AVR metrics page |
725815-1 | CVE-2018-15320 | K72442354 | vlangroup usage may cause a excessive resource consumption |
724339-1 | CVE-2018-15314 | K04524282 | Unexpected TMUI output in AFM |
724335-1 | CVE-2018-15313 | K21042153 | Unexpected TMUI output in AFM |
722677-4 | CVE-2019-6604 | K26455071 | High-Speed Bridge may lock up |
722387-3 | CVE-2019-6596 | K97241515 | TMM may crash when processing APM DTLS traffic |
722091-3 | CVE-2018-15319 | K64208870 | TMM may crash while processing HTTP traffic |
717888 | CVE-2018-15323 | K26583415 | TMM may leak memory when a virtual server uses the MQTT profile. |
717742-5 | CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 | K44923228 | Oracle Java SE vulnerability CVE-2018-2783 |
707990-2 | CVE-2018-15315 | K41704442 | Unexpected TMUI output in SSL Certificate Instance page |
704184-6 | CVE-2018-5529 | K52171282 | APM MAC Client create files with owner only read write permissions |
701253-5 | CVE-2018-15318 | K16248201 | TMM core when using MPTCP |
693810-6 | CVE-2018-5529 | K52171282 | CVE-2018-5529: APM Linux Client Vulnerability |
741858-1 | CVE-2018-15324 | K52206731 | TMM may crash while processing Portal Access requests |
734822-3 | CVE-2018-15325 | K77313277 | TMSH improvements |
725801-4 | CVE-2017-7889 | K80440915 | CVE-2017-7889: Kernel Vulnerability |
725635-2 | CVE-2018-3665 | K21344224 | CVE-2018-3665: Intel Lazy FPU Vulnerability |
721924-2 | 2018-17539 | K17264695 | bgpd may crash processing extended ASNs |
719554-2 | CVE-2018-8897 | K17403481 | Linux Kernel Vulnerability: CVE-2018-8897 |
716900-2 | CVE-2019-6594 | K91026261 | TMM core when using MPTCP |
710705-2 | CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 | K34035645 | Multiple Wireshark vulnerabilities |
705799-2 | CVE-2018-15325 | K77313277 | TMSH improvements |
699453-4 | CVE-2018-15327 | K20222812 | Web UI does not follow current best coding practices |
699452-4 | CVE-2019-6597 | K29280193 | Web UI does not follow current best coding practices |
712876-2 | CVE-2017-8824 | K15526101 | CVE-2017-8824: Kernel Vulnerability |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
734527-1 | 3-Major | BGP 'capability graceful-restart' for peer-group not properly advertised when configured | |
715750-2 | 3-Major | K41515225 | The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
693611-3 | 1-Blocking | K76313256 | IKEv2 ike-peer might crash on stats object during peer modification update |
743810-1 | 2-Critical | AWS: Disk resizing in m5/c5 instances fails silently. | |
743082-1 | 2-Critical | Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members★ | |
739507 | 2-Critical | How to recover from a failed state due to FIPS integrity check | |
739505 | 2-Critical | Automatic ISO digital signature checking not required when FIPS license active★ | |
739285-1 | 2-Critical | GUI partially missing when VCMP is provisioned | |
725696-1 | 2-Critical | A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted | |
724680-4 | 2-Critical | OpenSSL Vulnerability: CVE-2018-0732 | |
723722-2 | 2-Critical | MCPD crashes if several thousand files are created between config syncs. | |
721350-2 | 2-Critical | The size of the icrd_child process is steadily growing | |
717785-1 | 2-Critical | Interface-cos shows no egress stats for CoS configurations | |
716391-2 | 2-Critical | K76031538 | High priority for MySQL on 2 core vCMP may lead to control plane process starvation |
711683-2 | 2-Critical | bcm56xxd crash with empty trunk in QinQ VLAN | |
707003-3 | 2-Critical | Unexpected syntax error in TMSH AVR | |
706423-1 | 2-Critical | tmm may restart if an IKEv2 child SA expires during an async encryption or decryption | |
703669-2 | 2-Critical | Eventd restarts on NULL pointer access | |
703045-1 | 2-Critical | If using TMSH commands with deprecated attributes in iApp, the upgrade will fail. | |
700386-2 | 2-Critical | mcpd may dump core on startup | |
693996-5 | 2-Critical | K42285625 | MCPD sync errors and restart after multiple modifications to file object in chassis |
692158-1 | 2-Critical | iCall and CLI script memory leak when saving configuration | |
691589-4 | 2-Critical | When using LDAP client auth, tamd may become stuck | |
690819-1 | 2-Critical | Using an iRule module after a 'session lookup' may result in crash | |
689437-1 | 2-Critical | K49554067 | icrd_child cores due to infinite recursion caused by incorrect group name handling |
689002-3 | 2-Critical | Stackoverflow when JSON is deeply nested | |
658410-2 | 2-Critical | icrd_child generates a core when calling PUT on ltm/data-group/internal/ | |
652877-5 | 2-Critical | Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades | |
638091-6 | 2-Critical | Config sync after changing named pool members can cause mcpd on secondary blades to restart | |
739126 | 3-Major | Multiple VE installations may have different sized volumes | |
733585-3 | 3-Major | Merged can use %100 of CPU if all stats snapshot files are in the future | |
727467-1 | 3-Major | Some iSeries appliances can experience traffic disruption when the high availability (HA) peer is upgraded from 12.1.3 and earlier to 13.1.0 or later. | |
726409-4 | 3-Major | Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 | |
722682-2 | 3-Major | Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load★ | |
721740-2 | 3-Major | CPU stats are not correctly recorded when snapshot files have timestamps in the future | |
720713-2 | 3-Major | TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail | |
720461-2 | 3-Major | qkview prompts for password on chassis | |
718525-1 | 3-Major | PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting | |
714974-2 | 3-Major | Platform-migrate of UCS containing QinQ fails on VE★ | |
714903-2 | 3-Major | Errors in chmand | |
714654-2 | 3-Major | Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM | |
713813-2 | 3-Major | Node monitor instances not showing up in GUI | |
712102-2 | 3-Major | K11430165 | customizing or changing the HTTP Profile's IPv6 field hides the field or the row |
710232-2 | 3-Major | platform-migrate fails when LACP trunks are in use | |
709444-2 | 3-Major | "NTP not configured on device" warning seen when NTP symmetric key authentication is configured | |
709192-1 | 3-Major | GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart | |
707740-4 | 3-Major | Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination | |
707509-1 | 3-Major | Initial vCMP guest creations can fail if certain hotfixes are used | |
707391-2 | 3-Major | BGP may keep announcing routes after disabling route health injection | |
706804-1 | 3-Major | SNMP trap destination configuration of network option is missing "default" keyword | |
706354-2 | 3-Major | OPT-0045 optic unable to link | |
706169-3 | 3-Major | tmsh memory leak | |
705456-1 | 3-Major | Enabling HTTP-to-HTTPS redirection in a vCMP guest can prevent some Host-Guest Management features from working | |
704755-1 | 3-Major | EUD_M package could not be installed on 800 platforms | |
704512-1 | 3-Major | Automated upload of qkview to iHealth can time out resulting in error | |
704336-1 | 3-Major | Updating 3rd party device cert not copied correctly to trusted certificate store | |
702227-3 | 3-Major | Memory leak in TMSH load sys config | |
700757-1 | 3-Major | vcmpd may crash when it is exiting | |
700576-1 | 3-Major | GUI - Server SSL Profile shows irrelevant options when "Server Certificate" is set to "Ignore" | |
700426 | 3-Major | K58033284 | Switching partitions while viewing objects in GUI can result in empty list |
700250-3 | 3-Major | K59327012 | qkviews for secondary blade appear to be corrupt |
698875-1 | 3-Major | Qkview Security Hardening | |
698084-3 | 3-Major | K03776801 | IPsec log messages in /var/log/ltm missing module ID to reach bigiq logs |
696731-3 | 3-Major | K94062594 | The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled |
693578-2 | 3-Major | switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0 | |
692189-1 | 3-Major | errdefsd fails to generate a core file on request. | |
692179-1 | 3-Major | Potential high memory usage from errdefsd. | |
691609-1 | 3-Major | 1NIC: Configuration error: Clearing IP on interface mgmt failed - Cannot assign requested address★ | |
690890-1 | 3-Major | Running sod manually can cause issues/failover | |
689375-1 | 3-Major | K01512833 | Unable configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled |
688406-1 | 3-Major | K14513346 | HA-Group Score showing 0 |
687905-2 | 3-Major | K72040312 | OneConnect profile causes CMP redirected connections on the HA standby |
687534-1 | 3-Major | If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page | |
684391-3 | 3-Major | Existing IPsec tunnels reload. tmipsecd creates a core file. | |
684218-1 | 3-Major | vADC 'live-install' Downgrade from v13.1.0 is not possible | |
681782-6 | 3-Major | Unicast IP address can be configured in a failover multicast configuration | |
679347-2 | 3-Major | K44117473 | ECP does not work for PFS in IKEv2 child SAs |
678488-1 | 3-Major | K59332320 | BGP default-originate not announced to peers if several are peering over different VLANs |
677485-1 | 3-Major | Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error | |
671712-2 | 3-Major | The values returned for the ltmUserStatProfileStat table are incorrect. | |
670528-4 | 3-Major | K20251354 | Warnings during vCMP host upgrade. |
651413-4 | 3-Major | K34042229 | tmsh list ltm node does not return an error when node does not exist |
642923-6 | 3-Major | MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system | |
617643-2 | 3-Major | iControl.ForceSessions enabled results in GUI error on certain pages | |
551925-4 | 3-Major | Misdirected UDP traffic with hardware acceleration | |
464650-6 | 3-Major | Failure of mcpd with invalid authentication context. | |
727297-3 | 4-Minor | GUI TACACS+ remote server list should accept hostname | |
725612-1 | 4-Minor | syslog-ng does not send any messages to the remote servers after reconfiguration | |
719770-2 | 4-Minor | tmctl -H -V and -l options without values crashed | |
714749-2 | 4-Minor | cURL Vulnerability: CVE-2018-1000120 | |
713947-1 | 4-Minor | stpd repeatedly logs "hal sendMessage failed" | |
713932-1 | 4-Minor | Commands are replicated to PostgreSQL even when not in use. | |
707631-2 | 4-Minor | The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI | |
707267 | 4-Minor | REST Framework HTTP header limit size increased to 8 KB | |
701826 | 4-Minor | qkview upload to ihealth fails or unable to untar qkview file | |
691491-5 | 4-Minor | K13841403 | 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces |
685582-7 | 4-Minor | Incorrect output of b64 unit key hash by command f5mku -f | |
683029-1 | 4-Minor | Sync of virtual address and self IP traffic groups only happens in one direction | |
679135-2 | 4-Minor | IKEv1 and IKEv2 cannot share common local address in tunnels | |
678388-1 | 4-Minor | K00050055 | IKEv1 racoon daemon is not restarted when killed multiple times |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
722594-2 | 1-Blocking | TCP flow may not work as expected if double tagging is used | |
737445-2 | 2-Critical | Use of TCP Verified Accept can disable server-side flow control | |
727044-2 | 2-Critical | TMM may crash while processing compressed data | |
726239-4 | 2-Critical | interruption of traffic handling as sod daemon restarts TMM | |
725545-1 | 2-Critical | Ephemeral listener might not be set up correctly | |
724906-1 | 2-Critical | sasp_gwm monitor leaks memory over time | |
724868-1 | 2-Critical | dynconfd memory usage increases over time | |
724213-1 | 2-Critical | K74431483 | Modified ssl_profile monitor param not synced correctly |
722893-1 | 2-Critical | K30764018 | TMM can restart without a stack trace or core file after becoming disconnected from MCPD. |
716213-1 | 2-Critical | BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic | |
713612-1 | 2-Critical | tmm might restart if the HTTP passthrough on pipeline option is used | |
710221-2 | 2-Critical | K67352313 | Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled |
673664-1 | 2-Critical | TMM crashes when sys db Crypto.HwAcceleration is disabled.★ | |
635191-2 | 2-Critical | Under rare circumstances TMM may crash | |
727222-1 | 3-Major | 206 Partial Content responses from ramcache have malformed Content-Range header | |
723300-2 | 3-Major | TMM may crash when tracing iRules containing nameless listeners on internal virtual servers | |
722363-2 | 3-Major | Client fails to connect to server when using PVA offload at Established | |
721261-1 | 3-Major | v12.x Policy rule names containing slashes are not migrated properly | |
720293-3 | 3-Major | HTTP2 IPv4 to IPv6 fails | |
719600-2 | 3-Major | TCP::collect iRule with L7 policy present may result in connection reset | |
717346-2 | 3-Major | K13040347 | [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total |
715883 | 3-Major | Tmm crash due to invalid cookie attribute | |
715785-2 | 3-Major | Incorrect encryption error for monitors during sync or upgrade | |
715756-2 | 3-Major | Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only | |
715467-2 | 3-Major | Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY | |
714384-3 | 3-Major | DHCP traffic may not be forwarded when BWC is configured | |
707951-2 | 3-Major | Stalled mirrored flows on HA next-active when OneConnect is used. | |
704764-3 | 3-Major | SASP monitor marks members down with non-default route domains | |
703580-1 | 3-Major | TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host. | |
703266-2 | 3-Major | Potential MCP memory leak in LTM policy compile code | |
702450-1 | 3-Major | The validation error message generated by deleting certain object types referenced by a policy action is incorrect | |
701690-1 | 3-Major | K53819652 | Fragmented ICMP forwarded with incorrect icmp checksum |
700696-1 | 3-Major | SSID does not cache fragmented Client Certificates correctly via iRule | |
699273-1 | 3-Major | TMM Core During FTP Monitor Use | |
695925-1 | 3-Major | Tmm crash when showing connections for a CMP disabled virtual server | |
691785-1 | 3-Major | The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes | |
691224-3 | 3-Major | K59327001 | Fragmented SSL Client Hello message do not get properly reassembled when SSL Persistence is enabled |
690778-1 | 3-Major | K53531153 | Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule |
688629-1 | 3-Major | K52334096 | Deleting data-group in use by iRule does not trigger validation error |
685110-1 | 3-Major | K05430133 | With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members. |
681757-3 | 3-Major | K32521651 | Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member' |
681673-4 | 3-Major | tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results | |
679613-1 | 3-Major | K23531420 | i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1' |
672312-3 | 3-Major | IP ToS may not be forwarded to serverside with syncookie activated | |
602708-4 | 3-Major | K84837413 | Traffic may not passthrough CoS by default |
716922-2 | 4-Minor | Reduction in PUSH flags when Nagle Enabled | |
712637-2 | 4-Minor | Host header persistence not implemented | |
700433-1 | 4-Minor | K10870739 | Memory leak when attaching an LTM policy to a virtual server |
697988-3 | 4-Minor | K34554754 | During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100% |
693966-1 | 4-Minor | TCP sndpack not reset along with other tcp profile stats | |
688557-1 | 4-Minor | K50462482 | Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull' |
495242-4 | 4-Minor | mcpd log messages: Failed to unpublish LOIPC object |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
718885-3 | 2-Critical | K25348242 | Under certain conditions, monitor probes may not be sent at the configured interval |
723792-2 | 3-Major | GTM regex handling of some escape characters renders it invalid | |
719644-2 | 3-Major | If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★ |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
737500-2 | 2-Critical | Apply Policy and Upgrade time degradation when there are previous enforced rules | |
726090-1 | 2-Critical | No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense | |
724414-2 | 2-Critical | ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled | |
724032-1 | 2-Critical | Searching Request Log for value containing backslash does not return expected result | |
721741-3 | 2-Critical | BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative | |
704143-1 | 2-Critical | BD memory leak | |
701856-1 | 2-Critical | Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart | |
740719-2 | 3-Major | ASM CSP header parser does not honor unsafe-inline attribute within script-src directive |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
737867-1 | 3-Major | Scheduled reports are being incorrectly displayed in different partitions |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
739716-2 | 1-Blocking | APM Subroutine loops without finishing | |
740777-1 | 2-Critical | Secondary blades mcp daemon restart when subroutine properties are configured | |
739674-1 | 2-Critical | TMM might core in SWG scenario with per-request policy. | |
722013 | 2-Critical | MCPD restarts on all secondary blades post config-sync involving APM customization group | |
713820-1 | 2-Critical | Pass in IP address to urldb categorization engine | |
739939-1 | 3-Major | Ping Access Agent Module leaks memory in TMM. | |
739190 | 3-Major | Policies could be exported with not patched /Common partition | |
738582-1 | 3-Major | Ping Access Agent Module leaks memory in TMM. | |
738397-1 | 3-Major | SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails. | |
737355-1 | 3-Major | HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files | |
737064-2 | 3-Major | ACCESS::session iRule commands may not work in serverside events | |
726895 | 3-Major | K02205915 | VPE cannot modify subroutine settings |
726616-1 | 3-Major | TMM crashes when a session is terminated | |
726592-1 | 3-Major | Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop | |
725867-2 | 3-Major | ADFS proxy does not fetch configuration for non-floating virtual servers | |
725412-1 | 3-Major | APM does not follow current best practices for HTTP headers | |
724571-1 | 3-Major | Importing access profile takes a long time | |
722969-2 | 3-Major | Access Policy import with 'reuse' enabled instead rewrites shared objects | |
722423-1 | 3-Major | Analytics agent always resets when Category Lookup is of type custom only | |
720757-1 | 3-Major | Without proper licenses Category Lookup always fails with license error in Allow Ending | |
713655-2 | 3-Major | RouteDomainSelectionAgent might fail under heavy control plane traffic/activities | |
711427-2 | 3-Major | Edge Browser does not launch F5 VPN App | |
710884-1 | 3-Major | Portal Access might omit some valid cookies when rewriting HTTP request. | |
701800-2 | 3-Major | K29064506 | SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x |
701056-1 | 3-Major | User is not able to reset their Active Directory password | |
698984-1 | 3-Major | Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned | |
696669-1 | 3-Major | Users cannot change or reset RSA PIN | |
696544-1 | 3-Major | APM end users can not change/reset password when auth agents are included in per-req policy | |
671323-1 | 3-Major | Reset PIN Fail if Token input field is not 'password' field | |
734595-2 | 4-Minor | sp-connector is not being deleted together with profile | |
721375-1 | 4-Minor | Export then import of config with RSA server in it might fail |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
706642-2 | 2-Critical | wamd may leak memory during configuration changes and cluster events |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
709383-2 | 3-Major | DIAMETER::persist reset non-functional | |
706750-1 | 3-Major | Changing CGNAT SIP ALG profile log settings while handling traffic may cause tmm crash. | |
691048-1 | 3-Major | K34553736 | Support DIAMETER Experimental-Result AVP response |
688942-5 | 3-Major | ICAP: Chunk parser performs poorly with very large chunk |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
724532-2 | 2-Critical | SIG SEGV during IP intelligence category match in TMM | |
720045-1 | 2-Critical | IP fragmented UDP DNS request and response packets dropped as DNS Malformed | |
710755-1 | 2-Critical | Crash when cached route information becomes stale and the system accesses the information from it. | |
698333-1 | 2-Critical | K43392052 | TMM core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families) |
694849-1 | 2-Critical | TMM crash when packet sampling is turned for DNS BDOS signatures. | |
672514-1 | 2-Critical | Local Traffic/Virtual Server/Security page crashed | |
630137-2 | 2-Critical | Dynamic Signatures feature can fill up /config partition impacting system stability | |
726154-2 | 3-Major | TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies | |
704528-2 | 3-Major | tmm may run out of memory during IP shunning | |
704369-2 | 3-Major | TMM on BIG-IP restarts if a dos profile is attached to a virtual with sip-routing enabled | |
696201-1 | 3-Major | Anomaly threshold floor calculation (for bins with very low learnt threshold) during signature generation | |
686376-2 | 3-Major | Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon | |
707054-1 | 4-Minor | SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162 | |
699454-4 | 4-Minor | Web UI does not follow current best coding practices |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
726647-3 | 3-Major | PEM content insertion in a compressed response may truncate some data | |
721704-1 | 3-Major | UDP flows are not deleted after subscriber deletion | |
709670-2 | 3-Major | iRule triggered from RADIUS occasionally fails to create subscribers. |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
721570-1 | 1-Blocking | K20285019 | TMM core when trying to log an unknown subscriber |
734446-2 | 2-Critical | TMM crash after changing LSN pool mode from PBA to NAPT | |
688246-1 | 2-Critical | An invalid mode in the LSN::persistence command causes TMM crash | |
708830-2 | 3-Major | Inbound or hairpin connections may get stuck consuming memory. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
738669-2 | 3-Major | Login validation may fail for a large request with early server response | |
737368-1 | 3-Major | Fingerprint cookie large value may result in tmm core. |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
739277 | 2-Critical | TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode | |
720585-1 | 3-Major | Signatures generated by Behavioral DOS algorithm can create false-positive signatures | |
689540-1 | 3-Major | The same DOS attack generates new signatures even if there are signatures generated during previous attacks. |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
726303-1 | 3-Major | Unlock 10 million custom db entry limit |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
726872-2 | 3-Major | iApp LX directory disappears after upgrade or restoring from UCS★ |
Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release
Functional Change Fixes
None
Cumulative fixes from BIG-IP v13.1.1 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
693359-1 | 1-Blocking | AWS M5 and C5 instance families are supported |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
721364 | 1-Blocking | BIG-IP per-application VE BYOL license does not support three wildcard virtual servers | |
716469 | 1-Blocking | OpenSSL 1.0.1l fails with 512 bit DSA keys | |
697615-1 | 1-Blocking | K65013424 | Neurond may restart indefinitely after boot, with neurond_i2c_config message |
675921-2 | 1-Blocking | Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running | |
723130-1 | 2-Critical | K13996 | Invalid-certificate warning displayed when deploying BIG-IP VE OVA file |
700086-1 | 2-Critical | AWS C5/M5 Instances do not support BIG-IP VE | |
696732-3 | 2-Critical | K54431534 | tmm may crash in a compression provider |
721985 | 3-Major | PAYG License remains inactive as dossier verification fails. | |
721512 | 3-Major | Config tool fails to configure management-ip when default routes exist for both IPv4 and IPv6. | |
721342 | 3-Major | No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments. | |
720961-1 | 3-Major | Upgrading in Intelligence Community AWS environment may fail | |
720756-1 | 3-Major | SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS | |
720651-2 | 3-Major | Running Guest Changed to Provisioned Never Stops | |
720104-1 | 3-Major | BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware' | |
719396-1 | 3-Major | K34339214 | DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot. |
717832 | 3-Major | Remove unneeded files from UCS backup directories | |
714303-1 | 3-Major | K25057050 | X520 virtual functions do not support MAC masquerading |
712266-1 | 3-Major | Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware | |
697616-2 | 3-Major | Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests | |
680086 | 3-Major | md5sum check on BMC firmware fails | |
673996-2 | 3-Major | Unable to set 'media-fixed' on management port on BIG-IP i15000 platforms | |
680388-1 | 4-Minor | f5optics should not show function name in non-debug log messages | |
653759-1 | 4-Minor | Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update★ | |
720391-2 | 5-Cosmetic | BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
737550 | 2-Critical | State Mirroring between BIG-IP 13.0.x and 13.1.x systems may cause TMM core on standby system during upgrade★ | |
701538-2 | 2-Critical | SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured | |
720460-1 | 3-Major | Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly | |
694778-1 | 3-Major | Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size | |
686631-2 | 3-Major | Deselect a compression provider at the end of a job and reselect a provider for a new job | |
679494-1 | 3-Major | Change the default compression strategy to speed | |
495443-9 | 3-Major | K16621 | ECDH negotiation failures logged as critical errors. |
679496-2 | 4-Minor | Add 'comp_req' to the output of 'tmctl compress' |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
717909 | 2-Critical | tmm can abort on sPVA flush if the HSB flush does not succeed | |
701637 | 2-Critical | Crash in bcm56xxd during TMM failover | |
644822 | 2-Critical | K19245372 | FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned |
702738-1 | 3-Major | K32181540 | Tmm might crash activating new blob when changing firewall rules |
698182 | 3-Major | Upgrading from 13.1.1 to newer release might cause config to not be copied over★ | |
697516 | 3-Major | Upgrading using a ucs or scf file does not autogenerate uuids when current config has the uuid-default-autogenerate flag enabled |
Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
716992-2 | CVE-2018-5539 | K75432956 | The ASM bd process may crash |
710244-3 | CVE-2018-5536 | K27391542 | Memory Leak of access policy execution objects |
710140-1 | CVE-2018-5527 | K20134942 | TMM may consume excessive resources when processing SSL Intercept traffic |
709688-3 | CVE-2017-3144 CVE-2018-5732 CVE-2018-5733 |
K08306700 | dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 |
695072-2 | CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558 |
K23030550 | CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558 |
693744-4 | CVE-2018-5531 | K64721111 | CVE-2018-5531: vCMP vulnerability |
651741-2 | CVE-2017-5970, | K60104355 | CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop |
717900-2 | CVE-2018-5528 | K27044729 | TMM crash while processing APM data |
710827-2 | CVE-2019-6598 | K44603900 | TMUI dashboard daemon stability issue |
710148-2 | CVE-2017-1000111 CVE-2017-1000112 |
K60250153 | CVE-2017-1000111 & CVE-2017-1000112 |
709256-2 | CVE-2017-9074 CVE-2017-7542 |
K61223103 | CVE-2017-9074: Local Linux Kernel Vulnerability |
705476-2 | CVE-2018-15322 | K28003839 | Appliance Mode does not follow design best practices |
698813-2 | CVE-2018-5538 | K45435121 | When processing DNSX transfers ZoneRunner does not enforce best practices |
688625-5 | CVE-2017-11628 | K75543432 | PHP Vulnerability CVE-2017-11628 |
662850-6 | CVE-2015-2716 | K50459349 | Expat XML library vulnerability CVE-2015-2716 |
714879-3 | CVE-2018-15326 | K34652116 | APM CRLDP Auth passes all certs |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
685020-3 | 3-Major | Enhancement to SessionDB provides timeout |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
708956-1 | 1-Blocking | K51206433 | During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform' |
719597 | 2-Critical | HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0 | |
715820-1 | 2-Critical | vCMP in HA configuration with VIPRION chassis might cause unstable data plane | |
712401-1 | 2-Critical | Enhanced administrator lock/unlock for Common Criteria compliance | |
676203-3 | 2-Critical | Inter-blade mpi connection fails, does not recover, and eventually all memory consumed. | |
665362-2 | 2-Critical | MCPD might crash if the AOM restarts | |
581851-6 | 2-Critical | K16234725 | mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands |
711249-1 | 3-Major | NAS-IP-Address added to RADIUS packet unexpectedly | |
710976-1 | 3-Major | Network Map might take a long time to load | |
708484-2 | 3-Major | Network Map might take a long time to load | |
707445-3 | 3-Major | K47025244 | Nitrox 3 compression hangs/unable to recover |
705818-1 | 3-Major | GUI Network Map Policy with forward Rule to Pool, Pool does not show up | |
704804-1 | 3-Major | The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address | |
704733-1 | 3-Major | NAS-IP-Address is sent with the bytes in reverse order | |
704247-2 | 3-Major | BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted | |
701249-1 | 3-Major | RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1 | |
700895-1 | 3-Major | K34944451 | GUI Network Map objects in subfolders are not being shown |
696260-1 | 3-Major | K53103420 | GUI Network Map as Start Screen presents database error |
694696-5 | 3-Major | On multiblade Viprion, creating a new traffic-group causes the device to go Offline | |
694547-2 | 3-Major | K74203532 | TMSH save sys config creates unneeded generate_config processes. |
689730-3 | 3-Major | Software installations from v13.1.0 might fail★ | |
687658 | 3-Major | Monitor operations in transaction will cause it to stay unchecked | |
686906-2 | 3-Major | Fragmented IPv6 packets not handled correctly on Virtual Edition | |
674455-5 | 3-Major | Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS | |
678254-1 | 4-Minor | Error logged when restarting Tomcat |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
721571-1 | 2-Critical | State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade★ | |
718071-1 | 2-Critical | HTTP2 with ASM policy not passing traffic | |
715747 | 2-Critical | TMM may restart when running traffic through custom SSLO deployments. | |
709828-2 | 2-Critical | fasthttp can crash with Large Receive Offload enabled | |
707244-3 | 2-Critical | iRule command clientside and serverside may crash tmm | |
707207-1 | 2-Critical | iRuleLx returning undefined value may cause TMM restart | |
700597-1 | 2-Critical | Local Traffic Policy on HTTP/2 virtual server no longer matches | |
700056-1 | 2-Critical | MCPD process may lock up and restart when applying Local Traffic Policy to virtual server | |
690756-1 | 2-Critical | APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated | |
571651-4 | 2-Critical | Reset Nitrox3 crypto accelerator queue if it becomes stuck. | |
713951-5 | 3-Major | tmm core files produced by nitrox_diag may be missing data | |
713934-2 | 3-Major | Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response | |
712819-2 | 3-Major | 'HTTP::hsts preload' iRule command cannot be used | |
712475-3 | 3-Major | K56479945 | DNS zones without servers will prevent DNS Express reading zone data |
712437-3 | 3-Major | K20355559 | Records containing hyphens (-) will prevent child zone from loading correctly |
711281-5 | 3-Major | nitrox_diag may run out of space on /shared | |
710996-2 | 3-Major | VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP | |
709133-2 | 3-Major | When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur | |
709132-1 | 3-Major | When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur | |
707961-2 | 3-Major | K50013510 | Unable to add policy to virtual server; error = Failed to compile the combined policies |
707109-1 | 3-Major | Memory leak when using C3D | |
704381-5 | 3-Major | SSL/TLS handshake failures and terminations are logged at too low a level | |
702151-1 | 3-Major | HTTP/2 can garble large headers | |
700889-3 | 3-Major | K07330445 | Software syncookies without TCP TS improperly include TCP options that are not encoded |
700061-4 | 3-Major | Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file | |
699598-2 | 3-Major | HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR | |
696755 | 3-Major | HTTP/2 may truncate a response body when served from cache | |
693308-1 | 3-Major | SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain | |
689089-1 | 3-Major | VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot | |
688744-1 | 3-Major | K11793920 | LTM Policy does not correctly handle multiple datagroups |
686890-1 | 3-Major | X509_EXTENSION memory blocks leak when C3D forges the certificate. | |
682944-1 | 3-Major | key-id missing for installed netHSM key for standby BIG-IP system in high availability (HA) setup | |
682283-2 | 3-Major | Malformed HTTP/2 request with invalid Content-Length value is served against RFC | |
678872-3 | 3-Major | Inconsistent behavior for virtual-address and selfip on the same ip-address | |
673399-3 | 3-Major | HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server. | |
653201-2 | 3-Major | Update the default CA certificate bundle file to the latest version and remove expiring certificates from it | |
713533-2 | 4-Minor | list self-ip with queries does not work | |
708249-2 | 4-Minor | nitrox_diag utility generates QKView files with 5 MB maximum file size limit | |
692095-1 | 4-Minor | K65311501 | bigd logs monitor status unknown for FQDN Node/Pool Member |
678801-4 | 4-Minor | WS::enabled returned empty string | |
677958-4 | 4-Minor | WS::frame prepend and WS::frame append do not insert string in the right place. |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
698992-1 | 3-Major | Performance degraded |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
713066-1 | 2-Critical | K10620131 | Connection failure during DNS lookup to disabled nameserver can crash TMM |
707310-2 | 2-Critical | DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs) | |
721895 | 3-Major | Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery) | |
715448-2 | 3-Major | Providing LB::status with a GTM Pool name in a variable caused validation issues | |
710032-1 | 3-Major | 'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system. | |
706128-2 | 3-Major | DNSSEC Signed Zone Transfers Can Leak Memory | |
703545-1 | 3-Major | DNS::return iRule "loop" checking disabled |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
718152 | 2-Critical | K14591455 | ASM GUI request log does not load on cluster |
716788-2 | 2-Critical | TMM may crash while response modifications are being performed within DoSL7 filter | |
713390-1 | 2-Critical | ASM Signature Update cannot be performed on hourly billing cloud instance | |
685230-3 | 2-Critical | memory leak on a specific server scenario | |
606983-2 | 2-Critical | ASM errors during policy import | |
719459-2 | 3-Major | Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled | |
719005-1 | 3-Major | Login request may arrive corrupted to the backend server after CAPTCHA or CSID mitigation | |
717756-2 | 3-Major | High CPU usage from asm_config_server | |
716940-2 | 3-Major | Traffic Learning screen graphs shows data for the last day only | |
715128-1 | 3-Major | Simple mode Signature edit does not escape semicolon | |
713282-1 | 3-Major | Remote logger violation_details field does not appear when virtual server has more than one remote logger | |
712362-3 | 3-Major | ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase | |
711405-1 | 3-Major | K14770331 | ASM GUI Fails to Display Policy List After Upgrade |
710327-1 | 3-Major | Remote logger message is truncated at NULL character. | |
707147-1 | 3-Major | High CPU consumed by asm_config_server_rpc_handler_async.pl | |
706845-2 | 3-Major | False positive illegal multipart violation | |
706665-2 | 3-Major | ASM policy is modified after pabnagd restart | |
704643-1 | 3-Major | Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule | |
702008-1 | 3-Major | ASM REST: Missing DB Cleanup for some tables | |
700143-2 | 3-Major | ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages | |
691897-3 | 3-Major | Names of the modified cookies do not appear in the event log | |
687759-1 | 3-Major | bd crash | |
686765-2 | 3-Major | Database cleaning failure may allow MySQL space to fill the disk entirely | |
674256-2 | 3-Major | K60745057 | False positive cookie hijacking violation |
675232-6 | 4-Minor | Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
710315-1 | 2-Critical | AVR-profile might cause issues when loading a configuration or when using config sync | |
698226-1 | 2-Critical | Filters under Security :: Reports :: DoS :: URL Latencies work incorrectly | |
696642-1 | 2-Critical | monpd core is sometimes created when the system is under heavy load. | |
721474-1 | 3-Major | AVR does not send all SSLO statistics to offbox machine. | |
715110 | 3-Major | AVR should report 'resolutions' in module GtmWideip | |
712118 | 3-Major | AVR should report on all 'global tags' in external logs | |
706361 | 3-Major | IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0★ | |
696212-1 | 3-Major | monpd does not return data for multi-dimension query | |
648242-2 | 3-Major | K73521040 | Administrator users unable to access all partition via TMSH for AVR reports |
649161-2 | 4-Minor | K42340304 | AVR caching mechanism not working properly |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
720214-1 | 2-Critical | NTLM Authentication might fail if Strict Update in iApp is modified | |
720189-1 | 2-Critical | VDI settings in APM Webtop have the incorrect URL for Citrix Receiver client download | |
719149-2 | 2-Critical | VDI plugin might hang while processing native RDP connections | |
716747-2 | 2-Critical | TMM my crash while processing APM or SWG traffic | |
715250-1 | 2-Critical | TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED | |
713156-1 | 2-Critical | AGC cannot do redeploy in Exchange and ADFS use cases | |
710116-1 | 2-Critical | VPN clients experience packet loss/disconnection | |
694078-1 | 2-Critical | In rare cases, TMM may crash with high APM traffic | |
720695-1 | 3-Major | Export then import of APM access Profile/Policy with advanced customization is failing | |
719192 | 3-Major | In VPE Agent VMware View Policy shows no properties | |
715207-3 | 3-Major | coapi errors while modifying per-request policy in VPE | |
714961-1 | 3-Major | antserver creates large temporary file in /tmp directory | |
714700-2 | 3-Major | SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy | |
713111-1 | 3-Major | When ASM and APM are configured on the same virtual server, ASM might report some errors in its logging. | |
710305-1 | 3-Major | When ASM and APM are configured on the same virtual server, ASM could throw some errors in its logging. | |
709274-1 | 3-Major | RADIUS Accounting requests egress on different Self IP addresses than they did pre-v13.1.0 | |
699267-2 | 3-Major | LDAP Query may fail to resolve nested groups | |
658278-1 | 3-Major | Network Access configuration with Layered-VS does not work with Edge Client |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
703515-3 | 2-Critical | K44933323 | MRF SIP LB - Message corruption when using custom persistence key |
692310-2 | 3-Major | K69250459 | ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
677473-3 | 2-Critical | MCPD core is generated on multiple add/remove of Mgmt-Rules |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
711570-3 | 3-Major | PEM iRule subscriber policy name query using subscriber ID, may not return applied policies | |
663874-2 | 3-Major | K77173309 | Off-box HSL logging does not work with PEM in SPAN mode. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
719186-2 | 3-Major | Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts | |
716318-2 | 3-Major | Engine/Signatures automatic update check may fail to find/download the latest update |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
714334-1 | 2-Critical | admd stops responding and generates a core while under stress. | |
718772-2 | 3-Major | The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists) | |
718685-1 | 3-Major | The measured number of pending requests is two times higher than actual one | |
701288-1 | 3-Major | Server health significantly increases during DoSL7 TPS prevention |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
693694-1 | 3-Major | tmsh::load within IApp template results in unpredicted behavior |
Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
716392-1 | 1-Blocking | Support for 24 vCMP guests on a single 4450 blade | |
712429 | 1-Blocking | Serverside packets excluded from DoS stats | |
704552 | 3-Major | Support for ONAP site licensing |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
707100 | 2-Critical | Potentially fail to create user in AzureStack | |
706688 | 2-Critical | Automatically add additional certificates to BIG-IP system in C2S and IC environments | |
709936 | 3-Major | Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration. | |
707585-1 | 3-Major | Use native driver for 82599 NICs instead of UNIC | |
703869 | 3-Major | Waagent updated to 2.2.21 |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
713273 | 2-Critical | BIG-IP sys db variable avr.stats.internal.maxentitiespertable resets back to default value on services restart | |
715153-1 | 3-Major | AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
716746 | 3-Major | Possible tmm restart when disabling single endpoint vector while attack is ongoing | |
712710 | 3-Major | TMM may halt and restart when threshold mode is set to stress-based mitigation |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
699103-1 | 3-Major | tmm continuously restarts after provisioning AFM |
Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
709972-6 | CVE-2017-12613 | K52319810 | CVE-2017-12613: APR Vulnerability |
707186-1 | CVE-2018-5514 | K45320419 | TMM may crash while processing HTTP/2 traffic |
702232-1 | CVE-2018-5517 | K25573437 | TMM may crash while processing FastL4 TCP traffic |
693312-1 | CVE-2018-5518 | K03165684 | vCMPd may crash when processing bridged network traffic |
688516-1 | CVE-2018-5518 | K03165684 | vCMPd may crash when processing bridged network traffic |
686305-1 | CVE-2018-5534 | K64552448 | TMM may crash while processing SSL forward proxy traffic |
589233-2 | CVE-2018-5518 | K03165684 | vCMPd may crash when processing bridged network traffic |
714369 | CVE-2018-5526 | K62201098 | ADM may fail when processing HTTP traffic |
714350 | CVE-2018-5526 | K62201098 | BADOS mitigation may fail |
710314-1 | CVE-2018-5537 | K94105051 | TMM may crash while processing HTML traffic |
706176-1 | CVE-2018-5512 | K51754851 | TMM crash can occur when using LRO |
706086-3 | CVE-2018-5515 | K62750376 | PAM RADIUS authentication subsystem hardening |
703940-2 | CVE-2018-5530 | K45611803 | Malformed HTTP/2 frame consumes excessive system resources |
699346-3 | CVE-2018-5524 | K53931245 | NetHSM capacity reduces when handling errors |
688011-7 | CVE-2018-5520 | K02043709 | Dig utility does not apply best practices |
688009-7 | CVE-2018-5519 | K46121888 | Appliance Mode TMSH hardening |
677088-2 | CVE-2018-15321 | K01067037 | BIG-IP tmsh vulnerability CVE-2018-15321 |
708653-1 | CVE-2018-15311 | K07550539 | TMM may crash while processing TCP traffic |
632875-5 | CVE-2018-5516 | K37442533 | Non-Administrator TMSH users no longer allowed to run dig |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
708389 | 3-Major | BADOS monitoring with Grafana requires admin privilege | |
680850-2 | 3-Major | K48342409 | Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
694897-2 | 1-Blocking | Unsupported Copper SFP can trigger a crash on i4x00 platforms. | |
708054-1 | 2-Critical | Web Acceleration: TMM may crash on very large HTML files with conditional comments | |
706305-1 | 2-Critical | bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled | |
706087 | 2-Critical | Entry for SSL key replaced by config-sync causes tmsh load config to fail | |
703761-2 | 2-Critical | Disable DSA keys for public-key and host-based authentication in Common Criteria mode | |
696113-3 | 2-Critical | Extra IPsec reference added per crypto operation overflows connflow refcount | |
692683-1 | 2-Critical | Core with /usr/bin/tmm.debug at qa_device_mgr_uninit | |
690793-1 | 2-Critical | K25263287 | TMM may crash and dump core due to improper connflow tracking |
689577-3 | 2-Critical | K45800333 | ospf6d may crash when processing specific LSAs |
688911-1 | 2-Critical | K94296004 | LTM Policy GUI incorrectly shows conditions with datagroups |
563661-1 | 2-Critical | Datastor may crash | |
704282-2 | 3-Major | TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy | |
703298-2 | 3-Major | Licensing and phonehome_upload are not using the sync'd key/certificate | |
701626-2 | 3-Major | K16465222 | GUI resets custom Certificate Key Chain in child client SSL profile |
698429-1 | 3-Major | Misleading log error message: Store Read invalid store addr 0x3800, len 10 | |
693964-1 | 3-Major | Qkview utility may generate invalid XML in files contained in Qkview | |
691497-2 | 3-Major | tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions | |
691210-1 | 3-Major | Traffic stops on tmm restart when guest VLAN tagging is used for BIG-IP VE. | |
687353-1 | 3-Major | K35595105 | Qkview truncates tmstat snapshot files |
631316-2 | 3-Major | K62532020 | Unable to load config with client-SSL profile error★ |
514703-3 | 4-Minor | gtm listener cannot be listed across partitions |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
709334-1 | 2-Critical | Memory leak when SSL Forward proxy is used and ssl re-negotiates | |
708114-1 | 2-Critical | K33319853 | TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed |
707447-1 | 2-Critical | Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles. | |
707246-1 | 2-Critical | TMM would crash if SSL Client profile could not load cert-key-chain successfully | |
706631-2 | 2-Critical | A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured. | |
705611-2 | 2-Critical | The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used | |
704666-1 | 2-Critical | memory corruption can occur when using certain certificates | |
704435-1 | 2-Critical | Client connection may hang when NTLM and OneConnect profiles used together | |
703914-2 | 2-Critical | TMM SIGSEGV crash in poolmbr_conn_dec. | |
703191-2 | 2-Critical | HTTP2 requests may contain invalid headers when sent to servers | |
701244-1 | 2-Critical | K81742541 | An incorrect data manipulation in cipher encrypt and decrypt could cause TMM crash with SIGABRT |
701202-3 | 2-Critical | K35023432 | SSL memory corruption |
700393-3 | 2-Critical | K53464344 | Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash |
697259-2 | 2-Critical | K14023450 | Different versioned vCMP guests on the same chassis may crash. |
694656-1 | 2-Critical | K05186205 | Routing changes may cause TMM to restart |
686228-1 | 2-Critical | K23243525 | TMM may crash in some circumstances with VLAN failsafe |
680074-2 | 2-Critical | TMM crashes when serverssl cannot provide certificate to backend server. | |
667770-1 | 2-Critical | K12472293 | SIGSEGV to tmm when performing multiple, repeated SSL profile updates, or during UCS restore |
648320-5 | 2-Critical | K38159538 | Downloading via APM tunnels could experience performance downgrade. |
705794-2 | 3-Major | Under certain circumstances a stale HTTP/2 stream might cause a tmm crash | |
701147-2 | 3-Major | K36563645 | ProxySSL does not work properly with Extended Master Secret and OCSP |
700057-4 | 3-Major | LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved | |
693910-4 | 3-Major | Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series) | |
693244-2 | 3-Major | BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned | |
690042-1 | 3-Major | K43412307 | Potential Tcl leak during iRule suspend operation |
689561-1 | 3-Major | HTTPS request hangs when multiple virtual https servers shares the same ip address | |
686972-4 | 3-Major | The change of APM log settings will reset the SSL session cache. | |
685615-4 | 3-Major | K24447043 | Incorrect source mac for TCP Reset with vlangroup for host traffic |
677525-2 | 3-Major | Translucent VLAN group may use unexpected source MAC address | |
663821-1 | 3-Major | K41344010 | SNAT Stats may not include port FTP traffic |
653976-4 | 3-Major | K00610259 | SSL handshake fails if server certificate contains multiple CommonNames |
594751-1 | 3-Major | K90535529 | LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
710424-2 | 2-Critical | K00874337 | Possible SIGSEGV in GTMD when GTM persistence is enabled. |
678861-1 | 2-Critical | DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other★ |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
710870 | 2-Critical | Temporary browser challenge failure after installing older ASU | |
711011-2 | 3-Major | 'API Security' security policy template changes | |
683241-1 | 3-Major | K70517410 | Improve CSRF token handling |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
710947-1 | 2-Critical | AVR does not send errdef for entity DosIpLogReporting. | |
710110-1 | 2-Critical | AVR does not publish DNS statistics to external log when usr-offbox is enabled. | |
711929-1 | 3-Major | AVR should not send statistic on hidden rows for module InterfaceTraffic and module InterfaceHealth |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
679221-2 | 1-Blocking | APMD may generate core file or appears locked up after APM configuration changed | |
708005-1 | 2-Critical | K12423316 | Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources |
703208-1 | 2-Critical | PingAccessAgent causes TMM core | |
702278-2 | 2-Critical | Potential XSS security exposure on APM logon page. | |
700522-1 | 2-Critical | APMD may unexpectedly restart when worker threads are stuck | |
700090-2 | 2-Critical | tmm crash during execution of a per-request policy when modified during execution. | |
699686-1 | 2-Critical | localdbmgr can occasionally crash during shutdown | |
697452-1 | 2-Critical | Websso crashes because of bad argument in logging | |
712924-1 | 3-Major | In VPE SecurID servers list are not being displayed in SecurID authentication dialogue | |
703793-3 | 3-Major | tmm restarts when using ACCESS::perflow get' in certain events | |
703171-1 | 3-Major | High CPU usage for apmd, localdbmgr and oauth processes | |
702487-3 | 3-Major | AD/LDAP admins with spaces in names are not supported | |
684937-3 | 3-Major | K26451305 | [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users |
683113-3 | 3-Major | K22904904 | [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users |
681415-3 | 3-Major | Copying of profile with advanced customization or images might fail | |
678427-1 | 3-Major | K03138339 | Safari 11 displays F5 EPI and F5 VPN launch confirmation dialogs twice |
675775-4 | 3-Major | TMM crashes inside dynamic ACL building session db callback | |
671597-3 | 3-Major | Import, export, copy and delete is taking too long on 1000 entries policy | |
673717-3 | 4-Minor | VPE loading times can be very long |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
701889-1 | 2-Critical | Setting log.ivs.level or log-config filter level to informational causes crash | |
679114-4 | 3-Major | Persistence record expires early if an error is returned for a BYE command |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
708888-1 | 2-Critical | K79814103 | Some DNS truncated responses may not be processed by BIG-IP |
667353 | 2-Critical | Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
702705-2 | 2-Critical | Core observed during lease query testing when RADIUS Authentication is configured in DHCP profile | |
699531-1 | 2-Critical | Potential TMM crash due to incorrect number of attributes in a PEM iRule command | |
696294-1 | 2-Critical | TMM core may be seen when using Application reporting with flow filter in PEM | |
711093-1 | 3-Major | PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled | |
709610-3 | 3-Major | Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM | |
697718-1 | 3-Major | Increase PEM HSL reporting buffer size to 4K. | |
677494-1 | 3-Major | Flow filter with Periodic content insertion action could leak insert content record | |
677148-1 | 3-Major | Periodic content insertion creates duplicate records if same policy is added to Global high and subscriber specific | |
676346-2 | 3-Major | PEM displays incorrect policy action counters when the gate status is disabled. | |
648802-1 | 3-Major | Required custom AVPs are not included in an RAA when reporting an error. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
710701-1 | 3-Major | "Application Layer Encryption" option is not saved in DataSafe GUI | |
709319-2 | 3-Major | Post-login client-side alerts are missing username in bigIQ | |
706835 | 3-Major | When cloning a profile, URL parameters are not shown | |
706771-1 | 3-Major | FPS ajax-mapping property may be set even when it should be blocked | |
706651-1 | 3-Major | Cloning URL does not clone "Description" field | |
706276-1 | 4-Minor | Unnecessary pop-up appears |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
708305-2 | 3-Major | Discover task may get stuck in CHECK_IS_ACTIVE step | |
705593-5 | 4-Minor | CVE-2015-7940: Bouncy Castle Java Vulnerability |
Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
633441-1 | 3-Major | Datasync Background Tasks running even without features requiring it |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
708189 | 4-Minor | OAuth Discovery Auto Pilot is implemented |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
708840 | 3-Major | 13.0.0-to-13.1.0 upgrade operation on VIPRION 2250 blades might fail if global whitelist is configured |
Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
700556-1 | CVE-2018-5504 | K11718033 | TMM may crash when processing WebSockets data |
699012-1 | CVE-2018-5502 | K43121447 | TMM may crash when processing SSL/TLS data |
698080-3 | CVE-2018-5503 | K54562183 | TMM may consume excessive resources when processing with PEM |
695901-1 | CVE-2018-5513 | K46940010 | TMM may crash when processing ProxySSL data |
691504-1 | CVE-2018-5503 | K54562183 | PEM content insertion in a compressed response may cause a crash. |
704580-1 | CVE-2018-5549 | K05018525 | apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP |
701447-1 | CVE-2017-5754 | K91229003 | CVE-2017-5754 (Meltdown) |
701445-1 | CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176 |
K91229003 | CVE-2017-5753 (Spectre Variant 1) |
701359-4 | CVE-2017-3145 | K08613310 | BIND vulnerability CVE-2017-3145 |
699455-4 | CVE-2018-5523 | K50254952 | SAML export does not follow best practices |
699451-3 | CVE-2018-5511 | K30500703 | OAuth reports do not follow best practices |
676457-5 | CVE-2017-6153 | K52167636 | TMM may consume excessive resource when processing compressed data |
640766-2 | CVE-2016-10088 CVE-2016-9576 |
K05513373 | Linux kernel vulnerability: CVE-2016-10088 CVE-2016-9576 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
686389-1 | 3-Major | APM does not honor per-farm HTML5 client disabling at the View Connection Server | |
678524-1 | 3-Major | Join FF02::2 multicast group when router-advertisement is configured | |
693007-1 | 4-Minor | Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
707226 | 1-Blocking | DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations | |
700315-2 | 1-Blocking | K26130444 | Ctrl+C does not terminate TShark |
667148-3 | 1-Blocking | K02500042 | Config load or upgrade can fail when loading GTM objects from a non-/Common partition |
706998-3 | 2-Critical | Memory leak when OCSP is configured in clientSSL profile for C3D, or in serverSSL profile for server authentication | |
692890-3 | 2-Critical | Adding support for BIG-IP 800 in 13.1.x | |
685458-7 | 2-Critical | K44738140 | merged fails merging a table when a table row has incomplete keys defined. |
665354-1 | 2-Critical | K31190471 | Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log |
703848-1 | 3-Major | Possible memory leak when reusing statistics rows in tables | |
702520-2 | 3-Major | K53330514 | Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address. |
694740-3 | 3-Major | BIG-IP reboot during a TMM core results in an incomplete core dump | |
692753-1 | 3-Major | shutting down trap not sent when shutdown -r or shutdown -h issued from shell | |
689691-2 | 3-Major | iStats line length greater than 4032 bytes results in corrupted statistics or merge errors | |
686029-2 | 3-Major | A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces | |
669462-2 | 3-Major | Error adding /Common/WideIPs as members to GTM Pool in non-Common partition | |
589083-6 | 3-Major | TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors. | |
699281-1 | 4-Minor | Version format of hypervisor bundle matches Version format of ISO | |
685475-1 | 4-Minor | K93145012 | Unexpected error when applying hotfix |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
706534-1 | 1-Blocking | L7 connection mirroring may not be fully mirrored on standby BigIP | |
698424-1 | 1-Blocking | K11906514 | Traffic over a QinQ VLAN (double tagged) will not pass |
700862-1 | 2-Critical | K15130240 | tmm SIGFPE 'valid node' |
699298-2 | 2-Critical | 13.0.0 Hotfix HF3 3.0.1679 TMM CORED due to SIGSEGV. | |
698461-1 | 2-Critical | Tmm may crash in fastl4 TCP | |
692970-2 | 2-Critical | Using UDP port 67 for purposes other than DHCP might cause TMM to crash | |
691095-1 | 2-Critical | CA bundle manager loses certificates in the CA bundle if the serial number is longer than 4 bytes | |
687635-1 | 2-Critical | K58002142 | Tmm becomes unresponsive and might restart |
687205-2 | 2-Critical | Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart | |
681175-3 | 2-Critical | K32153360 | TMM may crash during routing updates |
674576-3 | 2-Critical | Outage may occur with VIP-VIP configurations | |
452283-5 | 2-Critical | An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows | |
440620-1 | 2-Critical | New connections may be reset when a client reuses the same port as it used for a recently closed connection | |
704073-1 | 3-Major | K24233427 | Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm |
702439 | 3-Major | K04964898 | Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset |
698916-1 | 3-Major | TMM crash with HTTP/2 under specific condition | |
698379-2 | 3-Major | K61238215 | HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR( |
698000-3 | 3-Major | K04473510 | Connections may stop passing traffic after a route update |
695707-5 | 3-Major | BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection | |
691806-1 | 3-Major | K61815412 | RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state |
689449-1 | 3-Major | Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured | |
688571-2 | 3-Major | K40332712 | Untrusted cert might be accepted by the server-ssl even though when 'untrusted-cert-response-control drop' is configured in the server-ssl profile. |
688570-5 | 3-Major | BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes | |
686307-3 | 3-Major | K10665315 | Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later |
686065-2 | 3-Major | RESOLV::lookup iRule command can trigger crash with slow resolver | |
682104-3 | 3-Major | HTTP PSM leaks memory when looking up evasion descriptions | |
680264-2 | 3-Major | HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags | |
677666-2 | 3-Major | /var/tmstat/blades/scripts segment grows in size. | |
664528-2 | 3-Major | K53282793 | SSL record can be larger than maximum fragment size (16384 bytes) |
251162-1 | 3-Major | K11564 | The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name |
685467-1 | 4-Minor | K12933087 | Certain header manipulations in HTTP profile may result in losing connection. |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
699135-1 | 2-Critical | tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip | |
692941-1 | 2-Critical | GTMD and TMM SIGSEGV when changing wide IP pool in GTMD | |
691287-1 | 2-Critical | tmm crashes on iRule with GTM pool command | |
682335-1 | 2-Critical | TMM can establish multiple connections to the same gtmd | |
580537-3 | 2-Critical | The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data | |
562921-5 | 2-Critical | Cipher 3DES and iQuery encrypting traffic between BIG-IP systems | |
705503-3 | 3-Major | Context leaked from iRule DNS lookup | |
703702 | 3-Major | Fixed iControl REST not listing GTM Listeners | |
700527-3 | 3-Major | cmp-hash change can cause repeated iRule DNS-lookup hang | |
699339-3 | 3-Major | K24634702 | Geolocation upgrade files fail to replicate to secondary blades |
696808-1 | 3-Major | Disabling a single pool member removes all GTM persistence records | |
691498-3 | 3-Major | Connection failure during iRule DNS lookup can crash TMM | |
690166-1 | 3-Major | ZoneRunner create new stub zone when creating a SRV WIP with more subdomains | |
687128-1 | 3-Major | gtm::host iRule validation for ipv4 and ipv6 addresses | |
680069-1 | 3-Major | K81834254 | zxfrd core during transfer while network failure and DNS server removed from DNS zone config★ |
679149-1 | 3-Major | TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0] | |
667469-3 | 3-Major | K35324588 | Higher than expected CPU usage when using DNS Cache |
636997-1 | 4-Minor | big3d may crash | |
636994-1 | 4-Minor | big3d may crash | |
636992-1 | 4-Minor | big3d may crash | |
636986-1 | 4-Minor | big3d may crash | |
636982-1 | 4-Minor | big3d may crash |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
705774-1 | 3-Major | Add a set of disallowed file types to RDP template | |
703833-1 | 3-Major | Some bot detected features might not work as expected on Single Page Applications | |
702946-3 | 3-Major | Added option to reset staging period for signatures | |
701841-2 | 3-Major | Unnecessary file recovery_db/conf.tar.gz consumes /var disk space | |
701327-2 | 3-Major | failed configuration deletion may cause unwanted bd exit | |
700812-1 | 3-Major | asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview | |
700726-2 | 3-Major | Search engine list was updated, and fixing case of multiple entries | |
698919-3 | 3-Major | Anti virus false positive detection on long XML uploads | |
697756-1 | 3-Major | Policy with CSRF URL parameter cannot be imported as binary policy file | |
697303-1 | 3-Major | BD crash | |
696265-5 | 3-Major | K60985582 | BD crash |
696073-2 | 3-Major | BD core on a specific scenario | |
695563-1 | 3-Major | Improve speed of ASM initialization on first startup | |
694922-5 | 3-Major | ASM Auto-Sync Device Group Does Not Sync | |
693780-1 | 3-Major | Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices | |
693663-1 | 3-Major | Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode | |
691477-2 | 3-Major | ASM standby unit showing future date and high version count for ASM Device Group | |
679384-3 | 3-Major | K85153939 | The policy builder is not getting updates about the newly added signatures. |
678293-2 | 3-Major | K25066531 | Uncleaned policy history files cause /var disk exhaustion |
665992-2 | 3-Major | K40510140 | Live Update via Proxy No Longer Works |
608988-1 | 3-Major | Error when deleting multiple ASM Policies |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
703233 | 3-Major | Some filters don't work in Security->Reporting->URL Latencies page |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
707676-1 | 2-Critical | Memory leak in Machine Certificate Check agent of the apmd process | |
700724-2 | 2-Critical | Client connection with large number of HTTP requests may cause tmm to restart | |
692557-1 | 2-Critical | When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted. | |
690116-1 | 2-Critical | websso daemon might crash when logging set to debug | |
689591-2 | 2-Critical | When pingaccess SDK processes certain POST requests from the client, the TMM may restart | |
677368-2 | 2-Critical | Websso crash due to uninitialized member in websso context object while processing a log message | |
631286-3 | 2-Critical | TMM Memory leak caused by APM URI cache entries | |
703429-2 | 3-Major | Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services | |
702263-1 | 3-Major | An access profile with large number of SAML Resources (greater than 200) causes APM error ERR_TOOBIG while loading. | |
702222-1 | 3-Major | RADIUS and SecurID Auth fails with empty password | |
701740-1 | 3-Major | apmd leaks memory when updating Access V2 policy | |
701737-1 | 3-Major | apmd may leak memory on destroying Kerberos cache | |
701736-1 | 3-Major | Memory leak in Machine Certificate Check agent of the apmd process | |
701639-1 | 3-Major | Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by BIG-IP as SP. | |
697636-3 | 3-Major | ACCESS is not replacing headers while replacing POST body | |
695953-1 | 3-Major | Custom URL Filter object is missing after load sys config TMSH command | |
694624-1 | 3-Major | SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor | |
693844-1 | 3-Major | K58335157 | APMD may restart continuously and cannot come up |
692307-3 | 3-Major | User with 'operator' role may not be able to view some session variables | |
687937-1 | 3-Major | RDP URIs generated by APM Webtop are not properly encoded | |
685862-1 | 3-Major | BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message | |
684583-1 | 3-Major | Buitin Okta Scopes Request object uses client -id and client-secret | |
684325-1 | 3-Major | APMD Memory leak when applying a specific access profile | |
683389-3 | 3-Major | Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file | |
683297-2 | 3-Major | Portal Access may use incorrect back-end for resources referenced by CSS | |
682500-2 | 3-Major | VDI Profile and Storefront Portal Access resource do not work together | |
678851-3 | 3-Major | Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase() | |
675866-4 | 3-Major | WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO | |
671627-3 | 3-Major | K06424790 | HTTP responces without body may contain chunked body with empty payload being processed by Portal Access. |
632646-1 | 3-Major | APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server. | |
629334-1 | 3-Major | Portal Access: JavaScript expressions in parentheses may be rewritten incorrectly | |
612792-1 | 3-Major | Support RDP redirection for connections launched from APM Webtop on iOS | |
612118-2 | 3-Major | Nexthop explicit proxy is not used for the very first connection to communicate with the backend. | |
536831-1 | 3-Major | APM PAM module does not handle local-only users list correctly |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
698338-1 | 2-Critical | Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection | |
689343-2 | 2-Critical | Diameter persistence entries with bi-directional flag created with 10 sec timeout | |
685708-4 | 2-Critical | Routing via iRule to a host without providing a transport from a transport-config created connection cores | |
700571-4 | 3-Major | SIP MR profile, setting incorrect branch param for CANCEL to INVITE | |
696049-1 | 3-Major | High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running | |
674747-4 | 3-Major | K30837366 | sipdb cannot delete custom bidirectional persistence entries. |
656901-3 | 3-Major | MRF add 'existing_connection_only' and 'outgoing_connection_instance_seed' two iRule commands |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
704207-1 | 2-Critical | DNS query name is not showing up in DNS AVR reporting | |
703517 | 2-Critical | K23520761 | TMM may crash when processing TCP DNS traffic |
692328-1 | 2-Critical | Tmm core due to incorrect memory allocation | |
705161-1 | 3-Major | K23520761 | TMM may crash when processing TCP DNS traffic |
703959 | 3-Major | Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI | |
631418-1 | 3-Major | Packets dropped by HW grey list may not be counted toward AVR. |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
696383-1 | 2-Critical | PEM Diameter incomplete flow crashes when sweeped | |
694717-1 | 2-Critical | Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup. | |
616008-1 | 2-Critical | K23164003 | TMM core may be seen when using an HSL format script for HSL reporting in PEM |
696789-1 | 3-Major | PEM Diameter incomplete flow crashes when TCL resumed | |
695968-1 | 3-Major | Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues. | |
694319-1 | 3-Major | CCA without a request type AVP cannot be tracked in PEM. | |
694318-1 | 3-Major | PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP. | |
684333-1 | 3-Major | PEM session created by Gx may get deleted across HA multiple switchover with CLI command | |
678820-1 | 3-Major | Potential memory leak if PEM Diameter sessions are not created successfully. | |
642068-4 | 3-Major | PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens | |
624231-4 | 3-Major | No flow control when using content-insertion with compression | |
680729-1 | 4-Minor | K64307999 | DHCP Trace log incorrectly marked as an Error log. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
697363-1 | 2-Critical | FPS should forward all XFF header values | |
705559-1 | 3-Major | FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request | |
662311-1 | 3-Major | CS alerts should contain actual client IP address in XFF header |
Protocol Inspection Fixes
ID Number | Severity | Solution Article(s) | Description |
671716-1 | 3-Major | UCS version check was too strict for IPS hitless upgrade |
Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
702419 | 3-Major | Protocol Inspection needs add-on license to work |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
660239-6 | 4-Minor | When accessing the dashboard, invalid HTTP headers may be present |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
677919-4 | 3-Major | Enhanced Data Manipulation AJAX Support |
Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
681955-1 | CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 | K23565223 | Apache CVE-2017-9788 |
673595-9 | CVE-2017-3167 CVE-2017-3169 | K34125394 | Apache CVE-2017-3167 |
694274-1 | CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 | K23565223 | [RHSA-2017:3195-01] Important: httpd security update - EL6.7 |
672124-6 | CVE-2018-5541 | K12403422 | Excessive resource usage when BD is processing requests |
679861 | CVE-2019-6655 | K31152411 | Weak Access Restrictions on the AVR Reporting Interface |
673607-9 | CVE-2017-3169 | K83043359 | Apache CVE-2017-3169 |
672667-6 | CVE-2017-7679 | K75429050 | CVE-2017-7679: Apache vulnerability |
641101-7 | CVE-2016-8743 | K00373024 | httpd security and bug fix update CVE-2016-8743 |
684033-3 | CVE-2017-9798 | K70084351 | CVE-2017-9798 : Apache Vulnerability (OptionsBleed) |
661939-2 | CVE-2017-2647 | K32115847 | Linux kernel vulnerability CVE-2017-2647 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
685056 | 3-Major | VE OVAs is not the supported platform to run VMware guest OS customization | |
670103-1 | 3-Major | No way to query logins to BIG-IP in TMUI | |
681385-2 | 4-Minor | Forward proxy forged cert lifespan can be configured from days into hours. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
700247 | 2-Critical | K60053504 | APM Client Software may be missing after doing fresh install of BIG-IP VE |
693979 | 3-Major | Autoscale is not functional because of the change in file permission of the /shared/vadc/aws/iid-document document | |
683131-1 | 3-Major | Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present★ | |
682213-1 | 3-Major | K31623549 | TLS v1.2 support in IP reputation daemon |
669585-1 | 3-Major | The tmsh sys log filter is unable to display information in uncompressed log files. | |
668826-1 | 3-Major | File named /root/.ssh/bigip.a.k.bak is present but should not be | |
668276-1 | 3-Major | BIG-IP does not display failed login attempts since last login in GUI | |
668273-1 | 3-Major | K12541531 | Logout button not available in Configuration Utility when using Client Cert LDAP |
471237-4 | 3-Major | K12155235 | BIG-IP VE instances do not work with an encrypted disk in AWS. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
699624-1 | 2-Critical | Config with custom 'SIP' or 'Firepass' monitor fails to load after upgrade★ | |
463097-5 | 3-Major | Clock advanced messages with large amount of data maintained in DNS Express zones |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
672504-2 | 2-Critical | K52325625 | Deleting zones from large databases can take excessive amounts of time. |
667542-6 | 2-Critical | DNS Express does not correctly process multi-message DNS IXFR updates. | |
645615-6 | 2-Critical | K70543226 | zxfrd may fail and restart after multiple failovers between blades in a chassis. |
655233-2 | 3-Major | K93338593 | DNS Express using wrong TTL for SOA RRSIG record in NoData response |
648766-2 | 3-Major | K57853542 | DNS Express responses missing SOA record in NoData responses if CNAMEs present |
646615-2 | 4-Minor | Improved default storage size for DNS Express database |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
699720-1 | 2-Critical | ASM crash when configuring remote logger for WebSocket traffic with response-logging:all | |
691670-5 | 2-Critical | Rare BD crash in a specific scenario | |
686108-1 | 2-Critical | User gets blocking page instead of captcha during brute force attack | |
684312-1 | 2-Critical | K54140729 | During Apply Policy action, bd agent crashes, causing the machine to go Offline |
698940-1 | 3-Major | Add new security policy template for API driven systems - "API Security" | |
690883-1 | 3-Major | BIG-IQ: Changing learning mode for elements does not always take effect | |
686517-2 | 3-Major | Changes to a parent policy that has no active children are not synced to the secondary chassis slots. | |
686470-1 | 3-Major | Enable AJAX Response Page or Single Page Application support causes the part of the web page failed to load. | |
686452-1 | 3-Major | File Content Detection Formats are not exported in Policy XML | |
685964-1 | 3-Major | cs_qualified_urls bigdb does not cause configured URLs to be qualified. | |
685771-1 | 3-Major | Policies cannot be created with SAP, OWA, or SharePoint templates | |
685207-1 | 3-Major | DoS client side challenge does not encode the Referer header. | |
685164-1 | 3-Major | K34646484 | In partitions with default route domain != 0 request log is not showing requests |
683508-1 | 3-Major | K00152663 | WebSockets: umu memory leak of binary frames when remote logger is configured |
680353-1 | 3-Major | Brute force sourced based mitigation is not working as expected | |
674494-4 | 3-Major | K77993010 | BD memory leak on specific configuration and specific traffic |
668184-2 | 3-Major | Huge values are shown in the AVR statistics for ASM violations | |
694073-3 | 4-Minor | All signature update details are shown in 'View update history from previous BIG-IP versions' popup | |
685193-1 | 4-Minor | If Inheritance is None in the Parent Policy and there are at least 1 child policy, the number of Comments shown in Inheritance Settings is equal to number of child policies |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
697421 | 3-Major | Monpd core when trying to restart | |
688813-2 | 3-Major | K23345645 | Some ASM tables can massively grow in size. |
686510-1 | 3-Major | If tmm was restarted during an attack, the attack might appear ongoing in GUI | |
683474 | 3-Major | The case-sensitive problem during comparison of 2 Virtual Servers | |
679088-1 | 3-Major | Avr reporting and analytics does not display statistics of many source regions |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
684852-1 | 2-Critical | Obfuscator not producing deterministic output | |
692123 | 3-Major | GET parameter is grayed out if MobileSafe is not licensed |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
700320 | 2-Critical | tmm core under stress when BADOS configured and attack signatures enabled | |
691462-1 | 3-Major | Bad actors detection might not work when signature mitigation blocks bad traffic | |
687987 | 3-Major | Presentation of signatures in human-readable format | |
687986 | 3-Major | High CPU consumption during signature generation, not limited number of signatures per virtual server | |
687984 | 3-Major | Attacks with randomization of HTTP headers parameters generates too many signatures |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
698396-1 | 2-Critical | Config load failed after upgrade from 12.1.2 to 13.x or 14.x★ |
Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
686190-1 | 2-Critical | LRO performance impact with BWC and FastL4 virtual server | |
667173-1 | 2-Critical | 13.1.0 cannot join a device group with 13.1.0.1 | |
683114-2 | 3-Major | Need support for 4th element version in Update Check |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
685628-1 | 1-Blocking | Performance regression on B4450 blade★ | |
673832-1 | 1-Blocking | Performance impact for certain platforms after upgrading to 13.1.0. | |
696525-1 | 2-Critical | B2250 blades experience degraded performance. |
Cumulative fix details for BIG-IP v13.1.3.2 that are included in this release
831549 : Marketing name does not display properly for BIG-IP i10010 (C127)
Component: TMOS
Symptoms:
The /var/log/ltm log includes error messages about the marketing names errors:
Invalid marketing name.
Conditions:
-- Running BIG-IP software version 13.1.3.1.
-- Using BIG-IP i10010 (C127) platform.
Impact:
This causes errors in the logs, and affects the tmsh and LCD displays. The LCD displays C127 for the Platform Name instead of the actual platform name. The TMSH command, tmsh show sys hw, displays C127 for the Platform Name instead of the actual platform name.
Workaround:
None.
Fix:
This is fixed in version 13.1.3.2.
818429-2 : TMM may crash while processing HTTP traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing HTTP traffic.
Conditions:
HTTP profile active.
Impact:
TMM crash, leading to a failover event.
Workaround:
None.
Fix:
TMM now processes HTTP traffic as expected.
815753-4 : TMM leaks memory when explicit SWG is configured with Kerberos authentication
Component: Access Policy Manager
Symptoms:
Memory usage of filter keeps increasing over time and becomes one of major consumers of the TMM memory.
Conditions:
This issue happens if the following conditions are met:
1. Access profile type is SWG-explicit.
2. Access policy contains HTTP 407 Response policy item with HTTP Auth Level being Negotiate.
3. Kerberos is used to authenticate a user.
Impact:
TMM sweeper enters aggressive mode and reaps connections.
Workaround:
None.
815425 : RAID status is shown <undefined> after upgrade from 12.1.3.5 to 13.1.1.5★
Component: TMOS
Symptoms:
On RAID supported BIG-IP platforms, upgrade from BIG-IP v12.1.3.5 to BIG-IP v13.1.1.5, RAID array member state is shown as 'undefined' in below commands, though actual RAID status is 'up'.
- array
- tmsh show sys raid
Conditions:
On RAID supported platforms, clean install of BIG-IP 12.1.x version followed by upgrade to BIG-IP 13.1.x version.
Impact:
RAID information is reported wrongly.
Fix:
RAID information is retrieved and parsed according to the new mdadm supported in BIG-IP 13.1.x version.
813945-1 : PB core dump while processing many entities
Component: Application Security Manager
Symptoms:
PB core dump.
Conditions:
This may happen when the system is strained and PB is processing large policies (updating many entities may happen during periodic processing, response analysis).
This is a very rarely occurring scenario.
Impact:
PB core dump and restart.
Workaround:
None.
Fix:
PB core dump no longer occurs.
813673-1 : The HTTP Explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT
Component: Local Traffic Manager
Symptoms:
A typical configuration of the HTTP Explicit Proxy includes four virtual servers:
-- Two virtual servers for the Explicit Proxy, one IPv4, one IPv6.
-- Two general-purpose virtual servers: one IPv4, one IPv6.
The general-purpose virtual servers allow handling of CONNECT tunneling over the HTTP-tunnel interface.
Unfortunately, if an IPv6 client tries to CONNECT to an IPv4 destination, it fails, returning a 503 status error.
This is due to the IPv6 general-purpose virtual server not being found when performing the destination lookup.
Conditions:
-- The HTTP explicit proxy is used on an IPv6 address.
-- 'default-connect-handling deny' is configured on the explicit proxy HTTP profile.
-- IPv4 and IPv6 general-purpose virtual servers exist on the HTTP-tunnel interface.
-- The client connects, and uses CONNECT to proxy to an IPv4 address.
Impact:
The client will not be able to CONNECT through the explicit proxy to an IPv4 address.
Workaround:
None.
Fix:
Mismatched IPv6 to IPv4 scenarios are supported with the HTTP Explicit Proxy.
813657 : MRF SIP ALG with SNAT incorrectly detects ingress queue full
Component: Service Provider
Symptoms:
When SIP ALG processes a non-registered subscriber SIP outbound call, the ingress queue counter may underflow. This is interpreted as ingress queue full and the rest of message will be dropped.
Conditions:
SIP ALG processes non registered subscriber SIP outbound calls (nonregister-subscriber-callout option is enabled in SIP session profile).
Impact:
SIP ALG incorrectly detects the ingress queue is full and stops processing the rest of SIP ALG traffic.
Workaround:
None
Fix:
When SIP ALG processes non registered subscriber SIP call, the ingress queue counter is handled correctly.
812341-1 : Patch or Delete commands take a long time to complete when modifying an ASM signature set.
Component: Application Security Manager
Symptoms:
When modifying an ASM signature set that is not attached to any security policy using iControl REST Patch or Delete commands, the command takes a long time to complete.
Conditions:
-- ASM provisioned.
-- Using REST API Patch or Delete command to modify an ASM signature set.
Impact:
Command takes longer (several seconds) to process on detached ASM signature sets than it takes to complete on attached signature sets.
Workaround:
None.
Fix:
Changes to signatures and signatures sets now only recompile policies that are affected by the change.
811745-4 : Failover between clustered DIAMETER devices can cause mirror connections to be disconnected
Component: Service Provider
Symptoms:
When using DIAMETER with certain settings, a failover might cause mirror connections to get disconnected.
Conditions:
-- Two or more BIG-IP systems in a high availability (HA) configuration.
-- Aggressive settings for the DIAMETER watchdog timeout and max failures.
Impact:
Loss of mirroring between BIG-IP systems.
Workaround:
None.
Fix:
Mirror connections no longer disconnect during a failover.
811145-4 : VMware View resources with SAML SSO are not working
Component: Access Policy Manager
Symptoms:
Connections to SAML-enabled VMware View resources fail with following error in /var/log/apm:
err vdi[18581]: 019cffff:3: /pathname: {a7.C} Failed to handle View request: Can't find 'artifact' parameter.
Conditions:
VMware View resource is configured with SAML SSO method.
Impact:
Users cannot launch VMware View apps/desktops via SAML-enabled resource.
Workaround:
None.
Fix:
Can now successfully use VMware View resources with SAML SSO.
810557-9 : ASM ConfigSync Hardening
Solution Article: K05123525
810537-3 : TMM may consume excessive resources while processing iRules
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may consume excessive resources while processing iRules.
Conditions:
HTTP VS enabled.
iRule using HTTP_PROXY_REQUEST configured.
Impact:
Excessive resource consumption, potentially leading to a failover event.
Workaround:
None.
Fix:
TMM now consumes resources as expected.
809377-4 : AFM ConfigSync Hardening
Solution Article: K05123525
809205-3 : CVE-2019-3855: libssh2 Vulnerability
Component: TMOS
Symptoms:
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server.
Conditions:
-- Authenticated administrative user with Advanced Shell Access.
-- Use of cURL from the command line to connect to a compromised SSH server.
Impact:
A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.
Workaround:
None.
Fix:
libcurl updated
809165-4 : TMM may crash will processing connector traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions TMM may crash will processing connector traffic.
Conditions:
Virtual service with Connector profile enabled.
Impact:
TMM crash leading to a failover event.
Workaround:
None.
Fix:
TMM now handles connector traffic as expected.
808525-4 : TMM may crash while processing Diameter traffic
Component: Service Provider
Symptoms:
Under certain conditions, TMM may crash while processing Diameter traffic.
Conditions:
Virtual server with Diameter profile enabled.
Impact:
TMM crash leading to a failover event.
Workaround:
None.
Fix:
TMM now processes Diameter traffic as expected.
808301-1 : TMM may crash while processing IP traffic
Component: Local Traffic Manager
Symptoms:
TMM crash with 'Assertion "l4hdr set" failed' panic message in /var/log/tmm* log.
Conditions:
Packet filter is enabled.
Impact:
TMM crash leading to a failover event.
Workaround:
Disable the packet filter.
Fix:
TMM handles IP traffic as expected.
807477-9 : ConfigSync Hardening
Solution Article: K04280042
807445 : Replaced ISC_TRUE and ISC_FALSE with true and false
Component: Global Traffic Manager (DNS)
Symptoms:
Updated the zrd code to remove references to ISC_TRUE and ISC_FALSE since the software is upgraded BIND to 9.11.8 and those macros do not exist anymore.
Conditions:
BIND version is earlier than 9.11.8.
Impact:
There is no functional impact.
Workaround:
None.
Fix:
Removed references to ISC_TRUE and ISC_FALSE zrd since the software has been upgraded to BIND to 9.11.8 and those macros do not exist anymore.
805837-4 : REST does not follow current design best practices
Solution Article: K22441651
804185-3 : Some WebSafe request signatures may not work as expected
Component: Fraud Protection Services
Symptoms:
Request signatures are part of the WebSafe signature mechanism. The request signature is achieved by configuring an FPS-protected URL and a corresponding custom-alert. If the URL is a wildcard, a priority must be assigned to determine the order of matching. URL matching by priority is not working properly. As a result, the signature do not work as expected
Conditions:
There is at least one wildcard URL configured by the request signature update file.
Impact:
A portion of WebSafe request signature do not work as expected:
-- An alert is sent, though it should not be (false-positive).
-- An alert was not sent, though it should be (false-negative).
Workaround:
Configure the same signature manually in the BIG-IP system's GUI/tmsh.
Fix:
FPS now correctly handles signature-based wildcard URL's priority.
803477-1 : BaDoS State file load failure when signature protection is off
Component: Anomaly Detection Services
Symptoms:
Behavioral DoS (BADoS) loses its learned thresholds.
Conditions:
Restart of admd when signature protection is off.
Impact:
The system must relearn the thresholds, BADoS protection is not available during the learning time.
Workaround:
Turn on signatures detection.
Fix:
BADoS State file successfully loads after admd restart, even without signatures detection.
800453-1 : False positive virus violations
Component: Application Security Manager
Symptoms:
False positive ASM virus violations.
Conditions:
Specific connection characteristics between ASM and the antivirus server may cause replies from the antivirus server to be missed by the ASM. ASM reports a virus when the antivirus reply is timed out.
Impact:
False positive blocking or violation reporting.
Workaround:
The EnableASMByPass internal parameter setting can be configured to allow the antivirus server to not reply, so it won't issue a violation when it occurs.
/usr/share/ts/bin/add_del_internal add EnableASMByPass 1
bigstart restart asm
Notes:
When the internal is enabled, asm will also bypass huge HTTP requests (when they come on multiple connections) instead of reseting them.
799617-4 : ConfigSync Hardening
Solution Article: K05123525
799589-4 : ConfigSync Hardening
Solution Article: K05123525
799149 : Authentication fails with empty password
Component: Access Policy Manager
Symptoms:
Per-req policy authentication fails when an empty password is detected. Following errors are seen in apm logs:
-- err apmd[13930]: 01490301:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Empty session variable value received from tmm.
-- err apmd[13930]: 01490302:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Failed to decrypt session variable 'subsession.logon.last.password' from tmm with error code: 3.
Conditions:
-- APM is licensed and provisioned.
-- Per-req policy is created with at least one Auth agent.
Impact:
APM end users cannot change a password/token or access backend resources.
Workaround:
None.
Fix:
Per-request policy auth no longer complains about empty password. If the backend server accepts an empty password, auth should work fine.
798261-4 : APMD fails to create session variables if spanning is enabled on SWG transparent virtual server
Component: Access Policy Manager
Symptoms:
The following logs showed up in APM log and user session was terminated.
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_finish_set_pipeline()" line: 720 Msg: Error: Set pipeline: While receiving response to 0 cmd set /.*/tmm.session.6833364e.session.assigned.uuid 0 0 32 s
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_server_disconnect()" line: 2533 Msg: Error: bad memcache connection (tmm:1), (fd:205)
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
The SET command failed because it incorrectly attempted to create session variable in all traffic groups.
Conditions:
1. Virtual address for SWG transparent is 0.0.0.0
2. Spanning on the virtual address is enabled.
Impact:
User sessions will be terminated
Workaround:
Disable virtual address spanning.
Fix:
N/A
797885-4 : ConfigSync Hardening
Solution Article: K05123525
797785-3 : AVR reports no ASM-Anomalies data.
Component: Application Visibility and Reporting
Symptoms:
AVR collects data for ASM-Anomalies, which include Brute-Force and Web-Scraping activities. When reported, all metrics and dimensions are hidden. AVR output looks like this:
errdefs_msgno=\"22282253\",Entity=\"ASM_ANOMALIES\
Conditions:
When gathering statistics reporting a Brute-Force or Web-Scraping attack.
Impact:
AVR reports no ASM-Anomalies data.
Workaround:
None.
796469-2 : ConfigSync Hardening
Solution Article: K05123525
795797-4 : AFM WebUI Hardening
Solution Article: K21121741
795437-2 : Improve handling of TCP traffic for iRules
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM stops processing TCP traffic when processed by an iRule
Conditions:
-- TCP profile is configured
-- Invalid packet construction
Impact:
TMM may crash, leading to a failover event.
Workaround:
None.
Fix:
TMM handles TCP traffic for iRule as expected.
795197-3 : Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Solution Article: K26618426
794501-4 : Duplicate if_indexes and OIDs between interfaces and tunnels
Component: TMOS
Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.
Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.
Impact:
Duplicate if_indexes and duplicate OIDs. SNMP logs error messages:
# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
if-index 64 <-------------------------------
net interface mgmt {
if-index 32
net vlan external {
if-index 96
net vlan internal {
if-index 112
net vlan test {
if-index 128
net vlan tmm_bp {
if-index 48
net tunnels tunnel http-tunnel {
if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
if-index 80
# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm
-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: high availability (HA) daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: high availability (HA) daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: high availability (HA) proc_running named enabled.
=========================
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289
Workaround:
No workaround currently known.
Fix:
Duplicate if_indexes are no longer assigned to tunnels and interfaces. The resulting duplicate SNMP OIDs are prevented.
794493 : Cannot modify chain certificate in parent profile via iApp
Component: Local Traffic Manager
Symptoms:
Modifying a parent profile via iApp results in error message:
err mcpd[5352]: 0107149e:3: Virtual server /Common/vs_test has more than one clientssl/serverssl profile with same server name.
Conditions:
1. Parent profile created via iApp.
2. Create a child profile from parent profile.
3. Assign child profile to a virtual server.
3. Modify the parent profile certificate key chain via iApp.
Impact:
Not able to modify SSL profile certificate key chain from iApp. Failure error message is reported on iApp and in ltm log.
Workaround:
None.
Fix:
You can now modify SSL profile certificate key chain from iApp without error.
794413-9 : BIND vulnerability CVE-2019-6471
Solution Article: K10092301
794389-9 : iControl REST endpoint response inconsistency
Solution Article: K89509323
793121-1 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
Component: TMOS
Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.
Conditions:
The TMUI redirect-http-to-https is enabled.
Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.
Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.
792265-1 : Traffic logs does not include the BIG-IQ tags
Component: Application Visibility and Reporting
Symptoms:
AVR collects traffic data. When that data is reported to BIG-IQ, it omits the BIG-IQ tags which are required by BIG-IQ.
Conditions:
When AVR collects traffic data and sending it BIG-IQ.
Impact:
There are no BIG-IQ tags in the traffic logs. BIG-IQ is unable to map traffic-capturing logs to applications.
Workaround:
None.
Fix:
Traffic logs now include the BIG-IQ tags.
791369-4 : The REST framework may reflect client data in error logs
Component: Device Management
Symptoms:
Under certain conditions, the REST framework may reflect client-provided data into error logs.
Conditions:
REST framework error condition.
Logging enabled.
Impact:
Client-provided data present in REST error logs.
Workaround:
None.
Fix:
REST framework now sanitizes error log output.
790205-2 : Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core
Component: Local Traffic Manager
Symptoms:
TMM cores when adding a route (either statically or dynamically) to a child route domain.
Conditions:
Adding a more-specific route to a child domain that overrides a route in the default domain.
Impact:
TMM cores. A failover or outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores when adding routes to child domains.
789893-4 : SCP file transfer hardening
Component: TMOS
Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Conditions:
Administrative user with SCP access.
Impact:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Workaround:
None.
Fix:
The SCP file transfer system now follows current best practices.
788773-4 : HTTP/2 Vulnerability: CVE-2019-9515
Solution Article: K50233772
788769-4 : HTTP/2 Vulnerability: CVE-2019-9514
Solution Article: K01988340
788557 : BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior
Component: TMOS
Symptoms:
GRST - BGP graceful reset.
The problem occurs when the routing daemon bgpd restarts/starts (e.g., by terminating the bgpd daemon) its distribution of a process and is not supported. Another way we've found is to call "bigstart restart" command on a primary blade on chassis with more than one blade.
After the new primary blade takes over, BGP and BFD sessions are recreated at around the 'graceful restart' timeout interval.
Conditions:
-- BGP and BFD are configured.
-- BGP router's 'graceful restart' option is configured, enabled (set to 120 by default).
-- The bgpd daemon is terminated.
Another way to trigger the issue is to run 'bigstart restart' on a primary blade on a chassis with more than one blade.
Impact:
If BGP peering is reset, it causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocol from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decisions come from networks learnt by affected routing protocol when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system, typically, the routing convergence period, which includes setting the peering and exchanging routing information and routes.
Workaround:
None.
Fix:
BGP and BFD peering is not recreated in GRST timeout anymore.
788417-3 : Remote Desktop client on macOS may show resource auth token on credentials prompt
Component: Access Policy Manager
Symptoms:
APM uses the 'username' attribute to pass auth token for SSO enabled native RDP resources on macOS. In case Windows policy forces the user to provide credentials, or if Single Sign-on fails, the end user may see a credentials prompt containing the base 64-encoded auth token in the username field.
This behavior is observed only with Remote Desktop Client v10.x for macOS.
Conditions:
-- APM Webtop is configured with Single Sign-on enabled native RDP resource.
-- Try to access the RDP resource from macOS using RDP client v10.x.
Note: This issue is known to occur when Microsoft Group Policy 'Always prompt for password upon connection' is enabled on the target RDP server: Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Security \ Always prompt for password upon connection.
Impact:
Prompt for credentials (contains auth token in username field) causing APM end user confusion.
Workaround:
Apply the following iRule:
Note: With the following iRule implemented, users running RDP client v8 for macOS may see an empty credentials prompt when launching APM native RDP resources.
when HTTP_RESPONSE_RELEASE {
catch {
set locationUri [HTTP::header Location]
if { [HTTP::status] == 302 && $locationUri starts_with "rdp://" &&
$locationUri contains "username=s:f5_apm"} {
HTTP::header Location \
[string map {"username=s:f5_apm" "gatewayaccesstoken=s:"} $locationUri]
}
}
}
Fix:
Remote Desktop client on macOS does not show resource auth token on credentials prompt.
788325-4 : Header continuation rule is applied to request/response line
Component: Local Traffic Manager
Symptoms:
When a browser communicates with a server over HTTP, it can split a long header into several lines, prepending continuation lines with leading whitespace symbols. This rule does not apply to request or response line, so having leading whitespace in a first header line is invalid. The BIG-IP system parses such line a header with empty value.
Conditions:
A virtual server is configured on the BIG-IP system with HTTP profile.
Impact:
The BIG-IP system can hide some important HTTP headers either passing those to the pool member or failing to properly handle the request (or response) or failing to correctly load balance a connection (or request in case of OneConnect profile).
Workaround:
None.
Fix:
Now, when the BIG-IP system receives an invalid request or response with leading whitespace in first header line, it properly parses the header and handles it correctly.
788301-3 : SNMPv3 Hardening
Solution Article: K58243048
Component: TMOS
Symptoms:
SNMPv3 agents do not follow current best practices.
Conditions:
SNMPv3 agents enabled.
Impact:
SNMPv3 agents do not follow current best practices.
Fix:
SNMPv3 features now follow current best practices.
788269-1 : Adding toggle to disable AVR widgets on device-groups
Component: Application Visibility and Reporting
Symptoms:
Devices on device-group get into state of not-synced when AVR-related widgets are created or modified.
It occurs more frequently when manual config sync is enabled.
It can also occur when visiting a widgets page for the first time that automatically creates default widgets on the first page visit, such as Security :: Overview : Application : Traffic. This can make it appear that a 'read-only' user visiting the page has triggered the need for a config sync.
Conditions:
-- Two or more devices are in a device-group.
-- AVR-related widgets are created or modified.
Impact:
Devices go into a non-synced state.
Workaround:
None.
Fix:
A DB-variable called avr.gui.widgets.sync has been added to disable widgets syncing. Possible values are 'disable' or 'enable', it is enabled by default.
Behavior Change:
This release adds a DB-variable, avr.gui.widgets.sync, to disable widget syncing. Possible values are 'disable' or 'enable'. It is enabled by default.
787901 : While deleting a DoS profile, tmm might core in sPVA
Component: Advanced Firewall Manager
Symptoms:
When trying to delete a DoS profile attached to a virtual server, it is possible that tmm might core and restart.
Conditions:
-- An AFM DoS profile is attached to a virtual server.
-- Some of the DoS attacks are programmed into hardware (HW) through sPVA.
-- That DoS profile is deleted.
Impact:
tmm might generate a core and restart. Traffic disrupted while tmm restarts.
Workaround:
Use software (SW) DoS only.
Fix:
The tmm process no longer generates a core and restarts when deleting a profile that is attached to a virtual server.
787825-3 : Database monitors debug logs have plaintext password printed in the log file
Solution Article: K58243048
Component: Local Traffic Manager
Symptoms:
When monitor instance is in "debug" logging enabled mode for certain monitor types, the resulting monitor instance logs may contain sensitive details like password
Conditions:
When debug mode is enabled for following monitoring types
1. mssql
2. mysql
3. oracle
4. postgresql
Impact:
The user-account password configured in the health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors/.
Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected monitor types. 2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes , remove the resulting log files from the BIG-IP system after troubleshooting is completed.
Fix:
The password filed for monitor will now be redacted by external monitors when monitor debugging is enabled.
787677-1 : AVRD stays at 100% CPU constantly on some systems
Component: Application Visibility and Reporting
Symptoms:
One thread of the avrd process spontaneously starts to consume 100% CPU.
Conditions:
The exact conditions under which this occurs are unknown, but might occur only on vCMP configurations.
Impact:
System performance degrades.
Workaround:
Restart TMM:
bigstart restart tmm
Fix:
Added processing that prevents AVRD from entering endless loops.
787477-1 : Export fails from partitions with '-' as second character
Component: Access Policy Manager
Symptoms:
Attempting to export a profile/policy from partition using the hyphen/dash (-) as the second character results in error message:
'Incorrect arguments: <partition> is not specified' error.
Conditions:
Partition with '-' as second character in the name.
Impact:
Unable to export policy from given partition
Workaround:
Rename partition without '-' as the second character.
Fix:
Export is working as expected in this scenario.
784989-4 : TMM may crash with panic message: Assertion 'cookie name exists' failed
Component: Access Policy Manager
Symptoms:
TMM crashes with SIGFPE panic
panic: ../modules/hudfilter/http/http_cookie.c:489: Assertion 'cookie name exists' failed.
Conditions:
-- Virtual server with remote desktop or VDI profile attached.
-- VDI logging level is set to Debug.
-- iRule that modifies/reads HTTP cookies.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Increase the log-level for VDI from 'Debug' to a higher level.
Fix:
Fixed TMM crash, which occurred when remotedesktop/VDI profile was used together with custom iRule and Debug level logging.
783817-4 : UI becomes unresponsive when accessing Access active session information
Component: Access Policy Manager
Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.
The following error messages shows up in TMM log:
-- notice mcp error: 0x1020002 at ../mcp/db_access.c:831
-- notice mcp error: 0x1020031 at ../mcp/mcp_config.c:588
Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- If Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
Impact:
Some session variables may be lost, which results in UI hang. Admin UI becomes unusable.
Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
783513-1 : ASU is very slow on device with hundreds of policies due to logging profile handling
Component: Application Security Manager
Symptoms:
Signature Update (ASU) is very slow on devices with hundreds of policies due to logging profile handling.
Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- The BIG-IP is configured for logging profile handling.
Impact:
The ASU process takes hours to complete.
Workaround:
None.
782529-4 : iRules does not follow current design best practices
Component: Local Traffic Manager
Symptoms:
iRules does not follow current design best practices.
Conditions:
iRules does not follow current design best practices.
Impact:
iRules does not follow current design best practices.
Workaround:
None.
Fix:
iRules now follows current design best practices.
Behavior Change:
Database variable 'tmm.tcl.rule.connect.allow_loopback_addresses' was created to toggle whether or not to allow loopback addresses; TRUE will restore previous behavior and enable loopback connections.
Default value is FALSE.
781753-1 : WebSocket traffic is transmitted with unknown opcodes
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not preserve WebSocket frames. Frame headers and payload may be reordered such that a header for a second frame may be sent out in the middle of a first frame's payload. Frame boundaries get skewed and payload gets interpreted as headers.
Conditions:
A request logging profile is configured on a WebSocket virtual server.
Impact:
WebSocket frames are not preserved such that traffic appears to be garbage.
-- If request logging is enabled, client frames may not be preserved.
-- If response logging is enabled, server frames may not be preserved.
Workaround:
Remove the request logging profile.
781637-4 : ASM brute force counts unnecessary failed logins for NTLM
Component: Application Security Manager
Symptoms:
False positive brute force violation raised and login request is blocked
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM Brute force protection enabled for NTLM login type
Impact:
login request blocked by asm policy
Workaround:
Define higher thresholds in brute force protection settings
Fix:
asm code has been fixed and do not count unnecessary failed logins for NTLM
781605-1 : Fix RFC issue with the multipart parser
Component: Application Security Manager
Symptoms:
false positive or false negative attack signature match on multipart payload.
Conditions:
very specific parsing issue.
Impact:
A parameter specific excluded signature may be matched or un-matched.
Workaround:
N/A
Fix:
Multi part parser issue was fixed.
781581-4 : Monpd uses excessive memory on requests for network_log data
Component: Application Visibility and Reporting
Symptoms:
Monpd allocates excessive memory on multi-blade devices, and in some cases the kernel may kill monpd. The following log signature may be encountered in /var/log/kern.log:
err kernel: : [1537424.588160] Out of memory: Kill process 28371 (monpd) score 117 or sacrifice child
Conditions:
This can occur in a multi-blade BIG-IP environment when you are displaying pages that query for network_log data, for example Bot Defense requests in the event log, or realtime AVR data.
Impact:
Large fluctuations in host memory usage, occasionally leading to OOM events.
Workaround:
None.
Fix:
A db variable has been added: avr.eventlogsreportrownumber, which controls the number of logs displayed. The db variable default is 10000, and supports a range from 100 through 1000000.
Note: Using the maximum value may trigger the behavior described here. The system behavior depends on the specific machine hardware.
781449-4 : Increase efficiency of sPVA DoS protection on wildcard virtual servers
Component: Advanced Firewall Manager
Symptoms:
Certain characteristics of received packets can reduce the efficiency of filtering during a denial-of-service attack
Conditions:
-- AFM using hardware-based sPVA DoS protection.
-- bad-actor filtering configured on a wildcard virtual server.
Impact:
CPU usage increases, which might result in legitimate packets being dropped or delayed.
Workaround:
Configure bad-actor at the global-level instead of at the wildcard-virtual-server level.
Fix:
This release provides increased efficiency of sPVA DoS protection on wildcard virtual servers.
781377-1 : tmrouted may crash while processing Multicast Forwarding Cache messages
Component: TMOS
Symptoms:
Under certain conditions, tmrouted may crash while processing Multicast Forwarding Cache (MFC) messages.
Conditions:
tmrouted processing MFC messages.
Impact:
tmrouted crash, leading to a failover event.
Workaround:
None.
Fix:
tmrouted now processes MFC messages as expected.
781069-4 : Bot Defense challenge blocks requests with long Referer headers
Component: Application Security Manager
Symptoms:
The Bot Defense challenge may block the client if the Referer header is between about 1400 characters and 3072 characters long.
This client may get blocked by TCP RST, or suffer from a challenge loop.
Conditions:
-- Bot Defense with Verify before Access, or Proactive Bot Defense are configured
-- Request has a Referer header that is between ~1400 and 3072 characters long
Impact:
Legitimate browsers may get blocked or suffer from a challenge loop
Workaround:
Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.
Fix:
Challenges with long Referer headers no longer block legitimate clients.
780601-4 : SCP file transfer hardening
Component: TMOS
Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Conditions:
Administrative user with SCP access.
Impact:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Workaround:
None.
Fix:
The SCP file transfer system now follows current best practices.
779177-4 : Apmd logs "client-session-id" when access-policy debug log level is enabled
Component: Access Policy Manager
Symptoms:
Apmd logs the "client-session-id" when access-policy debug log level is enabled.
Conditions:
-- APM is provisioned and licensed.
-- Per-session policy is attached to virtual server.
-- Access-policy log level set to Debug.
Impact:
Client session ID is available in debug log files and may be visible to authenticated administrators
Workaround:
None.
Fix:
Apmd now no longer logs the client-session-id when access-policy debug log level is enabled.
778869-1 : ACLs and other AFM features (e.g., IPI) may not function as designed
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, ACLs, IPI and other AFM features may not function as designed.
Conditions:
AFM provisioned and configured.
TCP mitigations active.
Impact:
AFM features do not function as designed.
Workaround:
None.
Fix:
ACLs and other AFM rules (e.g., IPI) features now function as designed.
777737-2 : TMM may consume excessive resources when processing IP traffic
Component: Local Traffic Manager
Symptoms:
Under certain condition, TMM may consume excessive resources when processing IP traffic
Conditions:
CMP forwarding
Impact:
Excessive resource consumption, potentially leading to a failover event.
Workaround:
None.
Fix:
TMM now consumes resources as expected while processing IP traffic2
777733-1 : DoS profile default values cause config load failure on upgrade
Component: Advanced Firewall Manager
Symptoms:
Upon upgrading from 12.1.x, the config fails to load with an error similar to the following:
01071aa6:3: Dos DNS query data bad actor can not be enabled if per-source detection/limit pps is less than 1% of the Dos vector (a) rate threshold setting for sub-profile (PROFILE_DOS_NETWORK_VS-ADIB-GTM-ID177_53_UDP) of Dos profile (/Common/PROFILE_DOS_NETWORK_VS-ADIB-GTM-ID177_53_UDP).
Conditions:
-- AFM configured.
-- One or more SIP or DNS vectors are configured with the rate_threshold values set to the default in 12.x.
+ For SIP, the rate_threshold value in 12.x is 30000.
+ For DNS, the rate_threshold value in 12.x is 50000.
Impact:
During upgrade, the BIG-IP system fails to convert these thresholds to the new default value of 'infinite'. After upgrade, the configuration fails to load.
Workaround:
Manually edit the profile to disable bad-actor, or change the DNS and SIP default rate_threshold value to 'infinite', then config can be loaded.
For example, in this affected configuration for DNS:
dns-query-vector {
a {
allow-advertisement disabled
...
rate-increase 500
rate-limit 250000
rate-threshold 50000 <<---
}
Change it to this:
dns-query-vector {
a {
allow-advertisement disabled
...
rate-increase 500
rate-limit 250000
rate-threshold infinite
}
At that point, the configuration should load successfully.
Fix:
DNS and SIP default rate_threshold value of 50000 and 30000 of 12.1.x are now converted to default value of 'infinite' during upgrade, so the configuration loads as expected.
777261-2 : When SNMP cannot locate a file it logs messages repeatedly
Component: TMOS
Symptoms:
When the SNMP daemon experiences an error when it attempts to statfs a file then it logs an error message. If the file is not present then this error is repeatedly logged and can fill up the log file.
Conditions:
When an SNMP request causes the daemon to query a file on disk it is possible that a system error occurs. If the file is not present then the error is logged repeatedly.
Impact:
This can fill up the log with errors.
Fix:
The SNMP daemon has been fixed to log this error once.
777173-4 : Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error
Component: Access Policy Manager
Symptoms:
When administrator runs Citrix vdi iApp in APM standalone deployment (LTM is not licensed), iApp fails with the following error:
01070356:3: HTTP header transformation feature not licensed
This is result of a license check added for HTTP header transformation.
Conditions:
- APM is licensed as stand alone (no LTM license)
- Admin tries to run Citrix vdi iApp
Impact:
Administrator is not able to use the iApp to configure Citrix vdi access
Workaround:
Adding LTM module license will resolve the error.
Fix:
Citrix vdi iApp now can be used to configure Citrix vdi access in an APM standalone deployment.
775621-4 : urldb memory grows past the expected ~3.5GB
Component: Access Policy Manager
Symptoms:
When using the categorization engine (urldb), memory may increase when real-time update databases are downloaded (once every ten minutes, as available).
Conditions:
-- SWG provisioned.
-- Using urldb.
-- Real-time database updates occurring.
Impact:
Memory increases, and if there is not enough room on the BIG-IP system, urldb can core.
Workaround:
None.
Fix:
The system no longer preloads the database into memory, so memory no longer grows past what is expected.
775105-1 : False positive on bot defense logs
Component: Application Security Manager
Symptoms:
Remote log entries suggest that blocking events have occurred although their DoS profile is not set to block any traffic.
Conditions:
DoS profile is not set to block any traffic.
Impact:
False positives where remote log entries which suggest blocking events have occurred.
Workaround:
None.
Fix:
Bot defense remote logging profile attached to virtual servers and some bot signatures is be set to 'Report'.
775013-4 : TIME EXCEEDED alert has insufficient data for analysis
Component: Fraud Protection Services
Symptoms:
The time-exceeded alert does not include sufficient alert details to troubleshoot the process. It is difficult to determine whether or not the alert is valid, or how long past the request time the alert occurred.
Conditions:
Viewing alert logs for time-exceeded messages.
Impact:
Makes troubleshooting and/or analysis difficult.
Workaround:
None.
Fix:
All encryption failures alert now provides additional details to assist in troubleshooting the process.
774445-3 : BIG-IP VE does not pass traffic on ESXi 6.7 Update 2
Solution Article: K74921042
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.7 Update 2 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).
Conditions:
-- BIG-IP VE running on VMware ESXi 6.7 Update 2 (build number 13006603) hypervisor.
-- VMXNET 3 NICs.
Impact:
Traffic does not pass through non-mgmt interfaces.
Workaround:
You can use the following workarounds:
-- Until this issue is fixed in a Point-Release for your software branch, you can contact F5 Networks Technical Support to obtain an Engineering Hotfix to address the issue. This workaround allows TMM to continue to use the VMXNET3 driver, which is preferable.
-- On BIG-IP version 14.1.0, you can switch to the 'sock' driver.
-- On BIG-IP versions earlier than 14.1.0, you can switch to the 'unic' driver.
Note: The workarounds that switch driver must be applied individually to devices, as they do not synchronize via ConfigSync.
To switch driver:
1. Add a line to /config/tmm_init.tcl that reads 'device driver vendor_dev 15ad:07b0 DRIVER' (replacing DRIVER with 'unic' or 'sock', as appropriate). For example:
echo "device driver vendor_dev 15ad:07b0 sock" >> /config/tmm_init.tcl
2. Restart tmm for the changes to take effect (restarting tmm disrupts traffic):
bigstart restart tmm
3. After tmm restarts, confirm the driver in use by examining the output of:
tmctl -d blade tmm/device_probed
Fix:
BIG-IP VE now passes traffic on ESXi 6.7 Update 2.
773673-4 : HTTP/2 Vulnerability: CVE-2019-9512
Solution Article: K98053339
773649-4 : APM Client Logging
Solution Article: K23876153
773553-4 : ASM JSON parser false positive.
Component: Application Security Manager
Symptoms:
False positive JSON malformed violation.
Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.
Impact:
HTTP request is blocked or an alarm is raised.
Workaround:
There is no workaround other than disabling the JSON profile.
Fix:
JSON parser has been fixed as per RFC8259.
773421-2 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
Component: Local Traffic Manager
Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.
Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).
-- OneConnect is applied.
-- proxy-mss is enabled (the default value starting in v12.0.0).
Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.
Workaround:
Disable proxy-mss in the configured TCP profile.
Fix:
OneConnect prevents sending ICMP fragmentation needed messages to servers.
772233-1 : IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.
Component: Global Traffic Manager (DNS)
Symptoms:
When probing DNS Path, the metric round trip time (RTT) is not set correctly if the collection protocols used are NDS_DOT or DNS_REV.
The problem occurs only if the Path involves an IPv6 address; IPv4 address works fine.
Conditions:
-- Path involves IPv6 addresses.
-- Collection protocol used is either DNS_DOT or DNS_REV.
Impact:
RTT metric is not set at all.
Workaround:
Use collection protocols - ICMP instead.
Fix:
The problem for both collection protocols - DNS_DOT and DNS_REV no longer occurs, and the RTT is set correctly.
771873-3 : TMSH Hardening
Solution Article: K40378764
771173-1 : FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★
Component: Advanced Firewall Manager
Symptoms:
The system does not roll forward the FastL4 profile syn-cookie-enable attribute after upgrading from 12.x to 13.x and beyond.
Conditions:
This happens when upgrading from 12.x to 13.x and beyond.
Impact:
If syn cookies are explicitly disabled on a FastL4 profile prior to upgrading, they may be enabled.
Workaround:
You can fix the configuration by modifying it manually after upgrading.
In tmsh:
tmsh modify ltm profile fastl4 <profile_name> syn-cookie-enable <enabled|disabled>
771025-2 : AVR send domain names as an aggregate
Component: Application Visibility and Reporting
Symptoms:
AVR sends domain name as an aggregate of a number of domain names.
Conditions:
-- AVR receives more than the number of domain names it can handle.
-- After AVR gets DNS calls with different domain name, it no longer clears the domain name.
-- When AVR receives the maximum number of total domain names, it start to aggregate all the new domain names.
Impact:
Cannot see the correct domain name.
Workaround:
None.
Fix:
AVR now removes old domain names, so it can add new ones and send the actual domain names it collected.
770621-1 : [Portal Access] HTTP 308 redirect does not get rewritten
Component: Access Policy Manager
Symptoms:
Requests with URLs that are not rewritten in web application.
Conditions:
HTTP response from the backend with 308 redirect.
Impact:
HTTP Status Code 308 (Permanent Redirect) is not supported. Unexpected web application operation.
Workaround:
Use a custom iRule to rewrite the request.
Fix:
HTTP Status Code 308 (Permanent Redirect) is now supported; Location header is now rewritten.
770477-3 : SSL aborted when client_hello includes both renegotiation info extension and SCSV
Component: Local Traffic Manager
Symptoms:
Client SSL reports an error and terminates handshake.
Conditions:
Initial client_hello message includes both signaling mechanism for secure renegotiation: empty renegotiation_info extension and TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
Impact:
Unable to connect with SSL.
Workaround:
None.
Fix:
Allow both signaling mechanism in client_hello.
769981-3 : bd crashes in a specific scenario
Component: Application Security Manager
Symptoms:
bd crash with a core file.
Conditions:
-- XML profile with schema validation is attached to a security policy.
-- The bd.log shows out-of-memory messages relating to XML.
Impact:
Failover; traffic disruption.
Workaround:
Increase the memory XML uses by using the internal parameters total_xml_memory and/or additional_xml_memory_in_mb. For more information, see K10803: Customizing the amount of memory allocated to the BIG-IP ASM XML processing engine available at https://support.f5.com/csp/article/K10803
769809-2 : vCMP guests 'INOPERATIVE' after upgrade
Component: TMOS
Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests report as INOPERATIVE.
Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.
Impact:
vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.
Workaround:
None.
Fix:
The system now handles a guest unit key that has a NULL in it, so vCMP guests are no longer 'INOPERATIVE' after upgrade
769589-4 : CVE-2019-6974: Linux Kernel Vulnerability
Solution Article: K11186236
769309-3 : DB monitor reconnects to server on every probe when count = 0
Component: Local Traffic Manager
Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.
Conditions:
This occurs when using one of the LTM mssql, mysql, oracle or postgresql monitor types is configured with the default 'count' value of 0 (zero).
Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.
Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.
Fix:
The LTM database monitor keeps the network connection to the monitored database server open indefinitely when configured with the default 'count' value of 0 (zero).
769193-1 : Added support for faster congestion window increase in slow-start for stretch ACKs
Component: Local Traffic Manager
Symptoms:
When Appropriate Byte Counting is enabled (the default), TCP's congestion window increases slower in slow-start when the data receiver sends stretch ACKs.
Conditions:
-- TCP data sender receives stretch ACKs (ACKs that acknowledges more than 2*MSS bytes of data).
-- Appropriate Byte Counting (ABC) is enabled in slow-start.
Impact:
ABC limits the increase of congestion window by 2*MSS bytes per ACK. TCP's congestion window is increased slower in slow-start, which may lead to longer transfer times.
Workaround:
There is no workaround at this time.
Fix:
A new sys db (TM.TcpABCssLimit) is provided to set TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received. If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.
Behavior Change:
There is a new db variable, TM.TcpABCssLimit for specifying TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received.
Note: If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.
769061-4 : Improved details for learning suggestions to enable violation/sub-violation
Component: Application Security Manager
Symptoms:
The title for the entity in suggestions to enable violation/sub-violation is 'Match violation'/'Matched HTTP Check', though these suggestions are created when there is no match in the observed traffic.
Conditions:
There are learning suggestions to enable violations/sub-violation in the policy
Impact:
Misleading suggestion details.
Workaround:
None.
Fix:
The misleading word 'Matched' was removed from the title.
768981-4 : vCMP Hypervisor Hardening
Component: TMOS
Symptoms:
The vCMP hypervisor does not apply current design best practices.
Conditions:
vCMP hypervisor enabled.
Impact:
The vCMP hypervisor does not apply current design best practices.
Workaround:
None.
Fix:
The vCMP hypervisor now applies current best practices.
768761-4 : Improved accept action description for suggestions to disable signature/enable metacharacter in policy
Component: Application Security Manager
Symptoms:
It is difficult to understand the description for suggestions to disable signature or enable metacharacter on parameter/URL alternative action (accept for all entities).
Conditions:
There are suggestions to disable signature or enable metacharacter on parameter/URL.
Impact:
Action description can be difficult to understand.
Workaround:
None.
Fix:
'Accept for Any Entity' action has been renamed to 'Accept Globally'. The 'Charset' type is now mentioned in the action description for better understanding of the applied action.
768025-1 : SAML requests/responses fail with "failed to find certificate"
Component: Access Policy Manager
Symptoms:
BIG-IP as SP and BIG-IP as IdP fail to generate signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after the certificate that is used for signing is modified.
Conditions:
The certificate used for signing SAML requests/responses or SAML SLO requests/responses is modified or re-imported.
Impact:
When this issue occurs, SAML services are impacted when BIG-IP is configured as SP or IdP. Subsequent SAML/SAML SLO requests/responses fail with the error 'failed to find certificate'.
-- When BIG-IP is configured as IdP, then SAML Authentication fails and SAML/SAML SLO services do not work.
-- When BIG-IP is configured as SP, resources that need SAML Authentication cannot be accessed. Also, SAML SLO service does not work.
Workaround:
-- When BIG-IP as IdP is affected, configure a different certificate associated with SAML IdP configuration that is used for signing, change it back to the original certificate, and then the apply policy.
-- Similarly, when BIG-IP as SP is affected, configure a different certificate associated with SAML SP configuration that is used for signing, change it back to the original certificate, and then apply the policy.
Fix:
BIG-IP as SP and BIG-IP as IdP works as expected while generating signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after certificate that is used for signing is modified.
767653-2 : Malformed HTTP request can result in endless loop in an iRule script
Solution Article: K23860356
767045 : TMM cores while applying policy
Component: Anomaly Detection Services
Symptoms:
TMM core and possible cores of other daemons.
Conditions:
The exact conditions are unknown.
Occurrences have been seen during specialized internal testing and while applying a copied and edited ASM policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
766577-4 : APMD fails to send response to client and it already closed connection.
Component: Access Policy Manager
Symptoms:
APMD fails to send response to client and produces error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer
APMD does most of its action with backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server response is very slow (because of various reasons such as network issues), it might cause slow apmd client response. Sometimes, the client has already closed the connection to the virtual server, so the client connection is no longer valid.
Conditions:
Backend server is slow, causing longer-than-usual response times.
Impact:
This causes the client to close the connection. APMD fails to respond to the client.
The cumulative slowness of the backend server causes delay in response. Most of the time, the client connection is already closed. As a result, the request queue gets full. When apmd starts processing the request from the queue, the client connection is already closed for some of them, and processing those requests still continues, which is unnecessary and causes more delay.
Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.
765621-1 : POST request being rejected when using OAuth Resource Server mode
Component: Access Policy Manager
Symptoms:
POST request is rejected.
Conditions:
-- Using OAuth Resource Server access type.
-- Client sends a large POST body.
Impact:
The request is rejected.
Workaround:
Increase the tmm.access.maxrequestbodysize sys db variable to be larger than the POST body size.
Fix:
The system now supports larger POST requests in OAuth Resource Server mode.
765533-4 : Sensitive information logged when DEBUG logging enabled
Solution Article: K58243048
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048
Conditions:
For more information see: https://support.f5.com/csp/article/K58243048
Impact:
For more information see: https://support.f5.com/csp/article/K58243048
Workaround:
For more information see: https://support.f5.com/csp/article/K58243048
Fix:
For more information see: https://support.f5.com/csp/article/K58243048
764873-4 : An accelerated flow transmits packets to a dated, down pool member.
Component: TMOS
Symptoms:
Normally, when a pool member becomes unavailable, the flow is redirected towards another available pool member. However, an accelerated flow can continue to send traffic to the dated pool member rather than the updated one.
Conditions:
A flow changes the pool member it goes to while the flow is accelerated.
Impact:
The traffic continues to target the dated pool member that is not available.
Workaround:
Disable HW acceleration.
Or on BIG-IP v14.1.0 and later, if a pool member goes away, run the following command to flush all accelerated flow to be handled correctly by software:
tmsh modify sys conn flow-accel-type software-only
764665-1 : AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change
Component: Application Visibility and Reporting
Symptoms:
When BIG-IP is registered on BIG-IQ system, sometimes avrd crashes with core.
Conditions:
-- BIG-IP is registered at BIG-IQ.
-- BIG-IQ sends configuration update to BIG-IP.
Impact:
Avrd cores and restarts. Functionality is not impacted, stats data are sent to BIG-IQ.
Workaround:
None.
Fix:
Corrected issue in setting value for internal flag.
764373-1 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths
Component: Application Security Manager
Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.
Conditions:
Server sends enforced cookies with the same name but with different paths.
Impact:
A valid request might be rejected.
Workaround:
None.
Fix:
The system now checks all enforced cookies correctly, so this issue no longer includes.
763349-1 : AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out
Component: Application Visibility and Reporting
Symptoms:
avrd application on BIG-IP crashes; core is generated.
Conditions:
-- The BIG-IP is configured to send data to BIG-IQ DCD node via the HTTPS protocol.
-- Connection to DCD is established but response does not arrive within the timeout interval, so the connection times out.
Impact:
avrd crashes, and a core is generated.
Workaround:
None.
Fix:
avrd now reconnects to BIG-IQ DCD in a different sequence so this issue no longer occurs.
763121-1 : Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.
Component: Advanced Firewall Manager
Symptoms:
TMM crashes and produces a core file. The crash is a SIGFPE accompanied by the following panic string:
Assertion "packet must already have an ethernet header" failed.
Conditions:
This issue occurs when all of the following conditions are met:
- The system is provisioned for AFM.
- A TCP Half Open attack to the system is underway.
- A BIG-IP Administrator attempts to use the AFM Packet Tester tool, and simulates sending a TCP segment with the SYN flag set.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the AFM Packet Tester tool while a TCP Half Open attack is underway.
Fix:
TMM no longer crashes when utilizing the AFM Packet Tester tool.
763005-2 : Aggregated Domain Names in DNS statistics are shown as random domain name
Component: Application Visibility and Reporting
Symptoms:
Many DNS queries (e.g., 50000) with different query domain names are sent and AVR aggregates data it shows aggregated names using a random name taken from the first lookup table record.
Conditions:
-- Run 50000 DNS queries, all with different domain names.
-- View Statistics :: Analytics :: DNS, and choose View By : Domain Names.
Impact:
There is one random domain name with a high counter value, other domains are shown with counter 1.
Workaround:
None.
763001-2 : Web-socket enforcement might lead to a false negative
Component: Application Security Manager
Symptoms:
A request that should be blocked will be passed to server.
Conditions:
Parse parameters flag in json profile is enabled.
Requests are sent in json websocket.
Impact:
Bad requests may be passed to the server
Workaround:
Disable parse parameters flag in json profile
Fix:
Web-socket enforcement now filters requests as expected.
762453 : Hardware cryptography acceleration may fail
Component: TMOS
Symptoms:
Host reports the following error message:
Device error: crypto codec qat-cryptoXX-Y queue is stuck.
Conditions:
Platform with access to Intel QAT cryptography hardware
Hardware cryptography acceleration enabled
Impact:
Hardware cryptography acceleration failure, leading to a failover event.
Workaround:
Disable hardware crypto acceleration for impacted device.
Fix:
Platforms with QAT accelerators now function as expected.
761993-4 : The nsm process may crash if it detects a nexthop mismatch
Component: TMOS
Symptoms:
If there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop, nsm may crash and restart.
Conditions:
-- Dynamic routing is in use.
-- A mismatch between tmrouted and nsm for the interface index or gateway of a nexthop exists.
Impact:
There is a temporary interruption to dynamic routing while nsm is restarted.
Workaround:
None.
Fix:
Prevented nsm crashing when there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop.
761941-3 : ASM does not remove CSRT token query parameter before forwarding a request to the backend server
Component: Application Security Manager
Symptoms:
CSRT query parameter observed in tcpdump on the BIG-IP system's server side.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF enabled in ASM policy.
Impact:
Backend app gets CSRT parameter, which might impact its business logic.
Workaround:
You can remove a CSRT query parameter using a URI modification iRule on the server side.
Fix:
The system now removes the csrt query parameter before forwarding a request to the backend server
761921-3 : avrd high CPU utilization due to perpetual connection attempts
Component: Application Security Manager
Symptoms:
avrd shows high CPU utilization. Repeated retries on auth token client failed connection attempts.
Conditions:
-- The BIG-IQ system is not available (even though it is configured).
-- Frequent connection retries.
Impact:
avrd consumes a large amount of CPU.
Workaround:
Correct BIG-IQ availability and restart avrd.
Fix:
avrd now waits between connection retries, so this issue does not occur.
761553-4 : Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic
Component: Application Security Manager
Symptoms:
Text for analyzed requests might be misleading for suggestions that are created as result of an absence of violations in traffic:
X requests triggered this suggestion from date:time until date:time.
Actually:
-- 'X requests' did not trigger a violation, and no sampled are requests provided.
-- The format of the time in 'from date:time until date:time' is difficult to parse.
Conditions:
There are suggestions that were created as result of an absence of violations in traffic in the policy.
Impact:
Text might be misleading.
Workaround:
None.
Fix:
Improved text for analyzed requests for suggestions that were created as result of absence of violations in traffic
761549-4 : Traffic Learning: Accept and Stage action is shown only in case entity is not in staging
Component: Application Security Manager
Symptoms:
Accept and Stage action is available, even for entities that are in staging already.
Conditions:
Create suggestion for the entity (e.g., Attack signature on parameter) that is in staging.
Impact:
Action that is not relevant is shown.
Workaround:
None.
Fix:
Accept and Stage action is available only for suggestions on entities that are not in staging
761345-1 : Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode
Component: Advanced Firewall Manager
Symptoms:
When manual config-sync mode is enabled for a HA setup, additional config-sync may be required after firewall blob compilation.
Conditions:
Firewall rule configuration modified on a high availability (HA) setup with manual config-sync mode enabled.
Impact:
Additional config-sync may be required after compilation completion.
A warning may be given: "There is a possible change conflict between <device1> and <device2>.", and full sync may be forced.
Workaround:
Enable auto config-sync instead of manual config-sync.
Fix:
Additional config-sync is not required in these conditions.
761300 : Errors in REST token requests may log sensitive data
Component: Device Management
Symptoms:
When requests for REST tokens generate a parsing error the logged message may contain sensitive data present in the request, including passwords.
Conditions:
Error in token request parsing. Typically causes include a typo or other JSON syntax error in the POST body of the REST request.
Impact:
Restlogs record sensitive data. Properly formatted requests do not generate this error logging and do not record sensitive data.
Workaround:
None.
Fix:
Sensitive data is now filtered from logging.
761273-1 : wr_urldbd creates sparse log files by writing from the previous position after logrotate.
Component: Traffic Classification Engine
Symptoms:
After log rotation, the wr_urldbd daemon continues to write at the pre-rotate offset into the file, so the next message is written at offset N, making the file sparse, with all characters prior to position being read as nulls.
Conditions:
System rotates log files.
Impact:
Some automated systems might not be able to read log file.
Workaround:
None.
Fix:
Log file preserves text file type after log rotation.
761231-4 : Bot Defense Search Engines getting blocked after configuring DNS correctly
Component: Application Security Manager
Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.
A cache is stored for legal / illegal requests to prevent querying the DNS again.
This cache never expires, so in case of an initial misconfiguration, after fixing the DNS configuration, or routing or networking issue, the Search Engines may still be blocked until TMM is restarted.
Conditions:
-- Initial misconfiguration of DNS or routing or networking issue.
-- Cache stores requests to prevent future queries to DNS.
-- Correct the misconfiguration.
Impact:
Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.
Workaround:
Restart TMM by running the following command:
bigstart restart tmm
Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.
761144-6 : Broadcast frames may be dropped
Component: TMOS
Symptoms:
Under certain conditions, broadcast Ethernet frames may be dropped.
Conditions:
Multi-blade systems.
Stand-alone appliances and VE systems are not affected.
Single-blade vCMP guests are not affected.
Impact:
Dropped Ethernet frames.
Workaround:
None.
Fix:
Broadcast frames are now processed as expected.
761032-4 : TMSH displays TSIG keys
Component: Global Traffic Manager (DNS)
Symptoms:
TSIG key is displayed when related configuration is listed in TMSH.
Conditions:
Authenticated administrative user.
Listing TSIG keys using TMSH.
Impact:
Displaying TSIG keys is a security exposure.
Workaround:
None.
Fix:
TMSH no longer displays TSIG keys when listing configuration.
761030-1 : tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route
Component: Local Traffic Manager
Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not shown using the show net route lookup command.
Conditions:
-- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.
-- Dynamic Routing protocols such as OSPFv3 configured.
Impact:
Cannot see any dynamic routes added while IPv4-mapped IPv6 addresses are configured.
Workaround:
None.
Fix:
The query for IPv4-mapped IPv6 addresses now shows dynamic routes added while IPv4-mapped IPv6 is configured.
761014-4 : TMM may crash while processing local traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing local network traffic.
Conditions:
Multi-blade chassis, including multi-blade vCMP guests.
Impact:
TMM crash leading to a failover event.
Workaround:
None.
Fix:
TMM now processes local network traffic as expected.
760974-1 : TMM SIGABRT while evaluating access policy
Component: Access Policy Manager
Symptoms:
TMM cores while evaluating access policy.
Conditions:
-- Secure Web Gateway is configured and in use.
-- An access policy is being evaluated.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use an iRule similar to the following:
when ACCESS_POLICY_COMPLETED {
set res [ACCESS::session data get "session.policy.result"]
if {[string compare $res "in_progress"] == 0} {
log local0.notice "rejecting"
reject
}
log local0.notice "result :$res"
}
Fix:
TMM no longer cores under these conditions.
760961 : TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts
Component: Traffic Classification Engine
Symptoms:
Webroot daemon (wr_urldbd) crashes because of a socket handler issue that occurs when sending the URI categorization request to the BrightCloud server.
Wr_urldbd daemon restarts, and during startup, it loads the downloaded database to the shared memory channel. This shared memory channel is being used by the TMM, which has no information about the wr_urldbd restart, so tmm restarts.
Conditions:
-- Wr_urldbd restarts (which occurs due to an issue in socket handler when sending URL categorization requests to the BrightCloud server).
-- During wr_urldbd startup, the daemon starts loading the downloaded webroot database to the shared memory channel set up between the wr_urldbd and TMM.
-- TMM accesses this shared memory channel to perform a URL category lookup (due to traffic).
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes under these conditions.
760878-2 : Incorrect enforcement of explicit global parameters
Component: Application Security Manager
Symptoms:
A false positive or false negative enforcement of explicit global parameter.
Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.
Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.
Workaround:
Make the explicit parameters a wildcard parameter.
Fix:
Explicit parameters are enforced correctly on all parameters.
760771-3 : FastL4-steered traffic might cause SSL resume handshake delay
Component: Local Traffic Manager
Symptoms:
When a FastL4 virtual server steers traffic to another SSL-enabled virtual server, there can be a delay on SSL session resumption because SSL is unable to identify the connection flow.
Additionally, it has been observed that if fallback persistence is configured, the BIG-IP system might fail to start the connection serverside.
Conditions:
-- FastL4 virtual server.
-- iRule is used to steer traffic to another virtual server with client SSL enabled.
-- Multiple tmm's.
Impact:
-- Potential impact to SSL performance.
-- Possible connection failure.
Workaround:
To workaround this issue:
-- Disable FastL4.
-- Enable OneConnect.
Fix:
FastL4-steered traffic no longer causes SSL resume handshake delay.
760683-2 : RST from non-floating self-ip may use floating self-ip source mac-address
Component: Local Traffic Manager
Symptoms:
A RST from non-floating self-ip may use floating self-ip source mac-address when AFM or ASM is enabled.
Conditions:
-- AFM or ASM is enabled.
-- RST generated from non-floating self-ip address.
Impact:
An L2 switch may update the fwd table incorrectly.
Workaround:
None.
Fix:
The system now uses the correct source mac-address under these conditions.
760622-2 : Allow Device Certificate renewal from BIG-IP Configuration Utility
Component: TMOS
Symptoms:
Unable to renew Device Certificate from System :: Certificate Management : Device Certificate Management : Device Certificate :: server.crt in non-English BIG-IP configurations.
Conditions:
Attempting to renew a device certificate on the System :: Certificate Management : Device Certificate Management : Device Certificate :: using the server.crt-equivalent on a non-English BIG-IP system.
Impact:
Unable to renew Device Certificate from the BIG-IP Configuration Utility.
Workaround:
Use a command of the following syntax, replacing key name, cert name, and # of days with your values:
openssl req -new -x509 -key ../ssl.key/server.key -days <# of days> -out server.crt
For example, to renew the siteserver.key and siteserver.crt for 90 days, use the following command:
openssl req -new -x509 -key ../ssl.key/siteserver.key -days 90 -out siteserver.crt
Fix:
The system now allows Device Certificate renewal from BIG-IP Configuration Utility.
760550-3 : Retransmitted TCP packet has FIN bit set
Component: Local Traffic Manager
Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.
Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.
Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.
Workaround:
Set Nagle to disabled in the TCP profile.
Fix:
The incorrect FIN bit is removed.
760438-1 : PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions
Component: Policy Enforcement Manager
Symptoms:
tmm coredump
Conditions:
-- Using an iRule to apply a referential policy in a rigorous loop.
-- This is a rarely occurring timing issue.
Impact:
Traffic impact due to tmm coredump. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The BIG-IP system now validates session presence before applying the policy.
760408-1 : System Integrity Status: Invalid after BIOS update★
Solution Article: K23438711
Component: TMOS
Symptoms:
When BIG-IP system boots, it performs a System Integrity Check. The System Integrity Status may return one of three states: Valid, Unavailable, or Invalid.
This issue causes the System Integrity Status to return a value of 'Invalid'.
Conditions:
-- BIG-IP systems that have been manufactured using a earlier BIOS version.
-- Updating to a newer BIOS version.
Impact:
The System Integrity Status returns a status of Invalid, which may falsely indicate that the system BIOS or OS has been compromised.
Workaround:
Install the new BIOS, which fixes the issue that causes the 'Invalid' status to be reported, and, on systems where the BIOS and OS have not been compromised, returns a status of 'Valid'.
Fix:
The System Integrity Status check now return 'Valid' for systems that have not been compromised.
760363-2 : Update Alias Address field with default placeholder text
Component: TMOS
Symptoms:
Unable to update Alias Address field with the default value under Local Traffic :: Monitors :: [MonitorName] after removing everything from the input field and updating again with the placeholder text.
Conditions:
-- Using a system running software in which the GUI supports Chinese characters.
-- Remove content from the Alias Address field under Local Traffic :: Monitors:: [MonitorName].
-- Enter the default placeholder text.
Impact:
Unable to update the Alias Address input field with default placeholder text after replacing the said field with blank text or a valid value.
Workaround:
Pass empty value or ::
Fix:
Allow monitors to update with default placeholder text for Alias Address
760356-4 : Users with Application Security Administrator role cannot delete Scheduled Reports
Component: Application Visibility and Reporting
Symptoms:
User accounts configured with the Application Security Administrator role cannot delete scheduled reports, while they can create/view/edit them.
Conditions:
-- Logged on with a user account configured as an Application Security Administrator.
-- Attempting to delete a scheduled report.
Impact:
Cannot complete the delete operation. Deleting scheduled reports requires root/admin intervention.
Workaround:
Use root or a user account configured as Administrator to delete scheduled reports.
Fix:
User accounts configured with the Application Security Administrator role can now delete Scheduled Reports
760222-5 : SCP fails unexpected when FIPS mode is enabled
Component: TMOS
Symptoms:
Secure Copy (scp) to some locations fails with the following message:
Path not allowed.
Conditions:
-- FIPS mode is enabled.
-- Copying a file to a restricted location using SCP.
Impact:
Cannot use SCP to copy to restricted locations on the BIG-IP system.
Workaround:
None.
Fix:
This scp issue no longer occurs when FIPS cards are installed.
760130-1 : [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK
Component: Access Policy Manager
Symptoms:
-- Increased overall TMM memory usage, which eventually forces TMM to start closing connections to reduce memory usage.
-- connflow memory usage keeps increasing. Memory usage can be observed with this command:
# tmctl -f /var/tmstat/blade/tmm0 memory_usage_stat -w200
Conditions:
1. Using PingAccess.
2. Errors are being logged in /var/log/paa.
Impact:
-- Memory leak.
-- Eventually TMM starts closing connections randomly.
Workaround:
None.
Fix:
When PingAccess encounters an error after sending traffic data to PingAccess SDK, TMM no longer leaks memory.
759968 : Distinct vCMP guests are able to cluster with each other.
Component: Local Traffic Manager
Symptoms:
-- Distinct vCMP guests are able to cluster with each other.
-- Guests end up having duplicate rebroad_mac on one or more slots. This can be checked using below command:
clsh tmctl -d blade tmm/vcmp -w 200 -s vcmp_name,tmid,rebroad_mac
Check the 'rebroad_mac' field for duplicate mac addresses.
vcmp_name tmid rebroad_mac
--------- ---- -----------------
default 0 02:01:23:45:01:00
vcmp1 0 00:00:00:00:00:00
vcmp5 0 02:01:23:45:01:04
vcmp6 0 00:00:00:00:00:00
vcmp7 0 02:01:23:45:01:06
vcmp8 0 00:00:00:00:00:00
vcmp9 0 02:01:23:45:01:08
vcmp10 0 02:01:23:45:01:0A <--------------
vcmp11 0 02:01:23:45:01:0A <--------------
Conditions:
-- It is not yet clear under what circumstances the issue occurs.
-- One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate 'rebroad_mac' on one or more slots.
Impact:
Only the vCMP guest acting as primary will be operative.
Workaround:
-- Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:
modify sys db clusterd.communicateovertmmbp value false.
To disable the db variable on the affected guest use the following procedure:
1. stop sys service clusterd
2. modify sys db clusterd.communicateovertmmbp value false
3. start sys service clusterd
4. save sys conf
Afterwards, the affected guest may still have the wrong management IP address. To resolve that, log into the vCMP Hypervisor and force a management IP update such as changing the netmask.
Fix:
The vCMP guests no longer end up having a non-null and duplicate 'rebroad_mac' on one or more slots. Distinct vCMP guests are no longer able to cluster with each other.
759735-1 : OSPF ASE route calculation for new external-LSA delayed
Component: TMOS
Symptoms:
External link-state advertisement (LSA) update does not trigger OSPF ASE route calculation, resulting in delay for route state changes from external LSA.
Conditions:
-- OSPF enabled.
-- More than 20 updated external LSA.
-- No updated router and network LSA.
Impact:
Delay of route update from external LSA.
Workaround:
Manually clear ip ospf process.
Fix:
OSPF ASE route calculation from external LSA are happening as normal.
759721-4 : DNS GUI does not follow best practices
Solution Article: K03332436
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS WebUI does not follow best security practices.
Conditions:
DNS services provisioned, enabled, and configured
Impact:
The DNS WebUI does not follow best security practices.
Workaround:
None.
Fix:
The DNS WebUI now follows best security practices.
759638-1 : APM current active and established session counts out of sync after failover
Component: Access Policy Manager
Symptoms:
The 'tmsh show apm license' command shows that the current established session count is much larger than the current active session count. In the extreme case, current established session count can reach the maximum allowed, and the system reports the ERR_TOOBIG error in the apm log.
err tmm3[12351]: 01490581:3: (null):Common:00000000: Access stats encountered error: SessionDB operation failed (key: tmm.license.global_estab_stats.f26de3c7, ret: ERR_TOOBIG).
Conditions:
This counter out-of-sync period happens right after failover and lasts for five minutes.
Impact:
There is no impact to user sessions. Only the connection counts are impacted.
Workaround:
None.
759360 : Apply Policy fails due to policy corruption from previously enforced signature
Component: Application Security Manager
Symptoms:
Apply Policy fails due to policy corruption in PLC database from a previously enforced signature.
Conditions:
1. Export a policy containing a signature with an enforced rule.
2. Update ASM Signatures (ASU).
3. Import that previously exported policy.
4. Apply the newly imported policy.
Impact:
Apply policy fails.
Workaround:
As a workaround, run the following SQL, and then apply the policy:
----------------------------------------------------------------------
UPDATE PLC.PL_POLICY_NEGSIG_SIGNATURES SET previous_enforced_rule_md5 = '' WHERE previous_enforced_rule = '' and previous_enforced_rule_md5 != ''
----------------------------------------------------------------------
759192-1 : TMM core during display of PEM session under some specific conditions
Component: Policy Enforcement Manager
Symptoms:
TMM crashes during display of PEM session if the session has multiple IP addresses added under certain conditions.
Conditions:
-- Session has multiple IP addresses added.
-- When the session was created, addition of multiple IP addresses was not allowed.
Impact:
TMM restart. Traffic disrupted while tmm restarts.
Workaround:
Do not change the value of sys db variable tmm.pem.session.ip.addr.max while some sessions are already created.
Fix:
TMM core during display of PEM session no longer occurs.
759135-5 : AVR report limits are locked at 1000 transactions
Component: Application Visibility and Reporting
Symptoms:
AVR reports are limited to 1000 transactions. This is due to a hard-coded limit.
Conditions:
Using AVR reports for more than 1000 transactions.
Impact:
Unable to create reports with more than 1000 rows.
Workaround:
None.
Fix:
A db variable avr.stats.reportrownumberlimit has been added, that can be controlled via TMSH. The variable controls the number of rows in report within the range of 1 to 100000.
For example, for a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:
tmsh modify sys db avr.stats.reportrownumberlimit value 10000
Behavior Change:
There is a new db variable avr.stats.reportrownumberlimit available in TMSH, which controls the number of rows in an AVR report. Valid values are from 1 to 100000.
For example, to create a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:
tmsh modify sys db avr.stats.reportrownumberlimit value 10000
759077-4 : MRF SIP filter queue sizes not configurable
Component: Service Provider
Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.
Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes are exceeded, the filter enables its flow control logic.
Impact:
Messages may be dropped.
Workaround:
None.
Fix:
The max-pending-messages and max-pending-bytes values in the SIP router profile will be used as the limits for the SIP filter's queues. If the configured value is less than the existing hard-coded limits (512 bytes or 65535 bytes), the hard-coded limits will be used.
758992-1 : The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address
Component: Local Traffic Manager
Symptoms:
tmm may use a combination of the traffic-group MAC address and the per-VLAN MAC address for traffic associated with the traffic-group.
Conditions:
All of the following:
-- The traffic-group has a MAC address set.
-- The sys db variable 'tm.macmasqaddr_per_vlan' is set to true.
-- There are multiple tmm processes running on the BIG-IP system.
Note: BIG-IP Virtual Edition is not affected since there is only one tmm process.
Impact:
Incorrect MAC address used for traffic associated with the traffic-group.
Workaround:
None.
Fix:
tmm uses the proper MAC address when there is a traffic-group mac address defined and 'tm.macmasqaddr_per_vlan' is set to true.
758961 : During brute force attack, the attempted passwords may be logged
Solution Article: K58243048
Component: Application Security Manager
Symptoms:
Request data potentially included passwords is not masked in the ASM local and remote logger.
Conditions:
A brute force attack is in progress and login traffic is blocked from the suspicious IPs.
Impact:
An exposure of potentially sensitive data to the BIG-IP logger.
Workaround:
N/A
Fix:
Potentially sensitive data from brute force blocked requests is no longer logged.
758781-1 : iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates
Component: TMOS
Symptoms:
The following commands take a long time to complete when there are a large number of certificates:
get_certificate_list()
get_certificate_list_v2()
get_certificate_list_v3()
Conditions:
-- Using the get_certificate_list(), get_certificate_list_v2(), and get_certificate_list_v3() commands to get certificate information.
-- A large number of certificates (typically in the thousands) are installed on the BIG-IP system.
Impact:
Slowness might cause timeouts in applications that are calling these functions.
Workaround:
Use iControl REST API corresponding to sys/file/ssl-cert.
758764-4 : APMD Core when CRLDP Auth fails to download revoked certificate
Component: Access Policy Manager
Symptoms:
Download CRLDP Auth fails to download revoked certificates, so the list of revoked certificate remains empty (NULL). APMD cores while accessing this empty (NULL) list.
Conditions:
Empty revoked-certificate list handling.
Impact:
APMD core. No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso while apmd restarts.
Workaround:
None.
Fix:
The system now checks for empty revoked certificate lists (for NULL) and lets the validation OK (because there is nothing to validate against).
758527-4 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
Component: TMOS
Symptoms:
Under certain conditions BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.
Conditions:
Tagged VLANs in use.
STP pass-through mode enabled.
Impact:
Frames not delivered as expected.
Workaround:
Disable global STP.
Fix:
Frames now delivered as expected.
758336-1 : Incorrect recommendation in Online Help of Proactive Bot Defense
Component: Application Security Manager
Symptoms:
The online help of Proactive Bot Defense within the DoS profile shows the following under the 'Cross-Domain Requests' section:
Allow configured domains; validate in bulk: ... We recommend this option if your web site has many cross-domain resources.
Allow configured domains; validate upon request: ... We recommend this option if your web site does not have many cross-domain resources.
The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.
Conditions:
Application has multiple cross-domain resources.
Impact:
Confusing documentation. The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.
Workaround:
For many cross-domain resources, it is better to use 'validate upon request'.
Fix:
The online help of Proactive Bot Defense has been corrected under the 'Cross-Domain Requests' section.
758119-4 : qkview may contain sensitive information
Solution Article: K58243048
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048
Conditions:
For more information see: https://support.f5.com/csp/article/K58243048
Impact:
For more information see: https://support.f5.com/csp/article/K58243048
Workaround:
For more information see: https://support.f5.com/csp/article/K58243048
Fix:
For more information see: https://support.f5.com/csp/article/K58243048
758065-2 : TMM may consume excessive resources while processing FIX traffic
Component: Service Provider
Symptoms:
Under certain conditions, the TMM may consume excessive resources when processing traffic for a Virtual Server with FIX profile applied.
Conditions:
Virtual Server with FIX profile.
Impact:
Excessive resource consumption, potentially leading to a failover event.
Workaround:
None.
Fix:
TMM now processes FIX traffic as expected.
758018-3 : APD/APMD may consume excessive resources
Component: Access Policy Manager
Symptoms:
APD/APMD may consume excessive resources when processing certain requests
Conditions:
-- APM provisioned and enabled.
-- The service type is either SWG Explicit or Clientless Mode 3.
Impact:
Excessive resource consumption, potentially degrading overall throughput or leading to a failover event.
Workaround:
For Clientless Mode 3, replace with Clientless Mode 1 to work around the issue.
Fix:
APD/APMD now consumes the expected resources when processing requests
757992-1 : RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
Component: Access Policy Manager
Symptoms:
RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
Conditions:
-- Configure Floating IP with route domain.
-- Configure RADIUS accounting server with Pool Setup.
-- Configure the virtual server containing the access policy to use the RADIUS Accounting server.
-- Access the virtual server.
Impact:
-- START message is being sent through proper egress floating IP address.
-- STOP message is not sent, and the system logs the following error message:
-- err tmm1[11193]: 01490586:3: (null):Common:8a505e8c: Processing radius acct stop message failed, connection failure.
-- err tmm1[11193]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_RTE. File: ../modules/hudfilter/access/access_session.c, Function: access_session_final_callback, Line: 4439.
Workaround:
This issue is present only when the floating IP address is configured with a non-default route domain. It works fine with the default route domain. Use of default route domain is recommended.
Fix:
RADIUS Acct STOP message is now sent as expected.
757827-3 : Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution
Component: Local Traffic Manager
Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP reboot operation.
Conditions:
This may occur on affected BIG-IP versions when:
1. Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
2. DNS queries to resolve these FQDN names occur almost simultaneously.
3. The BIG-IP version in use contains the fix for ID 726319.
The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.
Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.
As a result, some pools may not have any active pool members, and will not pass traffic.
This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default fqdn interval value of 3600 seconds, such downtime would last approximately one hour.
Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter fqdn interval value for the FQDN nodes:
tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configure FQDN name.
Fix:
When using FQDN nodes and pool members, ephemeral pool members will be created as expected following a configuration-load or BIG-IP reboot operation.
However, messages similar to the following may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name:
err mcpd[20479]: 01020066:3: The requested Node (****) already exists in partition ****.
err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.
757781-1 : Portal Access: cookie exchange may be broken sometimes
Component: Access Policy Manager
Symptoms:
Portal Access uses special HTTP request with URL '/private/fm/volatile.html' to exchange cookie data between client and BIG-IP. Sometimes the BIG-IP system might send an invalid response to such a request. As a result, no cookie data can be sent from the backend server to the client.
Conditions:
Invalid response to HTTP requests with the following URL:
/private/fm/volatile.html.
Impact:
Portal Access client cannot see cookies set by the backend server. Backend server does not send cookie data to the client.
Workaround:
None.
Fix:
Portal Access now sends correct HTTP responses with backend cookie data to the client.
757722-1 : Unknown notify message types unsupported in IKEv2
Component: TMOS
Symptoms:
IKE negotiation fails when an unrecognized notify payload type is seen in a message processed by IKEv2.
Conditions:
Receiving an IKE message that contains a notify payload whose numeric type value is unrecognized by IKEv2.
Impact:
Negotiation fails with an aborted connection, preventing tunnel creation.
Workaround:
A peer can suppress notification payloads with advisory values that get rejected by IKEv2 within the BIG-IP system.
Fix:
All unknown notify types are now logged and then ignored.
757455-1 : Excessive resource consumption when processing REST requests
Solution Article: K87920510
757442-1 : A missed SYN cookie check causes crash at the standby TMM in HA mirroring system
Component: Local Traffic Manager
Symptoms:
In a high availability (HA) mirroring configuration, an L7 packet SYN cookie check may be skipped on the standby unit and eventually causes TMM to crash.
Conditions:
-- L7 traffic being passed to an HA configuration that is configured for mirroring traffic.
-- Failover occurs.
Impact:
TMM crashes on the standby device. No connections shown on the standby unit even when mirroring isenabled.
Workaround:
Do not use HA mirroring.
Fix:
The system now provides SYN cookie checks for L7 mirrored packets on the standby system.
757441-2 : Specific sequence of packets causes Fast Open to be effectively disabled
Component: Local Traffic Manager
Symptoms:
You see this warning in the logs:
warning tmm[21063]: 01010055:4: Syncookie embryonic connection counter -1 exceeded sys threshold 64000.
Conditions:
-- TCP Fast Open and ECN are both enabled.
-- There are multiple RST segments from the receive window received in SYN_RECEIVED state.
Impact:
TCP Fast open is disabled, as the pre_established_connections becomes very large (greater than a threshold).
Workaround:
TCP ECN option can be disabled.
Fix:
TCP Fast Open is prevented from being disabled when some conditions are met.
757414 : GUI Network Map slow page load with large configuration
Component: TMOS
Symptoms:
Network Map loads very slowly when displaying large configurations.
Conditions:
Open Network Map page with a large configuration, for example, 2500 or more virtual servers, pools, and pool members.
Impact:
The Network Map page loads too slowly to be usable.
Workaround:
None.
Fix:
Network Map no longer loads very slowly when displaying large configurations.
757391-3 : Datagroup iRule command class can lead to memory corruption
Component: Local Traffic Manager
Symptoms:
When using the iRule command to access datagroups within a foreach loop, memory can be corrupted and tmm can crash.
Conditions:
A [class] command used within a foreach loop.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround aside from removing that iRule.
Fix:
tmm no longer crashes under these conditions.
757359-3 : pccd crashes when deleting a nested Address List
Component: Advanced Firewall Manager
Symptoms:
When removing a nested Address List or Port List, the pccd process might crash.
Conditions:
This might occur under the following conditions:
-- Removing a nested Address List or Port List using a tmsh transaction with an incorrect tmsh command order consistently results in this crash.
-- A high availability (HA) setup with config-sync enabled and there are intermittent problems with HA-connections, or out-of-memory system state, might intermittently result in this crash.
Impact:
pccd crashes with core, restarts, and correctly compiles the new configuration. There is a resulting, small delay in applying the new configuration due to the pccd restart.
Workaround:
-- If the crash occurs as a result of incorrect tmsh commands in a transaction, reorder commands to the parent list is modified or deleted before deleting the nested list.
-- If the crash is an intermittent issue due to problems with HA-connections, or an out-of-memory system state, no action is necessary; pccd correctly compiles new configuration after it restarts.
Fix:
pccd no longer crashes under these conditions, and correctly compiles the new configuration.
757357 : TMM may crash while processing traffic
Component: TMOS
Symptoms:
Under certain conditions, TMM may crash while processing traffic.
Conditions:
-- BIG-IP Virtual Edition (VE) using virtio interfaces with direct descriptors.
Impact:
TMM crash, leading to a failover event.
Workaround:
To work around this issue, use this procedure:
1a. For BIG-IP systems running versions earlier than 14.1.0, add the following line to /config/tmm_init.tcl:
device driver vendor_dev 1af4:1000 unic
1b. For BIG-IP systems running v14.1.0 and later, add the following line to /config/tmm_init.tcl:
device driver vendor_dev 1d0f:ec20 sock
2. Restart tmm using the following command:
bigstart restart tmm
Note: You might need to manually remove that line from /config/tmm_init.tcl after upgrading.
Fix:
TMM now processes traffic as expected.
757306-2 : SNMP MIBS for AFM NAT do not yet exist
Component: Advanced Firewall Manager
Symptoms:
SNMP MIBS for AFM NAT do not yet exist.
Conditions:
This occurs in normal operation.
Impact:
Unable to read values that do not exist in SNMP, meaning that you cannot access information that you need.
Workaround:
None.
757279 : LDAP authenticated Firewall Manager role cannot edit firewall policies
Component: Advanced Firewall Manager
Symptoms:
The system posts the following message when the LDAP authenticated Firewall Manager role creates/modifies a firewall policy with rules or upgrading existing firewall policy:
User does not have modify access to object (fw_uuid_config).
Conditions:
-- Log in using an account with the Firewall Manager role.
-- Create/modify firewall policy with rules or upgrade existing firewall policy.
Impact:
Firewall modification operations fail with access to object (fw_uuid_config) error.
Workaround:
None.
Fix:
Firewall manager can now edit firewall policies.
757088-3 : TMM clock advances and cluster failover happens during webroot db nightly updates
Component: Traffic Classification Engine
Symptoms:
Webroot database mapping and unmapping takes a very long amount of time on TMM, so you might see clock advances occur. The long interval might result in a failover/state-transition in clustered environment.
Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.
Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.
Workaround:
You can avoid this issue by disabling BrightCloud updates, however, your environments will miss the latest updates as a result.
#vi /etc/wr_urldbd/bcsdk.cfg
DoBcap=true
DoRtu=false
DownloadDatabase=false
Fix:
Mapping/Unmapping the database is done asynchronously and the delay is reduced so that the CDP failover does not happen.
757027-3 : BIND Update
Solution Article: K01713115
757026-3 : BIND Update
Component: TMOS
Symptoms:
Upgrade BIND to 9.11.5-P4 per recommendation from ISC
Conditions:
GTM provisioned.
Impact:
BIND not up-to-date
Workaround:
None.
Fix:
Upgrade to BIND 9.11.5-P4
757025-3 : BIND Update
Solution Article: K00040234
757023-4 : BIND vulnerability CVE-2018-5743
Solution Article: K74009656
756774-4 : Aborted DNS queries to a cache may cause a TMM crash
Component: Global Traffic Manager (DNS)
Symptoms:
TMM may crash if an attempt is made to send a response to a TCP connection that has already been torn down.
Conditions:
TCP connections that are aborted before receiving a RESPONSE from a cache.
Impact:
Loss of service until TMM is restarted. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Aborted DNS queries to a cache no longer cause a TMM crash.
756538-1 : Failure to open data channel for active FTP connections mirrored across an HA pair.
Solution Article: K15759349
756450-2 : Traffic using route entry that's more specific than existing blackhole route can cause core
Component: Local Traffic Manager
Symptoms:
TMM asserts with 'Attempting to free loopback interface'message.
Conditions:
- Using blackhole routes.
- Have a route entry that is more specific than the existing blackhole route.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use /32 blackhole routes.
Fix:
TMM no longer cores when using blackhole routes that are less specific than non-blackhole routes.
756402-1 : Re-transmitted IPsec packets can have garbled contents
Component: TMOS
Symptoms:
Before re-transmitting a packet, it is discovered to be garbled, mainly in the form of having physical length that no longer matches the logical length recorded inside the packet.
Conditions:
Possibly rare condition that might cause packet freeing while still in use.
Impact:
Likely tunnel outage until re-established.
Workaround:
No workaround is known at this time.
Fix:
This release adds checksums to verify IPsec packets are not altered between first creation and later re-transmission.
756311-1 : High CPU during erroneous deletion
Component: Policy Enforcement Manager
Symptoms:
The utilization of some CPU cores increases and remains high for a long time. Rebooting just one blade can cause the high CPU usage to move to another blade in the chassis.
There might be messages similar to the following in tmm logs:
-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.10.10%0-4a89723e; Instance ID mismatch ERR_OK for subscriber id 310012348494 with 10.1.10.10-0-4a8987ea.
-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.18.10%0-4a8b850c; Look up returned err ERR_OK for subscriber id 3101512411557
Conditions:
The exact conditions under which this occurs are not fully understood, but one way it can be triggered is when a single TMM is crashing on a chassis system.
Impact:
The CPU usage is coming from an erroneous cleanup function, which is only running on a TMM when it's not busy; traffic is not expected to have a significant impact. However, recovering may result in a cluster-wide TMM restart, if the CPU usage does not subside. Traffic disrupted while tmm restarts.
Workaround:
Delete all subscribers from the CLI.
756270-2 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
Component: Local Traffic Manager
Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.
Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.
Impact:
Handshake failure.
Workaround:
None.
Fix:
This has been fixed to check for the issuer among all certificates that have the same subject name as the CRL issuer.
756205-3 : TMSTAT offbox statistics are not continuous
Component: Application Visibility and Reporting
Symptoms:
When BIG-IP systems are manged by BIG-IQ, the device health statistics have gaps (missing samples).
Conditions:
BIG-IP systems managed by BIG-IQ,
Impact:
Missing data on device health, such as CPU load and memory occupancy.
Workaround:
None.
Fix:
Functionality restored - BIG-IP systems send all the data as expected.
756153-2 : Add diskmonitor support for MySQL /var/lib/mysql
Component: TMOS
Symptoms:
If the disk partition /var/lib/mysql is filled to 100%, diskmonitor does not notify that the partition is nearly exhausted.
Conditions:
The disk partition /var/lib/mysql is filled to 100%.
Impact:
diskmonitor does not notify that disk partition /var/lib/mysql is nearly exhausted.
Workaround:
None.
756102-3 : TMM can crash with core on ABORT signal due to non-responsive AVR code
Component: Application Visibility and Reporting
Symptoms:
ABORT signal is sent to TMM by SOD; TMM aborts with a core.
Conditions:
Non-responsive AVR code. No other special conditions.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
756094-3 : DNS express in restart loop, 'Error writing scratch database' in ltm log
Component: Global Traffic Manager (DNS)
Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd
Conditions:
An update to an SOA record (and only an SOA) is received through a incremental zone transfer update (IXFR).
Impact:
Zone updates from the DNS master servers are not processed.
Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, use the following commands, in sequence:
bigstart stop zxfrd
rm /shared/zxfrd/*
bigstart start zxfrd
Note: DNS express will not be able to service DNS responses until the zone transfers have completed. For this reason, this procedure should be carried out on the standby device, if possible.
Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.
756088-1 : The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address
Component: TMOS
Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.
The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.
Conditions:
-- There are multiple virtual servers associated with a virtual address.
-- The virtual-address icmp-echo is set to 'all' or 'any'.
-- The virtual-address route-advertisement is set to 'all' or 'any'.
Impact:
The BIG-IP might respond incorrectly to ICMP echo requests sent to a virtual-address.
-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP may not respond correctly after a virtual-address availability change.
-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.
The BIG-IP might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.
Workaround:
None.
Fix:
The BIG-IP system now responds correctly to ICMP echo requests and correctly adds/removes dynamic routes to a virtual-address, as appropriate.
756071-1 : MCPD crash
Component: TMOS
Symptoms:
mcpd crashes on out of memory.
Conditions:
MCPD experiences a memory leak under one of the following conditions:
- A tmsh command such as the following is run:
tmsh reset-stats ltm virtual
- The ASM or AVR module is provisioned.
In both circumstances, the 'cur_allocs' for one of MCPD's internal memory allocation types generally increases and becomes very high (e.g., millions):
tmctl -I --select cur_allocs memory_stat program=mcpd name=umem_alloc_40
Impact:
MCPD can run out of memory and crash. Traffic disrupted while mcpd restarts.
Workaround:
None.
Fix:
A memory leak that occurred in the MCPD process has been fixed.
755727-3 : Ephemeral pool members not created after DNS flap and address record changes
Component: Local Traffic Manager
Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.
Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.
Conditions:
This issue may occur under rare timing conditions when the following factors are present:
-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.
Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.
Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:
1. Restart the dynconfd daemon:
bigstart restart dynconfd
2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }
To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.
755585-3 : mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction
Component: Local Traffic Manager
Symptoms:
On a VIPRION cluster, if a single transaction creates a policy with the name Drafts/NAME, publishes the policy, and attaches the policy to a virtual server, mcpd restarts on the secondary blades.
Conditions:
-- VIPRION chassis with more than one blade.
-- Single mcp transaction that:
* Creates a policy with 'Drafts/' as part of the policy name.
* Publishes that policy.
* Attaches that policy to a virtual server, either in the same transaction or a later transaction.
Impact:
mcpd restarts on all secondary blades of a cluster.
Workaround:
You can use either of the following workarounds:
-- Do not create policies with 'Drafts/' in the name.
-- Do not create and publish a policy in the same transaction.
755507-3 : [App Tunnel] 'URI sanitization' error
Component: Access Policy Manager
Symptoms:
URI sanitization error with app tunnel (application tunnel). The system posts messages similar to the following:
-- APM log: warning tmm[19703]: 01490586:4: /Common/AP-AD:Common:ff776e4a: Invalid Resource Access For RESOURCENAME. RST due to URI sanitization
-- LTM log: err tmm[19703]: 01230140:3: RST sent from 10.0.0.1:80 to 10.0.0.1:228, [0x2263e2c:7382] Unrecognized resource access (RESOURCENAME)
Conditions:
Access Policy that includes a 'Logon Page' and 'Advanced Resource Assign' (full webtop and app tunnel).
Impact:
APM does not send a response after receiving a request to 'GET /vdesk/resource_app_tunnels_info.xml'.
Workaround:
None.
755475-3 : Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync
Component: Access Policy Manager
Symptoms:
After making changes to the logon page agent field, performing config sync to another device and opening the logon agent in VPE on the sync target device encounters an error. Though this problem described to the logon page agent, this is applicable to any agent that is tied to customization group.
Conditions:
1. Form a failover device group with two devices.
2. On one device, create an access policy with logon page agent. Initiate config sync to sync the policy to other devices. Verify everything is correct on target device (specifically: open VPE for the policy, Logon Page is in the policy, click on the agent, and edit box appears without issue).
3. On source device, launch VPE for the policy, click on Logon Page agent, make changes to Agent (e.g., choose 'password' type for field3. Save the change and make a config sync again.
4. Go to target device, open VPE for the policy, and click on Logon Page is in the policy.
Impact:
Config is not synced properly to another device in the device group.
Workaround:
- Workaround 1:
Step1. On Standby (where the problem happens): delete the policy in question.
Step2. On Active: modify the access policy and Sync it.
* Problem with this workaround: sometimes, you cannot properly delete the access policy in question on the standby (as customization is corrupted, some related config deletion fails).
- Workaround 2:
Step 1. On Standby (where the problem happens): try to open up access policy item using VPE. Error will show the exact location of the file that is missing, for example:
"An error 'customization::getMessages: Unable to get xml dom from /config/filestore/files_d/Common_d/customization_group_d/:Common:MyAccessPolicy_act_logon_page_ag_5678_4' has occured on server... Dialogue loading has failed."
Step 2. On Standby: copy the exact file from active unit to standby unit, change the permission (ownership/group, permission flags) of the file so that it looks similar to active.
Fix:
Target device receives identical configuration as source one after config sync after user updates logon page field in logon agent editing dialog.
755018-4 : Traffic processing may be stopped on VE trunk after tmm restart
Component: TMOS
Symptoms:
Trunk interface members might be missing from tmm after tmm restart on BIG-IP Virtual Edition (VE).
Conditions:
-- Using trunks on VE.
-- tmm restarts.
Impact:
No traffic processing after tmm restart.
Workaround:
Remove the interfaces from the trunk and re-add them:
# tmsh modify net trunk <trunk name> interfaces none
# tmsh modify net trunk <trunk name> interfaces add { <interface1> <interface2> }
Fix:
Traffic processing on trunks is stable after tmm restart.
755005-3 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
Component: Application Security Manager
Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.
Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.
Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.
Workaround:
None.
Fix:
Correct templates are now used for Illegal Request Length and Illegal Query String Length violations, so the correct titles show.
754944-3 : AVR reporting UI does not follow best practices
Solution Article: K00432398
754901-3 : Frequent zone update notifications may cause TMM to restart
Component: Global Traffic Manager (DNS)
Symptoms:
When there are frequent zone update notifications, the watchdog for TMM may trip and TMM crash/restarts. There may also be 'clock advanced' messages in /var/log/ltm.
Conditions:
- Using DNS express.
- DNS zone with allow notify.
- Frequent zone NOTIFY messages resulting in zone transfers.
Impact:
TMM restart potentially resulting in failing or impacting services. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Frequent zone update notifications no longer cause TMM to restart.
754567 : Child clientSSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file
Component: TMOS
Symptoms:
Child client SSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file used by the profile.
Conditions:
The issue is seen intermittently when all of the following conditions are met.
-- The client SSL profile is a child client SSL profile profile, i.e., it has a parent client SSL profile.
-- The child and the parent profile are using the same certificate.
-- The certificate file is updated, for example, by using a command similar to the following:
tmsh modify sys file ssl-cert child.crt { source-path file:///config/ssl/ssl.crt/default.crt app-service none cert-validation-options { } issuer-cert none }
Impact:
The child client SSL profile may unexpectedly end up using a different cert-key-chain from its parent profile.
Workaround:
The inherit-certkeychain flag can be set only in the GUI location: Local Traffic :: Profiles : SSL : Client :: child_profile.
In the row 'Configuration: \ Certificate Key Chain', uncheck the checkbox on the right side. That sets inherit-certkeychain to true (or does not customize the cert-key-chain for the child profile). Once the box is unchecked, the Certificate Key Chain field appears greyed out and filled with parent profile's cert-key-chain.
Fix:
The child profile's inherit-certkeychain flag is no longer unexpectedly set to false after updating the certificate file.
754542-4 : TMM may crash when using RADIUS Accounting agent
Component: Access Policy Manager
Symptoms:
TMM may crash when using RADIUS Accounting agent in either per-session or per-request policy.
Conditions:
- APM is provisioned and licensed.
- RADIUS Accounting agent is used in either per-session or per-request policy.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when RADIUS Accounting agent is used in the access policy.
754365-3 : Updated flags for countries that changed their flags since 2010
Component: Application Security Manager
Symptoms:
Old flags for countries that changed their flags since 2010.
Conditions:
Requests from one of the following counties:
-- Myanmar
-- Iraq
-- Libya
Impact:
Old flag is shown.
Workaround:
None.
Fix:
The three flags are now updated in ASM.
754349 : FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4
Component: Local Traffic Manager
Symptoms:
FTP uploads that are offloaded on both sides drop after the idle timeout period, even though data is flowing.
Conditions:
-- FTP virtual server set up with a standard profile and FastL4 offloading.
-- Attempt a file upload to the virtual server where both client and server side of the data channel are offloaded.
Impact:
Dropped connections; data loss.
Workaround:
You can do either of the following:
-- Enable Inherit Parent Profile on the FTP profile.
-- Turn off FastL4 offloading.
Fix:
-- FTP connections to virtual servers no longer drop when both sides of data channel are offloaded via FastL4.
-- The output of the following command displays the correct acceleration state: tmsh show sys conn all-properties.
754346-1 : Access policy was not found while creating configuration snapshot.
Component: Access Policy Manager
Symptoms:
APMD fails to create configuration snapshot with the following error:
--err apmd[16675]: 01490000:3: AccessPolicyProcessor/AccessPolicyProcessor.cpp func: "dispatchEvent()" line: 1195 Msg: EXCEPTION AccessPolicyProcessor/ProfileAccess.cpp line:234 function: snapshotConfigVariables - AccessPolicy ("/Common/myPolicy") not found while creating configuration snapshot!!!!
If you attempt to modify the policy in question, the system reports a second error:
-- err apmd[16675]: 01490089:3: 00000000: Configuration change notification received for an unknown access profile: /Common/myPolicy
Conditions:
If TMM restarts and new access policy is added before TMM is fully up and running.
Impact:
Configuration snapshot is not created, and users cannot log on.
Workaround:
Recreate the access profile when TMM is stable.
754345-3 : WebUI does not follow best security practices
Solution Article: K79902360
754330-1 : Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected
Component: Application Visibility and Reporting
Symptoms:
Monpd attempts to load a batch of CSV files that exceed the partition threshold. This might cause Monpd to falsely detect a corrupted database.
Conditions:
-- Monpd is down for a given interval, and needs to load a batch of CSV files.
-- Monpd gets lower priority for CPU and does not manage loading CSV files within a specific timeframe.
-- Some of the reports are more demanding than others, and create CSV files more often, which makes it harder for Monpd to load efficiently.
Impact:
Stats for AVR might not be loaded to the database within an expected interval.
Workaround:
None.
Fix:
Monpd now checks whether a new partition is required after each CSV file load. When needed, it creates one and aggregates data in the database to avoid this issue.
754103-2 : iRulesLX NodeJS daemon does not follow best security practices
Solution Article: K75532331
754003-1 : Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate
Solution Article: K73202036
Component: Local Traffic Manager
Symptoms:
For more information please see: https://support.f5.com/csp/article/K73202036
Conditions:
For more information please see: https://support.f5.com/csp/article/K73202036
Impact:
For more information please see: https://support.f5.com/csp/article/K73202036
Workaround:
None.
Fix:
For more information please see: https://support.f5.com/csp/article/K73202036
753975 : TMM may crash while processing HTTP traffic with AAM
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing HTTP traffic with AAM.
Conditions:
An active virtual server with an AAM profile and RAM cache enabled.
Impact:
TMM crash leading to a failover event.
Workaround:
None.
Fix:
TMM now processes AAM traffic as expected.
753912 : UDP flows may not be swept
Solution Article: K44385170
Component: Local Traffic Manager
Symptoms:
Some UDP connection flows do not show in connection table but do show up in stats. This might occur with datagram_lb mode is enabled on the UDP profile under heavy load.
Conditions:
-- UDP profile with datagram_lb mode enabled.
-- System under heavy load.
Impact:
Increased memory utilization of TMM.
Workaround:
None.
Fix:
The system now correctly manages all expired flows.
753893-1 : Inconsistent validation for firewall address-list's nested address-list causes load failure
Component: Advanced Firewall Manager
Symptoms:
Inconsistent validation for firewall address-list's nested address-lists causes load failure. The operation validates 'addresses' in the address-list but misses the case of modifying the address-list nested in the address-list. The system posts a message similar to the following:
01071a5a:3: Cannot configure mix of IPv4 and IPv6 address(es) in this object.
Unexpected Error: Loading configuration process failed.
Conditions:
-- Modify an address-list's address-lists to contain mixed IPv4 and IPv6 addresses.
-- Save the configuration.
-- Load the configuration.
Impact:
Missing validation for nested address-list modification allows an invalid configuration to be specified and saved into bigip*.conf, which causes load failure.
Note: This might cause upgrade from v12.1.x to fail when the configuration contains a mix of IPv4 and IPv6 within an address-list.
Workaround:
Edit the bigip*.conf file to remove the mix of IPv4 and IPv6 addresses in the nested address-lists.
Fix:
This release contains validation to nested address-lists to check for overlapping IP addresses in the same address family.
753796-2 : SNMP does not follow best security practices
Solution Article: K40443301
753776-1 : TMM may consume excessive resources when processing UDP traffic
Solution Article: K07127032
753650 : The BIG-IP system reports frequent kernel page allocation failures.
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:
swapper/16: page allocation failure: order:2, mode:0x104020
After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This issue is known to occur on the following VIPRION blade models:
- B2250 (A112)
- B4450 (A114)
Please note the issue is known to occur regardless of whether the system is running in vCMP mode or not, and regardless of whether the system is Active or Standby.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommend to increase this to either 64 MB (65536 KB for 2250 blades) or 128 MB (131072 KB for 4450 blades). You must do this on each blades installed in the system.
When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
Fix:
The BIG-IP system no longer experiences kernel page allocation failures.
753594-3 : In-TMM monitors may have duplicate instances or stop monitoring
Component: Local Traffic Manager
Symptoms:
Most monitored resources (such as pools) report messages similar to the following:
Availability : unknown
Reason : The children pool member(s) either don't have service checking enabled, or service check results are not available yet.
A fraction of the monitored resources report the correct status based on the state of the resource.
Enabling bigdlog may show instances of messaging containing 'tmm_mid=x:0' (where x can be values like 0, 1, 2 etc.), for example, it is tmm_mid=1:0 in the following example:
[0][11288] 2019-03-08 10:03:04.608: ID 10859 :(_do_ping): post ping, status=UNKNOWN [ tmm?=true td=true tr=false tmm_mid=1:0 addr=::ffff:1.2.37.44:443 mon=/Common/https fd=-1 pend=0 #conn=0 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 next_ping=[1552068189.684126][2019-03-08 10:03:09] last_ping=[1552068184.684909][2019-03-08 10:03:04] deadline=[1552067610.048558][2019-03-08 09:53:30] on_service_list=True snd_cnt=119 rcv_cnt=0 ]
The following error might appear in /var/log/ltm:
-- failed to handle TMA_MSG_DELETE message: MID 0, error TMA_ERR_INVALID_MID(Monitor ID is invalid or unused)
Conditions:
-- Configure In-TMM monitoring with a sufficiently large number of monitored objects.
-- Modify monitors while pool members are in an offline state or perform rapid modification of In-TMM monitors.
Impact:
Some monitors may be executed multiple times per configured interval on a resource, and some monitors may not be executed at all against resources.
Workaround:
Switch to traditional bigd monitoring instead of In-TMM:
tmsh modify sys db bigd.tmm value disable
Fix:
Rapid modification of in-TMM monitors no longer leaves old monitor instances behind.
753514-1 : Large configurations containing LTM Policies load slowly
Component: Local Traffic Manager
Symptoms:
Very slow performance when loading a configuration, for example, at system start up. During this time, the tmsh process shows high CPU usage.
Conditions:
Big IP 13.1.x, 14.x. Large configuration (1 MB or larger) and at least one, but more likely tens or hundreds of LTM policies defined in the configuration.
Impact:
Slow configuration loading, or in cases with very large configurations, full config load may fail after a long wait. Slowness increases with overall configuration size and number of LTM policies defined.
Workaround:
None.
Fix:
Large configurations containing LTM Policies load normally.
753485-2 : AVR global settings are being overridden by HA peers
Component: Application Visibility and Reporting
Symptoms:
Configuration of AVR global settings is being overridden by high availability (HA) peers, and thus report incorrectly to BIG-IQ Data Collection Devices (DCDs).
Conditions:
Configuring HA for systems connected to BIG-IQ.
Impact:
Configuration of BIG-IP systems in HA configuration can override each other. This might result in the following behavior:
-- A common symptom is the 'Stats Last Collection Date' shows up as Dec 31, 1969 or Jan 01, 1970, depending the timezone configuration of the device
-- The 'Stats Last Collection Date' shows up as '--'
-- The BIG-IP systems incorrectly identify themselves to BIG-IQ.
-- The BIG-IP systems report to the wrong DCD.
-- The BIG-IP systems report to DCD, even if they are not configured to report at all.
-- The BIG-IP systems do not report at all, even if they are configured to report.
Note: This bug is tightly related to BIG-IQ Bug ID 757423.
Workaround:
None.
Fix:
Synchronization of relevant fields on AVR global settings are disabled, so this issue no longer occurs.
753446-1 : avrd process crash during shutdown if connected to BIG-IQ
Component: Application Visibility and Reporting
Symptoms:
During shutdown of BIG-IP, if it is connected to BIG-IQ then avrd might crash.
Conditions:
BIG-IP is set to shutdown and configured to send statistics to BIG-IQ.
Impact:
No serious impact, since the BIG-IP is already instructed to shutdown, so the process crash is not causing any damage.
Workaround:
N/A
Fix:
Issue is fixed, avrd does not crash during shutdown
753370-1 : RADIUS auth might not be working as configured when there is change in RADIUS auth config name.
Component: Access Policy Manager
Symptoms:
RADIUS auth might not be working as configured when there is change in RADIUS auth config name. You might also see an error:
err apmd[14182]: 01490108:3: /Common/:Common:cc55b9e2: RADIUS module: authentication with 'testuser@example' failed: no response from server (0).
Conditions:
In an LTM pool that uses APM AAA RADIUS to authenticate, change (modify/delete) the name of the RADIUS authentication server in config file.
Impact:
When using tmm.default version, intermittently MCP error messages in tmm logs indicate that the RADIUS server cannot be found, and RADIUS authentication does not work as expected.
Workaround:
None.
753368 : Unable to import access policy with pool
Component: Access Policy Manager
Symptoms:
If your exported policy contains a pool object (e.g., Active Directory (AD) or LDAP Auth object) import of such a policy fails.
Conditions:
-- Exported policy contains a pool.
-- Attempt to import that policy.
Impact:
Unable to import certain configurations.
Workaround:
None.
Fix:
Policies with pools are imported successfully.
753163-2 : PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days
Component: Policy Enforcement Manager
Symptoms:
No connection request with PCRF/OCS if high availability (HA) failover occurs after 26 days. tmm crash
Conditions:
-- Using PEM.
-- high availability (HA) failover occurs after 26 days.
Impact:
PEM does send the reconnect request within the configured reconnect, so there is no connection initiated with PCRF/OCS.
Workaround:
To restart the connection, restart tmm restart using the following command:
tmm restart
Note: Traffic disrupted while tmm restarts.
Fix:
PEM now initiates the connection with PCRF/OCS under these conditions.
753028-1 : AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule
Component: Advanced Firewall Manager
Symptoms:
When Proxy ARP is enabled for destination addresses in an FW NAT rule performing destination NAT (static-nat/static-pat), forwarding ICMP traffic matching that rule is incorrectly dropped by AFM instead of being forwarded through the BIG-IP system.
Conditions:
-- Proxy ARP is enabled for destination addresses in an FW NAT rule.
-- The BIG-IP system (AFM) receives forwarding ICMP traffic for these (untranslated) destination addresses.
Impact:
Forwarding ICMP traffic is dropped by the BIG-IP system.
Workaround:
You can disable Proxy ARP functionality for FW NAT rules to cause the BIG-IP system (AFM) to handle forwarding ICMP traffic correctly and pass it through the system to the backend.
However, this causes the BIG-IP system to not respond to ARP requests anymore for destination addresses in such rules. As a further mitigation action, you can configure static ARP entries to handle this.
Fix:
The BIG-IP system (AFM) now correctly forwards ICMP traffic through to the backend when Proxy ARP is enabled on destination addresses in the matching FW NAT rule.
753014-1 : PEM iRule action with RULE_INIT event fails to attach to PEM policy
Component: Policy Enforcement Manager
Symptoms:
PEM iRule action with RULE_INIT event fails to attach to PEM policy.
Conditions:
Attaching PEM policy with PEM iRule action that contains a RULE_INIT event.
Impact:
PEM fails to update the new iRule action.
Workaround:
Force mcpd to reload the BIG-IP configuration.
To do so, follow the steps in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
Fix:
The system now continues processing PEM iRule actions if RULE_INIT event is present, so this issue no longer occurs.
752930-1 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
Component: Local Traffic Manager
Symptoms:
Virtual Servers left in unknown state. Blade keeps restarting.
Conditions:
Change default route domain (RD) of partition with wildcard Virtual Servers.
Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop.
Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.
2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:
# ssh slot2 bigstart stop
# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109
# save sys config
# clsh rm -f /var/db/mcpdb.bin
# ssh slot2 bigstart start
Note: This recovery method might have to be executed multiple times to restore a working setup.
752835-3 : Mitigate mcpd out of memory error with auto-sync enabled.
Solution Article: K46971044
Component: TMOS
Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it will exponentially get further behind due to extra sync data, leading to the sending mcpd running out of memory and core dumping.
Conditions:
-- Auto-sync enabled in an high availability (HA) pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.
Impact:
Mcpd crashes.
Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.
Fix:
This is not a complete fix. It is still possible for mcpd to run out of memory due to a peer not processing sync messages quickly enough. It does, however, make it more difficult for this scenario to happen, so configuration changes with auto-sync on can be sent somewhat more quickly without crashing mcpd as often.
752822-3 : SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type
Component: Service Provider
Symptoms:
SIP ALG calls that fail translation during ingress are not cleaned up by the system, which might result in memory being leaked inside the TMM processes.
Conditions:
SIP ALG calls that fail translation during ingress.
Impact:
TMM leaks memory, which can slow down performance and eventually cause TMM to run out of memory and restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now cleans up SIP ALG calls that fail translation during ingress, so this issue no longer occurs.
752803-2 : CLASSIFICATION_DETECTED running reject can lead to a tmm core
Component: Traffic Classification Engine
Symptoms:
When the CLASSIFICATION_DETECTED event is run on a serverside flow, and then an iRule command (e.g., to reject a flow) is run, tmm crashes.
Conditions:
-- CLASSIFICATION_DETECTED event runs on a serverside flow.
-- An iRule command runs (e.g., reject a flow).
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer crashes under these conditions.
752782-3 : 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'
Component: Fraud Protection Services
Symptoms:
The 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.
Conditions:
FPS Provisioning and a DataSafe license.
Impact:
The menu name has changed in this release.
Workaround:
None.
Fix:
'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.
752592-2 : VMware Horizon PCoIP clients may fail to connect shortly after logout
Component: Access Policy Manager
Symptoms:
Sometimes if user closes opened PCoIP desktop and logs out and then logs in again, he can't launch the same desktop anymore.
Conditions:
PCoIP UDP VS has "vdi" profile assigned.
Impact:
User can't open PCoIP remote desktop during short time period (1 minute).
Workaround:
Remove "vdi" profile and assign "remotedesktop" profile to the PCoIP UDP VS:
# tmsh modify ltm virtual <PCoIP UDP VS> profiles delete { vdi }
# tmsh modify ltm virtual <PCoIP UDP VS> profiles add { remotedesktop }
In admin UI the assignment of "remotedesktop" profile can be controlled via "Application Tunnels (Java & Per-App VPN)" checkbox (right under "VDI Profile" dropdown).
Fix:
Assignment of "vdi" profile to PCoIP UDP VS does not cause intermittent connection problems anymore.
752363 : Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled
Component: Advanced Firewall Manager
Symptoms:
Client request fails, due to being dropped on the BIG-IP system.
Conditions:
-- The BIG-IP AFM L4 BDoS feature is enabled.
-- Virtual server setup is such that the client-facing virtual server's destination is forwarded through another virtual server, which is an internally forwarded flow.
Impact:
Client request gets dropped due to BIG-IP AFM dropping the flow.
Workaround:
Disable BDoS feature. The feature can be disabled using the following commands:
-- To disable BDoS globally, run the following command:
modify security dos device-config dos-device-config dynamic-signatures { network { detection disabled mitigation none }}
To disable BDoS globally per-profile, run the following command:
modify security dos profile <profile-name> dos-network modify { test { dynamic-signatures { detection disabled mitigation none } } }
modify security dos profile test protocol-dns modify { test { dynamic-signatures { detection disabled mitigation none } } }
Fix:
The system now handles the looped flows properly, so the BDoS module does not incorrectly cause the packet to be dropped.
752078 : Header Field Value String Corruption
Component: Local Traffic Manager
Symptoms:
This is specific to HTTP/2.
In some rare cases, the header field value string can have one or more of its prefix characters removed by the BIG-IP system.
Conditions:
-- The header field value string is exceptionally long, and has embedded whitespace characters.
-- HTTP/2 is used.
Impact:
A header such as:
x-info: very_long_string that has whitespace characters
may be sent to the client as:
x-info: ery_long_string that has whitespace characters
Workaround:
None.
Fix:
The BIG-IP system no longer removes the prefix characters from very long HTTP/2 header field value strings containing embedded whitespace characters.
752047-2 : iRule running reject in CLASSIFICATION_DETECTED event can cause core
Component: Traffic Classification Engine
Symptoms:
The CLASSIFICATION_DETECTED iRule event can run very early when classification happens in the classification database (srdb). If the iRule then issues a reject command, tmm cores.
Conditions:
CLASSIFICATION_DETECTED on L4 executing reject command.
Impact:
tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
iRule running reject in CLASSIFICATION_DETECTED event no longer causes tmm core.
751869 : Possible tmm crash when using manual mode mitigation in DoS Profile
Component: Advanced Firewall Manager
Symptoms:
tmm crash and restart is possible when using manual mode mitigation in DoS Profile.
Conditions:
When manual mode mitigation is used for any vector that is enabled in the DoS Profile that is attached to a Protected Object.
Impact:
tmm crash and restart is possible. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm crash and restart no longer occurs when using manual mode mitigation in DoS Profile.
751710-2 : False positive cookie hijacking violation
Component: Application Security Manager
Symptoms:
A false positive cookie hijacking violation.
Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with the higher domain level then the configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.
Impact:
False positive violation / blocking.
Workaround:
N/A
751179-3 : MRF: Race condition may create to many outgoing connections to a peer
Component: Service Provider
Symptoms:
If two different connections attempt to create an outgoing connection to a peer at the same time, multiple connections may be created, even if the peer object is configured for one connection per peer. This is due to a race condition in message routing framework during connection creation.
Conditions:
-- Two different connections attempt to create an outgoing connection to a peer at the same time.
-- The peer is configured for one connection per peer.
Impact:
More than one connection to a peer is created.
Workaround:
None.
Fix:
Only one connection is created under these conditions.
751011-1 : ihealth.sh script and qkview locking mechanism not working
Component: TMOS
Symptoms:
Two qkviews can be started up on a system at the same time, which results in conflicts for each.
Conditions:
Running qkview on one terminal and then ihealth.sh in another.
Impact:
Running of two qkviews at the same time breaks both qkviews since they compete for the same files.
Workaround:
Run either qkview or ihealth.sh, not both simultaneously.
Fix:
Starting a qkview and then running ihealth.sh halts immediately as the system detects that qkview is running.
751009-1 : Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out
Component: TMOS
Symptoms:
After generating a Qkview or collecting a tcpdump via the BIG-IP GUI, or using the 'tmsh run util ihealth' command to do the equivalent, the /var/tmp/mcpd.out file is missing.
Conditions:
-- Generating a Qkview or collecting a tcpdump via the BIG-IP GUI.
-- Using the 'tmsh run util ihealth' command to do the equivalent operation.
Impact:
The file /var/tmp/mpcd.out is a debug file used by mcpd, primarily for collecting debug-level log information from MCPD.
The file being deleted causes challenges with trying to collect diagnostic information from a BIG-IP system (turning on mcpd debug logging), because it now requires a service impact (restarting mcpd).
Additionally, may cause challenges in managing disk space on /shared filesystem, as mcpd keeps writing to a deleted file, and it cannot be truncated.
Workaround:
Generating Qkviews by invoking the 'qkview' command directly avoids this issue.
Edit the /usr/bin/ihealth.sh script to remove the corresponding line.
From a bash shell:
1. mount -o remount,rw /usr
2. /bin/cp /usr/bin/ihealth.sh{,751009.bak}
3. sed -i '/\/bin\/rm -f \/var\/tmp\/mcpd.out/d' /usr/bin/ihealth.sh
4. mount -o remount,ro /usr
Note: This workaround does not persist across software installs/upgrades, nor does it ConfigSync or replicate across blades in a VIPRION chassis.
Fix:
The problem line has been removed from the script, so this mcpd debug file is left alone (not deleted) after running ihealth.sh. Note that the GUI version of running qkview uses ihealth.sh script.
750922-3 : BD crash when content profile used for login page has no parse parameters set
Component: Application Security Manager
Symptoms:
Bd crashes. No traffic goes through ASM.
Conditions:
-- A Json Login page is configured.
-- The content profile used for the login page does not have parse parameters set.
Impact:
No traffic goes through ASM. Bd crashes.
Workaround:
Set the parse parameters setting.
Fix:
BD no longer crashes when the content profile used for login page has no parse parameters set.
750843-1 : HTTP data re-ordering when receiving data while iRule parked
Component: Local Traffic Manager
Symptoms:
Under certain circumstances tmm can reorder or omit HTTP data segments when they are received while processing an iRule which is parked.
Conditions:
- HTTP iRule execution suspended, e.g., waiting for a table command to return.
- Ingress data is processed during this state.
Impact:
Data corruption or loss can occur.
Workaround:
There is no workaround other than not using iRule suspend commands in HTTP_* events.
Fix:
tmm now handles ingress data correctly when in the parked iRule state.
750823-3 : Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
Component: Access Policy Manager
Symptoms:
Memory usage in TMM keeps going up.
Conditions:
Access::policy evaluate command fails with error message in /var/log/ltm:
TCL error: ... - Failed to forward request to apmd.
Impact:
Memory leaks in TMM, which cause a TMM crash eventually.
Workaround:
Limit the amount of data that will be forwarded to APMD.
750689-1 : Request Log: Accept Request button available when not needed
Component: Application Security Manager
Symptoms:
There are several violations that make requests unlearnable, but the Accept Request Button is still enabled.
Conditions:
This occurs in the following scenarios:
1. Request log has requests with following violations that make requests unlearnable:
- Threat Campaign detected.
- Null character found in WebSocket text message.
- Access from disallowed User/Session/IP/Device ID.
- Failed to convert character.
2. Subviolations of HTTP protocol compliance fails violation:
- Unparsable request content.
- Null in request.
- Bad HTTP version.
3. Only the following violations are detected:
- Access from malicious IP address.
- IP address is blacklisted.
- CSRF attack detected.
- Brute Force: Maximum login attempts are exceeded.
Impact:
Accept Request button is available, but pressing it does not change the policy.
Workaround:
None.
Fix:
The Accept Request button is now disabled when there is nothing to be learned from request.
750631-1 : There may be a latency between session termination and deletion of its associated IP address mapping
Component: Access Policy Manager
Symptoms:
In SWG, if a new request from a client executes iRule command "ACCESS::session exists" when the session has expired previously, the command will return false. However, if command "ACCESS::session create" is executed following the exist command, the session ID of the previous session may be returned.
Conditions:
In SWG, if a new request from a client IP comes into the system right after its previous session has expired.
Impact:
The Access filter will determine that the session ID is stale and, therefore, will redirect the client to /my.policy
Fix:
N/A
750586-1 : HSL may incorrectly handle pending TCP connections with elongated handshake time.
Component: TMOS
Symptoms:
HSL may incorrectly handle TCP connections that are pending 3-way handshake completion that exceed default handshake timeout.
Conditions:
-- HSL or ReqLog configured to send logging data to pool via TCP protocol.
-- TCP 3-way handshake takes longer than 20 seconds (the default handshake timeout) to complete.
Impact:
-- Service interruption while TMM restarts.
-- Failover event.
Workaround:
None.
Fix:
HSL handles unusually long pending TCP handshakes gracefully and does not cause outage.
750496-1 : TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP
Component: Access Policy Manager
Symptoms:
TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP.
Conditions:
Create a basic SSO item.
Create a PRP that has the SSO Assign in it and select the basic SSO item.
Create a PSP that is Start->Allow
Create a VS that uses the PRP, PSP, and an pool.
Delete the SSO item in the UI.
Run traffic through the VS
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not delete the SSO config object referenced by SSO Configuration Select agent in PRP.
Fix:
SSO Configuration Select agent should fail with error code when sso_config cannot be found (i.e. NULL).
750460-3 : Subscriber management configuration GUI
Solution Article: K61002104
750447-1 : GUI VLAN list page loading slowly with 50 records per screen
Component: TMOS
Symptoms:
GUI VLAN list page is loading slowly with there are 3200+ VLANs with the Records Per Screen Preference set to 50.
Conditions:
-- Using a VIPRION system.
-- Configuration containing 3200 or more VLANs.
-- System Preferences Records Per Screen set to 50.
Impact:
Cannot use the page.
Workaround:
Use tmsh or guishell tool to see the VLANs.
You can also try using a smaller value for the Records Per Screen option in System :: Preferences.
Fix:
Improved data retrieval and rendering for the VLAN list page.
750356-3 : Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted
Component: Application Security Manager
Symptoms:
In any Split View page (Request Log, Learning, etc.): All user-defined filters are removed if you delete a newly created filter without reloading the page first.
Conditions:
-- Create a new filter.
-- Remove the new filter.
Impact:
The system removes all user-defined filters.
Workaround:
Before you delete a newly created filter, reload the page.
Fix:
Filter removal now completes successfully for all scenarios.
750318-1 : HTTPS monitor does not appear to be using cert from server-ssl profile
Component: TMOS
Symptoms:
An HTTPS monitor using a client certificate configured in the server-ssl profile fails to send the certificate during the SSL handshake.
A tcpdump shows a 0-byte certificate being sent.
Conditions:
-- In-tmm monitoring is disabled (default).
-- The server-ssl profile has been modified but without changing the configured certificate or key.
The resulting message passed from mcpd to bigd will contain only the incremental modification to the profile, which bigd treats as a complete profile, meaning that it is possible for the certificate and key parameters to be lost.
Impact:
SSL handshake might fail to complete and the HTTPS monitor fails.
Workaround:
Restart bigd process by running the following command:
bigstart restart bigd
Fix:
mcpd now sends the full profile configuration to bigd upon modification.
750213-2 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
Solution Article: K25351434
Component: Global Traffic Manager (DNS)
Symptoms:
FPGA hardware-accelerated DNS Cache can respond improperly to DNS queries that contain EDNS OPT Records. This improper response can take several forms, ranging from not responding with an OPT record, to a query timeout, to a badvers response.
Conditions:
-- Using VIPRION B2250 blades.
-- This may occur if a client sends a query with an EDNS OPT record that has an unknown version or other values that the Hardware-accelerated Cache does not understand. These errors only occur when matching the query to a hardware cached response.
Note: If the response is not in the hardware cache, then the query should be properly handled.
Impact:
Hardware-accelerated DNS Cache drops the request. Clients will experience a timeout for that query.
This is occurring now because of the changes coming to software from certain DNS software vendors that remove specific workarounds on February 1st, 2019. This is known as DNS Flag Day.
Workaround:
None.
750200-1 : DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
Component: Local Traffic Manager
Symptoms:
DHCP requests from the client are sent only to the first member in the DHCP server pool.
Conditions:
- BIG-IP system configured as a DHCP Relay.
- DHCP server pool contains more than one DHCP server.
Impact:
- DHCP server load balancing is not achieved.
- If the first DHCP server in the DHCP server pool does not respond or is unreachable, the DHCP client will not be assigned an IP address.
Workaround:
None.
750187-3 : ASM REST may consume excessive resources
Solution Article: K29149494
750170-1 : SP Connector config changes causes BIG-IP tmm core sometimes during handling of SAML SLO request
Component: Access Policy Manager
Symptoms:
tmm crashes.
Conditions:
This occurs when BIG-IP handles SAML SLO requests, and SP Configuration is changed by the admin around the same time.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
When SP configuration is changed by the admin, and when BIG-IP handles SLO requests correctly without any BIG-IP tmm core.
749879-4 : Possible interruption while processing VPN traffic
Solution Article: K47527163
749785-1 : nsm can become unresponsive when processing recursive routes
Component: TMOS
Symptoms:
imish hangs, and the BIG-IP Network Services Module (nsm) daemon consuming 100% CPU.
Conditions:
-- Dynamic routing enabled
-- Processing recursive routes from a BGP peer with different prefixlen values.
Impact:
Dynamic routing, and services using dynamic routes do not operate. nsm does not recover and must be restarted.
Workaround:
None.
Fix:
nsm now processes recursive route without issues.
749774-3 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
Component: Global Traffic Manager (DNS)
Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.
Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.
Impact:
Inconsistent behavior.
Workaround:
None.
Fix:
In this release, responses are now consistent when caching is enabled.
749704-3 : GTPv2 Serving-Network field with mixed MNC digits
Component: Service Provider
Symptoms:
iRules command 'GTP::ie get value' incorrectly decodes Serving-Network field, putting the least significant digit of mobile network codes (MNC) value before the other two.
Conditions:
Using the iRule command 'GTP::ie get value' to retrieve the Serving-Network field from a GTP message (the iRule construction: GTP::ie get value -message $gtp_message 83).
Impact:
The operation returns results in which the least significant digit is inserted before the other two, resulting in incorrect data being returned.
Workaround:
None.
Fix:
The iRule command 'GTP::ie get -message $gtp_message 83' that retrieves the Serving-Network now returns the correctly ordered, three-digit values for mobile country codes (MCC) and mobile network codes (MNC) as a two-element list: {{<MCC> <MNC>} <optional data>}, where the first element is another list containing actual MCC and MNC values, while the second element is optional binary data which follows MCC and MNC. It is the same format as used for ULI field decoding.
Behavior Change:
The iRule command 'GTP::ie get -message $gtp_message 83' that retrieves the Serving-Network now returns the correctly ordered, three-digit values for mobile country codes (MCC) and mobile network codes (MNC) as a two-element list: {{<MCC> <MNC>} <optional data>}, where the first element is another list containing actual MCC and MNC values, while the second element is optional binary data which follows MCC and MNC. It is the same format as used for ULI field decoding.
749689-1 : HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart
Component: Local Traffic Manager
Symptoms:
HTTPS monitor sends different amount of cipher suites in client hello during SSL handshake and sometimes back end server fails to find a desired cipher suite from client hello. As a result, sometimes SSL handshake fails and monitor wrongly marks pool member down.
Conditions:
-- Have an SSL profile to be used by an HTTPS monitor.
-- Load the same config more than once.
Impact:
HTTPS monitor might incorrectly mark pool member down because of a failed SSL handshake.
Workaround:
Restart bigd using the following command:
bigstart restart bigd
Fix:
HTTPS monitor now sends a consistent number of cipher suites in the client hello message during the SSL handshake.
749675-3 : DNS cache resolver may return a malformed truncated response with multiple OPT records
Component: Global Traffic Manager (DNS)
Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.
Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).
Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.
Workaround:
A second query will return the cached record, which will only have one OPT record.
Fix:
DNS cache resolver now returns the correct response under these conditions.
749603-3 : MRF SIP ALG: Potential to end wrong call when BYE received
Component: Service Provider
Symptoms:
When a BYE is received, the media flows for a different call might be closed in error.
Conditions:
If the hash of the call-id (masked to 12 bits) matches the hash of another's call-id.
Impact:
The media flows for both calls will be closed when one receives a BYE command. A call may be incorrectly terminated early.
Workaround:
None.
Fix:
Entire call-id checked before terminating media flows.
749508-3 : LDNS and DNSSEC: Various OOM conditions need to be handled properly
Component: Global Traffic Manager (DNS)
Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.
Conditions:
LDNS and DNSSEC OOM conditions.
Impact:
Various traffic-processing issue, for example, TMM panic during processing of DNSSEC activity.
Workaround:
None.
Fix:
The system contains improvements for handling OOM conditions properly.
749464 : Race condition while BIG-IQ updates common file
Component: Application Visibility and Reporting
Symptoms:
The file /var/config/rest/downloads/app_mapping.json is being used by two processes: BIG-IQ and avrd.
This can cause a race-condition between the two and in some rare cases can cause avrd to crash.
Conditions:
BIG-IQ updating /var/config/rest/downloads/app_mapping.json while avrd is reading it.
Impact:
avrd might read incomplete data, and can even core in some rare cases.
Workaround:
None.
Fix:
This race condition no longer occurs.
749461 : Race condition while modifying analytics global-settings
Component: Application Visibility and Reporting
Symptoms:
Updating the analytics global-settings might cause a core for avrd.
The avrd.log contains the following record:
AVRD_CONFIG|NOTICE... 13931|lib/avrpublisher/infrastructure/avr_mcp_msg_parser.cpp:2985| Modified Analytics Global Settings, added "0" offbox TCP addresses
Conditions:
Analytics global-settings are updated either explicitly, using a tmsh command, or implicitly, by internal process script.
Impact:
Might cause a core for avrd. After coring once, avrd is expected to start normally without any additional cores. The configuration change is expected to be applied correctly after restart is complete.
Workaround:
None.
Fix:
This represents a partial fix. See bug 764665 for an additional fix.
749414-2 : Invalid monitor rule instance identifier error
Component: Local Traffic Manager
Symptoms:
Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects.
Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is in a pool.
-- Run the following command: tmsh load /sys config
-- Loading UCS/SCF file can trigger the issue also.
-- Nodes share the same monitor instance.
-- default-node-monitor is not configured.
Impact:
-- The system might delete monitor rule instances for unrelated nodes/pool-members.
-- Pool members are incorrectly marked down.
Workaround:
You can use either of the following:
-- Failover or failback traffic to the affected device.
-- Run the following command: tmsh load sys config.
749388 : 'table delete' iRule command can cause TMM to crash
Component: TMOS
Symptoms:
TMM SegFaults and restarts.
Conditions:
'table delete' gets called after another iRule command.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
Call 'table lookup' on any key before performing a 'table delete'.
Whether or not the key was added into the database beforehand does not matter.
Fix:
Fixed code to prevent invalid use of internal data structure.
749324-2 : jQuery Vulnerability: CVE-2012-6708
Solution Article: K62532311
749294-2 : TMM cores when query session index is out of boundary
Component: Local Traffic Manager
Symptoms:
TMM cores when the queried session index is out of boundary. This is not a usual case. It is most likely caused by the memory corrupted issue.
Conditions:
When session index equals the size of session caches.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The index boundary check now operates correctly in this situation, so tmm no longer cores.
749222-3 : dname compression offset overflow causes bad compression pointer
Component: Global Traffic Manager (DNS)
Symptoms:
DNS requests receive error response:
-- Got bad packet: bad compression pointer.
-- Got bad packet: bad label type.
Conditions:
When the DNS response is large enough so that dname redirects to an offset larger than 0x3f ff.
Impact:
DNS response is malformed. Because the DNS record is corrupted, zone transfer fails.
Workaround:
None.
Fix:
dname compression offset overflow no longer causes bad compression pointer.
749184-4 : Added description of subviolation for the suggestions that enabled/disabled them
Component: Application Security Manager
Symptoms:
Missing description of subviolation for the suggestions that enabled/disabled them.
Conditions:
There are suggestions that enabled/disabled subviolations in the security policy.
Impact:
Cannot determine the subviolation for the suggestions that enabled/disabled them.
Workaround:
Open Description in an additional tab in Learning and Blocking settings screen.
Fix:
Added description of subviolation for the suggestions that enabled/disabled them.
749161-1 : Problem sync policy contains non-ASCII characters
Component: Access Policy Manager
Symptoms:
When access policy contain non-ASCII characters, policy sync either fails or the characters are not sync'ed properly on the target.
Conditions:
-- Using an access profile.
-- Access profile contains non-ASCII characters (code point greater than 0x7f), e.g.,in VPE, add an 'Advanced Resource Assign' agent and specify an expression similar to the following in addition to the resource:
expr { [string tolower [mcget -decode {session.ad.last.attr.memberOf}]] contains [string tolower "CN=Suporte_TransmissãČo,"] || [string tolower [mcget -decodde {session.ad.last.attr.memberOf}]] contains [string tolower "CN=suporte_tx,"]}
-- Start policy sync on the profile.
Impact:
Policy sync fails or does not complete properly for the non-ASCII characters.
Workaround:
None.
Fix:
Policy sync now works properly when the policy contains non-ASCII characters.
749109-1 : CSRF situation on BIGIP-ASM GUI
Component: Application Security Manager
Symptoms:
CSRF situation on the BIG-IP ASM GUI that might potentially lead to resource exhaustion on the device for the moment it is being run.
Conditions:
The following URL accepts a wildcard in the parameter id, making it a heavy URL:
https://BIG-IP/dms/policy/pl_negsig.php?id=*
Impact:
Once multiple requests are sent to the target GUI, it is possible to see httpd process spiking even in core 0 (VMWare).
Workaround:
None.
Fix:
If the query string parameter has a string value the query is not executed.
749057-3 : VMware Horizon idle timeout is ignored when connecting via APM
Component: Access Policy Manager
Symptoms:
VMware Horizon has an option to set idle timeout under "View Configuration\Global Settings\General\Client-dependent settings\For clients that support applications". When there is no keyboard or mouse activity for the given time, application sessions should be disconnected (desktop sessions are staying, though).
This settings has no effect when connecting via APM.
Conditions:
VMware Horizon idle timeout setting for applications is configured and remote application is launched via APM.
Impact:
VMware Horizon idle timeout setting for applications has no effect.
Workaround:
None.
Fix:
VMware Horizon idle timeout "For clients that support applications" is now honored when connecting via APM.
748999-1 : invalid inactivity timeout suggestion for cookies
Component: Application Security Manager
Symptoms:
ASM will report "invalid inactivity timeout" suggestions to delete a cookie, even though the cookies are being sent and are valid.
Conditions:
- Inactivity timeout feature is configured in Policy Builder
- Cookie entity is configured in the policy
- Valid, non-violating traffic containing cookies is passed
Impact:
Since non-violating traffic is not sent to the policy engine, the inactivity timeout timer is never reset, which will eventually lead to suggestions to delete the inactive cookie entities. These suggestions are erroneous because valid cookies are being sent in the traffic.
Workaround:
Ignore the inactive entity suggestions for cookies
Fix:
Inactivity learning for cookies has been deprecated, the feature does not cover cookies anymore.
748976 : DataSafe Logging Settings page is missing when DataSafe license is active
Component: Fraud Protection Services
Symptoms:
DataSafe Logging Settings page is missing when DataSafe license is active
Conditions:
1. DataSafe license is active
2. Logging of Login attempts feature enabled
Impact:
DataSafe Logging Settings page is missing in GUI.
Workaround:
Use tmsh to configure the logging of Login attempts feature.
Fix:
FPS GUI should display Logging Settings page also when DataSafe license is active.
748902-7 : Incorrect handling of memory allocations while processing DNSSEC queries
Component: Global Traffic Manager (DNS)
Symptoms:
tmm crashes.
Conditions:
-- Heavy DNS traffic using DNS security signatures.
-- Use of external HSM may aggravate the problem.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release corrects the handling of memory allocations while processing DNSSEC queries.
748851-1 : Bot Detection injection include tags which may cause faulty display of application
Component: Application Security Manager
Symptoms:
The Bot Detection feature / Bot Defense profile includes JavaScript which is injected within <APM_DO_NOT_TOUCH> tags. Some web applications may be displayed incorrectly due to these tags.
Conditions:
- Your application includes JavaScript which dynamically adds HTML elements and expects a certain set of tags in the <head> section of the HTML.
- Bot Detection / Bot Defense are enabled.
Impact:
Some web applications may be displayed incorrectly.
Workaround:
None
Fix:
There is now an ASM Internal Parameter 'inject_apm_do_not_touch' and a db variable 'asm.inject_apm_do_not_touch', which can be disabled (modify sys db asm.inject_apm_do_not_touch value false) to prevent the <APM_DO_NOT_TOUCH> tag from being injected, thus allowing the application to be displayed correctly.
Behavior Change:
This release provides an ASM Internal Parameter 'inject_apm_do_not_touch', and a db variable 'asm.inject_apm_do_not_touch', which can be disabled (the default is enabled) to prevent the <APM_DO_NOT_TOUCH> tag from being injected, thus allowing the application to be displayed correctly.
To disable db variable, run the following command:
modify sys db asm.inject_apm_do_not_touch value false
748813-1 : tmm cores under stress test on virtual server with DoS profile with admd enabled
Component: Anomaly Detection Services
Symptoms:
tmm cores
Conditions:
-- Systems under stress testing.
-- Virtual server with DoS profile with admd enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Turn off Behavioral DOS.
Fix:
This tmm core no longer occurs under these conditions.
748502-3 : TMM may crash when processing iSession traffic
Solution Article: K72335002
748253-3 : Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
Component: Service Provider
Symptoms:
Depending on the DIAMETER settings of the BIG-IP system, there can be a race condition in a mirrored device cluster where the standby BIG-IP system resets its mirror connection to the active device.
Conditions:
-- MRF DIAMETER in use.
-- The DIAMETER session profile on the BIG-IP system is configured to use a non-zero watchdog timeout.
-- The DIAMETER session profile on the BIG-IP system is configured to use Reset on Timeout.
-- This is more likely to happen if (in the DIAMETER session profile) the Maximum Watchdog Failures is set to 1, and the Watchdog Timeout is configured to be the same value as the remote DIAMETER system.
Impact:
The standby is no longer mirroring the active system, and gets out of sync with it. There may be connections lost if a failover occurs.
Workaround:
To mitigate this issue:
1. Configure the Maximum Watchdog Failures to a value greater than 1.
2. Configure the Watchdog Timeout as something different from the same timeout on the remote peer, preferably to something that will have little overlap (i.e., the two timers should fire at the exact same time very infrequently).
Fix:
Prevented the standby from sending DWR packets to the active device, so that it no longer expects DWA responses that never arrive.
748206 : Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position
Component: TMOS
Symptoms:
Browser becomes unresponsive.
Conditions:
Loading the network map with a virtual server that contains a forwarding rule policy in the second position.
Impact:
Browser becomes unresponsive and must be restarted.
Workaround:
Change the position of the forwarding rule policy.
Fix:
The browser now behaves as expected when loading the network map with a virtual server that contains a forwarding rule policy in the second position.
748205-1 : SSD bay identification incorrect for RAID drive replacement★
Component: TMOS
Symptoms:
On iSeries platforms with dual SSDs, the 'bay' of a given SSD indicated in the 'tmsh show sys raid' command may be incorrect. If a drive fails, or for some other reason it is intended to be replaced, and you are using the bay number listed from the tmsh command, the wrong drive could be removed from the system resulting in system failure to operate or boot.
Conditions:
iSeries platform with dual SSDs.
Impact:
Removal of the one working drive could result in system failure and subsequent failure to boot
Workaround:
If you discover that you removed the incorrect drive, you can attempt to recover by re-inserting the drive into the bay that it was in, and powering on the device.
The following steps will help to avoid inadvertently removing the wrong drive:
As a rule for systems with this issue:
-- Power should be off when you remove a drive. This makes it possible to safely check the serial number of the removed drive.
-- Power should be on, and the system should be completely 'up' before you add a new drive.
Here are some steps to follow to prevent this issue from occurring.
1. Identify the failed drive, taking careful note of its serial number (SN). You can use any of the following commands to get the serial number:
• tmsh show sys raid
• tmsh show sys raid array
• array
2. Logically remove the failed drive using the following command: tmsh modify sys raid array MD1 remove HD<>
3. Power down the unit.
4. Remove the fan tray and physically remove the failed drive.
5. Manually inspect the SN on the failed drive to ensure that the correct drive was removed.
6. Replace the fan tray.
7. Power on the unit with the remaining, single drive.
8. Once booted, wait for the system to identify the remaining (good) drive. You can confirm that this has happened when it appears in the 'array' command output.
9. Remove fan tray again (with the system running).
10. Install the new drive.
11. Use the 'array' command to determine that the new drive is recognized (Note: the tmsh commands do not show new drive at this stage.)
12. Logically add the new drive using the command command: tmsh modify sys raid array MD1 add HD<>
13. Monitor the rebuild using any of the commands shown in step 1.
Note: You must follow these steps exactly. If you insert the new drive while the system is off, and you then boot the system with the previously existing working drive and the new blank drive present, the system recognizes the blank drive as the working Array member, and you cannot add it to the array. That means system responds and replicates as if 'HD already exists'.
748187-2 : 'Transaction Not Found' Error on PATCH after Transaction has been Created
Component: TMOS
Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.
Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.
Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.
Workaround:
If transaction is not very large, configure icrd_child to only run single-threaded.
Fix:
Erroneous 'Transaction Not Found' messages no longer occur under these conditions.
748177-3 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character
Component: Global Traffic Manager (DNS)
Symptoms:
Multiple wildcards not matched to the most specific WideIP.
Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.
Impact:
DNS request gets wrong answer.
Workaround:
There is no workaround at this time.
Fix:
Multiple wildcards are now matched to the most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character.
748121-1 : admd livelock under CPU starvation
Component: Anomaly Detection Services
Symptoms:
Due to the resources starvation the worker thread of admd does not get CPU for more than two minutes. At the same time, the configuration thread does get CPU.
The admd heartbeat failure occurs at 120 seconds. The SOD daemon kills admd.
The system posts messages similar to the following:
-- notice sod[6783]: 01140041:5: Killing /usr/bin/admd pid 6732
-- warning sod[6783]: 01140029:4: high availability (HA) daemon_heartbeat ADMD.Anomaly0 fails action is restart.
-- warning sod[6783]: 01140029:4: high availability (HA) daemon_heartbeat ADMD.Publisher0 fails action is restart.
Conditions:
-- High CPU / memory utilization,
-- Very large configuration.
Note: There are no known special configuration requirements to have this occur.
Impact:
admd restarts.
Behavioral DoS does not work.
Workaround:
Reboot the BIG-IP system.
Fix:
admd livelock event no longer occurs in response to CPU starvation in very large configurations.
748081-2 : Memory leak in Behavioral DoS module
Component: Advanced Firewall Manager
Symptoms:
TMM runs out of memory and restarts.
The memory usage as shown in "tmctl memory_usage_stat", under module line tag "session" is noticed to be high, and keeps growing.
Conditions:
The issue is seen when BDoS feature is configured, and if there exits Custom or Auto Generated BDoS Signatures. When such signatures exist, the BDoS one second timer callback leaks memory.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
1. Disable BDoS feature.
2. Disable all configured and auto generated BDoS signatures using TMSH command:
# cd dos-common
# modify security dos dos-signature all { state disabled }
748043-3 : MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP
Component: Service Provider
Symptoms:
SIP Server sends SIP Request to the client.
The SIP Server inserts a different port, so that response are received on a different port.
The Client sends the response on the new requested port.
BIG-IP drops the packet
Conditions:
SIP Server wants the SIP Response to be coming on a different port.
Impact:
SIP Request will not receive the SIP Response
Workaround:
There is no workaround.
Fix:
Fix BIG-IP to process the SIP Response and send it to the SIP Server
747968-2 : DNS64 stats not increasing when requests go through DNS cache resolver
Component: Local Traffic Manager
Symptoms:
DNS64 stats are not incrementing when running the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands if responses are coming from DNS cache resolver.
Conditions:
-- DNS responses are coming from DNS cache resolver.
-- Viewing statistics using the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands.
Impact:
DNS64 stats are not correct.
Workaround:
There is no workaround at this time.
747926 : Rare TMM restart due to NULL pointer access during AFM ACL logging
Component: Advanced Firewall Manager
Symptoms:
Tmm crashes while performing log ACL match logging.
Conditions:
The problem can happen only with the following configuration:
1) AFM Logging for ACLs enabled.
2) Security Network Logging profile has the property "log-translation-fields enabled"
The problem happens under extremely rare circumstances.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Defensive error handling to avoid the scenario of NULL pointer access.
747922-2 : With AFM enabled, during bootup, there is a small possibility of a tmm crash
Component: Advanced Firewall Manager
Symptoms:
During bootup, with AFM enabled, there is a small possibility of a tmm crash. The tmm process generates a core file and then automatically restart.
Conditions:
-- AFM enabled.
-- sPVA-capable hardware platform.
-- Boot up the system.
Impact:
tmm crashes, coredumps, and then restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The race-condition has been fixed, so this issue no longer occurs.
747909-3 : GTPv2 MEI and Serving-Network fields decoded incorrectly
Component: Service Provider
Symptoms:
MEI and Serving-Network vales obtained with GTP::ie get iRule command contains digits swapped in pairs, first digit missing and a random digit added at the back.
Conditions:
Processing GTP traffic with iRules.
Impact:
It is impossible to obtain correct value of MEI and Serving-Network fields of the GTPv2 packets when processing with iRules.
Workaround:
No workaround.
Fix:
Decoding of GTPv2 MEI and Serving-Network fields corrected.
747907-1 : Persistence records leak while the HA mirror connection is down
Component: Local Traffic Manager
Symptoms:
Memory might leak on the active unit while the high availability (HA) mirror connection is down.
Conditions:
-- The persistence configured that requires its state to be stored stored on the BIG-IP system.
-- Mirroring is configured on the persistence profile or the virtual server.
-- Mirror connection is down, for example, next active is down/offline/unavailable.
Impact:
Memory leak until the HA mirror connection is up. Once mirror connection is up, the system releases the memory.
Workaround:
-- Disable persistence while HA mirror connection is down (e.g., performing maintenance).
-- Disable session mirroring for iRules.
-- Use persistence that does not requires its state to be stored on the BIG-IP system.
-- Restore HA connection.
Fix:
Persistence records no longer leak memory while the HA mirror connection is down.
747905-1 : 'Illegal Query String Length' violation displays wrong length
Component: Application Security Manager
Symptoms:
When the system decodes a query string that exceeds the allowed query string length, the system reports the incorrect 'Illegal Query String Length' violation string length.
Conditions:
-- 'Illegal Query String Length' violation is encountered.
-- The query string is decoded and reported.
Impact:
The system reports the decoded character count rather than bytes. For example, for a Detected Query String Length = 3391, the system posts a Detected Query String Length = 1995.
Workaround:
None.
747777-1 : Extractions are learned in manual learning mode
Component: Application Security Manager
Symptoms:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"
Conditions:
Direct cause: Policy contains parameters with dynamic type
Indirect cause: Policy Builder is configured to classify parameters as dynamic (related to bug 717525)
Impact:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"
Workaround:
- Change all dynamic parameters value types to User Input with Alpha Numeric data type
- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').
Fix:
Policy Builder does not set extractions for dynamic parameters in manual mode
747725-2 : Kerberos Auth agent may override settings that manually made to krb5.conf
Component: Access Policy Manager
Symptoms:
when apmd starts up, it can override settings in krb5.conf file with those required for Kerberos Auth agent
Conditions:
- Kerberos Auth is configured in an Access Policy,
- administrator made changes to krb5.conf manually
to the section [realms] of the configured realm
Impact:
Kerberos Auth agent behavior is not what administrator expects with the changes.
it may also affect websso(kerberos) to behave properly
Workaround:
None
Fix:
after fix, the configuration file changes are merged.
Kerberos Auth agent adds the lines it requires and does not override existing settings
747628-3 : BIG-IP sends spurious ICMP PMTU message to server
Component: Local Traffic Manager
Symptoms:
After negotiating an MSS in the TCP handshake, the BIG-IP system then sends an ICMP PMTU message because the packet is too large.
Conditions:
-- The server side allows timestamps and the client side does not negotiate them.
-- The client-side MTU is lower than the server-side MTU.
-- There is no ICMP message on the client-side connection.
Impact:
Unnecessary retransmission by server; suboptimal xfrag sizes (and possibly packet sizes).
Workaround:
Disable timestamps or proxy-mss on the server-side TCP profile.
747621-2 : Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used
Component: Access Policy Manager
Symptoms:
Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used, e.g. RADIUS server performs two factor authentication.
Conditions:
1. Native VMware Horizon client is used to connect via APM.
2. RADIUS authentication agent is present in Access Policy.
3. RADIUS server asks for challenge response (e.g. 2FA).
Impact:
Authentication fails. User can't get access to VMware Horizon resources.
Workaround:
None.
Fix:
Fixed issue preventing native VMware Horizon client to authenticate with RADIUS challenge.
747617-1 : TMM core when processing invalid timer
Component: Local Traffic Manager
Symptoms:
TMM crashes while processing an SSLO iRules that enables the SSL filter on an aborted flow.
Conditions:
SSLO is configured and passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround
Fix:
SSL filter will no longer be enabled after connection close.
747592-2 : PHP vulnerability CVE-2018-17082
Component: TMOS
Symptoms:
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
Conditions:
This exploit doesn't need any authentication and can be exploited via POST request. Because of 'Transfer-Encoding: Chunked' header php is echoing the body as response.
Impact:
F5 products not affected by this vulnerability. Actual impact of this vulnerability is possible XSS attack.
Workaround:
No known workaround.
Fix:
The brigade seems to end up in a messed up state if something fails in shutdown, so we clean it up.
747560-3 : ASM REST: Unable to download Whitehat vulnerabilities
Component: Application Security Manager
Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.
Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.
Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided, and it must be downloaded manually, or the GUI must be used.
Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.
Fix:
The REST endpoint for importing Scanner Vulnerabilities for the Whitehat Scanner now correctly downloads the vulnerability file automatically when no file is provided.
747550-1 : Error 'This Logout URL already exists!' when updating logout page via GUI
Component: Application Security Manager
Symptoms:
When you try to update the Logout Page, you get an error about the URL existence: Error 'This Logout URL already exists!'
Conditions:
1. Create any Logout page.
2. Try to update it.
Impact:
The properties of the Logout Page cannot be updated.
Workaround:
Delete the logout page and create a new one.
Fix:
This release addresses the issue, so that no error is reported when updating the Logout Page.
747203-4 : Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding
Component: TMOS
Symptoms:
-- SYN/ACK packets arriving on a tunnel fail to be matched to an existing flow followed by a RST issued by the BIG-IP system.
-- The BIG-IP system reports 'no flow found'.
-- MAC addresses can contain random values, or fe:fe:fe:fe:fe:fe.
Conditions:
-- Using IKEv2 with both NAT-T and interface mode.
-- The BIG-IP is configured to use several tmm instances.
-- The combination of IP addresses and port numbers result in distributing legs of processing one flow across several tmm instances.
Impact:
NATT/ESP tunnel flows can end with a RST reset.
Workaround:
None.
Fix:
In the ESP proxy, The system now clears a bit in packet metainformation related to forwarding, so a decrypted packet such as SYN/ACK can reach the last tmm needed.
747187-3 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response
Component: Service Provider
Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.
Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.
Impact:
Media does not flow on pinholes for which a collision was detected and reported.
Workaround:
None
Fix:
No collision is detected or logged when multiple messages with SDP recreate the same flows in the same call.
747104-3 : LibSSH: CVE-2018-10933
Solution Article: K52868493
Component: Advanced Firewall Manager
Symptoms:
For more information see: https://support.f5.com/csp/article/K52868493
Conditions:
For more information see: https://support.f5.com/csp/article/K52868493
Impact:
For more information see: https://support.f5.com/csp/article/K52868493
Fix:
For more information see: https://support.f5.com/csp/article/K52868493
747065-3 : PEM iRule burst of session ADDs leads to missing sessions
Component: Policy Enforcement Manager
Symptoms:
Some PEM sessions that were originally added, later disappear and cannot be added back.
Conditions:
-- Subscriber addition is done by iRule on UDP virtual servers.
-- The sessions are added in a burst.
-- A small fraction of such sessions cannot be added back after delete.
Impact:
Policies available in the missing session cannot be accessed.
Workaround:
Add a delay of at least a few milliseconds between adding multiple session with same subscriber-id and IP address.
Fix:
The release handles the issue that prevented the addition of the new subscriber. Now, even after the bursts of iRule additions, no re-additions fail.
746941 : avrd memory leak when BIG-IQ fails to receive stats information
Component: Application Visibility and Reporting
Symptoms:
AVRD has memory leak when it is failing to send statistical information to BIG-IQ.
Conditions:
BIG-IP is used by BIG-IQ version 6.0.0 or higher, and stats collection is enabled.
Plus, BIG-IQ has some malfunction that prevents it from receiving the statistical information that BIG-IP is sending (for example: all DCDs are down, or not network connection between BIG-IP and BIG-IQ).
Impact:
avrd memory is increased over time, leading to avrd restart when it is getting too large
Workaround:
Connectivity issue between BIG-IP and BIG-IQ should be fixed, not just in order to prevent this memory leak, but for more important functionality such as visibility and alerts features in BIG-IQ.
Fix:
Memory leak is fixed.
746922-4 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
Component: Local Traffic Manager
Symptoms:
In a situation when a routing entity belonging to the child route domain is searching for an egress point for a traffic flow, it's searching for a routing entry in the child domain first, then if nothing is found, it searches for it in the parent route domain and returns the best found routing entry.
If the best routing entry from the parent route domain is selected, then it is held by a routing entity and is used to forward a traffic flow. Later, a new route entry is added to the child route domain's routing table and this route entry might be better than the current, previously selected, routing entry. But the previously selected entry doesn't get invalidated, thus the routing entity that is holding this entry is forwarding traffic to a less-preferable egress point.
#Example:
RD0(parent) -> RD1(child)
routing table: default gw for RD0 is 0.0.0.0/0%0
pool member is 1.1.1.1/32%1
-
Pool member searches for the best egress point and finds nothing in the routing table for route domain 1, and then later finds a routing entry, but from the parent route domain - 0.0.0.0/0%0.
Later a new gw for RD1 was added - 0.0.0.0/0%1, it's preferable for the 1.1.1.1/32%1 pool member. 0.0.0.0/0%0 should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, as in this case, with - 0.0.0.0/0%1.
Conditions:
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. New routing entry for child route domain is added.
Impact:
If a new added route is preferable to an existing one in a different route domain, the new, preferable, route is not going to be used by a routing object that has previously selected a route. Thus, traffic flows through these routing objects to an unexpected/incorrect egress point. This might result in undesirable behavior:
-- The route might be unreachable, and all traffic for a specific pool member is dropped.
-- The virtual server cannot find an available SNAT address.
-- Simply, the wrong egress interface is being used.
Workaround:
Use either of these workaround after a new route in child domain is added.
-- Recreate a route.
Recreate a parent route domain's routes. Restart tmrouted daemon if routes are gathered via routing protocols.
-- Recreate a routing object.
- If a pool member is affected, recreate the pool member.
- If a SNAT pool list is affected, recreate it.
- And so on.
Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table.
746877-3 : Omitted check for success of memory allocation for DNSSEC resource record
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.
Conditions:
During memory stress while handling DNSSEC traffic.
Impact:
TMM panic and subsequent interruption of network traffic.
Workaround:
Keeping the workload within normal ranges reduces the probability of encounter.
Fix:
The system now checks for success of memory allocation for DNSSEC resource record, so this issue no longer occurs.
746823 : AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members
Component: Application Visibility and Reporting
Symptoms:
In a configuration that AVR is set to send telemetry data to external source (like connection with BIG-IQ), and there is large number of config objects in the system, such as virtual servers and pool-members. AVRD is constantly crashing.
Conditions:
1. AVR is set to send telemetry data to external source (like connection with BIG-IQ).
2. Large number of config objects in the system, such as virtual servers and pool-members.
Impact:
AVRD process is crashing and telemetry data is not collected.
Workaround:
N/A
Fix:
The issue is fixed, AVR can handle any number of virtuals/pool-members when sending its telemetry.
746771-1 : APMD recreates config snapshots for all access profiles every minute
Component: Access Policy Manager
Symptoms:
When the access profile configurations in APMD and MCPD are out of sync, APMD detects that the config snapshot for one access profile is missing. This triggers AMPD to recreates the config snapshots for all access profiles. The detect-recreate cycle repeats every minute, posting log messages:
-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
...
-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
Conditions:
The conditions under which the access profile configurations in APMD and MCPD become out of sync is unknown.
Impact:
TMM memory usage increases due to excessive config snapshots being created.
Workaround:
Restart APMD to clear the APMD and MCPD out-of-sync condition.
Fix:
This issue has been fixed.
746768-1 : APMD leaks memory if access policy policy contains variable/resource assign policy items
Component: Access Policy Manager
Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.
Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.
Impact:
APMD's memory footprint will increase whenever the access policy is applied.
Workaround:
There is no workaround.
Fix:
Memory growth has been addressed.
746710-2 : Use of HTTP::cookie after HTTP:disable causes TMM core
Component: Local Traffic Manager
Symptoms:
When an iRule disables HTTP with HTTP:disable, subsequent use of HTTP::cookie for that request will cause a TMM core dump.
Conditions:
1) HTTP profile is configured on the virtual.
2) HTTP:disable is called on request.
3) HTTP:cookie is then called on that request.
Impact:
Use of iRules in the above mentioned order will result in a TMM core. Traffic disrupted while tmm restarts.
Workaround:
Do not call HTTP:cookie on requests that have had HTTP disabled by HTTP:disable
746266-1 : Vcmp guest vlan mac mismatch across blades.
Component: TMOS
Symptoms:
Guests running on blades in a single chassis report different MAC addresses on a single vlan upon host reboot for vcmp guest.
Conditions:
This issue may be seen when all of the following conditions are met:
- One (or more) blade(s) are turned off completely via AOM.
- Create two vlans.
- Deploy a multi-slot guest with the higher lexicographic vlan.
- Now, assign the smaller vlan to the guest.
- Reboot the host
Impact:
Incorrect MAC addresses are reported by some blades.
Workaround:
There is no workaround at this time.
746146-2 : AVRD can crash with core when disconnecting/reconnecting on HTTPS connection
Component: Application Security Manager
Symptoms:
AVRD crashes repeatedly when the BIG-IP system is configured to work with BIG-IQ.
Conditions:
-- BIG-IP system is connected to BIG-IQ.
-- Disconnecting/reconnecting on HTTPS connection.
Impact:
Statistics collection is unstable : some stats data are lost during avrd crash.
Workaround:
None.
Fix:
Object associated with HTTPS connection was deleted before the last event on this connection arrived. Object deletion is now deferred, so this issue no longer occurs..
746077-1 : If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified
Component: Local Traffic Manager
Symptoms:
DHCP-RELAY overwrites the 'giaddr' field containing a non-zero value. This violates RFC 1542.
Conditions:
DHCP-RELAY processing a message with the 'giaddr' field containing a non-zero value,
Impact:
RFC 1542 violation
Workaround:
None.
Fix:
DHCP-RELAY no longer overwrites the 'giaddr' field containing a non-zero value.
745825-3 : The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading
Component: TMOS
Symptoms:
This message may be logged while the audit_forwarder is loading the configuration:
audit_forwarder is disabled as the configuration is incomplete. Please define the following db variables: config.auditing.forward.sharedsecret, config.auditing.forward.destination and config.auditing.forward.type. And make sure config.auditing.forward.destination is not set to "::".
These DB variables may all be actually configured correctly, but since the configuration has not loaded yet this message may be logged multiple times.
Conditions:
The audit_forwarder process is starting up and loading the configuration.
Impact:
Confusing error messages in /var/log/ltm. Logging will still work as configured.
Workaround:
There is no workaround.
Fix:
Message has been modified to indicate the possibility of loading the configuration. Message is now logged only once. A new messages is logged indicating when audit_forwarder is enabled.
745809 : The /var partition may become 100% full requiring manual intervention to clear space
Component: Advanced Firewall Manager
Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free
Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.
Conditions:
Process traffic while DoS Dashboard is open.
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition
Workaround:
This workaround is temporary in nature, and may need to be periodically performed either manually or from a script. While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.
Run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.
745802-3 : Brute Force CAPTCHA response page truncates last digit in the support id
Component: Application Security Manager
Symptoms:
Brute Force CAPTCHA response page shown to an end-user has a support id and the last digit is truncated.
Conditions:
- ASM Provisioned
- ASM policy attached to a virtual server
- ASM Brute Force Protection enabled in the asm policy
- ASM Brute Force sends captcha mitigation page when a website is under brute force attack.
Impact:
The support id presented to an end-user won't be matched to the one shown in the asm logs
Workaround:
There is no workaround at this time.
Fix:
The code is fixed, correct support id is shown in the captcha response page.
745783-3 : Anti-fraud: remote logging of login attempts
Component: Fraud Protection Services
Symptoms:
There is no support for logging of login attempts to a remote service.
Conditions:
Using high speed logging (HSL) to log login attempts.
Impact:
There is no support for logging of login attempts.
Workaround:
None.
Fix:
FPS now uses HSL to report login attempts using configured templates, rate-limit, and publisher to a remote service.
To enable this feature:
# via tmsh only
tmsh modify sys db antifraud.riskengine.reportlogins value enable
# via tmsh or GUI
tmsh modify sys db antifraud.internalconfig.string1 value "<login attempt log template>"
tmsh modify sys db antifraud.internalconfig.string2 value "<log-rate-exceeded log template>"
tmsh modify sys db antifraud.internalconfig.number1 value "<log-rate-exceeded threshold>"
tmsh modify security anti-fraud profile <fps profile> risk-engine-publisher <publisher>
It is recommended that you use encoding when composing an HTTP template. The default encoding level is 0, meaning 'never encode'.
To change encoding level:
tmsh modify sys db antifraud.internalconfig.number2 value <0/1/2>
Behavior Change:
FPS now includes the ability to perform High Speed Logging (HSL) of all login attempts to specific protected URLs. These events can be forwarded to remote services (e.g. SIEM Server), and, when enabled, can help indicate whether applications are under attack.
745713-1 : TMM may crash when processing HTTP/2 traffic
Solution Article: K94563344
745654-2 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
Component: Access Policy Manager
Symptoms:
When there are a lot of tcp connections that needs new kerberos ticket to be fetched from kdc, then the websso processes requests slower than the incoming requests. This could lead to low throughput and virtual server is very slow to respond to requests.
Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.
Impact:
Low throughput and slow responses from Virtual server.
Workaround:
There is no workaround at this time.
Fix:
Increase the size of websso worker queue, so that tmm and websso process can communicate effectively. This eliminates VS slowness and hence increase throughput.
745628-3 : MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
Component: Service Provider
Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALD with SNAT after a NOTIFY message has been processed.
Conditions:
This occurs because the NOTIFY message has has the TO and FROM headers with the same value causing the ALG to enter hairpin mode.
Impact:
Media addresses in the SDP payload are not translated.
Workaround:
There is no workaround.
Fix:
Hairpin mode is not entered when processing NOTIFY messages
745600-3 : Removal of timer object from tmm timer-ring when a tcl context is released.
Component: Access Policy Manager
Symptoms:
If a tcl context is associated with a tmm-timer (while creating access session) using iRule, the timer object is removed during tcl context release but its association remains. When the timer fires, it tries to access a memory which is already freed, causing tmm to crash and generate a core.
Conditions:
Creating access session using iRule.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
Now the timer object created under tcl context is tied with tcl command context and a callback function. This function will be called every time a tcl context is released. This will allow any additional cleanup (e.g. removal of timer from timer ring) and freeing the tcl command context.
745574-3 : URL is not removed from custom category when deleted
Component: Access Policy Manager
Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.
Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.
Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.
Workaround:
"bigstart restart tmm" will resolve the issue.
Fix:
Made sure that the deletion takes effect properly and SSL traffic is no longer miscategorized after removal of the URL from the custom category.
745533-4 : NodeJS Vulnerability: CVE-2016-5325
Component: Local Traffic Manager
Symptoms:
It was found that the reason argument in ServerResponse#writeHead() was not properly validated.
Conditions:
iRules LX is running at the BigIP.
Impact:
A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request.
Workaround:
N/A.
Fix:
NodeJS updated to patch for CVE-2016-5325
745531-1 : Puffin Browser gets blocked by Bot Defense
Component: Application Security Manager
Symptoms:
Users using the Puffin Browser are blocked when accessing the Virtual Server when it is protected with either Proactive Bot Defense (within DoSL7 profile) or with the Bot Defense profile.
This applies to all version of the Puffin Browsers: Desktop, Android, iOS.
Conditions:
- Users using the Puffin Browser on Desktop, Android, iOS
- Bot Defense Profile, or: DoSL7 profile with Proactive Bot Defense is used while the "Block Suspicious Browsers" checkbox is enabled
Impact:
Users of the Puffin Browser cannot access the website
Workaround:
None
Fix:
Users of the Puffin Browser can now access the website that is protected by Bot Defense without getting blocked.
For the fix to be applied, both BIG-IP Release and ASU must be installed which contain the fix. Also, it is recommended to enable the following DB variables:
tmsh modify sys db dosl7.proactive_defense_validate_ip value disable
tmsh modify sys db dosl7.cs_validate_ip value disable
745514-3 : MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
Component: Service Provider
Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALD with SNAT after a SUBSCRIBE message has been processed.
Conditions:
This occurs because the SUBSCRIBE message has has the TO and FROM headers with the same value causing the ALG to enter hairpin mode.
Impact:
Media addresses in the SDP payload are not translated.
Workaround:
There is no workaround.
Fix:
Hairpin mode is not entered when processing SUBSCRIBE messages
745404-2 : MRF SIP ALG does not reparse SDP payload if replaced
Component: Service Provider
Symptoms:
When a SIP message is loaded, the SDP is parsed. If modified or replaced, the system does not reparse the modified payload.
Conditions:
This occurs internally while processing SDP in a SIP message.
Impact:
Changes to the SDP are ignored when creating media pinhole flows
Workaround:
None.
Fix:
The SDP payload is now reparsed if modified or replaced.
745387-3 : Resource-admin user roles can no longer get bash access
Component: TMOS
Symptoms:
Resource-admin users with bash access may write to system files beyond the scope of their assigned access.
Conditions:
Resource-admin users configured with bash shell access.
Impact:
Resource-admin users with bash access may write to system files causing security risks.
Workaround:
Do not assign bash access for resource-admin users.
Fix:
Resource-admin users restricted to tmsh access now. If a resource-admin user had bash access in a prior version and upgrades to this version, that user will get converted to tmsh access automatically after the upgrade process.
Behavior Change:
Resource-admin roles can no longer have bash shell access. And upon upgrade, resource-admin users with bash access will get converted to tmsh shell access.
745371-2 : AFM GUI does not follow best security practices
Solution Article: K68151373
745358-3 : ASM GUI does not follow best practices
Solution Article: K14812883
745257-3 : Linux kernel vulnerability: CVE-2018-14634
Solution Article: K20934447
745165-3 : Users without Advanced Shell Access are not allowed SFTP access
Solution Article: K38941195
745027 : AVR is doing extra activity of DNS data collection even when it should not
Component: Application Visibility and Reporting
Symptoms:
When collecting DNS data, AVR generates data that is used only for BIG-IQ, even if not connected to BIG-IQ.
Conditions:
DNS Statistics collection or DNS-DoS is configured.
Impact:
avrd process is taking more CPU cycles for activity that is not needed. There is no impact to functionality.
Workaround:
None.
Fix:
The system no longer performs extra computation that is not needed in this case.
744959-1 : SNMP OID for sysLsnPoolStatTotal not incremented in stats
Component: Carrier-Grade NAT
Symptoms:
SNMP OID for sysLsnPoolStatTotal is not incremented in stats totals.
Conditions:
This affects all of the global port block allocation (PBA) counters.
Impact:
SNMP OID for sysLsnPoolStatTotal is not incremented when it should be. Stats are not accurate.
Workaround:
None.
Fix:
SNMP OID for sysLsnPoolStatTotal is now incremented in stats totals.
744949-3 : MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix
Component: Service Provider
Symptoms:
SIP response messages have the wrong IP address in the FROM header when using NAT64.
Conditions:
If the client's IPv6 address does not match the virtual server's configured IPv6 prefix, the FROM header on a response message will have a different IP address that the request message.
Impact:
The SIP ALG with SNAT system will be unable to establish a call for the client.
Workaround:
There is no workaround at this time.
Fix:
The FROM header will now contain the client's IP address.
744937-9 : BIG-IP DNS and GTM DNSSEC security exposure
Solution Article: K00724442
Component: Global Traffic Manager (DNS)
Symptoms:
For more information please see: https://support.f5.com/csp/article/K00724442
Conditions:
For more information please see: https://support.f5.com/csp/article/K00724442
Impact:
For more information please see: https://support.f5.com/csp/article/K00724442
Workaround:
None.
Fix:
For more information please see: https://support.f5.com/csp/article/K00724442
Behavior Change:
Note: After installing a version of the software that includes the fix for this issue, you must set the following db variables:
-- dnssec.nsec3apextypesbitmap
-- dnssec.nsec3underapextypesbitmap.
These two db variables are used globally (i.e., not per-DNSSEC zone) to configure the NSEC3 types bitmap returned in one-off NODATA responses for apex and under-apex responses, respectively.
When the BIG-IP system is queried for a DNS name in which the DNS name exists and is not of the RR type requested, the NSEC3 types bitmap on the response reflects what you configure for the db variable, minus the queried-for type.
When using these variables:
-- Configure type values as all lowercase.
-- Enclose multiple types in quotation marks (e.g., "txt rrsig").
-- Understand that there is likely no need to change the apex type setting; do so with extreme care. The under-apex settings are what you will find helpful in addressing the negative caching issue.
744707-4 : Crash related to DNSSEC key rollover
Component: Global Traffic Manager (DNS)
Symptoms:
When running out of memory, a DNSSKEY rollover event might cause a tmm crash and core dump.
Conditions:
-- System has low memory or is out of memory.
-- DNSSKEY rollover event occurs.
Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
Fix:
Fixed an issue in DNSSEC Key Rollover event that could cause a crash.
744685-1 : BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension
Component: Local Traffic Manager
Symptoms:
An intermediate CA certificate should be considered invalid if the certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension. The BIG-IP system does not enforce this.
Conditions:
The SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop.
Impact:
The system might unexpectedly accept the SSL connection while the peer is using an inappropriate certificate.
Workaround:
None.
Fix:
With this fix, if the SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the SSL handshake if the peer's CA certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension.
Behavior Change:
When authenticating a peer's SSL certificate, the system requires a CA certificate to have the 'Basic Constraints' and 'CA:True' in its extension, like this:
X509v3 Basic Constraints: critical
CA:TRUE
If an SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the handshake if the peer's CA certificate does not satisfy this requirement.
744595-1 : DoS-related reports might not contain some of the activity that took place
Component: Application Visibility and Reporting
Symptoms:
Occasionally, some telemetry data of DoS related activity is lost.
Conditions:
No specific condition other than using the BIG-IP system anti-DDoS feature.
Impact:
DoS related reports might not contain some of the activity that takes place.
Workaround:
None.
Fix:
Issue was fixed, all telemetry data is collected without errors.
744589-1 : Missing data for Firewall Events Statistics
Component: Application Visibility and Reporting
Symptoms:
Statistical information that is collected for Firewall event, has some data that is getting lost and not reported.
When this is taking place, the following message appears at avrd log:
Some rows of load_stat_firewall_events_<some number> not loaded
Conditions:
AFM is used, no particular condition that leads to this situation of losing some of the stats, usually takes place under heavy activity.
Impact:
Statistical reports of Firewall Events are missing some the the activity that actually took place.
Workaround:
There is no workaround at this time.
Fix:
Issue with missing data was fixed.
744556-1 : Upgrade PingAccess SDK used by BIG-IP APM to v1.1.3
Solution Article: K01226413
Component: Access Policy Manager
Symptoms:
Upgrading PingAccess SDK from v1.0.0 to v1.1.3
Conditions:
The SDK is upgraded during system upgrade.
Impact:
BIG-IP APM will internally use PingAccess SDK v1.1.3 when interacting with PingAccess servers.
Workaround:
Not Applicable.
Fix:
Upgraded PingAccess SDK used by BIG-IP APM to the v1.1.3, applicable when BIG-IP APM interacts with PingAccess servers.
744532-2 : Websso fails to decrypt secured session variables
Component: Access Policy Manager
Symptoms:
Whenever websso tries to decrypt secure session variables, the following error is seen /var/log/apm:
Aug 15 21:36:25 abcd err websso.0[20421]: 014d0028:3: /Common/Test_PRP:Common:2b8e7abc: Master Decrypt failed for user test with error 'ckDecrypt: invalid ciphertext'
Aug 15 21:36:25 abcd info websso.0[20421]: 014d0009:6: /Common/Test_PRP:Common:2b8e7abc: Websso basic authentication for user 'test' using config '/Common/sso_test_obj'
Conditions:
- Per-req policy is attached to virtual server.
- Secure subsession variables are assigned to session variables using Variable Assign Agent in per-req policy.
- SSO Configuration Select agent is used in per-req policy.
Impact:
Single Sign-On (SSO) won't work correctly.
Workaround:
There is no workaround at this time.
744516-1 : TMM panics after a large number of LSN remote picks
Component: Carrier-Grade NAT
Symptoms:
TMM panics with the assertion 'nexthop ref valid' failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.
Conditions:
An LSN Pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.
Impact:
TMM restarts. Traffic is interrupted.
Workaround:
There is no workaround.
Fix:
TMM no longer panics regardless of the number of remote picks.
744347-2 : Protocol Security logging profiles cause slow ASM upgrade and apply policy
Component: Application Security Manager
Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.
Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.
Impact:
ASM upgrade and apply policy are delayed.
Workaround:
There is no workaround at this time.
744331 : OpenSSH hardening
Component: TMOS
Symptoms:
The default OpenSSH configuration does not follow best practices for security hardening.
Conditions:
Administrative SSH access enabled.
Impact:
OpenSSH does not follow best practices.
Fix:
The default OpenSSH configuration includes best practices for security hardening.
744269-2 : dynconfd restarts if FQDN template node deleted while IP address change in progress
Component: Local Traffic Manager
Symptoms:
The dynconfd daemon may crash and restart if an FQDN template node is deleted (by user action or config sync) while ephemeral nodes are in the process of being created, and deleted as the result of new IP addresses being returned by a recent DNS query.
Conditions:
This may occur on BIG-IP version 14.0.0.3 (and BIG-IP versions 13.1.x or v12.1.x with engineering hotfixes for ID 720799, ID 721621 and ID 726319), under the following conditions:
1. A DNS query returns a different set of IP addresses for one or more FQDN names.
2. While new ephemeral node(s) are being created (for new IP addresses and deleted (for old IP addresses), an FQDN template node is deleted (either by user action or config sync).
Impact:
The dynconfd daemon crashes and restarts.
Ephemeral nodes may not be updated in a timely manner while the dynconfd daemon is restarting.
Fix:
The dynconfd daemon does not crash and restart if an FQDN template node is deleted while ephemeral nodes are in the process of being created and deleted as the result of new IP addresses being returned by a recent DNS query.
744210-1 : DHCPv6 does not have the ability to override the hop limit from the client.
Component: Local Traffic Manager
Symptoms:
DHCPv6 packet may be dropped by a device after the DHCP relay if the client provided hop limit is 1.
Conditions:
DHCPv6 Relay configured on the BIG-IP.
Impact:
Loss of DHCPv6 service.
Workaround:
There is no workaround at this time.
Fix:
Configurable hop limit over-ride capabilities provided for client sent DHCPv6 packets.
744188 : First successful auth iControl REST requests will now be logged in audit and secure log files
Component: TMOS
Symptoms:
Previously, when making a REST request from a client for the first time and it is successful, this action was not logged.
Just subsequent REST calls were logged or initial failed REST calls from a client were logged.
Conditions:
Making a successfully auth-ed initial REST request from a new client to BIG-IP.
Impact:
BIG-IP admins would not know when a new client first made a successful REST call to BIG-IP.
Workaround:
None.
Fix:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.
Here's an example of what shows in audit log:
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user bart2 - RAW: httpd(pam_audit): user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
Here's an example of what shows in secure log:
-- info httpd(pam_audit)[26561]: user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user usr2 - RAW: httpd(pam_audit): user=usr2(usr2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
Subsequent REST calls will continue to be logged normally.
Behavior Change:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.
Subsequent REST calls will continue to be logged normally.
744117-5 : The HTTP URI is not always parsed correctly
Solution Article: K18263026
Component: Local Traffic Manager
Symptoms:
The HTTP URI exposed by the HTTP::uri iRule command, Traffic Policies, or used by ASM is incorrect.
Conditions:
-- HTTP profile is configured.
-- The URI is inspected.
Impact:
If the URI is used for security checks, then those checks might be bypassed.
Workaround:
None.
Fix:
The HTTP URI is parsed in a more robust manner.
744035-4 : APM Client Vulnerability: CVE-2018-15332
Solution Article: K12130880
743961-3 : Signature Overrides for Content Profiles do not work after signature update
Component: Application Security Manager
Symptoms:
JSON profile signature override does not include legacy signature after Automatic Signature Update (ASU).
Conditions:
Signature override on content profile ASU with major update to targeted sig.
Impact:
-- Unexpected block on a previously white-listed signature.
-- Confusing logging for why the signature was blocked (should indicate it was due to using an old signature version).
Workaround:
-- Create the signature override at higher context, e.g., the URL. Removing the URL context override again keeps it fixed.
-- Enforce new version of sig globally.
Fix:
Signature Overrides for Content Profiles now work after signature update.
743857 : Clientssl accepts non-SSL traffic when cipher-group is configured
Solution Article: K21942600
Component: Local Traffic Manager
Symptoms:
Clientssl accepts Non-SSL traffic even when "Non-SSL Connections" is disabled.
Conditions:
In clientssl profile, Cipher Group is configured and one of the "No SSL/TLS/DTLS" option is enabled.
Impact:
Connections to VIP with clientssl profile are not encrypted.
If SSL client authentication is enabled, plaintext request is successful meaning that client can get access to resources otherwise requiring a valid client certificate.
Workaround:
Use Cipher String instead of Cipher Group when configuring clientssl profile.
Fix:
Properly validate cipher suites in a cipher group before use.
743810-1 : AWS: Disk resizing in m5/c5 instances fails silently.
Component: TMOS
Symptoms:
Resizing the disk in an m5/c5 instance in AWS has no impact on the disk size, and this operation fails silently.
Conditions:
BIG-IP system deployed in AWS with m5/c5 instance type that uses NVME disks instead of the usual native paravirt disks.
Impact:
Disk resizing fails; administrators cannot grow the instance disk in response to their requirements and instance utilization post-deployment.
Workaround:
There is no workaround.
Fix:
AWS: Disk resizing now works as expected.
743803-2 : IKEv2 potential double free of object when async request queueing fails
Component: TMOS
Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.
Conditions:
When an async IPsec crypto operation fails to queue.
Impact:
Restart of tmm. All tunnels lost must be re-established.
Workaround:
No workaround known at this time.
743790-3 : BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus
Component: TMOS
Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might drop off the PCI bus, resulting in the BIG-IP system not being able to pass traffic. However, no high availability (HA) failover condition is triggered, so the BIG-IP system stays active.
Conditions:
HSB drops off the PCI bus. This is caused in response to certain traffic patterns (FPGA issue) that are yet to be determined.
Impact:
No failover to standby unit after this error condition, causing site outage.
Workaround:
None.
Fix:
Now the active BIG-IP system fails over to the standby when HSB on the active unit drops off the PCI bus.
743437-1 : Portal Access: Issue with long 'data:' URL
Component: Access Policy Manager
Symptoms:
HTML page may contain a very long 'data:' URL. Portal Access cannot handle such URLs correctly.
Conditions:
HTML page with very long 'data:' similar to the following example:
data:image/png;base64,...
Such URLs might be several megabytes long.
Impact:
The rewrite plugin cannot process HTML pages with very long URLs and restarts. The page is not sent to the end user client; web application may not work correctly.
Workaround:
There is no workaround at this time.
Fix:
Now Portal Access handles very long 'data:' URLs correctly.
743257-1 : Fix block size insecurity init and assign
Component: Local Traffic Manager
Symptoms:
After an HA failover the block size insecurity checks were creating conditions for an infinite loop. This causes tmm to be killed by sod daemon via SIGABRT.
Conditions:
Rare not reproducible.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
Fix:
The init and assign of block size insecurity were modified and debug checks added. A possible loop condition in ssl renegotiation was removed.
743150-1 : Increase the limit of the maximum allowed timestamp for OAuth token processing for OAuth Client
Component: Access Policy Manager
Symptoms:
During OAuth token processing for OAuth Client, if the timestamp is set to a value greater than INT32_MAX (2147483647), the BIG-IP system posts an error message, but the error is not descriptive enough to assist in troubleshooting. The error message appears similar to the following:
err apmd[14229]: 01490290:3: /Internet/Oauth_OpenAM_Preprod:Internet:46ea50d9:/Internet/server_act_oauth_client_ag: OAuth Client: failed for server '/Internet/server1' using 'authorization_code' grant type (client_id=oidc), error: stoi
Conditions:
-- OAuth token processing for OAuth Client.
-- Timestamp value greater than INT32_MAX.
Impact:
The APM end user is not granted access because the the policy does not complete successfully.
Workaround:
None.
Fix:
The maximum allowed timestamp is increased from INT32_MAX (2147483647) to 6249223209600, and now includes more descriptive error messages for better troubleshooting when the BIG-IP system receives invalid timestamps.
743082-1 : Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members★
Component: TMOS
Symptoms:
Upgrading to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 might result a configuration that fails to load due to a stray colon-character that gets added to the configuration file.
Conditions:
-- Upgrade from pre-12.1.3 to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2.
-- GTM Pool Members.
Impact:
Configuration fails to load.
Workaround:
Remove stray colon-character from bigip_gtm.conf.
Fix:
Fixed an issue preventing configurations from loading into 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from a version before 12.1.3.
742829-3 : SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0
Component: Service Provider
Symptoms:
The BIG-IP system incorrectly handles SDP media ports. UAC sends SDP message body publishing capable of handling voice, text, and video. UAS responds, publishing voice, text and video not desired by setting video port to '0'. The BIG-IP system does not honor the fact that UAS does not want video, and translates video port '0' to an ephemeral port, causing the UAC to believe it must open a video channel. When the UAC sends a video connection request, the BIG-IP system sends the request to the wrong port, i.e., to the media port for text, which causes the connection to fail.
Conditions:
RTP media port defined in the SIP message is set to 0.
Impact:
Improper media channel creation.
Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.
742627-2 : SSL session mirroring may cause memory leakage if HA channel is down
Component: Local Traffic Manager
Symptoms:
If SSL session mirroring is enabled, but the HA channel is down, attempts to mirror may result in memory leakage.
Conditions:
- SSL session mirroring enabled
- HA channel is down
Impact:
Memory leakage over time resulting in eventual memory pressure leading to performance degradation and possible TMOS restart.
Workaround:
Ensuring that the HA peer is present and connected will avoid the leakage. Otherwise, no reasonable workaround exists short of disabling SSL session mirroring.
Fix:
SSL session mirroring no longer leaks memory when the HA channel is down.
742237-2 : CPU spikes appear wider than actual in graphs
Component: Local Traffic Manager
Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.
Conditions:
CPU usage has spikes.
Impact:
Graphs of CPU spikes appear to last longer than they actually last.
Workaround:
Perform the following procedure:
1. Run the following command to record the 5-second average rather than the 1-second average:
sed -i.bak 's/TMCOLNAME "ratio"/TMCOLNAME "five_sec_avg.ratio"/;s/TMCOLNAME "cpu_ratio_curr"/TMCOLNAME "cpu_ratio_5sec"/g' /config/statsd.conf
2. Restart statsd to load the new configuration:
bigstart restart statsd
Fix:
CPU samples for graphs are averaged over longer time to more closely represent actual time between samples.
742226-2 : TMSH platform_check utility does not follow best security practices
Solution Article: K11330536
742184-1 : TMM memory leak
Component: Local Traffic Manager
Symptoms:
-- High TMM memory utilization;
-- Aggressive sweeper activated;
-- the 'packet', 'xdata' and 'xhead' caches in the memory_usage_stat tmstat table have high 'allocated' and 'curr_allocs' numbers with a steadily increasing profile.
Conditions:
A fastL4 and a L7 profile (e.g. HTTP) are assigned to a virtual server.
Impact:
Degraded performance, possible TMM crash due to out-of-memory condition.
Workaround:
Do not add a L7 profile to a fastL4 virtual server.
Fix:
No memory leak in the TMM.
742078-2 : Incoming SYNs are dropped and the connection does not time out.
Component: Local Traffic Manager
Symptoms:
There is a hard-coded limit on the number of SYNs forwarded on a FastL4 connection. This might cause a problem when a connection is reused, for example, if a connection is not correctly closed.
Conditions:
-- SYN forwarding on FastL4 connections.
-- The number of SYNs on a single connection reaches the hard-coded limit.
Impact:
If the number of SYNs on a single connection reaches this limit, subsequent incoming SYNs are dropped and the connection might not time out.
Workaround:
There is no workaround.
Fix:
The following command enables the forwarding of an an unlimited number of SYNs:
tmsh modify sys db tm.dupsynenforce value disable
742037-3 : FPS live updates do not install when minor version is different
Component: Fraud Protection Services
Symptoms:
Install update file with a different minor version.
For example, install update file versioned 13.1.1 on BIG-IP version 13.1.0.
Conditions:
FPS is licensed and provisioned.
Impact:
FPS engine and signature cannot be updated.
Workaround:
N/A
Fix:
The minor version in update file is now ignored and only the major version is validated.
741993-1 : The BIG-IP system does not answer the request matching L7 policy that disabled DOSL7 when BADOS configured.
Component: Anomaly Detection Services
Symptoms:
The BIG-IP system does not answer the request matching the L7 policy that disabled DOSL7 when BADOS is configured. The connection hangs.
Conditions:
1. Create a DoS profile Behavioral & Stress-based (D)DoS Detection.
2. Create an L7 policy to disable DoS profile (even on all URLs).
3. Attach both to a virtual server.
4. Send a request to the virtual server.
Impact:
Connection hangs.
Workaround:
There is no workaround other than disabling the Behavioral & Stress-based (D)DoS Detection from the DoS profile.
Fix:
The system now correctly handles a disabled DOSL7 policy.
741951-2 : Multiple extensions in SIP NOTIFY request cause message to be dropped.
Component: Service Provider
Symptoms:
When SIP NOTIFY messages are sent with a request URI that contains multiple client extensions, the system does not forward the message as expected.
Conditions:
SIP NOTIFY messages sent with a request URI that contains multiple client extensions.
Impact:
NOTIFY message is not forwarded.
Workaround:
None.
Fix:
Improved SIP URI parser now correctly handles multiple extensions in a URI.
741919 : HTTP response may be dropped following a 100 continue message.
Component: Local Traffic Manager
Symptoms:
When a 100 response a quickly followed by another HTTP response (2xx/4xx), the second response might be dropped.
Conditions:
When a 100 response is quickly followed by another HTTP response (i.e., a 2xx/4xx response arrives within a few microseconds).
Impact:
The second response might be dropped, so the end user client might not receive all the HTTP responses coming from the server.
Note: This does not happen all the time, and depends on how the underlying data packets are formed and delivered to the HTTP filter.
Workaround:
You can use either of the following workarounds:
-- Use an iRule to disable the HTTP filter in the HTTP_REQUEST event.
-- Disable LRO by running the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
741902-3 : sod does not validate message length vs. received packet length
Component: TMOS
Symptoms:
sod may crash or produce unexpected behavior.
Conditions:
If a malformed network failover packet is received by sod, it may cause an invalid memory access.
Impact:
sod may crash, causing a failover.
Workaround:
None.
Fix:
sod validates the received packet length and does not reference invalid memory.
741858-1 : TMM may crash while processing Portal Access requests
Solution Article: K52206731
741767-2 : ASM Resource :: CPU Utilization statistics are in wrong scale
Component: Application Visibility and Reporting
Symptoms:
Security :: Reporting : ASM Resources : CPU Utilization have the wrong scale for statistics.
Conditions:
Having the 'CPU Utilization' statistics under 'ASM Resources' available.
Impact:
Wrong scale of statistics.
Workaround:
To work around this issue:
1. Edit the following file: /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
2. Remove all division by 100 on 'formula' of each entity.
3. Save the change and restart monpd (bigstart restart monpd).
Fix:
Scale is now fixed and is not pre-divided by 100.
741761-1 : admd might fail the heartbeat, resulting in a core
Component: Anomaly Detection Services
Symptoms:
When the system is under heavy I/O stress, admd might fail the heartbeat (which is required by sod, the failover daemon), so sod kills the admd daemon, resulting in a core.
Conditions:
-- System is under heavy I/O stress.
-- admd fails the heartbeat.
Impact:
The system generates an admd core file. Traffic disrupted while admd restarts.
Workaround:
None.
741752-1 : [BADOS] state file is not saved when virtual server reuses a self IP of the device
Component: Anomaly Detection Services
Symptoms:
BADOS state file is not saved.
Conditions:
Virtual server reuses a self IP of the device.
Impact:
After admd restarts, learned information - baseline and good dataset can disappear.
Workaround:
None.
Fix:
This system now handles this situation without impact, so the state file is saved as expected.
741535-1 : Memory leak when using SAML or Form-based Client-initiated SSO
Component: Access Policy Manager
Symptoms:
With SAML or Form-based Client-initiated SSO configured, BIG-IP system memory usage increases with every HTTP request that is proxied to the backend. The type of memory that increases is tmjail. You can view memory usage using the following command: tmsh sys show memory.
At some point, the BIG-IP system enables connection evictions in order to reduce the memory pressure, which causes service disruptions. You might see the following warning log messages.
-- warning tmm[20537]: 011e0002:4: sweeper_segment_cb_any: Aggressive mode /Common/default-eviction-policy activated (0) (global memory).
-- warning tmm1[20537]: 01010290:4: TCP: Memory pressure activated.
-- err tmm1[20537]: 011e0003:3: Aggressive mode sweeper: /Common/default-eviction-policy (100000000000b) (global memory) 413 Connections killed.
Conditions:
SAML or Form-based Client-initiated SSO is used.
Impact:
Potential service disruption.
Workaround:
No workaround other than not using SAML or Form-based Client-initiated SSO.
Fix:
The memory leak associated with SAML or Form-based Client-initiated SSO no longer occurs.
741449-1 : alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
Component: Fraud Protection Services
Symptoms:
JAVASCRIPT_THRESHOLD alert should contain 2 timestamps:
1. component-validation cookie timestamp (set on cookie creation)
2. current BIG-IP timestamp
currently, these timestamps are not available in the alert details
Conditions:
JAVASCRIPT_THRESHOLD alert is triggered
Impact:
it is impossible to analyze the alert
Workaround:
There is no workaround at this time.
Fix:
FPS should always include both timestamps when triggering the JAVASCRIPT_THRESHOLD alert
741423-2 : Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
Component: TMOS
Symptoms:
When provisioning ASM for the first time on a device that is already linked in a high availability (HA) config-sync configuration, any other cluster device that is on the trust domain experiences mcpd restarting on all secondary blades due to a configuration error.
The system logs messages similar to the following in /var/log/ltm:
-- notice mcpd[12369]: 010718ed:5: DATASYNC: Done initializing datasync configuration for provisioned modules [ none ].
-- err mcpd[9791]: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.
-- err mcpd[9791]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.... failed validation with error 16908342.
-- notice mcpd[12369]: 0107092a:5: Secondary slot 2 disconnected.
Conditions:
-- Cluster devices are joined in the trust for high availability (HA) or config-sync.
-- Provisioning ASM or FPS on clusters which are already joined in a trust.
-- ASM and FPS have not been provisioned on any of the devices: this is the first ASM/FPS provisioning in the trust.
Impact:
Traffic on all secondary blades is interrupted while mcpd restarts. Then, traffic is resumed.
Workaround:
Before provisioning ASM/FPS (but after setting up a trust configuration):
1. On the device on which ASM/FPS is about to be provisioned, create the datasync-global-dg device group and add all of the available devices.
For example, if there are two devices in the Trust Domain: test1.lab.com and test2.lab.com, and you plan to provision ASM/FPS for the first time on test1.lab.com, first run the following command from test1.lab.com:
tmsh create cm device-group datasync-global-dg devices add { test1.lab.com test2.lab.com }
2. Do not sync the device group.
3. Then on test1.lab.com, you can provision ASM/FPS.
Fix:
Secondary blades no longer go offline when provisioning ASM/FPS on already established high availability (HA) or config-sync configurations.
740963-2 : VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart
Component: Local Traffic Manager
Symptoms:
VIP-on-VIP traffic might cause TCP retransmit bursts, which in certain situations can cause tmm to restart.
Conditions:
- Virtual server handling TCP traffic.
- iRule using the 'virtual' command.
Impact:
Temporary memory consumption and potential for tmm to restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TCP retransmit bursts are now handled gracefully.
740777-1 : Secondary blades mcp daemon restart when subroutine properties are configured
Component: Access Policy Manager
Symptoms:
Secondary blades' MCP daemons restart with the following error messages:
-- err mcpd[26818]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested Subroutine Properties (/Common/confirm_10 /Common/confirm_10) was not found.... failed validation with error 16908342.
Conditions:
When a subroutine is configured in the access policy.
Impact:
The secondary blade MCP daemon restarts. Cannot use subroutine in the access policy.
Workaround:
There is no workaround other than to not use subroutine in the access policy.
Fix:
You can now use subroutines in the access policy.
740719-2 : ASM CSP header parser does not honor unsafe-inline attribute within script-src directive
Component: Application Security Manager
Symptoms:
Browser reports Content-Security-Policy error when ASM modifies the 'Content-Security-Policy' (CSP) header.
Conditions:
1. ASM provisioned.
2. ASM policy attached to a virtual server.
3. CSRF or Ajax blocking page enabled within ASM policy
4. Backend server sends 'Content-Security-Policy' header with 'script-src' 'unsafe-inline' directive.
Impact:
Browser posts 'Content-Security-Policy' error and stops JavaScript execution.
Workaround:
Disable 'Content-Security-Policy' header parsing for ASM policies. To do so, follow these steps:
1. In /usr/share/ts/bin/add_del_internal, run the following command:
add csp_enabled 0
2. Restart ASM by running the following command:
bigstart restart asm
Fix:
ASM 'Content-Security-Policy' header parser no longer modifies the 'Content-Security-Policy' header when there is 'script-src' 'unsafe-inline' directive arriving from a backend server. This is correct behavior.
740490-1 : Configuration changes involving HTTP2 or SPDY may leak memory
Component: Local Traffic Manager
Symptoms:
If virtual servers which have HTTP2 or SPDY profiles are updated, then the TMM may leak memory.
Conditions:
-- A virtual server has a HTTP2 or SPDY profile.
-- Any configuration object attached to that virtual server changes.
Impact:
The TMM leaks memory, and may take longer to execute future configuration changes. If the configuration changes take too long, the TMM may be restarted by SOD.
Workaround:
None.
Fix:
The TMM no longer leaks memory when virtual servers that contain a HTTP2 or SPDY profile are reconfigured.
740413-3 : Sod not logging Failover Condition messages
Component: TMOS
Symptoms:
When a failsafe fault occurs, sod does not log a message indicating that the device is unable to become Active.
Conditions:
Failsafe fault.
Impact:
No 'Failover Condition'messages logged in /var/log/ltm.
Workaround:
None.
740345-1 : TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.
Component: TMOS
Symptoms:
TMM generates cores files on the device.
Conditions:
Issue is seen when connection mirroring, session mirroring and OCSP stapling is enabled.
Impact:
If a failover happens when a SSL handshake is in progress,
TMM restarts and a core file is generated on the standby device. Traffic disrupted while tmm restarts.
Workaround:
None.
740228-1 : TMM crash while sending a DHCP Lease Query to a DHCP server
Component: Policy Enforcement Manager
Symptoms:
TMM crashes.
Conditions:
- DHCP Lease Query is enabled on the BIG-IP system.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes while sending a DHCP Lease Query to a DHCP server.
740086 : AVR report ignore partitions for Admin users
Component: Application Visibility and Reporting
Symptoms:
The behavior of AVR's reporting feature changed after an upgrade.
Reports generated for specific partition include data from all partitions.
Conditions:
-- Users with Admin role.
-- AVR provisioned.
-- AVR profile configured and attached to a virtual server.
-- User with Admin role creates Scheduled Reports or uses GUI to view AVR reports.
Impact:
AVR GUI pages or Scheduled Reports defined for one partition include AVR data from other partitions.
Workaround:
One workaround is to have non-Admin users generate reports.
For non-Admin users, the partition is honored.
Fix:
AVR GUI pages or Scheduled Reports defined for one partition now show all users AVR data from only that partition.
739971-2 : Linux kernel vulnerability: CVE-2018-5391
Solution Article: K95343321
739970-2 : Linux kernel vulnerability: CVE-2018-5390
Solution Article: K95343321
739963-2 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
Component: Local Traffic Manager
Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.
Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.
Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.
Workaround:
To restore the state of the member, remove it and add it back to the pool.
739947-1 : TMM may crash while processing APM traffic
Solution Article: K42465020
739945-2 : JavaScript challenge on POST with 307 breaks application
Component: Application Security Manager
Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.
Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.
Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.
Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.
Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.
739939-1 : Ping Access Agent Module leaks memory in TMM.
Component: Access Policy Manager
Symptoms:
Whenever a ping access request traverses through apm_ivs (internal virtual server) to the Ping Access Agent (e.g., Cache-Miss), a memory leak occurs.
Conditions:
Ping Access Agent request that is not served from local cache (e.g., in the Cache-Miss case).
Impact:
The slow memory leak might eventually cause TMM to restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Ping Access Agent Module no longer leaks memory in TMM.
739927-3 : Bigd crashes after a specific combination of logging operations
Component: Local Traffic Manager
Symptoms:
Bigd crashes. Bigd core will be generated.
Conditions:
1. Boot the system and set up any monitor.
2. Enable and disable bigd.debug:
-- tmsh modify sys db bigd.debug value enable
-- tmsh modify sys db bigd.debug value disable
3. Enable monitor logging.
Impact:
Bigd crashes.
Workaround:
None.
Fix:
Bigd no longer crashes under these conditions.
739900-1 : All Policies are created with 3 new Signature Sets After Creation of a Policy using Application Ready Templates
Component: Application Security Manager
Symptoms:
When a Security Policy is created using new versions of some Application Ready Templates, three new Signature Sets are created that are set to automatically be added to policies subsequently created.
Conditions:
A Security Policy is created using one of the following updated Application Ready Templates:
* Drupal
* Joomla
* SAP Netweaver
* Sharepoint
* Wordpress
Impact:
Three new Signature Sets are created with the option 'Assign To Policy By Default' enabled. As a result, the system adds these Signature Sets to subsequently created policies. This may provide enforcement for unexpected or undesired Attack Signatures.
Workaround:
To prevent the newly created signature being added to subsequently created policies, disable 'Assign To Policy By Default'.
You can also remove the signatures from new policies after they have been created.
Fix:
The Application Ready Templates now create the new signatures with the option 'Assign To Policy By Default' disabled, so they are no longer automatically added to subsequently created policies.
739846-3 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
Component: Global Traffic Manager (DNS)
Symptoms:
When the big3d runs out of memory for iQuery connections, a segmentation fault might occur.
Conditions:
-- Not enough memory to create additional iQuery connections.
-- Receive an new iQuery connection.
Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.
Workaround:
None.
Fix:
The big3d process no longer gets a segmentation fault when reaching the limits of the memory footprint while trying to establish iQuery connections.
739744-1 : Import of Policy using Pool with members is failing
Component: Access Policy Manager
Symptoms:
Import of Policy using Pool with members is failing with an error Pool member node (/Common/u.x.y.z%0) and existing node (/Common/u.x.y.z) cannot use the same IP Address (u.x.y.z)
Conditions:
Policy has pool attached to it with resource assign or chained objects
Impact:
Policy is not being imported on the same box
Workaround:
There is no workaround at this time.
Fix:
ng-import is now importing policy correctly.
739716-2 : APM Subroutine loops without finishing
Component: Access Policy Manager
Symptoms:
Some APM subroutines never finish. In authentication use cases, the end-users will continue to see logon pages, even after submitting correct credentials. In SWG confirm-and-continue use cases, the end-users will continue to see confirm boxes, even if they had already clicked "continue".
Conditions:
APM with a subroutine. Reproducibility will vary by platform and deployment.
Impact:
Subroutines never finish. End-users are not able to access resources.
Workaround:
TMM restart does resolve the issue.
Fix:
The memory corruption issue was resolved and the subroutines now correctly finish.
739674-1 : TMM might core in SWG scenario with per-request policy.
Component: Access Policy Manager
Symptoms:
TMM can core when Secure Web Gateway (SWG) is configured, and SSL is resumed through per-request policy.
Conditions:
-- SWG is configured.
-- SSL is resumed through per-request policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM does not core now when using SWG scenario with per-request policy.
739638-2 : BGP failed to connect with neighbor when pool route is used
Component: Local Traffic Manager
Symptoms:
BGP peering fails to be established.
Conditions:
- Dynamic routing enabled.
- BGP peer connect through a pool route or ECMP route.
Impact:
BGP dynamic route paths are not created.
Workaround:
Use a gateway route.
Fix:
BGP peering can be properly established through a pool route.
739618-1 : When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy
Component: Application Security Manager
Symptoms:
When using AWAF or MSP license, you cannot use the BIG-IP Configuration Utility to set rule to control ASM in an LTM policy.
Conditions:
- AWAF or MSP license
Impact:
Admin cannot use the BIG-IP Configuration Utility create LTM policy that controls ASM, and must use TMSH.
Workaround:
Use TMSH to create the rule instead of GUI:
For example:
create ltm policy Drafts/test99 controls add { asm } requires add { http } rules add { rule1 { actions add { 0 { asm enable policy dummy2 }} ordinal 1 }}
Fix:
Users can now create LTM rule in the BIG-IP Configuration Utility that controls ASM if have AWAF or MSP license.
739507 : How to recover from a failed state due to FIPS integrity check
Component: TMOS
Symptoms:
After FIPS 140-2 license is installed on FIPS-certified hardware devices, and the device rebooted, the system halts upon performing FIPS integrity check.
Conditions:
[1] Some system applications, monitored by FIPS 140-2, get routinely changed.
[2] The device was containing a FIPS 140-2 enabled license installed.
[3] The device operator installs a FIPS 140-2 enabled license
[4] The device is rebooted
Impact:
The device is halted and cannot be used.
Workaround:
Workaround:
[1] The device needs to have serial console access (Telnet).
[2] From the Telnet console, enter the GRUB menu and boot into a different partition not having a FIPS 140-2 enabled license.
[3] Examine the contents of file /config/fipserr which will show the files that were changed, leading to failure of the FIPS 140-2 license-enabled partition.
[4] Restore those files to their original ones and reboot.
If system still halts, repeat from Step [1] above, until this no longer happens.
Fix:
Here are the steps, in summary form.
[1] Connect a terminal to the BIG-IP serial console port
[2] From the Telnet console, enter the GRUB menu.
[3] Before the countdown expires, use the Up Arrow and Down Arrow keys to stop the countdown, and select the appropriate boot image.
[4] Press the key 'E' to start the edit options. A new GRUB menu displays.
[5] Use the Up Arrow and Down Arrow keys to navigate to the line that contains the keyword "module".
[6] Add a space, followed by NO_FIPS_INTEGRITY=1. DO NOT press ENTER.
[7] Press the Ctrl-X sequence or the F10 key to restart the system using the modified options.
The machine will boot into the partition containing FIPS 140-2-enabled license.
[8] Examine the content of file /config/f5_public/fipserr to ascertain the cause of the FIPS module startup error.
[9] Fix the problem reported in the aforementioned error file.
[10] Run the test tool /usr/libexec/sys-eicheck.py to ensure that no fatal error is reported, such as:
Integrity Check Result: [ FAIL ]
If fatal error persists, DO NOT REBOOT (otherwise the system will go into the halt state, and the steps starting from Step [1] will need to be repeated). Instead, fix the problematic files reported. Re-run the test tool until no error is seen.
739505 : Automatic ISO digital signature checking not required when FIPS license active★
Component: TMOS
Symptoms:
Automatic ISO digital signature checking occurs but is not required when FIPS license active.
The system logs an error message upon an attempt to install or update the BIG-IP system:
failed (Signature file not found - /shared/images/BIGIP-13.1.0.0.0.1868.iso.sig)
Conditions:
When the FIPS license is active, digital signature checking of the ISO is automatically performed. This requires that both the ISO and the digital signature (.sig) file are uploaded to the system.
Impact:
Installation does not complete if the .sig file is not present or not valid. Installation failure.
Workaround:
To validate the ISO on the BIG-IP system, follow the procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140.
Fix:
The restriction of requiring automatic signature checking of the ISO is removed. The procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140 to perform the checks on or off the BIG-IP system is still valid, but that checking is optional.
739446-2 : Resetting SSL-socket correctly for AVR connection
Component: Application Visibility and Reporting
Symptoms:
SSL socket is being corrupted.
Conditions:
The conditions under which this occurs have not been fully identified.
Impact:
AVR fails to make an SSL connection and report externally correctly.
Workaround:
None.
Fix:
Resetting the SSL-connection whenever required.
739379-2 : Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error
Component: Local Traffic Manager
Symptoms:
In situation where multiple SSL forward proxies are connected via virtual targeting, the SNI value extracted from ClientHello and saved in 1st layer of SSL forward proxy may get overwritten by the 2nd layer of SSL forward proxy. When this happens, certification verification will fail when 1st layer of SSL forward proxy attempts to validate certificate.
Conditions:
Two SSL forward proxies connected via virtual command in iRule.
Impact:
Client traffic gets random reset.
Workaround:
None.
Fix:
The search scope of storing parsed SNI is now local to each SSL forward proxy.
739349-1 : LRO segments might be erroneously VLAN-tagged.
Component: Local Traffic Manager
Symptoms:
Segments being processed for large receive offload (LRO) (the action the system performs to aggregate multiple incoming packets within a buffer before passing them up)
might be erroneously VLAN-tagged when LRO is enabled.
Conditions:
-- TCP LRO enabled.
-- Egress VLAN untagged.
Impact:
Egress traffic might sometimes be tagged.
Workaround:
Disable TCP LRO. To enable or disable LRO functionality, you can use the following command syntax:
tmsh modify sys db tm.tcplargereceiveoffload value <enable | disable>
Fix:
The system now ensures that fragment packet flags are correctly set.
739345 : Reporting invalid signature id after specific signature upgrade
Component: Application Security Manager
Symptoms:
An incorrect/invalid signature id is reported.
Conditions:
The signature was changed in an upgrade.
Impact:
Not able to confirm successful signature update.
Workaround:
When the signature id prefix is 6, replace it with 2 when looking for the actual signature.
Fix:
Fixed a reporting issue with signature ids after upgrade.
739285-1 : GUI partially missing when VCMP is provisioned
Component: TMOS
Symptoms:
GUI may be partially missing.
Conditions:
VCMP must be provisioned.
Impact:
GUI may be partially missing.
Workaround:
Use tmsh or deprovision VCMP.
Fix:
the GUI now works as expected when VCMP is provisioned.
739277 : TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode
Component: Anomaly Detection Services
Symptoms:
TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode
Conditions:
-- The virtual server is deleted during POST data.
-- BADOS configured in standard/aggressive mode.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can work around this issue using either of the following options if you plan to delete a virtual server:
-- First detach the DoS protection profile.
-- Remove BADOS configuration or change BADOS mitigation to Conservative.
Fix:
This release corrects an TMM crash that occurred when the virtual server was deleted during POST data and BADOS was in standard/aggressive mode.
739272-1 : Incorrect zombie counts in PBA stats with long PBA block-lifetimes
Component: Carrier-Grade NAT
Symptoms:
Due to a truncation error, a long Port Block Allocation (PBA) block lifetime can cause the PBA zombie stats to get incremented before the block lifetime expires and even though a zombie block has not been created.
Conditions:
Large Scale NAT (LSN) pool or Firewall NAT source-translation with a Port Block Allocation Block Lifetime greater than 65535.
Impact:
This bug affects only the 'Active Zombie Port Blocks', 'Total Zombie Port Blocks Created', and 'Total Zombie Port Blocks Deleted' counters. It does not convert active blocks to zombie blocks before the block lifetime expires.
Workaround:
There is no workaround.
Fix:
The 'Active Zombie Port Blocks', 'Total Zombie Port Blocks Created' counters are now incremented only when the PBA block lifetime expires.
739190 : Policies could be exported with not patched /Common partition
Component: Access Policy Manager
Symptoms:
Policies could be exported with not patched /Common partition and it's heading to profiles that are not being imported.
Conditions:
Policy has objects outside of partition of the policy.
Impact:
Policy cannot be imported on the same system it was exported from.
Workaround:
There is no workaround.
Fix:
Proper naming of partitions has been restored, import is back to working.
739126 : Multiple VE installations may have different sized volumes
Component: TMOS
Symptoms:
When installing a 2nd, 3rd, (or more) version of BIG-IP to a Virtual Edition (VE) instance, the sizes of the non-shared volumes may be smaller than the first. This can be an issue if, for example, /var is smaller and fills up due to UCS archives, data gathered during troubleshooting, etc.
Conditions:
Install an additional version of BIG-IP to an existing VE instance.
Impact:
Disk volumes may run out of space sooner than expected, leading to issues when that space is needed for other operations.
Workaround:
Provision additional disk space to expand the available storage.
Fix:
In this release, the installer handles this condition without issue.
739003-1 : TMM may crash when fastl4 is used on epva-capable BIG-IP
Component: Local Traffic Manager
Symptoms:
TMM may crash when fastl4 is used on epva-capable BIG-IP.
Conditions:
The virtual server has fastl4 profile installed, has iRule installed and the iRule uses SERVER_CONNECTED event. The pool member is route-able but does not exist.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
The issue is fixed.
738985-2 : BIND vulnerability: CVE-2018-5740
Component: TMOS
Symptoms:
deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c.
Conditions:
"deny-answer-aliases" feature is explicitly enabled
Impact:
Crash of the BIND process and loss of service while the process is restarted
Workaround:
Only servers which have explicitly enabled the "deny-answer-aliases" feature are at risk and disabling the feature prevents exploitation.
Fix:
BIND patched to correct CVE-2018-5740
738945-2 : SSL persistence does not work when there are multiple handshakes present in a single record
Component: Local Traffic Manager
Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.
Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.
Impact:
SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded on to server but then connection will stall and eventually idle timeout.
Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.
After changing or disabling persistence, the transaction succeeds and no longer hangs.
738887-3 : The snmpd daemon may leak memory when processing requests.
Component: TMOS
Symptoms:
Under certain conditions, the snmpd daemon may leak memory when processing requests.
Conditions:
This issue is known to occur on a multi-blade vCMP guest after specific maintenance operations have been carried out by an Administrator on the guest.
Impact:
Once enough memory has leaked, the system may become unstable and fail unpredictably.
Workaround:
If the snmpd daemon is consuming excessive memory, restart it with the following command:
bigstart restart snmpd
Fix:
The snmpd daemon no longer leaks memory when a multi-blade vCMP guest reaches a certain condition.
738864-1 : javascript functions in href are learned from response as new URLs
Component: Application Security Manager
Symptoms:
New urls representing javascript functions are learned from response.
Conditions:
Learn from response is turned on and URLs learning set to 'Always'
Impact:
Wrong URLs are created and added to the policy (not really interfering with enforcement but adds redundant noise to the policy)
Workaround:
Either:
- Change URL learning from 'Always' to any of the other learning options (Compact \ Selective \ Never).
- Disable learn from response
Fix:
javacript functions are no longer learned from responses as new URLs.
738669-2 : Login validation may fail for a large request with early server response
Component: Fraud Protection Services
Symptoms:
in case of large request/response, if FPS needs to store ingress and ingress chunks in buffer for additional processing (ingress :: for parameter parsing, egress :: for login validation's banned/mandatory strings check or scripts injection), if the server responds fast enough, the buffer may contain mixed parts of request/response. This may have several effects, from incorrectly performing login-validation to generating a tmm core file.
Conditions:
-- Login validation is enabled and configured to check for banned/mandatory string.
-- A username parameter is configured.
-- There are no parameters configured for encrypt/HTML Field Obfuscation (HFO), and no decoy parameters.
-- There is a large request and response.
-- The system response very quickly.
Impact:
This results in one or more of the following:
-- Login validation failure/skip.
-- Bad response/script injection.
-- tmm core. In this case, traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
FPS now handles ingress/egress buffers separately, so this issue no longer occurs.
738647-2 : Add the login detection criteria of 'status code is not X'
Component: Application Security Manager
Symptoms:
There is a criterion needed to detect successful login.
Conditions:
Attempting to detect successful login when the response code is not X (where 'x' = some code).
Impact:
Cannot configure login criteria.
Workaround:
None.
Fix:
This release adds a new criterion to the login criteria.
738614-2 : 'Internal error' appears on Goodput GUI page
Component: Application Visibility and Reporting
Symptoms:
The Statistics :: Analytics : TCP : Goodput GUI page displays 'Internal Error', and data does not display.
Conditions:
This can occur on multi-blade VIPRION systems.
Impact:
You are unable to see statistics for TCP Goodput on a multi-blade system.
Workaround:
1. Edit /etc/avr/monpd/monp_tcp_measures.cfg file:
-- In [cs_avg_conn_goodput_rcv_m] section replace existing value of merge_formula parameter with the following one:
merge_formula=IF(SUM(cs_avg_conn_goodput_rcv_m)=0,"N/A",ROUND(SUM(cs_numendings_m*cs_avg_conn_goodput_rcv_m)/SUM(cs_numendings_m),2))
-- In [cs_avg_conn_goodput_snt_m]section replace existing value of merge_formula parameter with the following one:
merge_formula=IF(SUM(cs_avg_conn_goodput_snt_m)=0,"N/A",ROUND(SUM(cs_numendings_m*cs_avg_conn_goodput_snt_m)/SUM(cs_numendings_m),2))
-- In both aforementioned sections add the following parameter:
merge_deps=cs_numendings_m
2. Restart the monpd daemon:
tmsh restart sys service monpd
Fix:
Fixed an issue with Goodput statistics on multi-blade systems.
738582-1 : Ping Access Agent Module leaks memory in TMM.
Component: Access Policy Manager
Symptoms:
While handling Ping Access Request, if the internal events passing between modules fail, it might cause a memory leak inside TMM.
Conditions:
Internal events passing between Ping Access Request processing modules fail.
Impact:
Ping Access Agent Module leaks memory in TMM.
Workaround:
None.
738523-2 : SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages
Component: Local Traffic Manager
Symptoms:
When monitoring an SMTP server that emits multi-line '250' responses to the initial 'HELO' message, the monitor fails. If monitor logging is enabled on the pool member, the system posts an error similar to the following in the monitor log:
09:50:08.580145:(_Tcl /Common/mysmtp): ERROR: failed to complete the transfer, Failed to identify domain.
Conditions:
-- Monitoring an SMTP server.
-- SMTP server is configured to return a multi-line '250' response to the initial 'HELO' message.
Impact:
The pool member is marked down even though it is actually up.
Workaround:
None.
Fix:
The system now handles multi-line '250' responses to the initial 'HELO' message.
738521-1 : i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
Component: Local Traffic Manager
Symptoms:
A trunk configured between a BIG-IP i4x00/i2x00 platform and an upstream switch may go down due to the presence of the VLAN tag.
Conditions:
LACP configured between a BIG-IP i4x00/i2x00 platform and an upstream switch.
Impact:
Trunks are brought down by upstream switch.
Workaround:
There are two workarounds:
-- Configure the trunk as 'untagged' in one of the VLANs in which it's configured.
-- Disable LACP.
Fix:
The system no longer transmits a VLAN tag for LACP PDUs, so this issue no longer occurs.
738445-2 : IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup
Component: TMOS
Symptoms:
INVALID_SPI notification does not delete the IPsec-SA with the SPI value that appears in the notify payload. This occurs because the handler of INVALID-SPI notifications performs the following incorrect actions:
-- Fetches SPI from payload as if it's a string, rather than the network byte order integer it actually is.
-- Attempts phase 2 lookup via selector ID (reqid) rather than SPI.
Either alone prevents finding the SA to delete.
Conditions:
An IKEv1 IPsec peer sends an INVALID-SPI notification to the BIG-IP system.
Impact:
The IPsec-SA with that SPI cannot be found and is not deleted.
Workaround:
From the BIG-IP command line, you can still manually delete any IPsec-SA, including the invalid SPI, using the following command:
# tmsh delete net ipsec ipsec-sa spi <spi number>
Fix:
SPI is now extracted correctly from the payload as a binary integer, and the phase 2 SA lookup is done with a proper SPI search, which also requires a match in the peer address.
738430-1 : APM is not able to do compliance check on iOS devices running F5 Access VPN client
Component: Access Policy Manager
Symptoms:
Compliance check against Microsoft Intune fails when an APM end user attempts a VPN connection from a managed iOS device running the F5 Access VPN client.
Conditions:
-- APM policy is configured to use Microsoft Intune for device compliance check.
-- APM end user is attempting VPN connection using the F5 Access VPN client on an iOS device.
Impact:
APM is not able to do compliance checks on the device, and VPN connection fails.
Workaround:
None.
Fix:
APM can now check iOS devices for compliance against Microsoft Intune.
738397-1 : SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
Component: Access Policy Manager
Symptoms:
For a BIG-IP system configured as IdP, in the SAML-IdP-initiated case: If the IdP has a Per-Request policy (in addition to a V1 policy), such that the Per-Request policy has a subroutine or a subroutine macro with a logon page, the system reports access failure on running the policy.
The error logged is similar to the following: '/Common/sso_access:Common:218f759e: Authorization failure: Denied request for SAML resource /Common/saml_resource_obj1&state=000fffff032db022'.
Conditions:
-- BIG-IP system configured as IdP.
-- SAML IdP initiated case in which the following is true:
+ The IdP has a Per-Request policy (in addition to a V1 policy).
+ That Per-Request policy has a subroutine or a subroutine macro with a logon page.
Impact:
Access is denied. The request URI has '&state=<per-flow-id>' appended to the SAML Resource name.
Workaround:
None.
Fix:
The system now checks for additional query parameters in the request_uri while extracting Resource name so it is not incorrectly set to 'ResourceName&state=<per-flow-id>' which causes the access failure.
738284-4 : Creating or deleting rule list results in warning message: Schema object encode failed
Component: Advanced Firewall Manager
Symptoms:
"Schema object encode failed: No foreign keys found for nested object" warning message is logged into /var/log/ltm while creating or deleting the rule list.
Jul 25 05:44:49 localhost.localdomain warning icr_eventd[4778]: 01a10008:4: Schema object encode failed: No foreign keys found for nested object with tag 17547
Conditions:
Observed when creating or deleting rule list in /var/log/ltm
tmsh create security firewall rule-list rule-list1
tmsh delete security firewall rule-list rule-list1
Impact:
The warning message has no impact on functionality and can be ignored.
Fix:
Log message has been changed to log at the debug level.
738236-2 : UCS does not follow current best practices
Component: TMOS
Symptoms:
Under certain conditions,
Conditions:
Administrative access to system status data
Impact:
UCS save operations do not follow current best practices.
Workaround:
None.
Fix:
UCS save operations now follow current best practices.
738211-3 : pabnagd core when centralized learning is turned on
Component: Application Security Manager
Symptoms:
pabnagd (the process responsible for automated and manual policy building operations) restarts and generates a core file. This might result in a loss of learning progress.
Note: This is a very rarely occurring issue.
Conditions:
Centralized learning is enabled for a policy.
Impact:
If there are locally learned policies, the system might lose some number of hours of learning progress. How many hours might be lost depends on the version, as follows:
-- For 13.1.0: 24 hours (12 hours, on average).
-- For 14.0.0: 1 hour (1/2 hour, on average).
Workaround:
None.
Fix:
The pabnagd process no longer restarts/cores when centralized learning is enabled.
738197-2 : IP address from XFF header is not taken into account when there are trailing spaces after IP address
Component: Application Visibility and Reporting
Symptoms:
X-FORWARDED-FOR (XFF) header is ignored by BIG-IP ASM even though usage of XFF is enabled in HTTP profile.
In DoS statistics, the original source IP is reported (instead of one taken from XFF).
Conditions:
There are spaces after IP address in the XFF header.
Impact:
Source IP is not reported as expected in all BIG-IP reports.
Workaround:
Configure the proxy server to not add trailing spaces after the IP address in the XFF header.
Fix:
Trailing spaces are now ignored when extracting IP addresses from XFF headers in AVR.
738119-2 : SIP routing UI does not follow best practices
Solution Article: K23566124
738046-2 : SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby
Component: Local Traffic Manager
Symptoms:
For FastL4 connections, SERVER_CONNECTED currently doesn't fire on the standby device. If the standby device then becomes active, the first packet from the server on an existing FastL4 connection causes SERVER_CONNECTED to fire. Depending on what the iRule does in SERVER_CONNECTED, a variety of results can occur, including TMM coring due to commands being executed in unexpected states.
Conditions:
-- High availability configuration.
-- Mirrored FastL4 virtual server.
-- Attached iRule contains a SERVER_CONNECTED event.
Impact:
SERVER_CONNECTED does not fire when expected on standby device. When the standby device becomes active, the SERVER_CONNECTED iRule may cause TMM to core with traffic being disrupted while TMM restarts.
Workaround:
None.
Fix:
SERVER_CONNECTED now fires when expected on the standby device.
737910-2 : Security hardening on the following platforms
Solution Article: K18535734
737867-1 : Scheduled reports are being incorrectly displayed in different partitions
Component: Application Visibility and Reporting
Symptoms:
Scheduled analytics reports are being displayed in the list regardless of selected partition. However, you can only open reports belonging to the selected partition, even if they belong to 'Common'.
Conditions:
System configured with multiple partitions.
Impact:
It makes it difficult to modify reports from different partitions.
Workaround:
Switch to the report's partition before editing it.
Fix:
Report's partition is now indicated in the list and correct handling is performed according to standard partition rules.
737863-1 : Advanced Filters for Captured Transactions not working on Multi-Blade Platforms
Component: Application Visibility and Reporting
Symptoms:
On multi-blade systems, when you navigates to System :: Logs : Captured Transactions, click on Expand Advanced Filters, choose something, and click Update, the GUI reports a 'Could not get captured events' message.
Conditions:
-- Multi-blade systems.
-- AVR provisioned.
-- AVR HTTP Analytics Profile configured with 'Internal Traffic Capturing Logging Type' option enabled.
Impact:
The Captured Transactions filter does not work.
Workaround:
None.
Fix:
The Captured Transactions filter now works as expected.
737813-1 : BIG-IP is unable to send statistics to BIG-IQ DCD node using IPv6 address
Component: Application Visibility and Reporting
Symptoms:
When IPv6 is used for transferring data from BIG-IP systems to BIG-IQ DCD nodes, no traffic arrives to the BIG-IQ.
Conditions:
-- DCD node uses IPv6 interface for collecting data from BIG-IP systems.
-- BIG-IP is registered on BIG-IQ as 'BIG-IP device' the regular way (not necessary via IPv6 management interface).
Impact:
No statistics from BIG-IP systems are collected.
Workaround:
Use IPv4 addresses instead.
Fix:
You can now use IPv6 addresses in BIG-IP systems, and statistics arrive to the BIG-IQ.
737758-2 : MPTCP Passthrough and VIP-on-VIP can lead to TMM core
Component: Local Traffic Manager
Symptoms:
If a FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled, TMM may produce a core upon receiving certain traffic.
Conditions:
A FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with a TCP profile attached that has MPTCP passthrough enabled, and certain traffic is received.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not using an iRule with the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled.
Fix:
If MPTCP passthrough is enabled, the system now processes incoming MPTCP connections coming from the loop device as if MPTCP is disabled.
737731-2 : iControl REST input sanitization
Solution Article: K44885536
737603-1 : Apmd leaks memory when executing per-session policy via iRule
Component: Access Policy Manager
Symptoms:
Apmd leaks memory when executing per-session policy via iRule.
Conditions:
-- APM is licensed and provisioned.
-- Per-session policy is executed via iRules or APM-based System Authentication is used.
Impact:
Apmd leaks memory.
Workaround:
None.
Fix:
Apmd no longer leaks memory when per-session policy is executed via Rules.
737574-2 : iControl REST input sanitization★
Solution Article: K20541896
737565-2 : iControl REST input sanitization
Solution Article: K20445457
737550 : State Mirroring between BIG-IP 13.0.x and 13.1.x systems may cause TMM core on standby system during upgrade★
Component: Local Traffic Manager
Symptoms:
BIG-IP devices running 13.0.x (13.0.x or a 13.0.x point release) and 13.1.x software versions in a High-Availability (HA) configuration with state mirroring enabled may cause a standby system to produce a TMM core file.
Conditions:
-- State mirroring configured on two or more BIG-IP systems (state mirroring is enabled by default).
-- For VIPRION clusters or VIPRION-based vCMP guests, the systems are configured to mirror 'Between Clusters'.
-- The active system is running v13.0.x, and the standby system is running v13.1.x, e.g., as a result of an in-progress upgrade.
Impact:
TMM may crash on a standby system during upgrade.
This issue should not disrupt traffic, because the TMM is coring only on the standby unit.
Workaround:
To workaround this issue, disable State Mirroring prior to upgrading, and re-enable it once both devices are running v13.1.x, or complete the upgrade of both devices to v13.1.x.
1. You can disable mirroring using either the GUI or the command line.
1a. In the GUI:
-- Set the Primary and Secondary Local Mirror Address configurations to 'None' under Device Management :: Devices :: [Self] device :: Mirroring Configuration.
1b. From the command-line:
-- Run the following command:
tmsh modify cm device <name-of-self-device> mirror-ip any6 mirror-secondary-ip any6 && tmsh save sys config
Important: This action results in connection state loss on failover.
2. Once all devices are running the same software version, re-enable state mirroring by re-adding the device mirror IPs removed previously.
Note: F5 recommends that BIG-IP systems run with the same software version on all devices.
Fix:
TMM on standby no longer cores during upgrade.
737536-1 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
Component: TMOS
Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|
Attempting to redistribute default route received from OSPF process that is peering with the Internet to OSPF process 2. However, if that route is removed (e.g., an Internet link goes down), OSPF process 2 removes the associated route and the 'default-information originate' command is the ideal choice, because as long as the OSPF process 1 default route is in the routing table, the default route is redistributed into OSPF process 2. If that route is gone, OSPF process 2 immediately removes it from routing table. Enabling 'default-information originate' on OSPF process 2 does not affect the outcome, and a default route is not injected like it should be.
Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example:
OSPF router config examples:
***
OSPF 1:
!router ospf 1
ospf router-id 10.13.0.7
redistribute ospf
network 10.13.0.0/16 area 0.0.0.1
default-information originate
OSPF 2:
router ospf 1
ospf router-id 10.14.0.5
redistribute ospf
network 10.14.0.0/16 area 0.0.0.1
BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
***
-- Enable 'default-information originate' on BIG-IP OSPF process 2 should allow OSPF process 2 to receive advertised default route from BIG-IP OSPF process 1 if such exists.
# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
default-information originate
Impact:
A default route from OSPF process 1 is not advertised into OSPF process 2 routing table.
Workaround:
None.
Fix:
Enabling 'default-information originate' on OSPF process 2 forces OSPF process 2 to receive a default route from OSPF process 1 if such exists.
737500-2 : Apply Policy and Upgrade time degradation when there are previous enforced rules
Component: Application Security Manager
Symptoms:
When there are previously enforced rules present in the system, the time to apply changes made to a policy, and the time to upgrade the configuration to a new version suffers.
Conditions:
-- Signature Staging is enabled.
-- Updated Signature Enforcement is set to 'Retain previous rule enforcement and place updated rule in staging'.
-- Signatures are enforced on a policy.
-- A new ASM Signature Update is installed, which modifies the matching rule for some enforced signatures.
Impact:
The time to apply changes made to a policy, and the time to upgrade the configuration to a new version, suffers from a inefficiently performing query related to the existence of previously enforced rules.
Workaround:
There is no workaround at this time.
Fix:
Query indexing and performance is fixed: Apply Policy executes in the same time whether there are previously enforced rules in the system or not.
Enforcing all signatures in a set now correctly removes the previously enforced rule from the signature.
737445-2 : Use of TCP Verified Accept can disable server-side flow control
Component: Local Traffic Manager
Symptoms:
Unexpectedly high memory usage, aggressive sweeper messages, TCP memory pressure messages in logs.
Conditions:
Verified Accept is enabled in TCP profiles that are associated with virtual servers.
Impact:
Excessive memory usage.
Workaround:
There is no workaround other than disabling Verified Accept.
Fix:
Fixed server-side flow control.
737443-5 : BIG-IP APM client for Linux and macOS vulnerability CVE-2018-5546
Solution Article: K54431371
737442-2 : Error in APM Hosted Content when set to public access
Solution Article: K32840424
737441-5 : Disallow hard links to svpn log files
Solution Article: K54431371
737437-2 : IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages
Component: TMOS
Symptoms:
The BIG-IP system might fail to re-establish an IKEv1 phase 1 security association (ISAKMP-SA) when the Initiator starts the exchange using UDP port 4500. The exchange progresses to the point of NAT detection, whereupon the BIG-IP system stops using the Non-ESP marker and sends malformatted ISAKMP.
Conditions:
All of the following must be true:
-- The BIG-IP system is an IKEv1 Responder.
-- ISAKMP phase 1 negotiation starts on UDP port 4500.
-- NAT is detected on only one side during the phase 1 exchange.
Impact:
-- Establishment of an ISAKMP-SA will fail until the peer device switches to UDP port 500.
-- The remote peer may send INVALID-SPI messages quoting SPI numbers that do not exist.
Workaround:
To help workaround this issue, you can try the following:
-- Make sure the BIG-IP system is always the Initiator.
-- Bypass NAT.
-- Configure both the BIG-IP system and remote peer to use address IDs that are not the same as the IP addresses used in the ISAKMP exchange, thus causing the BIG-IP system to think there is NAT on both sides.
Fix:
The BIG-IP system now keeps the Non-ESP marker when NAT is detected.
737397-3 : User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP
Component: TMOS
Symptoms:
Unable to archive certificates or keys using GUI and iControlSOAP.
Conditions:
When the user is in Certificate Manager role.
Impact:
Unable to backup certificates or keys.
Workaround:
The user in Certificate Manager role is still be able to export the key and see its PEM string. So you can manually create an archive file by copying the PEM string into a file.
737368-1 : Fingerprint cookie large value may result in tmm core.
Component: Fraud Protection Services
Symptoms:
The JavaScript component calculates part of the fingerprint cookie value. In some rare cases, large values are generated and may result in tmm core.
Conditions:
A large value (more than 35 characters) inside the fingerprint cookie.
Impact:
Memory overrun, tmm core in some cases. Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
FPS will check the value and truncate it if it exceeds the maximum length.
737355-1 : HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files
Component: Access Policy Manager
Symptoms:
HTTP Strict-Transport-Security (HSTS) headers are missing for some APM-generated files.
Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS enabled.
-- HTTP GET requests for APM renderer files, including CSS, JS, and image files from the webtop.
Impact:
Without these headers, the user agent (browser) may switch to non-secure communication.
Workaround:
None.
Fix:
When the HTTP profile is configured with HSTS enabled, all APM renderer files are now sent with HSTS headers.
737332-3 : It is possible for DNSX to serve partial zone information for a short period of time
Component: Global Traffic Manager (DNS)
Symptoms:
During zone transfers into DNS Express, partial zone data may be available until the transfer completes.
Conditions:
-- Two zones being transferred during the same time period
+ zone1.example.net
+ zone2.example.net
-- Transfer of zone1 has started, but not finished.
-- zone2 starts a transfer and finishes before zone1 finishes, meaning that the database might be updated with all of the zone2 data, and only part of the zone1 data.
Impact:
Partial zone data will be served, including possible NXDOMAIN or NODATA messages. This happens until zone1 finishes and saves to the database, at which time both zones' data will be complete and correct.
Workaround:
The workaround is to limit the number of concurrent transfers to 1. However this severely limits the ability of DNS Express to update zones in a timely fashion if there are many zones and many updates.
Fix:
All zone transfers are now staged until they are complete. The zone transfer data is then saved to the database. Only when the zone data has completed updating to the database will the data be available to queries.
737064-2 : ACCESS::session iRule commands may not work in serverside events
Component: Access Policy Manager
Symptoms:
-- 'ACCESS::session sid' will returns empty.
-- 'ACCESS::session data get <varname>' returns empty.
Conditions:
-- Using IP-based sessions
-- ACCESS::session iRule commands in a serverside iRule event, such as HTTP_PROXY_CONNECT.
-- Using SSL Bypass. Note: This issue is known to occur when using SSL Bypass, but this is not the only configuration that exhibits the problem.
Impact:
iRules may not work as expected.
Workaround:
There is no workaround at this time.
Fix:
The ACCESS::session iRules now work in serverside events when doing IP-based sessions.
735832-1 : RAM Cache traffic fails on B2150
Component: Performance
Symptoms:
Rendering pages from RAM Cache fails. System does not pass RAM Cache traffic on B2150 platform.
Conditions:
-- VIPRION B2150 blade.
-- Attempting to pass traffic from RAM Cache.
Impact:
B2150 does not pass any RAM Cache traffic.
Workaround:
None.
Fix:
RAM Cache traffic now succeeds on B2150.
735565-1 : BGP neighbor peer-group config element not persisting
Component: TMOS
Symptoms:
neighbor peer-group configuration element not persisting after restart
Conditions:
- dynamic routing enabled
- BGP neighbor configured with peer-group
- BIG-IP or tmrouted daemon restart
Impact:
BGP peer-group configuration elements don't persist
Workaround:
Reconfigure BGP neighbor peer-group after restart
Fix:
BGP neighbor peer-group configuration is properly save to configuration, and persists after restart
734822-3 : TMSH improvements
Solution Article: K77313277
734595-2 : sp-connector is not being deleted together with profile
Component: Access Policy Manager
Symptoms:
If a profile is connected to an SSO SAML IdP configuration with an SP connector, the sp-connector is not available for delete when the profile is deleted.
Conditions:
-- Profile is connected to an SSO SAML IdP configuration with an SP connector.
-- Deleting the profile and attempting to delete the sp-connector.
Impact:
The SP connector is not listed for delete when the profile is deleted.
Workaround:
To delete the SP connector, run the following command:
tmsh delete apm sso saml-sp-connector NAME
Fix:
SP connectors are now available for delete when profile is deleted.
734539-3 : The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads
Component: TMOS
Symptoms:
When an IKEv1 peer sends an INVALID-SPI payload, and BIG-IP system cannot find the phase-two Security Association (SA) for that SPI but can find phase-one SA involved; the racoon daemon may crash if there are additional INVALID-SPI payloads afterward.
Conditions:
-- An INVALID-SPI notification is received.
-- That phase-two SA is already gone.
-- The phase-one parent SA is still around.
-- Subsequent notification INVALID-SPI payloads involve the same phase-one SA.
Impact:
The v1 racoon daemon cores, interrupting traffic until new tunnels can be established after racoon restarts.
Workaround:
There is no workaround at this time.
Fix:
The system no longer destroys the parent phase-one SA when an INVALID-SPI notification cannot find the target phase-two SA, so this issue does not occur.
734527-1 : BGP 'capability graceful-restart' for peer-group not properly advertised when configured
Component: TMOS
Symptoms:
BGP neighbor using peer-group with 'capability graceful-restart' enabled (which is the default). However, on the system, peer-group defaults to disable. Because there is no config statement to enable 'capability graceful-restart' after restart, it gets turned off after config load, which also turns it off for any BGP neighbor using it.
Conditions:
- Neighbor configured to use peer-group.
- Peer-group configured with capability graceful-restart, but with the default: disabled.
Impact:
Because peer-group is set to disable by default, and there is no operation to enable it after restart, 'capability graceful-restart' gets turned off after config load, and neighbors using it from peer-group get turned off as well.
Workaround:
Re-issue the commands to set peer-group 'capability graceful-restart' and 'clear ip bgp *' to reset BGP neighbors.
Fix:
The peer-group now has 'capability graceful-restart' enabled by default, so this issue no longer occurs.
Behavior Change:
In this release, peer-group has 'capability graceful-restart' enabled by default.
734446-2 : TMM crash after changing LSN pool mode from PBA to NAPT
Component: Carrier-Grade NAT
Symptoms:
TMM crashes after changing LSN pool mode from PBA to NAPT when long lived connections are killed due to the PBA block lifetime and zombie timeout expiring.
Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set and long lived connections.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.
The PBA pool can be deleted after the virtual servers are no longer using it.
Fix:
TMM no longer crashes after changing LSN pool mode from PBA to NAPT.
734291-2 : Logon page modification fails to sync to standby
Component: Access Policy Manager
Symptoms:
Changes in the login page of VPE do not sync to standby.
Conditions:
1. You make changes to the logon page on the active device, making changes to the username or any other field on the login page of VPE.
2. You sync to standby, and it succeeds.
Impact:
When you access in standby device, the customization error failure message appears, and the dialog fails to open in VPE. You cannot see the changes made on the active device from standby device.
Workaround:
Do not make changes to fields on the login page.
Fix:
Changes in the login page of VPE now sync to standby.
734276-2 : TMM may leak memory when SSL certificates with VDI or EAM in use
Component: Local Traffic Manager
Symptoms:
TMM 'method' memory usage grows over time when VDI and serverssl *or* EAM and clientssl are configured on the same VIP.
Conditions:
One or both of the following:
-- VDI and serverssl are configured on the same VIP
-- EAM and clientssl are configured on the same VIP
Impact:
TMM memory usage grows over time leading to eventual performance degradation and potential traffic outage if TMM cores.
Workaround:
No workaround short of not using these combinations of features.
Fix:
TMM no longer leaks memory when VDI and serverssl *or* EAM and clientssl are configured together on the same VIP.
734228-1 : False-positive illegal-length violation can appear
Component: Application Security Manager
Symptoms:
A false-positive illegal-length violation.
Conditions:
A chunked request where the request length is more than half of the configured max-request length.
Impact:
False-positive illegal-length violation.
Workaround:
Configure a higher max request length violation.
Fix:
Fixed a false-positive request-length violation.
733585-3 : Merged can use %100 of CPU if all stats snapshot files are in the future
Component: TMOS
Symptoms:
Merged uses %100 of CPU if it cannot remove the oldest snapshot file, due to all snapshot files having timestamps in the future.
Conditions:
All stats snapshot file having timestamps in the future, release has the fix for issue 721740, but not this issue.
Impact:
Merged using %100 of the CPU.
Workaround:
Remove snapshot stats files that have timestamps in the future and restart merged.
Fix:
Correctly exit cleanup logic when all stats snapshot files have timestamps in the future.
727467-1 : Some iSeries appliances can experience traffic disruption when the high availability (HA) peer is upgraded from 12.1.3 and earlier to 13.1.0 or later.
Component: TMOS
Symptoms:
-- CPU core 0 can be seen utilizing 100% CPU.
-- Other even cores may show a 40% increase in CPU usage.
-- Pool monitors are seen flapping in /var/log/ltm.
-- System posts the following messages:
+ In /var/log/ltm:
- err tmm4[21025]: 01340004:3: high availability (HA) Connection detected dissimilar peer: local npgs 1, remote npgs 1, local npus 8, remote npus 8, local pg 0, remote pg 0, local pu 4, remote pu 0. Connection will be aborted.
+ In /var/log/tmm:
- notice DAGLIB: Invalid table size 12
- notice DAG: Failed to consume DAG data
Conditions:
-- Active unit on a pre-12.1.3.1 release.
-- Standby peer upgraded to a 13.1.0 or later release.
-- Device is an iSeries device (i5600 or later).
Important: This issue may also affect iSeries high availability (HA) peers on the same software version if the devices do not share the same model number.
Note: Although this also occurs when upgrading to 12.1.3.8 and 13.0.x, the issue is not as severe.
Impact:
- High CPU usage.
- Traffic disruption.
Workaround:
Minimize impact on affected active devices by keeping the upgraded post-13.1.0 unit offline as long as possible before going directly to Active.
For example, on a 12.1.3 unit to be upgraded (pre-upgrade):
-- Run the following command: tmsh run sys failover offline persist
-- Run the following command: tmsh save sys config
-- Upgrade to 13.1.0.8.
-- Unit comes back up on 13.1.0.8 as 'Forced Offline' and does not communicate with the active unit running 12.1.3 at all.
-- Set up high availability (HA) group and make sure the 12.1.3 Active unit's high availability (HA) score is lower than 13.1.0.8.
-- To cause the 13.1.0.8 unit to go directly to Active and take over traffic, run the following command on the unit running 13.1.0.8:
tmsh run sys failover online
At this point, the 12.1.3 unit starts to show symptoms of this issue, however, because it is no longer processing traffic, there is no cause for concern.
Fix:
This release introduces a new bigdb variable DAG.OverrideTableSize. To prevent the issue on an upgraded post-13.1.0 unit, set DAG.OverrideTableSize to 3.
In order to return the system to typical CPU usage, you must set the db variable, and then restart tmm by running the following command:
bigstart restart tmm
(Restarting tmm is required for 13.1.1.2 and newer 13.1.1.x releases.)
Note: Because the restart is occurring on the Standby unit, no traffic is disrupted while tmm restarts.
727297-3 : GUI TACACS+ remote server list should accept hostname
Component: TMOS
Symptoms:
Cannot add hostnames to the Remote - TACACS+ server list in the GUI.
Conditions:
-- On the System :: Users : Authentication page with Remote - TACACS+ specified.
-- Add hostname to the server list.
Impact:
Validation does not accept a hostname. Cannot add hostname as a server.
Workaround:
Use tmsh to add a hostname.
Fix:
The system now allows hostname to be added with proper validation in this case.
727292-1 : SSL in proxy shutdown case does not deliver server TCP FIN
Component: Local Traffic Manager
Symptoms:
Connection is not torn down.
Conditions:
HTTPS server disconnects connection when in handshake.
Impact:
Potential resource exhaustion.
Workaround:
You can mitigate this condition in either of the following ways:
-- Wait for system to clean up lingering connections.
-- Use tmsh to clean up connections. (Note: Sometimes this might not work as expected depending on conditions.)
-- If this happens on the config-sync channel, use a different self-ip for config-sync on the affected device.
Fix:
SSL server side handles this error situation by sending out all remaining egress data and sending a shutdown signal to lower filters.
727222-1 : 206 Partial Content responses from ramcache have malformed Content-Range header
Component: Local Traffic Manager
Symptoms:
When ramcache serves a 206 Partial Content response from cache, the Content-Range header repeats the name:
Content-Range: Content-Range: bytes 0-5/28
Conditions:
Request from client for partial document (Range header) against a virtual server with a web-acceleration profile having no applications (ramcache), where the requested document is present in ramcache.
Impact:
The client may mishandle the response, as the Content-Range header is malformed. This may cause additional traffic as the client may retrieve the entire document in a subsequent request due to the malformed response.
Workaround:
Remove the duplicate portion of the Content-Range header using an iRule at HTTP_RESPONSE_RELEASE time.
Fix:
The Content-Range header is now correctly formed for 206 Partial Content responses served from ramcache.
727212-1 : Subscriber-id query using full length IPv6 address fails.
Component: Carrier-Grade NAT
Symptoms:
FW NAT / CGNAT modules query the subscriber ID using IPv6 address. If the query is done using the IPv6 mask, under some circumstances the query fails.
Conditions:
The network is using an IPv6 mask other than 128. Subscribers are created using the masked IP address as the key. If NAT module uses the complete IP address as the query key, the subscriber will not be found.
Impact:
Logs contain UNKNOWN subscriber-id.
Workaround:
There is no workaround at this time.
Fix:
Subscriber ID queries using IPv6 address are now returning the subscriber-id.
727206 : Memory corruption when using SSL Forward Proxy on certain platforms
Component: Local Traffic Manager
Symptoms:
When using SSL Forward proxy, memory corruption can occur, which can eventually lead to a tmm crash.
Conditions:
Client SSL profile on a virtual server with SSL Forward proxy enabled.
-- Using the following platforms:
- vCMP host
- 2000s / 2200s
- 5000s / 5200v
- 5050s / 5250v / 5250v-F
- 10350V-F
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes under these conditions.
727107-2 : Request Logs are not stored locally due to shmem pipe blockage
Component: Application Security Manager
Symptoms:
An unknown issue causes the communication layer between pabnagd and asmlogd to be become stuck. Messages similar to the following appear in pabnagd.log:
----------------------------------------------------------------------
account |NOTICE|... src/Account.cpp:183|Skipped 36 repeated messages. Request Log protobuf subscription queue is full. Message dropped.
rqlgwriter |WARNIN|... src/RequestLogWriter.cpp:137|Skipped 599 repeated messages. No space to write in shmem.
Messages similar to the following appear in pabnagd.log:
Conditions:
Request Logs are not stored locally due to shmem pipe blockage.
Impact:
Event logs stop logging locally.
Workaround:
Restart policy builder with:
killall -s SIGHUP pabnagd
Fix:
The policy builder now detects the blockage, and restarts the connection with the request logger.
727044-2 : TMM may crash while processing compressed data
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing compressed data.
Conditions:
Compression enabled
Hardware compression disabled
Impact:
TMM crash leading to a failover event.
Workaround:
No workaround.
Fix:
TMM now correctly processes compressed traffic
726895 : VPE cannot modify subroutine settings
Solution Article: K02205915
Component: Access Policy Manager
Symptoms:
Open per-request policy in Visual Policy Editor (VPE) that has a subroutine. Click 'Subroutine Settings / Rename.
Numeric values like the inactivity timeout are displayed as 'NaN. Attempts to modify the values results in MCP validation errors such as one of these:
- Unable to execute transaction because of:
- Unable to execute transaction because of: 01020036:3: The requested user role partition (admin Common) was not found.
Conditions:
-- Per-request policy in the VPE.
-- Subroutine in the per-request policy.
-- Attempt to change the values.
Impact:
All fields say 'NaN', and error when trying to modify properties. Subroutine settings like the Inactivity Timeout and Gating Criteria cannot be modified through the VPE
Workaround:
Use tmsh to modify these values, for example:
tmsh modify apm policy access-policy <policy_name> subroutine properties modify { all { inactivity-timeout 301 } }
Fix:
The issue has been fixed; it is now possible to view and modify subroutine settings in the VPE.
726872-2 : iApp LX directory disappears after upgrade or restoring from UCS★
Component: iApp Technology
Symptoms:
After BIG-IP version upgrade or restoring from UCS, iApps/Application Services/Applications LX screen displays instances of iApps LX, but their UI is not functional. That is caused by the software defect causing iApp LX directory to disappear from /var/config/rest/iapps.
Conditions:
Initial startup after BIG-IP version upgrade or restoring from UCS.
The more iApps LX instances and the more configuration they use, the more likely this issue is to occur, for example, this issue occurs with 90 or more instances of f5-ddos-hybrid-defender iApp LX.
Impact:
The iAppLX code is removed from the system, which makes iAppLX UI unusable. The configuration deployed by iApp LX instances remains in effect. The iApp LX configuration data remain intact, and the UI can be completely restored after manual installation of iApp LX code.
Workaround:
To workaround this issue, follow these steps:
1. Copy iAppLX code from an unaffected BIG-IP system to the BIG-IP system impacted by this defect, for example,
/var/config/rest/iapps/f5-ddos-hybrid-defender
2. Create a symlink to the UI code for UI to work, for example:
ln -sfvn /var/config/rest/iapps/f5-ddos-hybrid-defender/presentation /var/iapps/www/f5-ddos-hybrid-defender
3. Restart restjavad:
bigstart restart restjavad
4. Restart restnoded:
bigstart restart restnoded
Fix:
iApp LX directory no longer disappears after upgrading or restoring from UCS
726734-1 : DAGv2 port lookup stringent may fail
Component: Local Traffic Manager
Symptoms:
Under certain circumstances tmm might not be able to find a local port, and the connection may fail. This happens, for example, for active FTP with mirroring enabled.
Conditions:
Active FTP with mirroring enabled.
Impact:
Connection cannot get established.
Workaround:
There is no workaround other than to disable mirroring.
Fix:
TMM is now always able to find a local port.
726665-2 : tmm core dump due to SEGFAULT
Component: Policy Enforcement Manager
Symptoms:
tmm core dump due to SEGFAULT.
Conditions:
System under load in network. Other conditions required to recreate this are unknown, but indicated a potential memory-handling issue.
Impact:
The blade reboots resulting in failover. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The apparent memory-handling issue leading to the SEGFAULT has been corrected, so the tmm core and failover no longer occur.
726647-3 : PEM content insertion in a compressed response may truncate some data
Component: Policy Enforcement Manager
Symptoms:
HTTP compressed response with content insert action can truncate data.
Conditions:
PEM content insertion action with compressed HTTP response.
Impact:
Data might be truncated.
Workaround:
There is no workaround other than disabling compression accept-encoding attribute in the HTTP request.
Fix:
HTTP compressed response with content insert action no longer truncates data.
726616-1 : TMM crashes when a session is terminated
Component: Access Policy Manager
Symptoms:
TMM crashes when it is releasing the memory used by a session that is terminated. Either one of the following error messages might appear in the TMM log:
-- notice panic: ../kern/umem.c:4166: Assertion "valid type" failed.
-- notice panic: ../kern/page_alloc.c:705: Assertion "vmem_hashlist_remove not found" failed.
Conditions:
The memory used by a session is corrupted during the lifetime of the session. This issue happens infrequently.
Impact:
TMM restarts, causing service interruption if the BIG-IP system is not part of a high-availability setup.
Workaround:
There is no workaround at this time.
Fix:
TMM no longer crashes when removing an access session.
726592-1 : Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop
Component: Access Policy Manager
Symptoms:
Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop. This could be triggered by invalid state of our control plane daemons.
Conditions:
This is an extremely rare situation that can be caused by invalid logsetting config messaging between our daemons. However, once it happens it can impact multiple daemons at the same time causing all of them to hang.
Impact:
Once this happens it can impact multiple daemons (apmd, apm_websso, localdbmgr) at the same time causing all of them to hang.
Workaround:
There is no workaround at this time, you can recover by restarting the daemons that hang.
Fix:
We have fixed a memory corruption that can break the linkages in our data structure which would cause certain traversals to loop indefinitely.
726537-1 : Rare TMM crash when Single Page Application is enabled on DoSL7
Component: Application Security Manager
Symptoms:
There is a rare TMM crash that may happen when Single Page Application is enabled on the DoS Application profile.
Conditions:
Single Page Application is enabled on the DoS Application profile.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Rare TMM crash no longer occurs when Single Page Application is enabled on DoSL7.
726487-2 : MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
Component: TMOS
Symptoms:
The MCPD daemon on secondary VIPRION or vCMP blades exits and restarts, logging errors similar to the following:
-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.
-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.
Or:
--- err mcpd[8320]: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).
--- err mcpd[8320]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).... failed validation with error 17236027.
Conditions:
This issue occurs when all of the following conditions are met:
-- VIPRION or vCMP platform with more than one blade.
-- A partition with a non-default route domain.
-- Creating a pool member in the aforementioned partition while a configuration save is taking place at the same time (either system or user initiated).
Impact:
If the system is Active, traffic will be disrupted as the secondary blades restart. The capacity of the system will be reduced until all blades are on-line again. Additionally, depending on the system configuration, the system may fail over to its peer (if one exists).
Workaround:
There is no workaround other than not to create pool members from a different client while saving configuration changes in another client. However, this does not help if the configuration save operation was system-initiated.
Fix:
MCPD on secondary blades no longer restarts if a pool member is created in a partition that uses a non-default route domain at the same as the configuration is being saved.
726412-2 : Virtual server drop down missing objects on pool creation
Component: Global Traffic Manager (DNS)
Symptoms:
Available virtual servers are not populated in the drop down list during Pool creation.
Conditions:
Virtual server names containing single quote, backslash, or greater-than and less-than signs: ' \ < >.
Impact:
Unable to add available virtual servers to pools.
Workaround:
After pool creation, go into that newly created pool, click 'Members', and then click 'Manage', and use the Virtual Server drop-down list to add any virtual servers.
Fix:
Fixed the drop down for virtual servers. Now virtual servers get loaded in the drop-down list during pool creation.
726409-4 : Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
Component: TMOS
Symptoms:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or
possibly have unspecified other impact by leveraging use of the accept system call.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
Conditions:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439
Impact:
denial of service
Workaround:
don't allow login
Fix:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439
726393-4 : DHCPRELAY6 can lead to a tmm crash
Solution Article: K36228121
726377-1 : False-positive cookie hijacking violation
Component: Application Security Manager
Symptoms:
A false-positive cookie hijacking violation.
Conditions:
-- Several sites are configured on the policy, without subdomains.
-- TS cookies are sent with the higher domain level then the configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.
Impact:
False positive violation / blocking.
Workaround:
Cookie hijacking violation when the device ID feature is turned off is almost never relevant, as it should be able to detect only cases where some of the TS cookies were taken. The suggestion is to turn off this violation.
Fix:
False-positive cookie hijacking violation no longer happens working with multiple domains on some scenarios.
726327-2 : NodeJS debugger accepts connections from any host
Solution Article: K37111863
726319-2 : 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses
Component: Local Traffic Manager
Symptoms:
When FQDN nodes and pool members are used in LTM pools, a message similar to the following may be logged if the DNS server returns a different set of IP address records to resolve the FQDN name:
err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.
Conditions:
This message may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name, and new ephemeral pool members are created corresponding to the new IP addresses.
This may occur intermittently depending on timing conditions.
Impact:
These log messages are cosmetic and do not indicate any impact to traffic or BIG-IP operations.
Workaround:
None.
Fix:
'The requested Pool Member ... already exists' messages are no longer logged occasionally when an FQDN pool member name resolves to different IP addresses.
726303-1 : Unlock 10 million custom db entry limit
Component: Traffic Classification Engine
Symptoms:
Cannot add more than 10 million custom db entries.
Conditions:
This happens when you try to add more than 10 million custom db entries.
Impact:
Not able to add more than 10 million entries.
Workaround:
There is no workaround at this time.
Fix:
This release provides a sys db var, tmm.urlcat.no_db_limit, to allow growth beyond the existing limit of 10 million custom db entries.
726255-2 : dns_path lingering in memory with last_access 0 causing high memory usage
Component: Global Traffic Manager (DNS)
Symptoms:
dns_path not released after exceeding the inactive path ttl.
Conditions:
1. Multiple tmm's in sync group
2. Multiple dns paths per GTM needed for load balancing.
Impact:
High memory usage.
Workaround:
There is no workaround at this time.
Fix:
dns_path memory will be released after ttl.
726239-4 : interruption of traffic handling as sod daemon restarts TMM
Component: Local Traffic Manager
Symptoms:
When the receiving host in a TCP connection has set its send window to zero (stopping the flow of data), following certain unusual protocol sequences, the logic in the TMM that persists in probing the zero window may enter an endless loop.
Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.
Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This fix handles a rare TMM crash when TCP persist timer is active.
726176-4 : platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
Component: Local Traffic Manager
Symptoms:
The BIG-IP system running RSS DAG hash attempts to reuse ports while pool members remain in a TIME_WAIT state and are unable to process new connections.
Conditions:
This issue occurs when all of the following conditions are met:
-- You are running on a BIG-IP platform using RSS DAG hash, for instance, z100 and 2000 or 4000 series hardware platform.
-- You have the FastL4 profile associated with a virtual server.
-- The virtual server is configured with source-port preserve.
Impact:
Traffic throughput may be degraded.
Workaround:
Set source-port to change.
Fix:
Platforms running RSS DAG hash now reuse source port at the correct rate when virtual server sets source-port preserve.
726154-2 : TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies
Component: Advanced Firewall Manager
Symptoms:
TMM might restart when changing firewall or NAT configurations on a virtual server with the same name as a route-domain.
Conditions:
- There is a virtual server and a route-domain that have the same name in the configuration.
- A firewall or NAT policy is being attached or removed from one or both of the virtual server or route-domain.
Impact:
TMM might halt and traffic processing temporarily ceases. TMM restarts and traffic processing resumes.
Workaround:
There is no workaround other than not to use the same name for virtual server and route-domain objects.
Fix:
TMM no longer crashes under the conditions described. Firewall and NAT configurations are applied correctly on virtual servers with the same names as route-domains.
726090-1 : No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense
Component: Application Security Manager
Symptoms:
Device ID challenges are not logged in the Bot Defense Request Log (local and remote) when associating the Bot Defense logging profile to the virtual server.
Conditions:
-- Device ID is enabled on the ASM Policy.
-- DoS profile with Proactive Bot Defense is not associated with the virtual server.
Impact:
There are no logs to show the browser challenges and the requests from clients that do not support JavaScript.
Workaround:
There is no workaround at this time.
Fix:
Requests are now logged to the Bot Defense Request Log with Device ID enabled on the ASM Policy and no associated DoS profile.
726089-2 : Modifications to AVR metrics page
Solution Article: K44462254
726039 : Information is not updated after installing FPS live update via GUI
Component: Fraud Protection Services
Symptoms:
The GUI does not display the updated information after installing an update.
Conditions:
FPS is licensed and provisioned.
Impact:
Cosmetic only.
Workaround:
Refreshing the page.
Fix:
The information is updated after installing an update.
726001-1 : Rapid datagroup updates can cause type corruption
Component: Local Traffic Manager
Symptoms:
'invalid class type" error message in /var/log/ltm.
Conditions:
Using external datagroups and updating them before the previous update has finished, such as with:
-- Executing config-sync.
-- echo "create sys file data-group dg-test source-path file:///var/tmp/dg_test type string separator :=; create ltm data-group external dg-test external-file-name dg-test; modify sys file data-group dg-test source-path file:///var/tmp/dg_test" | tmsh -a
Impact:
iRule fails.
Workaround:
Ensure that changes to a datagroup are done processing (by looking for the 'finished' message in the LTM logs) before updating them again.
Fix:
Rapid updates no longer cause type corruption.
725950 : Regcomp() leaks memory if passed an invalid regex.
Component: TMOS
Symptoms:
Because of memory leak, big3d's memory usage increased over time
Conditions:
Pass invalid expression to regcomp.
Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory.
Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}
Fix:
Fixed a memory leak in big3d
725878-2 : AVR does not collect all of APM TMStats
Component: Application Visibility and Reporting
Symptoms:
AVR does not collect all of APM TMStats
Conditions:
Using AVR to view APM stats.
Impact:
Cannot view all values.
Workaround:
None.
Fix:
This release now provides stats for the following:
-- License Stats :: show apm license
-- Session Stats (ACL Stats) :: show apm acl
-- Access Profile Stats :: show apm profile access
-- OAuth Client Stats :: show apm aaa oauth-server
-- OAuth Profile Stats :: show apm profile oauth
-- Network Access Stats :: show net tunnels ppp
Behavior Change:
This release now provides stats for the following:
-- License Stats :: show apm license
-- Session Stats (ACL Stats) :: show apm acl
-- Access Profile Stats :: show apm profile access
-- OAuth Client Stats :: show apm aaa oauth-server
-- OAuth Profile Stats :: show apm profile oauth
-- Network Access Stats :: show net tunnels ppp
725867-2 : ADFS proxy does not fetch configuration for non-floating virtual servers
Component: Access Policy Manager
Symptoms:
If the virtual address of a virtual server has a non-floating traffic group (e.g., traffic-group-local-only), ADFS proxy does not perform periodic configuration updates, including listing allowed URIs from ADFS, and thus blocks all the requests (by responding with 404).
Conditions:
-- Virtual address of virtual server has non-floating traffic group.
-- ADFS proxy feature is enabled on the virtual server.
Impact:
All the requests to ADFS are blocked.
Workaround:
Set floating traffic group for virtual address (e.g., traffic-group-1).
Fix:
ADFS proxy now fetches configuration from ADFS for non-floating virtual servers.
725815-1 : vlangroup usage may cause a excessive resource consumption
Solution Article: K72442354
725801-4 : CVE-2017-7889: Kernel Vulnerability
Solution Article: K80440915
725791-4 : Potential HW/HSB issue detected
Component: TMOS
Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.
With a burst of CRC errors in the SRAM for ePVA transformation cache, it does not trigger a failover and causes a silent traffic outage on the FastL4 VIP with hardware traffic acceleration. This occurs because the health check watchdog packets are still functioning correctly, and the current TMOS software primarily monitors watchdog packets tx/rx failures to trigger failover.
In these cases, there might be the following messages in /var/log/tmm*:
Device error: hsb_lbb* tre2_crc_errs count *
Conditions:
Traffic is offloaded to HSB hardware for acceleration.
Impact:
Hardware accelerated traffic drop.
Workaround:
Switch traffic to software acceleration.
Fix:
Including traffic-critical registers in failover triggers, helps failover happen quickly with minimum disruption to traffic in the case of SRAM hardware failures.
725696-1 : A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted
Component: TMOS
Symptoms:
When OCSP Stapling is enabled on a client SSL profile, certain uncommon operations might result in a tmm timer queue getting into a loop, which results in tmm being aborted by sod. tmm restart
Conditions:
-- There are SSL handshakes waiting for an OCSP response, and one of the following:
+ There is a CMP transition.
+ There are changes made to the OCSP object.
Impact:
tmm restarts. Traffic interrupted while tmm restarts.
Workaround:
There is no workaround other than disabling OCSP stapling.
Fix:
The timer issue has been corrected.
725635-2 : CVE-2018-3665: Intel Lazy FPU Vulnerability
Solution Article: K21344224
725612-1 : syslog-ng does not send any messages to the remote servers after reconfiguration
Component: TMOS
Symptoms:
Changing syslog remote server IP address (tmsh sys syslog remote-servers) requires a syslog-ng process restart to take effect. Syslog operations do not use the new remote destination address on syslog service reconfiguration.
Conditions:
1. Add a Remote Syslog server (Server A) using System :: Logs :: Configuration :: Remote Syslog.
2. Click Update (Syslog messages go out toward Server A).
3. Remove Server A from configuration.
4. Add new Server B (different IP address).
5. Click Update.
Impact:
After reconfiguring remote syslog host IP addresses, syslog messages continue to be sent to the previously configured addresses.
Workaround:
Restart the syslog service using the following command:
bigstart restart syslog-ng
Messages will now properly be sent toward Server B (the new IP address).
Fix:
Syslog operations now use the new remote destination address on syslog service reconfiguration.
725551-4 : ASM may consume excessive resources
Component: Application Security Manager
Symptoms:
While processing certain types of responses, ASM may consume excessive resources.
Conditions:
-- ASM provisioned and enabled.
-- Response-side features are enabled (e.g., the default learn from responses and learn server tech or data guard is Enforced, etc.).
Impact:
Excessive resource consumption, potentially leading to a delay in traffic processing or a failover event.
Workaround:
None.
Fix:
ASM now processes traffic as expected.
725545-1 : Ephemeral listener might not be set up correctly
Component: Local Traffic Manager
Symptoms:
When ephemeral listeners are set up across a cluster, the transaction might fail.
Conditions:
When using Network Access tunnel with proxy ARP and no SNAT.
Impact:
The client-assigned IP address might intermittently fail to be resolved via ARP on the serverside/leasepool VLAN.
Workaround:
None.
Fix:
The ephemeral listener is now set up correctly.
725505-2 : SNAT settings in network resource are not applied after FastL4 profile is updated
Component: Access Policy Manager
Symptoms:
When the admin updates a FastL4 profile, the iRule associated with the internal virtual server (the APM forward virtual server) is removed.
This iRule sets up the SNAT setting, however, since the iRule is removed, the SNAT setting is not applied to new network access connections.
Conditions:
-- Using network access.
-- FastL4 profile is updated.
Impact:
When accessing the backend resource, the BIG-IP system uses the self IP address as the source IP address instead of the IP address configured under the network access resource. Traffic disrupted while tmm restarts.
Workaround:
Restart tmm.
Restarting tmm re-creates the forward virtual servers and attach the relevant iRule.
725412-1 : APM does not follow current best practices for HTTP headers
Component: Access Policy Manager
Symptoms:
APM does not follow current best practices for HTTP headers
Conditions:
APM enabled
Impact:
HTTP headers not generated as intended
Workaround:
None.
Fix:
APM now follows current best practices for HTTP headers
725040-3 : Auto-update fails for F5 Helper Applications on Linux
Component: Access Policy Manager
Symptoms:
A pop-up error message is displayed for failed auto-update for F5 Helper Applications on Linux.
Conditions:
Linux users using F5 Helper Applications (f5epi and f5vpn) to establish a VPN tunnel.
Impact:
Linux users are not updated to the new releases.
Workaround:
Reinstall F5 Helper Applications manually.
Fix:
Auto-update succeeds for F5 Helper Applications on Linux
724906-1 : sasp_gwm monitor leaks memory over time
Component: Local Traffic Manager
Symptoms:
The Server/Application State Protocol (SASP) monitor, sasp_gwm memory usage slowly increases over time.
Conditions:
The Server/Application State Protocol (SASP) monitor is configured.
The leakage occurs during normal operation of the monitor and is not tied to any specific user or traffic action.
Impact:
sasp_gwm grows over time and eventually the system may be pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.
Workaround:
Periodic restarts of sasp_gwm processes avoids the growth affecting the system.
Fix:
The sasp_gwm monitor no longer leaks memory when processing messages.
724868-1 : dynconfd memory usage increases over time
Component: Local Traffic Manager
Symptoms:
dynconfd memory usage slowly increases over time as it processes various state-related messages.
Conditions:
No special conditions as dynconfd is a core LTM process. Large numbers of pool members combined with flapping might increase the rate of memory usage increase.
Impact:
dynconfd grows over time and eventually the system is pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.
Workaround:
Periodic restarts of dynconfd avoids the growth affecting the system.
Fix:
dynconfd no longer leaks memory when processing messages.
724847 : DNS traffic does not get classified for AFM port misuse case
Solution Article: K95010813
Component: Traffic Classification Engine
Symptoms:
When DNS query name has a label length of greater than 23 bytes, it does not get classified as DNS.
Conditions:
-- AFM provisioned.
-- A port misuse policy for DNS and a service policy configured.
-- DNS query name with label length of greater than 23 bytes.
Impact:
DNS does not get classified properly for some cases.
Workaround:
There is no workaround at this time.
Fix:
Allowed DNS label length is now 64 bytes, so any DNS query name where each label name is fewer than 64 byes is now properly classified.
724680-4 : OpenSSL Vulnerability: CVE-2018-0732
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K21665601
Conditions:
For more information see: https://support.f5.com/csp/article/K21665601
Impact:
For more information see: https://support.f5.com/csp/article/K21665601
Workaround:
None.
Fix:
For more information see: https://support.f5.com/csp/article/K21665601
724571-1 : Importing access profile takes a long time
Component: Access Policy Manager
Symptoms:
It takes a long time for the 'Apply Access Policy' link to show up on the admin UI after importing an access profile.
Conditions:
-- Access policy with many macros.
-- Import exported profile multiple times with Reuse Existing Objects checked
-- As the number of imports increases, so does the latency.
Impact:
The imported access policy takes a long time to be imported and ready to use.
Workaround:
None.
724564-1 : A FastL4 connection can fail with loose-init and hash persistence enabled
Component: Local Traffic Manager
Symptoms:
The BIG-IP system fails to create a connection after 3WHS when using loose-init and hash persistence.
This can happen if traffic is redirected from one BIG-IP system to another, with the second BIG-IP system failing to create the connection, causing an interruption of traffic on that connection.
Conditions:
-- Virtual server configured with hash persistence.
-- FastL4 profile with loose-init enabled.
Impact:
Traffic fails when redirected from one BIG-IP system to another.
Workaround:
There is no workaround other than to disable hash persistence.
Fix:
A FastL4 connection no longer fails with loose-init and hash persistence enabled.
724556-2 : icrd_child spawns more than maximum allowed times (zombie processes)
Component: TMOS
Symptoms:
icrd_child is issued a SIGTERM. The SIGTERM might not succeed in destroying the process, especially if the system is under a lot of load. This leads to zombie processes.
Conditions:
-- The icrd_child process is issued a SIGTERM that does not successfully destroy the icrd_child process.
-- System under heavy load.
Impact:
There are zombie icrd_child processes consuming memory.
Workaround:
Restart the system.
Fix:
Introduced the following configuration in /etc/icrd.conf: sigkillDelaySeconds
If set to 0, or if missing from icrd.conf, SIGKILL will not be issued after SIGTERM is issued to the icrd_child process.
If set to greater than 0, after the specified delay, SIGKILL will be issued after SIGTERM is issued to the icrd_child process if icrd_child process is not terminated.
A 'safe' number for the delay may be 3 seconds, but will depend on your configuration.
Behavior Change:
Introduced the following configuration in /etc/icrd.conf: sigkillDelaySeconds
If set to 0, or if missing from icrd.conf, SIGKILL will not be issued after SIGTERM is issued to the icrd_child process.
If set to greater than 0, after the specified delay, SIGKILL will be issued after SIGTERM is issued to the icrd_child process if icrd_child process is not terminated.
A 'safe' number for the delay may be 3 seconds, but will depend on your configuration.
724532-2 : SIG SEGV during IP intelligence category match in TMM
Component: Advanced Firewall Manager
Symptoms:
TMM restart while matching traffic from source IP to IP Intelligence category.
Conditions:
Multiple configuration changes that include deleting the custom IP intelligence categories.
Impact:
TMM restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer restarts while matching traffic from source IP to IP Intelligence category.
724414-2 : ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled
Component: Application Security Manager
Symptoms:
When ASM inspects WebSocket frames, the bd daemon memory is leaking; eventually ASM stops inspecting traffic and sends resets or bypass requests.
Conditions:
ASM module is provisioned.
-- ASM policy and WebSocket profile are attached to a virtual server.
-- WebSocket URL has JSON profile attached to it.
-- JSON profile has parse parameters flag enabled (this is the default).
Impact:
ASM may reset connections; failover might occur.
Workaround:
There are two workarounds:
-- Remove JSON profile from WebSocket URL in the ASM policy.
-- Disable parse parameters flag in the json profile.
Fix:
The system now frees the allocated memory when it finishes the inspect of a WebSocket frame.
724339-1 : Unexpected TMUI output in AFM
Solution Article: K04524282
724335-1 : Unexpected TMUI output in AFM
Solution Article: K21042153
724327-1 : Changes to a cipher rule do not immediately have an effect
Component: Local Traffic Manager
Symptoms:
If a cipher rule is changed, and a cipher group that uses the rule is attached to an SSL profile, the change does not take effect until something else on the SSL profile changes.
Conditions:
-- A cipher group is used by an SSL profile.
-- One of its cipher rules changes.
Impact:
Unexpected behavior occurs because the cipher rule change does not take effect immediately.
Workaround:
After changing the cipher rule that's used by a cipher group, make a change to any SSL profile that uses the associated cipher group.
Fix:
Any changes to a cipher rule or cipher group now takes immediate effect.
724214-3 : TMM core when using Multipath TCP
Component: Local Traffic Manager
Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic interrupted while TMM restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
724213-1 : Modified ssl_profile monitor param not synced correctly
Solution Article: K74431483
Component: Local Traffic Manager
Symptoms:
After modifying the ssl_profile attribute on an HTTPS monitor on a device in a high availability (HA) configuration, and after performing a full ConfigSync, the corresponding monitor on the peer-sync unit does not have the updated value.
Conditions:
-- An HTTPS monitor is used on BIG-IP systems in an high availability (HA) configuration.
-- The ssl_profile field is modified on an HTTPS monitor.
-- A sync-to-peer (full ConfigSync, not incremental sync) is attempted to propagate the modified ssl_profile value to the peer units.
Impact:
The ssl_profile value for the HTTPS monitor on the peer unit is set to none, resulting in the two devices reporting themselves as in-sync, but having potentially different HTTPS monitor configurations.
Workaround:
-- Do not run HTTPS monitors using in-tmm monitors,
-- Use the traditional HTTPS monitor configuration for SSL-attributes (cipherlist, key, cert, and compatibility attributes on HTTPS monitor).
Note: Using these attributes generates deprecation warnings, but the configuration still takes effect.
Fix:
After modifying the ssl_profile attribute on an HTTPS monitor on a system within an high availability (HA) configuration, and after performing a full ConfigSync, the corresponding monitor on the peer unit now receives the updated monitor attribute, as expected.
724143-1 : IKEv2 connflow expiration upon ike-peer change
Component: TMOS
Symptoms:
Altering the definition of an ike-peer does not expire the connflow used for the tunnel, so it remains in use for the tunnel.
Conditions:
-- Making any change to an IKEv2 ike-peer, even insignificant changes such as a description change.
-- Running a system version that has new attribute auth-rule inside ike-peer.
Note: This is not likely to occur in older system versions where no ike-peer state exists inside a connflow, because any ike-peer changes do replace the associated objects. In those cases, even though the same connflow is used, the system uses new algorithms for the ike-peer.
Impact:
In effect, you cannot change the configuration of the flow by changing the peer definition.
Workaround:
There is no workaround at this time.
Fix:
Changes in ike-peer now expire any existing connflow for that ike-peer. This affects only a system version that has new attribute auth-rule inside ike-peer.
724109-4 : Manual config-sync fails after pool with FQDN pool members is deleted
Component: TMOS
Symptoms:
If a user, deletes a fqdn pool on one BIG-IP in a cluster and then run a manual config sync with another BIG-IP, the change fails to sync with the other BIG-IPs in the cluster.
Conditions:
- Create fqdn pool in one BIG-IP
- Save sys config
- Run config sync
- Delete fqdn pool
- Save sys config
- Run config sync manually
Result: After deleting fqdn pool in BIG-IP and config sync with another BIG-IP, Manual config sync failed. Still, we can see the deleted fqdn pool in another BIG-IP
Impact:
FQDN pool delete failed in another BIG-IP and manual config sync operation is failed.
Workaround:
The workaround for this issue is to use auto-sync.
724032-1 : Searching Request Log for value containing backslash does not return expected result
Component: Application Security Manager
Symptoms:
Searching within Request Log for a value containing backslash does not return the expected result. This happens because escaping of backslashes in REST API access is handled differently with 'eq' and 'contains' filters.
Conditions:
Searching within Request Log for a value containing backslash.
Impact:
Search within Request Log record containing backslash does not return the expected result.
Workaround:
Backslashes in REST API requests should be doubled when searching using 'contains' filter, but must not be doubled when searching with 'eq' filter.
Fix:
Searching within Request Log for a value containing backslash returns the expected result.
723794-3 : PTI (Meltdown) mitigation should be disabled on AMD-based platforms
Component: TMOS
Symptoms:
Platforms with AMD processors freeze when the PTI (Page Table Isolation) mitigation is enabled, after a period ranging from several hours to several days.
You can find information about which versions have the PTI (Meltdown) mitigations enabled in the AskF5 Article: Bug ID 707226: DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations :: https://cdn.f5.com/product/bugtracker/ID707226.html.
Conditions:
-- AMD-based platforms:
+ BIG-IP B4100 blades
+ BIG-IP B4200 blades
+ BIG-IP 6900 and NEBS appliances
+ BIG-IP 89x0 appliances
+ BIG-IP 6400 FIPS and NEBS platforms
+ BIG-IP 110x0 appliances
-- The database variable kernel.pti is set to enable (to address PTI (Meltdown)).
Impact:
System locks up and is rebooted by the watchdog timer.
Workaround:
Set the database variable kernel.pti to disable by running the following command:
tmsh modify sys db kernel.pti value disable
According to AMD, these AMD processors are not vulnerable to PTI (Meltdown), so there is no reason to leave the db variable enabled.
Fix:
PTI (Page Table Isolation) mitigation is no longer enabled on AMD-based platforms.
723792-2 : GTM regex handling of some escape characters renders it invalid
Component: Global Traffic Manager (DNS)
Symptoms:
The memory footprint of big3d increases.
Conditions:
GTM monitor recv string such as the following: ^http\/\d\.\d[23]\d\d
Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory. The monitor marks the server it is monitoring UP as long as the server returns any response.
Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}
Fix:
Fixed handling of escape characters. Recv strings that previously failed to compile will now compile.
723790-1 : Idle asm_config_server handlers consumes a lot of memory
Component: Application Security Manager
Symptoms:
Idle asm_config_server handlers needlessly uses a large amount of memory.
Conditions:
This issue might result from several sets of conditions. Here is one:
Exporting a big XML ASM policy and then leaving the BIG-IP system idle. Relevant asm_config_server handler process increases its memory consumption and stays that way, holding on to the memory until it is released with a restart.
Impact:
Unnecessary memory consumption.
Workaround:
1) Lower the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server:
---------------
# perl -pi.bak -e 's/MaxMemorySize=471859200/MaxMemorySize=262144000/' /etc/ts/tools/asm_config_server.cfg
---------------
2) Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
Notes:
-- The provided workaround does not permanently fix the issue. Instead it alleviates the symptoms of memory pressure, by (1) lowering the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server, and (2) freeing up all the memory that is currently taken by all asm_config_server processes.
-- This workaround does not cause any down time; the asm_config_server processes automatically start within ~30 seconds.
723722-2 : MCPD crashes if several thousand files are created between config syncs.
Component: TMOS
Symptoms:
If more than several thousand (typically 20,000, but number varies by platform) files, for example SSL certificates or keys, are created between config syncs, the next config sync operation will take too long and mcpd will be killed by sod.
Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.
Impact:
Traffic is disrupted while the MCPD process restarts.
Workaround:
Run a config sync operation after every ~5000 files created.
Fix:
MCPD no longer crashes if several thousand files are created between config sync operations.
723579-4 : OSPF routes missing
Component: TMOS
Symptoms:
When newer link-state advertisement (LSA) (with greater seq) comes in, the Open Shortest Path First (OSPF) discards the old one by marking it DISCARD. The SPF calculation function suspends the calculation every 100 vertexes. If the discard happens during such a suspend, then after the calculation resumes, the discarded LSAs are ignored,n which can cause route unreachable, and eventually route withdraws.
Conditions:
A very large number (~500, beyond best practices) of routers in a single OSPF area.
Impact:
Intermittent route flaps occur that might cause unreachable destination or increased network traffic due to the non-optimal route choice.
Workaround:
There is no workaround.
Fix:
The 'vertex threshold' IMISH parameter is now provided for OSPF/OSPF6, and it is meant to control the amount of vertexes calculated in one bunch (the default value is 100). This value can be increased to prevent LSA discards. The value of 0 means that SPF calculation is not suspended at all, and in case of large areas this may cause slow responsiveness of OSPF and LSA drops, eventually.
723553-1 : BIG-IP installations on RAID systems (old style) may not boot★
Component: TMOS
Symptoms:
Kernel panic at boot time with specific message similar to the following:
mdadm: Devices UUID-<...> and UUID-<...> have the same name: /dev/md<X>.
Conditions:
-- System is a RAID platform, with an an earlier style RAID configuration such as the following:
+ 10000s / 10200v
+ 10050s / 10250v
+ 10055s / 10255v
-- System has been upgraded through v14.1.0 and then downgraded to v14.0.0 or earlier.
Note: For RAID platforms such as i15600 / i15800 and newer, this is not an issue.
Impact:
The downgraded v14.0.0 or earlier version does not boot.
Workaround:
To downgrade, boot and install the desired software version from external media.
Fix:
The duplicate device error no longer occurs during installation; the failure no longer occurs.
723402-2 : Apmd crashes running command: tmsh restart sys service all
Component: Access Policy Manager
Symptoms:
Rarely occurring apmd crash.
Conditions:
-- APM is licensed and provisioned.
-- Running the command: tmsh restart sys service all.
Impact:
Apmd crashes and cenerates a core file. Traffic may be disrupted while apmd restarts.
Workaround:
None.
Fix:
Apmd no longer crashes during tmsh restart sys service all.
723300-2 : TMM may crash when tracing iRules containing nameless listeners on internal virtual servers
Component: Local Traffic Manager
Symptoms:
TMM may crash when tracing iRules containing nameless listeners on internal virtual servers.
Conditions:
-- Using iRule tracing.
-- Internal virtual servers.
-- Listener iRule, where the listener has no name.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when tracing iRules containing nameless listeners on internal virtual servers.
723298-2 : BIND upgrade to version 9.11.4
Component: TMOS
Symptoms:
The BIG-IP system is running BIND version 9.9.9.
Conditions:
BIND on BIG-IP system.
Impact:
BIND 9.9 Extended Support Version was supported until June, 2018.
Workaround:
None.
Fix:
BIND version has been upgraded to 9.11.4.
723288-2 : DNS cache replication between TMMs does not always work for net dns-resolver
Component: Global Traffic Manager (DNS)
Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.
Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.
Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.
Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.
Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)
723278-1 : Radius Accounting-Request (STOP) always includes AVP Framed-IP-Address=0.16.0.0 when Network Access rescource configured with IPv4 & IPv6
Component: Access Policy Manager
Symptoms:
When VPN tunnel is terminated, 'Radius Accounting-Request (STOP)' always includes AVP Framed-IP-Address=0.16.0.0 instead of the assigned IPv4 addr to the PPP tunnel.
Conditions:
-- Network Access resource is configured with both IPv4 and IPv6.
-- PPP IP address can be either static (obtained from RADIUS) or dynamic (obtained from the lease pool).
-- Using an Edge client or a browser.
-- VPN tunnel is terminated.
Impact:
APM sends 'Radius Accounting-Request (STOP)' that includes the AVP Framed-IP-Address=0.16.0.0 value instead of the assigned IPv4 client IP address.
Workaround:
Configure only IPv4 IP addresses for the Network Access resource.
Fix:
Include Framed IP Address in RADIUS Acct STOP message only when it is a valid IPv4 address.
723130-1 : Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
Solution Article: K13996
Component: TMOS
Symptoms:
The OVA signing certificate that signs BIG-IP Virtual Edition (VE) OVA files expired. When deploying a BIG-IP VE from an OVA file, an invalid-certificate warning might be displayed due to the expired OVA signing certificate.
Conditions:
This issue may be encountered during the creation of new instances of BIG-IP VE in clients that check the validity of the OVA signing certificate (e.g., VMware).
Note: Existing BIG-IP VE instances are not subject to this issue.
Impact:
There might be questions about the integrity of the OVA file, and in some cases, might not be able to deploy a new instance from an OVA file.
Workaround:
None.
Fix:
The expired OVA signing certificate has been replaced with a valid signing certificate.
722969-2 : Access Policy import with 'reuse' enabled instead rewrites shared objects
Component: Access Policy Manager
Symptoms:
If a policy is exported and then imported with 'reuse' it rewrites objects on the server instead of simply reusing them.
Conditions:
-- Exporting profile A.
-- Importing profile B, with 'reuse' configured.
-- The objects in both profiles are named the same and are the same type.
Impact:
-- 'Reused' objects on the system are modified.
-- Policy A requires 'apply', because objects shared with Policy B are overwritten.
Workaround:
None.
Fix:
Access policy import with 'reuse' option enabled no longer rewrites shared objects
722893-1 : TMM can restart without a stack trace or core file after becoming disconnected from MCPD.
Solution Article: K30764018
Component: Local Traffic Manager
Symptoms:
The TMM - Host interface may stall when the kernel memory is fragmented, causing TMM and MCPD to become disconnected with one another.
MCPD logs 'Removed publication with publisher id TMM<x>' and TMM restarts cleanly.
TMM often logs '01010020:2: MCP Connection aborted, exiting' after a delay of seconds to minutes or more with a timestamp at time of event.
If this issue occurs during early TMM startup, then TMM logs 'MCP connection expired early in startup; retrying'.
Note that it is possible for TMM not to be able to properly restart after encountering this issue until the underlying memory condition has cleared. This can potentially carry on indefinitely.
Conditions:
This occurs when the following conditions are met:
-- Linux kernel memory fragmentation exists.
-- Another operation is occurring, including (among others):
+ Config-Sync with full reload is initiated.
+ Running tcpdump.
Impact:
The system will be inoperative and unable to pass traffic while TMM restarts. A redundant system will fail over to its peer.
Workaround:
If TMM fails to properly start for a prolonged period of time as a result of this issue, you can try to recover the system by restarting TMM (bigstart restart tmm), restarting the services (bigstart restart), or rebooting the system (reboot).
IMPORTANT: This is not a permanent workaround, just a way to temporarily recover the system until you can upgrade to a version of the software that contains a fix for this issue.
Fix:
The internal interface driver has been improved, allowing it to work in low and/or fragmented-memory conditions.
722691 : Available datagroup list does not contain datagroups with the correct type.
Component: TMOS
Symptoms:
Available datagroup list contains only datagroups with type string and is not repopulated with datagroups that have a different type to match when the operand/selector changes.
Conditions:
-- Using the GUI.
-- Operand or selector in a condition is changed to a combination that is not compatible with string-type datagroups.
Impact:
Cannot assign a non string-type datagroup to a condition.
Workaround:
Use TMSH to configure the policy rule condition.
Fix:
Datagroups list is repopulated with datagroups of the appropriate type when its rule condition's operand or selector is changed.
722682-2 : Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load★
Component: TMOS
Symptoms:
Loading configuration process failed after upgrade when pool member names contain colons. The system posts errors similar to the following:
01070226:3: Pool Member 443:10.10.10.10 references a nonexistent Virtual Server
Unexpected Error: Loading configuration process failed.
Conditions:
-- GTM pool member has colon in its name.
-- Upgrade to any of the following versions:
+ 12.1.3.x
+ Any 13.0.x
+ All 13.1.x earlier than 13.1.1.2
+ 14.0.x earlier than 14.0.0.3
Impact:
The system removes the part of the pool member name that precedes the colon, and configuration load fails. For example, when the configuration contains a pool member named example_pm:443:10:10:10:10, the system removes the part of the pool member name that precedes the first colon, in this case, example_pm, leaving the pool member name 443:10.10.10.10.
Workaround:
After upgrade, add two backslash characters, \\ before the first colon, : character.
1. Upgrade the BIG-IP DNS system to the new version of software.
2. SSH to log into the bash prompt of the BIG-IP DNS system.
3. Run the following command to add the string \\ in front of the first colon character, : in the name of each affected GTM pool member:
for j in $(find /config/ -name bigip_gtm.conf); do for i in $(awk '$0 ~ /^gtm server.*:/ {gsub("[/:]"," ",$0); print $4}' ${j}); do sed -i "s, /Common/${i}, /Common/${i}\\\\\\\,g" ${j} | grep " /Common/${i}"; done; done
4. Run the following command: load sys config gtm-only
Fix:
Configuration load no longer fails when upgrading with a configuration that contains BIG-IP DNS pools with members whose names contain colon characters.
722677-4 : High-Speed Bridge may lock up
Solution Article: K26455071
722594-2 : TCP flow may not work as expected if double tagging is used
Component: Local Traffic Manager
Symptoms:
TCP flow may have an incorrect ACK number, and the flow may stall or reset. The BIG-IP system sends an ACK that is higher than it should be based on the data received from the client.
Conditions:
Double tagging is used.
Impact:
TCP connection fails.
Workaround:
Change the db variable tm.tcplargereceiveoffload value to disable.
Fix:
TCP flow now has the correct ACK number when double tagging is used.
722423-1 : Analytics agent always resets when Category Lookup is of type custom only
Component: Access Policy Manager
Symptoms:
Analytics errors out with a log that says you cannot use custom lookup only along with analytics (/var/log/apm). Even if the Analytics agent is set to disable RST on failure, the agent will send a RST.
Conditions:
In the per-request policy, Category Lookup agent is set to custom lookup only.
Impact:
This configuration leads to an Analytics agent with 'RST on Failure' disabled. The BIG-IP Admin cannot make the choice to disable RST on failure for this particular setup (even though it is a misconfiguration).
Workaround:
You can avoid the RST and error by modifying the configuration to use a standard category lookup before the analytics agent.
Using a custom-only 'Category Lookup' immediately followed by 'Response Analytics' is not a valid configuration. In this configuration, Analytics cannot run the way it is supposed to because it does not have the right information. 'Response Analytics' gives the option to choose what to do on error: RST, or continue on, implying that the non-RST option is valid. If the admin chooses to not reset, the system should log the error and continue. In this case, the system actually does send a RST, even though the RST is not what the BIG-IP admin intended to configure.
Fix:
Disabling RST on failure now works properly in this scenario now. The configuration is still technically incorrect, but now the system takes the correct specified action-upon-error.
722387-3 : TMM may crash when processing APM DTLS traffic
Solution Article: K97241515
722380-2 : The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
Component: TMOS
Symptoms:
On platforms with HSB, if an HSB lockup occurs, then TMM panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. In certain cases, the reboot occurs before the core file is fully written, resulting in a truncated core.
Conditions:
-- Any platform with HSB.
-- An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.
Impact:
The reboot happens after the core dump begins before it completes, resulting in a truncated core dump, which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Reboot is delayed until TMM core file is completed.
722363-2 : Client fails to connect to server when using PVA offload at Established
Component: Local Traffic Manager
Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.
When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.
Conditions:
A FastL4 virtual server is configured with offload_state = EST.
Impact:
Clients fail to connect to the server.
Workaround:
There is no workaround other than to disable PVA acceleration.
722091-3 : TMM may crash while processing HTTP traffic
Solution Article: K64208870
722013 : MCPD restarts on all secondary blades post config-sync involving APM customization group
Component: Access Policy Manager
Symptoms:
After performing a series of specific config-sync operations between multi-blade systems, the MCPD daemon restarts on all secondary blades of one of the systems.
Each affected blade will log an error message similar to the following example:
-- err mcpd[5038]: 01070711:3: Caught runtime exception, Failed to collect files (snapshot path () req (7853) pmgr (7853) not valid msg (create_if { customization_group { customization_group_name "/Common/Test-A_secure_access_client_customization" customization_group_app_id "" customization_group_config_source 0 customization_group_cache_path "/config/filestore/files_d/Common_d/customization_group_d/:Common:Test-A_secure_access_client_customization_66596_1" customization_group_system_path "" customization_group_is_system 0 customization_group_access 3 customization_group_is_dynamic 0 customization_group_checksum "SHA1:62:fd61541c1097d460e42c50904684def2794ba70d" customization_group_create_time 1524643393 customization_group_last_update_time 1524643393 customization_group_created_by "admin" customization_group_last_updated_by "admin" customization_group_size 62 customization_group_mode 33188 customization_group_update_revision 1
Conditions:
This issue occurs when all of the following conditions are met:
- You have configured a device-group consisting of multi-blade systems (such as VIPRION devices or vCMP guests).
- Systems are provisioned for APM.
- The device-group is configured for incremental manual synchronizations.
- On one system (for example, source_system), you create an APM configuration object (for example, a connectivity profile) that causes the automatic creation of an associated customization group.
- You synchronize the configuration from the source_system to the device-group.
- On the source_system, you create a new configuration object of any kind (for example, an LTM node).
- Instead of synchronizing the newest configuration to the device-group, you synchronize the configuration from another device in the device-group to the source_system (which effectively undoes your recent change).
- The MCPD daemon restarts on all secondary blades of the source_system.
Impact:
While the MCPD daemon restarts, the blade is offline, and many other BIG-IP daemons need to restart along with MCPD.
-- If the source_system is Active, the load capacity of the system temporarily decreases proportionally to the number of blades restarting. Additionally, if the systems use the min-up-members or HA-Group features, losing a certain number of secondary blades may trigger a failover.
-- If the source_system is Standby, some of the previously mirrored information may become lost as TMM on secondary blades restarts along with MCPD. Should this system later become the Active system, traffic may be impacted by the lack of previously mirrored information.
Workaround:
None.
Fix:
The MCPD daemon no longer restarts on secondary blades after config-sync of APM.
721985 : PAYG License remains inactive as dossier verification fails.
Component: TMOS
Symptoms:
- BIG-IP is deployed in a cloud environment (AWS/Azure/GCE) with PAYG licenses. The license won't activate on the startup.
Conditions:
- There are multiple ways this can happen but all of those come down to user networking issue where the http calls to the cloud metadata service fails.
- This can be a simple routing issue to the metadata service or a firewall issue.
Impact:
As license activation fails, the instance becomes unusable.
Workaround:
User should look at /var/log/ltm to determine the networking issue that is causing the dossier verification failure. This would be typically printed in the following way:
Curl request to metadata service failed with error(<error-code>): '<error-message>'
By resolving this networking error, license activation should succeed.
Fix:
PAYG License remains inactive as dossier verification fails.
721924-2 : bgpd may crash processing extended ASNs
Solution Article: K17264695
Component: TMOS
Symptoms:
Under certain conditions bgpd may crash while processing extended ASNs.
Conditions:
Dynamic routing enabled.
Extended ASP capabilities enabled: bgp extended-asn-cap enabled
Impact:
Dynamic routing disrupted while bgpd restarts.
Fix:
bgpd now processes extended ASNs as expected.
721895 : Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)
Component: Global Traffic Manager (DNS)
Symptoms:
big3d advertises a TLSv1.0 version. Even though big3d requires previously exchanged certificates to validate a connection request, the TLSv1.0 advertisement triggers various vulnerability scanners and is flagged.
Conditions:
Running a vulnerability scanner or other SSL test tool.
Impact:
The scanner or tool reports that big3d might potentially accept a TLSv1.0 connection request (which is considered insecure). Vulnerability scanners then flag the BIG-IP system as vulnerable.
Workaround:
Although there is no workaround, because big3d accepts connections only from clients that match the certificates on the BIG-IP system, the risk is minimal.
In addition, you can deploy firewall rules to accept connections only on port 4353 from know BIG-IP systems.
Fix:
This version adds a db variable for the big3d
big3d.minimum.tls.version. By default the value is 'TLSv1'. You can also specify TLSV1.1 or TLSV1.2 (the setting is case insensitive).
After changing the DB variable, restart big3d. Change the value on all BIG-IP systems that are subject to scans. This includes GTM as well as LTM configurations.
721805 : Traffic Policy edit to datagroup errors on adding ASM disable action
Component: TMOS
Symptoms:
Adding an ASM disable action will trigger a message similar to the following:
transaction failed:010716de:3: Policy '/Common/Drafts/TD180420-07', rule 'test'; target 'asm' action 'disable' does not support parameter of type 'policy'.
Conditions:
Using the GUI to submit a rule with a 'disable asm' action and a condition with datagroup.
Impact:
Cannot create a 'disable asm' action.
Workaround:
Create the rule using tmsh.
Fix:
You can now use the GUI to submit a rule with a 'disable asm' action and a condition with datagroup.
721752-2 : Null char returned in REST for Suggestion with more than MAX_INT occurrences
Component: Application Security Manager
Symptoms:
Unable to view ASM event log details for a majority of violations.
Conditions:
Suggestion with more than MAX_INT (2,147,483,647) occurrences.
Impact:
Null char returned in REST for Suggestion with more than MAX_INT occurrences.
Workaround:
Use the following sql command:
UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647 where occurrence_count < 0;
Fix:
Null char is no longer returned in REST for Suggestion with more than MAX_INT occurrences.
721741-3 : BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
Component: Application Security Manager
Symptoms:
bd log spits this error.
-------
ECARD_POLICY|NOTICE|May 24 04:49:42.035|4143|table.h:2408|IPTableList::del_object key not found in table
ECARD|ERR |May 24 04:49:42.035|4143|table.h:0398|KEY_UPDATE: Failed to REMOVE data will continue to add
-------
Conditions:
Configuring IP Address Exceptions in certain order - w/ and w/o route domain.
Impact:
BD and BD_Agent out-of-sync for IP Address Exception, causes false positives / false negatives
Workaround:
There is no workaround at this time.
Fix:
System no longer generates these false positive/negative log entries.
721740-2 : CPU stats are not correctly recorded when snapshot files have timestamps in the future
Component: TMOS
Symptoms:
One symptom is that a message similar to the following comes out in the log files frequently.
May 24 16:31:53 lusia_60.F5.COM warning merged[6940]: 011b0914:4: No individual CPU information is available.
Merged CPU stats will be 0.
Conditions:
If all of the snapshot stats files have timestamps in the future, CPU stats will not be correctly merged.
Impact:
Frequent error messages in the logs, and incorrect merged CPU stats.
Workaround:
Remove all of the stats snapshot files that have timestamps in the future and restart merged.
Fix:
Merged has been update to correctly deal with the case where all of the stats snapshot file have timestamps in the future, and will correctly merge the CPU stats.
721704-1 : UDP flows are not deleted after subscriber deletion
Component: Policy Enforcement Manager
Symptoms:
UDP flows continue to live till UDP idle time occurs, even after the subscriber is gone and the option for immediate deletion of the flow is enabled.
Conditions:
-- The option to delete flows upon subscriber deletion is enabled.
-- The UDP flow is established with an idle time greater than the re-evaluate timeout.
Impact:
The UDP flows continue to be alive after the required time, but only act to drop the traffic.
Workaround:
To work around this issue:
1. Modify the UDP idle timer to a suitable value.
2. Force delete the UDP flow from CLI.
Fix:
UDP flows are now deleted after subscriber deletion.
721621-1 : Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
Component: Local Traffic Manager
Symptoms:
If an LTM pool is configured with only FQDN members, the DNS server resolves the FQDN to IP addresses that match statically-configured LTM nodes, and the IP address records returned by the DNS server change, an ephemeral pool member may not be added to the pool for the new IP address.
When in this state, if the FQDN template pool member is deleted from the pool, a new ephemeral pool member may be added corresponding to the last IP address record returned by the DNS server.
Conditions:
This may occur when:
1. Static nodes are configured which match addresses that may be returned in the DNS query for a given FQDN name.
2. An FQDN node is created with autopopulate disabled, for an address which may resolve to the same address as one of the static nodes.
3. This FQDN node is added (as a pool member) with autopopulate disabled, to a pool with no other non-FQDN members.
4. The DNS server resolves the FQDN name to an address that matches one of the static nodes.
5. A subsequent DNS query resolves the FQDN name to a different address that matches a different static node.
Impact:
In this case:
-- The original ephemeral member is removed from the pool.
-- A new ephemeral member for the new address may NOT be added to the pool.
-- In this state, if the FQDN template member is deleted from the pool, a new ephemeral member (i.e., the missing ephemeral with new IP address) is re-added to the pool.
Note. This symptom can occur only if the statically-configured node is created prior to an ephemeral pool member being created for the same IP address. If an ephemeral pool member and node are created first, it is not possible to create a statically-configured node or pool member using the same IP address.
Overall, traffic for the affected pool may not be sent to correct pool member (new ephemeral address).
If no other members are defined in the pool, traffic will be interrupted.
Workaround:
This issue can be prevented by:
-- Avoiding configuring a static (non-FQDN) node with an IP address that matches any address that might be returned by the DNS server when resolving the FQDN.
-- Adding a statically-configured pool member to the pool in addition to the FQDN template member.
Once the symptom occurs, recovery is possible by performing either of the following actions:
-- Delete the statically-configured node with the conflicting IP address.
-- Recreate the node using the following procedure:
1. Delete the FQDN template member from the pool.
2. Delete the orphaned ephemeral member from the pool.
3. Re-add the FQDN template member to the pool.
Fix:
When an FQDN pool member address resolves to the same IP address as an existing static node, the corresponding ephemeral pool member is successfully created and deleted as expected, including when the IP address returned by the DNS query changes.
721571-1 : State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade★
Component: Local Traffic Manager
Symptoms:
BIG-IP devices running 12.1.3.x (12.1.3 or a 12.1.3 point release) and 13.x or 14.x software versions in a high-availability (HA) configuration with state mirroring enabled may cause a standby system to produce a TMM core file.
Conditions:
-- The HA configuration is one of the following:
+ The active system is running v12.1.3.x, and the standby system is running v13.x or v14.x, as a result of an in-progress upgrade.
+ The active system is running v13.x or v14.x and the standby system is running v12.1.3.x.
-- State mirroring configured on two or more BIG-IP systems.
-- For VIPRION clusters or VIPRION-based vCMP guests, the systems are configured to mirror 'Between Clusters'.
Impact:
TMM may crash on a standby system during upgrade.
This issue should not disrupt traffic, because the TMM is coring only on the standby unit.
Workaround:
To workaround this issue, disable State Mirroring prior to upgrading, and re-enable it once both devices are running v13.x or v14.x, or complete the upgrade of both devices to v13.x or v14.x.
1. You can disable mirroring using either the GUI or the command line.
1a. In the GUI: -- Set the Primary and Secondary Local Mirror Address configurations to 'None' under Device Management :: Devices :: [Self] device :: Mirroring Configuration.
1b. From the command-line: -- Run the following command:
tmsh modify cm device <name-of-self-device> mirror-ip any6 mirror-secondary-ip any6 && tmsh save sys config
Important: This action results in connection state loss on failover.
2. Once all devices are running the same software version, re-enable state mirroring by re-adding the device mirror IP addresses removed previously.
Note: F5 recommends that BIG-IP systems in HA configurations run with the same software version on all devices.
Fix:
Tmm no longer crashes on a standby device when upgrading from 12.1.3.x.
721570-1 : TMM core when trying to log an unknown subscriber
Solution Article: K20285019
Component: Carrier-Grade NAT
Symptoms:
Using CGNAT or FW-NAT with subscriber-id logging enabled can cause a TMM core when the subscriber ID is unknown.
Conditions:
-- A LSN pool or FW-NAT source translation that has a logging profile with subscriber-id enabled.
-- A PEM profile that allows unknown subscribers.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Config PEM to deny connections from unknown subscribers.
Fix:
The system no longer crashes. It logs 'unknown' for unknown subscribers.
721526-2 : tcpdump fails to write verbose packet data to file
Component: TMOS
Symptoms:
On some BIG-IP platforms, tcpdump is unable to write verbose packet data to a file (e.g., 'tcpdump -nni 2.1:nn -e -vvv -s 0 -w /tmp/dump.pcap').
Conditions:
Use tcpdump with -w and -v options on a front panel interface that is actively sending/receiving traffic.
This occurs on the following hardware:
-- BIG-IP 5000,7000, 10000, i5000, i7000, i10000, i11000, and i15000 platforms.
-- VIPRION B4400, B4300, B2200, and B2100 blades.
Impact:
Cannot use tcpdump to write verbose packet data to file.
Workaround:
There is no workaround at this time.
Fix:
The tcpdump operation is now able to write verbose packet data to file.
721512 : Config tool fails to configure management-ip when default routes exist for both IPv4 and IPv6.
Component: TMOS
Symptoms:
Configuration tool fails to configure management-ip when default routes exist for both IPv4 and IPv6.
Conditions:
This can happen in following two scenarios:
-- A configured IPv4 management-ip that is switched to IPv6.
-- A configured IPv6 management-ip that is switched to IPv4.
Impact:
Cannot successfully change an IPv4 or IPv6 management-ip address using config.
For either of the above cases, if the IP addresses are switched back to IPv4/IPv6, the config tools fails to configure management-ip with this error:
ERROR: route_mgmt_entry count is 2
Workaround:
Manually delete the default6 (if current management-ip is IPv4) or default (if current management-ip is IPv6) management-route by running the following command:
tmsh delete sys management-route <default/default6>
Fix:
Config tool now works to configure management-ip when default routes exist for both IPv4 and IPv6, so you can switch back and forth between IPv4 and IPv6 IP addresses without error.
721474-1 : AVR does not send all SSLO statistics to offbox machine.
Component: Application Visibility and Reporting
Symptoms:
When using the 'use-offbox' option, AVR does not send SSLO statistics to the offbox system.
Conditions:
-- AVR provisioned.
-- Use-offbox is enabled.
Impact:
SSLO statistics are not available for BIG-IQ analytics.
Workaround:
There is no workaround.
Fix:
AVR now sends SSLO statistics to offbox systems when the 'use-offbox' option is enabled.
721399-2 : Signature Set cannot be modified to Accuracy = 'All' after another value
Component: Application Security Manager
Symptoms:
ASM Signature Set cannot be modified to Accuracy = 'All' after another value was used previously.
Conditions:
-- ASM Signature Set has a value set for Accuracy filter.
-- Accuracy is subsequently set to 'All'.
Impact:
The change to Accuracy = 'All' does not take effect. ASM Signature Set cannot be modified to Accuracy = 'All'.
Workaround:
You can use either of the following workarounds:
-- Delete and re-create the Signature Set with the desired value.
-- Modify the filter to a value that will match all results (such as Accuracy is greater than or equal to 'Low').
Fix:
ASM Signature Set can now be set to Accuracy = 'All' after a value was previously set.
721375-1 : Export then import of config with RSA server in it might fail
Component: Access Policy Manager
Symptoms:
If an exported policy configuration contains both an RSA server as well as the RSA-provided sdconf.rec and sdstatus.12 config files, policy import might fail.
Conditions:
-- RSA server and access profile are in the same, non-Common partition.
-- Exported policy contains an RSA server as well as both the RSA-provided sdconf.rec and sdstatus.12 config files.
Impact:
Unable to import the exported configuration. This occurs because of how the names for the files are resolved in the exported configuration.
Workaround:
Although there is no actual workaround, you can avoid this issue if the profile is outside of the partition. That case uses a different name resolution during the export, so import works as expected.
Fix:
You can now successfully import an exported policy containing an RSA server as well as both sdconf.rec and sdstatus.12 files.
721364 : BIG-IP per-application VE BYOL license does not support three wildcard virtual servers
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) admin can create only 1 wildcard virtual servers for per-application BYOL license.
Note: If you are using BIG-IQ 6.0.0 or 6.0.1 to manage AWS-based, per-app BIG-IP VE systems running versions 13.1.0.5 through 13.1.0.8, you must use the following AWS templates:
-- Default-AWS-f5-HTTPS-WAF-lb-template
-- Default-AWS-f5-HTTPS-offload-lb-template
For these two templates, ports 443 and 80 (for HTTP redirect) are hard-coded in an iRule, which enable this functionality.
Conditions:
Per-app VE with BYOL license.
Impact:
Per-app VE with BYOL license does not work as expected.
Workaround:
N/A
Fix:
Per-app VE BYOL license now supports three wildcard virtual servers.
721350-2 : The size of the icrd_child process is steadily growing
Component: TMOS
Symptoms:
The resident segment size (rss) for the icrd_child process continues to increase on issuing iCR GET requests. This increase is permanent and the rss does not drop back to its original size.
Conditions:
The following is an example config under which this issue occurs. Note this is an illustrative example; the actual issue might occur for various config objects.
GET tm/ltm/virtual?expandSubcollections=true wherein the virtual has some profiles associated with it.
ltm pool p-http { }
ltm virtual novel-1000 {
...
pool p-http
profiles {
analytics { }
http { }
tcp { }
}
....
}
# tmctl proc_pid_stat 'proc_name=icrd_child' -s proc_name,ppid,vsize,rss
On subsequent GET requests the rss size continues to increase.
Impact:
Increase in the rss of the icrd_child process. This increase could lead to icrd_child core or swapping of processes into the rss due to limited memory left for other processes.
Workaround:
There is no workaround.
Fix:
The memory leak was identified and fixed.
721342 : No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments.
Component: TMOS
Symptoms:
No Per-App Virtual Edition (VE) LTM or Per-App VE WAF images for various cloud environments.
Conditions:
Various Cloud environments (i.e., Azure, Google, AWS).
Impact:
No options to use various Per-App VE features.
Workaround:
None.
Fix:
There are now offerings for various cloud environments (Azure, Google, AWS). There are two types of Per-App VE LTM and two of Per-App VE WAF images.
721261-1 : v12.x Policy rule names containing slashes are not migrated properly
Component: Local Traffic Manager
Symptoms:
When migrating from v12.x to v13.0.x, 13.1.x, or 14.0.x, LTM polices that have rules containing the slash character will not migrate properly, and roll-forward migration will fail.
Conditions:
-- BIG-IP systems running v12.x.
-- Configuration contains LTM Policy rules whose names include the slash (/) character.
-- Upgrading to v13.0.x, 13.1.x, or 14.0.x.
Impact:
Roll-forward migration fails with the error: illegal characters in rule name.
Workaround:
Edit the rule names within LTM Policies, replacing the now-illegal slash (/) character with a legal alternative, such as the underscore (_).
Alternately, prior to migration, rename the rules on the v12.x system, and then perform the upgrade.
Fix:
BIG-IP software v12.x Policy rule names containing slashes are properly migrated.
721016 : vcmpd fails updating VLAN information on vcmp guest
Component: TMOS
Symptoms:
VLANs are not properly attached to a vCMP guest. They are absent from the VLAN shared memory segment.
In the host /var/log/ltm, this message is observed:
err vcmpd[7839]: 01510004:3: Error updating vlan shm seg: -39
In the guest, these messages are observed:
warning chmand[8827]: 012a0004:4: VcmpShmIntf::querySeg: err code -30
warning chmand[8827]: 012a0004:4: readShmData: vCmpShmIntf: Query segment error
warning chmand[8827]: 012a0004:4: VcmpShmIntf::querySeg: err code -30
Conditions:
-- vCMPd provisioned on a BIG-IP system.
-- vCMP guests deployed.
-- More than 3259 VLANs attached to guests from host.
Impact:
Cannot use newly deployed VLAN in the guest. Running the following command does not show the attached VLANs.
$ tmsh list net vlan in the guest
Workaround:
None.
720961-1 : Upgrading in Intelligence Community AWS environment may fail
Component: TMOS
Symptoms:
After importing an AWS instance into the Intelligence Community (IC) AWS environment you cannot upgrade to 13.1.0.2 (or later) because their license fails to validate afterwards.
Conditions:
-- Manually imported BIG-IP image into AWS IC.
-- Upgraded to 13.1.0.2 or newer.
Impact:
The system fails to validate the license after rebooting into the new software. Licenses are inoperative after the upgrade.
Workaround:
To work around this issue, perform the following procedure:
1. Redeploy a BYOL image from the IC marketplace.
2. Move over the license.
3. Configure the system.
Fix:
This release provides improved license validation to address this situation by detecting the IC environment, but allowing prior licenses to function.
720819-2 : Certain platforms may take longer than expected to detect and recover from HSB lock-ups
Component: TMOS
Symptoms:
In the unlikely event of a HSB lock-up, certain BIG-IP platforms may take longer than expected to detect and recover from the condition.
For instance, it may take several minutes for an affected unit to detect the condition and initiate the predefined failsafe action.
Instead, the recovery mechanism should trigger almost instantaneously.
Conditions:
This issue occurs when all of the following conditions are met:
-- The BIG-IP system is an i56xx/i58xx, i76xx/i78xx, or i106xx/i108xx platform.
-- The HSB locks-up due to a different issue.
Impact:
Traffic is negatively impacted until the BIG-IP system detects and remedies the condition. This might take up to 15 minutes before remedied by a reboot, depending on other traffic being processed.
Workaround:
None.
Fix:
The HSB lock-up is now promptly detected and remedied.
720799-2 : Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
Component: Local Traffic Manager
Symptoms:
When using FQDN pool members, if all ephemeral members are removed and replaced by a DNS query that returns an entirely new set of IP addresses (no overlap with previous DNS query results), all ephemeral pool members are removed before the new ephemeral pool members are created.
This results in a brief moment when there are no ephemeral members (that can receive traffic) in the pool.
Conditions:
A DNS query for the FQDN node in which the pool members belong, returns an entirely new set of IP addresses (no overlap with previous DNS query results).
Impact:
The brief moment during which there are no ephemeral members (that can receive traffic) in the pool can cause a Virtual Server or Virtual Address using that pool to flap.
Workaround:
It is possible to work around this issue by:
1. Adding a pool member with a statically-configured IP address.
2. Including multiple FQDN pool members in the pool, to limit the effect of the ephemeral members changing for a single FQDN pool member.
Fix:
When using FQDN pool members, ephemeral members whose IP addresses are not present in the most DNS query results are not immediately deleted from the pool.
To prevent the brief condition in which there are no ephemeral members in the pool (which can cause a Virtual Server or Virtual Address using that pool to flap), creation of new ephemeral nodes and pool members occurs immediately, but deletion of old new ephemeral nodes and pool members occurs after a delay.
The duration of the delay follows the fqdn 'down-interval' value configured for the associated FQDN template node.
720757-1 : Without proper licenses Category Lookup always fails with license error in Allow Ending
Component: Access Policy Manager
Symptoms:
When a per-request policy's Category Lookup agent queries Standard Categories with an expired SWG/URLF license (and has 'RST on failure' disabled), the execution always ends with the following log messages:
Error: Global concurrent url filter session limit reached
The connection is aborted.
Conditions:
Category Lookup agent set to query the urldb engine (standard categories) with either no SWG/URLF license or an expired license.
Impact:
Even if 'RST on failure' is disabled, traffic cannot reach the allow ending successfully.
Workaround:
Remove the Category Lookup with standard category lookup from the per-request policy if the licenses do not allow for its use.
Fix:
The allow ending is now reached successfully and does not error out if Category Lookup fails due to licensing errors but is set to disable 'RST on failure'.
720756-1 : SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS
Component: TMOS
Symptoms:
The SNMP query for platform marketing name is 'unknown' for i11400-DS/i11600-DS/i11800-DS.
Conditions:
-- On licensed system, check OID marketing name.
-- Using i11400-DS/i11600-DS/i11800-DS platforms.
Impact:
Cannot tell the actual platform name in the SNMP query.
Workaround:
There is no workaround at this time.
Fix:
SNMP platform name is now reported correctly on BIG-IP i11400-DS/i11600-DS/i11800-DS platforms.
720713-2 : TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail
Component: TMOS
Symptoms:
When a BIG-IP iSeries i5800, i7800, or i10800 device is configured as a vCMP host and at least one vCMP guest is running (or ever ran), TMM traffic to the vCMP host may fail.
Note: Management port traffic to/from the device is unaffected.
Note: TMM traffic to/from the vCMP guests running on the device is unaffected. This issue affects only the vCMP host.
The most visible symptom is that TMM on the vCMP host fails to answer ARP requests that it receives for its own Self-IP addresses.
Conditions:
This issue occurs when all of the following conditions apply:
- BIG-IP iSeries i5800, i7800, or i10800 device in vCMP host mode.
- At least one vCMP guest is deployed or was deployed, at some point.
Impact:
Inability to communicate to/from the vCMP host via its Self-IP addresses.
Workaround:
Ensure that the host is running a compatible version of BIG-IP. For more information on supported host/guest versions, see K14088: vCMP host and compatible guest version matrix, available at https://support.f5.com/csp/article/K14088
Fix:
The vCMP host continues to handle traffic correctly once a guest is started.
720695-1 : Export then import of APM access Profile/Policy with advanced customization is failing
Component: Access Policy Manager
Symptoms:
An exported policy containing advanced customization fails to import.
Conditions:
-- Export policy containing advanced customization.
-- Import the same policy.
Impact:
Import fails.
Workaround:
None.
Fix:
Access policy import containing advanced customization now succeeds.
720651-2 : Running Guest Changed to Provisioned Never Stops
Component: TMOS
Symptoms:
After changing a vCMP guest status to provisioned the guest remains running showing a status of stopping.
Conditions:
-- Guests deployed on a BIG-IP VCMP host.
-- Changing the state from deployed to provisioned.
Impact:
Guests do not stop and change status until vcmpd process is restarted.
Workaround:
There is no workaround.
Fix:
The guest now stops when the state is changed from deployed to provisioned.
720610 : Updatecheck logs bogus 'Update Server unavailable' on every run
Component: TMOS
Symptoms:
The updatecheck operation erroneously logs that the Update Server is unavailable on every run, successful or not.
Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.
Impact:
Misleading messages in the log file, implying that the update server is not available.
Workaround:
None.
Fix:
The updatecheck operation no longer logs bogus message.
720585-1 : Signatures generated by Behavioral DOS algorithm can create false-positive signatures
Component: Anomaly Detection Services
Symptoms:
There is probability that the generated signatures will block unknown traffic (the traffic that was not presenting before the attack) even if it's not necessary from service health perspective
Conditions:
Run attack traffic.
In parallel run unknown traffic.
It should exceed the learned baseline together with the good traffic.
Impact:
The signatures may block unknown traffic even if it's not necessary from S/H perspective
Workaround:
There is no workaround at this time.
Fix:
Implement adaptive ratio threshold for covering current bad traffic samples. The ratio increases as long as the health is not good.
If the health returns to good levels (below one) the ratio is restarted to the initial value.
720461-2 : qkview prompts for password on chassis
Component: TMOS
Symptoms:
Qkview prompts for a password when executing getnodedates from the chassis module.
Conditions:
SSH auth keys are missing or corrupted.
Impact:
This blocks collecting qkview.
Workaround:
Edit the /user/bin/getnodedates script and add -oBatchMode=yes for the SSH command as shown in the following example:
$date = `/usr/bin/ssh -q -oBatchMode=yes -oStrictHostKeyChecking=no $ip /bin/date`;
Fix:
The qkview is no longer blocked with a password prompt.
720460-1 : Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly
Component: Local Traffic Manager
Symptoms:
The sys db compression.strategy is used to control the compression-provider selection. When it is set to 'softwareonly', compression somehow still selects a hardware accelerator.
Conditions:
This always happens when compression.strategy is set to 'softwareonly'.
Impact:
Compression.strategy set to 'softwareonly' does not work, and if there is a problem in a hardware accelerator, compression will still select the hardware accelerator, even though software compression is desired.
Workaround:
There is no workaround.
Fix:
The system now supports software compression when the sys db variable compression.strategy is set to 'softwareonly'.
720391-2 : BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'
Component: TMOS
Symptoms:
BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' and 'unknown' when OID sysObjectID is queried.
Conditions:
1. Execute 'tmsh show sys hardware'.
2. Query for OID sysObjectID using snmpwalk.
Impact:
System is reported as 'none', when it should be i7800-D. Platform with dual SSD not correctly identified using tmsh command or snmpwalk.
Workaround:
None.
Fix:
Added new SNMP OID for BIG-IP i7800 Dual SSD, reported as BIG-IP i7800-D, which is the correct designation.
720293-3 : HTTP2 IPv4 to IPv6 fails
Component: Local Traffic Manager
Symptoms:
An IPv4-formatted virtual server with an IPv6-formatted pool member cannot establish the connection to the pool member if HTTP2 is configured.
Conditions:
-- IPv4 virtual Server.
-- IPv6 pool member.
-- HTTP2 profile.
Impact:
Traffic connection does not establish; no traffic passes.
Workaround:
None.
Fix:
In this release, an IPv4-formatted virtual server with an IPv6-formatted pool member works with HTTP2.
720269-2 : TACACS audit logging may append garbage characters to the end of log strings
Component: TMOS
Symptoms:
When using TACACS audit logging, you might see extra 'garbage' characters appended to the end of logging strings.
Conditions:
Using audit forwarding with a remote TACACS server.
Impact:
Confusing log messages. Remote TACACS logging might stop altogether after some time.
Workaround:
There is no workaround at this time.
Fix:
Prevented extra characters from being appended to TACACS audit logs.
720219 : HSL::log command can fail to pick new pool member if last picked member is 'checking'
Solution Article: K13109068
Component: Local Traffic Manager
Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.
Conditions:
-- Using HSL::log command.
-- iRule with a remote high speed logging configured.
Impact:
Failure to send log messages via HSL.
Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.
Fix:
This issue no longer occurs. If a 'down' pool member is picked, it will eventually be bypassed to find an 'up' pool member, if possible.
720214-1 : NTLM Authentication might fail if Strict Update in iApp is modified
Component: Access Policy Manager
Symptoms:
Exchange Proxy NTLM Authentication failure when iApp strict updates is disabled initially and then turned on. NTLM authentication fails with STATUS_NO_LOGON_SERVERS.
Conditions:
The Strict Update option in the iApp is modified.
Impact:
Any service using NTLM authentication will be disrupted.
Workaround:
Restart ECA and NLAD modules to work correctly again. To do so, run the following commands:
bigstart restart nlad
bigstart restart eca
Fix:
NTLM authentication now works as expected when Strict Update in the iApp is modified.
720189-1 : VDI settings in APM Webtop have the incorrect URL for Citrix Receiver client download
Component: Access Policy Manager
Symptoms:
VDI settings have HTML5 package URL instead of Citrix Receiver download link. Hyperlink directs to HTML5 package link.
Conditions:
-- Citrix VDI is configured in Replacement mode.
-- HTML5 package is configured using Citrix client bundle.
-- Citrix HTML5 client bundle is used with Connectivity profile attached to the virtual server.
Impact:
The incorrect package is downloaded to the APM Webtop user.
Workaround:
None.
Fix:
Fixed the hyperlink for Citrix Receiver download in VDI settings of Webtop.
720136-1 : Upgrade may fail on mcpd when external netHSM is used
Component: Local Traffic Manager
Symptoms:
When upgrading from 13.1 to 14.1, there might be deadlock between mcpd and mcpd. "bigstart status pkcs11d" might return
"pkcs11d down, waiting for mcpd to release running semaphore".
Conditions:
Upgrading from 13.1 to 14.1 for BIG-IP with external netHSM enabled.
Impact:
External netHSM is not functional or the whole appliance/blade is not functional.
Workaround:
Try reinstalling external netHSM.
Fix:
The fix broke the circular dependency between mcpd's validation and pkcs11d.
720110-2 : 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.
Component: TMOS
Symptoms:
Neither learned nor default-originate default routes (0.0.0.0/0) are sent to the BGP peer if the BGP peer has terminated the BGP session with TCP FIN, without BGP notify message.
Conditions:
1. BGP session is terminated without BGP notify (just TCP FIN).
2. Either learned (not originated in DUT) and default-originate (originated in DUT) routes are not sent.
Impact:
Default routes are not propagated in the network after the BGP peer restart.
Workaround:
There is no workaround at this time.
Fix:
Default routes are now always sent after the BGP session reset. Consistent behavior between BGP session reset with and without BGP notify message.
720104-1 : BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
Component: TMOS
Symptoms:
BIG-IP i2800/i2600 650W AC PSU is missing marketing name under 'show sys hardware' and displays 'unknown' when OID sysObjectID is queried.
Conditions:
-- Execute 'tmsh show sys hardware'.
-- Query for OID sysObjectID using snmpwalk.
-- Using BIG-IP i2800/i2600 platforms.
Impact:
System reports an empty marketing name when queried. Platform with 650W AC PSU not identified using tmsh command or snmpwalk.
Workaround:
There is no workaround at this time.
Fix:
Added new SNMP OID for BIG-IP i2800/i2600 650W AC PSU.
720045-1 : IP fragmented UDP DNS request and response packets dropped as DNS Malformed
Component: Advanced Firewall Manager
Symptoms:
AFM/DHD treats the IP fragmented UDP DNS packet (request or response) as DNS Malformed packet and drops these packets.
Conditions:
-- AFM/DHD is enabled (provisioned and licensed).
-- DNS Malformed vector is enabled at Device context (by default, it's always enabled).
-- AFM/DHD receives fragmented IP packet for UDP DNS request or response.
Impact:
AFM/DHD incorrectly treats such packets as DNS malformed and drops them.
If AFM/DHD receives any DNS request/response UDP packet that is fragmented at the IP layer, the system drops the packet, interrupting DNS service between client/servers through BIG-IP systems.
Workaround:
None.
Fix:
This issue is now fixed, as follows:
a) For IP fragmented UDP DNS request packet, AFM parses the first IP fragment to retrieve the L4 (UDP) header and DNS header and Question section.
- If this information is available in the first IP fragment, AFM processes the packet for further DoS checks.
- If this information is not available in first IP fragment, AFM drops the fragment as DNS Malformed.
b) For IP fragmented UDP DNS response packet, AFM parses the first IP fragment to retrieve the L4 (UDP) header and DNS header and Question section.
- If this information is available in the first IP fragment, AFM processes the packet for further DOS checks.
- If, however, this information is not available in first IP fragment, default behavior is that AFM allows such fragmented DNS response packet through. This behavior can be changed to drop incomplete IP fragmented DNS response packet by setting db variable 'Dos.dns.respfrag.allow' to 'false'.
719770-2 : tmctl -H -V and -l options without values crashed
Component: TMOS
Symptoms:
When the -H, -V or -l options were passed to tmctl without a following value, then tmctl crashed.
Conditions:
Use one of these options without the required value.
Impact:
Core file. No other impact.
Workaround:
Be sure to pass the required value with these options.
Fix:
The missing value is now reported as an error.
719644-2 : If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★
Component: Global Traffic Manager (DNS)
Symptoms:
When an LTM configuration has virtual server names containing period (.), a GTM configuration with auto-discovery enabled is upgraded from v11.5.x to a later version might lose consistency.
Conditions:
-- Upgrading GTM from v11.5.x to later versions (e.g., BIG-IP DNS v12.x).
-- Auto-discovery is enabled.
-- LTM configuration containing virtual server names containing the period character (.).
-- The same virtual server name is used in multiple partitions.
Impact:
The configuration after the upgrade might be affected in the following ways:
-- Missing virtual servers.
-- Deletion of some pool members.
-- Virtual servers with incorrect addresses.
Workaround:
There is no workaround at this time.
Fix:
This release supports GTM upgrades from 11.x to BIG-IP DNS 12.x and later versions for cases where:
-- Auto-discovery is enabled.
-- LTM virtual server name a period character (.).
-- The same virtual server name is used in multiple partitions.
719600-2 : TCP::collect iRule with L7 policy present may result in connection reset
Component: Local Traffic Manager
Symptoms:
If an iRule utilizing TCP::collect and HTTP_REQUEST is on a virtual server with an L7 policy, the policy engine may cause the connection to be unexpectedly reset with a 'policy execution error' reset cause, and 'Unable to resume pending policy event on connflow' will be logged to /var/log/ltm.
Conditions:
TCP::collect and HTTP_REQUEST iRule with L7 policy on virtual server.
Impact:
Connections may be unexpectedly reset and errors logged to /var/log/ltm.
Workaround:
At the start of the HTTP_REQUEST event, issue an 'after 1' command to allow the policy engine to reach a consistent state before proceeding with the remainder of the iRule.
719597 : HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0
Component: TMOS
Symptoms:
When two VIPRION chassis with B2250 blades try to form a high availability (HA) connection, with one running v12.1.1 and the other running v13.1.0, HA connections between TMMs on Active and TMMs on Standby might fail.
Conditions:
-- Two VIPRION chassis with B2250 blades.
-- One blade running v12.1.1 and the other running v13.1.0.
-- Try to configure HA connection.
Impact:
Fail to form HA connection.
Workaround:
There is no workaround other than installing the same software on both blades.
Fix:
A new sys db mhdag.bitshift is added to support HA configurations using B2250 blades running v12.1.1 and v13.1.x. Set mhdag.bitshift to 5 on VIPRION chassis with B2250 blades running v13.1.x by running the following command: tmsh modify sys db mhdag.bitshift value 5
HA between VIPRION chassis running v12.1.1 and v13.1.x with B2250 blades now works as expected.
719589-3 : GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic
Component: Access Policy Manager
Symptoms:
GUI and CLI category lookup test tool (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup) can return different categories compared to the actual data-plane traffic
Conditions:
Access Policy, Secure Web Gateway : Database Settings : URL Category Lookup or command line lookup using 'urldb -c' construction.
Impact:
Some websites may be categorized differently depending on whether or not the IP is passed in. Correct category may not be returned.
Workaround:
None.
719554-2 : Linux Kernel Vulnerability: CVE-2018-8897
Solution Article: K17403481
719459-2 : Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled
Component: Application Security Manager
Symptoms:
Policy builder suggests adding already existing URLs (as HTTPS) learned from response.
Conditions:
-- Differentiate HTTP and HTTPS URLs is disabled.
-- Learn-from response is enabled.
-- Server responses contain HTTPS links for HTTP requests instead of using protocol-relative URLs.
Impact:
This is a cosmetic issue in that incorrect suggestions are created. There is no impact to functionality.
Workaround:
Add the incorrect suggestions to the 'ignore' list.
Fix:
Policy builder no longer creates suggestions to add already existing URLs.
719396-1 : DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.
Solution Article: K34339214
Component: TMOS
Symptoms:
DHCP Client on the BIG-IP system sends host-name 'localhost' in DISCOVER packet after first boot.
Note: The problem goes away after the first boot.
Conditions:
-- DHCP is enabled (this is the default on BIG-IP systems).
-- Initial startup.
Impact:
This can affect the lease given out by the DHCP server in the given network if the DHCP server is configured in such a way as to dynamically update the DNS based on the host-name option in the lease.
Workaround:
-- Empty the /var/lib/dhclient/dhclient.leases file.
-- Run the following command: bigstart restart dhclient
Fix:
DHCP Client on the BIG-IP system no longer sends 'localhost' as the host-name in DISCOVER packet after first boot.
719304-2 : Inconsistent node ICMP monitor operation for IPv6 nodes
Component: Local Traffic Manager
Symptoms:
While running ping from different blades in a multi-blade environment, pings fail from blades that do not have the tmm that is responsible for pinging the node.
Conditions:
The blade that does not contain the owning tmm is responsible for the node monitors.
Impact:
The node will be incorrectly marked as being unavailable/down.
Workaround:
You can use the following workarounds:
-- Statically assign the NDP entries.
-- Set the route to a gateway that has a non-zero host portion in the address.
719247-2 : HTTP::path and HTTP::query iRule functions cannot be set to a blank string
Solution Article: K10845686
Component: Local Traffic Manager
Symptoms:
The HTTP::path and HTTP::query iRule functions generate an error if called with an argument that is a blank string, resulting in connection termination.
Conditions:
In an iRule where the argument is a blank string:
HTTP::path ""
HTTP::query ""
Impact:
Error encountered while executing iRule "HTTP::query $blank", and the connection is terminated with an error in the logs similar to the following:
-- err tmm[17219]: 01220001:3: TCL error: /Common/ir_1-4045405141_query <HTTP_REQUEST>
Workaround:
To set HTTP::query to blank, use the following function:
HTTP::uri [HTTP::path]
To set HTTP::path to blank, use the following function:
HTTP::uri [HTTP::query]
Fix:
HTTP::path and HTTP::query iRule functions now accept blank string arguments.
719192 : In VPE Agent VMware View Policy shows no properties
Component: Access Policy Manager
Symptoms:
When opened in Visual Policy Editor (VPE) VMware View, the policy shows an empty properties page instead of the expected policy options.
Conditions:
Open a policy in VPE VMware View.
Impact:
Unable to configure VMware view policy from VPE.
Workaround:
Use tmsh to configure VMware View policies.
Fix:
Properties are now displayed correctly in Visual Policy Editor (VPE) VMware View.
719186-2 : Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts
Component: Fraud Protection Services
Symptoms:
Multipart/form-data requests are not supported in FPS. FPS-protected pages which have the enhanced data-manipulation feature enabled, may generate a false-positive 'missing strong integrity parameter' alert for multipart/form-data requests.
Conditions:
-- FPS profile attached to a virtual server.
-- Multipart/form-data requests to a URL.
-- Enhanced data-manipulation feature enabled on a protected URL.
Impact:
False-positive 'missing strong integrity parameter' alert.
Workaround:
Use the ANTIFRAUD::disable_alert iRule command to drop the alert:
(set the static::drop_alert variable, probably matching URL name and checking that Content-Type header starts with 'multipart/form-data')
when ANTIFRAUD_ALERT {
if {$static::drop_alert eq 1 &&
[ANTIFRAUD::alert_type] eq "vtoken" &&
[ANTIFRAUD::alert_component] eq "no_strong_integrity_param" } {
ANTIFRAUD::disable_alert
set static::drop_alert 0
}
}
Fix:
FPS no longer sends automatic-transaction alerts for unsupported requests, so multipart/form-data requests no longer generate false positive 'missing strong integrity parameter' alerts.
719149-2 : VDI plugin might hang while processing native RDP connections
Component: Access Policy Manager
Symptoms:
Rarely, during processing of native RDP connections, the VDI plugin might hang, which prevents launch of VDI resources (Native RDP, Citrix, VMware View) from the APM Webtop.
Conditions:
APM Webtop is configured with native RDP resource.
Impact:
VDI resources (Native RDP, Citrix, VMware View) cannot be launched from APM Webtop.
Workaround:
None.
Fix:
Fixed rare VDI plugin hang caused by processing of native RDP connections.
719079-1 : Portal Access: same-origin AJAX request may fail under some conditions.
Component: Access Policy Manager
Symptoms:
Portal Access may reject response to same-origin AJAX request if host names in request and its origin differ in case.
Conditions:
Same-origin AJAX request with a host name whose case differs from the case of the origin page's host name, for example:
Request page: https://example.com/some/file
Page with URL: https://Example.com/origin/page.html
Impact:
Web application may not work correctly.
Workaround:
Use an iRule to remove 'F5_origin' parameter from the AJAX requests, for example:
when HTTP_REQUEST {
if { [ HTTP::path ] contains "/iNotes/Forms9.nsf/iNotes/Proxy/" and [ HTTP::query ] contains "F5_origin=" } {
regsub {F5_origin=[0-9a-f]+&F5CH=I} [ HTTP::query ] {F5CH=I} query
HTTP::query $query
}
}
Fix:
Now Portal Access handles same-origin AJAX requests correctly when host name case differs from the host name of origin page.
719005-1 : Login request may arrive corrupted to the backend server after CAPTCHA or CSID mitigation
Component: Application Security Manager
Symptoms:
Login request arrives corrupted (specifically, some of the characters in the payload are changed).
Conditions:
-- A brute force CAPTCHA or CSID mitigation happens.
-- Specific traffic conditions.
Impact:
Login request fails.
Workaround:
None.
Fix:
CAPTCHA or CSID request-handling now works as expected.
718885-3 : Under certain conditions, monitor probes may not be sent at the configured interval
Solution Article: K25348242
Component: Global Traffic Manager (DNS)
Symptoms:
When sufficient resources are configured with the same monitor interval, and the monitor timeout value is no more than two times the monitor interval, the monitored resource may be marked as unavailable (due to a timeout) then immediately changed to available.
Conditions:
Monitor interval is lower than the number of resources configured with the same monitor interval.
Impact:
Monitor probes are not consistently performed at the configured interval.
Workaround:
Set the monitor interval to a value greater than the number of resources monitored using that same interval value.
The key to this workaround is to ensure that the sum of the resources monitored at a given interval is not greater than the interval. That can be accomplished several ways depending on your configuration and requirements.
For example, if the monitoring interval is 30 seconds and there are 40 different monitors with a 30-second interval and each monitor is assigned to exactly one resource, there are at least two options:
-- Change the interval for 10 of the monitors to a different value.
-- Set the monitor interval to 40.
Note: If you change the monitor interval, make sure to also change the timeout value to follow best practices:
timeout value = (3 x interval) + 1.
Fix:
Monitoring is now consistently performed at the configured interval regardless of the number of resources with the same monitor interval.
718817-2 : Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.
Component: TMOS
Symptoms:
Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest fails due to a race condition.
There are log entries in /var/log/liveinstall.log:
-- error: status 256 returned by command: F5_INSTALL_SESSION_TYPE=install tmsh -f save sys ucs /var/tmp/kRf24pKXTQ.ucs.
-- info: tar: config/.ucs_base_mac: Cannot stat: No such file or directory.
-- info: Unexpected Error: UCS saving process failed.
Conditions:
-- Installing onto secondary VIPRION blade or onto VIPRION-based vCMP guest.
Impact:
Software installation fails.
Workaround:
You can use either workaround:
-- Add 'ignore .ucs_base_mac' to the 'monitor dir /config' stanza in /etc/csyncd.conf on all blades, and then restart csyncd on all blades by running "clsh bigstart restart csyncd"
-- Retry the installation until it succeeds.
718772-2 : The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists)
Component: Anomaly Detection Services
Symptoms:
The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists).
Conditions:
Attack with traffic with 'unknown' header, for example
'Upgrade-Insecure-Requests: 1'.
Impact:
In the GUI, when the signature with the predicate 'unknown_header' is edited, this predicate is empty (instead of exists / does not exist).
Workaround:
There is no workaround.
Fix:
1. Change 'http.unknown_header' predicate into 'http.unknown_header_exists'.
2. Keep supporting the old format 'http.unknown_header'.
718685-1 : The measured number of pending requests is two times higher than actual one
Component: Anomaly Detection Services
Symptoms:
The measured number of pending requests is two times higher than actual.
Conditions:
Virtual server configured with a Behavioral DoS profile.
Impact:
Server stress mechanism is more sensitive than planned. A temporary traffic spike can cause unnecessary DoS mitigation start.
Note: The admd process provides stress-based DoS detection and mitigation control. When admd is not running, there is no stress-based anomaly detection or behavioral statistics aggregation.
Workaround:
Modify the adm.health.sensitivity value.
For example, to change health sensitivity from 50 to 500, run the following command:
tmsh modify sys db adm.health.sensitivity value 500
Fix:
Fixed initial adm flow sampling, so that the measured number of pending requests now equals actual.
718655 : DNS profile measurement unit name is incorrect.
Component: Application Visibility and Reporting
Symptoms:
DNS profile statistics values are incorrect.
Conditions:
DNS profile statistics are collected and reported using the following command:
tmsh show analytics dns-profile report view-by vs-name/name measures { measures-list}
Impact:
Unexpected values are reported. Although the values are correct, the metric label is misleading. The values reported do not match individual totals, but rather the average/second over the data range, for example, when the statistics collected represent 3000 requests in 600 seconds, the system reports the following values:
/Common/test-dns | 10.00
_listener | 0.00
A more accurate label for each metric is 'average_<metric_name>', as follows:
average_per_second_/Common/test-dns | 10.00
average_per_second__listener | 0.00
Workaround:
None.
Fix:
In this release, the values for DNS profile statistics are more accurately labeled.
718525-1 : PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting
Component: TMOS
Symptoms:
After removing the mcpd binary database and restarting, occasionally there are errors similar to the following in /var/log/ltm:
warning postgres[7663]: [3-1] ERROR: duplicate key value violates unique constraint "vlan_pkey"
(The object type may be something other than 'vlan_pkey'.)
Conditions:
This occurs when you remove the mcpd binary database and reboot the system.
Impact:
The configuration does not load until 'bigstart restart' is executed.
Workaround:
None.
Fix:
The 'duplicate key value' errors are no longer seen when removing the mcpd binary database and restarting.
718405-1 : RSA signature PAYLOAD_AUTH mismatch with certificates
Component: TMOS
Symptoms:
IPsec IKEv2 negotiation with other vendors may fail to establish tunnels when certificate authentication is configured, using either RSA signature or DSS.
The value of PAYLOAD_AUTH does not match when the BIG-IP system compares it with what the remote peer sends. The same certificate works when the BIG-IP system is the initiator, but not when another vendor is the initiator.
Conditions:
Interoperating with other vendors under IKEv2 while using certificates.
Impact:
IKEv2 tunnels fail to establish, failing the second IKE_AUTH exchange in the protocol.
Workaround:
Use pre-shared key authentication.
Fix:
BIG-IP systems now correctly build -- and verify -- AUTH payloads for RSA signatures and DSS, which should match other vendors and succeed, resulting in IKEv2 tunnels being created using certificates.
The DSS signature is no longer DER encoded, and the RSA signature now includes the 15-byte DER prefix (mandated by RFC3447, page 42) before the 20-byte SHA1 digest is signed by RSA.
718397-1 : IKEv2: racoon2 appends spurious trailing null byte to ID payloads
Component: TMOS
Symptoms:
IPsec clients implementing RFC5996 correctly cannot interoperate with the BIG-IP system when the peers-id-type is anything other than address, because racoon2 inside BIG-IP appends a null byte to any string-based ID type (for both peers_id and my_id). This makes the IKE_AUTH exchange fail, usually because the ID_I from the initiator cannot match the peers-id-value in config for that ike-peer, because there is a one-byte difference between the compared strings.
Conditions:
When any non-BIG-IP client initiates an IKE negotiation using any id-type that is not IPv4 or IPv6. In particular, fqdn and asn1dn for peers-id-type in local BIG-IP configurations.
Impact:
IKE negotiation fails during the second IKE_AUTH exchange of messages, preventing any tunnel from being established. Outage with a non-BIG-IP client is permanent until the config is changed to use peers-id-type=address.
Workaround:
Use peers-id-type=address to interoperate with non-BIG-IP clients for IPsec.
Fix:
Because RFC5996 forbids trailing null bytes in ID payloads, the BIG-IP software was actually not compliant with the RFC by encoding payloads this way itself. It only worked because both initiator and responder did the same thing. Now the BIG-IP software does not add the extra trailing null byte into ID payloads and local ID values, so the BIG-IP system can accept IKE_AUTH messages from non-BIG-IP clients.
Note: this fix creates an incompatibility with previous BIG-IP version when peers-id-type is any other type than address.
718210-2 : Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused
Component: Local Traffic Manager
Symptoms:
In very rare circumstances, connections that use virtual targeting virtual server and time-wait recycle result in a connection being improperly reused.
Conditions:
Virtual server targeting virtual server (usually occurs in an iRule) with time-wait recycle being used on the virtual server's TCP profile.
Note: This is the default value, so any virtual servers defined internally are using it.
Impact:
A connection might be reused even though it is a new one. TMM can crash and restart. Traffic disrupted while tmm restarts.
Note: This is an extremely rare issue.
Workaround:
None.
Fix:
This issue has been fixed.
718152 : ASM GUI request log does not load on cluster
Solution Article: K14591455
Component: Application Security Manager
Symptoms:
The ASM Request Log fails to load, and it keeps reading 'Loading Requests Log...'.
'Security :: Event Logs :: Application :: Requests'.
Conditions:
-- Any cluster device (vCMP or not), even if there is a single blade in use.
-- Running BIG-IP v13.1.0.4, v13.1.0.5, v13.1.0.6, or v13.1.0.7. (Other releases are not affected.)
Impact:
Cannot view the Request Log in the GUI.
Workaround:
None
Fix:
The ASM request log can now be loaded correctly on cluster devices.
718136-2 : 32-bit F5 VPN and Endpoint Inspector apps are discontinued on Linux
Component: Access Policy Manager
Symptoms:
32-bit F5 VPN and Endpoint Inspector apps are not available for new installation or update on Linux.
Conditions:
Use a browser (Mozilla Firefox or Google Chrome) to establish network access (VPN) for 32-bit F5 VPN and Endpoint Inspector apps.
Impact:
APM end user cannot establish network access (VPN) on 32-bit Linux using a browser. APM does not offer 32-bit F5 VPN and Endpoint Inspector apps for installations or update.
Workaround:
Use 32-bit CLI VPN client.
Fix:
Because of increased size, low usage, and industry trends, F5 has discontinued support of the desktop Linux 32-bit VPN and Endpoint Inspection apps.
718071-1 : HTTP2 with ASM policy not passing traffic
Component: Local Traffic Manager
Symptoms:
HTTP2 traffic does not pass traffic if an ASM policy is applied.
Conditions:
-- HTTP2 virtual server.
-- ASM policy applied.
Impact:
Traffic does not pass.
Workaround:
No workaround.
Fix:
HTTP2 and ASM now work correctly together.
717909 : tmm can abort on sPVA flush if the HSB flush does not succeed
Component: Advanced Firewall Manager
Symptoms:
When the BIG-IP system comes up, or when tmm/dwbld/iprepd restarts, tmm does a flush of sPVA. If the operation does not succeed, the system can wait for 10 seconds, which might cause an abort due to heartbeat failure. tmm crash
Conditions:
-- BIG-IP system comes up, or tmm/dwbld/iprepd restart.
-- HSB flush does not succeed within ~3 seconds (it is supposed to succeed within ~3 seconds unless something is wrong with the HSB).
Impact:
tmm will have to be restarted. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
The system now checks asynchronously to determine whether or not the flush sPVA has succeeded.
717900-2 : TMM crash while processing APM data
Solution Article: K27044729
717896-2 : Monitor instances deleted in peer unit after sync
Component: Local Traffic Manager
Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.
During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.
Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.
Impact:
After incremental-sync, a single monitor instance exists for the node on a 'backup' unit in an HA configuration, rather than the several monitor instances that exist for that node on the 'active' unit; and that node session is 'enabled' (where the 'from-node' was 'disabled); and that node status may be 'up' (where the 'from-node' was 'user-down'), and later transition to 'down' from a monitor-fail.
Thus, after incremental-sync, the target-node may then be 'down', while the active unit in the HA configuration continues to function as expected.
Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.
Fix:
An incremental-sync from a modified-node that was set to 'user-down' successfully replicates the several monitor instances on that node to the target-node on the backup device in an HA configuration.
717888 : TMM may leak memory when a virtual server uses the MQTT profile.
Solution Article: K26583415
717832 : Remove unneeded files from UCS backup directories
Component: TMOS
Symptoms:
When using auto scale cloud formation templates, the system creates large bigip.ucs files that require additional storage space.
Conditions:
Deploy BIG-IP as part of auto scale cloud formation template (CFT).
Impact:
Large bigip.ucs file created requires additional storage space and might increase network traffic. (Size greater than 100 MB.)
Workaround:
Delete /config/cloud/* directories from the bigip.ucs file.
Fix:
This system no longer saves /config/cloud/ directories in UCS files, so the issue no longer occurs.
717785-1 : Interface-cos shows no egress stats for CoS configurations
Component: TMOS
Symptoms:
No egress packet counts per CoS queue are reported on B21x0 and 5x00/7x00 platforms. The issue affects the egress packet statistics reporting per CoS queue only. The operation of the CoS feature is not affected and the egress packets statistics reporting per external interface is also not affected.
Conditions:
-- Valid 8 HW CoS feature configuration has been enabled and passing traffic.
-- BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.
-- Running the show net interface-cos command.
Impact:
Egress packet statistics reported per CoS queue shows no counts.
Workaround:
None.
Fix:
This release supports per egress CoS queue packet count statistics reporting for BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.
717756-2 : High CPU usage from asm_config_server
Component: Application Security Manager
Symptoms:
Use of Automatic policy builder might result in high CPU usage of asm_config_server (and ASM slowdown).
Conditions:
- Automatic policy builder.
- Several entity types learning in 'Add all entities' configuration.
Impact:
ASM availability impacted.
Workaround:
-- Switch to Manual policy builder.
-- Set entity types learning to compact / selective / never.
Fix:
Policy builder no longer puts unnecessary load on ASM configurations.
717742-5 : Oracle Java SE vulnerability CVE-2018-2783
Solution Article: K44923228
717525-1 : Behavior for classification in manual learning mode
Component: Application Security Manager
Symptoms:
- Extractions are added to parameters in manual mode.
- In manual learning mode on 'fallback to default' URL classification is not ended properly (resulting in repetitive audit log attempts to end URL classification).
- In manual learning mode on 'fallback to default', parameter staging is set to true.
- The system writes errors to pabnagd.log.
Conditions:
- Manual learning mode.
- Classification is on for either parameters or URLs.
- Any option of 'Learn Dynamic Parameters' is turned on (even if checkbox is disabled).
Impact:
- URL content types are not enforced in manual mode.
- Parameters are getting staged automatically in manual mode.
- Parameters are classified as dynamic (value type).
- Extractions are added to dynamic parameters
Workaround:
- Update the URLs manually (any update will take them out of classification).
- Manually unstage parameters with 'fallback to default'.
- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').
Fix:
- URLs end classification successfully on 'fallback to default' in manual mode.
- Parameters staging is not changed on 'fallback to default' in manual mode.
- Parameters are not classified as dynamic in manual mode.
- Extractions are not added to dynamic parameters in manual mode.
- No errors in pabnagd.log.
717346-2 : [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
Solution Article: K13040347
Component: Local Traffic Manager
Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.
Conditions:
Rarely occurring, unstable network could be one of the reasons.
Impact:
Cannot use stats for troubleshooting.
Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket
717113-2 : It is possible to add the same GSLB Pool monitor multiple times
Component: Global Traffic Manager (DNS)
Symptoms:
After adding a monitor in the Web GUI and updating, the monitor does not get removed from the Available list and can be added again.
Conditions:
This issue affects the GSLB Pool create and properties pages.
Impact:
The impact is only for those adding the monitor. No extra system resources are used when adding multiple identical monitors to a pool.
Workaround:
None.
Fix:
Once a monitor is added via the Web GUI, that monitor is now removed from the Available list.
717100-3 : FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
Component: Local Traffic Manager
Symptoms:
FQDN ephemeral pool members and corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.
The missing FQDN ephemeral pool members may be created an hour after initial operations.
Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.
Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members, and any virtual servers using that pool to fail to pass traffic.
Workaround:
The following steps, alone or in combination, may help avoid this issue:
1. Avoid rapid creation of multiple FQDN template pool members (such as by creating multiple in a single tmsh CLI transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.
Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.
In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).
Fix:
Ephemeral pool members are now created for each pool under these conditions.
716992-2 : The ASM bd process may crash
Solution Article: K75432956
716952-2 : With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process complete.
Component: Local Traffic Manager
Symptoms:
When TCP Nagle enabled, the data sent from server is handled by the SSL filter to offload data processing. The SSL filter forwards the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message to TCP4 filter. Because Nagle is enabled, this leaves the last offloaded packet 'stuck' in the TCP4 filter.
Conditions:
-- Nagle is enabled.
-- SSL filter is in the chain.
Impact:
The last data packet waits until all other packets have been ACKd.
Workaround:
None.
Fix:
SSL filter now holds the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message if an offloaded data packet is still in progress.
716940-2 : Traffic Learning screen graphs shows data for the last day only
Component: Application Security Manager
Symptoms:
Traffic Learning screen graphs shows data for the last day only.
Conditions:
Visit Learning screen 1 hour after policy creation.
Impact:
Statistics shown are for the last day. No statistics for longer or for shorter periods of time.
Workaround:
There is no workaround.
Fix:
Statistics are shown for the correct time interval, at most 2 weeks/policy creation date. Possible statistics intervals are as follows: 1 hour, 1 day, 2 weeks.
716922-2 : Reduction in PUSH flags when Nagle Enabled
Component: Local Traffic Manager
Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.
Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.
Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.
Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.
Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.
Mote: To take advantage of some of the Nagle benefits, use 'Auto'.
Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.
716900-2 : TMM core when using MPTCP
Solution Article: K91026261
716788-2 : TMM may crash while response modifications are being performed within DoSL7 filter
Component: Application Security Manager
Symptoms:
TMM might crash when a response is modified by the DoSL7 filter while injecting an HTML response from a backend server.
Conditions:
-- ASM provisioned.
-- DoS application profile is attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts, failover may occur.
Workaround:
There is no workaround other than to remove the DoS application profile from the virtual server.
Fix:
Response modification handler has been modified so that this issue no longer occurs.
716782-2 : AVR should add new field to the events it sends: Microtimestamp
Component: Application Visibility and Reporting
Symptoms:
When AVR sends events to 'offbox' devices, the time stamp it uses is in seconds resolution.
Conditions:
Viewing AVR events in external logs.
Impact:
Measurement is in seconds.
Workaround:
None.
Fix:
This release adds a Microtimestamp field for AVR events (external log only).
716747-2 : TMM my crash while processing APM or SWG traffic
Component: Access Policy Manager
Symptoms:
Under certain circumstances, TMM may crash when processing APM or SWG.
There will be a log message in /var/log/apm near the time of crash with this:
err tmm[20598]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_initiate_swgt_policy_done, Line: 17000.
Conditions:
APM or SWG enabled.
Impact:
TMM crash, leading to a failover event.
Workaround:
There is no workaround at this time.
Fix:
TMM now processes APM and SWG traffic as expected.
716746 : Possible tmm restart when disabling single endpoint vector while attack is ongoing
Component: Advanced Firewall Manager
Symptoms:
tmm restarts.
Conditions:
-- AFM DoS single endpoint (sweep or flood) vector is configured.
-- The attack is ongoing.
-- The attack vector is being mitigated in hardware (HW).
-- The vector is manually disabled.
Impact:
tmm can crash and restart. Traffic disrupted while tmm restarts.
Workaround:
If you do not want to mitigate, set the mitigation_threshold to infinite.
Note: Do not disable the single endpoint vectors when an attack is ongoing and the vector is being mitigated in HW.
Fix:
tmm no longer restarts when disabling single endpoint vector while an attack is ongoing.
716716-2 : Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
Component: Local Traffic Manager
Symptoms:
TMM cores when the system has a kernel route configured, but no matching TMM route.
Conditions:
The scenario that can lead to this state is unknown.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
Either remove the kernel route, or add a matching TMM route.
Fix:
This release prevents the core that occurred when the kernel has a route that has no corresponding TMM route.
716714-1 : OCSP should be configured to avoid TMM crash.
Component: Local Traffic Manager
Symptoms:
TMM generates a core if OCSP is not configured in the SSL profile.
Conditions:
OCSP not configured in the SSL profile.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than configuring OCSP in SSL profiles.
Fix:
In this release, TMM skips processing OCSP if it is not enabled.
716469 : OpenSSL 1.0.1l fails with 512 bit DSA keys
Component: TMOS
Symptoms:
In certain cases with FIPS enabled the box would fail to boot because of attempts to use 512 bit DSA keys.
Conditions:
During BIG-IP booting and fips is enabled.
Impact:
BIG-IP failed to boot.
Workaround:
There is no workaround at this time.
Fix:
Boot will no longer fail with OpenSSL and 512 bit DSA keys.
716392-1 : Support for 24 vCMP guests on a single 4450 blade
Component: TMOS
Symptoms:
Cannot create more than 12 vCMP guests per blade.
Conditions:
-- Using vCMP.
-- VIPRION blades.
Impact:
Cannot configure more than 12 vCMP guests.
Workaround:
None.
Fix:
This release supports 24 vCMP guests on 4450 blades. Increased vCMP density ensures that all guests can access the hardware capabilities available from the BIG-IP platforms and VIPRION blades.
Behavior Change:
This release supports 24 vCMP guests on VIPRION 4450 blades. Increased vCMP density ensures that all guests can access the hardware capabilities available from BIG-IP platforms and VIPRION blades.
716391-2 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation
Solution Article: K76031538
Component: TMOS
Symptoms:
vCMP guest with only 2 cores (or 2 cores per blade for multi-blade guests) may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.
Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores (or 2 cores per blade for multi-blade vCMP guests).
-- A module using MySQL is provisioned, MySQL, for example BIG-IP ASM and BIG-IP Analytics (AVR). These other modules also implicitly provision AVR: ASM, AFM, DOS, APM, PEM, and vCMP.
Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.
Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.
716318-2 : Engine/Signatures automatic update check may fail to find/download the latest update
Component: Fraud Protection Services
Symptoms:
Engine/Signatures automatic update check may fail to find/download the latest update if the timestamp of the factory update file is later than the timestamp of the update file in downloads.f5.com.
Note: This issue is relevant only for engineering hotfixes.
Conditions:
This occurs when the following conditions are met:
-- Engineering hotfix.
-- The factory update file timestamp is later than the timestamp of the update file in downloads.f5.com.
Impact:
Automatic update check will detect the wrong update file.
Workaround:
Manually check, and then download and install the update file from downloads.f5.com, if needed.
Fix:
The factory update file timestamp is now set to 0, unless there is a reason to install the factory file over the current update file in downloads.f5.com.
716213-1 : BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
Component: Local Traffic Manager
Symptoms:
When APM connects to Active Directory Federation Services (ADFS), a blank page is observed. The log file /var/log/ltm exhibits a TCP reset issued by the BIG-IP system. The TCP capture informs that the issue is due to an out-of-bounds error that occurs when traffic gets parsed by the SSL Persistence Parser (SSID).
Conditions:
-- SSL persistence (SSID) is enabled for a virtual host.
-- APM connects to ADFS.
Impact:
A blank page is observed due to the TCP reset.
Workaround:
No workaround is available.
Fix:
The SSL persistence parser now validates the handshake message data-bytes are available prior to fetching them, so the bounds error does not get raised.
716166-4 : Dynamic routing not added when conflicting self IPs exist
Component: TMOS
Symptoms:
Missing dynamic route in dynamic routing daemon as shown via 'show ip route'.
Conditions:
When a self IP host address is the same as the network address of the dynamic route being propagated. For example: self IP 10.10.10.0/31 versus dynamic route 10.10.10.0/24; or 10.10.0.0/24 versus dynamic route 10.10.0.0/16.
Impact:
Propagation of the dynamic route to the kernel, TMM.
Workaround:
There is no workaround other than not creating self IPs on the network address of a prefix.
715923-1 : When processing TLS traffic TMM may terminate connections unexpectedly
Solution Article: K43625118
715883 : Tmm crash due to invalid cookie attribute
Component: Local Traffic Manager
Symptoms:
Tmm crash due to invalid request-side cookie attribute.
Conditions:
While processing an HTTP request, an iRule tries to add a cookie attribute to a cookie that is only valid in an HTTP response (for instance, an 'expires' attribute).
Impact:
TMM cored. Traffic disrupted while tmm restarts.
Workaround:
None.
715820-1 : vCMP in HA configuration with VIPRION chassis might cause unstable data plane
Component: TMOS
Symptoms:
When multiple vCMP guests are deployed in a high availability (HA) with VIPRION chassis, the data plane cluster might become unstable. When this issue occurs, the system posts repeated log messages in /var/log/ltm similar to the following:
-- CDP: exceeded 1/2 timeout for PG 3
Conditions:
-- Multiple vCMP guests are deployed.
-- HA configured.
-- Using VIPRION chassis.
Impact:
Unstable data plane might cause traffic disruption/packet drops.
Workaround:
None.
Fix:
This issue no longer occurs.
715785-2 : Incorrect encryption error for monitors during sync or upgrade
Component: Local Traffic Manager
Symptoms:
The system logs an error message similar to the following in /var/log/ltm:
err mcpd[6823]: 01071768:3: Encryption of the field (password) for object (<monitor name>) failed.
This may cause a configuration sync to fail, or an upgrade to fail.
Conditions:
The exact conditions are unknown, however it may occur under these circumstances:
-- Performing a config sync operation.
-- Performing an upgrade.
Impact:
Inability to sync peer devices, or an inability to upgrade.
Workaround:
There is no workaround at this time.
Fix:
This error is no longer triggered erroneously.
715756-2 : Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only
Component: Local Traffic Manager
Symptoms:
When filesystems critical to TMOS functional operation are mounted read-only, clusterd on that blade should trigger a primary election if it was primary. Either way, the cluster should be informed of this critical error state.
Conditions:
A critical filesystem (e.g., '/', '/var', '/var/run', '/config', '/shared') has been mounted read-only.
Impact:
The blade with read-only filesystems and degraded functionality might stay primary and claim to be passing traffic.
Workaround:
There is no workaround other than to avoid mounting filesystems read-only on a BIG-IP system.
Fix:
The blade with read-only filesystems and degraded functionality now yields primaryship to a more healthy cluster member.
715750-2 : The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.
Solution Article: K41515225
Component: Local Traffic Manager
Symptoms:
Upon receiving a FIN midstream in an SSL connection, the BIG-IP system will immediately proxy the FIN to the remote host on the peer side. At this point, depending on the specific configuration of the remote host on the peer side, the BIG-IP system may exhibit behaviors that may be deemed undesirable.
For instance, if the remote host on the peer side acknowledges the FIN but ignores it and keeps sending data to the BIG-IP system, the BIG-IP system will drop all ingress data (i.e., not proxy it) while keeping the side that transmitted the original FIN open indefinitely.
Once the remote host on the peer side completes transmitting data and sends a FIN of its own, the BIG-IP system will finally release the side that sent the original FIN by allowing it to close.
Conditions:
This issue occurs when the following conditions are met:
-- A standard virtual server with the clientssl and serverssl profiles in use.
-- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.
Impact:
There is no real impact to the BIG-IP system because of this issue. However, both the client and the server can be negatively impacted by this issue.
For example, if the original FIN was received by the BIG-IP system on the clientside:
-- The client connection is not allowed to close for potentially a very long time. During this time, the client does not receive anything other than Keep-Alive packets from the BIG-IP system. This can delay or adversely impact applications on the client.
-- The server continues to send data to the BIG-IP system unnecessarily. After accounting for the fact this could be a lot of data and many connections could be in this state, the server and/or its surrounding network could become impacted/congested. At a minimum, this might cause a waste of resources.
Workaround:
There is no workaround at this time.
Fix:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.
Behavior Change:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.
715747 : TMM may restart when running traffic through custom SSLO deployments.
Component: Local Traffic Manager
Symptoms:
TMM restarts with a SIGSEGV signal and dumps core.
Conditions:
This issue is known to happen when passing traffic through some custom SSLO deployments (e.g., iRule-based configurations).
Impact:
TMM restarts. If the system is in a high availability configuration, a failover occurs. Traffic disrupted while TMM restarts.
Workaround:
There is no workaround at this time.
Fix:
TMM no longer restarts.
715467-2 : Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
Component: Local Traffic Manager
Symptoms:
If the 'A' record for an FQDN node is removed or replaced on the DNS server, then the BIG-IP system does not remove the old ephemeral pool member or create the new pool member and node.
Conditions:
-- FQDN nodes.
-- Pool members with a service port of ANY.
Impact:
Ephemeral pool member and nodes are not removed or updated when the DNS 'A' record is removed or changed.
Workaround:
There is no workaround at this time.
Fix:
Upon a DNS 'A' record being removed or changed, the ephemeral pool members and nodes based on the old value are removed or changed.
715448-2 : Providing LB::status with a GTM Pool name in a variable caused validation issues
Component: Global Traffic Manager (DNS)
Symptoms:
When utilizing an LB::status iRule where the GTM Pool name was provided in a variable, instead of directly written into the command, the system posts the following error message: Can't read 'monkey': no such variable.
Conditions:
LB::status pool a <Variable containing string>.
Impact:
Unable to use LB::status iRule.
Workaround:
There is no workaround at this time.
Fix:
Can now use LB::status iRule command to display the status of a GTM Pool when the name of the pool is provided in a variable.
715250-1 : TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED
Component: Access Policy Manager
Symptoms:
TMM generates a core and restarts when RPC resumes iRule event ACCESS_SESSION_CLOSED.
Conditions:
Plugin RPC call has iRule event ACCESS_SESSION_CLOSED configured.
Impact:
System instability, failover, traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
715207-3 : coapi errors while modifying per-request policy in VPE
Component: Access Policy Manager
Symptoms:
System reports errors about coapi in /var/log/ltm when modifying a per-request policy in the Visual Policy Editor (VPE).
err coapi: PHP: requested conversion of uninitialized member.
Conditions:
-- The per-request policy being modified is attached to the virtual server.
-- Using VPE.
Impact:
The impact can vary by version.
-- In some versions it represents a stray error log.
-- In other versions the 'Accepted Languages' in the Logon Page agent does not have the full list.
-- In other versions, there are server 500 errors when modifying agents.
Workaround:
To work around this issue, perform the following procedure: 1. Remove the per-request policy from the virtual server.
2. Modify the policy.
3. Add the policy back to the virtual server.
Fix:
Now per-request access policies can be simultaneously used and edited without causing spurious 'coapi' log errors.
715153-1 : AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem
Component: Application Visibility and Reporting
Symptoms:
-- The folder /var/avr/loader contains many files (e.g., more than 1500 files).
-- monpd is not running.
Conditions:
This occurs when the following conditions are met:
-- Avrd is running.
-- monpd is down.
Impact:
AVR writes many files to /var/avr/loader. Depending on disk usage, this might cause disk-usage problems.
Workaround:
There are two possible workarounds:
-- Restart monpd. When monpd starts up, it deletes the files under /var/avr/loader.
-- Delete all files under /var/avr/loader.
Fix:
There is now a limit for the /var/avr/loader folder, so that it can contain no more than 1100 files. This prevents disk-usage problems.
715128-1 : Simple mode Signature edit does not escape semicolon
Component: Application Security Manager
Symptoms:
When creating a user-defined ASM Signature in Simple mode, semicolon followed by space cannot be used in a keyword.
Conditions:
-- Using a user-defined ASM Signature in Simple mode.
-- There is a semicolon followed by a space in a keyword.
Impact:
The signature cannot be created.
Workaround:
The signature can be created in Advanced Mode by escaping semicolon as "|3B|".
715110 : AVR should report 'resolutions' in module GtmWideip
Component: Application Visibility and Reporting
Symptoms:
AVR does not report 'resolutions' in GtmWideip module.
Conditions:
One of the following modules is provisioned: AVR, AFM, or DNS/GTM.
Impact:
There are no statistics reported on 'resolutions' in GtmWideip module.
Workaround:
There is no workaround.
Fix:
AVR now reports 'resolutions' in GtmWideip module.
714974-2 : Platform-migrate of UCS containing QinQ fails on VE★
Component: TMOS
Symptoms:
If you are doing platform-migrate from a hardware device to a Virtual Edition (VE) guest, and the UCS that came from the hardware device has a QinQ VLAN configuration, then the upgrade will fail.
Conditions:
-- VLAN with a QinQ configuration exists on the hardware configuration.
-- UCS file is saved on the hardware device.
-- UCS is copied to a VE guest.
-- Attempt to load the configuration using the following command: load sys ucs <UCS filename> no-license platform-migrate.
Impact:
The UCS load will fail and generate an error:
01071bd8:3: The tag-mode for requested member <VLAN name> has to be 'none' on platforms that do not support QinQ. Unexpected Error: Loading configuration process failed.
Workaround:
None.
Fix:
The configuration now loads successfully, disables QinQ on the associated VLAN, and warns that this action was automatically taken.
714961-1 : antserver creates large temporary file in /tmp directory
Component: Access Policy Manager
Symptoms:
SWG Analytics (running through the antserver daemon) creates a large temporary file in the /tmp directory due to a lack of write permissions on the appropriate directory.
Conditions:
-- SWG provisioned.
-- Viewing SWG Analytics.
Impact:
/tmp is temporarily populated with a large file that might fill up the directory if it is already close to capacity.
Workaround:
There is no workaround at this time.
Fix:
System now writes to /shared/tmp/ant_server so that it no longer writes to /tmp, so the issue no longer occurs.
714903-2 : Errors in chmand
Component: TMOS
Symptoms:
VIPRION cluster does not form; only primary blade stays online. Chassis manager chmand generated a core file. System logs the following error in ltm log: err clusterd[11162]: 013a0004:3: Error adding cluster mgmt addr, HAL error 7.
Conditions:
-- Restoring UCS.
-- Chassis starting up.
-- System in stressed condition, where there is very little or no memory available.
Impact:
Cluster does not form.
Workaround:
None.
Fix:
These errors in chmand are fixed.
714879-3 : APM CRLDP Auth passes all certs
Solution Article: K34652116
714749-2 : cURL Vulnerability: CVE-2018-1000120
Component: TMOS
Symptoms:
It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.
Conditions:
BIG-IP systems are not affected by this vulnerability.
Impact:
None.
Workaround:
None.
Fix:
Patched CVE-2018-1000120
714716-2 : Apmd logs password for acp messages when in debug mode
Solution Article: K10248311
Component: Access Policy Manager
Symptoms:
Apmd logs password when executing policy via iRule.
Conditions:
-- APM is licensed and provisioned
-- Executing policy via iRule using iRule command 'ACCESS::policy evaluate'.
-- Clear text password is supplied for authentication
-- Debug mode active
Impact:
Apmd logs clear text password
Fix:
Apmd now no longer logs password in debug mode when evaluating policy via iRule.
714700-2 : SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy
Component: Access Policy Manager
Symptoms:
To address a vulnerability in their CredSSP implementation Microsoft released set of updates for all versions of Windows (https://aka.ms/credssp). Although the APM implementation is not affected by this vulnerability, the Microsoft Windows Server fix introduces compatibility issues. The update adds new Group Policy 'Encryption Oracle Remediation', which, if set to 'Force Updated Clients' on the server might break SSO for APM's native RDP resources.
Conditions:
-- RDP server has https://aka.ms/credssp update installed.
-- 'Encryption Oracle Remediation' Group Policy on the RDP server is set to 'Force Updated Clients'.
Impact:
SSO for native RDP resources does not work.
Workaround:
Set 'Encryption Oracle Remediation' Group Policy on the RDP server to 'Mitigated'.
Fix:
SSO for native RDP resources is now compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy.
714654-2 : Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
Component: TMOS
Symptoms:
While creating a static route, tmrouted disconnects with error: existing entry is not a dynamic.
Conditions:
Creating a static route for a network that already has an advertised dynamic route.
Impact:
TMM's connection to tmrouted goes down, which results in loss of the dynamic route for TMM.
Workaround:
There is no workaround other than not creating a static route for routes received through dynamic routing.
Fix:
Creating static routes for advertised dynamic route no longer causes the tmrouted-to-TMM connection to drop.
714626-2 : When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.
Solution Article: K30491022
Component: TMOS
Symptoms:
When the BIG-IP system is behind a proxy server, the licensing process does not work, despite having set the db variables for proxy.host, proxy.port, proxy.protocol, etc.
Conditions:
-- The BIG-IP system is behind a proxy server that gates internet access.
-- Attempting to license (or revoke the license of) the BIG-IP system is not possible using GUI or tmsh since communications with the license server will fail.
Impact:
Cannot license, reactivate license, or revoke the license of the BIG-IP system.
Workaround:
Instead of using GUI or tmsh, run the following command, substituting your proxy specification for <proxy> and your license registration key for <reg-key>:
/usr/local/bin/SOAPLicenseClient --proxy <proxy> --basekey <reg-key> --certupdatecheck
Fix:
Licensing/revoke licensing works as expected by simply setting the tmsh sys db variables proxy.host, proxy.port, etc.
714559-2 : Removal of HTTP hash persistence cookie when a pool member goes down.
Component: Local Traffic Manager
Symptoms:
When HTTP cookie hash persistence is configured the cookie is removed when a pool member goes down. This is incorrect if pool members are using session replication.
Conditions:
- Cookie hash persistence is configured.
- A pool member that the persistence record points to goes down.
- Pool members are using session replication.
Impact:
Connected clients must establish a new session.
Workaround:
To configure HTTP cookie hash persistence, use an iRule similar to the following:
when CLIENT_ACCEPTED {
persist cookie hash JSESSIONID
}
Fix:
HTTP hash persistence cookie is no longer removed when a pool member goes down.
If you need to remove the cookie, use an iRule similar to the following:
when PERSIST_DOWN {
HTTP::cookie remove JSESSIONID
}
714384-3 : DHCP traffic may not be forwarded when BWC is configured
Component: Local Traffic Manager
Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.
Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.
Impact:
DHCP traffic may not be forwarded.
Workaround:
There is no workaround other than to remove the BWC policy.
Fix:
DHCP traffic is now forwarded when BWC is configured,
714369 : ADM may fail when processing HTTP traffic
Solution Article: K62201098
714350 : BADOS mitigation may fail
Solution Article: K62201098
714334-1 : admd stops responding and generates a core while under stress.
Component: Anomaly Detection Services
Symptoms:
admd stops responding and generates a core while under stress.
Conditions:
-- The BIG-IP system is under stress.
-- CPU starvation is occurring.
Impact:
admd core and restart.
Note: The admd process provides stress-based DoS detection and mitigation control. When admd is not running, there is no stress-based anomaly detection or behavioral statistics aggregation.
Workaround:
None.
Fix:
This issue no longer occurs.
714303-1 : X520 virtual functions do not support MAC masquerading
Solution Article: K25057050
Component: TMOS
Symptoms:
MAC masquerading is not supported when using X520 virtual functions (VFs) via SR-IOV in Virtual Edition (VE). This is due to a lack of functionality in the underlying hardware.
Conditions:
-- Use SR-IOV VFs as interfaces within VE.
-- Configure MAC masquerading with a shared MAC that should follow the active system after traffic group failovers.
Impact:
MAC masquerading does not function in this environment.
Workaround:
None.
Fix:
MAC masquerading is now supported when using X520 VFs via SR-IOV in VE with following prerequisites:
-- VFs must have MAC addresses before deploying the BIG-IP system.
-- Trust mode must be set on the host.
-- The DB variable, tm.macmasqaddr_per_vlan must be set to true if VFs belong to the same PF.
-- The driver version must match the following:
+ Driver: ixgbe
+ Version: 5.1.0-k-rh7.5
+ Firmware-version: 0x80000656
713951-5 : tmm core files produced by nitrox_diag may be missing data
Component: Local Traffic Manager
Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.
Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.
Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.
713947-1 : stpd repeatedly logs "hal sendMessage failed"
Component: TMOS
Symptoms:
On non-primary clustered blades in a BIG-IP chassis environment, stpd may repeatedly log "hal sendMessage failed"
Conditions:
Two or more blades clustered in a chassis with STP enabled on one or more ports.
Impact:
All BIG-IP blades
Workaround:
No workaround except to ignore log messages - they are spurious and have no ill effect on the system besides log spam.
713934-2 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response
Component: Local Traffic Manager
Symptoms:
Received malformed Truncated DNS response.
Conditions:
-- Using iRule 'DNS::question name' to shorten the name.
-- DNS response is longer than 4096 UDP limit.
Impact:
DNS request might not be resolved correctly.
Workaround:
There is no workaround at this time.
Fix:
In this release, when DNS::query name changes the query name, the software ensures that the request is updated with proper lengths.
713932-1 : Commands are replicated to PostgreSQL even when not in use.
Component: TMOS
Symptoms:
In MCP, PostgreSQL is used only by AFM. Even when AFM is not provisioned, however, commands are being replicated to PostgreSQL.
Conditions:
AFM is not provisioned.
Impact:
Unnecessary CPU cycles spent by MCP replicating commands to PostgreSQL.
Workaround:
None.
Fix:
Prevented replication of commands to PostgreSQL when it is not in use.
713820-1 : Pass in IP address to urldb categorization engine
Component: Access Policy Manager
Symptoms:
Category lookup results might be inaccurate. In some cases, the system returns 'uncategorized' when the reference (Forcepoint) returns a specific category.
Conditions:
Category Lookup agent is in per-request policy using the categorization engine to lookup up a website's classification.
Impact:
Actions leveraging categorization results are applied incorrectly.
Workaround:
None.
Fix:
This release can now pass in more information to the urldb categorization engine, which supports finer-grained categorization.
713813-2 : Node monitor instances not showing up in GUI
Component: TMOS
Symptoms:
Navigating to Local Traffic :: Monitors :: <some_monitor> should show a list of nodes with some_monitor assigned to them. GUI does not list related nodes under Instances tab.
Conditions:
-- At Local Traffic :: Monitors :: <some_monitor>.
-- Under the Instances tab.
Impact:
No instances listed. Cannot use the GUI to determine which nodes are associated with a monitor.
Workaround:
Use tmsh to list nodes associated with a monitor.
Fix:
The GUI now lists all associated nodes under Local Traffic :: Monitors :: <some_monitor> :: Instances tab.
713690-3 : IPv6 cache route metrics are locked
Component: Local Traffic Manager
Symptoms:
Under certain circumstances IPv6 route metrics are locked for the lifetime of a route metrics cache entry.
Conditions:
Under certain circumstances IPv6 route metrics cache entries are created locked.
Impact:
IPV6 route metrics are locked for the lifetime of a route metrics cache entry. When receiving subsequent icmpv6 packet to big messages with a larger MTU, the value does not get updated.
Workaround:
None.
Fix:
IPv6 route metrics are not locked anymore.
713655-2 : RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
Component: Access Policy Manager
Symptoms:
If per-session access policy requests route domain selection during policy evaluation, the agent might hang and fail to retrieve route domain information. APMD might restart and produce a core file.
Conditions:
-- Policy sync operation.
-- System receives a query for route domain information.
-- There is a heavy load of control plane traffic to process.
Impact:
Poor performance and/or APMD restarts with a core file, causing brief disruption of the authentication service.
Workaround:
None.
Fix:
Route domain selection operations no longer fail under heavy control-plane traffic/activities.
713612-1 : tmm might restart if the HTTP passthrough on pipeline option is used
Component: Local Traffic Manager
Symptoms:
The TMM may crash if the HTTP profile's 'passthrough_pipeline' field is set to 'passthrough'.
Conditions:
-- HTTP profile is configured as a transparent proxy.
-- HTTP profile has the 'passthrough_pipeline' field is set to 'passthrough'.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
tmm no longer crashes when HTTP switches to passthrough mode in some cases.
713533-2 : list self-ip with queries does not work
Component: Local Traffic Manager
Symptoms:
"list net self" command always returns all Self IPs, regardless of the regex patterns.
Conditions:
list net self always returns all Self IPs
Impact:
You are unable to filter the Self IP list using a regex pattern.
Fix:
You can now use pattern matching to list Self IPs
713491-2 : IKEv1 logging shows spi of deleted SA with opposite endianess
Component: TMOS
Symptoms:
Sometimes the IKEv1 racoon daemon logs a 32-bit child-SA spi with octets in backwards order (reversing the endianness).
Conditions:
When an SA is deleted.
Impact:
Logging typically shows a network byte order spi in the wrong order. Cosmetic interference with logging interpretation.
Workaround:
There is no workaround at this time.
Fix:
The spi values are shown in the correct endianness now.
713390-1 : ASM Signature Update cannot be performed on hourly billing cloud instance
Component: Application Security Manager
Symptoms:
ASM Signature Update cannot be performed on hourly billing cloud (AWS) instance. Licenses on these devices cannot be updated and have a fixed Service Check Date (SCD), which must be more recent to allow ASM Signature Update.
Conditions:
Attempt to perform ASM Signature Update on hourly billing cloud (AWS) instance.
Impact:
Performing ASM Signature Update fails.
Workaround:
There is no workaround at this time.
Fix:
ASM Signature Update can now be performed on hourly billing cloud instance.
713380 : Multiple B4450 blades in the same chassis run into inconsistent DAG state
Solution Article: K23331143
Component: TMOS
Symptoms:
Multiple B4450 blades in the same chassis can run into inconsistent DAGv2 state.
Conditions:
More than one B4450 blade in the same chassis.
Impact:
Inconsistent DAG state can cause traffic disruption.
Workaround:
Restart tmm on one blade in the chassis and force the blades to reform the cluster in data plane.
Fix:
Multiple B4450 blades in the same chassis no longer experiences an inconsistent DAG state.
713282-1 : Remote logger violation_details field does not appear when virtual server has more than one remote logger
Component: Application Security Manager
Symptoms:
Remote logger violation_details field appears empty.
Conditions:
-- More than one remote logger is attached to the virtual server.
-- A violation occurs.
-- Viewing the associated log.
Impact:
Violation_details field appears empty in logs.
Workaround:
There is no workaround at this time.
Fix:
Remote logger violation_details field is now populated as expected when the virtual server has more than one remote logger.
713273 : BIG-IP sys db variable avr.stats.internal.maxentitiespertable resets back to default value on services restart
Component: Application Visibility and Reporting
Symptoms:
After a BIG-IP system reset, a modified setting for the BIG-IP sys db variable avr.stats.internal.maxentitiespertable returns to the default value.
Conditions:
1. avr.stats.internal.maxentitiespertable value is modified from the default.
2. The BIG-IP system restarts.
Impact:
avr.stats.internal.maxentitiespertable returns to its default value.
Workaround:
After BIG-IP system reset, specify the value of avr.stats.internal.maxentitiespertable again.
Fix:
A modified avr.stats.internal.maxentitiespertable value no longer returns to the default value after BIG-IP system restart.
713156-1 : AGC cannot do redeploy in Exchange and ADFS use cases
Component: Access Policy Manager
Symptoms:
In AGC exchanges or Active Directory Federation Services (ADFS) configurations, the system creates an SSL HTML form and SSO HTML form control object. Because of the limitation of ICRD, the system cannot directly delete SSO HTML form control objects.
Conditions:
-- Redeploy occurs in an AGC exchange ADFS configuration.
-- Modifying existing configurations.
Impact:
Redeploy fails, configuration remain unmodified.
Workaround:
Do a undeploy, followed by a deploy.
Fix:
Redeploy now succeeds when using AGC with Exchange and ADFS use cases.
713111-1 : When ASM and APM are configured on the same virtual server, ASM might report some errors in its logging.
Component: Access Policy Manager
Symptoms:
When APM (SSO feature) and ASM are configured on the same virtual server, WebSSO recreates requests on 401 responses. Such requests have the same support ID, so ASM logs errors.
Conditions:
APM (WebSSO) and ASM are configured on same virtual server.
Impact:
ASM might potentially block such requests, so APM SSO functionality may not work.
Workaround:
There is no workaround except to not configure APM (WebSSO) and ASM on same virtual server.
Fix:
This issue has been fixed.
713066-1 : Connection failure during DNS lookup to disabled nameserver can crash TMM
Solution Article: K10620131
Component: Global Traffic Manager (DNS)
Symptoms:
TMM restart as a result of a DNS lookup to disabled nameserver.
Conditions:
DNS lookup that tries to connect to a nameserver that is not reachable for some reason.
This could be an explicit 'RESOLV::lookup' command in iRule, or it could be DNS lookups internally triggered by APM or HTTP.
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
Verify connectivity to nameserver.
As an alternative, refrain from using RESOLV::lookup in iRules.
Fix:
This issue is now fixed.
713051 : PB generates a suggestion to add a disallowed filtetype with empty name.
Component: Application Security Manager
Symptoms:
Policy Builder (PB) generates a suggestion to add a disallowed filtetype with empty name.
When trying to accept suggestion, you get a message 'action failed'.
Conditions:
This is a timing-related issue that occurs when trying to accept an incorrectly presented suggestion.
Impact:
An incorrect suggestion is issued that cannot be accepted. There is no specific impact on functionality.
Workaround:
Delete the suggestion, or mark it as ignored so it does not reappear.
Fix:
PB no longer issues the incorrect suggestion.
712924-1 : In VPE SecurID servers list are not being displayed in SecurID authentication dialogue
Component: Access Policy Manager
Symptoms:
In VPE SecurID servers list are not being displayed in SecurID authentication dialogue. List is displaying only None.
Conditions:
Always when adding SecureID authentication action.
Impact:
Inability to (re)configure SecureId via VPE.
Workaround:
Manually modify RSA AAA server in SecurID Auth Agent via tmsh:
tmsh modify apm policy agent aaa-securid <aaa agent> server <securid server name>
712919-1 : Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server.
Component: Local Traffic Manager
Symptoms:
When an iRule is removed from a Virtual Server, especially one with explicitly specified high priority (with "priority" keyword), other iRules on the same Virtual Server may become "invisible" i.e. they are present but some of them are no longer executed. It may affect all the events or only certain types of them. Under certain conditions the defect may even disappear upon removing another iRule, particularly if it has low priority and handles the same event as the one which introduced the problem.
Conditions:
Removing an iRule from a Virtual Server.
Impact:
Some or all iRules on given Virtual Servers stop being executed.
Workaround:
Restart or reload the configuration. If removing iRules needs to be performed in run-time and it triggers the problem, it can be prevented by having any iRule (even an empty one) for the same event, as the iRule which is going to be removed, but with higher priority e.g. with attribute "priority 1".
Fix:
Corrected scanning of iRules stored behind the one which is being deleted.
712876-2 : CVE-2017-8824: Kernel Vulnerability
Solution Article: K15526101
712819-2 : 'HTTP::hsts preload' iRule command cannot be used
Component: Local Traffic Manager
Symptoms:
Using the 'HTTP::hsts preload' iRule command in the GUI, you might see error message similar to the following:
01070151:3: Rule [/Common/test] error: /Common/test:3: error: ["invalid argument preload; expected syntax spec: "][HTTP::hsts preload enable].
The message is incorrect: the command has the correct format. However, the system does not run it.
Conditions:
Using the 'HTTP::hsts preload' iRule command in the GUI.
Impact:
The command does not run. Cannot use the 'HTTP::hsts preload' iRule command in the GUI.
Workaround:
None.
Fix:
'HTTP::hsts preload' iRule command now works as expected.
712738-1 : fpdd may core dump when the system is going down
Component: TMOS
Symptoms:
fpdd may core dump when the system is going down. This is because the LED manager in the daemon cannot use the hal library to talk to other daemons.
Conditions:
The problem happens when the system is going down.
Impact:
This is a rarely occurring issue. When it happens, fpdd creates a core file. The LEDs may not reflect the status right before the shutdown. But the LEDs are reinitialized after the bootup.
Workaround:
None.
Fix:
fpdd no longer core dumps when the system is going down.
712710 : TMM may halt and restart when threshold mode is set to stress-based mitigation
Component: Advanced Firewall Manager
Symptoms:
When auto-DoS vector's threshold mode is set to stress-based mitigation, but the vector is in disabled state, TMM may halt and restart.
Conditions:
-- Threshold mode is set to stress-based mitigation.
-- Vector is disabled.
Impact:
TMM restarts. Traffic disrupted while TMM restarts.
Workaround:
There is no workaround other than not setting threshold mode to stress-based mitigation if the vector is disabled.
Fix:
TMM no longer restarts when threshold mode is set to stress-based mitigation and the vector is in disabled state.
712664-2 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
Component: Local Traffic Manager
Symptoms:
As a result of a known issue IPv6 NS may be dropped if corresponds for host on remote VLAN of transparent vlangroup and matches a Virtual address with disabled ARP setting
Conditions:
- transparent vlan-group
- Virtual Address with ARP disabled
- Virtual Address corresponds to remote IPv6 host address
Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.
Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.
Fix:
IPv6 NS is no longer dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address.
712637-2 : Host header persistence not implemented
Component: Local Traffic Manager
Symptoms:
Online documentation describes a persistence mechanism which uses the HTTP Host: header. However, this mechanism is not implemented, and attempts to use it generates an error.
Conditions:
Online help for ltm persistence says that Host persistence can be enabled via iRule, but attempting to do so generates an error 'invalid argument host'.
Impact:
Although this does not impact any existing functionality, the documented function is not available.
Workaround:
There is no workaround at this time.
Fix:
LTM Host: header persistence is implemented.
712475-3 : DNS zones without servers will prevent DNS Express reading zone data
Solution Article: K56479945
Component: Local Traffic Manager
Symptoms:
DNS Express does not return dig requests.
Conditions:
DNS Express is configured a zone without a server.
Impact:
DNS Express does not return dig requests.
Workaround:
You can use either of the following workarounds:
-- Remove the zone without the server.
-- Configure a server for the zone.
Fix:
DNS zones without servers no longer prevent DNS Express reading zone data.
712437-3 : Records containing hyphens (-) will prevent child zone from loading correctly
Solution Article: K20355559
Component: Local Traffic Manager
Symptoms:
The dig command returns no record with SOA from the parent zone even though dnsxdump shows that the record exists.
Conditions:
-- Parent zone has a record containing - (a hyphen) and the preceding characters match the child zone. For example,
myzone.com -- parent
foo.myzone.com -- child
-- In myzone.com, you have a record of the following form:
foo-record.myzone.com
Impact:
DNS can not resolve records correctly.
Workaround:
None.
Fix:
DNS now handles the case in which the parent zone has a record containing - (a hyphen) and the preceding characters match the child zone.
712429 : Serverside packets excluded from DoS stats
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems configured with L4 DoS Protection might not provide sufficiently granular DDoS detection and mitigation to ensure that legitimate traffic is not impacted.
Conditions:
Configured for DDoS detection and mitigation.
Impact:
Legitimate traffic might be impacted.
Workaround:
None.
Fix:
The following DoS vectors no longer count serverside packets.
-- Single-Endpoint Flood
-- Global-Device level aggregate vectors
-- Bad-actor/attacked-dst for all vectors
Additionally, hardware-accelerated, device-level (global) aggregate DoS vectors are now programmed dynamically when traffic is detected, rather than at configuration time.
These behavior changes provide greater granularity in DDoS detection and mitigation to ensure that legitimate traffic is not impacted.
Behavior Change:
The following DoS vectors no longer count serverside packets.
-- Single-Endpoint Flood
-- Global-Device level aggregate vectors
-- Bad-actor/attacked-dst for all vectors
Additionally, hardware-accelerated, device-level (global) aggregate DoS vectors are now programmed dynamically when traffic is detected, rather than at configuration time.
These behavior changes provide greater granularity in DDoS detection and mitigation to ensure that legitimate traffic is not impacted.
712401-1 : Enhanced administrator lock/unlock for Common Criteria compliance
Component: TMOS
Symptoms:
The Network Device and Firewall collaborative Protection Profiles v2.0 require certain behavior for locking and unlocking administrative-user accounts on the BIG-IP system. BIG-IP software needs to be enhanced for compliance with those requirements.
Conditions:
The ccmode script must be run to activate these enhancements. Also, see the Common Criteria Guidance document (published when the certificate is obtained) for more details.
Impact:
Without these enhancements activated, the BIG-IP system is not compliant with Common Criteria requirements.
Workaround:
Risk acceptance for Common Criteria non-compliance.
Fix:
To meet Common Criteria requirements, the BIG-IP system is enhanced in two areas:
1. The primary administrative user account (generally 'admin') can be locked out, as any other administrative-user account can be. However, it is never locked out when signing in from the serial console.
2. Locked out administrative-users are unlocked only after an administrator-specified time period has passed. The default is 10 minutes, and is set in the ccmode script.
712362-3 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
Component: Application Security Manager
Symptoms:
When the WebSocket HTTP handshake response comes without 'Switching Protocols' reason phrase at the first line, the ASM does not follow up WebSocket frames on the WebSocket's connection.
The system posts the following messages in /ts/log/bd.log:
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0269|101 Switching Protocols HTTP status arrived, but the websocket hanshake failed.
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0270|Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.
Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- WebSocket backend server sends 101 response without the 'Switching Protocols' phrase.
Impact:
WebSocket frames stalls.
Workaround:
#1 Change the backend server:
Change WebSocket backend server to return 101 response to include the 'Switching Protocols' reason phrase:
HTTP/1.1 101 Switching Protocols
#2 Use an irRule:
when SERVER_CONNECTED {
TCP::collect 15
}
when SERVER_DATA {
if { [TCP::payload 15] contains "HTTP/1.1 101 \r\n" } {
TCP::payload replace 0 12 "HTTP/1.1 101 Switching Protocols"
}
}
Fix:
This release correctly handles 101 responses even without the 'Switching Protocols' reason phrase.
712266-1 : Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware
Component: TMOS
Symptoms:
Messages like the following may show up in /var/log/ltm:
-- crit tmm5[28908]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=11): ctx dropped.
This occurs because the decompression of large compressed data failed.
Conditions:
This issue occurs when compressed data cannot be decompressed in a single request to the Nitrox 3 hardware accelerator.
Impact:
Requests fail with a connection reset.
Workaround:
Use zlib software decompression.
Fix:
This release fixes this decompression issue in the Nitrox 3 driver.
712118 : AVR should report on all 'global tags' in external logs
Component: Application Visibility and Reporting
Symptoms:
AVR reports only 'ssgName' from the global tags.
Conditions:
-- A BIG-IQ operation configures the 'tag file' (/var/config/rest/downloads/app_mapping.json) on the BIG-IP system.
-- Statistics are sent to the BIG-IQ system.
Impact:
Not all the tags are sent to the BIG-IQ system.
Workaround:
There is no workaround at this time.
Fix:
AVR now reports statistics on all tags to the BIG-IQ system.
712102-2 : customizing or changing the HTTP Profile's IPv6 field hides the field or the row
Solution Article: K11430165
Component: TMOS
Symptoms:
Customizing or changing the HTTP Profile's IPv6 field hides the field or the row.
Conditions:
Customizing or changing the HTTP Profile's IPv6 field.
Impact:
The HTTP Profile's IPv6 field cannot be customized or changed.
Workaround:
Use tmsh to set the HTTP Profile's IPv6 field.
Fix:
Customizing or changing the HTTP Profile's IPv6 field does not hide the field or the row.
711981-5 : BIG-IP system accepts larger-than-egress MTU, PMTU update
Component: Local Traffic Manager
Symptoms:
A Path MTU (PMTU) message can lead to the BIG-IP system to falsely assume an egress MTU on the related flow to be larger than the interface egress MTU.
Conditions:
A valid PMTU message.
Impact:
BIG-IP sends larger-than-configured interface egress MTU messages.
Workaround:
None.
Fix:
The BIG-IP system now limits the flow egress MTU to the interface egress MTU.
711929-1 : AVR should not send statistic on hidden rows for module InterfaceTraffic and module InterfaceHealth
Component: Application Visibility and Reporting
Symptoms:
AVR sends data on all interfaces, hidden and not hidden. It should send information only on not-hidden interfaces.
Conditions:
-- Tmstat table interface_stat exists.
-- Viewing statistics for module InterfaceTraffic and module InterfaceHealth.
Impact:
Irrelevant data is sent.
Workaround:
None.
Fix:
AVR now sends data only on not-hidden interfaces.
711708-1 : Default disabled DoS profile cannot be attached to virtual server because of BADOS '2 virtual servers limitation'
Component: Anomaly Detection Services
Symptoms:
Configuration error: DoS profile with behavioral detection
cannot be attached to a virtual server because use is limited to 2 virtual servers when the DoS profile does not have BADOS configuration.
Conditions:
Intermittent reproduction when more than 2 virtual servers and DoS profile pairs configured.
Impact:
Cannot assign DoS profile to virtual servers.
Workaround:
Modify the DoS profile configuration: enable/disable BADOS features (bad actors/signatures) and try to reassign DoS profile to the virtual server.
Fix:
There is no 2-virtual server limitation when no BADOS is configured.
711683-2 : bcm56xxd crash with empty trunk in QinQ VLAN
Component: TMOS
Symptoms:
When an empty trunk (no members) is configured 'tagged' in a QinQ VLAN, bcm56xxd will continuously crash.
Conditions:
Trunk with no members, configured as 'tagged' in a QinQ VLAN.
Impact:
bcm56xxd continuously crashes.
Workaround:
Use either of the following workarounds:
-- Add members to the trunk.
-- Remove the trunk from the QinQ VLAN.
Fix:
Do not program QinQ switch hardware if the trunk has no members.
711570-3 : PEM iRule subscriber policy name query using subscriber ID, may not return applied policies
Component: Policy Enforcement Manager
Symptoms:
PEM::subscriber config policy get <subscriber id> does not return policy names
Conditions:
PEM iRule using subscriber ID to get policy name.
Impact:
Subscriber policy names are not returned.
Workaround:
Use PEM::subscriber config policy get <IP address> instead.
Fix:
Subscriber policy names are now returned when running PEM iRules using subscriber ID to get policy names.
711427-2 : Edge Browser does not launch F5 VPN App
Component: Access Policy Manager
Symptoms:
On Microsoft Windows v10, use Edge Browser to establish VPN. Edge Browser does not launch F5 VPN App.
Conditions:
On Windows 10, use Edge Browser to establish VPN.
Impact:
APM end user cannot establish VPN tunnel using Edge Browser.
Workaround:
Use Mozilla Firefox or Google Chrome.
Fix:
You can now use Windows 10 to launch Edge Browser to establish VPN connections.
711405-1 : ASM GUI Fails to Display Policy List After Upgrade
Solution Article: K14770331
Component: Application Security Manager
Symptoms:
After upgrade to version 13.1.0 or later, ASM GUI fails to display the Policy List.
Conditions:
Using an 11.5.0 to 11.5.4-HF1 version that is affected by the issue of policies with duplicate REST IDs that occurred after restoring from policy history or using Policy Diff to compare policies.
Impact:
ASM GUI starting using the REST API from version 13.1.0, so any systems that have been affected by this issue on a previous version now cause the GUI to fail to display the Policy List.
Workaround:
On the device run the following script:
---------------------------------
perl -MF5::DbUtils -MF5::Utils::Rest -MF5::ASMConfig::Entity::Policy -e '$dbh = F5::DbUtils::get_dbh();
$dbh->begin_work();
$dbh->do("UPDATE PLC.PL_POLICIES a SET a.rest_uuid = \"\" WHERE a.rest_uuid IN ( SELECT rest_uuid FROM (SELECT rest_uuid FROM PLC.PL_POLICIES GROUP BY rest_uuid having count(*) > 1) b)");
F5::Utils::Rest::populate_uuids(dbh => $dbh);
$dbh->commit();'
---------------------------------
Note: In a management environment, this change must be pushed to the peer as a full sync. The easiest way to do so is to ensure that the ASM sync device group is in manual sync mode, and to push the config to the peers from the device where the script was run.
Fix:
This data inconsistency is now repaired on upgrade, and the GUI loads the policy list successfully.
711281-5 : nitrox_diag may run out of space on /shared
Component: Local Traffic Manager
Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.
Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.
Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.
Workaround:
The only workaround is to ensure there is enough free space for the files to be created.
In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte. Though more might be needed for systems with a large amount of RAM.
Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.
711249-1 : NAS-IP-Address added to RADIUS packet unexpectedly
Component: TMOS
Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.
Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.
Impact:
Authentication does not work as it has invalid/unrecognized source NAS-IP-Address.
Workaround:
Configure cluster member IP address or define hostname and address via global-settings remote-host.
711093-1 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
Component: Policy Enforcement Manager
Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.
Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).
Impact:
PEM sessions remain in marked-for-delete state.
Workaround:
None.
Fix:
PEM sessions no longer stay in the marked-for-delete state after session delete
711011-2 : 'API Security' security policy template changes
Component: Application Security Manager
Symptoms:
Parameter-related Learn/Alarm/Block settings in 'API Security' security policy template should be 'ON' by default.
Conditions:
Learn/Alarm/Block settings in 'API Security' security policy template.
Impact:
Settings not active.
Workaround:
None.
Fix:
Parameter-related Learn/Alarm/Block settings in 'API Security' security policy template are now 'ON' by default.
710996-2 : VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP
Component: Local Traffic Manager
Symptoms:
The behavior of outgoing IPv6 management and IPv4 management traffic from the primary blade differs:
IPv4 traffic is sourced from the cluster IP
IPv6 traffic is sourced from the cluster member IP
Conditions:
IPv6 configured on the 'cluster' address and 'cluster member' address.
Impact:
The blade IP address, rather than the cluster floating IP, will be used as the source IP when querying the RADIUS server for remote-auth login against the management port.
Workaround:
There is no workaround at this time.
710976-1 : Network Map might take a long time to load
Component: TMOS
Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.
For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.
In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.
# tmsh list ltm virtual vs
ltm virtual vs {
creation-time 2018-03-06:18:27:53
destination 0.0.0.0:any
ip-protocol tcp
last-modified-time 2018-03-06:18:27:53
mask any
profiles {
myhttp { }
tcp { }
}
rules {
myrule
}
source 0.0.0.0/0
translate-address disabled
translate-port disabled
vlans {
socks-tunnel
}
vs-index 5
}
Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.
-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.
Impact:
It takes tens of seconds to load the Network Map page.
Workaround:
None.
Fix:
The data loading performance was improved to load the page faster.
710947-1 : AVR does not send errdef for entity DosIpLogReporting.
Component: Application Visibility and Reporting
Symptoms:
AVR does not send errdef for entity DosIpLogReporting.
Conditions:
-- AVR is configured.
-- View the DosIpLogReporting report.
Impact:
There is no errdef for module DosIpLogReporting
Workaround:
None.
Fix:
Added errdef for module DosIpLogReporting.
710884-1 : Portal Access might omit some valid cookies when rewriting HTTP request.
Component: Access Policy Manager
Symptoms:
Portal Access is not sending certain cookies to the backend application.
Conditions:
-- Request path and cookie path are equal.
-- The last character of request path is not a forward slash (/).
Impact:
Backend application does not receive some cookies and may decide that APM end users are not authenticated, when they are.
Workaround:
There is no workaround at this time.
Fix:
Fixed an issue in Portal Access which could cause web-applications to lose some valid cookies.
710870 : Temporary browser challenge failure after installing older ASU
Component: Application Security Manager
Symptoms:
After installing an older ASM Signature Update (ASU) may cause the browser challenge to fail for the first few minutes after provisioning ASM.
Conditions:
-- Using BIG-IP version 13.1.0.5.
-- Installing an ASU from before April 2018.
Impact:
Browsers remain on whitepage after receiving a browser challenge.
Note: The problem should go away after 10-to-15 minutes of provisioning ASM, when more versions of JavaScript are generated.
Workaround:
Install the latest ASU.
Fix:
The browser challenges will succeed even after installing an older ASU.
710857-2 : iControl requests may cause excessive resource usage
Solution Article: K64855220
710827-2 : TMUI dashboard daemon stability issue
Solution Article: K44603900
710755-1 : Crash when cached route information becomes stale and the system accesses the information from it.
Component: Advanced Firewall Manager
Symptoms:
The crash happens intermittently when the cached route information becomes stale and the system accesses the information from it.
Conditions:
Use stale cached route information.
Impact:
This condition can lead to a crash as the route information is no longer valid, and can lead to illegal memory access.
Workaround:
None.
Fix:
The system now fetches the latest egress route/interface information before accessing it.
710705-2 : Multiple Wireshark vulnerabilities
Solution Article: K34035645
710701-1 : "Application Layer Encryption" option is not saved in DataSafe GUI
Component: Fraud Protection Services
Symptoms:
"Application Layer Encryption" checkbox will remain enabled if un-checked via DataSafe GUI and will not be saved.
Conditions:
- Install DataSafe license
- Provision FPS
- Create URL
Impact:
Cannot enable/disable "Application Layer Encryption" via DataSafe GUI.
Workaround:
Application Layer Encryption can be enabled or disabled via TMSH command line or REST API.
Fix:
"Application Layer Encryption" option is saved if changed via DataSafe GUI.
710666-1 : VE with interface(s) marked down may report high cpu usage
Component: TMOS
Symptoms:
The "tmm" process may appear to be running at 90% or above in linux cpu reporting utilities such as "top" or "ps", even if the system is not handling a large amount of traffic.
In this case, "tmsh show sys tmm-info" continues to report tmm's cpu usage accurately.
Conditions:
- BIG-IP Virtual Edition
- One or more interfaces configured and used in the BIG-IP configuration is marked down
Impact:
tmm consumes cpu cycles even when idle. This may impact other guests running on the same hardware if the hypervisor has oversubscribed its cpu resources.
Workaround:
Disable any interface that is currently marked down.
For example:
tmsh modify net interface 1.1 disabled
and then restart tmm:
bigstart restart tmm
710564 : DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0
Component: Local Traffic Manager
Symptoms:
The DNS filter returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0.
Conditions:
- Virtual Server configured with 'DNS Profile' set to 'dns' or a 'dns'-derived profile.
- DNS queries with EDNS0 ECS option set.
Impact:
If the response ECS Scope Netmask has a value other than '0', LTM drops it, causing timeout and retry on client side.
Workaround:
There is no workaround at this time.
710424-2 : Possible SIGSEGV in GTMD when GTM persistence is enabled.
Solution Article: K00874337
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM persistence is enabled, GTMD may occasionally crash and restart.
Conditions:
GTM persistence is enabled.
Impact:
GTMD may occasionally restart.
Workaround:
Disable GTM persistence.
Fix:
GTMD will no longer crash and restart when persistence is enabled.
710327-1 : Remote logger message is truncated at NULL character.
Component: Application Security Manager
Symptoms:
When a request including binary null character has been sent to an remote logger, configured for ASM, the request will arrive to the remote destination and will be truncated exactly at binary NULL character.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM remote logger attached to a virtual server.
-- Request including binary NULL character is sent to the remote logger destination.
Impact:
Partial request is logged at the remote logger destination.
Workaround:
None.
Fix:
Binary NULL character is now escaped before being sent to the remote logger destination, so the request is no longer truncated.
710315-1 : AVR-profile might cause issues when loading a configuration or when using config sync
Component: Application Visibility and Reporting
Symptoms:
Some fields in AVR-profile contain lists of items. Those lists can be set only if the relevant flag is set to 'true'. In case of a flag configuration change, the system must keep the lists as they were and not reset them, so they can be available in case the flag changes back again.
Validation settings were created such that the lists flag is set to 'true' by default, but this can cause the load/merge process to break if the list was set, and afterwards the flag was set to 'false'.
Conditions:
Setting the relevant flag to 'false' after creating a list of items.
The relevant fields in AVR-profile that have that logic are:
-- IPs-list.
-- Subnets-list.
-- Countries-list.
-- URLs-list.
Impact:
Management load and sync process may not work as expected.
Workaround:
None.
Fix:
Validation for those fields when the associated flag is set to 'false' will be skipped in a load/merge scenario.
710314-1 : TMM may crash while processing HTML traffic
Solution Article: K94105051
710305-1 : When ASM and APM are configured on the same virtual server, ASM could throw some errors in its logging.
Component: Access Policy Manager
Symptoms:
When ASM and APM WebSSO are on the same virtual server, WebSSO might generate a new request. When that happens, ASM might see multiple requests with same support ID. This can cause issues with ASM and log errors.
Conditions:
When APM WebSSO is configured (only for Basic, NTLM, Kerberos).
Impact:
ASM stops processing the HTTP requests that have duplicate support IDs, causing an issue to ASM/APM end users.
Workaround:
None.
Fix:
When ASM and APM WebSSO are on same virtual server, WebSSO no longer generates a new request, so duplicate support IDs are no longer created.
710277-1 : IKEv2 further child_sa validity checks
Component: TMOS
Symptoms:
A tmm restart can occur when a child_sa is rekeyed at expiration time, provided a race condition occurs.
Conditions:
Encountering the issue in which rekeying a child_sa might core when race conditions allowed that child_sa to be destroyed while in use.
Impact:
Restart of tmm and outage of IPsec tunnels until renegotiated.
Workaround:
None.
Fix:
The validity of a child_sa and its traffic selector are checked now before use, to prevent failure when freed objects are accidentally used.
710262-1 : Firewall is not updated when adding new rules
Component: Advanced Firewall Manager
Symptoms:
When adding new rules into existing firewall policies, firewall may be not updated, so new rules are not used in traffic processing.
If on-demand-compilation mode is enabled, firewall may remain in quiescent state instead of compilation-pending state after adding rules.
Conditions:
-- Firewall rules are added into existing firewall policies.
-- No rules are deleted or modified.
Impact:
Firewall is not updated and new rules do not affect data traffic.
If on-demand-compilation mode is enabled, firewall remain in quiescent state instead of going to compilation-pending state after adding rules.
Workaround:
Make additional changes to firewall rules in order to start firewall update, for esample:
-- Add a placeholder rule, and then delete it.
-- Modify a rule (e.g. by adding an IP address), and then revert the modification by removing that IP address.
Fix:
When adding new rules, firewall is now always updated.
If on-demand-compilation mode is enabled, firewall goes to the compilation-pending state after adding rules.
710246-2 : DNS-Express was not sending out NOTIFY messages on VE
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express is not sending out NOTIFY messages on BIG-IP Virtual Edition (VE).
Conditions:
-- DNS Express configured to send out NOTIFY messages.
-- Running on BIG-IP VE configuration.
Impact:
DNS secondary servers serving stale data.
Workaround:
There is no workaround at this time.
Fix:
DNS Express now sends out NOTIFY messages on VE.
710244-3 : Memory Leak of access policy execution objects
Solution Article: K27391542
710232-2 : platform-migrate fails when LACP trunks are in use
Component: TMOS
Symptoms:
Use of the platform-migrate option might fail due to some configurations being invalid on the new system. The error message generated appears as follows:
01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform.
Conditions:
You have a trunk with LACP enabled.
-- You are migrating from a hardware platform to a Virtual Edition (VE).
Impact:
Configuration fails to migrate.
Workaround:
After taking the old system offline, but before saving the UCS, disable LACP on all trunks.
710221-2 : Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled
Solution Article: K67352313
Component: Local Traffic Manager
Symptoms:
In an high availability (HA) configuration where an FQDN template-node on the 'active' unit is 'Force Offline', and the configuration is synchronized to the 'standby' unit, upon 'Enable' on that FQDN template-node in the 'active' unit (and the configuration is synchronized to the 'standby' unit), the ephemeral nodes associated with that FQDN template node remain Unavailable on the 'standby' unit.
Conditions:
HA configuration is configured with 'active' sync.
-- FQDN template-node is configured.
-- After ephemeral nodes are refreshed on the 'active' unit, it transitions to the 'standby' unit.
-- The FQDN template node on the (new-'active') unit is 'Force Offline' by the user.
-- The user explicitly 'Enable' that FQDN template node on the 'active' unit.
Impact:
The ephemerals on the 'standby' unit remain unavailable, even though the associated FQDN template node is 'available'. However, as no traffic is routed to the 'standby' unit, traffic is unaffected. Upon transition from 'standby' to' active', the ephemeral nodes will be refreshed and traffic should continue.
Workaround:
You can use either of these configuration options to prevent this issue from occurring:
-- Select 'Disabled' (rather than 'Force Offline') for the FQDN template node on the 'active' unit.
-- Configure the node without using FQDN.
Fix:
Upon 'Force Offline' and then 'Enable' for an FQDN template node on an 'active' unit in an high availability (HA) configuration, the ephemerals on the 'standby' unit will reflect the re-enabled status based on the associated FQDN template-node on the 'active' unit.
710148-2 : CVE-2017-1000111 & CVE-2017-1000112
Solution Article: K60250153
710140-1 : TMM may consume excessive resources when processing SSL Intercept traffic
Solution Article: K20134942
710116-1 : VPN clients experience packet loss/disconnection
Component: Access Policy Manager
Symptoms:
VPN clients experience packet loss/disconnection.
Conditions:
In certain scenarios, the tunnel establishment procedure might leak a small memory. If the tmm is running for a longer duration, this small leak can accumulate and result in out-of-memory condition
Impact:
Connections start to drop as tmm runs out of memory. TMM will eventually run out of memory and connections could be terminated. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
A rare memory leak during APM VPN establishment has been corrected.
710110-1 : AVR does not publish DNS statistics to external log when usr-offbox is enabled.
Component: Application Visibility and Reporting
Symptoms:
AVR does not send DNS statistics to external logs when analytics global setting usr-offbox is enabled, if the following security analytics settings are set to disable:
-- collected-stats-internal-logging.
-- collected-stats-external-logging.
Conditions:
-- Security analytics settings collected-stats-internal-logging is disabled.
-- Security analytics settings collected-stats-external-logging is disabled.
-- Analytics global settings usr-offbox is enabled.
Impact:
DNS statistic are not sent to external log.
Workaround:
To work around this issue, perform the following procedure:
1. Provision ASM or AFM.
2. Run the tmsh command to set to enabled the security analytics setting collected-stats-external-logging.
2. Deprovision ASM/AFM.
Fix:
AVR now publishes DNS statistics to external logs when usr-offbox is enabled, as expected.
710032-1 : 'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system.
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system posts a 'No Access' error message instead of the virtual server's properties.
Conditions:
-- At least two BIG-IP systems in a sync group.
-- One of the BIG-IP systems has a partition that does not exist on the other with an LTM virtual server on that partition.
-- The issue occurs when a GSLB Server discovers that LTM virtual server and displays it on its virtual server page.
Note: This same error message displays for GSLB pool member properties accessed by navigating to GSLB :: pools :: [pool] :: members :: Member : Address. The differing issues have been fixed in differing releases. You can find information about the similar issue in the AskF5 Bug Tracker article for 722734.
Impact:
It makes the GSLB Server's virtual server's properties page unavailable in this case.
Workaround:
Use either of the following workaroudns:
-- Use TMSH to view or edit the properties of that virtual server.
-- Create partitions on the GTM device to match those appearing to be referenced in the object names.
Fix:
Partition checking has been disabled for virtual servers on the GTM side, since a virtual server owned by a server is always in the partition of that server (/Common).
710028-2 : LTM SQL monitors may stop monitoring if multiple monitors querying same database
Component: Local Traffic Manager
Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.
When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:
[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'
then multiple, periodic instances of the following message, referencing the same connection string:
Abandoning hung SQL query: '<query string>' for: '<connection string>'
or:
<connection string>(<thread-number>): Hung SQL query; abandoning
Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.
And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.
Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.
Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.
To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.
Fix:
LTM SQL monitors continue monitoring when multiple monitors/ query the same server and database.
709972-6 : CVE-2017-12613: APR Vulnerability
Solution Article: K52319810
709952-1 : Disallow DHCP relay traffic to traverse between route domains
Component: Local Traffic Manager
Symptoms:
DHCP traffic can traverse between route domains, e.g., when working with a route domain with a parent. Under certain circumstances, this is not desired.
Conditions:
DHCP relay in use on a route domain with a parent relationship or strict isolation disabled.
Impact:
The DHCP server side flow might get established to the parent route domain, and will persist even after the route in its own route domain becomes available again.
Workaround:
There is no workaround at this time.
Fix:
A db key has been introduced, tmm.dhcp.routedomain.strictisolate, which allows enforcement of route domain traversal if desired/configured.
709936 : Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
Component: TMOS
Symptoms:
/var/log/boot.log has this error:
dhcp_config: save error: 01070911:3: The requested host (ntp-servers-ip) is invalid for servers in ntp (/Common/ntp).
Conditions:
- The BIG-IP system has DHCP enabled for management interface.
- Multiple NTP servers or domain-search are specified in the dhclient lease (stored at /var/lib/dhclient/dhclient.leases).
Impact:
- DNS and NTP servers are not configured in MCPD.
- Name resolution can break.
Workaround:
None.
Fix:
Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
709828-2 : fasthttp can crash with Large Receive Offload enabled
Component: Local Traffic Manager
Symptoms:
fasthttp and lro can lead to a tmm crash.
Conditions:
fasthttp and lro enabled. (lro is enabled by default >= 13.1.0)
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use fasthttp
Fix:
fasthttp with lro enabled no longer causes tmm to crash.
709688-3 : dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
Solution Article: K08306700
709670-2 : iRule triggered from RADIUS occasionally fails to create subscribers.
Component: Policy Enforcement Manager
Symptoms:
The subscriber can not be added with the same IP address after retries. This is a rarely occurring issue: if the daily average of subscriber additions is ~30000 subscribers, 5 to 6 subscribers face this problem (0.02%).
Conditions:
Running iRule to create PEM sessions from RADIUS packets using the 'PEM::subscriber create' command.
Impact:
Intermittently (a few operations per day), the command silently fails. No session is created, and no TCL error is produced. Subscriber addition requires manual intervention.
Workaround:
Trigger a RADIUS START using a different IP address for the subscriber.
709610-3 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
Component: Policy Enforcement Manager
Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.
Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
value "0"
}
sys db tmm.pem.session.provisioning.continuous {
value "disable"
}
-- Actions occur in the following order:
1. PEM receives RADIUS START with subscriber ID1 and IP1.
2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
3. PEM receives RADIUS START with subscriber ID1 and IP2.
4. PEM receives RADIUS STOP with subscriber ID1 and IP2.
-- The time interval between steps 1 and 2 is very small (less than ~1ms).
Impact:
Subscriber session creation via PEM may fail.
Workaround:
There is no workaround other than to leave SysDbs variables set to the default values.
Fix:
The system now handles PEM subscriber session updates properly, so this issue no longer occurs.
709544-2 : VCMP guests in HA configuration become Active/Active during upgrade★
Component: TMOS
Symptoms:
When devices in a Device Service Cluster (DSC) are upgraded, multiple devices might become Active simultaneously.
During upgrade, the process erroneously clears the management-ip during reboot, and then synchronizes to other members of the DSC. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the DSC members lose contact with each other, so they all become Active.
Conditions:
-- Running on VIPRION chassis systems, either natively, or as a vCMP guest.
-- Upgrading from any affected versions (TMOS v12.1.3, TMOS v13.0.0, TMOS v13.0.1, TMOS v13.1.0), to any other version.
Impact:
When multiple devices become Active simultaneously, traffic is disrupted.
Workaround:
There is no workaround other than to remain in Active/Active state until upgrade is complete on all chassis in the DSC are finished. See K43990943: VIPRION systems configured for high availability may become active-active during the upgrade process :: https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.
Fix:
The erroneous management-ip change is not made, and the HA failover mechanism operates correctly across upgrade.
709444-2 : "NTP not configured on device" warning seen when NTP symmetric key authentication is configured
Component: TMOS
Symptoms:
When NTP symmetric key authentication is configured, as per https://support.f5.com/csp/article/K14120, and the BIG-IP is part of a device service cluster, then a warning similar to this will be seen periodically in /var/log/ltm:
warning mcpd[6317]: 01071af0:4: NTP not configured on device 1.2.3.4 - within a trust
Conditions:
- NTP symmetric key authentication must be configured.
- The BIG-IP must be part of a device service cluster.
- Non-authenticated NTP servers must not be in-use.
Impact:
Incorrect NTP warnings are seen periodically in /var/log/ltm.
Workaround:
There is no workaround at this time.
Fix:
Prevented this warning from being emitted when NTP symmetric key authentication is in-use in a device service cluster.
709383-2 : DIAMETER::persist reset non-functional
Component: Service Provider
Symptoms:
When the iRule DIAMETER::persist reset is called, it is meant to remove existing persistence records from diadb. Without this bug fix, calling DIAMETER::persist reset has no effect and the persistence record remains.
Conditions:
Diameter session profile has persistence enabled and an iRule attempts to remove a persistence record.
Impact:
You are unable to remove diameter persistence entries.
Workaround:
none
Fix:
DIAMETER::persist reset now functions properly. You can delete diameter persistence records with this iRule.
709334-1 : Memory leak when SSL Forward proxy is used and ssl re-negotiates
Component: Local Traffic Manager
Symptoms:
When looking at tmsh show sys memory you will see
ssl_compat continue to grow and fails to release memory.
Conditions:
-SSL Forward Proxy In use
-SSL Re-negotiations happening
Impact:
Eventually memory reaper will kick in.
Workaround:
There is no workaround at this time.
Fix:
ssl_compat now properly releases connections on re-negotiation.
709319-2 : Post-login client-side alerts are missing username in bigIQ
Component: Fraud Protection Services
Symptoms:
A client-side alert that contains a FPS-Username header with a value, but an empty fpm_username parameter - will be reported with "Unknown" username in bigIQ.
Conditions:
1. post login (alert is sent after submitting username parameter) client side alerts
2. alert-pool points to bigIQ IP (not Alert-Server)
Impact:
Post login client side alerts are missing username (will show as "Unknown" in bigIQ, works well with Alert-Server).
Workaround:
Route all client-side alerts to another virtual server and strip of the empty fpm_username parameter from payload/query-string.
Fix:
FPS will always send username in the fpm_username parameter in case it was empty and FPS has username value.
709274-1 : RADIUS Accounting requests egress on different Self IP addresses than they did pre-v13.1.0
Component: Access Policy Manager
Symptoms:
RADIUS Accounting requests egress different self IP addresses.
* START accounting message egresses floating self IP addresses.
* STOP accounting message egresses local self IP addresses.
Some RADIUS messages will come from floating IP addresses, some from self IP addresses. The RADIUS server should be configured to accept all self- and floating-IP addresses of all the devices in the high availability (HA) group, to ensure all messages are received.
Conditions:
RADIUS server configured with pool option.
Impact:
Causes RADIUS server to be unable to reconcile accounting messages.
Workaround:
You can reconcile accounting messages by tracking them through the Acct-Session-Id in RADIUS AVP's message, which is the same for the corresponding START and STOP messages to uniquely identify the session.
Fix:
RADIUS START and STOP messages now egress the same interface.
709256-2 : CVE-2017-9074: Local Linux Kernel Vulnerability
Solution Article: K61223103
709192-1 : GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart
Component: TMOS
Symptoms:
The export operation of SSL keys and certificate into a .tgz archive file fails when the httpd daemon is restarted.
Conditions:
-- Export SSL Keys and certificates into archive file.
-- httpd is restarted.
Impact:
Export of SSL Keys and certificates into archive file does not work immediately after httpd restart via GUI/iControl.
Workaround:
After httpd restart, perform other operation like creating a key/cert before exporting archive file.
Fix:
The system allows exporting SSL keys and certificate to be archived into .tgz files after httpd restart.
709133-2 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur
Component: Local Traffic Manager
Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error can occur.
Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- An error occurs when reading the certificate serial number.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not setting the tmm.ssl.loggingcreatedcerts BigDB variable.
Fix:
Double-free removed.
709132-1 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur
Component: Local Traffic Manager
Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a buffer overflow can occur.
Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- A malformed certificate with a serial number length equal to 256 bytes is parsed during forging.
Impact:
A off-by-one error causes one byte to write off the end of an array.
Workaround:
There is no workaround other than to not set tmm.ssl.loggingcreatedcerts BigDB variable.
Fix:
Buffer no longer overflows.
708968-2 : OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
Component: TMOS
Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not created in TMM when passed from Dynamic Routing protocols like OSPFv3.
Conditions:
- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.
Impact:
- Route entry is not created in TMM, packets addressed to such a destination might not be delivered at all or might not be delivered using the most efficient route.
- Connection between TMM and tmrouted is restarted that is a small performance overhead.
Workaround:
- If possible IPv4 address or IPv4-compatible IPv6 address should be passed instead of IPv4-mapped IPv6 address, however this depends on other routers.
708956-1 : During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
Solution Article: K51206433
Component: TMOS
Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
Dataplane INOPERABLE - only 1 HSBes found on this platform.
Conditions:
This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.
Impact:
System does not come up.
Workaround:
Reboot system.
Because this condition only happens occasionally, rebooting typically corrects the issue.
Fix:
This release fixes a race condition that might have occurred while reading FPGA firmware loading status.
708888-1 : Some DNS truncated responses may not be processed by BIG-IP
Solution Article: K79814103
Component: Advanced Firewall Manager
Symptoms:
On 13.1.x DNS responses with truncated bit set are dropped when AFM DNS DoS is enabled.
Conditions:
-- AFM DNS DoS is enabled.
-- Using 13.1.x.
Impact:
Clients do not receive truncated DNS responses.
Workaround:
Disable DNS DoS protection by changing the dos.dnsport variable to another port for which there is no valid traffic. For instance:
tmsh modify sys db dos.dnsport value 54
708840 : 13.0.0-to-13.1.0 upgrade operation on VIPRION 2250 blades might fail if global whitelist is configured
Component: Advanced Firewall Manager
Symptoms:
Upgrading from 13.0.0 to 13.1.0 on VIPRION 2250 blades might fail if global whitelist is configured. After the upgrade, the system will stay offline.
Conditions:
-- Global whitelist configured.
-- Running on VIPRION 2250 blades.
Impact:
System f