Original Publication Date: 04/18/2022
Updated Date: 03/27/2026
BIG-IP Release Information
Version: 13.1.5
Build: 32.0
Note: This content is current as of the software release date. Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Cumulative fixes from BIG-IP v13.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.6 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release
Known Issues in BIG-IP v13.1.x
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 999933-5 | CVE-2022-23017 | K28042514 , BT999933 | TMM may crash while processing DNS traffic on certain platforms | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 989701-3 | CVE-2020-25212 | K42355373 , BT989701 | CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation; when mounting an attacker-controlled remote server, that server could return a specially crafted response | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 981461-2 | CVE-2021-23032 | K45407662 , BT981461 | Unspecified DNS responses cause TMM crash | 13.1.5, 14.1.4.4, 15.1.3.1 |
| 966901-4 | CVE-2020-14364 | K09081535 , BT966901 | CVE-2020-14364: Qemu Vulnerability | 13.1.5, 14.1.4.4, 15.1.4.1 |
| 940317-2 | CVE-2020-13692 | K23157312 , BT940317 | CVE-2020-13692: PostgreSQL JDBC Driver vulnerability | 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2 |
| 937333-5 | CVE-2022-23013 | K29500533 , BT937333 | Incomplete validation of input in unspecified forms | 13.1.5, 14.1.4.4, 15.1.4 |
| 904165-4 | CVE-2020-27716 | K51574311 , BT904165 | BIG-IP APM vulnerability CVE-2020-27716 | 13.1.5, 14.1.3.1, 15.1.1 |
| 550928-3 | CVE-2022-23010 | K34360320 , BT550928 | TMM may crash when processing HTTP traffic with a FastL4 virtual server | 13.1.5, 14.1.4.4, 15.1.4.1 |
| 1089373-3 | CVE-2022-0778 | K31323265 | OpenSSL Vulnerability: CVE-2022-0778 | 13.1.5 |
| 1089237-2 | CVE-2022-0778 | K31323265 | OpenSSL Vulnerability: CVE-2022-0778 | 13.1.5 |
| 1087201-3 | CVE-2022-0778 | K31323265 | OpenSSL Vulnerability: CVE-2022-0778 | 13.1.5 |
| 1032405-5 | CVE-2021-23037 | K21435974 , BT1032405 | TMUI XSS vulnerability CVE-2021-23037 | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1030689-4 | CVE-2022-23019 | K82793463 , BT1030689 | TMM may consume excessive resources while processing Diameter traffic | 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2 |
| 1028669-3 | CVE-2019-9948 | K28622040 , BT1028669 | Python vulnerability: CVE-2019-9948 | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1028497-3 | CVE-2019-15903 | K05295469 , BT1028497 | libexpat vulnerability: CVE-2019-15903 | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1007489-3 | CVE-2022-23018 | K24358905 , BT1007489 | TMM may crash while handling specific HTTP requests | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 997193-3 | CVE-2022-23028 | K16101409 , BT997193 | TCP connections may fail when AFM global syncookies are in operation. | 13.1.5, 14.1.4.5, 15.1.5 |
| 981693-5 | CVE-2022-23024 | K54892865 , BT981693 | TMM may consume excessive resources while processing IPSec ALG traffic | 13.1.5, 14.1.4.2, 15.1.4.1 |
| 981273-4 | CVE-2021-23054 | K41997459 , BT981273 | APM webtop hardening | 13.1.5, 15.1.4 |
| 974341-4 | CVE-2022-23026 | K08402414 , BT974341 | REST API: File upload | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 974093-2 | CVE-2020-25705 | K09604370 | Linux kernel vulnerability CVE-2020-25705 | 13.1.5 |
| 962069-6 | CVE-2021-23047 | K79428827 , BT962069 | Excessive resource consumption while processing OCSP requests via APM | 13.1.5, 14.1.4.4, 15.1.3.1 |
| 941649-5 | CVE-2021-23043 | K63163637 , BT941649 | Local File Inclusion Vulnerability | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 940185-4 | CVE-2022-23023 | K11742742 , BT940185 | icrd_child may consume excessive resources while processing REST requests | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1 |
| 907201-5 | CVE-2021-23039 | K66782293 , BT907201 | TMM may crash when processing IPSec traffic | 13.1.5, 14.1.2.8, 15.1.3, 16.0.1.2 |
| 887965-4 | CVE-2022-23027 | K30573026 , BT887965 | Virtual server may stop responding while processing TCP traffic | 13.1.5, 14.1.4.4, 15.1.4 |
| 870273-2 | CVE-2020-5936 | K44020030 , BT870273 | TMM may consume excessive resources when processing SSL traffic | 12.1.5.2, 13.1.5, 14.1.2.8, 15.1.1 |
| 803965-4 | CVE-2018-20843 | K51011533 , BT803965 | Expat Vulnerability: CVE-2018-20843 | 13.1.5, 14.1.4.5, 15.1.4, 16.1.2 |
| 1013145-4 | CVE-2021-23052 | K32734107 | APM Hardening | 13.1.5, 14.1.4.4 |
| 1009725-5 | CVE-2022-23030 | K53442005 , BT1009725 | Excessive resource usage when ixlv drivers are enabled | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1008561-2 | CVE-2022-23025 | K44110411 , BT1008561 | In very rare condition, BIG-IP may crash when SIP ALG is deployed | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 1008077-3 | CVE-2022-23029 | K50343028 , BT1008077 | TMM may crash while processing TCP traffic with a FastL4 VS | 13.1.5, 14.1.4.4, 15.1.4.1 |
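The "Fixed Versions" column above is the check a practitioner actually wants to run: given the version on a device, which of these CVEs are still unfixed? The script below is an added example, not F5 code and not a tool the page describes. It parses rows in the table format used on this page and compares a running version against each row. It assumes (F5 does not state this on this page) that each listed version is the first release on its major.minor branch that contains the fix, so any later release on the same branch is also fixed, and that a branch with no listed version cannot be assumed fixed. The sample rows are copied from the Vulnerability Fixes table above; the version strings under test are constructed.

```python
"""Check a BIG-IP version against the 'Fixed Versions' column of a
vulnerability-fix table in the format used on this page.

Assumption (not stated by F5 on this page): each 'Fixed Versions' entry is
the first release on its major.minor branch that carries the fix, so later
releases on that branch are also fixed, and a branch with no entry is
reported as 'no fix listed for branch', never as fixed.
"""
from dataclasses import dataclass

# Rows copied verbatim from the Vulnerability Fixes table above.
FIX_TABLE = """\
| 999933-5 | CVE-2022-23017 | K28042514 , BT999933 | TMM may crash while processing DNS traffic on certain platforms | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 981461-2 | CVE-2021-23032 | K45407662 , BT981461 | Unspecified DNS responses cause TMM crash | 13.1.5, 14.1.4.4, 15.1.3.1 |
| 870273-2 | CVE-2020-5936 | K44020030 , BT870273 | TMM may consume excessive resources when processing SSL traffic | 12.1.5.2, 13.1.5, 14.1.2.8, 15.1.1 |
| 1089373-3 | CVE-2022-0778 | K31323265 | OpenSSL Vulnerability: CVE-2022-0778 | 13.1.5 |
"""


@dataclass(frozen=True)
class FixRow:
    bug_id: str
    cve: str
    description: str
    fixed_versions: tuple  # sorted tuple of version tuples, e.g. ((13, 1, 5), (14, 1, 4, 5))


def parse_version(text):
    """'14.1.4.5' -> (14, 1, 4, 5). Integer tuples compare numerically, so
    13.1.10 sorts after 13.1.5; a plain string comparison would get that wrong."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"bad BIG-IP version: {text!r}")
    return parts


def parse_table(text):
    """Keep only 5-column rows whose second cell is a CVE identifier."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 5 or not cells[1].startswith("CVE-"):
            continue
        fixed = tuple(sorted(parse_version(v) for v in cells[4].split(",")))
        rows.append(FixRow(cells[0], cells[1], cells[3], fixed))
    return rows


def status(row, running):
    """'fixed', 'unfixed', or 'no fix listed for branch' for one table row."""
    branch = running[:2]
    on_branch = [v for v in row.fixed_versions if v[:2] == branch]
    if not on_branch:
        return "no fix listed for branch"
    return "fixed" if running >= min(on_branch) else "unfixed"


def exposure(table_text, version_text):
    """Map each CVE in the table to its status for the given running version."""
    running = parse_version(version_text)
    return {row.cve: status(row, running) for row in parse_table(table_text)}


if __name__ == "__main__":
    # Constructed version strings; replace with the device's own version.
    for ver in ("13.1.4.1", "13.1.5", "14.1.4.4", "16.1.1"):
        print(ver, exposure(FIX_TABLE, ver))
```

Two points the output makes visible: 14.1.4.4 is fixed for CVE-2021-23032 but not for CVE-2022-23017, because the two rows name different 14.1 releases, so a check must be done per row rather than per branch; and a branch absent from a row (16.1 for CVE-2022-23017 here) is reported as having no listed fix, which is the right default for an advisory table that only records where a fix landed.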
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 818169-4 | 2-Critical | | TMM may consume excessive resources when processing DNS profiles with DNS queueing enabled | 13.1.5, 15.1.0.2 |
| 1050537-4 | 2-Critical | BT1050537 | GTM pool member with none monitor will be part of load balancing decisions. | 13.1.5 |
| 911141-5 | 3-Major | BT911141 | GTP v1 APN is not decoded/encoded properly | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 1046669-4 | 3-Major | BT1046669 | The audit forwarders may prematurely time out waiting for TACACS responses | 13.1.5 |
| 1015133-1 | 3-Major | BT1015133 | Tail loss can cause TCP TLP to retransmit slowly. | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1 |
| 985953-1 | 4-Minor | BT985953 | GRE Transparent Ethernet Bridging inner MAC overwrite | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 982697-3 | 4-Minor | | ICMP hardening | 13.1.5 |
| 1033837-4 | 4-Minor | | REST authentication tokens persist on reboot | 13.1.5 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1042993-4 | 1-Blocking | K19272127 , BT1042993 | Provisioning high availability (HA) setup wizard fails to load, reports 'No Access' | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 1002109-5 | 1-Blocking | BT1002109 | Xen binaries do not follow security best practices | 13.1.5, 14.1.4.4, 15.1.4 |
| 980325-3 | 2-Critical | BT980325 | Chmand core due to memory leak from dossier requests. | 13.1.5, 14.1.4.4, 15.1.4 |
| 957897-3 | 2-Critical | BT957897 | Unable to modify gateway-ICMP monitor fields in the GUI | 13.1.5 |
| 915981-1 | 2-Critical | | BIG-IP SCP hardening | 13.1.5 |
| 817709-4 | 2-Critical | BT817709 | IPsec: TMM cored with SIGFPE in racoon2 | 13.1.5, 14.1.2.8, 15.1.0.2 |
| 775897-3 | 2-Critical | BT775897 | High Availability failover restarts tmipsecd when tmm connections are closed | 13.1.5, 14.1.2.5 |
| 741676-1 | 2-Critical | BT741676 | Intermittent crash switching between tunnel mode and interface mode | 13.1.5, 14.1.2.8 |
| 1059185-4 | 2-Critical | | iControl REST Hardening | 13.1.5 |
| 1051561-4 | 2-Critical | | iControl REST request hardening | 13.1.5 |
| 1043277-1 | 2-Critical | K06520200 , BT1043277 | 'No access' error page displays for APM policy export and apply options. | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 1024325-1 | 2-Critical | BT1024325 | EHF installation is not updating the Linux Kernel | 13.1.5 |
| 1004929-3 | 2-Critical | BT1004929 | During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. | 13.1.5, 14.1.4.5, 15.1.5 |
| 999125-4 | 3-Major | BT999125 | After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. | 13.1.5 |
| 982341-3 | 3-Major | | iControl REST endpoint hardening | 13.1.5 |
| 969105-5 | 3-Major | BT969105 | HA failover connections via the management address do not work on vCMP guests running on VIPRION | 13.1.5, 14.1.4.4, 15.1.4 |
| 958093-1 | 3-Major | BT958093 | IPv6 routes missing after BGP graceful restart | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 956589-4 | 3-Major | BT956589 | The tmrouted daemon restarts and produces a core file | 13.1.5, 15.1.2.1 |
| 947529-3 | 3-Major | BT947529 | Security tab in virtual server menu renders slowly | 13.1.5, 14.1.4.4, 15.1.4.1 |
| 919317-2 | 3-Major | BT919317 | NSM consumes 100% CPU processing nexthops for recursive ECMP routes | 13.1.5 |
| 918409-5 | 3-Major | BT918409 | BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures | 13.1.5 |
| 856953-6 | 3-Major | BT856953 | IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1 | 13.1.5, 14.1.2.8, 15.1.4.1 |
| 809657-4 | 3-Major | BT809657 | HA Group score not computed correctly for an unmonitored pool when mcpd starts | 13.1.5, 14.1.4.4, 15.1.4.1 |
| 760950-2 | 3-Major | BT760950 | Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment | 12.1.5.3, 13.1.5, 14.1.2.7 |
| 755976-1 | 3-Major | BT755976 | ZebOS might miss kernel routes after mcpd daemon restart | 13.1.5 |
| 719555 | 3-Major | BT719555 | Interface listed as 'disable' after SFP insertion and enable | 13.1.5, 14.1.4, 15.1.1 |
| 1066285-2 | 3-Major | BT1066285 | Master Key decrypt failure - decrypt failure. | 13.1.5 |
| 1047169-4 | 3-Major | BT1047169 | GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. | 13.1.5 |
| 1045421-4 | 3-Major | K16107301 , BT1045421 | No Access error when performing various actions in the TMOS GUI | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1042009-4 | 3-Major | BT1042009 | Mcpd fails to reply if a request is proxied to another daemon and the connection to that daemon closes | 13.1.5 |
| 1032077 | 3-Major | BT1032077 | TACACS authentication fails with tac_author_read: short author body | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1022637-4 | 3-Major | BT1022637 | A partition other than /Common may fail to save the configuration to disk | 13.1.5, 15.1.5 |
| 1020789-1 | 3-Major | BT1020789 | Cannot deploy a four-core vCMP guest if the remaining cores are in use. | 13.1.5 |
| 1019085-3 | 3-Major | BT1019085 | Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file. | 13.1.5 |
| 1010393-2 | 3-Major | BT1010393 | Unable to relax AS-path attribute in multi-path selection | 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2 |
| 1008269-5 | 3-Major | BT1008269 | Error: out of stack space | 13.1.5 |
| 1003257-2 | 3-Major | BT1003257 | ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 884165-1 | 4-Minor | BT884165 | Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG | 13.1.5, 14.1.4.4, 15.1.4.1 |
| 713614-6 | 4-Minor | BT713614 | Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only) | 13.1.5, 15.1.0.5 |
| 528894-8 | 4-Minor | BT528894 | Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition | 13.1.5, 15.1.5 |
| 1071365-2 | 4-Minor | | iControl SOAP WSDL hardening | 13.1.5 |
| 1051797-4 | 4-Minor | | Linux kernel vulnerability: CVE-2018-18281 | 13.1.5 |
| 1046693-1 | 4-Minor | BT1046693 | TMM with BFD configured might crash under significant memory pressure | 13.1.5 |
| 1045549-1 | 4-Minor | BT1045549 | BFD sessions remain DOWN after graceful TMM restart | 13.1.5 |
| 1040821-1 | 4-Minor | BT1040821 | Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes | 13.1.5 |
| 1034589-4 | 4-Minor | BT1034589 | No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration. | 13.1.5 |
| 1024621-1 | 4-Minor | BT1024621 | Re-establishing BFD session might take longer than expected. | 13.1.5 |
| 1002809-5 | 4-Minor | BT1002809 | OSPF vertex-threshold should be at least 100 | 13.1.5 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1005433-1 | 1-Blocking | BT1005433 | LTM Pool Members may not be updated accurately when multiple identical database monitors are configured | 13.1.5, 14.1.4.5 |
| 931677-3 | 2-Critical | | IPv6 hardening | 13.1.5 |
| 910213-5 | 2-Critical | BT910213 | LB::down iRule command is ineffective, and can lead to inconsistent pool member status | 13.1.5 |
| 757407-2 | 2-Critical | BT757407 | Error reading RRD file may induce processes to mutually wait for each other forever | 13.1.5 |
| 1064617-4 | 2-Critical | BT1064617 | DBDaemon process may write to monitor log file indefinitely | 13.1.5 |
| 1019081-1 | 2-Critical | K97045220 , BT1019081 | HTTP/2 hardening | 13.1.5, 14.1.4.5, 15.1.3.1 |
| 1016657-5 | 2-Critical | | TMM may crash while processing LSN traffic | 13.1.5 |
| 993981-5 | 3-Major | | TMM may crash when ePVA is enabled | 13.1.5 |
| 963705-1 | 3-Major | BT963705 | Proxy ssl server response not forwarded | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 955617-5 | 3-Major | BT955617 | Cannot modify properties of a monitor that is already in use by a pool | 13.1.5 |
| 951257-2 | 3-Major | | FTP active data channels are not established | 13.1.5 |
| 941257-3 | 3-Major | BT941257 | Occasional Nitrox3 ZIP engine hang | 13.1.5, 14.1.4.4, 15.1.4 |
| 912517-5 | 3-Major | BT912517 | Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured | 13.1.5 |
| 904041-5 | 3-Major | BT904041 | Ephemeral pool members may be incorrect when modified via various actions | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 819329-3 | 3-Major | BT819329 | Specific FIPS device errors will not trigger failover | 13.1.5, 14.1.3.1, 15.1.4, 16.0.1.2 |
| 803629-4 | 3-Major | BT803629 | SQL monitor fails with 'Analyze Response failure' message even if recv string is correct | 13.1.5, 14.1.4.5, 15.1.4.1, 16.0.1.1 |
| 793669-4 | 3-Major | BT793669 | FQDN ephemeral pool members on a high availability (HA) pair are not properly synced with the new session value. | 13.1.5 |
| 757446-1 | 3-Major | BT757446 | Invoking the HTTP::respond iRule command when the HTTP2 profile is present can cause stalled or malformed responses. | 13.1.5, 14.1.2.7 |
| 672963-4 | 3-Major | BT672963 | MSSQL monitor fails against databases using non-native charset | 13.1.5 |
| 1052929-1 | 3-Major | BT1052929 | MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. | 13.1.5 |
| 1038629-2 | 3-Major | BT1038629 | DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1 |
| 1034365 | 3-Major | BT1034365 | DTLS handshake fails with DTLS1.2 client version | 13.1.5, 14.1.4.5, 15.1.5 |
| 1029897-4 | 3-Major | K63312282 , BT1029897 | Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. | 13.1.5 |
| 1023341-4 | 3-Major | | HSM hardening | 13.1.5, 16.1.1 |
| 1018577-1 | 3-Major | BT1018577 | SASP monitor does not mark pool member with same IP Address but different Port from another pool member | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1017513-1 | 3-Major | BT1017513 | Config sync fails with error Invalid monitor rule instance identifier | 13.1.5, 14.1.4.5, 16.1.2.1 |
| 1015161-4 | 3-Major | BT1015161 | Ephemeral pool member may not be created when FQDN resolves to address that matches static node | 13.1.5, 14.1.4.5 |
| 1008017-3 | 3-Major | BT1008017 | Validation failure on Enforce TLS Requirements and TLS Renegotiation | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 936557-4 | 4-Minor | BT936557 | Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled. | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 935593-2 | 4-Minor | BT935593 | Incorrect SYN re-transmission handling with FastL4 timestamp rewrite | 13.1.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 757777-2 | 4-Minor | BT757777 | bigtcp does not issue a RST in all circumstances | 13.1.5, 14.1.2.5 |
| 717806-4 | 4-Minor | BT717806 | In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured | 13.1.5 |
| 1026605-1 | 4-Minor | BT1026605 | When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes | 13.1.5 |
| 1018493-4 | 4-Minor | BT1018493 | Response code 304 from TMM Cache always closes TCP connection. | 13.1.5, 14.1.4.5, 15.1.4, 16.1.2 |
| 898929-1 | 5-Cosmetic | BT898929 | Tmm might crash when ASM, AVR, and pool connection queuing are in use | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1 |
| 873249-4 | 5-Cosmetic | BT873249 | Switching from fast_merge to slow_merge can result in incorrect tmm stats | 13.1.5 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 995853-4 | 2-Critical | BT995853 | Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error. | 13.1.5, 14.1.4.4, 15.1.4 |
| 905557-5 | 2-Critical | BT905557 | Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure | 13.1.5, 14.1.4, 15.1.2 |
| 850509-2 | 2-Critical | BT850509 | Zone Trusted Signature inadequately maintained, following change of master key | 13.1.5, 14.1.4.4, 15.1.2 |
| 741862-2 | 2-Critical | BT741862 | DNS GUI may generate error or display names with special characters incorrectly. | 13.1.5 |
| 1064961-5 | 2-Critical | | big3d may consume excessive resources when processing route domains | 13.1.5 |
| 1062513-1 | 2-Critical | BT1062513 | GUI returns 'no access' error message when modifying a GTM pool property. | 13.1.5 |
| 1035853-5 | 2-Critical | K41415626 , BT1035853 | Transparent DNS Cache can consume excessive resources. | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2 |
| 993489-6 | 3-Major | BT993489 | GTM daemon leaks memory when reading GTM link objects | 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1 |
| 847105-4 | 3-Major | BT847105 | The bigip_gtm.conf is reverted to default after rebooting with license expired | 13.1.5, 14.1.4.4, 15.1.4.1 |
| 644192-6 | 3-Major | K23022557 , BT644192 | Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN | 11.6.5.3, 13.1.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 1046785-5 | 3-Major | BT1046785 | Missing GTM probes when max synchronous probes are exceeded. | 13.1.5 |
| 1044425-5 | 3-Major | | NSEC3 record improvements for NXDOMAIN | 13.1.5 |
| 1024553-4 | 3-Major | BT1024553 | GTM Pool member set to monitor type "none" results in big3d: timed out | 13.1.5, 14.1.4.5, 15.1.5 |
| 1021417-5 | 3-Major | BT1021417 | Modifying GTM pool members with replace-all-with results in pool members with order 0 | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1021061-1 | 3-Major | BT1021061 | Config fails to load for large config on platform with Platform FIPS license enabled | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1 |
| 1018613-5 | 3-Major | BT1018613 | Modifying wide IP pools with replace-all-with results in pools with the same order 0 | 13.1.5 |
| 1011285-5 | 3-Major | BT1011285 | The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects. | 13.1.5, 15.1.5 |
| 816277-3 | 4-Minor | BT816277 | Extremely long nameserver name causes GUI Error | 13.1.5, 14.1.4.4 |
| 753821-1 | 4-Minor | BT753821 | 'TCP RST from remote system' log messages are logged if GTM/DNS is licensed but not provisioned | 13.1.5 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 997137-5 | 2-Critical | | CSRF token modification may allow WAF bypass on GET requests | 13.1.5, 14.1.4.4, 15.1.4.1 |
| 993613-3 | 2-Critical | BT993613 | Device fails to request full sync | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1 |
| 970329-5 | 2-Critical | | ASM hardening | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 965229-4 | 2-Critical | BT965229 | ASM Load hangs after upgrade | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 912149-3 | 2-Critical | BT912149 | ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 879841-2 | 2-Critical | BT879841 | Domain cookie same-site option is missing the "None" as value in GUI and rest | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 723061-1 | 2-Critical | BT723061 | Possible tmm core during high load, or when an ASM policy is enabled by other modules | 13.1.5 |
| 1069449-4 | 2-Critical | | ASM attack signatures may not match cookies as expected | 13.1.5 |
| 1019853-4 | 2-Critical | K30911244 , BT1019853 | Some signatures are not matched under specific conditions | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1011061-5 | 2-Critical | | Certain attack signatures may not match in multipart content | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 987157 | 3-Major | K05391775 | BIG-IP ASM system may not properly perform attack signature checks | 13.1.5 |
| 984593-4 | 3-Major | BT984593 | BD crash | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1 |
| 964245-4 | 3-Major | BT964245 | ASM reports and enforces username always | 13.1.5, 14.1.4.4, 15.1.4 |
| 962497-5 | 3-Major | BT962497 | BD crash after ICAP response | 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2 |
| 956937 | 3-Major | | Duplicate Attack signature sets in policy containing server technologies | 13.1.5 |
| 946081-4 | 3-Major | BT946081 | Getcrc tool help displays directory structure instead of version | 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2 |
| 932133-4 | 3-Major | BT932133 | Payloads with large number of elements in XML take a lot of time to process | 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2 |
| 926845-3 | 3-Major | BT926845 | Inactive ASM policies are deleted upon upgrade | 13.1.5 |
| 920197-1 | 3-Major | BT920197 | Brute force mitigation can stop mitigating without a notification | 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2 |
| 871905-5 | 3-Major | K02705117 , BT871905 | Incorrect masking of parameters in event log | 13.1.5, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 871881-3 | 3-Major | BT871881 | Apply Policy action is not synchronized after making bulk signature changes | 13.1.5 |
| 867825-1 | 3-Major | BT867825 | Export/Import on a parent policy leaves children in an inconsistent state | 13.1.5, 14.1.4.4, 15.1.4 |
| 857633-4 | 3-Major | BT857633 | Attack Type (SSRF) appears incorrectly in REST result | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 842013-5 | 3-Major | BT842013 | ASM Configuration is Lost on License Reactivation | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 818889-4 | 3-Major | BT818889 | False positive malformed json or xml violation. | 13.1.5 |
| 785873-1 | 3-Major | BT785873 | ASM should treat 'Authorization: Negotiate TlR' as NTLM | 13.1.5, 14.1.4.5 |
| 767057-3 | 3-Major | BT767057 | In a sync-only device group, inactive policy is synced to peer, ASM is removed from virtual server | 13.1.5, 14.1.4.4 |
| 753715-3 | 3-Major | BT753715 | False positive JSON max array length violation | 13.1.5, 14.1.4.4, 15.1.4.1 |
| 731168-2 | 3-Major | BT731168 | BIG-IP may attempt to write to an out of bounds memory location, causing the bd daemon to crash. | 13.1.5, 14.1.4.5 |
| 712336-2 | 3-Major | BT712336 | bd daemon restart loop | 12.1.5.3, 13.1.5, 14.1.4.4 |
| 1072197-4 | 3-Major | | Issue with input normalization in WebSocket. | 13.1.5 |
| 1067285-4 | 3-Major | | Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' | 13.1.5 |
| 1060933-4 | 3-Major | | Issue with input normalization. | 13.1.5 |
| 1051213-4 | 3-Major | BT1051213 | Increase default value for violation 'Check maximum number of headers'. | 13.1.5 |
| 1051209-4 | 3-Major | | BD may not process certain HTTP payloads as expected | 13.1.5 |
| 1045101-1 | 3-Major | | Bd may crash while processing ASM traffic | 13.1.5, 15.1.5, 16.1.2.1 |
| 1043385-1 | 3-Major | | No Signature detected If Authorization header is missing padding. | 13.1.5 |
| 1042069-4 | 3-Major | | Some signatures are not matched under specific conditions. | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2.1 |
| 1038733-1 | 3-Major | | Attack signature not detected for unsupported authorization types. | 13.1.5 |
| 1037457-4 | 3-Major | | High CPU during specific dos mitigation | 13.1.5 |
| 1031445 | 3-Major | | Intermittent false positive unparseable request violations with unknown authorization | 13.1.5 |
| 1030853-4 | 3-Major | BT1030853 | Route domain IP exception is being treated as trusted (for learning) after being deleted | 13.1.5 |
| 1023993-1 | 3-Major | | Brute Force is not blocking requests, even when auth failure happens multiple times | 13.1.5 |
| 1022269-4 | 3-Major | BT1022269 | False positive RFC compliant violation | 13.1.5, 14.1.4.4, 15.1.4, 16.1.2 |
| 1011069-5 | 3-Major | | Group/User R/W permissions should be changed for .pid and .cfg files. | 13.1.5 |
| 1004069-3 | 3-Major | BT1004069 | Brute force attack is detected too soon | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2 |
| 944441-4 | 4-Minor | BT944441 | BD_XML logs memory usage at TS_DEBUG level | 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2 |
| 941249-1 | 4-Minor | BT941249 | Improvement to getcrc tool to print cookie names when cookie attributes are involved | 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2 |
| 844045-1 | 4-Minor | | ASM Response event logging for "Illegal response" violations. | 13.1.5 |
| 1055453-1 | 4-Minor | BT1055453 | Blocking page trims the last digit of the Support ID. | 13.1.5 |
| 1050697-1 | 4-Minor | | Traffic learning page counts Disabled signatures when they are ready to be enforced | 13.1.5 |
| 1038741-1 | 4-Minor | BT1038741 | NTLM type-1 message triggers "Unparsable request content" violation. | 13.1.5 |
| 1036521-5 | 4-Minor | BT1036521 | TMM crash in certain cases | 13.1.5 |
| 1034941-4 | 4-Minor | BT1034941 | Exporting and then re-importing "some" XML policy does not load the XML content-profile properly | 13.1.5 |
| 1020717-1 | 4-Minor | | Policy versions cleanup process sometimes removes newer versions | 13.1.5 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 932137-3 | 3-Major | BT932137 | AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade | 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2 |
| 926341-4 | 3-Major | BT926341 | RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade | 13.1.5, 14.1.4.4, 15.1.4 |
| 922105-5 | 3-Major | BT922105 | Avrd core when connection to BIG-IQ data collection device is not available | 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2 |
| 909161-5 | 3-Major | BT909161 | A core file is generated upon avrd process restart or stop | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 832805-3 | 3-Major | BT832805 | AVR should make sure file permissions are correct (tmstat_tables.xml) | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 787677-1 | 3-Major | BT787677 | AVRD stays at 100% CPU constantly on some systems | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 1038913-1 | 3-Major | | The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category | 13.1.5 |
| 1035133-1 | 3-Major | BT1035133 | Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 948113-5 | 4-Minor | BT948113 | User-defined report scheduling fails | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 579219-1 | 2-Critical | BT579219 | Access keys missing from SessionDB after multi-blade reboot. | 13.1.5, 14.1.2.8, 15.1.1 |
| 992073-5 | 3-Major | | APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS | 13.1.5 |
| 827393-4 | 3-Major | BT827393 | In rare cases tmm crash is observed when using APM as RDG proxy. | 13.1.5, 14.1.4.5, 16.1.2.1 |
| 470346-4 | 3-Major | BT470346 | Some IPv6 client connections get RST when connecting to APM virtual | 13.1.5, 14.1.4.3, 15.1.4 |
| 423519-1 | 3-Major | | Bypass disabling the redirection controls configuration of APM RDP Resource. | 13.1.5 |
| 1007629-3 | 3-Major | BT1007629 | APM policy configured with many ACL policies can create APM memory pressure | 13.1.5, 14.1.4.4, 15.1.4.1 |
| 1002557-4 | 3-Major | BT1002557 | Tcl free object list growth | 13.1.5, 14.1.4.4, 15.1.4.1 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1047053-4 | 2-Critical | | TMM may consume excessive resources while processing RTSP traffic | 13.1.5, 15.1.5 |
| 1012721-3 | 2-Critical | BT1012721 | Tmm may crash with SIP-ALG deployment in a particular race condition | 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.1 |
| 996113-5 | 3-Major | BT996113 | SIP messages with unbalanced escaped quotes in headers are dropped | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 957905-4 | 3-Major | BT957905 | SIP requests/responses over TCP without a Content-Length header are not aborted by BIG-IP. | 13.1.5 |
| 805821-5 | 3-Major | BT805821 | GTP log message contains no useful information | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 1078721-3 | 3-Major | | TMM may consume excessive resources while processing ICAP traffic | 13.1.5 |
| 919301-5 | 4-Minor | BT919301 | GTP::ie count does not work with -message option | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 913413-5 | 4-Minor | BT913413 | 'GTP::header extension count' iRule command returns 0 | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 913409-5 | 4-Minor | BT913409 | GTP::header extension command may abort connection due to unreasonable TCL error | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 913393-5 | 5-Cosmetic | BT913393 | Tmsh help page for GTP iRule contains incorrect and missing information | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1049229-4 | 2-Critical | BT1049229 | When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 756595-2 | 1-Blocking | BT756595 | Traffic redirection to an internal virtual server may fail. | 13.1.5 |
| 946325-4 | 3-Major | | PEM subscriber GUI hardening | 13.1.5 |
Carrier-Grade NAT Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 975593-1 | 3-Major | | TMM may crash while processing IPSec traffic | 13.1.5, 14.1.4.5 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 873617-4 | 3-Major | BT873617 | DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. | 13.1.5 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1023437-5 | 3-Major | | Buffer overflow during attack with large HTTP Headers | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1 |
| 1060409-1 | 4-Minor | | Behavioral DoS enable checkbox is wrong. | 13.1.5 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 686783-4 | 4-Minor | BT686783 | UrlCat custom database feed list does not work when the URL contains a www prefix or capital letters. | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
Protocol Inspection Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 965853-5 | 3-Major | | IM package file hardening ☆ | 13.1.5 |
Guided Configuration Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 982757-7 | 3-Major | | APM Access Guided Configuration hardening | 13.1.5 |
In-tmm monitors Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 944121-2 | 3-Major | BT944121 | Missing SNI information when using non-default domain https monitor running in TMM mode. | 13.1.5 |
Cumulative fixes from BIG-IP v13.1.4.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 989009-5 | CVE-2021-23033 | K05314769 , BT989009 | BD daemon may crash while processing WebSocket traffic | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
| 980125-5 | CVE-2021-23030 | K42051445 , BT980125 | BD Daemon may crash while processing WebSocket traffic | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
| 935433-5 | CVE-2021-23026 | K53854428 , BT935433 | iControl SOAP | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
| 794561-4 | CVE-2020-5874 | K46901953 , BT794561 | TMM may crash while processing JWT/OpenID traffic. | 13.1.4.1, 14.0.1.1, 14.1.2.5, 15.0.1.3 |
| 968349-4 | CVE-2021-23048 | K19012930 , BT968349 | TMM crashes with unspecified message | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
| 965485-1 | CVE-2019-5482 | K41523201 | CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 950017-4 | CVE-2021-23045 | K94941221 , BT950017 | TMM may crash while processing SCTP traffic | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
| 949889-1 | CVE-2019-3900 | K04107324 , BT949889 | CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 942701-4 | CVE-2021-23044 | K35408374 , BT942701 | TMM may consume excessive resources while processing HTTP traffic | 13.1.4.1, 14.1.4.2, 15.1.3.1 |
| 937365-5 | CVE-2021-23041 | K42526507 , BT937365 | LTM UI does not follow best practices | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
| 907245-4 | CVE-2021-23040 | K94255403 , BT907245 | AFM UI Hardening | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
| 906377-5 | CVE-2021-23038 | K61643620 , BT906377 | iRulesLX hardening | 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2 |
| 842829-5 | CVE-2018-16300, CVE-2018-14881, CVE-2018-14882, CVE-2018-16230, CVE-2018-16229, CVE-2018-16227, CVE-2019-15166, CVE-2018-16228, CVE-2018-16451, CVE-2018-16452, CVE-2018-10103, CVE-2018-10105, CVE-2018-14468 | K04367730 , BT842829 | Multiple tcpdump vulnerabilities | 13.1.4.1, 14.1.3.1, 15.1.3 |
| 803933-4 | CVE-2018-20843 | K51011533 , BT803933 | Expat XML parser vulnerability CVE-2018-20843 | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
| 797769-3 | CVE-2019-11599 | K51674118 | Linux vulnerability : CVE-2019-11599 | 13.1.4.1, 15.1.4, 16.0.1.2 |
| 968733-4 | CVE-2018-1120 | K42202505 , BT968733 | CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 995629-1 | 2-Critical | BT995629 | Loading UCS files may hang if ASM is provisioned ☆ | 13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 990849-4 | 2-Critical | BT990849 | Loading UCS with platform-migrate option hangs and requires exiting from the command ☆ | 13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2 |
| 967905-1 | 2-Critical | BT967905 | Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
| 1000973-1 | 2-Critical | BT1000973 | Unanticipated restart of TMM due to heartbeat failure | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
| 994801-5 | 3-Major | | SCP file transfer system | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
| 756820-1 | 3-Major | BT756820 | Non-UTF8 characters returned from /bin/createmanifest | 13.1.4.1 |
| 713708 | 3-Major | BT713708 | Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI | 13.1.4.1 |
| 819053-4 | 4-Minor | | CVE-2019-13232 unzip: overlapping of files in ZIP container | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
| 1004417-2 | 4-Minor | BT1004417 | Provisioning error message during boot up ☆ | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 754143-2 | 2-Critical | K45456231 , BT754143 | TCP connection may hang after FIN | 13.1.4.1, 14.1.0.2 |
| 760050-4 | 3-Major | BT760050 | "cwnd too low" warning message seen in logs | 13.1.4.1, 14.1.2.7, 15.1.4 |
| 752530-3 | 3-Major | BT752530 | TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput. | 13.1.4.1, 14.1.2.7 |
| 752334-3 | 3-Major | BT752334 | Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation | 13.1.4.1, 14.1.2.7 |
| 962433-2 | 4-Minor | BT962433 | HTTP::retry for a HEAD request fails to create new connection | 13.1.4.1, 14.1.4.3, 15.1.4 |
| 962177-4 | 4-Minor | BT962177 | Results of POLICY::names and POLICY::rules commands may be incorrect | 13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2 |
| 830833-3 | 4-Minor | BT830833 | HTTP PSM blocking resets should have better log messages | 13.1.4.1, 14.1.2.5, 15.0.1.1 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 918597-1 | 2-Critical | BT918597 | Under certain conditions, deleting a topology record can result in a crash. | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 973261-5 | 3-Major | BT973261 | GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 912001-1 | 3-Major | BT912001 | TMM cores on secondary blades of the Chassis system. | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 863917-4 | 3-Major | BT863917 | The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval. | 13.1.4.1, 14.1.4.5, 15.1.3, 16.0.1.2 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 996381-5 | 2-Critical | K41503304 , BT996381 | ASM attack signature may not match as expected | 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1 |
| 968421-5 | 2-Critical | K30291321 , BT968421 | ASM attack signature doesn't match | 11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2 |
| 943913-5 | 2-Critical | K30150004 , BT943913 | ASM attack signature does not match | 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2 |
| 1017645-4 | 2-Critical | BT1017645 | False positive HTTP compliance violation | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
| 955017-5 | 3-Major | BT955017 | Excessive CPU consumption by asm_config_event_handler | 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2 |
| 950917-3 | 3-Major | BT950917 | Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 | 13.1.4.1, 14.1.4.2, 15.1.4 |
| 928685-4 | 3-Major | K49549213 , BT928685 | ASM Brute Force mitigation not triggered as expected | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
| 907337-5 | 3-Major | BT907337 | BD crash on specific scenario | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 888289-4 | 3-Major | BT888289 | Add option to skip percent characters during normalization | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1 |
| 830341-4 | 3-Major | BT830341 | False positives Mismatched message key on ASM TS cookie | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2.1 |
| 792341-4 | 3-Major | BT792341 | Google Analytics shows incorrect stats. | 13.1.4.1, 14.1.4.2 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 932485-1 | 3-Major | BT932485 | Incorrect sum(hits_count) value in aggregate tables | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 913085-5 | 3-Major | BT913085 | Avrd core when avrd process is stopped or restarted | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 889497-1 | 2-Critical | BT889497 | Deleting a log profile causes urldb and urldbmgrd CPU utilization to increase to over 90% | 13.1.4.1 |
| 866109-4 | 3-Major | BT866109 | JWK keys frequency does not support fewer than 60 minutes | 13.1.4.1, 14.1.4.2, 15.1.4 |
| 673748-2 | 3-Major | K19534801 , BT673748 | ng_export, ng_import might leave security.configpassword in invalid state | 12.1.3.2, 13.1.4.1 |
| 747234-4 | 4-Minor | BT747234 | Macro policy does not find corresponding access-profile directly | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 685888-1 | 4-Minor | BT685888 | OAuth client stores incorrectly escaped JSON values in session variables | 13.1.4.1 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 868781-3 | 2-Critical | BT868781 | TMM crashes while processing MRF traffic | 13.1.4.1, 14.1.4.2, 15.1.1 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 948573-3 | 3-Major | BT948573 | Wr_urldbd list of valid TLDs needs to be updated | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
Cumulative fixes from BIG-IP v13.1.4 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 980809-4 | CVE-2021-23031 | K41351250 , BT980809 | ASM REST Signature Rule Keywords Tool Hardening | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 962341-3 | CVE-2021-23028 | K00602225 , BT962341 | BD crash while processing JSON content | 13.1.4, 14.1.4.2, 15.1.3.1, 16.0.1.2 |
| 882633-5 | CVE-2021-23008 | K51213246 , BT882633 | Active Directory authentication does not follow current best practices | 12.1.6, 13.1.4, 14.1.4, 15.1.3 |
| 754855-4 | CVE-2020-27714 | K60344652 , BT754855 | TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile | 13.1.4, 14.1.3.1, 15.1.1 |
| 990333-3 | CVE-2021-23016 | K75540265 , BT990333 | APM may return unexpected content when processing HTTP requests | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 945109-5 | CVE-2015-9382 | K46641512 , BT945109 | Freetype Parser Skip Token Vulnerability CVE-2015-9382 | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 938233-4 | CVE-2021-23042 | K93231374 | An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization | 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
| 932697-1 | CVE-2021-23000 | K34441555 , BT932697 | BIG-IP TMM vulnerability CVE-2021-23000 | 12.1.5.3, 13.1.4, 14.1.4 |
| 877109-5 | CVE-2021-23012 | K04234247 | Unspecified input can break intended functionality in iHealth proxy | 13.1.4, 14.1.4, 15.1.3, 16.0.1.1 |
| 718189-2 | CVE-2021-23011 | K10751325 , BT718189 | Unspecified IP traffic can cause low-memory conditions | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1 |
| 1003557-5 | CVE-2021-23015 | K74151369 , BT1003557 | Not following best practices in Guided Configuration Bundle Install worker | 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2 |
| 1002561-4 | CVE-2021-23007 | K37451543 , BT1002561 | TMM vulnerability CVE-2021-23007 | 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 838909-6 | CVE-2020-5893 | K97733133 , BT838909 | BIG-IP APM Edge Client vulnerability CVE-2020-5893 | 11.6.5.2, 12.1.5.2, 13.1.4, 14.1.2.4, 15.1.0.2 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 912289-4 | 2-Critical | BT912289 | Cannot roll back after upgrading on certain platforms ☆ | 12.1.6, 13.1.4, 14.1.4, 15.1.1 |
| 933777-3 | 3-Major | BT933777 | Context use and syntax changes clarification | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 913829-2 | 3-Major | BT913829 | i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
| 794417-2 | 3-Major | BT794417 | Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not ☆ | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
| 719338-4 | 4-Minor | BT719338 | Concurrent management SSH connections are unlimited | 13.1.4, 14.1.4, 15.1.1 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 915305-2 | 2-Critical | BT915305 | Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded | 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 888341-3 | 2-Critical | BT888341 | HA Group failover may fail to complete Active/Standby state transition | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
| 886693-1 | 2-Critical | BT886693 | System might become unresponsive after upgrading. ☆ | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
| 785017-4 | 2-Critical | BT785017 | Secondary blades go offline after new primary is elected | 13.1.4, 14.1.4, 15.1.3 |
| 743975-2 | 2-Critical | BT743975 | TMM crash (SIGFPE) when starting on a vCMP guest | 12.1.6, 13.1.4 |
| 967745-4 | 3-Major | BT967745 | Last resort pool error for the modify command for Wide IP | 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 922297-4 | 3-Major | BT922297 | TMM does not start when using more than 11 interfaces with more than 11 vCPUs | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 838901-1 | 3-Major | BT838901 | TMM receives invalid rx descriptor from HSB hardware | 13.1.4, 14.1.4, 15.1.2 |
| 829821-4 | 3-Major | BT829821 | Mcpd may miss its high availability (HA) heartbeat if a very large number of pool members are configured | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 829317-1 | 3-Major | BT829317 | Memory leak in icrd_child due to concurrent REST usage | 13.1.4, 14.1.3, 14.1.3.1, 15.1.0.2 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 922317-1 | 2-Critical | BT922317 | Using the LSN::persistence_entry command in an iRule may cause crashes and/or stalled connections | 12.1.6, 13.1.4 |
| 920265 | 2-Critical | BT920265 | TMM may crash if a virtual server undergoes a series of specific configuration changes involving the transparent-nexthop option. | 13.1.4 |
| 876801-1 | 2-Critical | BT876801 | Tmm crash: invalid route type | 13.1.4, 14.1.4, 15.1.2 |
| 953845-5 | 3-Major | BT953845 | After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart | 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1 |
| 926929-1 | 3-Major | BT926929 | RFC Compliance Enforcement lacks configuration availability | 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.2 |
| 919049 | 3-Major | BT919049 | Guest fails to come up when vCMP guest and host both run BIG-IP v13.1.3.3, assigning FIPS partition | 13.1.4 |
| 889601-5 | 3-Major | K14903688 , BT889601 | OCSP revocation not properly checked | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
| 888517-4 | 3-Major | BT888517 | Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU. ☆ | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 858701-4 | 3-Major | BT858701 | Running config and saved config have different route-advertisement values after upgrading from 11.x/12.x ☆ | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
| 825689-5 | 3-Major | | Enhance FIPS crypto-user storage | 12.1.6, 13.1.4, 14.1.4, 15.1.1 |
| 809597-1 | 3-Major | BT809597 | Memory leak in icrd_child observed during REST usage | 13.1.4, 14.1.3, 15.1.0.2 |
| 784565-4 | 3-Major | BT784565 | VLAN groups are incompatible with fast-forwarded flows | 11.6.5.3, 12.1.5.2, 13.1.4, 15.0.1.1 |
| 763093-1 | 3-Major | BT763093 | LRO packets are not taken into account for ifc_stats (VLAN stats) | 13.1.4 |
| 773253-2 | 4-Minor | BT773253 | The BIG-IP may send VLAN failsafe probes from a disabled blade | 13.1.4, 14.1.4.2, 15.1.2.1 |
| 724746-1 | 4-Minor | BT724746 | Incorrect RST message after 'reject' command | 13.1.4 |
| 693901-4 | 4-Minor | BT693901 | Active FTP data connection may change source port on client-side | 11.6.5.3, 12.1.6, 13.1.4 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 858973-4 | 3-Major | BT858973 | DNS request matches less specific WideIP when adding new wildcard wideips | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
| 712335-1 | 4-Minor | BT712335 | GTMD may intermittently crash under unusual conditions. | 12.1.6, 13.1.4, 14.1.2.7 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 941621-4 | 3-Major | K91414704 , BT941621 | Brute Force breaks server's Post-Redirect-Get flow | 13.1.4, 14.1.4, 15.1.3, 16.0.1.1 |
| 929001-5 | 3-Major | K48321015 , BT929001 | ASM form handling improvements | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 846057-1 | 3-Major | BT846057 | UCS backup archive may include unnecessary files | 13.1.4, 14.1.4, 15.1.3 |
| 673272-5 | 3-Major | BT673272 | Search by "Signature ID is" does not return results for some signature IDs | 13.1.4, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 824093-1 | 4-Minor | BT824093 | Parameters payload parser issue | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 981385-5 | 3-Major | BT981385 | AVRD does not send HTTP events to BIG-IQ DCD | 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2 |
| 949593-1 | 3-Major | BT949593 | Unable to load config if AVR widgets were created under '[All]' partition ☆ | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 628645 | 3-Major | BT628645 | Classification signatures fail to update and there are no errors in the GUI ☆ | 13.1.4 |
Cumulative fixes from BIG-IP v13.1.3.6 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 975233-4 | CVE-2021-22992 | K52510511 , BT975233 | Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 973333-2 | CVE-2021-22991 | K56715231 , BT973333 | TMM buffer-overflow vulnerability CVE-2021-22991 | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 955145-4 | CVE-2021-22986 | K03009991 , BT955145 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 954381-4 | CVE-2021-22986 | K03009991 , BT954381 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 953677-4 | CVE-2021-22987, CVE-2021-22988 | K18132488, K70031188, BT953677 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 950077-4 | CVE-2021-22987, CVE-2021-22988 | K18132488, K70031188, BT950077 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1 |
| 981169-4 | CVE-2021-22994 | K66851119 , BT981169 | F5 TMUI XSS vulnerability CVE-2021-22994 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 959121-1 | CVE-2021-23015 | K74151369 , BT959121 | Not following best practices in Guided Configuration Bundle Install worker | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
| 953729-4 | CVE-2021-22989, CVE-2021-22990 | K56142644, K45056101, BT953729 | Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 949933-3 | CVE-2021-22980 | K29282483 , BT949933 | BIG-IP APM CTU vulnerability CVE-2021-22980 | 13.1.3.6, 14.1.4, 15.1.4, 16.0.1.1 |
| 941449-5 | CVE-2021-22993 | K55237223 , BT941449 | BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 931837-3 | CVE-2020-13817 | K55376430 , BT931837 | NTP has predictable timestamps | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 931513-4 | CVE-2021-22977 | K14693346 , BT931513 | TMM vulnerability CVE-2021-22977 | 13.1.3.6, 14.1.3.1, 15.1.1, 16.0.1.1 |
| 921337-1 | CVE-2021-22976 | K88230177 , BT921337 | BIG-IP ASM WebSocket vulnerability CVE-2021-22976 | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 916821-5 | CVE-2021-22974 | K68652018 , BT916821 | iControl REST vulnerability CVE-2021-22974 | 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 834257-5 | CVE-2020-5931 | K25400442 , BT834257 | TMM may crash when processing HTTP traffic | 13.1.3.6, 14.1.2.5, 15.1.1 |
| 976925-4 | CVE-2021-23002 | K71891773 , BT976925 | BIG-IP APM VPN vulnerability CVE-2021-23002 | 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 948769-3 | CVE-2021-23013 | K05300051 , BT948769 | TMM panic with SCTP traffic | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
| 939845-4 | CVE-2021-23004 | K31025212 , BT939845 | BIG-IP MPTCP vulnerability CVE-2021-23004 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 939841-4 | CVE-2021-23003 | K43470422 , BT939841 | BIG-IP MPTCP vulnerability CVE-2021-23003 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 937637-5 | CVE-2021-23002 | K71891773 , BT937637 | BIG-IP APM VPN vulnerability CVE-2021-23002 | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
| 935401-5 | CVE-2021-23001 | K06440657 , BT935401 | BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 832757-4 | CVE-2017-18551 | K48073202 , BT832757 | Linux kernel vulnerability CVE-2017-18551 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.3 |
| 743105-6 | CVE-2021-22998 | K31934524 , BT743105 | BIG-IP SNAT vulnerability CVE-2021-22998 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 693360-5 | CVE-2020-27721 | K52035247 , BT693360 | A virtual server status changes to yellow while still available | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1 |
| 825413-1 | CVE-2021-23053 | K36942191 , BT825413 | ASM may consume excessive resources when matching signatures | 13.1.3.6, 14.1.3.1, 15.1.3 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 742860 | 3-Major | BT742860 | VE: Predictable NIC ordering based on PCI coordinates until ordering is saved. | 13.1.3.6, 14.1.4 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 940021-1 | 2-Critical | BT940021 | Syslog-ng hang may lead to unexpected reboot | 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 769169-1 | 2-Critical | BT769169 | BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring | 13.1.3.6, 14.0.0.5, 14.1.2.5 |
| 737322-4 | 2-Critical | BT737322 | tmm may crash at startup if the configuration load fails | 12.1.5.3, 13.1.3.6 |
| 703039-2 | 2-Critical | BT703039 | Empty results on /tm/sys/config-diff/stats | 13.1.3.6, 14.0.0 |
| 930741-4 | 3-Major | BT930741 | Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot | 13.1.3.6, 14.1.3.1, 15.1.2 |
| 927941-2 | 3-Major | BT927941 | IPv6 static route BFD does not come up after OAMD restart | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
| 913433-4 | 3-Major | BT913433 | On blade failure, some trunked egress traffic is dropped. | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
| 896553-4 | 3-Major | BT896553 | On blade failure, some trunked egress traffic is dropped. | 13.1.3.6, 14.1.4, 15.1.3 |
| 867181-4 | 3-Major | BT867181 | ixlv: double tagging is not working | 13.1.3.6, 14.1.3.1, 15.1.2 |
| 865241-4 | 3-Major | BT865241 | Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0" | 13.1.3.6, 14.1.3.1, 15.1.2 |
| 843597-4 | 3-Major | BT843597 | Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle | 13.1.3.6, 14.1.3.1, 15.1.2 |
| 842189-3 | 3-Major | BT842189 | Tunnels removed when going offline are not restored when going back online | 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.2.1 |
| 829193-5 | 3-Major | BT829193 | REST system unavailable due to disk corruption | 13.1.3.6, 14.1.3.1, 15.1.0.4 |
| 820845-1 | 3-Major | BT820845 | Self-IP does not respond to ARP / Neighbour Discovery when EtherIP tunnels are in use. | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
| 759596-3 | 3-Major | BT759596 | Tcl errors in iRules 'table' command | 12.1.5.3, 13.1.3.6, 14.1.4 |
| 754132-3 | 3-Major | BT754132 | An NLRI carrying default route information is not propagated on the 'clear ip bgp <neighbor router-id> soft out' command | 13.1.3.6, 14.1.4 |
| 749007-3 | 3-Major | BT749007 | South Sudan, Sint Maarten, and Curacao country missing in GTM region list | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
| 744252-3 | 3-Major | BT744252 | BGP route map community value: either component cannot be set to 65535 | 13.1.3.6, 14.1.4 |
| 933461-2 | 4-Minor | BT933461 | BGP multi-path candidate selection does not work properly in all cases. | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 892677-3 | 4-Minor | BT892677 | Loading config file with imish adds the newline character | 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 800193 | 4-Minor | BT800193 | Update OpenSSH to version 7 or later for disabling of DSA keys | 13.1.3.6 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 726518-4 | 2-Critical | BT726518 | Tmsh show command terminated with CTRL-C can cause TMM to crash. | 13.1.3.6, 14.1.2.8, 15.1.2 |
| 705768-5 | 2-Critical | BT705768 | The dynconfd process may core and restart with multiple DNS name servers configured | 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2 |
| 949145-3 | 3-Major | BT949145 | Improve TCP's response to partial ACKs during loss recovery | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 879413-4 | 3-Major | BT879413 | Statsd fails to start if one or more of its *.info files becomes corrupted | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 860005-4 | 3-Major | BT860005 | Ephemeral nodes/pool members may be created for wrong FQDN name | 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2 |
| 857845-5 | 3-Major | BT857845 | TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule | 13.1.3.6, 14.1.3.1, 15.1.2 |
| 851045-4 | 3-Major | BT851045 | LTM database monitor may hang when monitored DB server goes down | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.1 |
| 814761-3 | 3-Major | BT814761 | PostgreSQL monitor fails on second ping with count != 1 | 12.1.5.3, 13.1.3.6, 14.1.2.3, 15.0.1.3 |
| 805017-3 | 3-Major | BT805017 | DB monitor marks pool member down if no send/recv strings are configured | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.3 |
| 803233-4 | 3-Major | BT803233 | Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable | 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1 |
| 772545-1 | 3-Major | BT772545 | Tmm core in SSLO environment | 13.1.3.6, 14.1.2.3, 15.0.1.1 |
| 759056-1 | 3-Major | BT759056 | stpd memory leak on secondary blades in a multi-blade system | 13.1.3.6, 14.1.3.1 |
| 747077-1 | 3-Major | BT747077 | Potential crash in TMM when updating pool members | 13.1.3.6 |
| 745682-2 | 3-Major | BT745682 | Failed to parse X-Forwarded-For header in HTTP requests | 13.1.3.6, 14.1.3.1 |
| 722707-4 | 3-Major | BT722707 | mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall | 12.1.5.3, 13.1.3.6, 14.1.3.1 |
| 720440-1 | 3-Major | BT720440 | Radius monitor marks pool members down after 6 seconds | 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.0.5 |
| 714642-1 | 3-Major | BT714642 | Ephemeral pool-member state on the standby is down | 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1 |
| 705387 | 3-Major | BT705387 | HTTP/2, ALPN and SSL | 13.1.3.6 |
| 686062-1 | 3-Major | BT686062 | The dynconfd daemon uses UDP ports inefficiently | 13.1.3.6 |
| 608952-4 | 3-Major | BT608952 | MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2 | 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.5 |
| 824365-1 | 4-Minor | BT824365 | Need informative messages for HTTP iRule runtime validation errors | 13.1.3.6, 14.1.2.3, 15.0.1.1, 15.1.0.2 |
| 822025-4 | 4-Minor | BT822025 | HTTP response not forwarded to client during an early response | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.4, 15.1.0.2 |
| 808409-1 | 4-Minor | BT808409 | Unable to specify if giaddr will be modified in DHCP relay chain | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 801705-2 | 4-Minor | BT801705 | When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC | 13.1.3.6, 14.1.3.1 |
| 738032-2 | 4-Minor | BT738032 | BIG-IP system reuses cached session-id after SSL properties of the monitor have been changed. | 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 859717-4 | 5-Cosmetic | BT859717 | ICMP-limit-related warning messages in /var/log/ltm | 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 918169-3 | 2-Critical | BT918169 | The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown. | 13.1.3.6, 14.1.2.7, 15.1.2, 16.0.1.1 |
| 921625-5 | 3-Major | BT921625 | The certs extend function does not work for GTM/DNS sync group | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
| 921549-7 | 3-Major | BT921549 | The gtmd process does not receive updates from local big3d. | 13.1.3.6 |
| 852101-4 | 3-Major | BT852101 | Monitor fails. | 13.1.3.6, 14.1.3.1, 15.1.2 |
| 853585-5 | 4-Minor | BT853585 | REST Wide IP object presents an inconsistent lastResortPool value | 12.1.6, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 940249-4 | 2-Critical | BT940249 | Sensitive data is not masked after "Maximum Array/Object Elements" is reached | 11.6.5.3, 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 927617-4 | 2-Critical | BT927617 | 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 940897-4 | 3-Major | BT940897 | Violations are detected for an incorrect parameter when "Maximum Array/Object Elements" is reached | 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 918933-4 | 3-Major | K88162221 , BT918933 | The BIG-IP ASM system may not properly perform signature checks on cookies | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.2.8, 15.1.2, 16.0.1.1 |
| 904053-5 | 3-Major | BT904053 | Unable to set ASM Main Cookie/Domain Cookie hashing to Never | 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1 |
| 742549-1 | 3-Major | BT742549 | Cannot create non-ASCII entities in non-UTF ASM policy using REST | 13.1.3.6, 14.1.2.7, 15.1.0.5 |
| 767941-2 | 4-Minor | BT767941 | Gracefully handle policy builder errors | 13.1.3.6, 14.1.4 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 743826-3 | 3-Major | BT743826 | Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0) | 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 727031-1 | 1-Blocking | BT727031 | TMM restart in B2250 vCMP systems, and ping/monitor failures in non-B2250 vCMP systems. | 12.1.5.3, 13.1.3.6 |
| 896709-1 | 2-Critical | BT896709 | Add support for Restart Desktop for webtop in VMware VDI | 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1 |
| 976501-4 | 3-Major | BT976501 | Failed to establish VPN connection | 13.1.3.6, 14.1.4, 15.1.3 |
| 924929 | 3-Major | BT924929 | Logging improvements for VDI plugin | 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1 |
| 914649-1 | 3-Major | BT914649 | Support USB redirection through VVC (VMware virtual channel) with BlastX | 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 760629-2 | 3-Major | BT760629 | Remove Obsolete APM keys in BigDB | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1 |
| 739570-2 | 3-Major | BT739570 | Unable to install EPSEC package | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 554228-7 | 3-Major | BT554228 | OneConnect does not work when WEBSSO is enabled/configured. | 11.6.1, 13.1.3.6 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 939529-4 | 3-Major | BT939529 | Branch parameter not parsed properly when topmost via header received with comma separated values | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 755854-1 | 3-Major | BT755854 | TMM crash due to missing classification category | 13.1.3.6 |
SSL Orchestrator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 927993-5 | 1-Blocking | K97501254 , BT927993 | Built-in SSL Orchestrator RPM installation failure | 12.1.5.3, 13.1.3.6, 14.1.3, 14.1.4, 15.1.2, 16.0.1.1 |
Cumulative fixes from BIG-IP v13.1.3.5 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 943125-4 | CVE-2021-23010 | K18570111 , BT943125 | ASM bd may crash while processing WebSocket traffic | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 935721-3 | CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | K82252291 , BT935721 | ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.0.1 |
| 933741-5 | CVE-2021-22979 | K63497634 , BT933741 | BIG-IP FPS XSS vulnerability CVE-2021-22979 | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 933297 | CVE-2020-5949 | K20984059 , BT933297 | FTP virtual server passive data channels do not pass traffic | 13.1.3.5 |
| 932065-4 | CVE-2021-22978 | K87502622 , BT932065 | iControl REST vulnerability CVE-2021-22978 | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 917509-1 | CVE-2020-27718 | K58102101 , BT917509 | BIG-IP ASM vulnerability CVE-2020-27718 | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 912221-3 | CVE-2020-12662, CVE-2020-12663 | K37661551 , BT912221 | CVE-2020-12662 & CVE-2020-12663 | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5 |
| 911761-5 | CVE-2020-5948 | K42696541 , BT911761 | F5 TMUI XSS vulnerability CVE-2020-5948 | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 908673-2 | CVE-2020-27717 | K43850230 , BT908673 | TMM may crash while processing DNS traffic | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 891457-5 | CVE-2020-5939 | K75111593 , BT891457 | NIC driver may fail while transmitting data | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.4, 16.0.1 |
| 882189-4 | CVE-2020-5897 | K20346072 , BT882189 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5897 | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 882185-4 | CVE-2020-5897 | K20346072 , BT882185 | BIG-IP Edge Client Windows ActiveX | 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 881317-3 | CVE-2020-5896 | K15478554 , BT881317 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 881293-4 | CVE-2020-5896 | K15478554 , BT881293 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 879745-5 | CVE-2020-5942 | K82530456 | TMM may crash while processing Diameter traffic | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 879025-6 | CVE-2020-5913 | K72752002 , BT879025 | When processing TLS traffic, LTM may not enforce certificate chain restrictions | 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.0.2 |
| 846917-5 | CVE-2019-10744 | K47105354 , BT846917 | lodash Vulnerability: CVE-2019-10744 | 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.3, 15.1.0.2 |
| 839453-2 | CVE-2019-10744 | K47105354 , BT839453 | lodash library vulnerability CVE-2019-10744 | 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.1.1 |
| 788057-1 | CVE-2020-5921 | K00103216 , BT788057 | MCPD may crash while processing syncookies | 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
| 946581 | CVE-2020-27713 | K37960100 , BT946581 | TMM vulnerability CVE-2020-27713 | 13.1.3.5, 14.1.4 |
| 928037-4 | CVE-2020-27729 | K15310332 , BT928037 | APM Hardening | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 917005-3 | CVE-2020-8619 | K19807532 | ISC BIND Vulnerability: CVE-2020-8619 | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1 |
| 912969-5 | CVE-2020-27727 | K50343630 , BT912969 | iAppsLX REST vulnerability CVE-2020-27727 | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 909837-3 | CVE-2020-5950 | K05204103 , BT909837 | TMM may consume excessive resources when AFM is provisioned | 13.1.3.5, 14.1.2.7, 15.1.0.5 |
| 905125-4 | CVE-2020-27726 | K30343902 , BT905125 | Security hardening for APM Webtop | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 904937-5 | CVE-2020-27725 | K25595031 , BT904937 | Excessive resource consumption in zxfrd | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1 |
| 898949-4 | CVE-2020-27724 | K04518313 , BT898949 | APM may consume excessive resources while processing VPN traffic | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1 |
| 889557-3 | CVE-2019-11358 | K20455158 , BT889557 | jQuery Vulnerability CVE-2019-11358 | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 881445-4 | CVE-2020-5898 | K69154630 , BT881445 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 | 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 880361-4 | CVE-2021-22973 | K13323323 , BT880361 | iRules LX vulnerability CVE-2021-22973 | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 856961-4 | CVE-2018-12207 | K17269881 , BT856961 | INTEL-SA-00201 MCE vulnerability CVE-2018-12207 | 13.1.3.5, 14.1.2.8, 15.0.1.4, 15.1.0.5 |
| 848405-1 | CVE-2020-5933 | K26244025 , BT848405 | TMM may consume excessive resources while processing compressed HTTP traffic | 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.1 |
| 842717-3 | CVE-2020-5855 | K55102004 , BT842717 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 831777-2 | CVE-2020-27723 | K42933418 , BT831777 | Tmm crash in Ping access use case | 13.1.3.5, 14.1.3.1 |
| 816413-4 | CVE-2019-1125 | K31085564 , BT816413 | CVE-2019-1125: Spectre SWAPGS Gadget | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
| 811965-3 | CVE-2020-27722 | K73657294 , BT811965 | Some VDI use cases can cause excessive resource consumption | 13.1.3.5, 14.1.3.1, 15.0.1.4 |
| 778049-6 | CVE-2018-13405 | K00854051 , BT778049 | Linux Kernel Vulnerability: CVE-2018-13405 | 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1 |
| 751036-3 | CVE-2020-27721 | K52035247 , BT751036 | Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8 |
| 888493-5 | CVE-2020-5928 | K40843345 , BT888493 | ASM GUI Hardening | 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
| 852929-2 | CVE-2020-5920 | K25160703 , BT852929 | AFM WebUI Hardening | 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1 |
| 818213-6 | CVE-2019-10639 | K32804955 , BT818213 | CVE-2019-10639: KASLR bypass using connectionless protocols | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 818177-1 | CVE-2019-12295 | K06725231 , BT818177 | CVE-2019-12295 Wireshark Vulnerability | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1 |
| 773693-3 | CVE-2020-5892 | K15838353 , BT773693 | CVE-2020-5892: APM Client Vulnerability | 11.6.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 682352-2 | CVE-2017-3735 | K21462542 | OpenSSL vulnerability CVE-2017-3735 | 13.1.3.5 |
| 834533-4 | CVE-2019-15916 | K57418558 , BT834533 | Linux kernel vulnerability CVE-2019-15916 | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
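The "Fixed Versions" column above is per branch: a fix listed as "13.1.3.5, 14.1.3.1" is present in 13.1.3.5 and later 13.1.x builds and in 14.1.3.1 and later 14.1.x builds, but a 14.1.2.x system is still exposed even though its version number is larger than 13.1.3.5, and a branch that is not listed at all (14.0.x in that example) has no fix recorded. The following script is an added example, not F5 tooling, that applies that reading to rows copied from the table in this page format: it parses the rows, groups them by CVE, and reports for a given running version whether the fix is included in its branch. It assumes that the branch is the major.minor pair and that, where several bug IDs share one CVE, the latest fixed version listed for the branch is the one required.

```python
"""Branch-aware check of which vulnerability fixes a running BIG-IP version
includes, driven by rows in the 'Vulnerability Fixes' table format.
Added example; the branch semantics are an assumption, not F5 documentation."""
import re
from collections import defaultdict

# Rows copied from the vulnerability table on this page:
# | ID | CVE | links | description | fixed versions |
SAMPLE_ROWS = """
| 943125-4 | CVE-2021-23010 | K18570111 , BT943125 | ASM bd may crash while processing WebSocket traffic | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 935721-3 | CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | K82252291 , BT935721 | ISC BIND Vulnerabilities | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.0.1 |
| 946581 | CVE-2020-27713 | K37960100 , BT946581 | TMM vulnerability CVE-2020-27713 | 13.1.3.5, 14.1.4 |
| 900757-5 | CVE-2020-5902 | K52145254 , BT900757 | TMUI RCE vulnerability CVE-2020-5902 | 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 895525-5 | CVE-2020-5902 | K52145254 , BT895525 | TMUI RCE vulnerability CVE-2020-5902 | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_version(text):
    """'14.1.4' -> (14, 1, 4, 0); versions are zero-padded to four parts so
    tuple comparison orders 14.1.4 after 14.1.3.1."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"bad version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def format_version(v):
    """Inverse of parse_version; drops a trailing zero added by padding."""
    parts = list(v[:3]) if v[3] == 0 else list(v)
    return ".".join(str(p) for p in parts)


def branch(v):
    """Assumption: the branch is the major.minor pair, so 14.1.2.8 and 14.1.4
    are the same branch and 14.0.x is a different one."""
    return v[:2]


def parse_rows(text):
    """Parse markdown table rows into dicts; header and malformed rows are skipped."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] == "ID Number":
            continue
        bug_id, cve_cell, _links, description, fixed_cell = cells
        rows.append({
            "id": bug_id,
            "cves": CVE_RE.findall(cve_cell),
            "description": description,
            "fixed": [parse_version(f) for f in fixed_cell.split(",") if f.strip()],
        })
    return rows


def fix_status(running, rows):
    """Return {cve: (status, required_version)} for the running version.

    status is 'fixed', 'vulnerable', or 'no-fix-listed-for-branch'.
    Assumption: when several bug IDs share a CVE, the highest fixed version
    listed for the running branch is the one that must be met."""
    running_v = parse_version(running)
    per_cve = defaultdict(list)  # cve -> fixed versions in our branch
    for row in rows:
        in_branch = [f for f in row["fixed"] if branch(f) == branch(running_v)]
        for cve in row["cves"]:
            per_cve[cve].extend(in_branch)
    result = {}
    for cve, versions in per_cve.items():
        if not versions:
            result[cve] = ("no-fix-listed-for-branch", None)
            continue
        required = max(versions)
        status = "fixed" if running_v >= required else "vulnerable"
        result[cve] = (status, format_version(required))
    return result


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for running in ("13.1.5", "14.1.3.1", "15.1.0.4", "14.0.0.5"):
        print(f"running {running}:")
        for cve, (status, required) in sorted(fix_status(running, rows).items()):
            print(f"  {cve}: {status} (required {required})")
```

Running it against 14.1.3.1 shows CVE-2020-27713 still open (its 14.1 fix is 14.1.4), and against 15.1.0.4 shows CVE-2021-23010 open (fixed at 15.1.2), which is the comparison a plain numeric sort of the version strings gets wrong.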
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 890229-4 | 3-Major | BT890229 | Source port preserve setting is not honored | 13.1.3.5, 14.1.2.8, 15.1.1 |
| 738330-1 | 3-Major | BT738330 | /mgmt/toc endpoint issue after configuring remote authentication | 13.1.3.5, 14.1.2.5, 15.0.1.4 |
| 657912-3 | 3-Major | BT657912 | PIM can be configured to use a floating self IP address | 12.1.5.3, 13.1.3.5 |
| 745465-3 | 4-Minor | BT745465 | The tcpdump file does not provide the correct extension | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 749738-2 | 1-Blocking | BT749738 | After upgrade to 13.1.3.3 or 13.1.3.4, B2250 blades may fail to detect HSB and have restarting chmand | 13.1.3.5, 14.1.2.2 |
| 910201-5 | 2-Critical | BT910201 | OSPF - SPF/IA calculation scheduling might get stuck infinitely | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 896217-5 | 2-Critical | BT896217 | BIG-IP GUI unresponsive | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 860517-4 | 2-Critical | BT860517 | MCPD may crash on startup with many thousands of monitors on a system with many CPUs. | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1 |
| 829677-4 | 2-Critical | BT829677 | .tmp files in /var/config/rest/ may cause /var directory exhaustion | 13.1.3.5, 14.1.2.7, 15.1.2, 16.0.1.1 |
| 812237-3 | 2-Critical | BT812237 | i10000 series appliances with HDVC part number 505-0030 missing name in show sys hardware and on LCD | 12.1.6, 13.1.3.5 |
| 810593-4 | 2-Critical | K10963690 , BT810593 | Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade | 13.1.3.5, 14.1.2.7 |
| 796601-6 | 2-Critical | BT796601 | Invalid parameter in errdefsd while processing hostname db_variable | 13.1.3.5, 14.1.3.1, 15.1.2 |
| 770989-1 | 2-Critical | BT770989 | Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x. | 13.1.3.5, 14.1.3.1 |
| 769817 | 2-Critical | BT769817 | BFD fails to propagate sessions state change during blade restart | 11.6.5.1, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.4 |
| 769581 | 2-Critical | BT769581 | Timeout when sending many large iControl Rest requests | 13.1.3.5, 14.0.0.5, 14.1.2.7 |
| 706521-5 | 2-Critical | K21404407 , BT706521 | The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 649205-1 | 2-Critical | BT649205 | Failure of mcpd during setup of HA communication | 13.1.3.5 |
| 924493-5 | 3-Major | BT924493 | VMware EULA has been updated | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 915825-5 | 3-Major | BT915825 | Configuration error caused by Drafts folder in a deleted custom partition while upgrading. | 13.1.3.5, 14.1.3.1, 15.1.1 |
| 908021-3 | 3-Major | BT908021 | Management and VLAN MAC addresses are identical | 13.1.3.5, 14.1.3.1, 15.1.3 |
| 898705-2 | 3-Major | BT898705 | IPv6 static BFD configuration is truncated or missing | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 888497-5 | 3-Major | BT888497 | Cacheable HTTP Response | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1 |
| 887089-5 | 3-Major | BT887089 | Upgrade can fail when filenames contain spaces | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5 |
| 871657-3 | 3-Major | BT871657 | Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S | 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
| 867013-5 | 3-Major | BT867013 | Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout | 13.1.3.5, 14.1.2.7, 15.1.1 |
| 858197-4 | 3-Major | BT858197 | Merged crash when memory exhausted | 13.1.3.5, 14.1.2.8, 15.1.2, 16.0.1.1 |
| 846441-4 | 3-Major | BT846441 | Flow-control is reset to default for secondary blade's interface | 13.1.3.5, 14.1.3.1, 15.1.2 |
| 846137-5 | 3-Major | BT846137 | The icrd returns incorrect route names in some cases | 13.1.3.5, 14.1.3.1, 15.1.2 |
| 814585-5 | 3-Major | BT814585 | PPTP profile option not available when creating or modifying virtual servers in GUI | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1 |
| 810821-4 | 3-Major | BT810821 | Management interface flaps after rebooting the device. | 13.1.3.5, 14.1.2.7, 15.1.2 |
| 810381-1 | 3-Major | BT810381 | The SNMP max message size check is being incorrectly applied. | 13.1.3.5, 14.1.2.8, 15.1.0.4 |
| 808281 | 3-Major | BT808281 | OVA/Azure template sets '/var' partition with not enough space | 13.1.3.5 |
| 802685-4 | 3-Major | BT802685 | Unable to configure performance HTTP virtual server via GUI | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
| 802281-4 | 3-Major | BT802281 | Gossip shows active even when devices are missing | 13.1.3.5, 14.1.2.5, 15.1.0.2 |
| 797829-3 | 3-Major | BT797829 | The BIG-IP system may fail to deploy new or reconfigure existing iApps | 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1 |
| 795649-2 | 3-Major | BT795649 | Loading UCS from one iSeries model to another causes FPGA to fail to load | 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.0.3 |
| 788577 | 3-Major | BT788577 | BFD sessions may be reset after CMP state change | 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 783113 | 3-Major | BT783113 | BGP sessions remain down upon new primary slot election | 11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.1 |
| 767737-3 | 3-Major | BT767737 | Timing issues during startup may make an HA peer stay in the inoperative state | 13.1.3.5, 14.1.3.1, 15.1.2.1 |
| 755197-1 | 3-Major | BT755197 | UCS creation might fail during frequent config save transactions | 13.1.3.5, 14.1.3.1, 15.1.2 |
| 754971-1 | 3-Major | BT754971 | OSPF inter-process redistribution might break OSPF route redistribution of various types. | 13.1.3.5, 14.1.3.1 |
| 751021-3 | 3-Major | BT751021 | One or more TMM instances may be left without dynamic routes. | 13.1.3.5, 14.1.4 |
| 750194-2 | 3-Major | | Moderate: net-snmp security update | 13.1.3.5, 14.1.4 |
| 746704-1 | 3-Major | BT746704 | Syslog-ng Memory Leak | 13.1.3.5, 14.1.2.8 |
| 745261-1 | 3-Major | BT745261 | The TMM process may crash in some tunnel cases | 12.1.5.3, 13.1.3.5, 14.1.2.8 |
| 740589-3 | 3-Major | BT740589 | Mcpd crash with core after 'tmsh edit /sys syslog all-properties' | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 737098-3 | 3-Major | BT737098 | ASM Sync does not work when the configsync IP address is an IPv6 address | 13.1.3.5, 14.1.3.1, 15.1.2 |
| 725985-1 | 3-Major | BT725985 | REST API takes more than 20 seconds when 1000+ virtual servers with SNAT-Pool configured | 13.1.3.5 |
| 720569-1 | 3-Major | BT720569 | Disaggregation algorithm distributing traffic unequally across CPU cores on Virtual Edition | 12.1.5.3, 13.1.3.5 |
| 707320-2 | 3-Major | BT707320 | Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs | 13.1.3.5, 14.0.0 |
| 705655-2 | 3-Major | BT705655 | Virtual address not responding to ICMP when ICMP Echo set to Selective | 13.1.3.5 |
| 699091-2 | 3-Major | BT699091 | SELinux denies console access for remote users. | 12.1.5.3, 13.1.3.5 |
| 658716-1 | 3-Major | BT658716 | Failure of mcpd when closing out CMI connection | 13.1.3.5 |
| 658715-1 | 3-Major | BT658715 | Mcpd crash | 13.1.3.5 |
| 615934-3 | 3-Major | BT615934 | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. | 13.1.3.5, 14.1.4, 15.1.3 |
| 605675-2 | 3-Major | BT605675 | Sync requests can be generated faster than they can be handled | 11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.2 |
| 489572-3 | 3-Major | K60934489 , BT489572 | Sync fails if file object is created and deleted before sync to peer BIG-IP | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 431503-6 | 3-Major | K14838 , BT431503 | TMSH crashes in rare initial tunnel configurations | 13.1.3.5, 14.1.2.8, 15.1.1 |
| 902417-5 | 4-Minor | BT902417 | Configuration error caused by Drafts folder in a deleted custom partition | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1.1 |
| 890277-1 | 4-Minor | BT890277 | Full config sync to a device group operation takes a long time when there are a large number of partitions. | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 864757-1 | 4-Minor | BT864757 | Traps that were disabled are enabled after configuration save | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 831293-2 | 4-Minor | BT831293 | SNMP address-related GET requests slow to respond. | 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.2 |
| 804309-3 | 4-Minor | BT804309 | [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument | 13.1.3.5, 14.1.2.7, 15.1.0.5 |
| 801637-1 | 4-Minor | BT801637 | Cmp_dest on C2200 platform may give incorrect results | 12.1.5.3, 13.1.3.5 |
| 779857-4 | 4-Minor | BT779857 | Misleading GUI error when installing a new version in another partition | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 692165-1 | 4-Minor | BT692165 | A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token | 12.1.5, 13.1.3.5 |
| 591732-3 | 4-Minor | BT591732 | Local password policy not enforced when auth source is set to a remote type. | 12.1.5.1, 13.1.3.5, 14.1.3.1, 15.0.1.4 |
| 583084-10 | 4-Minor | K15101680 , BT583084 | iControl produces 404 error while creating records successfully | 13.1.3.5, 14.1.3.1, 15.1.2 |
| 714176-4 | 5-Cosmetic | BT714176 | UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 941089-4 | 2-Critical | BT941089 | TMM core when using Multipath TCP | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2 |
| 851857-4 | 2-Critical | BT851857 | HTTP 100 Continue handling does not work when it arrives in multiple packets | 13.1.3.5, 14.1.3.1, 15.1.1 |
| 687603-2 | 2-Critical | K36243347 , BT687603 | tmsh query for dns records may cause tmm to crash | 11.6.5.3, 12.1.3.2, 13.1.3.5 |
| 951033-1 | 3-Major | BT951033 | Virtual server resets all the connections for rstcause 'VIP disabled (administrative)' | 13.1.3.5, 14.1.3.1 |
| 915689-5 | 3-Major | BT915689 | HTTP/2 dynamic header table may fail to identify indexed headers on the response side. | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 915605-4 | 3-Major | K56251674 , BT915605 | Image install fails if iRulesLX is provisioned and /usr mounted read-write | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 915281-6 | 3-Major | BT915281 | Do not rearm TCP Keep Alive timer under certain conditions | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 909757 | 3-Major | BT909757 | HTTP CONNECT method with a delayed payload can cause a connection to be closed | 13.1.3.5 |
| 892385-3 | 3-Major | BT892385 | HTTP does not process WebSocket payload when received with server HTTP response | 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1 |
| 862597-3 | 3-Major | BT862597 | Improve MPTCP's SYN/ACK retransmission handling | 13.1.3.5, 14.1.3.1, 15.1.0.2 |
| 828601-4 | 3-Major | BT828601 | IPv6 Management route is preferred over IPv6 tmm route | 13.1.3.5, 14.1.2.7, 15.1.0.3 |
| 818853-5 | 3-Major | BT818853 | Duplicate MAC entries in FDB | 13.1.3.5, 14.1.3.1, 15.1.0.2 |
| 810445-3 | 3-Major | BT810445 | PEM: ftp-data not classified or reported | 13.1.3.5, 14.1.2.8 |
| 807821-3 | 3-Major | BT807821 | ICMP echo requests occasionally go unanswered | 12.1.5.3, 13.1.3.5 |
| 790845-1 | 3-Major | BT790845 | An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default | 13.1.3.5, 14.1.4, 15.1.2 |
| 786517-1 | 3-Major | BT786517 | Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address | 13.1.3.5, 14.1.3.1, 15.1.0.5 |
| 783617-4 | 3-Major | BT783617 | Virtual server resets connections when all pool members are marked disabled | 13.1.3.5, 14.1.3.1 |
| 766169-3 | 3-Major | BT766169 | Replacing all VLAN interfaces resets VLAN MTU to a default value | 12.1.5.2, 13.1.3.5, 14.1.2.8 |
| 758631-2 | 3-Major | BT758631 | ec_point_formats extension might be included in the server hello even if not specified in the client hello | 12.1.5, 13.1.3.5, 14.0.1.1, 14.1.2.5 |
| 758599-4 | 3-Major | BT758599 | IPv6 Management route is preferred over IPv6 tmm route | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.3 |
| 758437-4 | 3-Major | BT758437 | SYN w/ data disrupts stat collection in Fast L4 | 13.1.3.5, 14.1.2.8 |
| 758436-2 | 3-Major | BT758436 | Optimistic ACKs degrade Fast L4 statistics | 13.1.3.5, 14.1.2.8 |
| 758041-4 | 3-Major | BT758041 | LTM Pool Members may not be updated accurately when multiple identical database monitors are configured. | 13.1.3.5, 14.1.2.7, 15.1.4.1 |
| 745923-4 | 3-Major | BT745923 | Connection flow collision can cause packets to be sent with source and/or destination port 0 | 13.1.3.5, 14.1.2.5, 15.0.1.4 |
| 745663-2 | 3-Major | BT745663 | During traffic forwarding, nexthop data may be missed at large packet split | 13.1.3.5, 14.1.2.8 |
| 724824-4 | 3-Major | BT724824 | Ephemeral nodes on peer devices report as unknown and unchecked after full config sync | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2 |
| 710930-1 | 3-Major | BT710930 | Enabling BigDB key bigd.tmm may cause SSL monitors to fail | 13.1.3.5, 14.1.3.1 |
| 681814-1 | 3-Major | BT681814 | Changes to a cipher group are not propagated to SSL profiles until the configuration is reloaded | 13.1.3.5 |
| 522241-2 | 3-Major | BT522241 | Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7 |
| 814037-1 | 4-Minor | BT814037 | No virtual server name in Hardware Syncookie activation logs. | 13.1.3.5, 14.1.2.8, 15.1.1 |
| 781225-3 | 4-Minor | BT781225 | HTTP profile Response Size stats incorrect for keep-alive connections | 12.1.5.3, 13.1.3.5, 14.1.3.1 |
| 726983-4 | 4-Minor | BT726983 | Inserting multi-line HTTP header not handled correctly | 12.1.5.3, 13.1.3.5, 14.1.3.1 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 960749-4 | 1-Blocking | BT960749 | TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1 |
| 960437-4 | 2-Critical | BT960437 | The BIG-IP system may initially fail to resolve some DNS queries | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1 |
| 919553-4 | 2-Critical | BT919553 | GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets. | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 783125-4 | 2-Critical | BT783125 | iRule drop command on DNS traffic without Datagram-LB may cause TMM crash | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 781829-4 | 3-Major | BT781829 | GTM TCP monitor does not check the RECV string if the server response string does not end with \n | 13.1.3.5, 14.1.3.1 |
| 760471-4 | 3-Major | BT760471 | GTM iQuery connections may be reset during SSL key renegotiation. | 12.1.5.2, 13.1.3.5, 14.1.2.3, 15.0.1.4, 15.1.0.2 |
| 758772-4 | 3-Major | BT758772 | DNS Cache RRSET Evictions Stat not increasing | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7 |
| 757464-3 | 3-Major | BT757464 | DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7 |
| 708421-2 | 3-Major | K52142743 , BT708421 | DNS::question 'set' options are applied to packet, but not to already parsed dns_msg | 12.1.5.2, 13.1.3.5 |
| 700118-1 | 3-Major | BT700118 | rrset statistics unavailable | 11.6.5.3, 12.1.6, 13.1.3.5 |
| 529896-1 | 3-Major | BT529896 | DNS Cache can use cached data from ADDITIONAL sections in answers after RRset cache cleared | 11.6.5.3, 12.1.6, 13.1.3.5 |
| 643455-1 | 4-Minor | BT643455 | Update TTL for equally trusted records only | 11.6.5.3, 12.1.6, 13.1.3.5 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 903453 | 2-Critical | BT903453 | TMM crash following redirect when Proactive Bot Defense is used | 13.1.3.5 |
| 941853-3 | 3-Major | BT941853 | Logging Profiles do not disassociate from virtual server when multiple changes are made | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 900797-5 | 3-Major | BT900797 | Brute Force Protection (BFP) hash table entry cleanup | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
| 900793-3 | 3-Major | K32055534 , BT900793 | APM Brute Force Protection resources do not scale automatically | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
| 900789-5 | 3-Major | BT900789 | Alert before Brute Force Protection (BFP) hash tables are fully utilized | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
| 848445-4 | 3-Major | K86285055 , BT848445 | Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5 |
| 833685-1 | 3-Major | BT833685 | Idle async handlers can remain loaded for a long time doing nothing | 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.5 |
| 722337-3 | 3-Major | BT722337 | Always show violations in request log when post request is large | 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1.1 |
| 692279-1 | 3-Major | BT692279 | Request logging is briefly suspended after policy re-assignment | 13.1.3.5 |
| 424588-1 | 3-Major | BT424588 | iRule command [DOSL7::profile] returns empty value | 13.1.3.5 |
| 935293-1 | 4-Minor | BT935293 | 'Detected Violation' Field for event logs not showing | 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1 |
| 882769-5 | 4-Minor | BT882769 | Request Log: wrong filter applied when searching by Response contains or Response does not contain | 13.1.3.5, 14.1.2.7, 15.1.2 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 722392-2 | 2-Critical | BT722392 | AVR: analytics statistics are displayed even if they are disabled | 13.1.3.5 |
| 908065-5 | 3-Major | BT908065 | Logrotation for /var/log/avr blocked by files with .1 suffix | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 902485-1 | 3-Major | BT902485 | Incorrect pool member concurrent connection value | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
| 838685-1 | 3-Major | BT838685 | DoS report exists per widget but not under an individual virtual server | 13.1.3.5, 14.1.2.7, 15.1.0.5 |
| 721408-4 | 3-Major | BT721408 | Possible to create Analytics overview widgets in '[All]' partition | 13.1.3.5 |
| 866613-2 | 4-Minor | BT866613 | Missing MaxMemory Attribute | 13.1.3.5, 14.1.2.8, 15.1.1 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 833049-3 | 3-Major | BT833049 | Category lookup tool in GUI may not match actual traffic categorization | 13.1.3.5, 14.1.4, 15.1.2 |
| 766017-2 | 4-Minor | BT766017 | [APM][LocalDB] Local user database instance name length check inconsistencies | 12.1.5.3, 13.1.3.5, 14.1.4.2, 15.1.2, 16.0.1.1 |
| 679751-3 | 4-Minor | BT679751 | Authorization header can cause a connection reset | 13.1.3.5, 14.1.2.8, 15.1.1 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 815877-4 | 3-Major | BT815877 | Information Elements with zero-length value are rejected by the GTP parser | 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 845461-1 | 5-Cosmetic | BT845461 | MRF DIAMETER: additional details to log event to assist debugging | 13.1.3.5 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 703165-5 | 3-Major | BT703165 | shared memory leakage | 13.1.3.5, 14.1.2.8 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 783289-3 | 2-Critical | BT783289 | PEM actions not applied in VE bigTCP. | 13.1.3.5, 14.1.3.1 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 943889 | 2-Critical | BT943889 | Reopening the publisher after a failed publishing attempt | 13.1.3.5, 14.1.4 |
| 876581-5 | 3-Major | BT876581 | JavaScript engine file is empty if the original HTML page is cached for too long | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 940401-4 | 5-Cosmetic | BT940401 | Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 913441 | 2-Critical | BT913441 | Tmm cores while doing Hitless Upgrade while there are active flows | 12.1.5.3, 13.1.3.5 |
| 745733-1 | 3-Major | BT745733 | TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup | 13.1.3.5, 14.1.0.2 |
| 689614-1 | 3-Major | BT689614 | If DNS is not configured and the management proxy is set up correctly, the Webroot database fails to download | 13.1.3.5 |
Device Management Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 767613-3 | 3-Major | BT767613 | Restjavad can keep partially downloaded files open indefinitely | 13.1.3.5, 14.1.3.1 |
Cumulative fixes from BIG-IP v13.1.3.4 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 900757-5 | CVE-2020-5902 | K52145254 , BT900757 | TMUI RCE vulnerability CVE-2020-5902 | 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 895525-5 | CVE-2020-5902 | K52145254 , BT895525 | TMUI RCE vulnerability CVE-2020-5902 | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 909237-3 | CVE-2020-8617 | K05544642 | CVE-2020-8617: BIND Vulnerability | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 909233-3 | CVE-2020-8616 | K97810133 , BT909233 | DNS Hardening | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 905905-4 | CVE-2020-5904 | K31301245 , BT905905 | TMUI CSRF vulnerability CVE-2020-5904 | 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 895993-5 | CVE-2020-5902 | K52145254 , BT895993 | TMUI RCE vulnerability CVE-2020-5902 | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 895981-5 | CVE-2020-5902 | K52145254 , BT895981 | TMUI RCE vulnerability CVE-2020-5902 | 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 895881-4 | CVE-2020-5903 | K43638305 , BT895881 | BIG-IP TMUI XSS vulnerability CVE-2020-5903 | 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 883717-4 | CVE-2020-5914 | K37466356 , BT883717 | BD crash on specific server cookie scenario | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 852445-5 | CVE-2019-6477 | K15840535 , BT852445 | Big-IP : CVE-2019-6477 BIND Vulnerability | 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.5 |
| 841577-6 | CVE-2020-5922 | K20606443 , BT841577 | iControl REST hardening | 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5 |
| 838677-5 | CVE-2019-10744 | K47105354 , BT838677 | lodash library vulnerability CVE-2019-10744 | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 837773-4 | CVE-2020-5912 | K12936322 , BT837773 | Restjavad Storage and Configuration Hardening | 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 830401-5 | CVE-2020-5877 | K54200228 , BT830401 | TMM may crash while processing TCP traffic with iRules | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
| 819197-6 | CVE-2019-13135 | K20336394 , BT819197 | BIG-IP: CVE-2019-13135 ImageMagick vulnerability | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 819189-5 | CVE-2019-13136 | K03512441 , BT819189 | BIG-IP: CVE-2019-13136 ImageMagick vulnerability | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 818709-4 | CVE-2020-5858 | K36814487 , BT818709 | TMSH does not follow current best practices | 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.4 |
| 778077-1 | CVE-2019-6680 | K53183580 , BT778077 | Virtual to virtual chain can cause TMM to crash | 11.6.5.1, 12.1.5.1, 13.1.3.4, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 767373-3 | CVE-2019-8331 | K24383845 , BT767373 | CVE-2019-8331: Bootstrap Vulnerability | 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.4 |
| 750292-4 | CVE-2019-6592 | K54167061 , BT750292 | TMM may crash when processing TLS traffic | 12.1.5.3, 13.1.3.4, 14.1.0.2 |
| 886085-1 | CVE-2020-5925 | K45421311 , BT886085 | BIG-IP TMM vulnerability CVE-2020-5925 | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
| 872673-4 | CVE-2020-5918 | K26464312 , BT872673 | TMM can crash when processing SCTP traffic | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 868349-5 | CVE-2020-5935 | K62830532 , BT868349 | TMM may crash while processing iRules with MQTT commands | 13.1.3.4, 14.1.2.5, 15.1.1 |
| 860477-6 | CVE-2020-5906 | K82518062 | SCP hardening | 12.1.5.2, 13.1.3.4 |
| 859089-3 | CVE-2020-5907 | K00091341 , BT859089 | TMSH allows SFTP utility access | 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4 |
| 858025-5 | CVE-2021-22984 | K33440533 , BT858025 | BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984 | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
| 832885-5 | CVE-2020-5923 | K05975972 , BT832885 | Self-IP hardening | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5 |
| 829121-5 | CVE-2020-5886 | K65720640 , BT829121 | State mirroring default does not require TLS | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2 |
| 829117-5 | CVE-2020-5885 | K17663061 , BT829117 | State mirroring default does not require TLS | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2 |
| 811789-4 | CVE-2020-5915 | K57214921 , BT811789 | Device trust UI hardening | 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 789921-4 | CVE-2020-5881 | K03386032 , BT789921 | TMM may restart while processing VLAN traffic | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
| 761112-5 | CVE-2019-6683 | K76328112 , BT761112 | TMM may consume excessive resources when processing FastL4 traffic | 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.0.1.1, 14.1.2.3, 15.0.1.4 |
| 756458-1 | CVE-2018-18559 | K28241423 , BT756458 | Linux kernel vulnerability: CVE-2018-18559 | 13.1.3.4, 14.1.2.1, 15.0.1.4 |
| 745103-4 | CVE-2018-7159 | K27228191 , BT745103 | NodeJS Vulnerability: CVE-2018-7159 | 13.1.3.4, 14.1.2.1, 15.0.1.3 |
| 715969-1 | CVE-2017-5703 | K19855851 , BT715969 | CVE-2017-5703: Unsafe Opcodes exposed in Intel SPI based products | 13.1.3.4 |
| 823893-4 | CVE-2020-5890 | K03318649 , BT823893 | Qkview may fail to completely sanitize LDAP bind credentials | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
| 746091-3 | CVE-2019-19151 | K21711352 , BT746091 | TMSH Vulnerability: CVE-2019-19151 | 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 717276-5 | CVE-2020-5930 | K20622530 , BT717276 | TMM Route Metrics Hardening | 11.6.5.3, 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.5 |
| 759536-4 | CVE-2019-8912 | K31739796 , BT759536 | Linux kernel vulnerability: CVE-2019-8912 | 13.1.3.4, 14.1.2.1, 15.0.1.1 |
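The "Fixed Versions" column lists, for each release line, the first build that carries a fix. Deciding whether a particular running version is covered is not a plain numeric comparison, because F5 versions are major.minor.maintenance.point and a fix delivered in a point release (for example 14.1.2.6) is only known to be in later point releases of that maintenance line, which is why some rows list a second build in the same major (for example 14.1.2.6 and 14.1.4). The following Python script is an added example, not part of F5's release notes: it parses rows in this page's table layout and classifies a running version against the listed fixes. Its two rules are inferred conventions, not statements from the page: a build listed without a point component (such as 14.1.4) is treated as carried forward to later maintenance releases of the same major, while a point-release fix is treated as covering only its own maintenance line. A version that falls between those cases is reported as "check release notes" rather than "fixed", because, as the cumulative-fix headings on this page show, a later maintenance release usually does include earlier point-release fixes, but the table row alone does not guarantee it. The sample rows are copied from the tables on this page (900757-5, 841577-6, 742628-5).

```python
"""Classify a running BIG-IP version against a release-notes "Fixed Versions" column.

Added example (not F5 content). Assumptions, stated in the lead-in: four-part
versions major.minor.maintenance.point; a fix listed as a maintenance release
(no point component) covers that and later maintenance releases of the same
major; a fix listed as a point release covers only its own maintenance line.
"""
from typing import Dict, List, Tuple

# Sample rows copied from the tables on this page (vulnerability table and TMOS table).
SAMPLE_ROWS = """
| 900757-5 | CVE-2020-5902 | K52145254 , BT900757 | TMUI RCE vulnerability CVE-2020-5902 | 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 841577-6 | CVE-2020-5922 | K20606443 , BT841577 | iControl REST hardening | 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5 |
| 742628-5 | 3-Major | BT742628 | A tmsh session initiation adds increased control plane pressure | 12.1.5.3, 13.1.3.4, 14.1.2.6, 14.1.4, 15.0.1.4, 15.1.0.2 |
"""

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """'13.1.3.4' -> (13, 1, 3, 4); '14.1.4' -> (14, 1, 4, 0). Padding keeps tuples comparable."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {text!r}")
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


def parse_rows(table: str) -> Dict[str, dict]:
    """Map bug ID -> tag (CVE or severity), description, and sorted list of fixed versions.

    Rows use the page's 5-column layout; the header row and any malformed row are skipped.
    """
    rows: Dict[str, dict] = {}
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] == "ID Number":
            continue
        bug_id, tag, _links, description, fixed = cells
        rows[bug_id] = {
            "tag": tag,
            "description": description,
            "fixed": sorted(parse_version(v) for v in fixed.split(",") if v.strip()),
        }
    return rows


def fix_status(running: str, fixed: List[Version]) -> str:
    """Return 'fixed', 'vulnerable', 'check release notes' or 'no fix listed for this major'."""
    rv = parse_version(running)
    same_major = [f for f in fixed if f[:2] == rv[:2]]
    if not same_major:
        # The row says nothing about this major; it may be unaffected or simply not covered here.
        return "no fix listed for this major"
    for f in same_major:
        if f[3] == 0 and rv[2] >= f[2]:
            # Maintenance release (e.g. 14.1.4): assumed cumulative into later maintenance releases.
            return "fixed"
        if f[3] > 0 and rv[2] == f[2] and rv[3] >= f[3]:
            # Point release (e.g. 14.1.2.6): covers later point releases of the same line only.
            return "fixed"
    if rv < min(same_major):
        # Older than every listed fix for this major: definitely not fixed.
        return "vulnerable"
    # Newer than a point-release fix but in a different maintenance line: the table alone
    # cannot say; the release's cumulative-fix list resolves it.
    return "check release notes"


def check(running: str, table: str = SAMPLE_ROWS) -> Dict[str, str]:
    """Classify one running version against every row in the table."""
    return {bug_id: fix_status(running, row["fixed"]) for bug_id, row in parse_rows(table).items()}


if __name__ == "__main__":
    for version in ("13.1.3.3", "13.1.5", "14.1.3.0", "14.1.4.2", "16.1.0"):
        print(version, check(version))
```

Running the script against 13.1.3.3 reports the CVE-2020-5902 row as vulnerable, against 13.1.3.4 as fixed, and against 13.1.5 as "check release notes"; for that last case, the "Cumulative fixes from BIG-IP v13.1.3.4 that are included in this release" heading on this page is what confirms the fix is present.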
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 819397-3 | 1-Blocking | K50375550 , BT819397 | TMM does not enforce RFC compliance when processing HTTP traffic | 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.1 |
| 858229-2 | 3-Major | K22493037 , BT858229 | XML with sensitive data gets to the ICAP server | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
| 691499-1 | 3-Major | BT691499 | GTP::ie primitives in iRule to be certified | 13.1.3.4, 14.1.2.7, 15.1.0.5 |
| 617929-4 | 3-Major | BT617929 | Support non-default route domains | 13.1.3.4, 14.1.2.8, 15.0.1.3 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 747099-1 | 1-Blocking | BT747099 | AWS Cloud VE instance cannot connect to the metadata server to obtain licensing details. | 13.1.3.4 |
| 841333-3 | 2-Critical | BT841333 | TMM may crash when tunnel used after returning from offline | 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.2 |
| 792285-3 | 2-Critical | BT792285 | TMM crashes if the queuing message to all HSL pool members fails | 13.1.3.4, 14.1.2.5 |
| 780817 | 2-Critical | BT780817 | TMM can crash on certain vCMP hosts after modifications to VLANs and guests. | 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1 |
| 767013-4 | 2-Critical | BT767013 | Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.4.4 |
| 762205-1 | 2-Critical | BT762205 | IKEv2 rekey fails to recognize VENDOR_ID payload when it appears | 13.1.3.4, 14.1.2.3, 15.0.1.4 |
| 882557-5 | 3-Major | BT882557 | TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher) | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4 |
| 866925-1 | 3-Major | BT866925 | The TMM pages used and available can be viewed in the F5 system stats MIB | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 865225-2 | 3-Major | BT865225 | 100G modules may not work properly in i15000 and i15800 platforms | 13.1.3.4, 15.1.0.2 |
| 842125-2 | 3-Major | BT842125 | Unable to reconnect outgoing SCTP connections that have previously aborted | 13.1.3.4, 14.1.2.5, 15.1.0.5 |
| 812981-2 | 3-Major | BT812981 | MCPD: memory leak on standby BIG-IP device | 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 807005-3 | 3-Major | BT807005 | Save-on-auto-sync is not working as expected with large configuration objects | 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
| 804477-2 | 3-Major | BT804477 | Add HSB register logging when parts of the device become unresponsive | 13.1.3.4, 14.1.4.3 |
| 800185-2 | 3-Major | BT800185 | Saving a large encrypted UCS archive may fail and might trigger failover | 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4 |
| 762073-1 | 3-Major | BT762073 | Continuous TMM restarts when HSB drops off the PCI bus | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4 |
| 760439-2 | 3-Major | BT760439 | After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status | 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1 |
| 753860-1 | 3-Major | BT753860 | Virtual server config changes causing incorrect route injection. | 13.1.3.4, 14.1.2.7 |
| 749153-1 | 3-Major | BT749153 | Cannot create LTM policy from GUI using iControl | 12.1.4.1, 13.1.3.4 |
| 742628-5 | 3-Major | BT742628 | A tmsh session initiation adds increased control plane pressure | 12.1.5.3, 13.1.3.4, 14.1.2.6, 14.1.4, 15.0.1.4, 15.1.0.2 |
| 739872-2 | 3-Major | BT739872 | The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover | 12.1.5.3, 13.1.3.4 |
| 738943-5 | 3-Major | BT738943 | imish command hangs when ospfd is enabled | 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1 |
| 738881-2 | 3-Major | BT738881 | Qkview does not collect any data under certain conditions that cause a timeout | 13.1.3.4 |
| 734846-3 | 3-Major | BT734846 | Redirection to logon summary page does not occur after session timeout | 13.1.3.4 |
| 701529-1 | 3-Major | BT701529 | Configuration may not load or not accept vlan or tunnel names as "default" or "all" | 13.1.3.4, 14.1.2.7 |
| 688399-4 | 3-Major | BT688399 | HSB failure results in continuous TMM restarts | 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4 |
| 648621-5 | 3-Major | BT648621 | SCTP: Multihome connections may not expire | 11.6.5.3, 12.1.5.2, 13.1.3.4, 14.1.2.1, 15.0.1.4 |
| 641450-5 | 3-Major | K30053855 , BT641450 | A transaction that deletes and recreates a virtual may result in an invalid configuration | 12.1.5.1, 13.1.3.4, 14.1.2.5 |
| 625901-2 | 3-Major | BT625901 | SNAT pools allow members in different partitions to be assigned, but this causes a load failure | 12.1.5.1, 13.1.3.4 |
| 748940-1 | 4-Minor | BT748940 | iControl REST cert creation not working for non-Common folder | 13.1.3.4 |
| 743815-3 | 4-Minor | BT743815 | vCMP guest observes connflow reset when a CMP state change occurs. | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7 |
| 726317-4 | 4-Minor | BT726317 | Improved debugging output for mcpd | 12.1.5, 13.1.3.4, 14.1.0.6 |
| 722230-5 | 4-Minor | BT722230 | Cannot delete FQDN template node if another FQDN node resolves to same IP address | 12.1.5.2, 13.1.3.4, 14.1.3.1, 15.0.1.4, 15.1.0.2 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 816273-4 | 1-Blocking | BT816273 | L7 Policies may execute CONTAINS operands incorrectly. | 13.1.3.4, 14.1.2.3, 15.0.1.1 |
| 715032-5 | 1-Blocking | K73302459 , BT715032 | iRulesLX Hardening | 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 853329 | 2-Critical | BT853329 | HTTP explicit proxy can crash TMM when used with classification profile | 11.6.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3 |
| 841469-3 | 2-Critical | BT841469 | Application traffic may fail after an internal interface failure on a VIPRION system. | 13.1.3.4, 15.1.2.1 |
| 831325-3 | 2-Critical | K10701310 , BT831325 | HTTP PSM detects more issues with Transfer-Encoding headers | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.1 |
| 826601-3 | 2-Critical | BT826601 | Prevent receive window shrinkage for looped flows that use a SYN cookie | 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.3 |
| 813561-1 | 2-Critical | BT813561 | MCPD crashes when assigning an iRule that uses a proc | 13.1.3.4, 14.1.2.8, 15.0.1.3 |
| 812525-5 | 2-Critical | K27551003 , BT812525 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
| 757578-4 | 2-Critical | BT757578 | RAM cache is not compatible with verify-accept | 12.1.5.2, 13.1.3.4, 14.1.2.1, 15.0.1.1 |
| 696908-1 | 2-Critical | BT696908 | Updating iRule causes TMM to crash | 13.1.3.4 |
| 690291-1 | 2-Critical | BT690291 | tmm crash | 13.1.3.4 |
| 858301-4 | 3-Major | K27551003 , BT858301 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
| 858297-4 | 3-Major | K27551003 , BT858297 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
| 858289-4 | 3-Major | K27551003 , BT858289 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
| 858285-4 | 3-Major | K27551003 , BT858285 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
| 796993-3 | 3-Major | BT796993 | Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs | 12.1.5.3, 13.1.3.4, 14.1.3.1 |
| 788753-1 | 3-Major | BT788753 | GATEWAY_ICMP monitor marks node down with wrong error code | 13.1.3.4, 14.1.2.8, 15.1.0.5 |
| 778517-2 | 3-Major | K91052217 , BT778517 | Large number of in-TMM monitors results in delayed processing | 13.1.3.4, 14.1.2.7 |
| 776229-4 | 3-Major | BT776229 | iRule 'pool' command no longer accepts pool members with ports that have a value of zero | 13.1.3.4, 14.1.3.1 |
| 761185-4 | 3-Major | K50375550 , BT761185 | Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic | 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.1 |
| 760679 | 3-Major | BT760679 | Memory corruption when using C3D on certain platforms | 13.1.3.4 |
| 759480-2 | 3-Major | BT759480 | HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash | 12.1.5, 13.1.3.4, 14.1.3.1 |
| 758872-2 | 3-Major | BT758872 | TMM memory leak | 12.1.5, 13.1.3.4, 14.1.2.3 |
| 756494-1 | 3-Major | BT756494 | For in-tmm monitoring: multiple instances of the same agent are running on the Standby device | 13.1.3.4, 14.1.2.7 |
| 753805-1 | 3-Major | BT753805 | BIG-IP system failed to advertise virtual address even after the virtual address was in Available state. | 12.1.5.3, 13.1.3.4, 14.1.3.1 |
| 716167-1 | 3-Major | BT716167 | The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp | 13.1.3.4, 14.1.0.2 |
| 686059-2 | 3-Major | BT686059 | FDB entries for existing VLANs may be flushed when creating a new VLAN. | 12.1.5.3, 13.1.3.4, 14.1.2.7 |
| 751586-5 | 4-Minor | BT751586 | Http2 virtual does not honour translate-address disabled | 12.1.4.1, 13.1.3.4, 14.1.2.1, 15.1.4 |
| 747585-2 | 4-Minor | BT747585 | TCP Analytics supports ANY protocol number | 12.1.5, 13.1.3.4, 14.1.2.1 |
| 594064-5 | 4-Minor | K57004151 , BT594064 | tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows. | 11.6.5.3, 12.1.5.2, 13.1.3.4 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 807177-1 | 2-Critical | BT807177 | HTTPS monitoring is not caching SSL sessions correctly | 13.1.3.4, 14.1.2.5 |
| 802961-1 | 3-Major | BT802961 | The 'any-available' prober selection is not as random as in earlier versions | 13.1.3.4, 14.1.2.5 |
| 778365-1 | 3-Major | BT778365 | dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service | 13.1.3.4, 14.1.2.7 |
| 774481-3 | 3-Major | BT774481 | DNS Virtual Server creation problem with Dependency List | 13.1.3.4, 14.1.2.7 |
| 756470-3 | 3-Major | BT756470 | Additional logging added to detect when monitoring operations in the configuration exceed capabilities. | 13.1.3.4, 14.1.4.5 |
| 746348-1 | 3-Major | BT746348 | On rare occasions, gtmd fails to process probe responses originating from the same system. | 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.2 |
| 704198-3 | 3-Major | K29403988 , BT704198 | Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance | 12.1.5.2, 13.1.3.4, 14.1.2.5 |
| 744280-1 | 4-Minor | BT744280 | Enabling or disabling a Distributed Application results in a small memory leak | 13.1.3.4, 14.0.0.5, 14.1.2.5 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 803813-3 | 2-Critical | BT803813 | TMM may experience high latency when processing WebSocket traffic | 13.1.3.4, 14.1.2.7 |
| 754109-3 | 2-Critical | BT754109 | ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive | 13.1.3.4, 14.1.2.3 |
| 854177-2 | 3-Major | BT854177 | ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality | 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.1.0.5 |
| 850673-4 | 3-Major | BT850673 | BD sends bad ACKs to the bd_agent for configuration | 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 846493 | 3-Major | BT846493 | ASM CAPTCHA is not working the first time when a request contains sensitive parameters | 13.1.3.4 |
| 783505 | 3-Major | BT783505 | ASU is very slow on device with hundreds of policies due to table checksums | 12.1.5.1, 13.1.3.4 |
| 697269-1 | 3-Major | BT697269 | Request logging is briefly suspended after policy creation | 13.1.3.4 |
| 689987-3 | 3-Major | BT689987 | Requests are not logged on new virtual servers after UCS load while ASM is running | 13.1.3.4 |
| 681010-2 | 3-Major | K33572148 , BT681010 | 'Referer' is not masked when 'Query String' contains sensitive parameter | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 673522-1 | 3-Major | BT673522 | RST when using Bot Defense profile and surfing to a long URL on related domain | 13.1.3.4 |
| 629628-1 | 3-Major | BT629628 | Request Events Missing Due to Policy Builder Restart | 13.1.3.4 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 838709-2 | 2-Critical | BT838709 | Enabling DoS stats also enables page-load-time | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 828937-4 | 2-Critical | K45725467 , BT828937 | Some systems can experience periodic high IO wait due to AVR data aggregation | 13.1.3.4, 14.1.2.5, 15.1.0.5 |
| 870957-2 | 3-Major | | "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 863161-5 | 3-Major | BT863161 | Scheduled reports are sent via TLS even if configured as non encrypted | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 833113-1 | 3-Major | BT833113 | Avrd core when sending large messages via https | 13.1.3.4, 14.1.4.3, 15.0.1.3, 15.1.4 |
| 830073-5 | 3-Major | BT830073 | AVRD may core when restarting due to data collection device connection timeout | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 700035-5 | 3-Major | BT700035 | /var/log/avr/monpd.disk.provision is not rotated | 13.1.3.4 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 885241 | 2-Critical | BT885241 | TMM leaks memory when the 'ACCESS::session remove' iRule command is called in an event other than an ACCESS event. | 13.1.3.4 |
| 871761-2 | 2-Critical | BT871761 | Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 747192-2 | 2-Critical | BT747192 | Small memory leak while creating Access Policy items | 12.1.4.1, 13.1.3.4 |
| 660913-4 | 2-Critical | BT660913 | For ActiveSync client type, browscap info provided is incorrect. | 12.1.4.1, 13.1.3.4, 14.1.4.3 |
| 850277-5 | 3-Major | BT850277 | Memory leak when using OAuth | 13.1.3.4, 14.1.4, 15.0.1.3, 15.1.0.2 |
| 803825 | 3-Major | BT803825 | WebSSO does not support large NTLM target info length | 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2 |
| 744407-5 | 3-Major | BT744407 | While the client has been closed, iRule function should not try to check on a closed session | 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2 |
WebAccelerator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 833213-5 | 3-Major | BT833213 | Conditional requests are served incorrectly with AAM policy in webacceleration profile | 13.1.3.4, 14.1.2.3, 15.0.1.3, 15.1.3 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 814097-4 | 2-Critical | BT814097 | Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event. | 11.6.5.2, 13.1.3.4, 14.1.2.7 |
| 811105-3 | 2-Critical | BT811105 | MRF SIP-ALG drops SIP 183 and 200 OK messages | 13.1.3.4, 14.1.2.5, 15.0.1.4 |
| 766405-3 | 2-Critical | BT766405 | MRF SIP ALG with SNAT: Fix for potential crash on next-active device | 13.1.3.4, 14.1.0.6 |
| 745397-3 | 2-Critical | BT745397 | Virtual server configured with FIX profile can leak memory. | 13.1.3.4 |
| 882273-1 | 3-Major | BT882273 | MRF Diameter: memory leak during server-down and reconnect attempts leads to memory growth and TMM crash | 13.1.3.4, 14.1.2.5 |
| 866021-4 | 3-Major | BT866021 | Diameter Mirror connection lost on the standby due to "process ingress error" | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 842625-1 | 3-Major | BT842625 | SIP message routing remembers a 'no connection' failure state forever | 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.2 |
| 824149-1 | 3-Major | BT824149 | SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 815529-4 | 3-Major | BT815529 | MRF outbound messages are dropped in per-peer mode | 13.1.3.4, 14.1.2.7 |
| 811033-3 | 3-Major | BT811033 | MRF: bidirectional persistence does not work in the reverse direction if different transport protocols are used | 13.1.3.4, 14.1.2.5 |
| 804313-4 | 3-Major | BT804313 | MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded. | 13.1.3.4, 14.1.2.1, 15.0.1.2 |
| 803809-1 | 3-Major | BT803809 | SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled. | 13.1.3.4, 14.1.2.7, 15.1.0.2 |
| 782353-8 | 3-Major | BT782353 | SIP MRF via header shows TCP Transport when TLS is enabled | 13.1.3.4, 14.1.2.7 |
| 754658-1 | 3-Major | BT754658 | Improved matching of response messages uses end-to-end ID | 13.1.3.4, 14.1.2.7 |
| 754617-1 | 3-Major | BT754617 | iRule 'DIAMETER::avp read' command does not work with 'source' option | 13.1.3.4, 14.1.2.7 |
| 746731-3 | 3-Major | BT746731 | BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set | 13.1.3.4, 14.1.2.7 |
| 744275-3 | 3-Major | BT744275 | BIG-IP system sends Product-Name AVP in CER with Mandatory bit set | 13.1.3.4, 14.1.0.2 |
| 727288-3 | 3-Major | BT727288 | Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC | 13.1.3.4 |
| 696348-2 | 3-Major | BT696348 | "GTP::ie insert" and "GTP::ie append" do not work without "-message" option | 13.1.3.4, 14.1.2.7, 15.1.0.5 |
| 676709-3 | 3-Major | K37604585 , BT676709 | Diameter virtual server has different behavior of connection-prime when persistence is on/off | 11.6.5.2, 13.1.3.4 |
| 836357-1 | 4-Minor | BT836357 | SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
| 793013 | 4-Minor | BT793013 | MRF DIAMETER: Implement sweeper for pending request messages queue | 13.1.3.4 |
| 788513-4 | 4-Minor | BT788513 | Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log | 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
| 786981-1 | 4-Minor | BT786981 | Pending GTP iRule operation may be aborted when the connection expires | 13.1.3.4, 14.1.2.7 |
| 753790 | 4-Minor | BT753790 | Allow 'DIAMETER::persist reset' command in EGRESS events | 13.1.3.4 |
| 711641-1 | 4-Minor | BT711641 | MRF DIAMETER: Add log events to log when stale messages are removed from pending request queue | 13.1.3.4 |
| 793005-4 | 5-Cosmetic | BT793005 | 'Current Sessions' statistic of MRF/Diameter pool may be incorrect | 13.1.3.4, 14.1.2.7, 15.1.0.5 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 852289-6 | 3-Major | K23278332 , BT852289 | DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector | 13.1.3.4, 14.1.2.5, 15.1.1 |
| 751116-3 | 3-Major | BT751116 | DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring | 13.1.3.4, 14.1.4.2 |
Device Management Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 839597-2 | 3-Major | BT839597 | Restjavad fails to start if provision.extramb has a large value | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
Cumulative fixes from BIG-IP v13.1.3.3 that are included in this release
Functional Change Fixes
None
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 803645-1 | 3-Major | BT803645 | GTMD daemon crashes | 13.1.3.3, 14.1.2.7 |
Cumulative fixes from BIG-IP v13.1.3.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 818429-2 | CVE-2020-5857 | K70275209 , BT818429 | TMM may crash while processing HTTP traffic | 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 808301-1 | CVE-2019-6678 | K04897373 , BT808301 | TMM may crash while processing IP traffic | 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1 |
| 805837-4 | CVE-2019-6657 | K22441651 , BT805837 | REST does not follow current design best practices | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.5, 15.0.1.1 |
| 795437-2 | CVE-2019-6677 | K06747393 , BT795437 | Improve handling of TCP traffic for iRules | 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 795197-3 | CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 | K26618426 , BT795197 | Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 781377-1 | CVE-2019-6681 | K93417064 , BT781377 | tmrouted may crash while processing Multicast Forwarding Cache messages | 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4 |
| 780601-4 | CVE-2020-5873 | K03585731 , BT780601 | SCP file transfer hardening | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.1.2.5, 15.0.1.1 |
| 769589-4 | CVE-2019-6974 | K11186236 , BT769589 | CVE-2019-6974: Linux Kernel Vulnerability | 13.1.3.2, 14.1.2.5 |
| 762453 | CVE-2020-5872 | K63558580 , BT762453 | Hardware cryptography acceleration may fail | 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.5 |
| 757357 | CVE-2019-6676 | K92002212 , BT757357 | TMM may crash while processing traffic | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 636400-1 | CVE-2019-6665 | K26462555 , BT636400 | CPB (BIG-IP->BIGIQ log node) Hardening | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1, 15.1.0.2 |
| 810537-3 | CVE-2020-5883 | K12234501 , BT810537 | TMM may consume excessive resources while processing iRules | 13.1.3.2, 14.0.1.1, 14.1.2.5, 15.0.1.1 |
| 809165-4 | CVE-2020-5854 | K50046200 , BT809165 | TMM may crash while processing connector traffic | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4 |
| 808525-4 | CVE-2019-6686 | K55812535 , BT808525 | TMM may crash while processing Diameter traffic | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4 |
| 795797-4 | CVE-2019-6658 | K21121741 , BT795797 | AFM WebUI Hardening | 12.1.5.1, 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 788773-4 | CVE-2019-9515 | K50233772 , BT788773 | HTTP/2 Vulnerability: CVE-2019-9515 | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 788769-4 | CVE-2019-9514 | K01988340 , BT788769 | HTTP/2 Vulnerability: CVE-2019-9514 | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 782529-4 | CVE-2019-6685 | K30215839 , BT782529 | iRules does not follow current design best practices | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.3 |
| 781449-4 | CVE-2019-6672 | K14703097 , BT781449 | Increase efficiency of sPVA DoS protection on wildcard virtual servers | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 777737-2 | CVE-2019-6671 | K39225055 , BT777737 | TMM may consume excessive resources when processing IP traffic | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 773673-4 | CVE-2019-9512 | K98053339 , BT773673 | HTTP/2 Vulnerability: CVE-2019-9512 | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 768981-4 | CVE-2019-6670 | K05765031 , BT768981 | VCMP Hypervisor Hardening | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 761144-6 | CVE-2019-6684 | K95117754 , BT761144 | Broadcast frames may be dropped | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.3 |
| 761014-4 | CVE-2019-6669 | K11447758 , BT761014 | TMM may crash while processing local traffic | 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 758018-3 | CVE-2019-6661 | K61705126 , BT758018 | APD/APMD may consume excessive resources | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1 |
| 725551-4 | CVE-2019-6682 | K40452417 , BT725551 | ASM may consume excessive resources | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.4 |
| 636453-9 | CVE-2016-10009 | K31440025 | OpenSSH vulnerability CVE-2016-10009 | 13.1.3.2 |
| 789893-4 | CVE-2019-6679 | K54336216 , BT789893 | SCP file transfer hardening | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1 |
| 779177-4 | CVE-2019-19150 | K37890841 , BT779177 | Apmd logs "client-session-id" when access-policy debug log level is enabled | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.3 |
| 749324-2 | CVE-2012-6708 | K62532311 , BT749324 | jQuery Vulnerability: CVE-2012-6708 | 12.1.5.2, 13.1.3.2, 14.1.2.3 |
| 738236-2 | CVE-2019-6688 | K25607522 , BT738236 | UCS does not follow current best practices | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.3 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 724556-2 | 2-Critical | BT724556 | icrd_child spawns more than maximum allowed times (zombie processes) | 12.1.5.3, 13.1.3.2, 14.1.2.7 |
| 769193-1 | 3-Major | BT769193 | Added support for faster congestion window increase in slow-start for stretch ACKs | 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.3 |
| 759135-5 | 3-Major | BT759135 | AVR report limits are locked at 1000 transactions | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 788269-1 | 4-Minor | BT788269 | Adding toggle to disable AVR widgets on device-groups | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.3 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 725950 | 1-Blocking | BT725950 | Regcomp() leaks memory if passed an invalid regex. | 13.1.3.2 |
| 831549 | 2-Critical | BT831549 | Marketing name does not display properly for BIG-IP i10010 (C127) | 13.1.3.2, 14.1.4.4 |
| 765533-4 | 2-Critical | K58243048 , BT765533 | Sensitive information logged when DEBUG logging enabled | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.1 |
| 749388 | 2-Critical | BT749388 | 'table delete' iRule command can cause TMM to crash | 12.1.5.2, 13.1.3.2, 14.1.2.5 |
| 747203-4 | 2-Critical | BT747203 | Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding | 13.1.3.2, 15.0.1.3 |
| 686996-1 | 2-Critical | BT686996 | TMM core under heavy load with PEM | 13.1.3.2 |
| 809205-3 | 3-Major | | CVE-2019-3855: libssh2 Vulnerability | 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1, 15.1.3, 16.0.1.2 |
| 794501-4 | 3-Major | BT794501 | Duplicate if_indexes and OIDs between interfaces and tunnels | 12.1.5.3, 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 793121-1 | 3-Major | BT793121 | Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication | 13.1.3.2, 14.1.2.7, 15.0.1.3, 15.1.0.2 |
| 788557 | 3-Major | BT788557 | BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior | 11.6.5.2, 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 788301-3 | 3-Major | K58243048 , BT788301 | SNMPv3 Hardening | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 777261-2 | 3-Major | BT777261 | When SNMP cannot locate a file it logs messages repeatedly | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 764873-4 | 3-Major | BT764873 | An accelerated flow may transmit packets to an unavailable pool member. | 13.1.3.2, 14.1.4.2, 15.0.1.3 |
| 761993-4 | 3-Major | BT761993 | The nsm process may crash if it detects a nexthop mismatch | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 759735-1 | 3-Major | BT759735 | OSPF ASE route calculation for new external-LSA delayed | 13.1.3.2, 14.1.2.5 |
| 758781-1 | 3-Major | BT758781 | iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 758527-4 | 3-Major | K39604784 , BT758527 | BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.0.5, 14.1.2.3, 15.0.1.3 |
| 758119-4 | 3-Major | K58243048 , BT758119 | qkview may contain sensitive information | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 747592-2 | 3-Major | | PHP vulnerability CVE-2018-17082 | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1 |
| 745825-3 | 3-Major | BT745825 | The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading | 13.1.3.2, 14.1.0.2 |
| 741902-3 | 3-Major | BT741902 | sod does not validate message length vs. received packet length | 11.6.5.2, 12.1.5.2, 13.1.3.2 |
| 740413-3 | 3-Major | BT740413 | Sod not logging Failover Condition messages | 13.1.3.2 |
| 738445-2 | 3-Major | BT738445 | IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup | 12.1.5, 13.1.3.2, 14.0.1.1 |
| 724109-4 | 3-Major | BT724109 | Manual config-sync fails after pool with FQDN pool members is deleted | 12.1.5.3, 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 700712-1 | 3-Major | BT700712 | MariaDB binary logging takes up disk space | 13.1.3.2 |
| 687115-2 | 3-Major | BT687115 | SNMP performance can be impacted by a long list of allowed-addresses | 12.1.5.3, 13.1.3.2 |
| 683135-2 | 3-Major | BT683135 | Hardware syncookies number for virtual server stats is unrealistically high | 13.1.3.2, 14.1.2.7 |
| 680917-1 | 3-Major | BT680917 | Invalid monitor rule instance identifier | 12.1.5.3, 13.1.3.2, 14.1.2.1 |
| 815425 | 4-Minor | BT815425 | RAID status is shown <undefined> after upgrade from 12.1.3.5 to 13.1.x ☆ | 13.1.3.2 |
| 755018-4 | 4-Minor | BT755018 | Egress traffic processing may be stopped on one or more VE trunk interfaces | 13.1.3.2, 14.1.2.7, 15.0.1.1 |
| 484683-3 | 4-Minor | BT484683 | Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer. | 13.1.3.2, 14.1.2.7 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 800305-4 | 2-Critical | BT800305 | VDI::cmp_redirect generates flow with random client port | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 787825-3 | 2-Critical | K58243048 , BT787825 | Database monitors debug logs have plaintext password printed in the log file | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 739927-3 | 2-Critical | BT739927 | Bigd crashes after a specific combination of logging operations | 11.5.9, 11.6.4, 12.1.4, 13.1.3.2 |
| 693491-1 | 2-Critical | BT693491 | ASM with Web Acceleration Profile can rarely cause TMM to core | 13.1.3.2 |
| 813673-1 | 3-Major | BT813673 | The HTTP explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT. | 13.1.3.2 |
| 788325-4 | 3-Major | K39794285 , BT788325 | Header continuation rule is applied to request/response line | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 781753-1 | 3-Major | BT781753 | WebSocket traffic is transmitted with unknown opcodes | 13.1.3.2, 14.1.2.8 |
| 773421-2 | 3-Major | BT773421 | Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied | 12.1.5.1, 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 770477-3 | 3-Major | BT770477 | SSL aborted when client_hello includes both renegotiation info extension and SCSV | 12.1.5.3, 13.1.3.2, 14.1.2.5 |
| 761030-1 | 3-Major | BT761030 | tmsh show net route lookup does not show the route for an IPv4-mapped IPv6 address | 13.1.3.2, 14.1.2.5 |
| 758992-1 | 3-Major | BT758992 | The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address | 13.1.3.2, 14.1.2.3, 15.0.1.3 |
| 757827-3 | 3-Major | BT757827 | Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution | 13.1.3.2, 14.1.2.5, 15.0.1.3 |
| 755727-3 | 3-Major | BT755727 | Ephemeral pool members not created after DNS flap and address record changes | 12.1.5.2, 13.1.3.2, 14.1.2.5, 15.0.1.3 |
| 749294-2 | 3-Major | BT749294 | TMM cores when query session index is out of boundary | 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.0.2 |
| 747907-1 | 3-Major | BT747907 | Persistence records leak while the high availability (HA) mirror connection is down | 13.1.3.2, 14.1.0.6 |
| 743257-1 | 3-Major | BT743257 | Fix block size insecurity init and assign | 13.1.3.2, 14.0.0.5, 14.1.2.5 |
| 742237-2 | 3-Major | BT742237 | CPU spikes appear wider than actual in graphs | 12.1.5, 13.1.3.2, 14.1.2.1 |
| 739638-2 | 3-Major | BT739638 | BGP failed to connect with neighbor when pool route is used | 12.1.4.1, 13.1.3.2, 14.0.1.1 |
| 726734-1 | 3-Major | BT726734 | DAGv2 port lookup stringent may fail | 13.1.3.2, 14.1.2.8 |
| 726176-4 | 3-Major | BT726176 | Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 716952-2 | 3-Major | BT716952 | With TCP Nagle enabled, the SSL filter holds the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet's offload process completes. | 13.1.3.2 |
| 704450-3 | 3-Major | BT704450 | bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration | 12.1.5.2, 13.1.3.2, 14.1.0.2 |
| 693582-1 | 3-Major | BT693582 | Monitor node log not rotated for certain monitor types | 12.1.4, 13.1.3.2 |
| 689361-1 | 3-Major | BT689361 | Configsync can change the status of a monitored pool member | 12.1.5.2, 13.1.3.2, 14.1.2.1 |
| 687887-1 | 3-Major | BT687887 | Unexpected result from multiple changes to a monitor-related object in a single transaction | 12.1.5.3, 13.1.3.2, 14.1.2.3 |
| 676990-2 | 3-Major | BT676990 | No way to enable SNAT of host traffic | 13.1.3.2 |
| 676557-1 | 3-Major | BT676557 | Binary data marshalled to TCL may be converted to UTF8 | 13.1.3.2 |
| 636842-3 | 3-Major | K51472519 , BT636842 | A FastL4 virtual server may drop a FIN packet when mirroring is enabled | 12.1.5.1, 13.1.3.2, 14.1.2.5 |
| 601189-3 | 3-Major | BT601189 | The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode | 12.1.5.1, 13.1.3.2, 14.1.2.5 |
| 769309-3 | 4-Minor | BT769309 | DB monitor reconnects to server on every probe when count = 0 | 12.1.5.3, 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 760683-2 | 4-Minor | BT760683 | RST from non-floating self-ip may use floating self-ip source mac-address | 13.1.3.2, 14.1.2.5 |
| 754003-1 | 4-Minor | K73202036 , BT754003 | Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate | 13.1.3.2, 14.1.2.3, 15.0.1.3 |
| 747628-3 | 4-Minor | BT747628 | BIG-IP sends spurious ICMP PMTU message to server | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 744210-1 | 4-Minor | BT744210 | DHCPv6 does not have the ability to override the hop limit from the client. | 13.1.3.2, 14.1.2.3 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 772233-1 | 3-Major | BT772233 | IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV. | 13.1.3.2, 14.1.2.5, 15.0.1.3 |
| 761032-4 | 3-Major | K36328238 , BT761032 | TMSH displays TSIG keys | 13.1.3.2, 14.0.1.1, 14.1.2.3 |
| 699512-1 | 3-Major | BT699512 | UDP packet may be dropped when queued in parallel with another packet | 13.1.3.2 |
| 672491-5 | 3-Major | K10990182 , BT672491 | net resolver uses internal IP as source if matching wildcard forwarding virtual server | 11.6.5.3, 12.1.3.6, 13.1.3.2 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 813945-1 | 2-Critical | BT813945 | PB core dump while processing many entities | 13.1.3.2, 14.1.2.3 |
| 775105-1 | 2-Critical | BT775105 | False positive on bot defense logs | 13.1.3.2, 14.0.1.1 |
| 812341-1 | 3-Major | BT812341 | Patch or Delete commands take a long time to complete when modifying an ASM signature set. | 13.1.3.2, 14.1.2.3 |
| 800453-1 | 3-Major | K72252057 , BT800453 | False positive virus violations | 13.1.3.2, 14.1.2.3, 15.0.1.3 |
| 783513-1 | 3-Major | BT783513 | ASU is very slow on device with hundreds of policies due to logging profile handling | 13.1.3.2, 14.1.2.3 |
| 739618-1 | 3-Major | BT739618 | When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy | 13.1.3.2, 14.1.2.3, 15.1.0.2 |
| 727107-2 | 3-Major | BT727107 | Request Logs are not stored locally due to shmem pipe blockage | 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 756102-3 | 2-Critical | BT756102 | TMM can crash with core on ABORT signal due to non-responsive AVR code | 13.1.3.2, 14.1.0.6, 15.0.1.1 |
| 797785-3 | 3-Major | BT797785 | AVR reports no ASM-Anomalies data. | 13.1.3.2, 14.1.2.1, 15.0.1.3 |
| 792265-1 | 3-Major | BT792265 | Traffic logs do not include the BIG-IQ tags | 13.1.3.2, 14.1.2.1, 15.0.1.3 |
| 781581-4 | 3-Major | BT781581 | Monpd uses excessive memory on requests for network_log data | 13.1.3.2, 14.1.2.3, 15.0.1.3 |
| 703196-5 | 3-Major | BT703196 | Reports for AVR are missing data | 13.1.3.2 |
| 696191-1 | 3-Major | BT696191 | AVR-related disk partitions can get full during upgrade ☆ | 13.1.3.2 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 811145-4 | 2-Critical | BT811145 | VMware View resources with SAML SSO are not working | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 784989-4 | 2-Critical | BT784989 | TMM may crash with panic message: Assertion 'cookie name exists' failed | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 777173-4 | 2-Critical | BT777173 | Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 725505-2 | 2-Critical | BT725505 | SNAT settings in network resource are not applied after FastL4 profile is updated | 13.1.3.2 |
| 618641-1 | 2-Critical | BT618641 | In rare cases VDI plugin might leak memory or crash while processing client connections | 13.1.3.2 |
| 815753-4 | 3-Major | BT815753 | TMM leaks memory when explicit SWG is configured with Kerberos authentication | 13.1.3.2, 14.0.1.1, 15.0.1.1 |
| 799149 | 3-Major | BT799149 | Authentication fails with empty password | 13.1.3.2, 14.1.2.7 |
| 798261-4 | 3-Major | BT798261 | APMD fails to create session variables if spanning is enabled on SWG transparent virtual server | 13.1.3.2, 14.1.2.5, 15.0.1.3 |
| 788417-3 | 3-Major | BT788417 | Remote Desktop client on macOS may show resource auth token on credentials prompt | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 787477-1 | 3-Major | BT787477 | Export fails from partitions with '-' as second character | 13.1.3.2, 14.1.2.1 |
| 768025-1 | 3-Major | BT768025 | SAML requests/responses fail with "failed to find certificate" | 13.1.3.2, 14.1.2.5, 15.0.1.3 |
| 766577-4 | 3-Major | BT766577 | APMD fails to send a response to a client that has already closed the connection. | 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1 |
| 725040-3 | 3-Major | BT725040 | Auto-update fails for F5 Helper Applications on Linux | 13.1.3.2 |
| 723278-1 | 3-Major | BT723278 | Radius Accounting-Request (STOP) always includes AVP Framed-IP-Address=0.16.0.0 when Network Access resource is configured with IPv4 & IPv6 | 13.1.3.2 |
| 697590-4 | 3-Major | BT697590 | APM iRule ACCESS::session remove fails outside of Access events | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 653210-1 | 3-Major | BT653210 | Rare resets during the login process | 13.1.3.2, 14.1.2.4 |
| 643935-2 | 3-Major | BT643935 | Rewriting may cause an infinite loop while processing some objects | 13.1.3.2, 14.0.1.1, 14.1.2.3 |
| 719589-3 | 4-Minor | BT719589 | GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic | 13.1.3.2, 14.1.2.7 |
| 684414-2 | 4-Minor | BT684414 | Retrieving too many groups causes out-of-memory errors in TMUI and VPE | 12.1.3.2, 13.1.3.2 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 813657 | 3-Major | BT813657 | MRF SIP ALG with SNAT incorrectly detects ingress queue full | 13.1.3.2 |
| 811745-4 | 3-Major | BT811745 | Failover between clustered DIAMETER devices can cause mirror connections to be disconnected | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 787901 | 2-Critical | BT787901 | While deleting a DoS profile, tmm might core in sPVA | 13.1.3.2 |
| 778869-1 | 2-Critical | K72423000 , BT778869 | ACLs and other AFM features (e.g., IPI) may not function as designed | 13.1.3.2, 14.0.1.1, 14.1.2.5 |
| 747922-2 | 2-Critical | BT747922 | With AFM enabled, during bootup, there is a small possibility of a tmm crash | 13.1.3.2, 14.1.0.2 |
| 761345-1 | 3-Major | BT761345 | Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode | 13.1.3.2, 14.1.2.3 |
| 738284-4 | 3-Major | BT738284 | Creating or deleting rule list results in warning message: Schema object encode failed | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 679722-1 | 3-Major | BT679722 | Configuration sync failure involving self IP references | 13.1.3.2 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 753014-1 | 3-Major | BT753014 | PEM iRule action with RULE_INIT event fails to attach to PEM policy | 12.1.5.3, 13.1.3.2, 14.1.2.7 |
| 747065-3 | 3-Major | BT747065 | PEM iRule burst of session ADDs leads to missing sessions | 13.1.3.2 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 804185-3 | 3-Major | BT804185 | Some WebSafe request signatures may not work as expected | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 803477-1 | 3-Major | BT803477 | BaDoS State file load failure when signature protection is off | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 767045 | 4-Minor | BT767045 | TMM cores while applying policy | 13.1.3.2, 14.1.2.3 |
| 711708-1 | 4-Minor | BT711708 | Default disabled DoS profile cannot be attached to virtual server because of BADOS '2 virtual servers limitation' | 13.1.3.2 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 674795-2 | 4-Minor | BT674795 | tmsh help/man page incorrectly states that the urldb feedlist polling interval is in seconds, when it is in hours. | 12.1.5.3, 13.1.3.2 |
Cumulative fixes from BIG-IP v13.1.3.1 that are included in this release
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 688627-1 | 3-Major | BT688627 | OPT-0043 40G optical transceiver cannot be unbundled into 4x10G | 13.1.3.1 |
Cumulative fixes from BIG-IP v13.1.3 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 809377-4 | CVE-2019-6649 | K05123525 | AFM ConfigSync Hardening | 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
| 771873-3 | CVE-2019-6642 | K40378764 , BT771873 | TMSH Hardening | 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 767653-2 | CVE-2019-6660 | K23860356 , BT767653 | Malformed HTTP request can result in endless loop in an iRule script | 13.1.3, 14.0.1.1, 14.1.2.1 |
| 758065-2 | CVE-2019-6667 | K82781208 , BT758065 | TMM may consume excessive resources while processing FIX traffic | 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
| 757023-4 | CVE-2018-5743 | K74009656 , BT757023 | BIND vulnerability CVE-2018-5743 | 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
| 756538-1 | CVE-2019-6645 | K15759349 , BT756538 | Failure to open data channel for active FTP connections mirrored across a high availability (HA) pair. | 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6 |
| 754103-2 | CVE-2019-6644 | K75532331 , BT754103 | iRulesLX NodeJS daemon does not follow best security practices | 12.1.4.1, 13.1.3, 14.0.0.5, 14.1.0.6 |
| 739971-2 | CVE-2018-5391 | K74374841 , BT739971 | Linux kernel vulnerability: CVE-2018-5391 | 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.5 |
| 726393-4 | CVE-2019-6643 | K36228121 , BT726393 | DHCPRELAY6 can lead to a tmm crash | 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6 |
| 715923-1 | CVE-2018-15317 | K43625118 , BT715923 | When processing TLS traffic TMM may terminate connections unexpectedly | 11.6.3.3, 12.1.5, 13.1.3, 14.0.0.3 |
| 757455-1 | CVE-2019-6647 | K87920510 , BT757455 | Excessive resource consumption when processing REST requests | 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6 |
| 773649-4 | CVE-2019-6656 | K23876153 , BT773649 | APM Client Logging | 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.2, 15.0.1.1 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 749704-3 | 4-Minor | BT749704 | GTPv2 Serving-Network field with mixed MNC digits | 13.1.3, 14.0.1.1, 14.1.0.6 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 774445-3 | 1-Blocking | K74921042 , BT774445 | BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2 | 13.1.3, 14.0.0.5, 14.1.0.6 |
| 769809-2 | 2-Critical | BT769809 | The vCMP guests 'INOPERATIVE' after upgrade | 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6 |
| 760408-1 | 2-Critical | BT760408 | System Integrity Status: Invalid after BIOS update ☆ | 13.1.3, 14.0.0.5, 14.1.0.6 |
| 757722-1 | 2-Critical | BT757722 | Unknown notify message types unsupported in IKEv2 | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 756402-1 | 2-Critical | BT756402 | Re-transmitted IPsec packets can have garbled contents | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 756071-1 | 2-Critical | BT756071 | MCPD crash | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 753650 | 2-Critical | BT753650 | The BIG-IP system reports frequent kernel page allocation failures. | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 748205-1 | 2-Critical | BT748205 | SSD bay identification incorrect for RAID drive replacement ☆ | 12.1.5, 13.1.3, 14.1.2.5 |
| 734539-3 | 2-Critical | BT734539 | The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads | 12.1.5, 13.1.3, 14.0.1.1 |
| 708968-2 | 2-Critical | BT708968 | OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address | 13.1.3, 14.0.1.1 |
| 671741-3 | 2-Critical | BT671741 | LCD on iSeries devices can lock at red 'loading' screen. | 12.1.5, 13.1.3 |
| 648270-3 | 2-Critical | BT648270 | mcpd can crash if viewing a fast-growing log file through the GUI | 11.6.5.2, 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.0.6 |
| 756153-2 | 3-Major | BT756153 | Add diskmonitor support for MySQL /var/lib/mysql | 12.1.4.1, 13.1.3, 14.1.2.7 |
| 749785-1 | 3-Major | BT749785 | nsm can become unresponsive when processing recursive routes | 12.1.5.3, 13.1.3, 14.1.2.5 |
| 746266-1 | 3-Major | BT746266 | A vCMP guest VLAN MAC mismatch across blades. | 12.1.5, 13.1.3, 14.1.2.3 |
| 735565-1 | 3-Major | BT735565 | BGP neighbor peer-group config element not persisting | 12.1.4.1, 13.1.3, 14.0.1.1 |
| 723553-1 | 3-Major | BT723553 | BIG-IP installations on RAID systems (old style) may not boot ☆ | 13.1.3 |
| 720610 | 3-Major | BT720610 | Automatic Update Check logs false 'Update Server unavailable' message on every run | 13.1.3, 14.1.2.7 |
| 716166-4 | 3-Major | BT716166 | Dynamic routing not added when conflicting self IPs exist | 11.6.5.1, 12.1.4.1, 13.1.3 |
| 709544-2 | 3-Major | BT709544 | VCMP guests in HA configuration become Active/Active during upgrade ☆ | 12.1.4.1, 13.1.3, 14.0.0 |
| 705037-2 | 3-Major | K32332000 , BT705037 | System may exhibit duplicate if_index, which in some cases leads to nsm daemon restart | 12.1.4, 13.1.3, 14.0.1.1, 14.1.2.3 |
| 702310-1 | 3-Major | BT702310 | The ':l' and ':h' options are not available on the tmm interface in tcpdump | 13.1.3 |
| 693388-2 | 3-Major | BT693388 | Log additional HSB registers when device becomes unresponsive | 12.1.4.1, 13.1.3 |
| 667618-1 | 3-Major | BT667618 | Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts | 13.1.3 |
| 620954-5 | 3-Major | BT620954 | Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable | 12.1.5.1, 13.1.3 |
| 721526-2 | 4-Minor | BT721526 | tcpdump fails to write verbose packet data to file | 12.1.5.3, 13.1.3 |
| 691171-1 | 4-Minor | BT691171 | Static and dynamically learned blackhole routes from ZebOS cannot be deleted | 13.1.3, 14.0.0 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 759968 | 1-Blocking | BT759968 | Distinct vCMP guests are able to cluster with each other. | 12.1.5, 13.1.3, 14.1.2.1, 15.0.1.1 |
| 757441-2 | 2-Critical | BT757441 | Specific sequence of packets causes Fast Open to be effectively disabled | 13.1.3, 14.0.1.1, 14.1.2.1 |
| 757391-3 | 2-Critical | BT757391 | Datagroup iRule command class can lead to memory corruption | 12.1.5, 13.1.3, 14.1.2.5 |
| 756450-2 | 2-Critical | BT756450 | Traffic using route entry that's more specific than existing blackhole route can cause core | 11.6.5.1, 12.1.5, 13.1.3, 14.1.2.3 |
| 755585-3 | 2-Critical | BT755585 | mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction | 13.1.3, 14.1.2.1 |
| 746710-2 | 2-Critical | BT746710 | Use of HTTP::cookie after HTTP:disable causes TMM core | 13.1.3, 14.1.2.1 |
| 742184-1 | 2-Critical | BT742184 | TMM memory leak | 13.1.3, 14.1.0.2 |
| 740228-1 | 2-Critical | BT740228 | TMM crash while sending a DHCP Lease Query to a DHCP server | 12.1.5.3, 13.1.3, 14.0.0.5 |
| 724214-3 | 2-Critical | BT724214 | TMM core when using Multipath TCP | 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5 |
| 667779-1 | 2-Critical | BT667779 | iRule commands may cause the TMM to crash in very rare situations. | 11.6.5.2, 12.1.5, 13.1.3 |
| 794493 | 3-Major | BT794493 | Creating Client SSL profile via tmsh or iControl REST and specifying 'cert' and 'key' incorrectly leaves inherit-certkeychain as true | 13.1.3 |
| 790205-2 | 3-Major | BT790205 | Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core | 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.2.7, 15.0.1.1 |
| 760771-3 | 3-Major | BT760771 | FastL4-steered traffic might cause SSL resume handshake delay | 13.1.3, 14.1.2.3 |
| 760550-3 | 3-Major | BT760550 | Retransmitted TCP packet has FIN bit set | 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6 |
| 757442-1 | 3-Major | BT757442 | A missed SYN cookie check causes crash at the standby TMM in HA mirroring system | 13.1.3, 14.1.4 |
| 754349 | 3-Major | BT754349 | FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4 | 13.1.3, 14.0.1.1 |
| 753594-3 | 3-Major | BT753594 | In-TMM monitors may have duplicate instances or stop monitoring | 13.1.3, 14.1.3.1 |
| 753514-1 | 3-Major | BT753514 | Large configurations containing LTM Policies load slowly | 13.1.3, 14.0.1.1, 14.1.2.3 |
| 749414-2 | 3-Major | BT749414 | Invalid monitor rule instance identifier error | 11.6.5.2, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6 |
| 746922-4 | 3-Major | BT746922 | When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain. | 12.1.4.1, 13.1.3, 14.0.1.1, 14.1.2.7 |
| 726001-1 | 3-Major | BT726001 | Rapid datagroup updates can cause type corruption | 13.1.3 |
| 720219 | 3-Major | K13109068 , BT720219 | HSL::log command can fail to pick new pool member if last picked member is 'checking' | 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.2 |
| 719304-2 | 3-Major | BT719304 | Inconsistent node ICMP monitor operation for IPv6 nodes | 13.1.3, 14.1.4 |
| 712919-1 | 3-Major | K54802336 , BT712919 | Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server. | 13.1.3, 14.0.1.1, 14.1.2.3 |
| 705112-2 | 3-Major | BT705112 | DHCP server flows are not re-established after expiration | 11.5.9, 12.1.4.1, 13.1.3, 14.1.2.5, 15.1.0.2 |
| 675367-2 | 3-Major | K95393925 , BT675367 | The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication | 13.1.3 |
| 604811-2 | 3-Major | BT604811 | Under certain conditions TMM may crash while processing OneConnect traffic | 11.6.3.2, 12.1.5.3, 13.1.3 |
| 273104-1 | 3-Major | | Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps | 12.1.4.1, 13.1.3 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 759721-4 | 3-Major | K03332436 , BT759721 | DNS GUI does not follow best practices | 13.1.3, 14.0.0.5, 14.1.0.6 |
| 754901-3 | 3-Major | BT754901 | Frequent zone update notifications may cause TMM to restart | 13.1.3, 14.1.2.5 |
| 750213-2 | 3-Major | K25351434 , BT750213 | DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records. | 12.1.5, 13.1.3, 14.1.2.5 |
| 726412-2 | 4-Minor | BT726412 | Virtual server drop down missing objects on pool creation | 12.1.4.1, 13.1.3 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 781637-4 | 3-Major | BT781637 | ASM brute force counts unnecessary failed logins for NTLM | 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 781605-1 | 3-Major | BT781605 | Fix RFC issue with the multipart parser | 11.6.5.3, 12.1.6, 13.1.3, 14.1.2.1, 15.0.1.1 |
| 781069-4 | 3-Major | BT781069 | Bot Defense challenge blocks requests with long Referer headers | 13.1.3, 14.1.2.1, 15.0.1.1 |
| 773553-4 | 3-Major | BT773553 | ASM JSON parser false positive. | 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 769981-3 | 3-Major | BT769981 | bd crashes in a specific scenario | 13.1.3, 14.1.2.1, 15.0.1.1 |
| 764373-1 | 3-Major | BT764373 | 'Modified domain cookie' violation with multiple enforced domain cookies with different paths | 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 763001-2 | 3-Major | K70312000 , BT763001 | Web-socket enforcement might lead to a false negative | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 761941-3 | 3-Major | BT761941 | ASM does not remove CSRT token query parameter before forwarding a request to the backend server | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 761231-4 | 3-Major | K79240502 , BT761231 | Bot Defense Search Engines getting blocked after configuring DNS correctly | 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
| 739900-1 | 3-Major | BT739900 | All Policies are created with 3 new Signature Sets After Creation of a Policy using Application Ready Templates | 13.1.3 |
| 713051 | 3-Major | BT713051 | PB generates a suggestion to add a disallowed filetype with an empty name. | 13.1.3 |
| 686763-1 | 3-Major | BT686763 | asm_start is consuming too much memory | 12.1.5.3, 13.1.3 |
| 686500-1 | 3-Major | BT686500 | Adding user defined signature on device with many policies is very slow | 13.1.3, 14.0.0 |
| 675673-1 | 3-Major | BT675673 | Policy history files should be limited by settings in a configuration file. | 13.1.3 |
| 768761-4 | 4-Minor | BT768761 | Improved accept action description for suggestions to disable signature/enable metacharacter in policy | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 761553-4 | 4-Minor | BT761553 | Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 761549-4 | 4-Minor | BT761549 | Traffic Learning: Accept and Stage action is shown only in case entity is not in staging | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 750689-1 | 4-Minor | BT750689 | Request Log: Accept Request button available when not needed | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 749184-4 | 4-Minor | BT749184 | Added description of subviolation for the suggestions that enabled/disabled them | 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.3 |
| 747560-3 | 4-Minor | BT747560 | ASM REST: Unable to download Whitehat vulnerabilities | 12.1.5.1, 13.1.3, 14.1.0.6 |
| 695878-4 | 4-Minor | BT695878 | Signature enforcement issue on specific requests | 11.5.6, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1 |
| 613728-2 | 4-Minor | BT613728 | Import/Activate Security policy with 'Replace policy associated with virtual server' option fails | 12.1.4, 13.1.3 |
| 769061-4 | 5-Cosmetic | BT769061 | Improved details for learning suggestions to enable violation/sub-violation | 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.1 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 753485-2 | 2-Critical | K50285521 , BT753485 | AVR global settings are being overridden by high availability (HA) peers | 13.1.3, 14.1.2, 15.0.1 |
| 771025-2 | 3-Major | BT771025 | AVR sends domain names as an aggregate | 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.3 |
| 688544-1 | 3-Major | BT688544 | SWG reports on BIG-IQ show same series as 'Allowed' and 'Blocked' at the same time | 13.1.3 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 760130-1 | 2-Critical | BT760130 | [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK | 13.1.3, 14.1.3.1 |
| 753370-1 | 2-Critical | BT753370 | RADIUS auth might not be working as configured when there is change in RADIUS auth config name. | 13.1.3, 14.0.0.5, 14.1.0.6 |
| 745600-3 | 2-Critical | BT745600 | Tmm crash and core using iRule | 13.1.3 |
| 741535-1 | 2-Critical | BT741535 | Memory leak when using SAML or Form-based Client-initiated SSO | 13.1.3 |
| 723402-2 | 2-Critical | BT723402 | Apmd crashes running command: tmsh restart sys service all | 13.1.3 |
| 686282-2 | 2-Critical | BT686282 | APMD intermittently crashes when processing access policies | 12.1.3.2, 13.1.3 |
| 783817-4 | 3-Major | BT783817 | UI becomes unresponsive when accessing Access active session information | 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 775621-4 | 3-Major | BT775621 | urldb memory grows past the expected ~3.5GB | 13.1.3, 14.1.2.1, 15.0.1.3 |
| 765621-1 | 3-Major | BT765621 | POST request being rejected when using OAuth Resource Server mode | 13.1.3 |
| 760974-1 | 3-Major | BT760974 | TMM SIGABRT while evaluating access policy | 13.1.3 |
| 759638-1 | 3-Major | BT759638 | APM current active and established session counts out of sync after failover | 13.1.3 |
| 754542-4 | 3-Major | BT754542 | TMM may crash when using RADIUS Accounting agent | 13.1.3, 14.1.0.6 |
| 750823-3 | 3-Major | BT750823 | Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD | 13.1.3, 14.1.2.1 |
| 750631-1 | 3-Major | BT750631 | There may be latency between session termination and deletion of its associated IP address mapping | 13.1.3, 14.1.2.7 |
| 750170-1 | 3-Major | BT750170 | SP Connector config changes can cause a BIG-IP tmm core during handling of a SAML SLO request | 13.1.3 |
| 749161-1 | 3-Major | | Problem syncing a policy that contains non-ASCII characters | 13.1.3, 14.1.2.1 |
| 747725-2 | 3-Major | BT747725 | Kerberos Auth agent may override settings that were manually made to krb5.conf | 12.1.4.1, 13.1.3, 14.1.2.5 |
| 744532-2 | 3-Major | BT744532 | Websso fails to decrypt secured session variables | 13.1.3 |
| 600985-3 | 3-Major | BT600985 | Network access tunnel data stalls | 13.1.3, 14.1.2.7 |
| 770621-1 | 4-Minor | BT770621 | [Portal Access] HTTP 308 redirect does not get rewritten | 13.1.3 |
| 737603-1 | 4-Minor | BT737603 | Apmd leaks memory when executing per-session policy via iRule | 13.1.3, 14.0.1.1 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 759077-4 | 3-Major | BT759077 | MRF SIP filter queue sizes not configurable | 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.4 |
| 748253-3 | 3-Major | BT748253 | Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection | 13.1.3, 14.1.2.1 |
| 745628-3 | 3-Major | BT745628 | MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message | 13.1.3, 14.0.1.1, 14.1.0.2 |
| 745514-3 | 3-Major | BT745514 | MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message | 13.1.3, 14.0.1.1, 14.1.0.2 |
| 745404-2 | 3-Major | BT745404 | MRF SIP ALG does not reparse SDP payload if replaced | 12.1.5.2, 13.1.3, 14.0.1.1, 14.1.0.2 |
| 701680-2 | 3-Major | BT701680 | MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds | 12.1.4.1, 13.1.3 |
| 747909-3 | 4-Minor | BT747909 | GTPv2 MEI and Serving-Network fields decoded incorrectly | 11.6.5.1, 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.0.6 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 763121-1 | 2-Critical | BT763121 | Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM. | 13.1.3, 14.1.2.8 |
| 757359-3 | 2-Critical | BT757359 | pccd crashes when deleting a nested Address List | 13.1.3, 14.1.0.6 |
| 752363 | 2-Critical | BT752363 | Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled | 13.1.3, 14.1.0.2 |
| 777733-1 | 3-Major | BT777733 | DoS profile default values cause config load failure on upgrade | 13.1.3 |
| 771173-1 | 3-Major | BT771173 | FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly. | 13.1.3, 14.1.2.5, 15.0.1.3 |
| 757306-2 | 3-Major | BT757306 | SNMP MIBS for AFM NAT do not yet exist | 13.1.3, 14.1.2, 15.0.1 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 726665-2 | 2-Critical | BT726665 | tmm core dump due to SEGFAULT | 13.1.3, 14.0.1.1 |
| 760438-1 | 3-Major | BT760438 | PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions | 13.1.3, 14.1.2.1 |
| 759192-1 | 3-Major | BT759192 | TMM core during display of PEM session under some specific conditions | 13.1.3, 14.0.1.1, 14.1.2.1 |
| 756311-1 | 3-Major | BT756311 | High CPU during erroneous deletion | 13.1.3, 14.0.1.1, 14.1.2.1 |
| 753163-2 | 3-Major | BT753163 | PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days | 13.1.3, 14.1.2.1 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 775013-4 | 3-Major | BT775013 | TIME EXCEEDED alert has insufficient data for analysis | 13.1.3, 14.1.2.1, 15.0.1.1 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 752803-2 | 2-Critical | BT752803 | CLASSIFICATION_DETECTED running reject can lead to a tmm core | 13.1.3, 14.1.0.6 |
Cumulative fixes from BIG-IP v13.1.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 807477-9 | CVE-2019-6650 | K04280042 , BT807477 | ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
| 797885-4 | CVE-2019-6649 | K05123525 , BT797885 | ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
| 796469-2 | CVE-2019-6649 | K05123525 , BT796469 | ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
| 810557-9 | CVE-2019-6649 | K05123525 , BT810557 | ASM ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
| 799617-4 | CVE-2019-6649 | K05123525 , BT799617 | ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
| 799589-4 | CVE-2019-6649 | K05123525 , BT799589 | ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
| 794389-9 | CVE-2019-6651 | K89509323 , BT794389 | iControl REST endpoint response inconsistency | 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
| 794413-9 | CVE-2019-6471 | K10092301 , BT794413 | BIND vulnerability CVE-2019-6471 | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 744937-9 | 3-Major | K00724442 , BT744937 | BIG-IP DNS and GTM DNSSEC security exposure | 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 760622-2 | 3-Major | BT760622 | Allow Device Certificate renewal from BIG-IP Configuration Utility | 15.1.0.5 |
| 760363-2 | 3-Major | BT760363 | Update Alias Address field with default placeholder text | 13.1.3.2 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 807445 | 3-Major | BT807445 | Replaced ISC_TRUE and ISC_FALSE with true and false | |
Cumulative fixes from BIG-IP v13.1.1.5 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 757025-3 | CVE-2018-5744 | K00040234 , BT757025 | BIND Update | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 756774-4 | CVE-2019-6612 | K24401914 , BT756774 | Aborted DNS queries to a cache may cause a TMM crash | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 754944-3 | CVE-2019-6626 | K00432398 , BT754944 | AVR reporting UI does not follow best practices | 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 754345-3 | CVE-2019-6625 | K79902360 , BT754345 | WebUI does not follow best security practices | 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 753975 | CVE-2019-6666 | K92411323 , BT753975 | TMM may crash while processing HTTP traffic with webacceleration profile | 13.1.1.5, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
| 753776-1 | CVE-2019-6624 | K07127032 , BT753776 | TMM may consume excessive resources when processing UDP traffic | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 749879-4 | CVE-2019-6611 | K47527163 , BT749879 | Possible interruption while processing VPN traffic | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 748502-3 | CVE-2019-6623 | K72335002 , BT748502 | TMM may crash when processing iSession traffic | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 737731-2 | CVE-2019-6622 | K44885536 , BT737731 | iControl REST input sanitization | 12.1.5.1, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
| 737574-2 | CVE-2019-6621 | K20541896 , BT737574 | iControl REST input sanitization | 11.5.9, 11.6.4, 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 737565-2 | CVE-2019-6620 | K20445457 , BT737565 | iControl REST input sanitization | 11.6.5.1, 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
| 726327-2 | CVE-2018-12120 | K37111863 , BT726327 | NodeJS debugger accepts connections from any host | 13.1.1.5, 14.1.0.6 |
| 791369-4 | CVE-2019-6662 | K01049383 | The REST framework may reflect client data in error logs | 13.1.1.5 |
| 757027-3 | CVE-2019-6465 | K01713115 , BT757027 | BIND Update | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 757026-3 | CVE-2018-5745 | K25244852 , BT757026 | BIND Update | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 753796-2 | CVE-2019-6640 | K40443301 | SNMP does not follow best security practices | 11.5.9, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 750460-3 | CVE-2019-6639 | K61002104 , BT750460 | Subscriber management configuration GUI | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 750187-3 | CVE-2019-6637 | K29149494 , BT750187 | ASM REST may consume excessive resources | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 745713-1 | CVE-2019-6619 | K94563344 , BT745713 | TMM may crash when processing HTTP/2 traffic | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 745387-3 | CVE-2019-6618 | K07702240 , BT745387 | Resource-admin user roles can no longer get bash access | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 745371-2 | CVE-2019-6636 | K68151373 , BT745371 | AFM GUI does not follow best security practices | 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 745257-3 | CVE-2018-14634 | K20934447 , BT745257 | Linux kernel vulnerability: CVE-2018-14634 | 11.6.4, 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
| 745165-3 | CVE-2019-6617 | K38941195 , BT745165 | Users without Advanced Shell Access are not allowed SFTP access | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 742226-2 | CVE-2019-6635 | K11330536 , BT742226 | TMSH platform_check utility does not follow best security practices | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 710857-2 | CVE-2019-6634 | K64855220 | iControl requests may cause excessive resource usage | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 703835-2 | CVE-2019-6616 | K82814400 , BT703835 | When using SCP into BIG-IP systems, you must specify the target filename | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 702472-3 | CVE-2019-6615 | K87659521 , BT702472 | Appliance Mode Security Hardening | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 702469-3 | CVE-2019-6633 | K73522927 , BT702469 | Appliance mode hardening in scp | 11.6.5.1, 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 698376-3 | CVE-2019-6614 | K46524395 , BT698376 | Non-admin users have limited bash commands and can only write to certain directories | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 673842-4 | CVE-2019-6632 | K01413496 , BT673842 | VCMP does not follow best security practices | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 752835-3 | 2-Critical | K46971044 , BT752835 | Mitigate mcpd out of memory error with auto-sync enabled. | 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 750586-1 | 2-Critical | BT750586 | HSL may incorrectly handle pending TCP connections with elongated handshake time. | 12.1.5, 13.1.1.5, 14.1.0.6 |
| 707013 | 2-Critical | BT707013 | vCMP host secondary member's cluster.conf file may be replaced by that of a vCMP guest | 13.1.1.5, 14.0.1.1, 14.1.0.2 |
| 699515-1 | 2-Critical | | nsm cores during update of nexthop for ECMP recursive route | 13.1.1.5, 14.1.2.5 |
| 621260-4 | 2-Critical | BT621260 | mcpd core on iControl REST reference to non-existing pool | 11.6.5.1, 12.1.5.1, 13.1.1.5, 14.0.1.1, 14.1.0.2 |
| 760222-5 | 3-Major | BT760222 | SCP fails unexpectedly when FIPS mode is enabled | 13.1.1.5, 14.0.0.5, 14.1.0.3 |
| 757414 | 3-Major | BT757414 | GUI Network Map slow page load with large configuration | 13.1.1.5 |
| 756088-1 | 3-Major | BT756088 | The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address | 13.1.1.5 |
| 754567 | 3-Major | BT754567 | Child clientSSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file | 13.1.1.5 |
| 751011-1 | 3-Major | BT751011 | ihealth.sh script and qkview locking mechanism not working | 13.1.1.5, 14.1.0.2 |
| 750447-1 | 3-Major | BT750447 | GUI VLAN list page loading slowly with 50 records per screen | 13.1.1.5, 14.1.0.2 |
| 750318-1 | 3-Major | BT750318 | HTTPS monitor does not appear to be using cert from server-ssl profile | 13.1.1.5, 14.1.2.3 |
| 748187-2 | 3-Major | BT748187 | 'Transaction Not Found' Error on PATCH after Transaction has been Created | 12.1.4, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
| 740345-1 | 3-Major | BT740345 | TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled. | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 725791-4 | 3-Major | K44895409 , BT725791 | Potential HW/HSB issue detected | 11.6.5.2, 12.1.5.2, 13.1.1.5, 14.1.0.6 |
| 723794-3 | 3-Major | BT723794 | PTI (Meltdown) mitigation should be disabled on AMD-based platforms | 11.6.5.1, 12.1.4.1, 13.1.1.5 |
| 722380-2 | 3-Major | BT722380 | The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core. | 12.1.5.2, 13.1.1.5 |
| 721805 | 3-Major | BT721805 | Traffic Policy edit to datagroup errors on adding ASM disable action | 13.1.1.5 |
| 720819-2 | 3-Major | BT720819 | Certain platforms may take longer than expected to detect and recover from HSB lock-ups | 12.1.4.1, 13.1.1.5 |
| 720269-2 | 3-Major | BT720269 | TACACS audit logging may append garbage characters to the end of log strings | 12.1.4.1, 13.1.1.5, 14.0.1.1 |
| 714626-2 | 3-Major | BT714626 | When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect. | 13.1.1.5, 14.0.0 |
| 701898-1 | 3-Major | BT701898 | Certain virtual address route-advertisement settings break upgrades from 13.0.0 hotfix rollups | 13.1.1.5, 14.0.0 |
| 698619-2 | 3-Major | BT698619 | Disable port bridging on HSB ports for non-vCMP systems | 12.1.4, 13.1.1.5 |
| 681009-1 | 3-Major | BT681009 | Large configurations can cause memory exhaustion during live-install | 13.1.1.5 |
| 581921-3 | 3-Major | K22327083 , BT581921 | Required files under /etc/ssh are not moved during a UCS restore | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
| 697766-1 | 4-Minor | BT697766 | Cisco IOS XR ISIS routers may report 'Authentication TLV not found' | 13.1.1.5 |
| 687368-1 | 4-Minor | BT687368 | The Configuration utility may calculate and display an incorrect HA Group Score | 13.1.1.5 |
| 686111-1 | 4-Minor | K89363245 , BT686111 | Searching and Resetting Audit Logs not working as expected | 13.1.1.5 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 753912 | 2-Critical | K44385170 , BT753912 | UDP flows may not be swept | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 752930-1 | 2-Critical | BT752930 | Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state | 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
| 745533-4 | 2-Critical | | NodeJS Vulnerability: CVE-2016-5325 | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 680564-1 | 2-Critical | BT680564 | "MCP Message:" seen on boot up with Best License | 13.1.1.5 |
| 756270-2 | 3-Major | BT756270 | SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle | 11.5.9, 11.6.4, 12.1.5, 13.1.1.5, 14.1.0.6 |
| 750843-1 | 3-Major | BT750843 | HTTP data re-ordering when receiving data while iRule parked | 13.1.1.5, 14.0.0.5 |
| 750200-1 | 3-Major | BT750200 | DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode | 13.1.1.5, 14.0.1.1, 14.1.0.2 |
| 749689-1 | 3-Major | BT749689 | HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart | 13.1.1.5, 14.1.2.3 |
| 747968-2 | 3-Major | BT747968 | DNS64 stats not increasing when requests go through DNS cache resolver | 11.6.5.3, 12.1.4.1, 13.1.1.5, 14.1.0.6 |
| 747617-1 | 3-Major | BT747617 | TMM core when processing invalid timer | 12.1.5.2, 13.1.1.5, 14.0.1.1, 14.1.0.2 |
| 742078-2 | 3-Major | BT742078 | Incoming SYNs are dropped and the connection does not time out. | 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 738523-2 | 3-Major | BT738523 | SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages | 12.1.4.1, 13.1.1.5, 14.0.1.1 |
| 727292-1 | 3-Major | BT727292 | SSL in proxy shutdown case does not deliver server TCP FIN | 12.1.5, 13.1.1.5 |
| 712664-2 | 3-Major | BT712664 | IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address | 12.1.3.7, 13.1.1.5, 14.0.0.3 |
| 710564 | 3-Major | BT710564 | DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0 | 12.1.4.1, 13.1.1.5 |
| 709952-1 | 3-Major | BT709952 | Disallow DHCP relay traffic to traverse between route domains | 13.1.1.5 |
| 699979-2 | 3-Major | BT699979 | Support for Safenet Client Software v7.x | 13.1.1.5 |
| 698437-1 | 3-Major | BT698437 | Internal capacity increase | 13.1.1.5 |
| 688553-3 | 3-Major | BT688553 | SASP GWM monitor may not mark member UP as expected | 12.1.3.6, 13.1.1.5, 14.0.0.5 |
| 599567-3 | 3-Major | BT599567 | APM assumes SNAT automap, does not use SNAT pool | 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.2.5 |
| 746077-1 | 4-Minor | BT746077 | If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified | 12.1.5.3, 13.1.1.5, 14.1.2.5 |
| 664618-1 | 4-Minor | BT664618 | Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block' | 12.1.4.1, 13.1.1.5, 14.0.0.5 |
| 658382-2 | 5-Cosmetic | BT658382 | Large numbers of ERR_UNKNOWN appearing in the logs | 12.1.4.1, 13.1.1.5 |
Performance Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 735832-1 | 2-Critical | BT735832 | RAM Cache traffic fails on B2150 | 12.1.5, 13.1.1.5 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 756094-3 | 2-Critical | BT756094 | DNS express in restart loop, 'Error writing scratch database' in ltm log | 12.1.4.1, 13.1.1.5, 14.1.0.2 |
| 749508-3 | 3-Major | BT749508 | LDNS and DNSSEC: Various OOM conditions need to be handled properly | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 749222-3 | 3-Major | BT749222 | dname compression offset overflow causes bad compression pointer | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 748902-7 | 3-Major | BT748902 | Incorrect handling of memory allocations while processing DNSSEC queries | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 746877-3 | 3-Major | BT746877 | Omitted check for success of memory allocation for DNSSEC resource record | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 737332-3 | 3-Major | BT737332 | It is possible for DNSX to serve partial zone information for a short period of time | 12.1.4, 13.1.1.5 |
| 748177-3 | 4-Minor | BT748177 | Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character | 12.1.4.1, 13.1.1.5, 14.1.0.6 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 759360 | 2-Critical | BT759360 | Apply Policy fails due to policy corruption from previously enforced signature | 13.1.1.5, 14.1.0.6 |
| 758961 | 2-Critical | K58243048 | During brute force attack, the attempted passwords may be logged | 13.1.1.5 |
| 723790-1 | 2-Critical | BT723790 | Idle asm_config_server handlers consume a lot of memory | 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 760878-2 | 3-Major | BT760878 | Incorrect enforcement of explicit global parameters | 12.1.5, 13.1.1.5, 14.1.0.6 |
| 755005-3 | 3-Major | BT755005 | Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations | 12.1.5.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 754365-3 | 3-Major | BT754365 | Updated flags for countries that changed their flags since 2010 | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 751710-2 | 3-Major | BT751710 | False positive cookie hijacking violation | 13.1.1.5, 14.0.0.5, 14.1.2.1 |
| 749109-1 | 3-Major | BT749109 | CSRF situation on BIGIP-ASM GUI | 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 746146-2 | 3-Major | BT746146 | AVRD can crash with core when disconnecting/reconnecting on HTTPS connection | 13.1.1.5 |
| 739945-2 | 3-Major | BT739945 | JavaScript challenge on POST with 307 breaks application | 12.1.4, 13.1.1.5, 14.0.1.1, 14.1.0.2 |
| 738647-2 | 3-Major | BT738647 | Add the login detection criteria of 'status code is not X' | 12.1.4, 13.1.1.5, 14.0.0.5 |
| 721399-2 | 3-Major | BT721399 | Signature Set cannot be modified to Accuracy = 'All' after another value | 12.1.5, 13.1.1.5 |
| 717525-1 | 3-Major | BT717525 | Behavior for classification in manual learning mode | 13.1.1.5, 14.0.0.5 |
| 691945-1 | 3-Major | BT691945 | Security Policy Configuration Changes When Disabling Learning | 12.1.4.1, 13.1.1.5 |
| 761921-3 | 4-Minor | BT761921 | avrd high CPU utilization due to perpetual connection attempts | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 758336-1 | 4-Minor | BT758336 | Incorrect recommendation in Online Help of Proactive Bot Defense | 12.1.5, 13.1.1.5, 14.1.4, 15.1.2.1 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 763349-1 | 2-Critical | BT763349 | AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 756205-3 | 2-Critical | BT756205 | TMSTAT offbox statistics are not continuous | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 764665-1 | 3-Major | BT764665 | AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 763005-2 | 3-Major | BT763005 | Aggregated Domain Names in DNS statistics are shown as random domain name | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 760356-4 | 3-Major | BT760356 | Users with Application Security Administrator role cannot delete Scheduled Reports | 13.1.1.5, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
| 753446-1 | 3-Major | BT753446 | avrd process crash during shutdown if connected to BIG-IQ | 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 738614-2 | 3-Major | BT738614 | 'Internal error' appears on Goodput GUI page | 13.1.1.5, 14.0.0.5 |
| 738197-2 | 3-Major | BT738197 | IP address from XFF header is not taken into account when there are trailing spaces after IP address | 13.1.1.5 |
| 737863-1 | 3-Major | BT737863 | Advanced Filters for Captured Transactions not working on Multi-Blade Platforms | 13.1.1.5, 14.0.0.5 |
| 718655 | 3-Major | BT718655 | DNS profile measurement unit name is incorrect. | 13.1.1.5 |
| 700322-2 | 3-Major | BT700322 | Upgrade may fail on a multi-blade system when there are scheduled reports in the configuration | 13.1.1.5 |
| 754330-1 | 4-Minor | BT754330 | Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected | 13.1.1.5 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 752592-2 | 2-Critical | BT752592 | VMware Horizon PCoIP clients may fail to connect shortly after logout | 13.1.1.5, 14.1.0.2 |
| 704587-2 | 2-Critical | BT704587 | Authentication with UTF-8 chars in password or handling of IP addresses fail due to byte-array processing in iRules | 13.1.1.5, 14.0.0.5 |
| 660826-3 | 2-Critical | BT660826 | BIG-IQ Deployment fails with customization-templates | 13.1.1.5, 14.0.0 |
| 758764-4 | 3-Major | BT758764 | APMD Core when CRLDP Auth fails to download revoked certificate | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 757992-1 | 3-Major | BT757992 | RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 757781-1 | 3-Major | BT757781 | Portal Access: cookie exchange may be broken sometimes | 13.1.1.5, 14.0.0.5, 14.1.4.2, 15.0.1.1 |
| 755507-3 | 3-Major | BT755507 | [App Tunnel] 'URI sanitization' error | 12.1.5, 13.1.1.5, 14.0.0.5 |
| 755475-3 | 3-Major | BT755475 | Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 749057-3 | 3-Major | BT749057 | VMware Horizon idle timeout is ignored when connecting via APM | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 738430-1 | 3-Major | BT738430 | APM is not able to do compliance check on iOS devices running F5 Access VPN client | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 734291-2 | 3-Major | BT734291 | Logon page modification fails to sync to standby | 13.1.1.5, 14.1.0.6 |
| 696835-1 | 3-Major | BT696835 | Secondary Authentication or SSO fail after changing AD or LDAP password | 13.1.1.5 |
| 695985-2 | 3-Major | BT695985 | Access HUD filter has URL length limit (4096 bytes) | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 656784-1 | 3-Major | K98510679 , BT656784 | Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM | 12.1.4.1, 13.1.1.5, 14.0.0 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 704555-2 | 2-Critical | BT704555 | Core occurs if DIAMETER::persist reset is called if no persistence key is set. | 13.1.1.5, 14.0.0.5 |
| 752822-3 | 3-Major | BT752822 | SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type | 13.1.1.5, 14.0.1.1, 14.1.0.6 |
| 751179-3 | 3-Major | BT751179 | MRF: Race condition may create too many outgoing connections to a peer | 11.6.5.2, 13.1.1.5, 14.1.0.6 |
| 749603-3 | 3-Major | BT749603 | MRF SIP ALG: Potential to end wrong call when BYE received | 13.1.1.5, 14.0.1.1, 14.1.0.2 |
| 748043-3 | 3-Major | BT748043 | MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP | 13.1.1.5, 14.0.1.1, 14.1.0.2 |
| 747187-3 | 3-Major | BT747187 | SIP falsely detects media flow collision when SDP is in both 183 and 200 response | 12.1.5.2, 13.1.1.5, 14.0.1.1, 14.1.0.2 |
| 744949-3 | 3-Major | BT744949 | MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix | 13.1.1.5, 14.0.1.1, 14.1.0.2 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 751869 | 2-Critical | BT751869 | Possible tmm crash when using manual mode mitigation in DoS Profile | 13.1.1.5, 14.1.0.5 |
| 757279 | 3-Major | BT757279 | LDAP authenticated Firewall Manager role cannot edit firewall policies | 13.1.1.5, 14.1.2.8, 15.1.0.5 |
| 753893-1 | 3-Major | BT753893 | Inconsistent validation for firewall address-list's nested address-list causes load failure | 13.1.1.5 |
| 748081-2 | 3-Major | BT748081 | Memory leak in Behavioral DoS module | 13.1.1.5, 14.1.0.2 |
| 710262-1 | 3-Major | BT710262 | Firewall is not updated when adding new rules | 13.1.1.5 |
Carrier-Grade NAT Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 739272-1 | 3-Major | BT739272 | Incorrect zombie counts in PBA stats with long PBA block-lifetimes | 13.1.1.5 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 752782-3 | 3-Major | BT752782 | 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe' | 13.1.1.5, 14.0.0.5, 14.1.0.2 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 760961 | 2-Critical | BT760961 | TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts | 13.1.1.5, 14.1.4.4 |
| 757088-3 | 2-Critical | BT757088 | TMM clock advances and cluster failover happens during webroot db nightly updates | 12.1.5, 13.1.1.5, 14.1.0.5 |
| 752047-2 | 2-Critical | BT752047 | iRule running reject in CLASSIFICATION_DETECTED event can cause core | 13.1.1.5, 14.1.0.6 |
| 761273-1 | 3-Major | BT761273 | wr_urldbd creates sparse log files by writing from the previous position after logrotate. | 13.1.1.5, 14.1.2.8 |
Device Management Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 761300 | 3-Major | K61105950 , BT761300 | Errors in REST token requests may log sensitive data | 13.1.1.5 |
SSL Orchestrator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 717654-2 | 2-Critical | BT717654 | TMM may crash when virtual servers with SSL Forward Proxy are flooded with traffic | 13.1.1.5, 14.0.0 |
Cumulative fixes from BIG-IP v13.1.1.4 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 744035-4 | CVE-2018-15332 | K12130880 , BT744035 | APM Client Vulnerability: CVE-2018-15332 | 11.6.5.1, 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 739970-2 | CVE-2018-5390 | K95343321 , BT739970 | Linux kernel vulnerability: CVE-2018-5390 | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.4, 14.0.1.1 |
| 738119-2 | CVE-2019-6589 | K23566124 , BT738119 | SIP routing UI does not follow best practices | 11.6.3.3, 12.1.4, 13.1.1.4, 14.0.0.3 |
| 745358-3 | CVE-2019-6607 | K14812883 , BT745358 | ASM GUI does not follow best practices | 11.5.9, 11.6.4, 12.1.4, 13.1.1.4, 14.0.0.3 |
| 737910-2 | CVE-2019-6609 | K18535734 , BT737910 | Security hardening on the following platforms | 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 737442-2 | CVE-2019-6591 | K32840424 , BT737442 | Error in APM Hosted Content when set to public access | 12.1.4, 13.1.1.4, 14.0.0.5 |
| 658557-3 | CVE-2019-6606 | K35209601 , BT658557 | The snmpd daemon may leak memory when processing requests. | 11.6.4, 12.1.4, 13.1.1.4, 14.0.0.3 |
| 530775-3 | CVE-2019-6600 | K23734425 | Login page may generate unexpected HTML output | 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.4, 14.0.0.3 |
| 701785-2 | CVE-2017-18017 | K18352029 , BT701785 | Linux kernel vulnerability: CVE-2017-18017 | 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.4, 14.0.0.3 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 744685-1 | 2-Critical | BT744685 | BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 744188 | 2-Critical | BT744188 | First successful auth iControl REST requests will now be logged in audit and secure log files | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 748851-1 | 3-Major | BT748851 | Bot Detection injection includes tags which may cause faulty display of the application | 13.1.1.4 |
| 725878-2 | 3-Major | BT725878 | AVR does not collect all of APM TMStats | 13.1.1.4, 14.0.1.1 |
| 700827-4 | 3-Major | BT700827 | B2250 blades may lose efficiency when source ports form an arithmetic sequence. | 12.1.4, 13.1.1.4, 14.0.0.5 |
| 667257-4 | 3-Major | BT667257 | CPU Usage Reaches 100% With High FastL4 Traffic | 11.6.4, 12.1.4.1, 13.1.1.4 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 682837-2 | 1-Blocking | BT682837 | Compression watchdog period too brief. | 12.1.3.1, 13.1.1.4 |
| 744331 | 2-Critical | | OpenSSH hardening | 12.1.5, 13.1.1.4, 14.0.0.5 |
| 743790-3 | 2-Critical | BT743790 | BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus | 12.1.5, 13.1.1.4 |
| 741423-2 | 2-Critical | BT741423 | Secondary blade goes offline when provisioning ASM/FPS on already established config-sync | 12.1.4, 13.1.1.4, 14.0.0.5 |
| 738887-3 | 2-Critical | | BIG-IP SNMPD vulnerability CVE-2019-6608 | 11.6.4, 12.1.4, 13.1.1.4, 14.0.0.3 |
| 726487-2 | 2-Critical | BT726487 | MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change. | 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.6 |
| 723298-2 | 2-Critical | BT723298 | BIND upgrade to version 9.11.4 | 12.1.4, 13.1.1.4, 14.0.0.3 |
| 713380 | 2-Critical | K23331143 , BT713380 | Multiple B4450 blades in the same chassis run into inconsistent DAG state | 13.1.1.4 |
| 712738-1 | 2-Critical | BT712738 | fpdd may core dump when the system is going down | 13.1.1.4 |
| 710277-1 | 2-Critical | BT710277 | IKEv2 further child_sa validity checks | 12.1.5, 13.1.1.4, 14.0.0.5 |
| 697424-1 | 2-Critical | BT697424 | iControl-REST crashes on /example for firewall address-lists | 12.1.4, 13.1.1.4 |
| 688148-3 | 2-Critical | BT688148 | IKEv1 racoon daemon SEGV during phase-two SA list iteration | 12.1.3.7, 13.1.1.4 |
| 680556-1 | 2-Critical | BT680556 | Under unknown circumstances, a sessionDB subkey entry sometimes becomes corrupted | 13.1.1.4 |
| 677937-3 | 2-Critical | K41517253 , BT677937 | APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets | 12.1.3.4, 13.1.1.4 |
| 668041-2 | 2-Critical | K27535157 , BT668041 | Config load fails when an iRule comment ends with backslash in a config where there is also a policy. | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 751009-1 | 3-Major | BT751009 | Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 748206 | 3-Major | BT748206 | Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position | 13.1.1.4, 14.1.0.6 |
| 745809 | 3-Major | BT745809 | The /var partition may become 100% full, requiring manual intervention to clear space | 13.1.1.4, 14.0.0.5, 14.1.0.6 |
| 743803-2 | 3-Major | BT743803 | IKEv2 potential double free of object when async request queueing fails | 12.1.5, 13.1.1.4, 14.0.0.3, 14.1.0.6 |
| 737536-1 | 3-Major | BT737536 | Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others. | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 737437-2 | 3-Major | BT737437 | IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages | 12.1.5, 13.1.1.4, 14.0.1.1 |
| 737397-3 | 3-Major | BT737397 | User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP | 13.1.1.4, 14.0.0.5 |
| 724143-1 | 3-Major | BT724143 | IKEv2 connflow expiration upon ike-peer change | 13.1.1.4, 14.0.0.5 |
| 723579-4 | 3-Major | BT723579 | OSPF routes missing | 13.1.1.4 |
| 722691 | 3-Major | BT722691 | Available datagroup list does not contain datagroups with the correct type. | 13.1.1.4 |
| 721016 | 3-Major | BT721016 | vcmpd fails updating VLAN information on vcmp guest | 13.1.1.4 |
| 720110-2 | 3-Major | BT720110 | 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session. | 12.1.4.1, 13.1.1.4 |
| 718817-2 | 3-Major | BT718817 | Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail. | 13.1.1.4, 14.0.0.3 |
| 718405-1 | 3-Major | BT718405 | RSA signature PAYLOAD_AUTH mismatch with certificates | 13.1.1.4, 14.1.0.6 |
| 718397-1 | 3-Major | BT718397 | IKEv2: racoon2 appends spurious trailing null byte to ID payloads | 13.1.1.4, 14.0.0.5 |
| 710666-1 | 3-Major | BT710666 | VE with interface(s) marked down may report high CPU usage | 13.1.1.4 |
| 706104-3 | 3-Major | BT706104 | Dynamically advertised route may flap | 12.1.4, 13.1.1.4 |
| 705442-1 | 3-Major | BT705442 | GUI Network Map objects search on Virtual Server IP Address and Port does not work | 13.1.1.4 |
| 698947-2 | 3-Major | BT698947 | BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled. | 12.1.3.6, 13.1.1.4 |
| 693884-1 | 3-Major | BT693884 | ospfd core on secondary blade during network instability | 12.1.4, 13.1.1.4 |
| 693106-1 | 3-Major | BT693106 | IKEv1 newest established phase-one SAs should be found first in a search | 12.1.3.6, 13.1.1.4 |
| 686926-2 | 3-Major | BT686926 | IPsec: responder N(cookie) in SA_INIT response handled incorrectly | 12.1.3.6, 13.1.1.4 |
| 686124-1 | 3-Major | K83576240 , BT686124 | IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs | 12.1.3.7, 13.1.1.4 |
| 680838-2 | 3-Major | BT680838 | IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator | 12.1.3.6, 13.1.1.4 |
| 678925-1 | 3-Major | BT678925 | Using a multicast VXLAN tunnel without a proper route may cause a TMM crash. | 12.1.3.6, 13.1.1.4 |
| 678380-2 | 3-Major | K26023811 , BT678380 | Deleting an IKEv1 peer in current use could SEGV on race conditions. | 12.1.3.7, 13.1.1.4 |
| 676897-3 | 3-Major | K25082113 , BT676897 | IPsec keeps failing to reconnect | 12.1.3.6, 13.1.1.4 |
| 676092-3 | 3-Major | BT676092 | IPsec keeps failing to reconnect | 12.1.3.6, 13.1.1.4 |
| 674145-1 | 3-Major | BT674145 | chmand error log message missing data | 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.4 |
| 670197-1 | 3-Major | BT670197 | IPsec: ASSERT 'BIG-IP_conn tag' failed | 13.1.1.4 |
| 652502-2 | 3-Major | BT652502 | SNMP queries return 'No Such Object available' error for LTM OIDs | 13.1.1.4, 14.1.3.1 |
| 639619-5 | 3-Major | BT639619 | UCS may fail to load due to Master key decryption failure on EEPROM-less systems ★ | 11.6.4, 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 598085-1 | 3-Major | BT598085 | Expected telemetry is not transmitted by sFlow on the standby-mode unit. | 12.1.4, 13.1.1.4 |
| 491560-2 | 3-Major | BT491560 | Using proxy for IP intelligence updates | 12.1.4, 13.1.1.4 |
| 738985-2 | 4-Minor | | BIND vulnerability: CVE-2018-5740 | 13.1.1.4, 14.0.0.3 |
| 689491 | 4-Minor | BT689491 | CPU usage reported as 'stolen' on vCMP guests with 1 core or htsplit disabled | 13.1.1.4 |
| 689211-3 | 4-Minor | BT689211 | IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 } | 12.1.3.7, 13.1.1.4 |
| 680856-2 | 4-Minor | BT680856 | IPsec config via REST scripts may require post-definition touch of both policy and traffic selector | 12.1.3.6, 13.1.1.4 |
| 713491-2 | 5-Cosmetic | BT713491 | IKEv1 logging shows SPI of deleted SA with opposite endianness | 12.1.3.6, 13.1.1.4, 14.0.0.3 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 744269-2 | 2-Critical | BT744269 | dynconfd restarts if FQDN template node deleted while IP address change in progress | 12.1.4.1, 13.1.1.4, 14.0.0.5 |
| 744117-5 | 2-Critical | K18263026 , BT744117 | The HTTP URI is not always parsed correctly | 12.1.4, 13.1.1.4, 14.0.0.5 |
| 743857 | 2-Critical | K21942600 , BT743857 | Clientssl accepts non-SSL traffic when cipher-group is configured | 13.1.1.4 |
| 742627-2 | 2-Critical | BT742627 | SSL session mirroring may cause memory leakage if HA channel is down | 13.1.1.4, 14.0.0.5 |
| 741919 | 2-Critical | BT741919 | HTTP response may be dropped following a 100 continue message. | 12.1.4.1, 13.1.1.4, 14.0.0.5 |
| 740963-2 | 2-Critical | BT740963 | VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart | 12.1.5, 13.1.1.4, 14.0.0.5 |
| 740490-1 | 2-Critical | BT740490 | Configuration changes involving HTTP2 or SPDY may leak memory | 12.1.4, 13.1.1.4, 14.0.0.5 |
| 739003-1 | 2-Critical | BT739003 | TMM may crash when FastL4 is used on ePVA-capable BIG-IP platforms | 13.1.1.4 |
| 738945-2 | 2-Critical | BT738945 | SSL persistence does not work when there are multiple handshakes present in a single record | 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 738046-2 | 2-Critical | BT738046 | SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby | 12.1.5, 13.1.1.4 |
| 737758-2 | 2-Critical | BT737758 | MPTCP Passthrough and VIP-on-VIP can lead to TMM core | 12.1.4, 13.1.1.4, 14.0.0.3 |
| 734276-2 | 2-Critical | BT734276 | TMM may leak memory when SSL certificates with VDI or EAM in use | 13.1.1.4 |
| 727206 | 2-Critical | BT727206 | Memory corruption when using SSL Forward Proxy on certain platforms | 12.1.4.1, 13.1.1.4, 14.0.0.5 |
| 720136-1 | 2-Critical | BT720136 | Upgrade may fail on mcpd when external netHSM is used | 13.1.1.4 |
| 718210-2 | 2-Critical | BT718210 | Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused | 12.1.4.1, 13.1.1.4, 14.0.0.5 |
| 716714-1 | 2-Critical | BT716714 | OCSP should be configured to avoid TMM crash. | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 702792-1 | 2-Critical | K82327396 , BT702792 | Upgrade creates Server SSL profiles with invalid cipher strings ★ | 13.1.1.4, 14.0.0 |
| 685254-2 | 2-Critical | K14013100 , BT685254 | RAM Cache Exceeding Watchdog Timeout in Header Field Search | 12.1.3.4, 13.1.1.4 |
| 513310-5 | 2-Critical | BT513310 | TMM might core when a profile is changed. | 11.5.9, 11.6.4, 12.1.3.7, 13.1.1.4, 14.0.0.5 |
| 849861 | 3-Major | BT849861 | TMM may crash with FastL4 and HTTP profile using fallback host and iRule command | 13.1.1.4 |
| 752078 | 3-Major | BT752078 | Header Field Value String Corruption | 13.1.1.4, 14.1.0.6 |
| 739963-2 | 3-Major | BT739963 | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup | 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 739379-2 | 3-Major | BT739379 | Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error | 13.1.1.4, 14.0.0.5 |
| 739349-1 | 3-Major | BT739349 | LRO segments might be erroneously VLAN-tagged. | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 738521-1 | 3-Major | BT738521 | i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag. | 12.1.4, 13.1.1.4, 14.0.0.5 |
| 726319-2 | 3-Major | BT726319 | 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses | 13.1.1.4, 14.0.0.3 |
| 724564-1 | 3-Major | BT724564 | A FastL4 connection can fail with loose-init and hash persistence enabled | 13.1.1.4 |
| 724327-1 | 3-Major | BT724327 | Changes to a cipher rule do not immediately have an effect | 13.1.1.4, 14.1.0.2 |
| 721621-1 | 3-Major | BT721621 | Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node | 12.1.4.1, 13.1.1.4, 14.0.0.3 |
| 720799-2 | 3-Major | BT720799 | Virtual Server/VIP flaps with FQDN pool members when all IP addresses change | 12.1.4.1, 13.1.1.4, 14.0.0.3 |
| 717896-2 | 3-Major | BT717896 | Monitor instances deleted in peer unit after sync | 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 717100-3 | 3-Major | BT717100 | FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member | 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 716716-2 | 3-Major | BT716716 | Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core | 12.1.4.1, 13.1.1.4, 14.0.0.3 |
| 714559-2 | 3-Major | BT714559 | Removal of HTTP hash persistence cookie when a pool member goes down. | 12.1.4, 13.1.1.4 |
| 713690-3 | 3-Major | BT713690 | IPv6 cache route metrics are locked | 12.1.3.7, 13.1.1.4, 14.0.0.5 |
| 711981-5 | 3-Major | BT711981 | BIG-IP system accepts larger-than-egress MTU, PMTU update | 11.6.5.3, 12.1.3.7, 13.1.1.4, 14.0.0.5 |
| 710028-2 | 3-Major | BT710028 | LTM SQL monitors may stop monitoring if multiple monitors querying same database | 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.4, 14.0.0.5 |
| 708068-2 | 3-Major | BT708068 | Tcl commands like "HTTP::path -normalize" do not return normalized path. | 12.1.4, 13.1.1.4, 14.0.0.5 |
| 707691-4 | 3-Major | BT707691 | BIG-IP handles some pathmtu messages incorrectly | 13.1.1.4, 14.0.0.5 |
| 706102-2 | 3-Major | BT706102 | SMTP monitor does not handle all multi-line banner use cases | 12.1.4, 13.1.1.4, 14.0.0.5 |
| 701678-2 | 3-Major | BT701678 | Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded | 12.1.4, 13.1.1.4, 14.0.0 |
| 685519-1 | 3-Major | BT685519 | Mirrored connections ignore the handshake timeout | 11.6.4, 12.1.4.1, 13.1.1.4 |
| 683697-1 | 3-Major | K00647240 , BT683697 | SASP monitor may use the same UID for multiple HA device group members | 12.1.3.4, 13.1.1.4 |
| 674591-3 | 3-Major | K37975308 , BT674591 | Packets with payload smaller than MSS are being marked to be TSOed | 11.6.5.2, 12.1.4, 13.1.1.4 |
| 504522-1 | 3-Major | BT504522 | Trailing space present after 'tmsh ltm pool members monitor' attribute value | 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.6 |
| 719247-2 | 4-Minor | K10845686 , BT719247 | HTTP::path and HTTP::query iRule functions cannot be set to a blank string | 13.1.1.4, 14.0.0.5 |
| 618884-6 | 4-Minor | BT618884 | Behavior when using VLAN-Group and STP | 12.1.4, 13.1.1.4 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 739846-3 | 2-Critical | BT739846 | Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.4, 14.0.0.3 |
| 749774-3 | 3-Major | BT749774 | EDNS0 client subnet behavior inconsistent when DNS Caching is enabled | 11.5.8, 11.6.3.4, 12.1.4, 13.1.1.4, 14.0.0.4, 14.1.0.1 |
| 749675-3 | 3-Major | BT749675 | DNS cache resolver may return a malformed truncated response with multiple OPT records | 11.5.8, 11.6.3.4, 12.1.4, 13.1.1.4, 14.0.0.4, 14.1.0.1 |
| 744707-4 | 3-Major | BT744707 | Crash related to DNSSEC key rollover | 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.6 |
| 726255-2 | 3-Major | BT726255 | dns_path lingering in memory with last_access 0 causing high memory usage | 11.5.9, 11.6.5.1, 12.1.3.7, 13.1.1.4, 14.0.0.3 |
| 723288-2 | 3-Major | BT723288 | DNS cache replication between TMMs does not always work for net dns-resolver | 11.6.5.3, 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.6 |
| 710246-2 | 3-Major | BT710246 | DNS-Express was not sending out NOTIFY messages on VE | 12.1.3.7, 13.1.1.4, 14.0.0.3 |
| 702457-2 | 3-Major | BT702457 | DNS Cache connections remain open indefinitely | 12.1.5.3, 13.1.1.4, 14.0.0.5 |
| 717113-2 | 4-Minor | BT717113 | It is possible to add the same GSLB Pool monitor multiple times | 13.1.1.4 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 750922-3 | 2-Critical | BT750922 | BD crash when content profile used for login page has no parse parameters set | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 726537-1 | 2-Critical | BT726537 | Rare TMM crash when Single Page Application is enabled on DoSL7 | 13.1.1.4, 14.0.0 |
| 576123-4 | 2-Critical | K23221623 , BT576123 | ASM policies are created as inactive policies on the peer device | 11.5.9, 11.6.3.2, 12.1.3.2, 13.1.1.4 |
| 750356-3 | 3-Major | BT750356 | Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 747777-1 | 3-Major | BT747777 | Extractions are learned in manual learning mode | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 747550-1 | 3-Major | BT747550 | Error 'This Logout URL already exists!' when updating logout page via GUI | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 745802-3 | 3-Major | BT745802 | Brute Force CAPTCHA response page truncates last digit in the support id | 13.1.1.4, 14.0.0.5, 14.1.2.1 |
| 744347-2 | 3-Major | BT744347 | Protocol Security logging profiles cause slow ASM upgrade and apply policy | 12.1.4, 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 743961-3 | 3-Major | BT743961 | Signature Overrides for Content Profiles do not work after signature update | 13.1.1.4, 14.0.0.5 |
| 738864-1 | 3-Major | BT738864 | JavaScript functions in href attributes are learned from responses as new URLs | 13.1.1.4, 14.0.0.5 |
| 738211-3 | 3-Major | BT738211 | pabnagd core when centralized learning is turned on | 13.1.1.4, 14.0.0.5 |
| 734228-1 | 3-Major | BT734228 | False-positive illegal-length violation can appear | 13.1.1.4, 14.0.1.1, 14.1.2.3 |
| 726377-1 | 3-Major | BT726377 | False-positive cookie hijacking violation | 13.1.1.4 |
| 721752-2 | 3-Major | BT721752 | Null char returned in REST for Suggestion with more than MAX_INT occurrences | 12.1.3.7, 13.1.1.4, 14.0.0.5 |
| 705925-1 | 3-Major | BT705925 | Websocket Message Type not displayed in Request Log | 13.1.1.4, 14.0.0 |
| 701792-2 | 3-Major | BT701792 | JS Injection into cached HTML response causes TCP RST on the fictive URLs | 13.1.1.4 |
| 696333-1 | 3-Major | BT696333 | Threat campaign filter does not return campaign if filter contains quotation marks | 13.1.1.4 |
| 690215-2 | 3-Major | BT690215 | Missing requests in request log | 12.1.4.1, 13.1.1.4 |
| 676416-4 | 3-Major | BT676416 | BD restart when switching FTP profiles | 11.6.3.2, 12.1.3.2, 13.1.1.4 |
| 676223-4 | 3-Major | BT676223 | Internal parameter added so that allowed cookies are not signed | 12.1.3.7, 13.1.1.4 |
| 663535-2 | 3-Major | BT663535 | Sending ASM cookies with "secure" attribute even without client-ssl profile | 12.1.3.2, 13.1.1.4 |
| 605649-2 | 3-Major | K28782793 , BT605649 | The cbrd daemon runs at 100% CPU utilization | 12.1.5, 13.1.1.4 |
| 748999-1 | 4-Minor | BT748999 | invalid inactivity timeout suggestion for cookies | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 747905-1 | 4-Minor | BT747905 | 'Illegal Query String Length' violation displays wrong length | 13.1.1.4, 14.0.1.1 |
| 745531-1 | 4-Minor | BT745531 | Puffin Browser gets blocked by Bot Defense | 13.1.1.4, 14.1.0.2 |
| 739345 | 4-Minor | BT739345 | Reporting invalid signature id after specific signature upgrade | 13.1.1.4 |
| 685743-5 | 4-Minor | BT685743 | When the internal parameter 'request_buffer_size' is changed, violations in large requests might not be reported | 12.1.3.2, 13.1.1.4 |
| 665470-3 | 4-Minor | BT665470 | Failed to load sample requests on the Traffic Learning page when a VIOL_MALICIOUS_IP violation is raised | 12.1.3.6, 13.1.1.4 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 746941 | 2-Critical | BT746941 | Memory leak in avrd when BIG-IQ fails to receive stats information | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 739446-2 | 2-Critical | BT739446 | Resetting SSL-socket correctly for AVR connection | 13.1.1.4 |
| 737813-1 | 2-Critical | BT737813 | BIG-IP is unable to send statistics to BIG-IQ DCD node using IPv6 address | 13.1.1.4, 14.0.0.5 |
| 749464 | 3-Major | BT749464 | Race condition while BIG-IQ updates common file | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 749461 | 3-Major | BT749461 | Race condition while modifying analytics global-settings | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 746823 | 3-Major | BT746823 | AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members | 13.1.1.4, 14.0.0.5 |
| 745027 | 3-Major | BT745027 | AVR performs DNS data collection even when it should not | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 744595-1 | 3-Major | BT744595 | DoS-related reports might not contain some of the activity that took place | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 744589-1 | 3-Major | BT744589 | Missing data for Firewall Events Statistics | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 741767-2 | 3-Major | BT741767 | ASM Resource :: CPU Utilization statistics are in wrong scale | 13.1.1.4, 14.0.1.1 |
| 740086 | 3-Major | BT740086 | AVR reports ignore partitions for Admin users | 13.1.1.4, 14.0.0.5 |
| 716782-2 | 3-Major | BT716782 | AVR should add new field to the events it sends: Microtimestamp | 13.1.1.4, 14.0.0 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 753368 | 1-Blocking | BT753368 | Unable to import access policy with pool | 13.1.1.4 |
| 747621-2 | 2-Critical | BT747621 | Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used | 13.1.1.4, 14.0.0.5 |
| 744556-1 | 2-Critical | K01226413 , BT744556 | Upgrade PingAccess SDK used by BIG-IP APM to v1.1.3 | 13.1.1.4 |
| 714716-2 | 2-Critical | K10248311 , BT714716 | Apmd logs password for acp messages when in debug mode | 11.6.3.2, 12.1.4.1, 13.1.1.4, 14.0.0 |
| 754346-1 | 3-Major | BT754346 | Access policy was not found while creating configuration snapshot. | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 750496-1 | 3-Major | BT750496 | TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP | 13.1.1.4, 14.0.0.5 |
| 746771-1 | 3-Major | BT746771 | APMD recreates config snapshots for all access profiles every minute | 13.1.1.4, 14.1.0.2 |
| 746768-1 | 3-Major | BT746768 | APMD leaks memory if access policy contains variable/resource assign policy items | 12.1.4.1, 13.1.1.4, 14.1.2.1 |
| 745654-2 | 3-Major | BT745654 | Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server | 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 745574-3 | 3-Major | BT745574 | URL is not removed from custom category when deleted | 12.1.4, 13.1.1.4, 14.0.0.5, 14.1.0.6 |
| 743437-1 | 3-Major | BT743437 | Portal Access: Issue with long 'data:' URL | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 743150-1 | 3-Major | BT743150 | Increase the limit of the maximum allowed timestamp for OAuth token processing for OAuth Client | 13.1.1.4 |
| 739744-1 | 3-Major | BT739744 | Import of Policy using Pool with members is failing | 12.1.4, 13.1.1.4 |
| 719079-1 | 3-Major | BT719079 | Portal Access: same-origin AJAX request may fail under some conditions. | 13.1.1.4 |
| 718136-2 | 3-Major | BT718136 | 32-bit F5 VPN and Endpoint Inspector apps are discontinued on Linux | 13.1.1.4, 14.0.0 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 742829-3 | 3-Major | BT742829 | SIP ALG: Do not translate and create media channels if the RTP port defined in the SIP message is 0 | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 741951-2 | 3-Major | BT741951 | Multiple extensions in SIP NOTIFY request cause message to be dropped. | 11.6.5.2, 12.1.5.2, 13.1.1.4, 14.0.0.5 |
| 699431-3 | 3-Major | BT699431 | Possible memory leak in MRF under low memory | 12.1.3.2, 13.1.1.4 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 747104-3 | 1-Blocking | K52868493 , BT747104 | LibSSH: CVE-2018-10933 | 12.1.4.1, 13.1.1.4, 14.1.0.2 |
| 753028-1 | 3-Major | BT753028 | AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule | 13.1.1.4, 14.1.0.6 |
| 747926 | 3-Major | BT747926 | Rare TMM restart due to NULL pointer access during AFM ACL logging | 13.1.1.4, 14.1.0.2 |
Carrier-Grade NAT Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 744516-1 | 2-Critical | BT744516 | TMM panics after a large number of LSN remote picks | 12.1.4, 13.1.1.4, 14.1.0.6 |
| 744959-1 | 3-Major | BT744959 | SNMP OID for sysLsnPoolStatTotal not incremented in stats | 12.1.4.1, 13.1.1.4 |
| 727212-1 | 3-Major | BT727212 | Subscriber-id query using full length IPv6 address fails. | 13.1.1.4, 14.0.0.5 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 748976 | 3-Major | BT748976 | DataSafe Logging Settings page is missing when DataSafe license is active | 13.1.1.4 |
| 742037-3 | 3-Major | BT742037 | FPS live updates do not install when minor version is different | 13.1.1.4, 14.0.0.5 |
| 741449-1 | 4-Minor | BT741449 | alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 726039 | 5-Cosmetic | BT726039 | Information is not updated after installing FPS live update via GUI | 13.1.1.4 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 748813-1 | 2-Critical | BT748813 | tmm cores under stress test on virtual server with DoS profile with admd enabled | 13.1.1.4, 14.0.0.5, 14.1.2.3 |
| 748121-1 | 2-Critical | BT748121 | admd livelock under CPU starvation | 13.1.1.4, 14.0.0.5, 14.1.0.6 |
| 741761-1 | 2-Critical | BT741761 | admd might fail the heartbeat, resulting in a core | 13.1.1.4, 14.0.0.5 |
| 704236-1 | 2-Critical | BT704236 | TMM crash when attaching FastL4 profile | 13.1.1.4, 14.0.0 |
| 702936-1 | 2-Critical | BT702936 | TMM SIGSEGV under specific conditions. | 13.1.1.4 |
| 653573-4 | 2-Critical | BT653573 | ADMd not cleaning up child rsync processes | 13.1.1.4, 14.0.0.5, 14.1.0.6, 14.1.2.3 |
| 741993-1 | 3-Major | BT741993 | The BIG-IP system does not answer requests matching an L7 policy that disables DoS L7 when BADoS is configured. | 13.1.1.4, 14.0.0.5 |
| 741752-1 | 3-Major | BT741752 | [BADOS] state file is not saved when virtual server reuses a self IP of the device | 13.1.1.4 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 724847 | 3-Major | K95010813 , BT724847 | DNS traffic does not get classified for AFM port misuse case | 13.1.1.4, 14.0.0 |
SSL Orchestrator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 740969-1 | 1-Blocking | K65151021 , BT740969 | Menu visibility issue with newly activated license. ★ | 12.1.4.1, 13.1.1.4 |
| 706339-1 | 2-Critical | K30392060 , BT706339 | TMM crashes due to memory leaking while processing SSL forward proxy traffic | 13.1.1.4, 14.0.0 |
Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 745783-3 | 3-Major | BT745783 | Anti-fraud: remote logging of login attempts | 13.1.1.3, 14.1.0.3 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 684370-1 | 3-Major | BT684370 | APM now supports VMware Workspace ONE integration with vIDM as ID Provider | 13.1.1.3, 14.0.0 |
| 683741-1 | 3-Major | BT683741 | APM now supports VMware Workspace ONE integration with vIDM as ID Provider | 13.1.1.3, 14.0.0 |
| 635509-1 | 3-Major | BT635509 | APM does not support VMware's Blast UDP | 13.1.1.3 |
Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 739947-1 | CVE-2019-6610 | K42465020 , BT739947 | TMM may crash while processing APM traffic | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.2, 14.0.0.5 |
| 737443-5 | CVE-2018-5546 | K54431371 , BT737443 | BIG-IP APM client for Linux and macOS vulnerability CVE-2018-5546 | 13.1.1.2, 14.0.0.5 |
| 737441-5 | CVE-2018-5546 | K54431371 , BT737441 | Disallow hard links to svpn log files | 11.5.9, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.5 |
| 726089-2 | CVE-2018-15312 | K44462254 , BT726089 | Modifications to AVR metrics page | 12.1.3.7, 13.1.1.2, 14.0.0 |
| 725815-1 | CVE-2018-15320 | K72442354 , BT725815 | vlangroup usage may cause excessive resource consumption | 13.1.1.2, 14.0.0.3 |
| 724339-1 | CVE-2018-15314 | K04524282 , BT724339 | Unexpected TMUI output in AFM | 12.1.3.7, 13.1.1.2, 14.0.0 |
| 724335-1 | CVE-2018-15313 | K21042153 , BT724335 | Unexpected TMUI output in AFM | 12.1.3.7, 13.1.1.2, 14.0.0 |
| 722677-4 | CVE-2019-6604 | K26455071 , BT722677 | BIG-IP HSB vulnerability CVE-2019-6604 | 11.5.9, 11.6.4, 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 722387-3 | CVE-2019-6596 | K97241515 , BT722387 | TMM may crash when processing APM DTLS traffic | 11.5.9, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 722091-3 | CVE-2018-15319 | K64208870 , BT722091 | TMM may crash while processing HTTP traffic | 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 717888 | CVE-2018-15323 | K26583415 , BT717888 | TMM may leak memory when a virtual server uses the MQTT profile. | 13.1.1.2, 14.0.0.3 |
| 717742-5 | CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 | K44923228 , BT717742 | Oracle Java SE vulnerability CVE-2018-2783 | 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 707990-2 | CVE-2018-15315 | K41704442 , BT707990 | Unexpected TMUI output in SSL Certificate Instance page | 12.1.3.7, 13.1.1.2, 14.0.0 |
| 704184-6 | CVE-2018-5529 | K52171282 , BT704184 | APM Mac client creates files with owner-only read/write permissions | 11.5.9, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.5 |
| 701253-5 | CVE-2018-15318 | K16248201 , BT701253 | TMM core when using MPTCP | 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 693810-6 | CVE-2018-5529 | K52171282 , BT693810 | CVE-2018-5529: APM Linux Client Vulnerability | 11.5.9, 11.6.3.3, 13.1.1.2, 14.0.0.5 |
| 741858-1 | CVE-2018-15324 | K52206731 , BT741858 | TMM may crash while processing Portal Access requests | 13.1.1.2, 14.0.0.5 |
| 734822-3 | CVE-2018-15325 | K77313277 , BT734822 | TMSH improvements | 13.1.1.2, 14.0.0.3 |
| 725801-4 | CVE-2017-7889 | K80440915 , BT725801 | CVE-2017-7889: Kernel Vulnerability | 13.1.1.2, 14.0.0.3 |
| 725635-2 | CVE-2018-3665 | K21344224 , BT725635 | CVE-2018-3665: Intel Lazy FPU Vulnerability | 13.1.1.2, 14.0.0.3 |
| 724680-4 | CVE-2018-0732 | K21665601 , BT724680 | OpenSSL Vulnerability: CVE-2018-0732 | 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.2, 14.0.1.1, 14.1.0.2 |
| 721924-2 | CVE-2018-17539 | K17264695 , BT721924 | BIG-IP ARM BGP vulnerability CVE-2018-17539 | 11.5.9, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 719554-2 | CVE-2018-8897 | K17403481 , BT719554 | Linux Kernel Vulnerability: CVE-2018-8897 | 11.5.9, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 716900-2 | CVE-2019-6594 | K91026261 , BT716900 | TMM core when using MPTCP | 11.6.3.3, 12.1.4, 13.1.1.2, 14.0.0.3 |
| 710705-2 | CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 | K34035645 , BT710705 | Multiple Wireshark vulnerabilities | 12.1.3.6, 13.1.1.2, 14.0.0.3 |
| 705799-2 | CVE-2018-15325 | K77313277 , BT705799 | TMSH improvements | 13.1.1.2, 14.0.0 |
| 699453-4 | CVE-2018-15327 | K20222812 , BT699453 | Web UI does not follow current best coding practices | 13.1.1.2, 14.0.0.3 |
| 699452-4 | CVE-2019-6597 | K29280193 | Web UI does not follow current best coding practices | 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.2 |
| 712876-2 | CVE-2017-8824 | K15526101 , BT712876 | CVE-2017-8824: Kernel Vulnerability | 11.6.5.1, 12.1.5.1, 13.1.1.2, 14.0.1.1 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 734527-1 | 3-Major | BT734527 | BGP 'capability graceful-restart' for peer-group not properly advertised when configured | 11.6.5.1, 12.1.4, 13.1.1.2, 14.0.0.3 |
| 715750-2 | 3-Major | K41515225 , BT715750 | The BIG-IP system may exhibit undesirable behaviors when receiving a FIN mid-stream in an SSL connection. | 11.6.5.1, 12.1.3.7, 13.1.1.2, 14.0.0.3 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 693611-3 | 1-Blocking | K76313256 , BT693611 | IKEv2 ike-peer might crash on stats object during peer modification update | 13.1.1.2 |
| 743810-1 | 2-Critical | BT743810 | AWS: Disk resizing in m5/c5 instances fails silently. | 13.1.1.2 |
| 743082-1 | 2-Critical | BT743082 | Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members ★ | 12.1.5.2, 13.1.1.2, 14.0.0.3 |
| 739507 | 2-Critical | BT739507 | Improved recovery method for BIG-IP system that has halted from a failed FIPS integrity check | 13.1.1.2, 14.1.4, 15.1.0.5 |
| 739505 | 2-Critical | BT739505 | Automatic ISO digital signature checking not required when FIPS license active ★ | 13.1.1.2, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 739285-1 | 2-Critical | BT739285 | GUI partially missing when VCMP is provisioned | 13.1.1.2 |
| 725696-1 | 2-Critical | BT725696 | A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted | 13.1.1.2, 14.0.0.3 |
| 723722-2 | 2-Critical | BT723722 | MCPD crashes if several thousand files are created between config syncs. | 12.1.4, 13.1.1.2, 14.0.0.3 |
| 721350-2 | 2-Critical | BT721350 | The size of the icrd_child process is steadily growing | 13.1.1.2 |
| 717785-1 | 2-Critical | BT717785 | Interface-cos shows no egress stats for CoS configurations | 13.1.1.2 |
| 716391-2 | 2-Critical | K76031538 , BT716391 | High priority for MySQL on 2 core vCMP may lead to control plane process starvation | 11.5.9, 11.6.4, 12.1.3.7, 13.1.1.2, 14.0.0.5 |
| 711683-2 | 2-Critical | BT711683 | bcm56xxd crash with empty trunk in QinQ VLAN | 13.1.1.2 |
| 707003-3 | 2-Critical | BT707003 | Unexpected syntax error in TMSH AVR | 12.1.3.6, 13.1.1.2, 14.0.0 |
| 706423-1 | 2-Critical | BT706423 | tmm may restart if an IKEv2 child SA expires during an async encryption or decryption | 12.1.3.6, 13.1.1.2, 14.0.0.3 |
| 703669-2 | 2-Critical | BT703669 | Eventd restarts on NULL pointer access | 13.1.1.2, 14.0.0.3 |
| 703045-1 | 2-Critical | BT703045 | If using TMSH commands with deprecated attributes in iApp, the upgrade will fail. | 13.1.1.2, 14.0.0.3 |
| 700386-2 | 2-Critical | BT700386 | mcpd may dump core on startup | 12.1.4, 13.1.1.2 |
| 693996-5 | 2-Critical | K42285625 , BT693996 | MCPD sync errors and restart after multiple modifications to file object in chassis | 11.5.9, 11.6.5.1, 12.1.5, 13.1.1.2 |
| 692158-1 | 2-Critical | BT692158 | iCall and CLI script memory leak when saving configuration | 12.1.3.6, 13.1.1.2, 14.0.0 |
| 691589-4 | 2-Critical | BT691589 | When using LDAP client auth, tamd may become stuck | 12.1.4, 13.1.1.2 |
| 690819-1 | 2-Critical | BT690819 | Using an iRule module after a 'session lookup' may result in crash | 11.6.3.3, 12.1.3.6, 13.1.1.2 |
| 689437-1 | 2-Critical | K49554067 , BT689437 | icrd_child cores due to infinite recursion caused by incorrect group name handling | 11.5.9, 11.6.4, 12.1.4, 13.1.1.2 |
| 689002-3 | 2-Critical | BT689002 | Stackoverflow when JSON is deeply nested | 12.1.4, 13.1.1.2 |
| 658410-2 | 2-Critical | BT658410 | icrd_child generates a core when calling PUT on ltm/data-group/internal/ | 13.1.1.2 |
| 652877-5 | 2-Critical | BT652877 | Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades | 11.5.9, 11.6.4, 12.1.4, 13.1.1.2 |
| 638091-6 | 2-Critical | BT638091 | Config sync after changing named pool members can cause mcpd on secondary blades to restart | 12.1.4, 13.1.1.2 |
| 739126 | 3-Major | BT739126 | Multiple VE installations may have different sized volumes | 13.1.1.2 |
| 733585-3 | 3-Major | BT733585 | Merged can use 100% of CPU if all stats snapshot files are in the future | 13.1.1.2 |
| 727467-1 | 3-Major | BT727467 | Some iSeries appliances can experience traffic disruption when the high availability (HA) peer is upgraded from 12.1.3 and earlier to 13.1.0 or later. | 13.1.1.2, 14.0.0.5 |
| 726409-4 | 3-Major | | Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.2, 14.0.0.3 |
| 722682-2 | 3-Major | BT722682 | Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load ★ | 12.1.4.1, 13.1.1.2, 14.0.0.3 |
| 721740-2 | 3-Major | BT721740 | CPU stats are not correctly recorded when snapshot files have timestamps in the future | 13.1.1.2 |
| 720713-2 | 3-Major | BT720713 | TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail | 12.1.4, 13.1.1.2, 14.0.0.3 |
| 720461-2 | 3-Major | BT720461 | qkview prompts for password on chassis | 12.1.4, 13.1.1.2 |
| 718525-1 | 3-Major | BT718525 | PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting | 13.1.1.2, 14.0.0.3 |
| 714974-2 | 3-Major | BT714974 | Platform-migrate of UCS containing QinQ fails on VE ★ | 13.1.1.2 |
| 714903-2 | 3-Major | BT714903 | Errors in chmand | 12.1.4.1, 13.1.1.2, 14.0.0.5 |
| 714654-2 | 3-Major | BT714654 | Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM | 12.1.4.1, 13.1.1.2 |
| 713813-2 | 3-Major | BT713813 | Node monitor instances not showing up in GUI | 13.1.1.2 |
| 712102-2 | 3-Major | K11430165 , BT712102 | Customizing or changing the HTTP Profile's IPv6 field hides the field or the row | 13.1.1.2 |
| 710232-2 | 3-Major | BT710232 | platform-migrate fails when LACP trunks are in use | 13.1.1.2, 14.0.0.3 |
| 709444-2 | 3-Major | BT709444 | "NTP not configured on device" warning seen when NTP symmetric key authentication is configured | 13.1.1.2 |
| 709192-1 | 3-Major | BT709192 | GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart | 13.1.1.2, 14.0.0.3 |
| 707740-4 | 3-Major | BT707740 | Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.2, 14.0.0.5 |
| 707509-1 | 3-Major | BT707509 | Initial vCMP guest creations can fail if certain hotfixes are used | 12.1.5, 13.1.1.2 |
| 707391-2 | 3-Major | BT707391 | BGP may keep announcing routes after disabling route health injection | 12.1.4, 13.1.1.2, 14.0.0.3 |
| 706804-1 | 3-Major | BT706804 | SNMP trap destination configuration of network option is missing "default" keyword | 13.1.1.2 |
| 706354-2 | 3-Major | BT706354 | OPT-0045 optic unable to link | 12.1.4, 13.1.1.2, 14.0.0 |
| 706169-3 | 3-Major | BT706169 | tmsh memory leak | 13.1.1.2, 14.0.0.3 |
| 705456-1 | 3-Major | BT705456 | Enabling HTTP-to-HTTPS redirection in a vCMP guest can prevent some Host-Guest Management features from working | 13.1.1.2, 14.0.0 |
| 704755-1 | 3-Major | BT704755 | EUD_M package could not be installed on 800 platforms | 13.1.1.2, 14.0.0.3 |
| 704512-1 | 3-Major | BT704512 | Automated upload of qkview to iHealth can time out resulting in error | 13.1.1.2, 14.0.0 |
| 704336-1 | 3-Major | BT704336 | Updating 3rd party device cert not copied correctly to trusted certificate store | 12.1.3.6, 13.1.1.2 |
| 702227-3 | 3-Major | BT702227 | Memory leak in TMSH load sys config | 13.1.1.2, 14.0.0.3 |
| 700757-1 | 3-Major | BT700757 | vcmpd may crash when it is exiting | 11.6.4, 12.1.4, 13.1.1.2 |
| 700576-1 | 3-Major | BT700576 | GUI - Server SSL Profile shows irrelevant options when "Server Certificate" is set to "Ignore" | 13.1.1.2, 14.0.0 |
| 700426 | 3-Major | K58033284 , BT700426 | Switching partitions while viewing objects in GUI can result in empty list | 13.1.1.2 |
| 700250-3 | 3-Major | K59327012 , BT700250 | qkviews for secondary blade appear to be corrupt | 13.1.1.2 |
| 698875-1 | 3-Major | | Qkview Security Hardening | 13.1.1.2 |
| 698084-3 | 3-Major | K03776801 , BT698084 | IPsec log messages in /var/log/ltm missing module ID to reach bigiq logs | 13.1.1.2 |
| 696731-3 | 3-Major | K94062594 , BT696731 | The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled | 13.1.1.2 |
| 693578-2 | 3-Major | BT693578 | switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0 | 13.1.1.2 |
| 692189-1 | 3-Major | BT692189 | errdefsd fails to generate a core file on request. | 12.1.4, 13.1.1.2 |
| 692179-1 | 3-Major | BT692179 | Potential high memory usage from errdefsd. | 12.1.3.6, 13.1.1.2 |
| 691609-1 | 3-Major | BT691609 | 1NIC: Configuration error: Clearing IP on interface mgmt failed - Cannot assign requested address ★ | 13.1.1.2 |
| 690890-1 | 3-Major | BT690890 | Running sod manually can cause issues/failover | 13.1.1.2 |
| 689375-1 | 3-Major | K01512833 , BT689375 | Unable to configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled | 13.1.1.2 |
| 688406-1 | 3-Major | K14513346 , BT688406 | HA-Group Score showing 0 | 13.1.1.2 |
| 687905-2 | 3-Major | K72040312 , BT687905 | OneConnect profile causes CMP redirected connections on the HA standby | 12.1.3.6, 13.1.1.2 |
| 687534-1 | 3-Major | BT687534 | If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page | 12.1.3.6, 13.1.1.2 |
| 684391-3 | 3-Major | BT684391 | Existing IPsec tunnels reload. tmipsecd creates a core file. | 12.1.3.6, 13.1.1.2 |
| 684218-1 | 3-Major | BT684218 | vADC 'live-install' Downgrade from v13.1.0 is not possible | 13.1.1.2 |
| 681782-6 | 3-Major | BT681782 | Unicast IP address can be configured in a failover multicast configuration | 13.1.1.2 |
| 679347-2 | 3-Major | K44117473 , BT679347 | ECP does not work for PFS in IKEv2 child SAs | 12.1.3.6, 13.1.1.2, 14.0.0 |
| 678488-1 | 3-Major | K59332320 , BT678488 | BGP default-originate not announced to peers if several are peering over different VLANs | 12.1.4.1, 13.1.1.2 |
| 677485-1 | 3-Major | BT677485 | Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error | 13.1.1.2 |
| 671712-2 | 3-Major | BT671712 | The values returned for the ltmUserStatProfileStat table are incorrect. | 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 670528-4 | 3-Major | K20251354 , BT670528 | Warnings during vCMP host upgrade. | 11.6.5.2, 12.1.3.7, 13.1.1.2 |
| 651413-4 | 3-Major | K34042229 , BT651413 | tmsh list ltm node does not return an error when node does not exist | 12.1.3.4, 13.1.1.2 |
| 642923-6 | 3-Major | BT642923 | MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system | 12.1.4, 13.1.1.2 |
| 617643-2 | 3-Major | BT617643 | iControl.ForceSessions enabled results in GUI error on certain pages | 13.1.1.2 |
| 551925-4 | 3-Major | BT551925 | Misdirected UDP traffic with hardware acceleration | 11.6.4, 12.1.3.7, 13.1.1.2 |
| 464650-6 | 3-Major | BT464650 | Failure of mcpd with invalid authentication context. | 11.5.7, 11.6.3.3, 12.1.3.7, 13.1.1.2 |
| 727297-3 | 4-Minor | BT727297 | GUI TACACS+ remote server list should accept hostname | 13.1.1.2 |
| 725612-1 | 4-Minor | BT725612 | syslog-ng does not send any messages to the remote servers after reconfiguration | 13.1.1.2, 14.0.0.3 |
| 719770-2 | 4-Minor | BT719770 | tmctl -H -V and -l options without values crashed | 13.1.1.2, 14.0.0.5 |
| 714749-2 | 4-Minor | | cURL Vulnerability: CVE-2018-1000120 | 13.1.1.2, 14.0.0.3 |
| 713947-1 | 4-Minor | BT713947 | stpd repeatedly logs "hal sendMessage failed" | 13.1.1.2 |
| 713932-1 | 4-Minor | BT713932 | Commands are replicated to PostgreSQL even when not in use. | 13.1.1.2, 14.0.0.3 |
| 707631-2 | 4-Minor | BT707631 | The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI | 13.1.1.2 |
| 707267 | 4-Minor | BT707267 | REST Framework HTTP header limit size increased to 8 KB | 13.1.1.2, 14.0.0.3 |
| 701826 | 4-Minor | BT701826 | qkview upload to ihealth fails or unable to untar qkview file | 13.1.1.2 |
| 691491-5 | 4-Minor | K13841403 , BT691491 | 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces | 13.1.1.2 |
| 685582-7 | 4-Minor | BT685582 | Incorrect output of b64 unit key hash by command f5mku -f | 12.1.5.3, 13.1.1.2 |
| 683029-1 | 4-Minor | BT683029 | Sync of virtual address and self IP traffic groups only happens in one direction | 13.1.1.2 |
| 679135-2 | 4-Minor | BT679135 | IKEv1 and IKEv2 cannot share common local address in tunnels | 12.1.3.6, 13.1.1.2 |
| 678388-1 | 4-Minor | K00050055 , BT678388 | IKEv1 racoon daemon is not restarted when killed multiple times | 12.1.3.6, 13.1.1.2 |
| 550526-2 | 4-Minor | K84370515 , BT550526 | Some time zones prevent configuring trust with a peer device using the GUI. | 12.1.3.7, 13.1.1.2 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 722594-2 | 1-Blocking | BT722594 | TCP flow may not work as expected if double tagging is used | 13.1.1.2, 14.0.0 |
| 737445-2 | 2-Critical | BT737445 | Use of TCP Verified Accept can disable server-side flow control | 13.1.1.2, 14.0.0.3 |
| 727044-2 | 2-Critical | | TMM may crash while processing compressed data | 12.1.4, 13.1.1.2, 14.0.0.3 |
| 726239-4 | 2-Critical | BT726239 | interruption of traffic handling as sod daemon restarts TMM | 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.2, 14.0.0.3 |
| 725545-1 | 2-Critical | BT725545 | Ephemeral listener might not be set up correctly | 13.1.1.2, 14.0.0 |
| 724906-1 | 2-Critical | BT724906 | sasp_gwm monitor leaks memory over time | 13.1.1.2, 14.0.0.3 |
| 724868-1 | 2-Critical | BT724868 | dynconfd memory usage increases over time | 12.1.4, 13.1.1.2, 14.0.0.3 |
| 724213-1 | 2-Critical | K74431483 , BT724213 | Modified ssl_profile monitor param not synced correctly | 13.1.1.2, 14.0.0.3 |
| 722893-1 | 2-Critical | K30764018 , BT722893 | TMM can restart without a stack trace or core file after becoming disconnected from MCPD. | 13.1.1.2, 14.0.0 |
| 716213-1 | 2-Critical | BT716213 | BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic | 12.1.3.7, 13.1.1.2, 14.0.0.5 |
| 713612-1 | 2-Critical | BT713612 | tmm might restart if the HTTP passthrough on pipeline option is used | 13.1.1.2 |
| 710221-2 | 2-Critical | K67352313 , BT710221 | Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled | 13.1.1.2, 14.0.0.3 |
| 673664-1 | 2-Critical | BT673664 | TMM crashes when sys db Crypto.HwAcceleration is disabled. ★ | 13.1.1.2 |
| 635191-2 | 2-Critical | BT635191 | Under rare circumstances TMM may crash | 12.1.3.7, 13.1.1.2, 14.0.0 |
| 727222-1 | 3-Major | BT727222 | 206 Partial Content responses from ramcache have malformed Content-Range header | 13.1.1.2 |
| 723300-2 | 3-Major | BT723300 | TMM may crash when tracing iRules containing nameless listeners on internal virtual servers | 13.1.1.2, 14.0.0 |
| 722363-2 | 3-Major | BT722363 | Client fails to connect to server when using PVA offload at Established | 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 721261-1 | 3-Major | BT721261 | v12.x Policy rule names containing slashes are not migrated properly | 13.1.1.2, 14.0.0.5 |
| 720293-3 | 3-Major | BT720293 | HTTP2 IPv4 to IPv6 fails | 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 719600-2 | 3-Major | BT719600 | TCP::collect iRule with L7 policy present may result in connection reset | 13.1.1.2, 14.0.0.3 |
| 717346-2 | 3-Major | K13040347 , BT717346 | [WebSocket] tmsh show /ltm profile WebSocket current and max numbers far larger than total | 13.1.1.2, 14.0.0.3, 16.0.1.1 |
| 715883 | 3-Major | BT715883 | Tmm crash due to invalid cookie attribute | 13.1.1.2, 14.0.0.3 |
| 715785-2 | 3-Major | BT715785 | Incorrect encryption error for monitors during sync or upgrade | 13.1.1.2, 14.0.0.5 |
| 715756-2 | 3-Major | BT715756 | Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only | 13.1.1.2 |
| 715467-2 | 3-Major | BT715467 | Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY | 12.1.5, 13.1.1.2, 14.0.0.3 |
| 714384-3 | 3-Major | BT714384 | DHCP traffic may not be forwarded when BWC is configured | 13.1.1.2, 14.0.0.3 |
| 707951-2 | 3-Major | BT707951 | Stalled mirrored flows on HA next-active when OneConnect is used. | 12.1.3.6, 13.1.1.2, 14.0.0.3 |
| 704764-3 | 3-Major | BT704764 | SASP monitor marks members down with non-default route domains | 13.1.1.2, 14.0.0.3 |
| 703580-1 | 3-Major | BT703580 | TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host. | 12.1.3.6, 13.1.1.2 |
| 703266-2 | 3-Major | BT703266 | Potential MCP memory leak in LTM policy compile code | 13.1.1.2 |
| 702450-1 | 3-Major | BT702450 | The validation error message generated by deleting certain object types referenced by a policy action is incorrect | 11.6.4, 12.1.5, 13.1.1.2, 14.0.0.5 |
| 701690-1 | 3-Major | K53819652 , BT701690 | Fragmented ICMP forwarded with incorrect icmp checksum | 13.1.1.2 |
| 700696-1 | 3-Major | BT700696 | SSID does not cache fragmented Client Certificates correctly via iRule | 12.1.3.7, 13.1.1.2 |
| 699273-1 | 3-Major | BT699273 | TMM Core During FTP Monitor Use | 13.1.1.2 |
| 695925-1 | 3-Major | BT695925 | Tmm crash when showing connections for a CMP disabled virtual server | 11.6.4, 12.1.4, 13.1.1.2 |
| 691785-1 | 3-Major | BT691785 | The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes | 13.1.1.2 |
| 691224-3 | 3-Major | K59327001 , BT691224 | Fragmented SSL Client Hello messages do not get properly reassembled when SSL Persistence is enabled | 12.1.3.7, 13.1.1.2 |
| 690778-1 | 3-Major | K53531153 , BT690778 | Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule | 13.1.1.2 |
| 688629-1 | 3-Major | K52334096 , BT688629 | Deleting data-group in use by iRule does not trigger validation error | 12.1.5, 13.1.1.2 |
| 685110-1 | 3-Major | K05430133 , BT685110 | With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members. | 12.1.3.2, 13.1.1.2 |
| 681757-3 | 3-Major | K32521651 , BT681757 | Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member' | 12.1.3.6, 13.1.1.2 |
| 681673-4 | 3-Major | BT681673 | tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results | 13.1.1.2 |
| 679613-1 | 3-Major | K23531420 , BT679613 | i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1' | 13.1.1.2 |
| 672312-3 | 3-Major | BT672312 | IP ToS may not be forwarded to serverside with syncookie activated | 12.1.4, 13.1.1.2, 14.0.0.5 |
| 602708-4 | 3-Major | K84837413 , BT602708 | Traffic may not pass through CoS by default | 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 716922-2 | 4-Minor | BT716922 | Reduction in PUSH flags when Nagle Enabled | 11.5.7, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 712637-2 | 4-Minor | BT712637 | Host header persistence not implemented | 13.1.1.2, 14.0.0.3 |
| 700433-1 | 4-Minor | K10870739 , BT700433 | Memory leak when attaching an LTM policy to a virtual server | 11.6.4, 12.1.3.6, 13.1.1.2 |
| 697988-3 | 4-Minor | K34554754 , BT697988 | During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100% | 13.1.1.2 |
| 693966-1 | 4-Minor | BT693966 | TCP sndpack not reset along with other tcp profile stats | 13.1.1.2 |
| 688557-1 | 4-Minor | K50462482 , BT688557 | Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull' | 13.1.1.2 |
| 495242-4 | 4-Minor | BT495242 | mcpd log messages: Failed to unpublish LOIPC object | 11.5.6, 11.6.4, 12.1.3.6, 13.1.1.2 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 718885-3 | 2-Critical | K25348242 , BT718885 | Under certain conditions, monitor probes may not be sent at the configured interval | 12.1.3.7, 13.1.1.2, 14.0.0 |
| 723792-2 | 3-Major | BT723792 | GTM regex handling of some escape characters renders it invalid | 12.1.4, 13.1.1.2, 14.0.0.3 |
| 719644-2 | 3-Major | BT719644 | If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions ★ | 12.1.3.7, 13.1.1.2, 14.0.0.3 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 737500-2 | 2-Critical | BT737500 | Apply Policy and Upgrade time degradation when there are previous enforced rules | 13.1.1.2, 14.0.0.5 |
| 726090-1 | 2-Critical | BT726090 | No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense | 13.1.1.2, 14.0.0.5 |
| 724414-2 | 2-Critical | BT724414 | ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled | 13.1.1.2, 14.0.0.5 |
| 724032-1 | 2-Critical | BT724032 | Searching Request Log for value containing backslash does not return expected result | 13.1.1.2, 14.0.0.5 |
| 721741-3 | 2-Critical | BT721741 | BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative | 12.1.3.7, 13.1.1.2, 14.1.0.2 |
| 704143-1 | 2-Critical | BT704143 | BD memory leak | 12.1.3.6, 13.1.1.2, 14.0.0 |
| 701856-1 | 2-Critical | BT701856 | Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart | 12.1.3.7, 13.1.1.2 |
| 740719-2 | 3-Major | BT740719 | ASM CSP header parser does not honor unsafe-inline attribute within script-src directive | 13.1.1.2, 14.0.0.5 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 737867-1 | 3-Major | BT737867 | Scheduled reports are being incorrectly displayed in different partitions | 13.1.1.2, 14.0.1.1 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 739716-2 | 1-Blocking | BT739716 | APM Subroutine loops without finishing | 13.1.1.2, 14.0.0.5 |
| 740777-1 | 2-Critical | BT740777 | Secondary blades mcp daemon restart when subroutine properties are configured | 12.1.4, 13.1.1.2 |
| 739674-1 | 2-Critical | BT739674 | TMM might core in SWG scenario with per-request policy. | 13.1.1.2 |
| 722013 | 2-Critical | BT722013 | MCPD restarts on all secondary blades post config-sync involving APM customization group | 12.1.3.7, 13.1.1.2, 14.0.0.5 |
| 713820-1 | 2-Critical | BT713820 | Pass in IP address to urldb categorization engine | 13.1.1.2 |
| 739939-1 | 3-Major | BT739939 | Ping Access Agent Module leaks memory in TMM. | 13.1.1.2, 14.0.0.5 |
| 739190 | 3-Major | BT739190 | Policies could be exported with not patched /Common partition | 13.1.1.2 |
| 738582-1 | 3-Major | BT738582 | Ping Access Agent Module leaks memory in TMM. | 13.1.1.2, 14.0.0.5 |
| 738397-1 | 3-Major | BT738397 | SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails. | 12.1.3.7, 13.1.1.2, 14.0.0.5 |
| 737355-1 | 3-Major | BT737355 | HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files | 13.1.1.2 |
| 737064-2 | 3-Major | BT737064 | ACCESS::session iRule commands may not work in serverside events | 13.1.1.2 |
| 726895 | 3-Major | K02205915 , BT726895 | VPE cannot modify subroutine settings | 12.1.3.7, 13.1.1.2 |
| 726616-1 | 3-Major | BT726616 | TMM crashes when a session is terminated | 13.1.1.2, 14.0.0.5 |
| 726592-1 | 3-Major | BT726592 | Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop | 12.1.4, 13.1.1.2 |
| 725867-2 | 3-Major | BT725867 | ADFS proxy does not fetch configuration for non-floating virtual servers | 13.1.1.2, 14.0.0.5 |
| 725412-1 | 3-Major | | APM does not follow current best practices for HTTP headers | 13.1.1.2, 14.0.0 |
| 724571-1 | 3-Major | BT724571 | Importing access profile takes a long time | 13.1.1.2 |
| 722969-2 | 3-Major | BT722969 | Access Policy import with 'reuse' enabled instead rewrites shared objects | 12.1.4.1, 13.1.1.2, 14.0.0 |
| 722423-1 | 3-Major | BT722423 | Analytics agent always resets when Category Lookup is of type custom only | 13.1.1.2, 14.0.0.5 |
| 720757-1 | 3-Major | BT720757 | Without proper licenses Category Lookup always fails with license error in Allow Ending | 13.1.1.2, 14.0.0.5 |
| 713655-2 | 3-Major | BT713655 | RouteDomainSelectionAgent might fail under heavy control plane traffic/activities | 12.1.3.7, 13.1.1.2, 14.0.0.5 |
| 711427-2 | 3-Major | BT711427 | Edge Browser does not launch F5 VPN App | 13.1.1.2, 14.0.0 |
| 710884-1 | 3-Major | BT710884 | Portal Access might omit some valid cookies when rewriting HTTP request. | 13.1.1.2, 14.0.0.5 |
| 701800-2 | 3-Major | K29064506 , BT701800 | SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x | 13.1.1.2, 14.0.0.5 |
| 701056-1 | 3-Major | BT701056 | User is not able to reset their Active Directory password | 13.1.1.2 |
| 698984-1 | 3-Major | BT698984 | Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned | 13.1.1.2 |
| 696669-1 | 3-Major | BT696669 | Users cannot change or reset RSA PIN | 13.1.1.2 |
| 696544-1 | 3-Major | BT696544 | APM end users cannot change/reset password when auth agents are included in per-req policy | 13.1.1.2 |
| 671323-1 | 3-Major | BT671323 | Reset PIN Fail if Token input field is not 'password' field | 13.1.1.2 |
| 734595-2 | 4-Minor | BT734595 | sp-connector is not being deleted together with profile | 13.1.1.2 |
| 721375-1 | 4-Minor | BT721375 | Export then import of config with RSA server in it might fail | 12.1.3.7, 13.1.1.2 |
WebAccelerator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 706642-2 | 2-Critical | BT706642 | wamd may leak memory during configuration changes and cluster events | 11.5.9, 11.6.4, 12.1.4, 13.1.1.2, 14.0.0.3 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 709383-2 | 3-Major | BT709383 | DIAMETER::persist reset non-functional | 13.1.1.2 |
| 706750-1 | 3-Major | BT706750 | Changing CGNAT SIP ALG profile log settings while handling traffic may cause tmm crash. | 13.1.1.2, 14.0.0 |
| 691048-1 | 3-Major | K34553736 , BT691048 | Support DIAMETER Experimental-Result AVP response | 13.1.1.2 |
| 688942-5 | 3-Major | BT688942 | ICAP: Chunk parser performs poorly with very large chunk | 12.1.3.6, 13.1.1.2 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 724532-2 | 2-Critical | BT724532 | SIG SEGV during IP intelligence category match in TMM | 12.1.4, 13.1.1.2 |
| 720045-1 | 2-Critical | BT720045 | IP fragmented UDP DNS request and response packets dropped as DNS Malformed | 13.1.1.2, 14.0.0 |
| 710755-1 | 2-Critical | BT710755 | TMM crash when route information becomes stale and the system accesses stale information. | 12.1.4, 13.1.1.2, 14.0.0 |
| 698333-1 | 2-Critical | K43392052 , BT698333 | TMM core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families) | 13.1.1.2, 14.0.0 |
| 694849-1 | 2-Critical | BT694849 | TMM crash when packet sampling is turned on for DNS BDOS signatures. | 13.1.1.2 |
| 672514-1 | 2-Critical | BT672514 | Local Traffic/Virtual Server/Security page crashed | 13.1.1.2 |
| 630137-2 | 2-Critical | BT630137 | Dynamic Signatures feature can fill up /config partition impacting system stability | 13.1.1.2, 14.0.0 |
| 726154-2 | 3-Major | BT726154 | TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies | 12.1.5.3, 13.1.1.2 |
| 704528-2 | 3-Major | BT704528 | tmm may run out of memory during IP shunning | 13.1.1.2, 14.0.0 |
| 704369-2 | 3-Major | BT704369 | TMM on BIG-IP restarts if a dos profile is attached to a virtual with sip-routing enabled | 13.1.1.2, 14.0.0 |
| 696201-1 | 3-Major | BT696201 | Anomaly threshold floor calculation (for bins with very low learnt threshold) during signature generation | 13.1.1.2 |
| 686376-2 | 3-Major | BT686376 | Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon | 12.1.4.1, 13.1.1.2 |
| 707054-1 | 4-Minor | BT707054 | SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162 | 13.1.1.2 |
| 699454-4 | 4-Minor | | Web UI does not follow current best coding practices | 12.1.4, 13.1.1.2, 14.0.0.3 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 726647-3 | 3-Major | BT726647 | PEM content insertion in a compressed response may truncate some data | 12.1.4.1, 13.1.1.2, 14.0.0.3, 14.1.0.2 |
| 721704-1 | 3-Major | BT721704 | UDP flows are not deleted after subscriber deletion | 13.1.1.2 |
| 709670-2 | 3-Major | BT709670 | iRule triggered from RADIUS occasionally fails to create subscribers. | 12.1.5, 13.1.1.2, 14.0.0.5 |
Carrier-Grade NAT Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 721570-1 | 1-Blocking | K20285019 , BT721570 | TMM core when trying to log an unknown subscriber | 13.1.1.2, 14.0.0 |
| 734446-2 | 2-Critical | BT734446 | TMM crash after changing LSN pool mode from PBA to NAPT | 11.6.4, 12.1.4, 13.1.1.2, 14.0.0.3 |
| 688246-1 | 2-Critical | BT688246 | An invalid mode in the LSN::persistence command causes TMM crash | 13.1.1.2 |
| 708830-2 | 3-Major | BT708830 | Inbound or hairpin connections may get stuck consuming memory. | 12.1.4.1, 13.1.1.2, 14.0.0 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 738669-2 | 3-Major | BT738669 | Login validation may fail for a large request with early server response | 12.1.3.7, 13.1.1.2 |
| 737368-1 | 3-Major | BT737368 | Fingerprint cookie large value may result in tmm core. | 13.1.1.2, 14.0.1.1 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 739277 | 2-Critical | BT739277 | TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode | 13.1.1.2, 14.0.0.5 |
| 720585-1 | 3-Major | BT720585 | Signatures generated by Behavioral DOS algorithm can create false-positive signatures | 13.1.1.2, 14.0.0.5 |
| 689540-1 | 3-Major | BT689540 | The same DOS attack generates new signatures even if there are signatures generated during previous attacks. | 13.1.1.2 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 726303-1 | 3-Major | BT726303 | Unlock 10 million custom db entry limit | 12.1.3.7, 13.1.1.2 |
iApp Technology Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 726872-2 | 3-Major | BT726872 | iApp LX directory disappears after upgrade or restoring from UCS ★ | 13.1.1.2, 14.0.1.1 |
Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release
Functional Change Fixes
None
Cumulative fixes from BIG-IP v13.1.1 that are included in this release
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 693359-1 | 1-Blocking | BT693359 | AWS M5 and C5 instance families are supported | 13.1.1, 14.0.0.1 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 721364 | 1-Blocking | BT721364 | BIG-IP per-application VE BYOL license does not support three wildcard virtual servers | 13.1.1, 14.0.0.1 |
| 716469 | 1-Blocking | BT716469 | OpenSSL 1.0.1l fails with 512 bit DSA keys | 13.1.1 |
| 697615-1 | 1-Blocking | K65013424 , BT697615 | Neurond may restart indefinitely after boot, with neurond_i2c_config message | 13.1.1 |
| 675921-2 | 1-Blocking | BT675921 | Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running | 12.1.3.1, 13.1.1 |
| 723130-1 | 2-Critical | K13996 , BT723130 | Invalid-certificate warning displayed when deploying BIG-IP VE OVA file | 11.5.8, 11.6.3.3, 12.1.3.6, 13.1.1, 14.0.0 |
| 700086-1 | 2-Critical | BT700086 | AWS C5/M5 Instances do not support BIG-IP VE | 13.1.1, 14.0.0.1 |
| 696732-3 | 2-Critical | K54431534 , BT696732 | tmm may crash in a compression provider | 12.1.3.5, 13.1.1 |
| 721985 | 3-Major | BT721985 | PAYG License remains inactive as dossier verification fails. | 13.1.1, 14.0.0.1 |
| 721512 | 3-Major | BT721512 | Config tool fails to configure management-ip when default routes exist for both IPv4 and IPv6. | 13.1.1 |
| 721342 | 3-Major | BT721342 | No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments. | 13.1.1, 14.0.0.1 |
| 720961-1 | 3-Major | BT720961 | Upgrading in Intelligence Community AWS environment may fail | 13.1.1, 14.0.0.1 |
| 720756-1 | 3-Major | BT720756 | SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS | 12.1.3.6, 13.1.1 |
| 720651-2 | 3-Major | BT720651 | Running Guest Changed to Provisioned Never Stops | 12.1.4, 13.1.1, 14.0.0.3 |
| 720104-1 | 3-Major | BT720104 | BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware' | 12.1.3.6, 13.1.1, 14.0.0.3 |
| 719396-1 | 3-Major | K34339214 , BT719396 | DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot. | 13.1.1, 14.0.0.1 |
| 717832 | 3-Major | BT717832 | Remove unneeded files from UCS backup directories | 13.1.1 |
| 714303-1 | 3-Major | K25057050 , BT714303 | X520 virtual functions do not support MAC masquerading | 13.1.1, 14.0.0.1 |
| 712266-1 | 3-Major | BT712266 | Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware | 13.1.1 |
| 697616-2 | 3-Major | BT697616 | Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests | 12.1.3.5, 13.1.1 |
| 680086 | 3-Major | BT680086 | BMC firmware fails md5sum check | 13.1.1 |
| 673996-2 | 3-Major | BT673996 | Unable to set 'media-fixed' on management port on BIG-IP i15000 platforms | 13.1.1, 14.0.0 |
| 680388-1 | 4-Minor | BT680388 | f5optics should not show function name in non-debug log messages | 12.1.3.5, 13.1.1 |
| 653759-1 | 4-Minor | BT653759 | Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update ★ | 12.1.3.5, 13.1.1 |
| 720391-2 | 5-Cosmetic | BT720391 | BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' | 12.1.3.6, 13.1.1, 14.0.0.3 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 737550 | 2-Critical | BT737550 | State Mirroring between BIG-IP 13.0.x and 13.1.x systems may cause TMM core on standby system during upgrade ★ | 13.1.1 |
| 701538-2 | 2-Critical | BT701538 | SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured | 12.1.3.5, 13.1.1 |
| 720460-1 | 3-Major | BT720460 | Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly | 13.1.1 |
| 694778-1 | 3-Major | BT694778 | Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size | 12.1.3.5, 13.1.1 |
| 686631-2 | 3-Major | BT686631 | Deselect a compression provider at the end of a job and reselect a provider for a new job | 12.1.3.5, 13.1.1 |
| 679494-1 | 3-Major | BT679494 | Change the default compression strategy to speed | 12.1.3.5, 13.1.1 |
| 495443-9 | 3-Major | K16621 , BT495443 | ECDH negotiation failures logged as critical errors. | 11.5.3, 12.1.3.5, 13.1.1 |
| 679496-2 | 4-Minor | BT679496 | Add 'comp_req' to the output of 'tmctl compress' | 12.1.3.5, 13.1.1 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 717909 | 2-Critical | BT717909 | tmm can abort on sPVA flush if the HSB flush does not succeed | 13.1.1, 14.0.0 |
| 701637 | 2-Critical | BT701637 | Crash in bcm56xxd during TMM failover | 13.1.1 |
| 702738-1 | 3-Major | K32181540 , BT702738 | Tmm might crash activating new blob when changing firewall rules | 12.1.3.4, 13.1.1 |
| 698182 | 3-Major | BT698182 | Upgrading from 13.1.1 to newer release might cause config to not be copied over ★ | 13.1.1 |
| 697516 | 3-Major | BT697516 | Upgrading using a ucs or scf file does not autogenerate uuids when current config has the uuid-default-autogenerate flag enabled | 13.1.1 |
Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 716992-2 | CVE-2018-5539 | K75432956 , BT716992 | The ASM bd process may crash | 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0 |
| 710244-3 | CVE-2018-5536 | K27391542 , BT710244 | Memory Leak of access policy execution objects | 12.1.3.6, 13.1.0.8, 14.0.0.5 |
| 710140-1 | CVE-2018-5527 | K20134942 , BT710140 | TMM may consume excessive resources when processing SSL Intercept traffic | 13.1.0.8, 14.0.0 |
| 709688-3 | CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 | K08306700 , BT709688 | dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 | 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 695072-2 | CVE-2016-8399, CVE-2017-1000111, CVE-2017-1000112, CVE-2017-11176, CVE-2017-14106, CVE-2017-7184, CVE-2017-7541, CVE-2017-7542, CVE-2017-7558 | K23030550 , BT695072 | CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558 | 13.1.0.8, 14.0.0.3 |
| 693744-4 | CVE-2018-5531 | K64721111 , BT693744 | CVE-2018-5531: vCMP vulnerability | 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8 |
| 651741-2 | CVE-2017-5970 | K60104355 , BT651741 | CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop | 13.1.0.8, 14.0.0.3 |
| 717900-2 | CVE-2018-5528 | K27044729 , BT717900 | TMM crash while processing APM data | 13.1.0.8, 14.0.0 |
| 710827-2 | CVE-2019-6598 | K44603900 , BT710827 | TMUI dashboard daemon stability issue | 11.5.9, 11.6.3.3, 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 710148-2 | CVE-2017-1000111, CVE-2017-1000112 | K60250153 , BT710148 | CVE-2017-1000111 & CVE-2017-1000112 | 11.5.7, 11.6.3.3, 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 709256-2 | CVE-2017-9074, CVE-2017-7542 | K61223103 , BT709256 | CVE-2017-9074: Local Linux Kernel Vulnerability | 11.5.6, 11.6.3.1, 12.1.3.3, 13.1.0.8, 14.0.0.3 |
| 705476-2 | CVE-2018-15322 | K28003839 , BT705476 | Appliance Mode does not follow design best practices | 11.5.7, 11.6.3.3, 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 698813-2 | CVE-2018-5538 | K45435121 , BT698813 | When processing DNSX transfers ZoneRunner does not enforce best practices | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 688625-5 | CVE-2017-11628 | K75543432 , BT688625 | PHP Vulnerability CVE-2017-11628 | 11.5.7, 11.6.3.2, 12.1.3.2, 13.1.0.8 |
| 662850-6 | CVE-2015-2716 | K50459349 , BT662850 | Expat XML library vulnerability CVE-2015-2716 | 11.5.7, 11.6.3.2, 12.1.3.2, 13.1.0.8 |
| 714879-3 | CVE-2018-15326 | K34652116 , BT714879 | APM CRLDP Auth passes all certs | 11.6.3.3, 12.1.3.6, 13.1.0.8, 14.0.0.5 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 685020-3 | 3-Major | BT685020 | Enhancement to SessionDB provides timeout | 12.1.3.2, 13.1.0.8 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 708956-1 | 1-Blocking | K51206433 , BT708956 | During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform' | 12.1.3.5, 13.1.0.8, 14.0.1.1 |
| 719597 | 2-Critical | BT719597 | HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0 | 13.1.0.8, 14.0.0.3 |
| 715820-1 | 2-Critical | BT715820 | vCMP in HA configuration with VIPRION chassis might cause unstable data plane | 13.1.0.8 |
| 712401-1 | 2-Critical | BT712401 | Enhanced administrator lock/unlock for Common Criteria compliance | 13.1.0.8 |
| 676203-3 | 2-Critical | BT676203 | Inter-blade mpi connection fails, does not recover, and eventually all memory consumed. | 12.1.3.2, 13.1.0.8 |
| 665362-2 | 2-Critical | BT665362 | MCPD might crash if the AOM restarts | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 581851-6 | 2-Critical | K16234725 , BT581851 | mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands | 11.5.9, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0 |
| 711249-1 | 3-Major | BT711249 | NAS-IP-Address added to RADIUS packet unexpectedly | 12.1.4, 13.1.0.8, 14.0.0.3 |
| 710976-1 | 3-Major | BT710976 | Network Map can take a long time to load. | 13.1.0.8, 14.0.0.3 |
| 708484-2 | 3-Major | BT708484 | Network Map might take a long time to load | 13.1.0.8, 14.0.0.3 |
| 707445-3 | 3-Major | K47025244 | Nitrox 3 compression hangs/unable to recover | 11.5.9, 11.6.3.3, 12.1.3.6, 13.1.0.8 |
| 705818-1 | 3-Major | BT705818 | GUI Network Map Policy with forward Rule to Pool, Pool does not show up | 13.1.0.8, 14.0.0 |
| 704804-1 | 3-Major | BT704804 | The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address | 12.1.3.3, 13.1.0.8, 14.0.0.3 |
| 704733-1 | 3-Major | BT704733 | NAS-IP-Address is sent with the bytes in reverse order | 12.1.3.3, 13.1.0.8, 14.0.0.3 |
| 704247-2 | 3-Major | BT704247 | BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted | 12.1.3.7, 13.1.0.8, 14.0.0.3 |
| 701249-1 | 3-Major | BT701249 | RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1 | 12.1.3.3, 13.1.0.8, 14.0.0.3 |
| 700895-1 | 3-Major | K34944451 , BT700895 | GUI Network Map objects in subfolders are not being shown | 13.1.0.8 |
| 696260-1 | 3-Major | K53103420 , BT696260 | GUI Network Map as Start Screen presents database error | 13.1.0.8 |
| 694696-5 | 3-Major | BT694696 | On multiblade Viprion, creating a new traffic-group causes the device to go Offline | 12.1.3.2, 13.1.0.8 |
| 694547-2 | 3-Major | K74203532 , BT694547 | TMSH save sys config creates unneeded generate_config processes. | 13.1.0.8 |
| 689730-3 | 3-Major | BT689730 | Software installations from v13.1.0 might fail ★ | 12.1.3.5, 13.1.0.8 |
| 687658 | 3-Major | BT687658 | Monitor operations in transaction will cause it to stay unchecked | 11.6.3.3, 12.1.3.2, 13.1.0.8 |
| 686906-2 | 3-Major | BT686906 | Fragmented IPv6 packets not handled correctly on Virtual Edition | 13.1.0.8 |
| 674455-5 | 3-Major | BT674455 | Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS | 12.1.3.5, 13.1.0.8 |
| 678254-1 | 4-Minor | BT678254 | Error logged when restarting Tomcat | 12.1.3.7, 13.1.0.8 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 721571-1 | 2-Critical | BT721571 | State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade ★ | 13.1.0.8 |
| 718071-1 | 2-Critical | BT718071 | HTTP2 with ASM policy not passing traffic | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 715747 | 2-Critical | BT715747 | TMM may restart when running traffic through custom SSLO deployments. | 13.1.0.8, 14.0.0 |
| 709828-2 | 2-Critical | BT709828 | fasthttp can crash with Large Receive Offload enabled | 13.1.0.8, 14.0.0.3 |
| 707244-3 | 2-Critical | BT707244 | iRule command clientside and serverside may crash tmm | 13.1.0.8, 14.0.0 |
| 707207-1 | 2-Critical | BT707207 | iRuleLx returning undefined value may cause TMM restart | 12.1.3.6, 13.1.0.8, 14.0.0.5 |
| 700597-1 | 2-Critical | BT700597 | Local Traffic Policy on HTTP/2 virtual server no longer matches | 13.1.0.8 |
| 700056-1 | 2-Critical | BT700056 | MCPD process may lock up and restart when applying Local Traffic Policy to virtual server | 13.1.0.8, 14.0.0.3 |
| 690756-1 | 2-Critical | BT690756 | APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated | 13.1.0.8 |
| 571651-4 | 2-Critical | BT571651 | Reset Nitrox3 crypto accelerator queue if it becomes stuck. | 11.5.9, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0.5 |
| 713951-5 | 3-Major | BT713951 | tmm core files produced by nitrox_diag may be missing data | 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 713934-2 | 3-Major | BT713934 | Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result in a malformed TC response | 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 712819-2 | 3-Major | BT712819 | 'HTTP::hsts preload' iRule command cannot be used | 13.1.0.8, 14.0.0.3 |
| 712475-3 | 3-Major | K56479945 , BT712475 | DNS zones without servers will prevent DNS Express reading zone data | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 712437-3 | 3-Major | K20355559 , BT712437 | Records containing hyphens (-) will prevent child zone from loading correctly | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 711281-5 | 3-Major | BT711281 | nitrox_diag may run out of space on /shared | 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 710996-2 | 3-Major | BT710996 | VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP | 13.1.0.8 |
| 709133-2 | 3-Major | BT709133 | When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur | 13.1.0.8, 14.0.0.3 |
| 709132-1 | 3-Major | BT709132 | When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur | 13.1.0.8, 14.0.0.3 |
| 707961-2 | 3-Major | K50013510 , BT707961 | Unable to add policy to virtual server; error = Failed to compile the combined policies | 13.1.0.8, 14.0.0.3 |
| 707109-1 | 3-Major | BT707109 | Memory leak when using C3D | 13.1.0.8, 14.0.0 |
| 704381-5 | 3-Major | BT704381 | SSL/TLS handshake failures and terminations are logged at too low a level | 11.6.5.1, 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 702151-1 | 3-Major | BT702151 | HTTP/2 can garble large headers | 11.6.3.3, 12.1.3.6, 13.1.0.8 |
| 700889-3 | 3-Major | K07330445 , BT700889 | Software syncookies without TCP TS improperly include TCP options that are not encoded | 11.6.3.3, 12.1.3.6, 13.1.0.8 |
| 700061-4 | 3-Major | BT700061 | Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file | 12.1.3.6, 13.1.0.8 |
| 699598-2 | 3-Major | BT699598 | HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR or TCP RST | 12.1.5, 13.1.0.8, 14.0.0.3 |
| 696755 | 3-Major | BT696755 | HTTP/2 may truncate a response body when served from cache | 13.1.0.8, 14.1.0.6, 15.1.3, 16.0.1.2 |
| 693308-1 | 3-Major | BT693308 | SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain | 12.1.3.7, 13.1.0.8 |
| 689089-1 | 3-Major | BT689089 | VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot | 12.1.3.2, 13.1.0.8 |
| 688744-1 | 3-Major | K11793920 , BT688744 | LTM Policy does not correctly handle multiple datagroups | 13.1.0.8 |
| 686890-1 | 3-Major | BT686890 | X509_EXTENSION memory blocks leak when C3D forges the certificate. | 13.1.0.8 |
| 682944-1 | 3-Major | BT682944 | key-id missing for installed netHSM key for standby BIG-IP system in high availability (HA) setup | 13.1.0.8 |
| 682283-2 | 3-Major | BT682283 | Malformed HTTP/2 request with invalid Content-Length value is served against RFC | 13.1.0.8, 14.0.0.3 |
| 678872-3 | 3-Major | BT678872 | Inconsistent behavior for virtual-address and selfip on the same ip-address | 12.1.3.6, 13.1.0.8 |
| 673399-3 | 3-Major | BT673399 | HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server. | 12.1.3.4, 13.1.0.8 |
| 653201-2 | 3-Major | BT653201 | Update the default CA certificate bundle file to the latest version and remove expiring certificates from it | 13.1.0.8 |
| 713533-2 | 4-Minor | BT713533 | list self-ip with queries does not work | 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 708249-2 | 4-Minor | BT708249 | nitrox_diag utility generates QKView files with 5 MB maximum file size limit | 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 692095-1 | 4-Minor | K65311501 , BT692095 | bigd logs monitor status unknown for FQDN Node/Pool Member | 11.6.3.3, 12.1.3.2, 13.1.0.8 |
| 678801-4 | 4-Minor | BT678801 | WS::enabled returned empty string | 12.1.3.6, 13.1.0.8 |
| 677958-4 | 4-Minor | BT677958 | WS::frame prepend and WS::frame append do not insert string in the right place. | 12.1.3.6, 13.1.0.8 |
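Bug 700061 in the table above describes an mcpd restart or reboot widening a key file's permissions to include read access for "other". The following shell snippet is an added example, not F5 code, that a practitioner can run against a key directory after such a restart to confirm the fixed build no longer does this. It assumes key files are named `*.key` or `*.key_*` and takes the directory to audit as an argument; the paths in the demonstration are a constructed temporary directory, not a real BIG-IP filestore.

```shell
#!/bin/sh
# Added example (not F5's code): audit a directory for private-key files that
# are readable by "other", the condition bug 700061 describes.
# Assumptions: key files are named *.key or *.key_* (the BIG-IP filestore
# naming is not asserted here); the caller passes the directory to check.

# Print every regular file under $1 whose name looks like a key and whose
# "other" read bit (octal 004) is set. "-perm -004" is the portable spelling
# of "the o+r bit is set, ignore the remaining bits".
world_readable_keys() {
    find "$1" -type f \( -name '*.key' -o -name '*.key_*' \) -perm -004 -print 2>/dev/null
}

# Return the number of offending files as a bare integer. wc pads its output
# with spaces on some platforms, so strip the whitespace.
key_leak_count() {
    world_readable_keys "$1" | wc -l | tr -d ' '
}

# Self-contained demonstration on a constructed temporary directory: one key
# kept at 0600 and one widened to 0644 the way the bug describes.
demo() {
    d=$(mktemp -d)
    printf 'CONSTRUCTED, NOT A REAL KEY\n' > "$d/good.key"
    chmod 600 "$d/good.key"
    printf 'CONSTRUCTED, NOT A REAL KEY\n' > "$d/leaky.key"
    chmod 644 "$d/leaky.key"
    echo "world-readable key files: $(key_leak_count "$d")"   # 1
    world_readable_keys "$d"                                   # prints .../leaky.key
    rm -rf "$d"
}

demo
```

Because `find -perm` tests the mode bits rather than effective access, the check gives the same answer whether it is run as root or as an unprivileged user; a non-zero count after the fix is applied is worth a support case rather than a manual `chmod`, since the next mcpd restart would otherwise undo the repair.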
Performance Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 698992-1 | 3-Major | BT698992 | Performance degraded | 13.1.0.8 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 713066-1 | 2-Critical | K10620131 , BT713066 | Connection failure during DNS lookup to disabled nameserver can crash TMM | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 707310-2 | 2-Critical | BT707310 | DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs) | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 721895 | 3-Major | | Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery) | 11.5.7, 11.6.4, 12.1.4.1, 13.1.0.8, 14.0.0.5 |
| 715448-2 | 3-Major | BT715448 | Providing LB::status with a GTM Pool name in a variable caused validation issues | 12.1.3.7, 13.1.0.8, 14.0.0.3 |
| 710032-1 | 3-Major | BT710032 | 'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system. | 13.1.0.8, 14.0.0.3 |
| 706128-2 | 3-Major | BT706128 | DNSSEC Signed Zone Transfers Can Leak Memory | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 703545-1 | 3-Major | BT703545 | DNS::return iRule "loop" checking disabled | 13.1.0.8, 14.0.0 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 718152 | 2-Critical | K14591455 , BT718152 | ASM GUI request log does not load on cluster | 13.1.0.8 |
| 716788-2 | 2-Critical | BT716788 | TMM may crash while response modifications are being performed within DoSL7 filter | 12.1.3.7, 13.1.0.8, 14.0.0.5 |
| 713390-1 | 2-Critical | | ASM Signature Update cannot be performed on hourly billing cloud instance | 13.1.0.8 |
| 685230-3 | 2-Critical | BT685230 | memory leak on a specific server scenario | 12.1.3.7, 13.1.0.8 |
| 606983-2 | 2-Critical | BT606983 | ASM errors during policy import | 12.1.3.6, 13.1.0.8, 14.0.0.5 |
| 719459-2 | 3-Major | BT719459 | Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled | 13.1.0.8, 14.0.0.5 |
| 719005-1 | 3-Major | BT719005 | Login request may arrive corrupted to the backend server after CAPTCHA or CSID mitigation | 13.1.0.8, 14.0.0.5 |
| 717756-2 | 3-Major | BT717756 | High CPU usage from asm_config_server | 13.1.0.8, 14.0.0 |
| 716940-2 | 3-Major | BT716940 | Traffic Learning screen graphs shows data for the last day only | 13.1.0.8, 14.0.0.5 |
| 715128-1 | 3-Major | BT715128 | Simple mode Signature edit does not escape semicolon | 13.1.0.8, 14.0.0.5 |
| 713282-1 | 3-Major | BT713282 | Remote logger violation_details field does not appear when virtual server has more than one remote logger | 12.1.3.7, 13.1.0.8, 14.0.0.5 |
| 712362-3 | 3-Major | BT712362 | ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase | 12.1.3.6, 13.1.0.8, 14.0.0.5 |
| 711405-1 | 3-Major | K14770331 , BT711405 | ASM GUI Fails to Display Policy List After Upgrade | 13.1.0.8, 14.0.0.5 |
| 710327-1 | 3-Major | BT710327 | Remote logger message is truncated at NULL character. | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 707147-1 | 3-Major | BT707147 | High CPU consumed by asm_config_server_rpc_handler_async.pl | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 706845-2 | 3-Major | BT706845 | False positive illegal multipart violation | 12.1.3.6, 13.1.0.8 |
| 706665-2 | 3-Major | BT706665 | ASM policy is modified after pabnagd restart | 13.1.0.8, 14.0.0 |
| 704643-1 | 3-Major | BT704643 | Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule | 13.1.0.8, 14.0.1.1 |
| 702008-1 | 3-Major | BT702008 | ASM REST: Missing DB Cleanup for some tables | 13.1.0.8 |
| 700143-2 | 3-Major | BT700143 | ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages | 12.1.3.2, 13.1.0.8 |
| 691897-3 | 3-Major | BT691897 | Names of the modified cookies do not appear in the event log | 12.1.3.6, 13.1.0.8 |
| 687759-1 | 3-Major | BT687759 | bd crash | 12.1.3.6, 13.1.0.8, 14.0.0.5, 14.1.0.6 |
| 686765-2 | 3-Major | BT686765 | Database cleaning failure may allow MySQL space to fill the disk entirely | 12.1.3.6, 13.1.0.8 |
| 674256-2 | 3-Major | K60745057 , BT674256 | False positive cookie hijacking violation | 13.1.0.8, 13.1.1.4, 14.0.0 |
| 675232-6 | 4-Minor | BT675232 | Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction | 11.6.3.2, 12.1.3.2, 13.1.0.8 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 710315-1 | 2-Critical | BT710315 | AVR-profile might cause issues when loading a configuration or when using config sync | 13.1.0.8, 14.0.0 |
| 698226-1 | 2-Critical | BT698226 | Filters under Security :: Reports :: DoS :: URL Latencies work incorrectly | 13.1.0.8 |
| 696642-1 | 2-Critical | BT696642 | monpd core is sometimes created when the system is under heavy load. | 13.1.0.8 |
| 721474-1 | 3-Major | BT721474 | AVR does not send all SSLO statistics to offbox machine. | 13.1.0.8, 14.0.0 |
| 715110 | 3-Major | BT715110 | AVR should report 'resolutions' in module GtmWideip | 13.1.0.8, 14.1.0.2 |
| 712118 | 3-Major | BT712118 | AVR should report on all 'global tags' in external logs | 13.1.0.8, 14.0.0 |
| 706361 | 3-Major | BT706361 | IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0 ★ | 13.1.0.8 |
| 696212-1 | 3-Major | BT696212 | monpd does not return data for multi-dimension query | 13.1.0.8 |
| 648242-2 | 3-Major | K73521040 , BT648242 | Administrator users unable to access all partition via TMSH for AVR reports | 12.1.3.2, 13.1.0.8, 14.0.0.5, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 649161-2 | 4-Minor | K42340304 , BT649161 | AVR caching mechanism not working properly | 12.1.3.2, 13.1.0.8 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 720214-1 | 2-Critical | BT720214 | NTLM Authentication might fail if Strict Update in iApp is modified | 13.1.0.8, 14.0.0 |
| 720189-1 | 2-Critical | BT720189 | VDI settings in APM Webtop have the incorrect URL for Citrix Receiver client download | 13.1.0.8, 14.0.0 |
| 719149-2 | 2-Critical | BT719149 | VDI plugin might hang while processing native RDP connections | 13.1.0.8, 14.0.0 |
| 716747-2 | 2-Critical | | TMM may crash while processing APM or SWG traffic | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 715250-1 | 2-Critical | BT715250 | TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED | 12.1.3.6, 13.1.0.8 |
| 713156-1 | 2-Critical | BT713156 | AGC cannot do redeploy in Exchange and ADFS use cases | 13.1.0.8, 14.0.0 |
| 710116-1 | 2-Critical | BT710116 | VPN clients experience packet loss/disconnection | 13.1.0.8, 14.0.0 |
| 694078-1 | 2-Critical | BT694078 | In rare cases, TMM may crash with high APM traffic | 13.1.0.8 |
| 720695-1 | 3-Major | BT720695 | Export then import of APM access Profile/Policy with advanced customization is failing | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 719192 | 3-Major | BT719192 | In VPE Agent VMware View Policy shows no properties | 13.1.0.8 |
| 715207-3 | 3-Major | BT715207 | coapi errors while modifying per-request policy in VPE | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 714961-1 | 3-Major | BT714961 | antserver creates large temporary file in /tmp directory | 13.1.0.8, 14.0.0 |
| 714700-2 | 3-Major | BT714700 | SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy | 13.1.0.8, 14.0.0 |
| 713111-1 | 3-Major | BT713111 | When ASM and APM are configured on the same virtual server, ASM might report some errors in its logging. | 13.1.0.8 |
| 710305-1 | 3-Major | BT710305 | When ASM and APM are configured on the same virtual server, ASM could throw some errors in its logging. | 13.1.0.8 |
| 709274-1 | 3-Major | BT709274 | RADIUS Accounting requests egress on different Self IP addresses than they did pre-v13.1.0 | 13.1.0.8, 14.0.0 |
| 699267-2 | 3-Major | BT699267 | LDAP Query may fail to resolve nested groups | 11.6.3.3, 12.1.3.4, 13.1.0.8 |
| 658278-1 | 3-Major | BT658278 | Network Access configuration with Layered-VS does not work with Edge Client | 11.6.4, 13.1.0.8, 14.0.0 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 703515-3 | 2-Critical | K44933323 , BT703515 | MRF SIP LB - Message corruption when using custom persistence key | 11.6.3.2, 12.1.3.6, 13.1.0.8 |
| 692310-2 | 3-Major | K69250459 , BT692310 | ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body | 13.1.0.8 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 677473-3 | 2-Critical | BT677473 | MCPD core is generated on multiple add/remove of Mgmt-Rules | 12.1.3.6, 13.1.0.8 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 711570-3 | 3-Major | BT711570 | PEM iRule subscriber policy name query using subscriber ID, may not return applied policies | 12.1.3.6, 13.1.0.8 |
| 663874-2 | 3-Major | K77173309 , BT663874 | Off-box HSL logging does not work with PEM in SPAN mode. | 13.1.0.8 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 719186-2 | 3-Major | BT719186 | Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts | 13.1.0.8, 14.0.1.1 |
| 716318-2 | 3-Major | BT716318 | Engine/Signatures automatic update check may fail to find/download the latest update | 12.1.3.7, 13.1.0.8, 14.0.0.5 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 714334-1 | 2-Critical | BT714334 | admd stops responding and generates a core while under stress. | 13.1.0.8, 14.0.0.5 |
| 718772-2 | 3-Major | BT718772 | The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists) | 13.1.0.8, 14.0.0.5 |
| 718685-1 | 3-Major | BT718685 | The measured number of pending requests is two times higher than actual one | 13.1.0.8 |
| 701288-1 | 3-Major | BT701288 | Server health significantly increases during DoSL7 TPS prevention | 13.1.0.8, 14.0.0 |
iApp Technology Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 693694-1 | 3-Major | BT693694 | tmsh::load within IApp template results in unpredicted behavior | 13.1.0.8 |
Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 716392-1 | 1-Blocking | BT716392 | Support for 24 vCMP guests on a single 4450 blade | 13.1.0.7, 14.0.0.2 |
| 712429 | 1-Blocking | BT712429 | Serverside packets excluded from DoS stats | 13.1.0.7 |
| 704552 | 3-Major | BT704552 | Support for ONAP site licensing | 13.1.0.7, 14.0.0.2, 14.1.4.1 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 707100 | 2-Critical | BT707100 | Potentially fail to create user in AzureStack | 13.1.0.7, 14.0.0.1 |
| 706688 | 2-Critical | BT706688 | Automatically add additional certificates to BIG-IP system in C2S and IC environments | 13.1.0.7, 14.0.0.1 |
| 709936 | 3-Major | BT709936 | Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration. | 13.1.0.7, 14.0.0.1 |
| 707585-1 | 3-Major | BT707585 | Use native driver for 82599 NICs instead of UNIC | 13.1.0.7, 14.0.0.1 |
| 703869 | 3-Major | BT703869 | Waagent updated to 2.2.21 | 12.1.3.3, 13.1.0.7, 14.0.0.1 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 713273 | 2-Critical | BT713273 | BIG-IP sys db variable avr.stats.internal.maxentitiespertable resets back to default value on services restart | 13.1.0.7, 14.0.0 |
| 715153-1 | 3-Major | BT715153 | AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem | 13.1.0.7, 14.0.0 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 716746 | 3-Major | BT716746 | Possible tmm restart when disabling single endpoint vector while attack is ongoing | 13.1.0.7, 14.1.4.2, 15.1.3, 16.0.1.2 |
| 712710 | 3-Major | BT712710 | TMM may halt and restart when threshold mode is set to stress-based mitigation | 13.1.0.7, 14.0.0 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 699103-1 | 3-Major | BT699103 | tmm continuously restarts after provisioning AFM | 13.1.0.7, 14.0.0 |
Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 709972-6 | CVE-2017-12613 | K52319810 , BT709972 | CVE-2017-12613: APR Vulnerability | 12.1.3.6, 13.1.0.6, 14.0.0.3 |
| 707186-1 | CVE-2018-5514 | K45320419 , BT707186 | TMM may crash while processing HTTP/2 traffic | 13.1.0.6, 14.0.0 |
| 702232-1 | CVE-2018-5517 | K25573437 , BT702232 | TMM may crash while processing FastL4 TCP traffic | 13.1.0.6, 14.0.0 |
| 693312-1 | CVE-2018-5518 | K03165684 , BT693312 | vCMPd may crash when processing bridged network traffic | 12.1.3.4, 13.1.0.6 |
| 688516-1 | CVE-2018-5518 | K03165684 , BT688516 | vCMPd may crash when processing bridged network traffic | 12.1.3.4, 13.1.0.6 |
| 686305-1 | CVE-2018-5534 | K64552448 , BT686305 | TMM may crash while processing SSL forward proxy traffic | 11.5.7, 11.6.3.2, 12.1.3.2, 13.0.1, 13.1.0.6 |
| 589233-2 | CVE-2018-5518 | K03165684 | vCMPd may crash when processing bridged network traffic | 13.1.0.6 |
| 714369 | CVE-2018-5526 | K62201098 , BT714369 | ADM may fail when processing HTTP traffic | 13.1.0.6, 14.0.0 |
| 714350 | CVE-2018-5526 | K62201098 , BT714350 | BADOS mitigation may fail | 13.1.0.6, 14.0.0 |
| 710314-1 | CVE-2018-5537 | K94105051 , BT710314 | TMM may crash while processing HTML traffic | 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.6, 14.0.0 |
| 706176-1 | CVE-2018-5512 | K51754851 , BT706176 | TMM crash can occur when using LRO | 13.1.0.6, 14.0.0 |
| 706086-3 | CVE-2018-5515 | K62750376 , BT706086 | PAM RADIUS authentication subsystem hardening | 12.1.3.3, 13.1.0.6, 14.0.0 |
| 703940-2 | CVE-2018-5530 | K45611803 , BT703940 | Malformed HTTP/2 frame consumes excessive system resources | 11.6.3.2, 12.1.3.6, 13.1.0.6, 14.0.0 |
| 699346-3 | CVE-2018-5524 | K53931245 , BT699346 | NetHSM capacity reduces when handling errors | 11.6.3.2, 12.1.3.2, 13.0.1, 13.1.0.6 |
| 688011-7 | CVE-2018-5520 | K02043709 , BT688011 | Dig utility does not apply best practices | 12.1.3.2, 13.0.1, 13.1.0.6, 14.0.0 |
| 688009-7 | CVE-2018-5519 | K46121888 , BT688009 | Appliance Mode TMSH hardening | 12.1.3.4, 13.0.1, 13.1.0.6, 14.0.0 |
| 677088-2 | CVE-2018-15321 | K01067037 , BT677088 | BIG-IP tmsh vulnerability CVE-2018-15321 | 11.5.7, 11.6.3.3, 12.1.3.6, 13.1.0.6, 14.0.0.3 |
| 708653-1 | CVE-2018-15311 | K07550539 , BT708653 | TMM may crash while processing TCP traffic | 11.5.7, 11.6.3.3, 12.1.3.6, 13.1.0.6, 14.0.0 |
| 632875-5 | CVE-2018-5516 | K37442533 , BT632875 | Non-Administrator TMSH users no longer allowed to run dig | 12.1.3, 13.0.1, 13.1.0.6, 14.0.0 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 708389 | 3-Major | BT708389 | BADOS monitoring with Grafana requires admin privilege | 13.1.0.6, 14.0.0.5 |
| 680850-2 | 3-Major | K48342409 , BT680850 | Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage. | 12.1.3.4, 13.1.0.6 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 694897-2 | 1-Blocking | BT694897 | Unsupported Copper SFP can trigger a crash on i4x00 platforms. | 13.1.0.6 |
| 708054-1 | 2-Critical | BT708054 | Web Acceleration: TMM may crash on very large HTML files with conditional comments | 12.1.3.4, 13.1.0.6, 14.0.0 |
| 706305-1 | 2-Critical | BT706305 | bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled | 12.1.3.4, 13.1.0.6, 14.0.0 |
| 706087 | 2-Critical | BT706087 | Entry for SSL key replaced by config-sync causes tmsh load config to fail | 13.1.0.6, 14.0.0 |
| 703761-2 | 2-Critical | | Disable DSA keys for public-key and host-based authentication in Common Criteria mode | 12.1.3.4, 13.1.0.6 |
| 696113-3 | 2-Critical | BT696113 | Extra IPsec reference added per crypto operation overflows connflow refcount | 12.1.3.6, 13.1.0.6 |
| 692683-1 | 2-Critical | BT692683 | Core with /usr/bin/tmm.debug at qa_device_mgr_uninit | 13.1.0.6 |
| 690793-1 | 2-Critical | K25263287 , BT690793 | TMM may crash and dump core due to improper connflow tracking | 12.1.3.7, 13.1.0.6 |
| 689577-3 | 2-Critical | K45800333 , BT689577 | ospf6d may crash when processing specific LSAs | 12.1.3.2, 13.1.0.6 |
| 688911-1 | 2-Critical | K94296004 , BT688911 | LTM Policy GUI incorrectly shows conditions with datagroups | 13.1.0.6 |
| 563661-1 | 2-Critical | BT563661 | Datastor may crash | 11.6.3.3, 12.1.3.2, 13.1.0.6 |
| 704282-2 | 3-Major | BT704282 | TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy | 12.1.3.6, 13.1.0.6 |
| 703298-2 | 3-Major | BT703298 | Licensing and phonehome_upload are not using the sync'd key/certificate | 13.1.0.6, 14.0.0 |
| 701626-2 | 3-Major | K16465222 , BT701626 | GUI resets custom Certificate Key Chain in child client SSL profile | 11.6.3.3, 12.1.3.4, 13.1.0.6 |
| 698429-1 | 3-Major | BT698429 | Misleading log error message: Store Read invalid store addr 0x3800, len 10 | 12.1.5.3, 13.1.0.6 |
| 693964-1 | 3-Major | BT693964 | Qkview utility may generate invalid XML in files contained in Qkview | 13.1.0.6 |
| 691497-2 | 3-Major | BT691497 | tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions | 13.1.0.6 |
| 691210-1 | 3-Major | BT691210 | Traffic stops on tmm restart when guest VLAN tagging is used for BIG-IP VE. | 13.1.0.6 |
| 687353-1 | 3-Major | K35595105 , BT687353 | Qkview truncates tmstat snapshot files | 12.1.3.2, 13.0.1, 13.1.0.6 |
| 631316-2 | 3-Major | K62532020 , BT631316 | Unable to load config with client-SSL profile error ★ | 11.6.3.2, 12.1.3.2, 13.1.0.6 |
| 514703-3 | 4-Minor | BT514703 | gtm listener cannot be listed across partitions | 13.0.1, 13.1.0.6 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 709334-1 | 2-Critical | BT709334 | Memory leak when SSL Forward proxy is used and ssl re-negotiates | 12.1.3.6, 13.1.0.6, 14.0.0 |
| 708114-1 | 2-Critical | K33319853 , BT708114 | TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed | 11.6.3.2, 12.1.3.6, 13.1.0.6, 14.0.0 |
| 707447-1 | 2-Critical | BT707447 | Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles. | 12.1.3.6, 13.1.0.6, 14.0.0 |
| 707246-1 | 2-Critical | BT707246 | TMM would crash if SSL Client profile could not load cert-key-chain successfully | 13.1.0.6, 14.0.0 |
| 706631-2 | 2-Critical | BT706631 | A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured. | 12.1.3.4, 13.1.0.6, 14.0.0 |
| 705611-2 | 2-Critical | BT705611 | The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used | 12.1.3.4, 13.1.0.6, 14.0.0 |
| 704666-1 | 2-Critical | BT704666 | memory corruption can occur when using certain certificates | 12.1.3.4, 13.1.0.6, 14.0.0 |
| 704435-1 | 2-Critical | BT704435 | Client connection may hang when NTLM and OneConnect profiles used together | 13.1.0.6 |
| 703914-2 | 2-Critical | BT703914 | TMM SIGSEGV crash in poolmbr_conn_dec. | 12.1.3.6, 13.1.0.6, 14.0.0 |
| 703191-2 | 2-Critical | BT703191 | HTTP2 requests may contain invalid headers when sent to servers | 13.1.0.6 |
| 701244-1 | 2-Critical | K81742541 , BT701244 | An incorrect data manipulation in cipher encrypt and decrypt could cause TMM crash with SIGABRT | 13.1.0.6 |
| 701202-3 | 2-Critical | K35023432 , BT701202 | SSL memory corruption | 12.1.3.4, 13.1.0.6 |
| 700393-3 | 2-Critical | K53464344 , BT700393 | Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash | 11.6.3.3, 12.1.3.4, 13.1.0.6, 14.0.0 |
| 697259-2 | 2-Critical | K14023450 , BT697259 | Different versioned vCMP guests on the same chassis may crash. | 12.1.3.7, 13.1.0.6 |
| 694656-1 | 2-Critical | K05186205 , BT694656 | Routing changes may cause TMM to restart | 12.1.3.7, 13.1.0.6 |
| 686228-1 | 2-Critical | K23243525 , BT686228 | TMM may crash in some circumstances with VLAN failsafe | 11.5.9, 11.6.4, 12.1.3.2, 13.1.0.6 |
| 680074-2 | 2-Critical | BT680074 | TMM crashes when serverssl cannot provide certificate to backend server. | 13.1.0.6 |
| 667770-1 | 2-Critical | K12472293 , BT667770 | SIGSEGV to tmm when performing multiple, repeated SSL profile updates, or during UCS restore | 13.1.0.6 |
| 648320-5 | 2-Critical | K38159538 , BT648320 | Downloading via APM tunnels could experience performance downgrade. | 11.6.3.2, 12.1.3.4, 13.0.1, 13.1.0.6 |
| 705794-2 | 3-Major | BT705794 | Under certain circumstances a stale HTTP/2 stream might cause a tmm crash | 11.6.3.3, 12.1.3.4, 13.1.0.6, 14.0.0 |
| 701147-2 | 3-Major | K36563645 , BT701147 | ProxySSL does not work properly with Extended Master Secret and OCSP | 13.1.0.6 |
| 700057-4 | 3-Major | BT700057 | LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved | 11.6.4, 12.1.3.6, 13.1.0.6 |
| 693910-4 | 3-Major | BT693910 | Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series) | 12.1.4, 13.1.0.6 |
| 693244-2 | 3-Major | BT693244 | BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned | 13.1.0.6, 14.0.0.3 |
| 690042-1 | 3-Major | K43412307 , BT690042 | Potential Tcl leak during iRule suspend operation | 11.6.4, 12.1.3.4, 13.1.0.6 |
| 689561-1 | 3-Major | BT689561 | HTTPS request hangs when multiple HTTPS virtual servers share the same IP address | 13.1.0.6 |
| 686972-4 | 3-Major | BT686972 | The change of APM log settings will reset the SSL session cache. | 12.1.3.4, 13.1.0.6 |
| 685615-4 | 3-Major | K24447043 , BT685615 | Incorrect source mac for TCP Reset with vlangroup for host traffic | 11.5.6, 11.6.5.1, 12.1.3.6, 13.1.0.6 |
| 677525-2 | 3-Major | BT677525 | Translucent VLAN group may use unexpected source MAC address | 11.5.6, 11.6.3.2, 12.1.3.6, 13.1.0.6 |
| 663821-1 | 3-Major | K41344010 , BT663821 | SNAT Stats may not include port FTP traffic | 12.1.3.2, 13.0.1, 13.1.0.6 |
| 653976-4 | 3-Major | K00610259 , BT653976 | SSL handshake fails if server certificate contains multiple CommonNames | 12.1.3.4, 13.1.0.6 |
| 594751-1 | 3-Major | K90535529 , BT594751 | LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN | 12.1.5.1, 13.1.0.6 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 710424-2 | 2-Critical | BT710424 | Possible SIGSEGV in GTMD when GTM persistence is enabled. | 11.6.5.2, 12.1.3.4, 13.1.0.6, 14.0.0 |
| 678861-1 | 2-Critical | BT678861 | DNS:: namespace commands in procs cause upgrade failure when changing from a Link Controller license to another license | 12.1.3.2, 13.1.0.6 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 710870 | 2-Critical | BT710870 | Temporary browser challenge failure after installing older ASU | 13.1.0.6 |
| 711011-2 | 3-Major | BT711011 | 'API Security' security policy template changes | 13.1.0.6, 14.0.0 |
| 683241-1 | 3-Major | K70517410 , BT683241 | Improve CSRF token handling | 11.5.6, 11.6.3.2, 12.1.3.6, 13.1.0.6 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 710947-1 | 2-Critical | BT710947 | AVR does not send errdef for entity DosIpLogReporting. | 13.1.0.6, 14.0.0 |
| 710110-1 | 2-Critical | BT710110 | AVR does not publish DNS statistics to external log when usr-offbox is enabled. | 13.1.0.6, 14.0.0 |
| 711929-1 | 3-Major | BT711929 | AVR should not send statistic on hidden rows for module InterfaceTraffic and module InterfaceHealth | 13.1.0.6, 14.0.0 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 679221-2 | 1-Blocking | BT679221 | APMD may generate core file or appears locked up after APM configuration changed | 12.1.3.4, 13.1.0.6 |
| 708005-1 | 2-Critical | K12423316 , BT708005 | Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources | 13.1.0.6, 14.0.0 |
| 703208-1 | 2-Critical | BT703208 | PingAccessAgent causes TMM core | 13.1.0.6, 14.0.0 |
| 702278-2 | 2-Critical | | Potential XSS security exposure on APM logon page. | 12.1.3.4, 13.0.1, 13.1.0.6, 14.0.0 |
| 700522-1 | 2-Critical | BT700522 | APMD may unexpectedly restart when worker threads are stuck | 13.1.0.6 |
| 700090-2 | 2-Critical | BT700090 | tmm crash during execution of a per-request policy when modified during execution. | 13.1.0.6, 14.0.0 |
| 699686-1 | 2-Critical | BT699686 | localdbmgr can occasionally crash during shutdown | 13.1.0.6, 14.0.0 |
| 697452-1 | 2-Critical | BT697452 | Websso crashes because of bad argument in logging | 13.0.1, 13.1.0.6 |
| 712924-1 | 3-Major | BT712924 | In VPE, the SecurID servers list is not displayed in the SecurID authentication dialog | 12.1.3.6, 13.1.0.6 |
| 703793-3 | 3-Major | BT703793 | tmm restarts when using 'ACCESS::perflow get' in certain events | 12.1.3.7, 13.1.0.6, 14.0.0 |
| 703171-1 | 3-Major | BT703171 | High CPU usage for apmd, localdbmgr and oauth processes | 13.1.0.6, 14.0.0 |
| 702487-3 | 3-Major | BT702487 | AD/LDAP admins with spaces in names are not supported | 12.1.3.4, 13.1.0.6 |
| 684937-3 | 3-Major | K26451305 , BT684937 | [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users | 11.5.6, 11.6.3.2, 12.1.3.6, 13.0.1, 13.1.0.6 |
| 683113-3 | 3-Major | K22904904 , BT683113 | [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users | 11.5.6, 11.6.3.2, 12.1.3.6, 13.0.1, 13.1.0.6 |
| 681415-3 | 3-Major | BT681415 | Copying of profile with advanced customization or images might fail | 12.1.3.4, 13.1.0.6 |
| 678427-1 | 3-Major | K03138339 , BT678427 | Safari 11 displays F5 EPI and F5 VPN launch confirmation dialogs twice | 13.1.0.6 |
| 675775-4 | 3-Major | BT675775 | TMM crashes inside dynamic ACL building session db callback | 12.1.3.4, 13.1.0.6 |
| 671597-3 | 3-Major | BT671597 | Import, export, copy and delete is taking too long on 1000 entries policy | 12.1.3.2, 13.0.1, 13.1.0.6 |
| 673717-3 | 4-Minor | BT673717 | VPE loading times can be very long | 12.1.3.2, 13.0.1, 13.1.0.6 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 701889-1 | 2-Critical | BT701889 | Setting log.ivs.level or log-config filter level to informational causes crash | 13.1.0.6 |
| 679114-4 | 3-Major | BT679114 | Persistence record expires early if an error is returned for a BYE command | 11.6.3, 12.1.3.6, 13.1.0.6 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 708888-1 | 2-Critical | K79814103 , BT708888 | Some DNS truncated responses may not be processed by BIG-IP | 13.1.0.6, 14.0.0 |
| 667353 | 2-Critical | BT667353 | Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table | 13.1.0.6, 14.0.0 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 702705-2 | 2-Critical | BT702705 | Core observed during lease query testing when RADIUS Authentication is configured in DHCP profile | 13.1.0.6 |
| 699531-1 | 2-Critical | BT699531 | Potential TMM crash due to incorrect number of attributes in a PEM iRule command | 12.1.3.6, 13.1.0.6, 14.0.0.3 |
| 696294-1 | 2-Critical | BT696294 | TMM core may be seen when using Application reporting with flow filter in PEM | 12.1.3.6, 13.1.0.6 |
| 711093-1 | 3-Major | BT711093 | PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled | 12.1.3.6, 13.1.0.6, 14.0.0.3 |
| 709610-3 | 3-Major | BT709610 | Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM | 12.1.3.6, 13.1.0.6, 14.0.0.3 |
| 697718-1 | 3-Major | BT697718 | Increase PEM HSL reporting buffer size to 4K. | 12.1.3.6, 13.1.0.6 |
| 677494-1 | 3-Major | BT677494 | Flow filter with Periodic content insertion action could leak insert content record | 13.1.0.6 |
| 677148-1 | 3-Major | BT677148 | Periodic content insertion creates duplicate records if same policy is added to Global high and subscriber specific | 13.1.0.6 |
| 676346-2 | 3-Major | BT676346 | PEM displays incorrect policy action counters when the gate status is disabled. | 13.1.0.6, 14.0.0.3 |
| 648802-1 | 3-Major | BT648802 | Required custom AVPs are not included in an RAA when reporting an error. | 12.1.3.6, 13.1.0.6, 14.0.0.3 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 710701-1 | 3-Major | BT710701 | "Application Layer Encryption" option is not saved in DataSafe GUI | 13.1.0.6, 14.0.0 |
| 709319-2 | 3-Major | BT709319 | Post-login client-side alerts are missing username in bigIQ | 13.1.0.6, 14.0.0 |
| 706835 | 3-Major | BT706835 | When cloning a profile, URL parameters are not shown | 13.1.0.6 |
| 706771-1 | 3-Major | BT706771 | FPS ajax-mapping property may be set even when it should be blocked | 13.1.0.6, 14.0.0 |
| 706651-1 | 3-Major | BT706651 | Cloning URL does not clone "Description" field | 13.1.0.6, 14.0.0 |
| 706276-1 | 4-Minor | BT706276 | Unnecessary pop-up appears | 13.1.0.6 |
Device Management Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 708305-2 | 3-Major | BT708305 | Discover task may get stuck in CHECK_IS_ACTIVE step | 13.1.0.6, 14.0.0 |
| 705593-5 | 4-Minor | | CVE-2015-7940: Bouncy Castle Java Vulnerability | 13.1.0.6, 14.0.0 |
Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 633441-1 | 3-Major | BT633441 | Datasync Background Tasks running even without features requiring it | 13.1.0.5 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 708189 | 4-Minor | BT708189 | OAuth Discovery Auto Pilot is implemented | 13.1.0.5 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 708840 | 3-Major | BT708840 | 13.0.0-to-13.1.0 upgrade operation on VIPRION 2250 blades might fail if global whitelist is configured | 13.1.0.5, 14.0.0 |
Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 705161-1 | CVE-2018-5505 | K23520761 , BT705161 | BIG-IP ASM and BIG-IP AFM/BIG-IP Analytics vulnerability CVE-2018-5505 | 13.1.0.4, 14.0.0 |
| 703517 | CVE-2018-5505 | K23520761 , BT703517 | BIG-IP ASM and BIG-IP AFM/BIG-IP Analytics vulnerability CVE-2018-5505 | 13.1.0.4 |
| 700556-1 | CVE-2018-5504 | K11718033 , BT700556 | TMM may crash when processing WebSockets data | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 699012-1 | CVE-2018-5502 | K43121447 , BT699012 | TMM may crash when processing SSL/TLS data | 13.0.1, 13.1.0.4 |
| 698080-3 | CVE-2018-5503 | K54562183 , BT698080 | TMM may consume excessive resources when processing with PEM | 12.1.3.2, 13.1.0.4 |
| 695901-1 | CVE-2018-5513 | K46940010 , BT695901 | TMM may crash when processing ProxySSL data | 11.5.6, 11.6.3.2, 12.1.3.4, 13.0.1, 13.1.0.4 |
| 691504-1 | CVE-2018-5503 | K54562183 , BT691504 | PEM content insertion in a compressed response may cause a crash. | 12.1.3.2, 13.1.0.4 |
| 704580-1 | CVE-2018-5549 | K05018525 , BT704580 | apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP | 11.6.3.2, 12.1.3.4, 13.0.1, 13.1.0.4, 14.0.0 |
| 701447-1 | CVE-2017-5754 | K91229003 , BT701447 | CVE-2017-5754 (Meltdown) | 13.0.1, 13.1.0.4, 14.0.0 |
| 701445-1 | CVE-2017-5753, CVE-2017-9074, CVE-2017-7542, CVE-2017-11176 | K91229003 , BT701445 | CVE-2017-5753 (Spectre Variant 1) | 13.0.1, 13.1.0.4, 14.0.0 |
| 701359-4 | CVE-2017-3145 | K08613310 | BIND vulnerability CVE-2017-3145 | 11.6.3.2, 12.1.3.4, 13.0.1, 13.1.0.4 |
| 699455-4 | CVE-2018-5523 | K50254952 , BT699455 | SAML export does not follow best practices | 11.5.6, 11.6.3.2, 12.1.3.2, 13.0.1, 13.1.0.4 |
| 699451-3 | CVE-2018-5511 | K30500703 , BT699451 | OAuth reports do not follow best practices | 13.0.1, 13.1.0.4 |
| 676457-5 | CVE-2017-6153 | K52167636 , BT676457 | TMM may consume excessive resource when processing compressed data | 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4 |
| 640766-2 | CVE-2016-10088, CVE-2016-9576 | K05513373 , BT640766 | Linux kernel vulnerability: CVE-2016-10088 CVE-2016-9576 | 13.0.1, 13.1.0.4 |
| 636986-1 | CVE-2021-22982 | K72708443 , BT636986 | big3d agent vulnerability CVE-2021-22982 | 13.1.0.4 |
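The "Fixed Versions" column above lists one fix version per release branch, so answering "is my system covered for this CVE?" needs a branch-aware comparison rather than a plain version compare (13.0.0 is not covered by a fix listed only as 13.1.0.4). The following Python is an added example, not F5 code or tooling: it parses rows in the table's own pipe-delimited layout and reports which CVEs remain unfixed for a given running version. The per-branch (major.minor) interpretation of the column is an assumption stated in the code; the three sample rows are copied from the table above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: three rows in the same layout as the Vulnerability Fixes
# table (IDs, CVEs, links and fixed versions as printed in that table).
SAMPLE_ROWS = """\
| 700556-1 | CVE-2018-5504 | K11718033 , BT700556 | TMM may crash when processing WebSockets data | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 699012-1 | CVE-2018-5502 | K43121447 , BT699012 | TMM may crash when processing SSL/TLS data | 13.0.1, 13.1.0.4 |
| 695901-1 | CVE-2018-5513 | K46940010 , BT695901 | TMM may crash when processing ProxySSL data | 11.5.6, 11.6.3.2, 12.1.3.4, 13.0.1, 13.1.0.4 |
"""

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """'13.1.0.4' -> (13, 1, 0, 4); tuple order gives correct numeric compare."""
    return tuple(int(p) for p in v.strip().split("."))


def branch(v: Version) -> Tuple[int, int]:
    # ASSUMPTION: a fixed-version list names one fix per major.minor branch,
    # so a fix listed as 13.1.0.4 says nothing about a 13.0.x system.
    return (v[0], v[1])


def parse_rows(text: str) -> List[Dict[str, object]]:
    """Parse pipe-delimited fix rows; header, separator and malformed lines are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or not re.match(r"^\d+(-\d+)?$", cells[0]):
            continue
        rows.append({
            "id": cells[0],
            "cves": re.findall(r"CVE-\d{4}-\d+", cells[1]),
            "links": [l.strip() for l in cells[2].split(",") if l.strip()],
            "description": cells[3],
            "fixed": [parse_version(x) for x in cells[4].split(",")],
        })
    return rows


def is_fixed(running: str, fixed_versions: List[Version]) -> Optional[bool]:
    """True if `running` is at or above the fix for its own branch,
    False if it is below that fix, None if no fix is listed for the branch
    (the table does not say, so do not assume the system is covered)."""
    r = parse_version(running)
    for f in fixed_versions:
        if branch(f) == branch(r):
            return r >= f
    return None


def unfixed_cves(running: str, text: str) -> List[str]:
    """CVEs whose row lists a fix for the running branch that `running` predates."""
    out = set()
    for row in parse_rows(text):
        if is_fixed(running, row["fixed"]) is False:  # type: ignore[arg-type]
            out.update(row["cves"])  # type: ignore[arg-type]
    return sorted(out)


if __name__ == "__main__":
    for v in ("13.1.5", "13.1.0.3", "13.0.0", "12.1.3.3", "14.1.0"):
        print(v, "unfixed:", unfixed_cves(v, SAMPLE_ROWS))
```

Note that `None` (no fix listed for the branch) is reported separately from `False`: a 14.1.0 system matches none of the sample rows, which means the table gives no verdict, not that the system is patched; check that branch's own release notes instead.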
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 686389-1 | 3-Major | BT686389 | APM does not honor per-farm HTML5 client disabling at the View Connection Server | 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4 |
| 678524-1 | 3-Major | BT678524 | Join FF02::2 multicast group when router-advertisement is configured | 13.1.0.4 |
| 693007-1 | 4-Minor | BT693007 | Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC | 12.1.3.6, 13.1.0.4 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 707226 | 1-Blocking | BT707226 | DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations | 11.5.6, 11.6.3.1, 12.1.3.3, 13.0.1, 13.1.0.4, 14.0.0 |
| 700315-2 | 1-Blocking | K26130444 , BT700315 | Ctrl+C does not terminate TShark | 12.1.3.6, 13.1.0.4 |
| 667148-3 | 1-Blocking | K02500042 , BT667148 | Config load or upgrade can fail when loading GTM objects from a non-/Common partition | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 706998-3 | 2-Critical | BT706998 | Memory leak when OCSP is configured in clientSSL profile for C3D, or in serverSSL profile for server authentication | 13.1.0.4, 14.0.0 |
| 692890-3 | 2-Critical | BT692890 | Adding support for BIG-IP 800 in 13.1.x | 13.1.0.4 |
| 685458-7 | 2-Critical | K44738140 , BT685458 | merged fails merging a table when a table row has incomplete keys defined. | 12.1.5, 13.1.0.4 |
| 665354-1 | 2-Critical | K31190471 , BT665354 | Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log | 12.1.3, 13.0.1, 13.1.0.4 |
| 703848-1 | 3-Major | BT703848 | Possible memory leak when reusing statistics rows in tables | 13.0.1, 13.1.0.4 |
| 702520-2 | 3-Major | K53330514 , BT702520 | Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address. | 13.1.0.4 |
| 694740-3 | 3-Major | BT694740 | BIG-IP reboot during a TMM core results in an incomplete core dump | 12.1.3.6, 13.1.0.4 |
| 692753-1 | 3-Major | BT692753 | shutting down trap not sent when shutdown -r or shutdown -h issued from shell | 13.1.0.4 |
| 689691-2 | 3-Major | BT689691 | iStats line length greater than 4032 bytes results in corrupted statistics or merge errors | 13.0.1, 13.1.0.4 |
| 686029-2 | 3-Major | BT686029 | A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces | 12.1.3.4, 13.1.0.4 |
| 669462-2 | 3-Major | BT669462 | Error adding /Common/WideIPs as members to GTM Pool in non-Common partition | 12.1.3.2, 13.1.0.4 |
| 589083-6 | 3-Major | BT589083 | TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors. | 12.1.2, 13.1.0.4, 14.0.0 |
| 699281-1 | 4-Minor | BT699281 | Version format of hypervisor bundle matches Version format of ISO | 12.1.3.2, 13.1.0.4 |
| 685475-1 | 4-Minor | K93145012 , BT685475 | Unexpected error when applying hotfix | 12.1.3.6, 13.1.0.4 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 706534-1 | 1-Blocking | BT706534 | L7 connection mirroring may not be fully mirrored on standby BIG-IP system | 13.1.0.4, 14.0.0 |
| 698424-1 | 1-Blocking | K11906514 , BT698424 | Traffic over a QinQ VLAN (double tagged) will not pass | 13.1.0.4 |
| 700862-1 | 2-Critical | K15130240 , BT700862 | tmm SIGFPE 'valid node' | 12.1.3.4, 13.1.0.4 |
| 699298-2 | 2-Critical | BT699298 | 13.0.0 Hotfix HF3 3.0.1679 TMM CORED due to SIGSEGV. | 13.0.1, 13.1.0.4 |
| 698461-1 | 2-Critical | BT698461 | Tmm may crash in fastl4 TCP | 13.1.0.4, 14.0.0 |
| 692970-2 | 2-Critical | BT692970 | Using UDP port 67 for purposes other than DHCP might cause TMM to crash | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 691095-1 | 2-Critical | BT691095 | CA bundle manager loses certificates in the CA bundle if the serial number is longer than 4 bytes | 13.1.0.4 |
| 687635-1 | 2-Critical | K58002142 , BT687635 | Tmm becomes unresponsive and might restart | 13.0.1, 13.1.0.4 |
| 687205-2 | 2-Critical | BT687205 | Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart | 12.1.3.4, 13.1.0.4 |
| 681175-3 | 2-Critical | K32153360 , BT681175 | TMM may crash during routing updates | 12.1.3.2, 13.1.0.4 |
| 674576-3 | 2-Critical | BT674576 | Outage may occur with VIP-VIP configurations | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 452283-5 | 2-Critical | BT452283 | An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows | 11.6.3.3, 12.1.3.4, 13.1.0.4 |
| 440620-1 | 2-Critical | BT440620 | New connections may be reset when a client reuses the same port as it used for a recently closed connection | 11.6.5.1, 12.1.3.6, 13.1.0.4 |
| 704073-1 | 3-Major | K24233427 , BT704073 | Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm | 12.1.3.2, 13.1.0.4 |
| 702439 | 3-Major | K04964898 , BT702439 | Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset | 13.1.0.4 |
| 698916-1 | 3-Major | BT698916 | TMM crash with HTTP/2 under specific condition | 12.1.3.6, 13.1.0.4 |
| 698379-2 | 3-Major | K61238215 , BT698379 | HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR( | 12.1.3.6, 13.1.0.4 |
| 698000-3 | 3-Major | K04473510 , BT698000 | Connections may stop passing traffic after a route update | 11.6.3, 12.1.3.2, 13.1.0.4 |
| 695707-5 | 3-Major | BT695707 | BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection | 13.1.0.4 |
| 691806-1 | 3-Major | K61815412 , BT691806 | RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state | 11.5.7, 11.6.3.3, 12.1.3.6, 13.1.0.4 |
| 689449-1 | 3-Major | BT689449 | Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured | 11.6.4, 12.1.3.4, 13.1.0.4, 14.0.0 |
| 688571-2 | 3-Major | K40332712 , BT688571 | Untrusted cert might be accepted by server-ssl even when 'untrusted-cert-response-control drop' is configured in the server-ssl profile. | 13.1.0.4 |
| 688570-5 | 3-Major | BT688570 | BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes | 13.1.0.4 |
| 686307-3 | 3-Major | K10665315 , BT686307 | Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later | 12.1.3.2, 13.1.0.4 |
| 686065-2 | 3-Major | BT686065 | RESOLV::lookup iRule command can trigger crash with slow resolver | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 682104-3 | 3-Major | BT682104 | HTTP PSM leaks memory when looking up evasion descriptions | 12.1.3.2, 13.1.0.4 |
| 680264-2 | 3-Major | BT680264 | HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags | 12.1.4, 13.0.1, 13.1.0.4 |
| 677666-2 | 3-Major | BT677666 | /var/tmstat/blades/scripts segment grows in size. | 13.0.1, 13.1.0.4 |
| 664528-2 | 3-Major | K53282793 , BT664528 | SSL record can be larger than maximum fragment size (16384 bytes) | 12.1.3.4, 13.1.0.4 |
| 251162-1 | 3-Major | K11564 | The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name | 12.1.3.6, 13.1.0.4 |
| 685467-1 | 4-Minor | K12933087 , BT685467 | Certain header manipulations in HTTP profile may result in losing connection. | 12.1.3.6, 13.1.0.4 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 699135-1 | 2-Critical | BT699135 | tmm cores with SIGSEGV in dns_rebuild_response while using the host command for a non-A/AAAA wide IP | 12.1.3.4, 13.1.0.4 |
| 692941-1 | 2-Critical | BT692941 | GTMD and TMM SIGSEGV when changing wide IP pool in GTMD | 11.5.9, 12.1.3.2, 13.1.0.4 |
| 691287-1 | 2-Critical | BT691287 | tmm crashes on iRule with GTM pool command | 12.1.3.4, 13.1.0.4 |
| 682335-1 | 2-Critical | BT682335 | TMM can establish multiple connections to the same gtmd | 12.1.3.4, 13.1.0.4 |
| 580537-3 | 2-Critical | BT580537 | The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 562921-5 | 2-Critical | BT562921 | Cipher 3DES and iQuery encrypting traffic between BIG-IP systems | 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4 |
| 705503-3 | 3-Major | BT705503 | Context leaked from iRule DNS lookup | 12.1.3.6, 13.1.0.4, 14.0.0 |
| 703702 | 3-Major | BT703702 | Fixed iControl REST not listing GTM Listeners | 13.1.0.4 |
| 700527-3 | 3-Major | BT700527 | cmp-hash change can cause repeated iRule DNS-lookup hang | 12.1.3.2, 13.1.0.4 |
| 699339-3 | 3-Major | K24634702 , BT699339 | Geolocation upgrade files fail to replicate to secondary blades | 12.1.3.4, 13.1.0.4 |
| 696808-1 | 3-Major | BT696808 | Disabling a single pool member removes all GTM persistence records | 12.1.3.4, 13.1.0.4 |
| 691498-3 | 3-Major | BT691498 | Connection failure during iRule DNS lookup can crash TMM | 12.1.3.2, 13.1.0.4 |
| 690166-1 | 3-Major | BT690166 | ZoneRunner creates a new stub zone when creating an SRV WIP with more subdomains | 12.1.3.2, 13.1.0.4 |
| 687128-1 | 3-Major | BT687128 | gtm::host iRule validation for ipv4 and ipv6 addresses | 12.1.3.4, 13.1.0.4 |
| 680069-1 | 3-Major | K81834254 , BT680069 | zxfrd core during transfer while network failure and DNS server removed from DNS zone config | 12.1.3.6, 13.1.0.4 |
| 679149-1 | 3-Major | BT679149 | TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0] | 12.1.3.4, 13.1.0.4 |
| 667469-3 | 3-Major | K35324588 , BT667469 | Higher than expected CPU usage when using DNS Cache | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 636997-1 | 4-Minor | | big3d may crash | 13.1.0.4 |
| 636994-1 | 4-Minor | | big3d may crash | 13.1.0.4 |
| 636992-1 | 4-Minor | | big3d may crash | 13.1.0.4 |
| 636982-1 | 4-Minor | | big3d may crash | 13.1.0.4 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 705774-1 | 3-Major | BT705774 | Add a set of disallowed file types to RDP template | 13.1.0.4, 14.0.0 |
| 703833-1 | 3-Major | BT703833 | Some bot detection features might not work as expected on Single Page Applications | 13.1.0.4 |
| 702946-3 | 3-Major | BT702946 | Added option to reset staging period for signatures | 12.1.3.2, 13.1.0.4 |
| 701841-2 | 3-Major | BT701841 | Unnecessary file recovery_db/conf.tar.gz consumes /var disk space | 12.1.3.2, 13.1.0.4 |
| 701327-2 | 3-Major | BT701327 | failed configuration deletion may cause unwanted bd exit | 12.1.3.2, 13.1.0.4 |
| 700812-1 | 3-Major | BT700812 | asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview | 12.1.3.6, 13.1.0.4 |
| 700726-2 | 3-Major | BT700726 | Search engine list updated, and case of multiple entries fixed | 12.1.3.6, 13.1.0.4, 14.0.0 |
| 698919-3 | 3-Major | BT698919 | Antivirus false positive detection on long XML uploads | 12.1.3.2, 13.1.0.4 |
| 697756-1 | 3-Major | BT697756 | Policy with CSRF URL parameter cannot be imported as binary policy file | 13.1.0.4 |
| 697303-1 | 3-Major | BT697303 | BD crash | 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4 |
| 696265-5 | 3-Major | K60985582 , BT696265 | BD crash | 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4 |
| 696073-2 | 3-Major | BT696073 | BD core on a specific scenario | 13.1.0.4 |
| 695563-1 | 3-Major | | Improve speed of ASM initialization on first startup | 13.1.0.4 |
| 694922-5 | 3-Major | BT694922 | ASM Auto-Sync Device Group Does Not Sync | 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4 |
| 693780-1 | 3-Major | BT693780 | Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices | 13.1.0.4 |
| 693663-1 | 3-Major | BT693663 | Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode | 13.1.0.4 |
| 691477-2 | 3-Major | BT691477 | ASM standby unit showing future date and high version count for ASM Device Group | 12.1.3.2, 13.1.0.4 |
| 679384-3 | 3-Major | K85153939 , BT679384 | The policy builder is not getting updates about the newly added signatures. | 12.1.3.2, 13.1.0.4 |
| 678293-2 | 3-Major | K25066531 , BT678293 | Uncleaned policy history files cause /var disk exhaustion | 12.1.3.2, 13.1.0.4 |
| 665992-2 | 3-Major | K40510140 , BT665992 | Live Update via Proxy No Longer Works | 13.1.0.4 |
| 608988-1 | 3-Major | BT608988 | Error when deleting multiple ASM Policies | 13.1.0.4 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 703233 | 3-Major | BT703233 | Some filters don't work in Security->Reporting->URL Latencies page | 13.1.0.4 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 707676-1 | 2-Critical | BT707676 | Memory leak in Machine Certificate Check agent of the apmd process | 13.1.0.4, 14.0.0 |
| 700724-2 | 2-Critical | BT700724 | Client connection with large number of HTTP requests may cause tmm to restart | 13.0.1, 13.1.0.4 |
| 692557-1 | 2-Critical | BT692557 | When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted. | 13.0.1, 13.1.0.4 |
| 690116-1 | 2-Critical | BT690116 | websso daemon might crash when logging set to debug | 13.1.0.4 |
| 689591-2 | 2-Critical | BT689591 | When pingaccess SDK processes certain POST requests from the client, the TMM may restart | 13.0.1, 13.1.0.4 |
| 677368-2 | 2-Critical | BT677368 | Websso crash due to uninitialized member in websso context object while processing a log message | 13.0.1, 13.1.0.4 |
| 631286-3 | 2-Critical | BT631286 | TMM Memory leak caused by APM URI cache entries | 12.1.3.7, 13.0.1, 13.1.0.4 |
| 703429-2 | 3-Major | BT703429 | Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 702263-1 | 3-Major | BT702263 | An access profile with large number of SAML Resources (greater than 200) causes APM error ERR_TOOBIG while loading. | 13.1.0.4 |
| 702222-1 | 3-Major | BT702222 | RADIUS and SecurID Auth fails with empty password | 13.1.0.4 |
| 701740-1 | 3-Major | BT701740 | apmd leaks memory when updating Access V2 policy | 13.1.0.4 |
| 701737-1 | 3-Major | BT701737 | apmd may leak memory on destroying Kerberos cache | 13.1.0.4 |
| 701736-1 | 3-Major | BT701736 | Memory leak in Machine Certificate Check agent of the apmd process | 13.1.0.4 |
| 701639-1 | 3-Major | BT701639 | Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by BIG-IP as SP. | 13.1.0.4, 14.0.0 |
| 697636-3 | 3-Major | BT697636 | ACCESS is not replacing headers while replacing POST body | 13.0.1, 13.1.0.4 |
| 695953-1 | 3-Major | BT695953 | Custom URL Filter object is missing after load sys config TMSH command | 13.0.1, 13.1.0.4 |
| 694624-1 | 3-Major | BT694624 | SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor | 13.0.1, 13.1.0.4 |
| 693844-1 | 3-Major | K58335157 , BT693844 | APMD may restart continuously and cannot come up | 13.1.0.4 |
| 692307-3 | 3-Major | BT692307 | User with 'operator' role may not be able to view some session variables | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 687937-1 | 3-Major | BT687937 | RDP URIs generated by APM Webtop are not properly encoded | 13.1.0.4 |
| 685862-1 | 3-Major | BT685862 | BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message | 12.1.5.1, 13.1.0.4 |
| 684583-1 | 3-Major | BT684583 | Built-in Okta Scopes Request object uses client-id and client-secret | 13.1.0.4 |
| 684325-1 | 3-Major | BT684325 | APMD Memory leak when applying a specific access profile | 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4 |
| 683389-3 | 3-Major | BT683389 | Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 683297-2 | 3-Major | BT683297 | Portal Access may use incorrect back-end for resources referenced by CSS | 13.0.1, 13.1.0.4 |
| 682500-2 | 3-Major | BT682500 | VDI Profile and Storefront Portal Access resource do not work together | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 678851-3 | 3-Major | BT678851 | Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase() | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 675866-4 | 3-Major | BT675866 | WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO | 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4 |
| 671627-3 | 3-Major | K06424790 , BT671627 | HTTP responses without a body may contain a chunked body with empty payload when processed by Portal Access. | 12.1.3.2, 13.1.0.4 |
| 632646-1 | 3-Major | BT632646 | APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server. | 11.6.3.2, 12.1.3.2, 13.0.1, 13.1.0.4 |
| 629334-1 | 3-Major | BT629334 | Portal Access: JavaScript expressions in parentheses may be rewritten incorrectly | 13.1.0.4 |
| 612792-1 | 3-Major | BT612792 | Support RDP redirection for connections launched from APM Webtop on iOS | 13.0.1, 13.1.0.4 |
| 612118-2 | 3-Major | BT612118 | Nexthop explicit proxy is not used for the very first connection to communicate with the backend. | 13.0.1, 13.1.0.4 |
| 536831-1 | 3-Major | BT536831 | APM PAM module does not handle local-only users list correctly | 13.1.0.4 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 698338-1 | 2-Critical | BT698338 | Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection | 11.6.5.2, 12.1.3.6, 13.1.0.4 |
| 689343-2 | 2-Critical | BT689343 | Diameter persistence entries with bi-directional flag created with 10 sec timeout | 13.1.0.4 |
| 685708-4 | 2-Critical | BT685708 | Routing via iRule to a host without providing a transport from a transport-config created connection cores | 11.6.3.2, 12.1.3.6, 13.1.0.4 |
| 700571-4 | 3-Major | BT700571 | SIP MR profile, setting incorrect branch param for CANCEL to INVITE | 11.6.3.2, 12.1.3.6, 13.1.0.4 |
| 696049-1 | 3-Major | BT696049 | High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running | 11.5.6, 11.6.3.2, 12.1.3.6, 13.1.0.4 |
| 674747-4 | 3-Major | K30837366 , BT674747 | sipdb cannot delete custom bidirectional persistence entries. | 11.6.3, 12.1.3.6, 13.1.0.4 |
| 656901-3 | 3-Major | BT656901 | MRF: add two iRule commands, 'existing_connection_only' and 'outgoing_connection_instance_seed' | 13.1.0.4 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 704207-1 | 2-Critical | BT704207 | DNS query name is not showing up in DNS AVR reporting | 13.1.0.4, 14.0.0 |
| 692328-1 | 2-Critical | BT692328 | Tmm core due to incorrect memory allocation | 13.1.0.4 |
| 703959 | 3-Major | BT703959 | Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI | 13.1.0.4 |
| 631418-1 | 3-Major | BT631418 | Packets dropped by HW grey list may not be counted toward AVR. | 13.1.0.4, 14.0.0 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 696383-1 | 2-Critical | BT696383 | PEM Diameter incomplete flow crashes when swept | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 694717-1 | 2-Critical | BT694717 | Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup. | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 616008-1 | 2-Critical | K23164003 , BT616008 | TMM core may be seen when using an HSL format script for HSL reporting in PEM | 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4 |
| 696789-1 | 3-Major | BT696789 | PEM Diameter incomplete flow crashes when TCL resumed | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 695968-1 | 3-Major | BT695968 | Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues. | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 694319-1 | 3-Major | BT694319 | CCA without a request type AVP cannot be tracked in PEM. | 12.1.3.2, 13.1.0.4 |
| 694318-1 | 3-Major | BT694318 | PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP. | 12.1.3.2, 13.1.0.4 |
| 684333-1 | 3-Major | BT684333 | PEM session created by Gx may get deleted across HA multiple switchover with CLI command | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 678820-1 | 3-Major | BT678820 | Potential memory leak if PEM Diameter sessions are not created successfully. | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 642068-4 | 3-Major | BT642068 | PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens | 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4 |
| 624231-4 | 3-Major | BT624231 | No flow control when using content-insertion with compression | 12.1.3.2, 13.1.0.4 |
| 680729-1 | 4-Minor | K64307999 , BT680729 | DHCP Trace log incorrectly marked as an Error log. | 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 697363-1 | 2-Critical | BT697363 | FPS should forward all XFF header values | 13.1.0.4 |
| 705559-1 | 3-Major | BT705559 | FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request | 13.1.0.4, 14.0.0 |
| 662311-1 | 3-Major | BT662311 | CS alerts should contain actual client IP address in XFF header | 13.1.0.4 |
Protocol Inspection Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 671716-1 | 3-Major | BT671716 | UCS version check was too strict for IPS hitless upgrade | 13.1.0.4 |
Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 702419 | 3-Major | BT702419 | Protocol Inspection needs add-on license to work | 13.1.0.3 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 660239-6 | 4-Minor | BT660239 | When accessing the dashboard, invalid HTTP headers may be present | 11.5.7, 11.6.3.3, 12.1.3.2, 13.0.1, 13.1.0.3 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 677919-4 | 3-Major | BT677919 | Enhanced Data Manipulation AJAX Support | 13.1.0.3 |
Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 681955-1 | CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 | K23565223 , BT681955 | Apache CVE-2017-9788 | 13.1.0.2 |
| 673595-9 | CVE-2017-3167 CVE-2017-3169 | K34125394 | Apache CVE-2017-3167 | 12.1.3.1, 12.1.3.2, 13.0.1, 13.1.0.2 |
| 694274-1 | CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 | K23565223 , BT694274 | [RHSA-2017:3195-01] Important: httpd security update - EL6.7 | 12.1.3.2, 13.0.1, 13.1.0.2 |
| 672124-6 | CVE-2018-5541 | K12403422 , BT672124 | Excessive resource usage when BD is processing requests | 11.5.6, 11.6.3.2, 12.1.3.6, 13.1.0.2 |
| 679861 | CVE-2019-6655 | K31152411 , BT679861 | Weak Access Restrictions on the AVR Reporting Interface | 11.5.10, 11.6.5, 12.1.5, 13.1.0.2 |
| 673607-9 | CVE-2017-3169 | K83043359 | Apache CVE-2017-3169 | 12.1.3.2, 13.0.1, 13.1.0.2 |
| 672667-6 | CVE-2017-7679 | K75429050 , BT672667 | CVE-2017-7679: Apache vulnerability | 12.1.3.2, 13.0.1, 13.1.0.2 |
| 641101-7 | CVE-2016-8743 | K00373024 | httpd security and bug fix update CVE-2016-8743 | 13.1.0.2 |
| 684033-3 | CVE-2017-9798 | K70084351 , BT684033 | CVE-2017-9798 : Apache Vulnerability (OptionsBleed) | 12.1.3.2, 13.0.1, 13.1.0.2 |
| 661939-2 | CVE-2017-2647 | K32115847 , BT661939 | Linux kernel vulnerability CVE-2017-2647 | 13.1.0.2 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 685056 | 3-Major | BT685056 | VE OVAs are not a supported platform for running VMware guest OS customization | 13.1.0.2 |
| 670103-1 | 3-Major | BT670103 | No way to query logins to BIG-IP in TMUI | 13.1.0.2 |
| 681385-2 | 4-Minor | | Forward proxy forged cert lifespan can be configured from days into hours. | 13.1.0.2 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 700247 | 2-Critical | K60053504 , BT700247 | APM Client Software may be missing after doing fresh install of BIG-IP VE | 13.1.0.2 |
| 693979 | 3-Major | BT693979 | Autoscale is not functional because of the change in file permission of the /shared/vadc/aws/iid-document document | 13.1.0.2 |
| 683131-1 | 3-Major | BT683131 | Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present &start; | 13.1.0.2 |
| 682213-1 | 3-Major | K31623549 , BT682213 | TLS v1.2 support in IP reputation daemon | 12.1.3.2, 13.1.0.2 |
| 669585-1 | 3-Major | BT669585 | The tmsh sys log filter is unable to display information in uncompressed log files. | 13.1.0.2 |
| 668826-1 | 3-Major | BT668826 | File named /root/.ssh/bigip.a.k.bak is present but should not be | 13.1.0.2 |
| 668276-1 | 3-Major | BT668276 | BIG-IP does not display failed login attempts since last login in GUI | 13.1.0.2 |
| 668273-1 | 3-Major | K12541531 , BT668273 | Logout button not available in Configuration Utility when using Client Cert LDAP | 13.1.0.2 |
| 471237-4 | 3-Major | K12155235 , BT471237 | BIG-IP VE instances do not work with an encrypted disk in AWS. | 12.1.3.2, 13.1.0.2 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 699624-1 | 2-Critical | BT699624 | Config with custom 'SIP' or 'Firepass' monitor fails to load after upgrade &start; | 13.1.0.2 |
| 463097-5 | 3-Major | BT463097 | Clock advanced messages with a large amount of data maintained in DNS Express zones | 12.1.3.1, 13.1.0.2 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 672504-2 | 2-Critical | K52325625 , BT672504 | Deleting zones from large databases can take excessive amounts of time. | 12.1.3.1, 13.1.0.2 |
| 667542-6 | 2-Critical | BT667542 | DNS Express does not correctly process multi-message DNS IXFR updates. | 13.1.0.2 |
| 645615-6 | 2-Critical | K70543226 , BT645615 | zxfrd may fail and restart after multiple failovers between blades in a chassis. | 11.5.7, 11.6.3, 12.1.3.1, 13.1.0.2 |
| 655233-2 | 3-Major | K93338593 , BT655233 | DNS Express using wrong TTL for SOA RRSIG record in NoData response | 12.1.3.1, 13.1.0.2 |
| 648766-2 | 3-Major | K57853542 , BT648766 | DNS Express responses missing SOA record in NoData responses if CNAMEs present | 12.1.3.1, 13.1.0.2 |
| 646615-2 | 4-Minor | BT646615 | Improved default storage size for DNS Express database | 12.1.3.1, 13.1.0.2 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 699720-1 | 2-Critical | BT699720 | ASM crash when configuring remote logger for WebSocket traffic with response-logging:all | 12.1.3.2, 13.1.0.2 |
| 691670-5 | 2-Critical | BT691670 | Rare BD crash in a specific scenario | 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.2 |
| 686108-1 | 2-Critical | BT686108 | User gets blocking page instead of captcha during brute force attack | 13.1.0.2 |
| 684312-1 | 2-Critical | K54140729 , BT684312 | During Apply Policy action, bd agent crashes, causing the machine to go Offline | 11.6.3.2, 12.1.3.2, 13.1.0.2 |
| 698940-1 | 3-Major | BT698940 | Add new security policy template for API driven systems - "API Security" | 13.1.0.2 |
| 690883-1 | 3-Major | BT690883 | BIG-IQ: Changing learning mode for elements does not always take effect | 13.1.0.2 |
| 686517-2 | 3-Major | BT686517 | Changes to a parent policy that has no active children are not synced to the secondary chassis slots. | 13.1.0.2 |
| 686470-1 | 3-Major | BT686470 | Enabling AJAX Response Page or Single Page Application support causes part of the web page to fail to load. | 13.1.0.2 |
| 686452-1 | 3-Major | BT686452 | File Content Detection Formats are not exported in Policy XML | 13.1.0.2 |
| 685964-1 | 3-Major | BT685964 | cs_qualified_urls bigdb does not cause configured URLs to be qualified. | 13.1.0.2 |
| 685771-1 | 3-Major | BT685771 | Policies cannot be created with SAP, OWA, or SharePoint templates | 13.1.0.2 |
| 685207-1 | 3-Major | | DoS client side challenge does not encode the Referer header. | 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.2 |
| 685164-1 | 3-Major | K34646484 , BT685164 | In partitions with default route domain != 0 request log is not showing requests | 12.1.5, 13.1.0.2 |
| 683508-1 | 3-Major | K00152663 , BT683508 | WebSockets: umu memory leak of binary frames when remote logger is configured | 12.1.3.2, 13.1.0.2 |
| 680353-1 | 3-Major | BT680353 | Brute force source-based mitigation is not working as expected | 13.1.0.2 |
| 674494-4 | 3-Major | K77993010 , BT674494 | BD memory leak on specific configuration and specific traffic | 12.1.3.2, 13.1.0.2 |
| 668184-2 | 3-Major | BT668184 | Huge values are shown in the AVR statistics for ASM violations | 12.1.3.2, 13.1.0.2 |
| 694073-3 | 4-Minor | BT694073 | All signature update details are shown in 'View update history from previous BIG-IP versions' popup | 11.6.3, 12.1.3.2, 13.1.0.2 |
| 685193-1 | 4-Minor | BT685193 | If Inheritance is None in the Parent Policy and there is at least one child policy, the number of Comments shown in Inheritance Settings is equal to the number of child policies | 13.1.0.2 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 697421 | 3-Major | BT697421 | Monpd core when trying to restart | 13.1.0.2 |
| 688813-2 | 3-Major | K23345645 , BT688813 | Some ASM tables can massively grow in size. | 13.1.0.2 |
| 686510-1 | 3-Major | BT686510 | If tmm was restarted during an attack, the attack might appear ongoing in GUI | 13.1.0.2 |
| 683474 | 3-Major | | The case-sensitive problem during comparison of 2 Virtual Servers | 13.1.0.2 |
| 679088-1 | 3-Major | BT679088 | Avr reporting and analytics does not display statistics of many source regions | 13.1.0.2 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 684852-1 | 2-Critical | BT684852 | Obfuscator not producing deterministic output | 13.1.0.2 |
| 692123 | 3-Major | BT692123 | GET parameter is grayed out if MobileSafe is not licensed | 12.1.3.2, 13.1.0.2 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 700320 | 2-Critical | BT700320 | tmm core under stress when BADOS configured and attack signatures enabled | 13.1.0.2 |
| 691462-1 | 3-Major | BT691462 | Bad actors detection might not work when signature mitigation blocks bad traffic | 13.1.0.2 |
| 687987 | 3-Major | BT687987 | Presentation of signatures in human-readable format | 13.1.0.2 |
| 687986 | 3-Major | BT687986 | High CPU consumption during signature generation; number of signatures per virtual server is not limited | 13.1.0.2 |
| 687984 | 3-Major | BT687984 | Attacks with randomization of HTTP header parameters generate too many signatures | 13.1.0.2 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 698396-1 | 2-Critical | BT698396 | Config load failed after upgrade from 12.1.2 to 13.x or 14.x &start; | 13.1.0.2 |
Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 686190-1 | 2-Critical | BT686190 | LRO performance impact with BWC and FastL4 virtual server | 13.1.0.1 |
| 667173-1 | 2-Critical | BT667173 | 13.1.0 cannot join a device group with 13.1.0.1 | 11.6.3, 12.1.3.1, 13.1.0.1 |
| 683114-2 | 3-Major | BT683114 | Need support for 4th element version in Update Check | 12.1.3.1, 13.1.0.1 |
Performance Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 685628-1 | 1-Blocking | BT685628 | Performance regression on B4450 blade &start; | 13.1.0.1 |
| 673832-1 | 1-Blocking | BT673832 | Performance impact for certain platforms after upgrading to 13.1.0. | 13.1.0.1, 14.0.0 |
| 696525-1 | 2-Critical | BT696525 | B2250 blades experience degraded performance. | 13.1.0.1 |
Cumulative fix details for BIG-IP v13.1.5 that are included in this release
999125-4 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.
Links to More Info: BT999125
Component: TMOS
Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.
Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.
Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or both Active (resulting in either no service availability or IP address conflicts in the network).
Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.
Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:
tmsh restart sys service sod
Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.
Fix:
Redundant devices remain in the correct failover state following a management IP address change.
Fixed Versions:
13.1.5
997137-5 : CSRF token modification may allow WAF bypass on GET requests
Component: Application Security Manager
Symptoms:
Under certain conditions a parameter is not processed as expected.
Conditions:
1. CSRF feature is configured
2. Request contains a crafted parameter
Impact:
Malicious request will bypass signatures and will not raise any attack signature violation
Workaround:
N/A
Fix:
The parameter is now processed as expected.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1
996381-5 : ASM attack signature may not match as expected
Links to More Info: K41503304 , BT996381
Component: Application Security Manager
Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.
Conditions:
- Attack signature 200000128 enabled.
Impact:
Processed traffic may not match all expected attack signatures
Workaround:
N/A
Fix:
Attack signature 200000128 now matches as expected.
Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
996113-5 : SIP messages with unbalanced escaped quotes in headers are dropped
Links to More Info: BT996113
Component: Service Provider
Symptoms:
Dropped SIP messages.
Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote
Impact:
Certain SIP messages are not being passed via MRF.
Workaround:
None
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1
995853-4 : Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error.
Links to More Info: BT995853
Component: Global Traffic Manager (DNS)
Symptoms:
Unable to create a GSLB Server object with both IPv4 and IPv6 self IPs as device IPs.
Conditions:
-- DNS and LTM services enabled.
-- Configure two self IPs on the box for IPv4 and IPv6.
-- GSLB Server object creation with IPv4 and IPv6 addresses in the device tab, along with Virtual Server Discovery enabled.
Impact:
GSLB Server object creation fails.
Workaround:
TMSH is not impacted. Use TMSH to create GSLB Server objects.
Fix:
GSLB Server object creation no longer fails.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4
995629-1 : Loading UCS files may hang if ASM is provisioned &start;
Links to More Info: BT995629
Component: TMOS
Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.
Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.
Impact:
-- UCS load might fail.
-- Config save and load operations fail while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.
Workaround:
If you encounter this, run 'load sys config default' to de-provision ASM. The UCS file should then load successfully.
Note: If loading a UCS archive with the 'platform-migrate' argument, then there is no workaround. See: https://cdn.f5.com/product/bugtracker/ID990849.html
Fix:
Loading UCS files no longer hangs if ASM is provisioned.
Fixed Versions:
13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2
994801-5 : SCP file transfer system
Component: TMOS
Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Conditions:
A user assigned to a role, such as Resource Administrator, without Advanced Shell access can run arbitrary commands via SCP file transfer.
Impact:
Users without Advanced Shell access can run SCP file transfer commands.
Workaround:
None
Fix:
This issue is fixed. The SCP file transfer system now follows current best practices. Users without Advanced Shell access cannot run SCP file transfer commands.
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
993981-5 : TMM may crash when ePVA is enabled
Component: Local Traffic Manager
Symptoms:
When ePVA is enabled on the BIG-IP system, increased CMP redirections can cause tmm to core and report an error:
tmm SIGFPE "nexthop ref valid".
Conditions:
-- ePVA acceleration is enabled on the BIG-IP system.
-- High rate of CMP redirections.
Impact:
Traffic disrupted while TMM restarts, and systems configured as part of a high availability (HA) group may failover.
Workaround:
Disable ePVA acceleration option.
Note: Performing this procedure may increase CPU use because TCP connections are subsequently processed in software by the Traffic Management Microkernel (TMM).
Fix:
TMM now operates as expected with ePVA enabled.
Fixed Versions:
13.1.5
993613-3 : Device fails to request full sync
Links to More Info: BT993613
Component: Application Security Manager
Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs.
Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.
Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage
Workaround:
Halt asm_config_server on the stuck device to restore the working state, then request a new sync.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
993489-6 : GTM daemon leaks memory when reading GTM link objects
Links to More Info: BT993489
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process memory consumption is higher than expected.
Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.
Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.
Workaround:
None
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
992073-5 : APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS
Component: Access Policy Manager
Symptoms:
End user clients frequently get a prompt to enter credentials when they should not.
Conditions:
APM Access Profile with NTLM authentication enabled.
Impact:
NTLM handshake failure causing user authentication failures.
Workaround:
N/A
Fix:
APM now processes NTLM requests as expected.
Fixed Versions:
13.1.5
990849-4 : Loading UCS with platform-migrate option hangs and requires exiting from the command &start;
Links to More Info: BT990849
Component: TMOS
Symptoms:
The UCS loading process with platform-migrate stops responding and hangs after printing:
Platform migrate loaded successfully. Saving configuration.
Conditions:
Load UCS with platform-migrate option:
tmsh load sys ucs <ucs_name> platform-migrate
Note: If you are loading a UCS archive created on a system running a different software version that also has an ASM configuration, there are other aspects to consider. See: https://cdn.f5.com/product/bugtracker/ID995629.html
Impact:
The UCS loading process stops responding, causing the device to be in an INOPERATIVE state.
Workaround:
None.
Fix:
Loading UCS with the platform-migrate option executes smoothly without getting stuck.
Fixed Versions:
13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2
989701-3 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response
987157 : BIG-IP ASM system may not properly perform attack signature checks
Links to More Info: K05391775
Component: Application Security Manager
Symptoms:
For more information see: https://support.f5.com/csp/article/K05391775
Conditions:
For more information see: https://support.f5.com/csp/article/K05391775
Impact:
For more information see: https://support.f5.com/csp/article/K05391775
Workaround:
N/A
Fix:
For more information see: https://support.f5.com/csp/article/K05391775
Fixed Versions:
13.1.5
985953-1 : GRE Transparent Ethernet Bridging inner MAC overwrite
Links to More Info: BT985953
Component: TMOS
Symptoms:
Traffic is not collected by the virtual server and is therefore not forwarded to the nodes.
Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.
Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.
Workaround:
None
Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
984593-4 : BD crash
Links to More Info: BT984593
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
982757-7 : APM Access Guided Configuration hardening
Component: Guided Configuration
Symptoms:
APM Guided Configuration does not follow current best practices
Conditions:
- APM provisioned
- Authenticated administrative user
Impact:
Guided Configuration does not follow current best practices.
Workaround:
N/A
Fix:
Guided Configuration now follows current best practices.
Fixed Versions:
13.1.5
982697-3 : ICMP hardening
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM does not follow current best practices for ICMP traffic.
Conditions:
- ICMP traffic
- DNS in use
Impact:
TMM does not follow current best practices.
Workaround:
N/A
Fix:
TMM now follows current best practices while processing ICMP traffic.
Behavior Change:
The change randomly adjusts the BIG-IP's ICMP rate limit to within 1/8% of the configured rate. While the average rate will remain the same, the number of ICMP packets issued second-to-second will vary randomly.
Fixed Versions:
13.1.5
982341-3 : iControl REST endpoint hardening
Component: TMOS
Symptoms:
iControl REST endpoints do not apply current best practices.
Conditions:
- Authenticated administrative user
- Request to iControl endpoint
Impact:
iControl REST endpoints do not follow current best practices.
Workaround:
N/A
Fix:
iControl REST endpoints now follow current best practices.
Fixed Versions:
13.1.5
981385-5 : AVRD does not send HTTP events to BIG-IQ DCD
Links to More Info: BT981385
Component: Application Visibility and Reporting
Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).
Conditions:
This happens under normal operation.
Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.
Workaround:
None.
Fixed Versions:
13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2
980325-3 : Chmand core due to memory leak from dossier requests.
Links to More Info: BT980325
Component: TMOS
Symptoms:
Chmand generates a core file when get_dossier is run continuously.
Due to excessive dossier requests, there is a high consumption of memory. The program is terminated with signal SIGSEGV, Segmentation fault.
Conditions:
Repeated/continuous dossier requests during licensing operations.
Impact:
Chmand crashes; potential traffic impact while chmand restarts.
Workaround:
None.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4
976501-4 : Failed to establish VPN connection
Links to More Info: BT976501
Component: Access Policy Manager
Symptoms:
VPN client exits with message "Failed to establish VPN connection"
Conditions:
-- Connect to Network Access using web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop
-- Internet Explorer browser
Impact:
Client will be unable to launch the VPN tunnel from the browser.
Workaround:
Clear cache in the browser and retry.
Disable caching in the browser.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3
975593-1 : TMM may crash while processing IPSec traffic
Component: Carrier-Grade NAT
Symptoms:
Under certain conditions, TMM may crash while processing IPSec traffic.
Conditions:
-- IPsec ALG enabled
Impact:
TMM crash leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes IPSec traffic as expected.
Fixed Versions:
13.1.5, 14.1.4.5
974093-2 : Linux kernel vulnerability CVE-2020-25705
Links to More Info: K09604370
973261-5 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects
Links to More Info: BT973261
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d does not try to open TCP connections if an HTTPS monitor contains a cert/key.
/var/log/gtm shows:
err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.
Conditions:
GTM HTTPS monitor with non-default cert/key.
Impact:
Unable to use HTTPS monitor.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
970329-5 : ASM hardening
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1
969105-5 : HA failover connections via the management address do not work on vCMP guests running on VIPRION
Links to More Info: BT969105
Component: TMOS
Symptoms:
A high availability (HA) failover connection using the management IP addresses does not work on vCMP guests running on a VIPRION device.
BIG-IP instances running directly on hardware, on Virtual Edition, and as vCMP guests running on an appliance are unaffected.
HA failover connections using self IPs are unaffected.
Conditions:
-- vCMP guest running on a VIPRION device
-- high availability (HA) failover connection using the management IP addresses (unicast and/or multicast)
Impact:
Failover state determination over the management port is permanently down.
Workaround:
While self IP-based high availability (HA) failover connections are not affected by this issue, F5 recommends configuring failover connections over both management IPs and self IPs (as detailed in K37361453: Configuring network failover for redundant VIPRION systems :: https://support.f5.com/csp/article/K37361453).
To mitigate this issue, run the following command on each blade of every guest:
touch /var/run/chmand.pid
The workaround does not survive a reboot, so a more permanent workaround is to edit the file /config/startup and add a line to touch /var/run/chmand.pid.
Add this line to the end of /config/startup:
(sleep 120; touch /var/run/chmand.pid) &
Note: The sleep time of 120 seconds should be tested, since it depends on how quickly or slowly the guest starts up; the appropriate value for one system may differ from another.
Alternatively, you can use the instructions in K11948: Configuring the BIG-IP system to run commands or scripts upon system startup :: https://support.f5.com/csp/article/K11948 to issue commands at system startup after verifying that mcpd is up and ready, e.g.:
#!/bin/bash
source /usr/lib/bigstart/bigip-ready-functions
wait_bigip_ready
# Customized startup command(s) can be added below this line.
touch /var/run/chmand.pid
# Customized startup command(s) should end above this line.
You may also request an Engineering Hotfix from F5.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4
968733-4 : CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
968421-5 : ASM attack signature doesn't match
Links to More Info: K30291321 , BT968421
Component: Application Security Manager
Symptoms:
A specific attack signature doesn't match as expected.
Conditions:
Undisclosed conditions.
Impact:
Attack signature does not match as expected, and the request is not logged.
Workaround:
N/A
Fix:
Attack signature now matches as expected.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2
967905-1 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash
Links to More Info: BT967905
Component: TMOS
Symptoms:
Tmm crashes.
Conditions:
-- static bwc
-- virtual to virtual chain
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the static bwc on a virtual chain.
Fix:
Fixed a tmm crash.
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
967745-4 : Last resort pool error for the modify command for Wide IP
Links to More Info: BT967745
Component: TMOS
Symptoms:
System reports error for the modify command for Wide IP.
01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.
Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.
Impact:
The object is not modified, and the system reports an error.
Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.
Append the command with last-resort-pool a <pool_name>, for example:
modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test
Fix:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.
Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1
965853-5 : IM package file hardening
Component: Protocol Inspection
Symptoms:
IM package file uploads do not follow current best practices.
Conditions:
- IM package file uploaded to BIG-IP
Impact:
IM package file uploads do not follow current best practices.
Workaround:
N/A
Fix:
IM package file uploads now follow current best practices.
Fixed Versions:
13.1.5
965485-1 : CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL
Links to More Info: K41523201
965229-4 : ASM Load hangs after upgrade
Links to More Info: BT965229
Component: Application Security Manager
Symptoms:
ASM upgrade hangs, and you see the following in /var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------
In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
info tsconfig.pl[24675]: ASM initial configration script launched
info tsconfig.pl[24675]: ASM initial configration script finished
info asm_start[25365]: ASM config loaded
err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------
Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade
Impact:
ASM post-upgrade config load hangs, and there are no logs or errors.
Workaround:
None
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1
964245-4 : ASM reports and enforces username always
Links to More Info: BT964245
Component: Application Security Manager
Symptoms:
When session tracking is enabled and configured to enforce usernames for a specific list of login URLs, the username which arrives in an Authorization header is being enforced even if the request to the URL with the Authorization is not configured at all as a login URL.
Conditions:
Session tracking is enabled for login URLs with the Username Threshold set to 1.
Impact:
Username from the Authorization appears with status = BLOCK-ALL in the session tracking status list, even though session tracking is not configured for that URL.
Workaround:
None
Fix:
The username from the Authorization header no longer appears with status = BLOCK-ALL in the session tracking status list.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4
963705-1 : Proxy ssl server response not forwarded
Links to More Info: BT963705
Component: Local Traffic Manager
Symptoms:
A server response may not be forwarded after TLS renegotiation.
Conditions:
-- Proxy ssl enabled
-- A server renegotiation occurs
Impact:
Server response may not be forwarded.
Fix:
Proxy SSL now forwards the server response after renegotiation.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1
962497-5 : BD crash after ICAP response
Links to More Info: BT962497
Component: Application Security Manager
Symptoms:
BD crashes when checking the ICAP job after an ICAP response.
Conditions:
BD is used with ICAP feature
Impact:
Traffic disrupted while BD restarts.
Workaround:
N/A
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
962433-2 : HTTP::retry for a HEAD request fails to create new connection
Links to More Info: BT962433
Component: Local Traffic Manager
Symptoms:
In case of a HEAD request, BIG-IP fails to set up a new connection to the server with the HTTP::retry iRule.
Conditions:
1.) Basic HTTP profile is configured on BIG-IP
2.) BIG-IP sends the HEAD request to the server and gets error response
3.) iRule with HTTP::retry is configured
4.) The system is using the default (non-debug) TMM version
Impact:
BIG-IP might send the retry HEAD request after the connection is closed; more specifically, after the server has sent a FIN, the retry is leaked on the network.
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4
962177-4 : Results of POLICY::names and POLICY::rules commands may be incorrect
Links to More Info: BT962177
Component: Local Traffic Manager
Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules return incorrect results.
Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.
Impact:
Traffic processing may not provide expected results.
Fix:
POLICY::names and POLICY::rules now provide atomic results per transaction over the same connection.
Fixed Versions:
13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2
960749-4 : TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic
Links to More Info: BT960749
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes, dumps a core file, and restarts.
Conditions:
-- The configuration includes one or more 'DNS Cache' or 'Network DNS Resolver' objects.
-- The DNS Cache or Network DNS Resolver objects receive traffic.
Impact:
Traffic disrupted while tmm restarts. A redundant unit will fail over.
Fix:
TMM no longer crashes when 'DNS Cache' or 'Network DNS Resolver' objects handle traffic.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
960437-4 : The BIG-IP system may initially fail to resolve some DNS queries
Links to More Info: BT960437
Component: Global Traffic Manager (DNS)
Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.
Subsequent queries for the same domain name, however, work as expected.
Only some domain names are affected.
Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.
- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).
- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.
Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure is returned to the client.
In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.
For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.
Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.
1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6'
4. Select Update.
You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.
Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
958093-1 : IPv6 routes missing after BGP graceful restart
Links to More Info: BT958093
Component: TMOS
Symptoms:
When BGP graceful restart is configured for peers in the IPv4 unicast and IPv6 unicast address families, after a graceful restart for both the IPv4 and IPv6 address families, routes from the IPv6 unicast address family might be missing.
Conditions:
- Different BGP peers configured in IPv4 unicast and IPv6 unicast address families.
- BGP graceful restart happens for both IPv4 unicast and IPv6 unicast.
Impact:
Routes from IPv6 peers are missing. They are also not present in the RIB.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1
957905-4 : SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP.
Links to More Info: BT957905
Component: Service Provider
Symptoms:
SIP Requests that don't contain a content_length header are accepted and forwarded by the BIG-IP to the server.
SIP Responses that don't contain a content_length header are accepted and forwarded to the client.
The sipmsg parser does not treat the content_length header as a required header of the SIP Request / Response.
Conditions:
SIP request / response without content_length header.
Impact:
RFC 6731 non-compliance.
Workaround:
N/A
Fix:
BIG-IP now aborts the connection of any TCP SIP request / response that does not contain a content_length header.
The content_length header is treated as optional for UDP and SCTP.
Fixed Versions:
13.1.5
957897-3 : Unable to modify gateway-ICMP monitor fields in the GUI
Links to More Info: BT957897
Component: TMOS
Symptoms:
While modifying a gateway-ICMP monitor you see the following error:
01070374:3: Cannot modify the address type of monitor /Common/<monitor_name>.
Conditions:
-- Using the GUI to modify a Gateway-ICMP monitor field.
-- The monitor is attached to a pool that has one or more pool members.
Impact:
You cannot update the Gateway-ICMP monitor fields via the GUI.
Workaround:
Use the tmsh command:
tmsh modify ltm monitor gateway-icmp <monitor_name> [<field> <new_value>]
For example, to update the description of a monitor named gw_icmp, use the following command:
modify ltm monitor gateway-icmp gw_icmp description new_description
Fix:
You can now update the Gateway-ICMP monitor fields via the GUI.
Fixed Versions:
13.1.5
956937 : Duplicate Attack signature sets in policy containing server technologies
Component: Application Security Manager
Symptoms:
When creating a new security policy, choosing a server technology for the policy causes duplicate signature sets to be created.
Conditions:
-- Create a new security policy using a server technology
-- Create another security policy using the same server technology
Impact:
Duplicate signature sets are created.
Workaround:
You can repair the policy by navigating to “Security ›› Application Security : Policy Building : Learning and Blocking Settings”, clicking on “change”, and choosing the original created sets instead of the duplicated sets. Save, and then apply the policy. The duplicated sets can be deleted after that.
Fixed Versions:
13.1.5
956589-4 : The tmrouted daemon restarts and produces a core file
Links to More Info: BT956589
Component: TMOS
Symptoms:
The tmrouted daemon restarts and produces a core file.
Conditions:
The exact trigger is unknown, but the issue was seen on a chassis setup during a blade failover.
Impact:
Traffic disrupted while tmrouted restarts.
Workaround:
None
Fix:
The tmrouted daemon should not restart during a blade reset.
Fixed Versions:
13.1.5, 15.1.2.1
955617-5 : Cannot modify properties of a monitor that is already in use by a pool
Links to More Info: BT955617
Component: Local Traffic Manager
Symptoms:
Modifying monitor properties gives an error if the monitor is attached to a pool with a node or pool member instance:
0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor
Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.
Impact:
Monitor properties can't be modified if they are in use by a pool.
Workaround:
Remove monitor, modify it, and then add it back.
Fixed Versions:
13.1.5
955017-5 : Excessive CPU consumption by asm_config_event_handler
Links to More Info: BT955017
Component: Application Security Manager
Symptoms:
Asm_config_event_handler consumes a lot of CPU while processing signatures after a sync.
Conditions:
This is encountered during a UCS load, or by a high availability (HA) configuration sync.
Impact:
Asm_config_server_rpc_handler.pl consumes excessive CPU and takes an exceedingly long time to complete.
Workaround:
Disable the signature staging action item for all policies.
Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2
953845-5 : After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart
Links to More Info: BT953845
Component: Local Traffic Manager
Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.
This can occur when using administrative commands such as:
-- tmsh run util fips-util init
-- fipsutil init
-- tmsh run util fips-util loginreset -r
-- fipsutil loginreset -r
Conditions:
-- Using the following platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
+ vCMP guest on i5820-DF / i7820-DF
+ vCMP guest on 10350v-F
Impact:
BIG-IP is unable to communicate with the onboard HSM.
Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.
Immediately before doing this:
-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:
sys fipsuser f5cu {
password $M$Et$b3R0ZXJzCg==
}
Fix:
Fixed an issue with re-initializing the onboard FIPS HSM.
Fixed Versions:
12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
953729-4 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990
953677-4 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
951257-2 : FTP active data channels are not established
Component: Local Traffic Manager
Symptoms:
Under certain conditions FTP active data channels may not be established as expected.
Conditions:
-- The FTP profile has "allow-active-mode" enabled and "port" set to a non-zero value.
Impact:
FTP transfers with active data channels are not processed as expected.
Workaround:
- Disable 'active' FTP and only use passive FTP or
- Use a custom FTP profile with port set to '0' on FTP virtual servers.
Fix:
FTP active data channels are now established as expected.
Fixed Versions:
13.1.5
951033-1 : Virtual server resets all the connections for rstcause 'VIP disabled (administrative)'
Links to More Info: BT951033
Component: Local Traffic Manager
Symptoms:
Virtual server resets all the connections for rstcause 'VIP disabled (administrative)', after all the conditions are met.
Once it happens, the virtual server starts resetting all the incoming connections for rstcause 'VIP disabled (administrative)'. This continues even after the connection limit is deactivated.
Conditions:
-- There is at least one pool member that is DISABLED.
-- Other pool members have a connection limit configured.
-- A configuration change occurs while the connection limit is activated, and the change lowers the connection limit value, for example, the value is changed from 10 to 5.
Impact:
A virtual server continues resetting new connections.
Workaround:
Use Forced offline instead of disabled to prevent this issue.
Fix:
The BIG-IP system no longer continually resets new connections when the connection limit is lowered while it is being enforced.
Fixed Versions:
13.1.3.5, 14.1.3.1
950917-3 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034
Links to More Info: BT950917
Component: Application Security Manager
Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:
01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )
Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.
Impact:
Apply policy fails.
Workaround:
You can use any of the following workarounds:
-- Install an older signature update -SignatureFile_20200917_175034
-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.
-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4
950077-4 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
949889-1 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()
949593-1 : Unable to load config if AVR widgets were created under '[All]' partition
Links to More Info: BT949593
Component: Application Visibility and Reporting
Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.
Conditions:
This occurs if one or more AVR widgets in the configuration was created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.
Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.
Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':
# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config
This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.
Fix:
It is now possible to successfully upgrade from or load a configuration containing one or more AVR widgets created under the read-only '\[All]' pseudo-partition or under other non-existent partitions. With the current fix, these partitions are changed to "Common" during upgrade.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
949145-3 : Improve TCP's response to partial ACKs during loss recovery
Links to More Info: BT949145
Component: Local Traffic Manager
Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.
Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.
Impact:
The bursty retransmissions may lead to more data getting lost due to the large amount of data being injected into the network.
Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.
Fix:
Partial ACK handling during loss recovery is improved.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
948573-3 : Wr_urldbd list of valid TLDs needs to be updated
Links to More Info: BT948573
Component: Traffic Classification Engine
Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.
Conditions:
New TLD is being queried
Impact:
The URL query with new TLDs cannot be blocked with a custom feed list.
Custom, Webroot, and Cloud return the Unknown category.
Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
948113-5 : User-defined report scheduling fails
Links to More Info: BT948113
Component: Application Visibility and Reporting
Symptoms:
A scheduled report fails to be sent.
An error message with the following format may appear on /var/log/avr/monpd.log file (some parts of the error message were replaced with '.....' in here to leave only the common parts):
DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
Because : Unknown column ....... in 'order clause'
Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report
Impact:
Internal error for AVR report for ASM pre-defined.
Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr
Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});
The above can be achieved with the following script-line (please first backup the Client.pm file and then verify it changed it correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
Lastly, remount /usr back to read-only:
mount -o remount,ro /usr
Fix:
The 'sort-by' measure is now used when building the PDF (instead of the first value in the measure list).
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
947529-3 : Security tab in virtual server menu renders slowly
Links to More Info: BT947529
Component: TMOS
Symptoms:
When a large number of virtual servers use the same ASM policy from a manually-created LTM Traffic policy, the Security tab of the virtual server takes a long time to load.
Conditions:
Large number of virtual servers using the same ASM policy
Impact:
Loading the Security tab of a virtual server takes a long time.
Workaround:
N/A
Fix:
The Security tab of a virtual server now loads quickly.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1
946325-4 : PEM subscriber GUI hardening
Component: Policy Enforcement Manager
Symptoms:
The PEM subscriber GUI does not follow current best practices.
Conditions:
- Authenticated administrative user
- PEM GUI request
Impact:
PEM subscriber GUI does not follow current best practices.
Workaround:
N/A
Fix:
PEM subscriber GUI now follows current best practices.
Fixed Versions:
13.1.5
946081-4 : Getcrc tool help displays directory structure instead of version
Links to More Info: BT946081
Component: Application Security Manager
Symptoms:
When the getcrc tool displays help to the end user, it shows a directory structure instead of the version.
Conditions:
Displaying help in getcrc utility.
Impact:
Version information is not displayed.
Fix:
Getcrc utility help now displays version information.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
944441-4 : BD_XML logs memory usage at TS_DEBUG level
Links to More Info: BT944441
Component: Application Security Manager
Symptoms:
There are two messages in BD_XML logs that the system reports at the TS_DEBUG log level, but they should be logged as TS_INFO.
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1687|after create of profile 754. (xml memory 5111702493 bytes)
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1586|add profile 755. name: /ws/replanifierIntervention_V1-0 is soap? 1 (xml memory before add 5111702493 bytes)
Conditions:
These messages can occur when XML/JSON profiles are configured.
Impact:
Messages that should be logged at the TS_INFO level are logged at the TS_DEBUG level. These are informational log messages.
Workaround:
None
Fix:
The relevant two BD_XML logs are now categorized as TS_INFO.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
944121-2 : Missing SNI information when using non-default domain https monitor running in TMM mode.
Links to More Info: BT944121
Component: In-tmm monitors
Symptoms:
In-TMM https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members.
In-TMM monitors do not send any packet when TLS1.3 monitor is used.
Conditions:
-- SNI is configured in serverssl profile
-- serverssl profile is assigned to in-tmm https monitors
-- https monitors are monitoring pool members that are in a non-default route domain.
-- Another condition: a TLS1.3 monitor is used.
Impact:
The TLS connection might fail in the SNI case.
No SYN packet is sent in the case of a TLS1.3 monitor.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
13.1.5
943913-5 : ASM attack signature does not match
Links to More Info: K30150004 , BT943913
Component: Application Security Manager
Symptoms:
When processing certain traffic, ASM attack signatures may not match as intended.
Conditions:
- ASM enabled
- Undisclosed attack signature variation
Impact:
ASM attack signature does not match or trigger further processing.
Workaround:
N/A
Fix:
ASM now processes traffic as expected.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2
943889 : Reopening the publisher after a failed publishing attempt
Links to More Info: BT943889
Component: Fraud Protection Services
Symptoms:
TMM crashes repeatedly on SIGSEGV.
Conditions:
This can occur after an HSL disconnect and reconnect.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system publishes data to HSL publisher on a second attempt successfully (after a reconnect).
Fixed Versions:
13.1.3.5, 14.1.4
941853-3 : Logging Profiles do not disassociate from virtual server when multiple changes are made
Links to More Info: BT941853
Component: Application Security Manager
Symptoms:
When multiple Logging Profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.
Conditions:
Multiple Logging Profile changes are made in a single update.
Impact:
The previous Logging Profiles are not disassociated from the virtual server.
Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
941621-4 : Brute Force breaks server's Post-Redirect-Get flow
Links to More Info: K91414704 , BT941621
Component: Application Security Manager
Symptoms:
Brute Force breaks server's Post-Redirect-Get flow
Conditions:
ASM policy is attached to VS
Brute force protection is enabled.
CSI challenge or Captcha are in use.
Server implements Post-Redirect-Get flow.
Impact:
Brute Force breaks server's Post-Redirect-Get flow
Workaround:
None
Fix:
The PRG (Post-Redirect-Get) mechanism is now supported in brute force mitigations.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.1
941257-3 : Occasional Nitrox3 ZIP engine hang
Links to More Info: BT941257
Component: Local Traffic Manager
Symptoms:
Occasionally the Nitrox3 ZIP engine hangs.
In /var/log/ltm:
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.
Conditions:
BIG-IP appliance that uses the Nitrox 3 hardware compression chip: 5xxx, 7xxx, 12250 and B2250.
You can check if your platform has the nitrox3 by running the following command:
tmctl -w 200 compress -s provider
provider
--------
bzip2
lzo
nitrox3 <--------
zlib
Impact:
The Nitrox3 hardware compression system becomes unavailable and the compression mode switches to software compression. This can lead to high CPU usage.
Workaround:
Disable HTTP compression.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4
941249-1 : Improvement to getcrc tool to print cookie names when cookie attributes are involved
Links to More Info: BT941249
Component: Application Security Manager
Symptoms:
The getcrc tool provides an incorrect ASM cookie name when the path and/or domain cookie attributes are present in the response from the server.
Conditions:
This is applicable when the domain and path cookie attributes are present in the response from the server.
Impact:
The displayed ASM cookie name is incorrect.
Workaround:
None
Fix:
More options are added to the getcrc tool so that it caters for path and/or domain cookie attributes.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
941089-4 : TMM core when using Multipath TCP
Links to More Info: BT941089
Component: Local Traffic Manager
Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2
940897-4 : Violations are detected for incorrect parameter when "Maximum Array/Object Elements" is reached
Links to More Info: BT940897
Component: Application Security Manager
Symptoms:
False positive violations are detected for an incorrect parameter when "Maximum Array/Object Elements" is reached and "Parse Parameter" is enabled.
Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.
Impact:
False positives detected, such as "Illegal meta character in value" violation and attack signature for incorrect context.
Workaround:
N/A
Fix:
False positives are no longer reported.
Fixed Versions:
12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
940401-4 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'
Links to More Info: BT940401
Component: Fraud Protection Services
Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.
Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.
Impact:
The GUI misleadingly indicates that iOS jailbreak detection is supported, which it is not.
Workaround:
None.
Fix:
Section now reads 'Rooting Detection'.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
940249-4 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached
Links to More Info: BT940249
Component: Application Security Manager
Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, all sensitive data after the last allowed element is left unmasked.
Conditions:
A JSON profile is defined, "JSON data does not comply with format settings" is set to blocking, and "Maximum Array/Object Elements" is set to the desired value.
Impact:
Sensitive data after the last allowed element is not masked.
Fix:
Now the values are masked.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
940021-1 : Syslog-ng hang may lead to unexpected reboot
Links to More Info: BT940021
Component: TMOS
Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to an unexpected reboot.
The BIG-IP may unexpectedly reboot after a host watchdog timeout when syslog-ng hangs.
Logs via syslog-ng are no longer written, though logging that does not go through syslog-ng continues unaffected.
The hang begins at the time of the last 'Syslog connection broken' message in /var/log/messages before the reboot.
That message appears without a preceding 'Syslog connection established' message with the same timestamp immediately before it.
At this point syslog-ng typically spins, using near 100% CPU (the equivalent of one core, not all CPU capacity on the system).
The rest of the system typically appears fine, with adequate CPU and memory.
Hours or days later the performance graphs show a gap, usually of tens of minutes to hours, before the unexpected reboot.
Post-reboot logs (in /var/log/sel for iSeries platforms, or the ltm log otherwise) show that this was a host watchdog reboot.
After the reboot the system runs correctly, but if the remote syslog-ng server was invalid it remains invalid, so the condition can recur.
Conditions:
Invalid syslog-ng server configuration, or a broken connection from the BIG-IP toward the configured remote syslog-ng server.
A server is configured as a remote syslog destination on the BIG-IP, but it (or an intervening system) responds to the stream of log messages by breaking the connection, for example by sending ICMP port unreachable to the BIG-IP.
Syslog-ng logs the connection attempt and the break, usually within the same second, and repeats this every 60 seconds when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
The final entry is a broken-connection message only, usually one minute after the last established/broken pair:
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Impact:
Very rarely, syslog-ng hangs in a non-functional state. Sometimes this leads to an unexpected reboot of the BIG-IP. Logs are lost before the restart, and traffic is disrupted while the BIG-IP restarts.
Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable.
Fix:
Fixed an issue with syslog-ng hang occasionally causing a system restart.
This fix is not a complete fix. You will still need to remove unused syslog-ng servers from the BIG-IP configuration.
ID 1040277 tracks the remaining issue.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
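The following is an added example (not part of the release note) of detection logic for the signature described above, run over constructed sample lines in the same format as the messages quoted: it flags a 'Syslog connection broken' entry with no 'established' partner at the same timestamp, and counts the retry pairs per remote server so the invalid destinations the workaround refers to can be listed. The log lines and function names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of /var/log/messages lines following the pattern the
# release note describes: an established/broken pair every minute, then a
# final "broken" line with no "established" partner. Not real BIG-IP output.
SAMPLE_MESSAGES = """\
Nov 25 03:13:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:13:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
"""

# Matches the two syslog-ng connection messages quoted in the release note.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ syslog-ng\[\d+\]: "
    r"Syslog connection (?P<event>established|broken); .*?server='(?P<server>[^']+)'"
)


def parse_events(lines: List[str]) -> List[dict]:
    """Keep only syslog-ng connection established/broken events, in order."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]


def find_orphan_broken(lines: List[str]) -> List[dict]:
    """Return 'broken' events that are not immediately preceded by an
    'established' event for the same server with the same timestamp.
    An unreachable destination logs the two as a pair every 60 s; a lone
    'broken' is the signature of the hang."""
    orphans = []
    last: Dict[str, dict] = {}
    for ev in parse_events(lines):
        if ev["event"] == "broken":
            prev = last.get(ev["server"])
            paired = (prev is not None and prev["event"] == "established"
                      and prev["ts"] == ev["ts"])
            if not paired:
                orphans.append(ev)
        last[ev["server"]] = ev
    return orphans


def count_retry_pairs(lines: List[str]) -> Dict[str, int]:
    """Count established/broken pairs per remote server. Any destination that
    keeps appearing here is the 'invalid remote syslog server' the workaround
    says to fix or remove from the configuration."""
    counts: Dict[str, int] = {}
    last: Dict[str, dict] = {}
    for ev in parse_events(lines):
        prev = last.get(ev["server"])
        if (ev["event"] == "broken" and prev is not None
                and prev["event"] == "established" and prev["ts"] == ev["ts"]):
            counts[ev["server"]] = counts.get(ev["server"], 0) + 1
        last[ev["server"]] = ev
    return counts


if __name__ == "__main__":
    lines = SAMPLE_MESSAGES.splitlines()
    for ev in find_orphan_broken(lines):
        print(f"syslog-ng hang suspected at {ev['ts']} (server {ev['server']})")
    print("retry pairs per server:", count_retry_pairs(lines))
```

On a live system, feed the functions the lines of /var/log/messages (and the rotated copies) instead of SAMPLE_MESSAGES; a non-empty result from find_orphan_broken, together with syslog-ng at 100% of one core in top, is the condition the note describes, and the servers listed by count_retry_pairs are the destinations to validate or remove.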
939529-4 : Branch parameter not parsed properly when the topmost Via header is received with comma-separated values
Links to More Info: BT939529
Component: Service Provider
Symptoms:
MRF SIP in Load Balancing operation mode inserts a Via header into SIP request messages and removes it from the returned response message. The Via header carries encrypted routing information used to route the response. The SIP specification requires that the CANCEL for an INVITE carry the same branch parameter as the INVITE. The code that encrypts the branch field returns a different branch ID for the INVITE and the CANCEL.
Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.
Impact:
Some SIP clients verify the branch field in the Via header and expect it to be the same for the INVITE and its CANCEL. Because the branch received differs, these clients cannot identify the INVITE transaction being cancelled; when the CANCEL is received, the client responds with a 481 error:
SIP/2.0 481 Call/Transaction Does Not Exist.
Workaround:
Use an iRule to remove the topmost Via header and insert a new Via header that uses the same branch for the INVITE and CANCEL when sending messages to SIP clients.
Fix:
The BIG-IP system now ensures that the branch field inserted in the Via header is the same for INVITE and CANCEL messages.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
938233-4 : An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization
Links to More Info: K93231374
936557-4 : Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.
Links to More Info: BT936557
Component: Local Traffic Manager
Symptoms:
As the BIG-IP system attempts to open a TCP connection to a server-side object (e.g., a pool member), retransmissions of the initial SYN segment incorrectly use a non-zero acknowledgement number.
Conditions:
This issue occurs when the following conditions are true:
-- Standard TCP virtual server.
-- TCP profile with Verified Accept enabled.
-- Receipt of the client's ACK (as part of the client-side TCP 3-way handshake) is delayed. Due to Verified Accept being enabled, this delay causes the BIG-IP system to retransmit its SYN to the server until the client's ACK is received.
Impact:
Depending on the specific server implementation, or the security devices present on the BIG-IP system's server-side before the server, a SYN containing a non-zero acknowledgement number may be rejected. In turn, this may cause connections to fail to establish.
Workaround:
If compatible with your application and specific needs, you can work around this issue by disabling Verified Accept in the TCP profile.
Fix:
SYN segment retransmissions now correctly use 0 as the acknowledgement number.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1
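The following is an added example, not part of the release note, showing how to confirm the symptom in a server-side capture: a pure SYN (SYN set, ACK clear) whose acknowledgement number is non-zero. Rather than reading a pcap it builds constructed 20-byte TCP headers with struct; the CAPTURE list, the helper names and the port numbers are illustrative.

```python
import struct
from dataclasses import dataclass
from typing import List

# TCP control bits (low byte of the data-offset/flags word).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class TcpSegment:
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int,
                     window: int = 65535) -> bytes:
    """Build a 20-byte TCP header without options (checksum left as 0)."""
    data_offset = 5  # header length in 32-bit words
    off_flags = (data_offset << 12) | (flags & 0x01FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def parse_tcp_header(data: bytes) -> TcpSegment:
    """Decode the fixed part of a TCP header (ports, seq, ack, flags)."""
    if len(data) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", data[:14])
    return TcpSegment(sport, dport, seq, ack, off_flags & 0x01FF)


def is_malformed_syn(seg: TcpSegment) -> bool:
    """True for a pure SYN (SYN set, ACK clear) whose acknowledgement number
    is not zero. The ack field carries no meaning without the ACK bit, and
    strict hosts or security devices may drop such a SYN outright."""
    return bool(seg.flags & TCP_SYN) and not (seg.flags & TCP_ACK) and seg.ack != 0


def audit_syns(segments: List[bytes]) -> List[int]:
    """Return the indexes of segments showing the symptom from ID 936557."""
    return [i for i, raw in enumerate(segments)
            if is_malformed_syn(parse_tcp_header(raw))]


# Constructed server-side capture (not real traffic): the initial SYN, a
# retransmitted SYN that wrongly carries an ack number, and a SYN/ACK reply
# for comparison (ack is legitimately non-zero there because ACK is set).
CAPTURE = [
    build_tcp_header(40000, 80, seq=1000, ack=0, flags=TCP_SYN),
    build_tcp_header(40000, 80, seq=1000, ack=0x12345678, flags=TCP_SYN),
    build_tcp_header(80, 40000, seq=5000, ack=1001, flags=TCP_SYN | TCP_ACK),
]

if __name__ == "__main__":
    for i in audit_syns(CAPTURE):
        seg = parse_tcp_header(CAPTURE[i])
        print(f"segment {i}: SYN with non-zero ack 0x{seg.ack:08x} "
              f"({seg.sport}->{seg.dport}); expect rejection by strict peers")
```

To apply this to a real tcpdump taken on the BIG-IP's server-side VLAN, strip the link-layer and IP headers and pass the TCP bytes of each segment to audit_syns; the equivalent one-line filter in tcpdump syntax is 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and tcp[8:4] != 0'.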
935593-2 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite
Links to More Info: BT935593
Component: Local Traffic Manager
Symptoms:
A FastL4 profile with the TCP timestamp rewrite option enabled does not handle retransmitted SYNs correctly.
Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.
Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.
Workaround:
Do not use TCP timestamp rewrite.
Fixed Versions:
13.1.5, 14.1.3.1, 15.1.2, 16.0.1.1
935293-1 : 'Detected Violation' Field for event logs not showing
Links to More Info: BT935293
Component: Application Security Manager
Symptoms:
The violation is missing, or its details are not populated, on the event log page when a POST request with a large number of parameters is sent to the BIG-IP system.
Conditions:
-- A large POST request with lots of parameters is sent to BIG-IP system.
-- 'Learn New Parameters' is enabled.
Impact:
You cannot see the violation details.
Workaround:
Disable parameter learning.
Note: This happens only with a large number of parameters. Usually it works as expected.
Fix:
The event log now reserves space for violation details.
Fixed Versions:
13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
933777-3 : Context use and syntax changes clarification
Links to More Info: BT933777
Component: Application Visibility and Reporting
Symptoms:
There are two context and syntax-related issues:
-- In v14.x, the context for tmsh analytics commands related to server side connections changed. For example, 'total-server-side-conns' became a simple 'server-side-conns'.
-- In v13.x and 14.x, the calculation method for 'max-tps' changed from cumulative to commutative.
Conditions:
This occurs in either of the following scenarios:
-- Using tmsh analytics commands related to max-tps in v13.x or later.
-- Using tmsh analytics commands related to server side connections in BIG-IP v14.x and later.
Impact:
Stats names do not reflect their actual values. The 'max-tps' value is no longer valid for client IP context. These changes might have varied impacts, depending on your configuration.
Workaround:
None
Fix:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).
-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.
Behavior Change:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).
-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.
Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
933461-2 : BGP multi-path candidate selection does not work properly in all cases.
Links to More Info: BT933461
Component: TMOS
Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.
Conditions:
An inbound route-map exists that modifies a route's path selection attribute.
Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.
Workaround:
None.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
932485-1 : Incorrect sum(hits_count) value in aggregate tables
Links to More Info: BT932485
Component: Application Visibility and Reporting
Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.
Conditions:
-- Insert a very large amount of data (approximately 4.5 billion rows or more) into one of the AVR tables.
-- Review the value of the sum(hits_count) column.
Impact:
The system reports incorrect values in AVR tables when dealing with large numbers.
Workaround:
None.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
932137-3 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade
Links to More Info: BT932137
Component: Application Visibility and Reporting
Symptoms:
After upgrade, AFM statistics show non-relevant data.
Conditions:
-- BIG-IP system upgrade.
-- Leftover files from other versions remain in the /shared/avr_afm partition.
Impact:
Non-relevant data is shown in AFM statistics.
Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
932133-4 : Payloads with large number of elements in XML take a lot of time to process
Links to More Info: BT932133
Component: Application Security Manager
Symptoms:
ASM experiences high CPU usage and latency while processing a large XML request.
Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.
Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.
Workaround:
None
Fix:
This fix includes performance improvements for large XML payloads.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
931677-3 : IPv6 hardening
Component: Local Traffic Manager
Symptoms:
Under certain conditions, handling of IPv6 traffic to BIG-IP owned addresses (e.g., self IPs) does not follow current best practices.
Conditions:
-- IPv6 strict compliance is enabled (tmsh modify sys db ipv6.strictcompliance value true)
-- IPv6 traffic to BIG-IP owned addresses
Impact:
Handling of IPv6 traffic does not follow current best practices.
Workaround:
Disable IPv6 strict compliance with the command:
tmsh modify sys db ipv6.strictcompliance value false
Fix:
BIG-IP now handles IPv6 traffic in compliance with current best practices.
Fixed Versions:
13.1.5
930741-4 : Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot
Links to More Info: BT930741
Component: TMOS
Symptoms:
If there is a truncated BIG-IP software image in /shared/images, a kernel lockup and reboot could occur.
One way to end up with a truncated image in /shared/images is to upload the image using iControl/SOAP. SOAP uploads the image in chunks, so until the last chunk arrives the file in /shared/images is incomplete (truncated).
Conditions:
-- Truncated BIG-IP image in /shared/images
-- Using SOAP to upload the image.
Impact:
Traffic disruption caused by the reboot.
Workaround:
If you are using SOAP to upload BIG-IP software images, upload them to /shared first and then move them to /shared/images.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2
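As an added example (not part of the release note and not F5 tooling), the following Python mirrors the workaround and adds the integrity check a practitioner would want before the move: the image is staged outside /shared/images and moved in only once its MD5 matches the sidecar digest, so a partial upload never lands there. The md5sum-style sidecar layout, the file names and the demo paths are assumptions; the demo payload is random bytes, not a BIG-IP ISO.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Tuple


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through MD5 (images are large; do not read them whole)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def read_expected_md5(md5_path: str) -> str:
    """Assumed sidecar layout: md5sum style, '<hex digest>  <filename>'."""
    with open(md5_path, "r") as fh:
        return fh.read().split()[0].lower()


def verified_install(image_path: str, md5_path: str, images_dir: str) -> bool:
    """Move the image into images_dir only after its digest matches the
    sidecar, so a truncated or still-uploading file never reaches the
    directory where the kernel lockup described above is triggered."""
    if md5_of_file(image_path) != read_expected_md5(md5_path):
        return False
    shutil.move(image_path, os.path.join(images_dir, os.path.basename(image_path)))
    return True


def demo() -> Tuple[bool, bool]:
    """Constructed end-to-end run in a temp directory: a complete fake image
    passes and is moved; a copy truncated to half its size (simulating an
    incomplete chunked upload) is refused and left in the staging area."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = os.path.join(tmp, "shared")
        images = os.path.join(tmp, "images")
        os.makedirs(staging)
        os.makedirs(images)
        payload = os.urandom(256 * 1024)
        full = os.path.join(staging, "BIGIP-demo.iso")
        with open(full, "wb") as fh:
            fh.write(payload)
        md5_path = full + ".md5"
        with open(md5_path, "w") as fh:
            fh.write(f"{hashlib.md5(payload).hexdigest()}  BIGIP-demo.iso\n")
        truncated = os.path.join(staging, "BIGIP-demo-partial.iso")
        with open(truncated, "wb") as fh:
            fh.write(payload[: len(payload) // 2])
        full_ok = verified_install(full, md5_path, images)
        partial_ok = verified_install(truncated, md5_path, images)
        moved = os.path.exists(os.path.join(images, "BIGIP-demo.iso"))
        return full_ok and moved, partial_ok


if __name__ == "__main__":
    print("complete image accepted, truncated refused:", demo())
```

The digest check only guards against truncation and corruption: a sidecar that travelled with the file says nothing about who produced it, so for authenticity also verify whatever signature the vendor publishes for the image before installing it.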
929001-5 : ASM form handling improvements
Links to More Info: K48321015 , BT929001
Component: Application Security Manager
Symptoms:
Under certain conditions, the ASM form handler may not enforce as expected.
Conditions:
- Brute force protection is configured
Impact:
Enforcement not triggered as expected.
Workaround:
N/A
Fix:
ASM now processes forms as expected.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
928685-4 : ASM Brute Force mitigation not triggered as expected
Links to More Info: K49549213 , BT928685
Component: Application Security Manager
Symptoms:
Under certain conditions the Brute Force mitigation will not be triggered.
Conditions:
- ASM enabled
- Brute Force mitigation enabled
Impact:
Brute Force mitigation is not triggered as expected.
Workaround:
The following iRule looks for a problem with the Authorization header and raises a custom violation when one is found:
when ASM_REQUEST_DONE {
    if { [catch { HTTP::username }] } {
        log local0. "ERROR: bad username"
        ASM::raise bad_auth_header_custom_violation
    }
}
Note: bad_auth_header_custom_violation is a user-defined violation. It must be defined in the security policy's violation list, and the policy must have ASM iRule event triggering enabled, before ASM::raise can raise it.
Fix:
Brute Force mitigation is now triggered as expected.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
927993-5 : Built-in SSL Orchestrator RPM installation failure
Links to More Info: K97501254 , BT927993
Component: SSL Orchestrator
Symptoms:
Attempting to install the built-in SSL Orchestrator RPM results in the following error:
Failed to load IApp artifacts from f5-iappslx-ssl-orchestrator: java.lang.IllegalStateException: Failed to post templates to block collection.
Conditions:
In the BIG-IP TMUI, the BIG-IP administrator navigates to the SSL Orchestrator Configuration page. This would automatically invoke the installation of the built-in SSL Orchestrator RPM, resulting in the failure.
Impact:
The built-in SSL Orchestrator RPM is not installed and SSL Orchestrator management is not possible.
Workaround:
Step 1. Run the following commands in the BIG-IP command line:
# Get ID for f5-ssl-orchestrator-dg-data:
id1=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-data") | .id')
# Get ID for f5-ssl-orchestrator-dg-template:
id2=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-template") | .id')
# Temporarily unlink the "f5-ssl-orchestrator-dg-data" (id1) dependency on "f5-ssl-orchestrator-dg-template" (id2).
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id1
# Remove all SSL Orchestrator block templates.
restcurl shared/iapp/blocks | jq -r '.items[] | select(.state == "TEMPLATE") | select(.name | startswith("f5-ssl-orchestrator")) | .id' | for x in $(cat) ; do restcurl -X DELETE shared/iapp/blocks/$x; done
# Remove the SSL Orchestrator RPM installation references (if any).
restcurl -X DELETE shared/iapp/global-installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
restcurl -X DELETE shared/iapp/installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
---
Step 2. Use the BIG-IP TMUI:
Log in to the TMUI and navigate to SSL Orchestrator > Configuration. This would refresh the related page and install the SSL Orchestrator RPM. Wait for the SSL Orchestrator configuration page to complete loading.
---
Step 3. Run the following commands in the BIG-IP command line:
# Restore the "f5-ssl-orchestrator-dg-data" dependency on "f5-ssl-orchestrator-dg-template".
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id2
---
Step 4. Use the BIG-IP TMUI:
Refresh the SSL Orchestrator > Configuration page.
Fix:
The built-in SSL Orchestrator RPM now installs successfully.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3, 14.1.4, 15.1.2, 16.0.1.1
927941-2 : IPv6 static route BFD does not come up after OAMD restart
Links to More Info: BT927941
Component: TMOS
Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"
Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.
Impact:
BFD session is not shown in 'show bfd session'.
Workaround:
Restart tmrouted:
bigstart restart tmrouted
Fix:
IPv6 static route BFD session now comes up after restarting the oamd process.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
927617-4 : 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value
Links to More Info: BT927617
Component: Application Security Manager
Symptoms:
A valid request that should be passed to the backend server is blocked.
Conditions:
-- A cookie name is defined in Security :: Application Security : Headers : Cookies List :: New Cookie, with Base64 Decoding enabled.
-- The request's Cookie header contains that cookie with a valid base64-encoded value.
Impact:
A request is blocked that should not be.
Workaround:
Disable 'Base64 Decoding' for the desired cookie.
Fix:
Requests whose cookies carry valid base64-encoded values are now correctly passed by the enforcer.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
926929-1 : RFC Compliance Enforcement lacks configuration availability
Links to More Info: BT926929
Component: Local Traffic Manager
Symptoms:
Earlier versions contained fixes that enforce several RFC compliance items for HTTP request and response processing by BIG-IP systems. Enforcement for some of these items is unavoidable, but might cause issues for certain applications.
Conditions:
The configuration has a virtual server with an HTTP profile.
Impact:
Some applications that require certain constructions after a header name may not function.
Workaround:
None
Fix:
A configuration item has been introduced to manage RFC-compliance options.
In releases 13.1.4, 14.1.4, 15.1.2.1 and 16.0.1.2 and in subsequent releases in those families, a global flag is used to control the enforcement:
sys db tmm.http.rfc.allowwsheadername
The possible values are "enabled" and "disabled"; the default is "enabled".
In release 16.1.0 and subsequent releases, there are two per-profile options; these have been added to the Configuration Utility's configuration page for HTTP profiles, in the 'Enforcement' section:
-- Enforce RFC Compliance
-- Allow Space Header Name
The following sample output shows how the RFC-compliance and whitespace-enforcement settings might appear in tmsh, if enabled:
(tmos)# list ltm profile http http-wsheader
ltm profile http http-wsheader {
app-service none
defaults-from http
enforcement {
allow-ws-header-name enabled
rfc-compliance enabled
}
proxy-type reverse
}
Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.2
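To make the enforcement concrete, the following is an added example (not F5 code) of the header-name check the option governs, under the assumption that 'Allow Space Header Name' concerns whitespace between a field name and the colon, which RFC 7230 section 3.2.4 forbids. The sample header blocks, the HeaderError type and the function names are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# RFC 7230 "tchar" set; a field-name is one or more of these characters.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderError(ValueError):
    """Raised when a header block violates the enforced RFC rules."""


def parse_header_block(raw: bytes, allow_ws_header_name: bool = False) -> Dict[str, List[str]]:
    """Parse CRLF-delimited header lines (request line already removed).

    With allow_ws_header_name=False (the enforcing default) a line such as
    b'Content-Length : 0' is rejected: RFC 7230 section 3.2.4 forbids
    whitespace between the field-name and the colon, because front-end and
    back-end parsers that disagree on it can be made to see different
    Content-Length or Transfer-Encoding values (request smuggling). With
    True, the trailing whitespace is stripped and the header accepted.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue  # blank line: end of headers
        if line[:1] in (b" ", b"\t"):
            raise HeaderError("obsolete line folding (obs-fold) is not accepted")
        name, sep, value = line.partition(b":")
        if not sep:
            raise HeaderError(f"missing colon in {line!r}")
        name_txt = name.decode("ascii", "replace")
        stripped = name_txt.rstrip(" \t")
        if stripped != name_txt and not allow_ws_header_name:
            raise HeaderError(f"whitespace between field-name and colon in {line!r}")
        if not TOKEN_RE.match(stripped):
            raise HeaderError(f"invalid field-name {stripped!r}")
        headers.setdefault(stripped.lower(), []).append(
            value.strip(b" \t").decode("latin-1"))
    return headers


def check_request(raw: bytes, allow_ws_header_name: bool = False) -> Tuple[bool, str]:
    """Accept/reject verdict with the reason (a 400-or-pass decision)."""
    try:
        parse_header_block(raw, allow_ws_header_name)
        return True, "ok"
    except HeaderError as exc:
        return False, str(exc)


# Constructed samples (not from the page).
CLEAN = b"Host: example.test\r\nContent-Length: 0\r\n\r\n"
SPACE_BEFORE_COLON = b"Host: example.test\r\nContent-Length : 0\r\n\r\n"
OBS_FOLD = b"Host: example.test\r\n continued\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN),
                          ("space-before-colon", SPACE_BEFORE_COLON),
                          ("obs-fold", OBS_FOLD)]:
        print(label, "enforced:", check_request(sample),
              "allowed:", check_request(sample, True))
```

The practical caveat before flipping the db variable or the per-profile option to allow the whitespace: whatever sits behind the virtual server must parse such headers the same way the BIG-IP does, otherwise the relaxation reopens the parser-disagreement the RFC rule exists to close.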
926845-3 : Inactive ASM policies are deleted upon upgrade
Links to More Info: BT926845
Component: Application Security Manager
Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.
Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy
Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.
Workaround:
None.
Fixed Versions:
13.1.5
926341-4 : RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade
Links to More Info: BT926341
Component: Application Visibility and Reporting
Symptoms:
Unusually high AVR CPU utilization occurs following an upgrade.
Conditions:
-- BIG-IP software upgrade to v13.0.x or later.
-- Running AVR.
Impact:
AVR CPU utilization can be unusually high for an unusually long period of time.
Workaround:
After the upgrade, if AVR CPU usage is high, manually edit /etc/avr/avrd.cfg to increase the real-time statistics collection interval:
1. Change the value of RtIntervalSecs in /etc/avr/avrd.cfg to 30 or 60 seconds.
2. Restart the system services by running the following command at the command prompt:
bigstart restart
When changing RtIntervalSecs please take into consideration two important limitations:
-- Value of RtIntervalSecs cannot be less than 10.
-- Value of RtIntervalSecs must be 10 on BIG-IP devices that are registered on BIG-IQ DCD nodes.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4
924929 : Logging improvements for VDI plugin
Links to More Info: BT924929
Component: Access Policy Manager
Symptoms:
If the Virtual Desktop Interface (VDI) plugin aborts, the names of the events are not logged in the APM log file.
Conditions:
- Virtual Desktop Interface (VDI) configured
- The plugin encounters a problem and aborts
Impact:
Event names are not displayed in the APM log.
Workaround:
None.
Fix:
Event names, along with the exceptions, are now written to the APM log file.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
924493-5 : VMware EULA has been updated
Links to More Info: BT924493
Component: TMOS
Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.
Conditions:
The EULA is presented to the user when deploying an OVF template.
Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).
Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.
Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.
Fix:
The EULA presented in VMware was out of date and has been updated.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
922317-1 : Using the LSN::persistence_entry command in an iRule may cause crashes and/or stalled connections
Links to More Info: BT922317
Component: Local Traffic Manager
Symptoms:
-- Stalled serverside connections visible in connection table.
-- No traffic going out towards pool member.
-- Sometimes tmm crashes may occur.
Conditions:
The LSN::persistence_entry Tcl command is used inside of an iRule triggered by a serverside event, e.g., SERVER_CONNECTED.
Impact:
-- Traffic not reaching pool members.
-- System disruption while tmm restarts in case of crash.
Workaround:
Do not use the LSN::persistence_entry command in iRules triggered by serverside events.
Fix:
Traffic now reaches pool members, no stalled connections occur, and crashes are eliminated.
Fixed Versions:
12.1.6, 13.1.4
922297-4 : TMM does not start when using more than 11 interfaces with more than 11 vCPUs
Links to More Info: BT922297
Component: TMOS
Symptoms:
TMM may not start when using more than 11 network interfaces with more than 11 vCPUs configured.
You see the following log entries in /var/log/tmm:
-- notice ixlv(1.1)[0:5.0]: Waiting for tmm10 to reach state 1...
In the TMM log for that TMM, you can see that it is waiting for tmm0, e.g.:
-- notice ixlv(1.10)[0:6.0]: Waiting for tmm0 to reach state 2...
Conditions:
-- BIG-IP Virtual Edition (VE).
-- More than 11 interfaces configured.
-- More than 11 vCPUs configured.
Impact:
TMM does not start.
Workaround:
Configure fewer network interfaces or vCPUs.
Fix:
Fixed a TMM startup deadlock (TMM instances waiting on each other indefinitely) that occurs when there are more than 10 interfaces and more than 10 TMMs/vCPUs.
Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
922105-5 : Avrd core when connection to BIG-IQ data collection device is not available
Links to More Info: BT922105
Component: Application Visibility and Reporting
Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.
Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.
Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.
Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:
tmsh modify analytics global-settings use-offbox disabled
Fix:
Avrd no longer cores when the connection to the BIG-IQ data collection device is not available.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
921625-5 : The certs extend function does not work for GTM/DNS sync group
Links to More Info: BT921625
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', they cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged an SSL cert.
As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives the 'unknown ca' SSL error, and its peer GTM/DNS has already built a connection with that BIG-IP server, the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. Because of this issue, it cannot.
The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.
You might see messages similar to the following:
-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....
Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device, which results in that file being larger than 4000 bytes.
-- Configuration is as follows:
1. GTMDNS1 and GTMDNS2 are in a same GTM/DNS sync group.
2. GTMDNS1 has a self-authorized CA cert.
3. You add a BIG-IP server that is reachable but with which GTMDNS1 has not exchanged SSL certs.
Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.
Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
921549-7 : The gtmd process does not receive updates from local big3d.
Links to More Info: BT921549
Component: Global Traffic Manager (DNS)
Symptoms:
An oversized server.crt file on one GTM/DNS device prevents gtmd on the other devices in the same sync group from receiving updates from their local big3d.
Conditions:
One GTM/DNS device in the sync group has an oversized server.crt file (approximately 4000 bytes or larger) and sends a client cert direct message to the peer GTM/DNS devices.
Impact:
The gtmd process marks resources down unexpectedly and does not receive persist updates.
Workaround:
1. For each GTM/DNS device, use bigip_add to add all BIG-IP servers configured in bigip_gtm.conf file.
2. Restart each GTM/DNS that is affected.
Fixed Versions:
13.1.3.6
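IDs 921625 and 921549 above share one trigger: a server.crt on a GTM/DNS device that holds two or more certificates and is around 4000 bytes or larger. The following is an added example (not F5 tooling) of a check for that condition, which can be run on each device in the sync group before adding BIG-IP servers; the PEM blocks it generates for its own demonstration are placeholders shaped like certificates, not real ones, and the function names are constructed.

```python
import re
from typing import Dict, List

# One PEM certificate block; DOTALL so the base64 body spans lines.
CERT_BLOCK_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S)

SERVER_CRT = "/config/httpd/conf/ssl.crt/server.crt"
SIZE_LIMIT = 4000  # bytes; the threshold quoted in IDs 921625 and 921549


def inspect_server_crt(pem: bytes) -> Dict[str, object]:
    """Report size, certificate count and whether the file meets the
    two-or-more-certs-and-about-4000-bytes condition from the release note."""
    blocks: List[bytes] = CERT_BLOCK_RE.findall(pem)
    return {
        "bytes": len(pem),
        "certs": len(blocks),
        "cert_sizes": [len(b) for b in blocks],
        "at_risk": len(blocks) >= 2 and len(pem) >= SIZE_LIMIT,
    }


def inspect_file(path: str = SERVER_CRT) -> Dict[str, object]:
    """Run the check against the device's actual server.crt."""
    with open(path, "rb") as fh:
        return inspect_server_crt(fh.read())


def fake_pem_chain(n_certs: int, body_lines: int = 22) -> bytes:
    """Constructed stand-in for server.crt: PEM-shaped blocks with a dummy
    base64 body (not real certificates), used only to exercise the checker."""
    body = (b"A" * 64 + b"\n") * body_lines
    block = b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"
    return block * n_certs


if __name__ == "__main__":
    for n in (1, 3):
        print(n, "cert(s):", inspect_server_crt(fake_pem_chain(n)))
```

If inspect_file() reports at_risk on any device, the release note's workaround applies: run bigip_add on each GTM/DNS device for the configured BIG-IP servers and restart the affected devices, rather than waiting for the automatic cert exchange that this condition breaks.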
920265 : TMM may crash if a virtual server undergoes a series of specific configuration changes involving the transparent-nexthop option.
Links to More Info: BT920265
Component: Local Traffic Manager
Symptoms:
TMM crashes and produces a core dump.
Conditions:
This issue occurs when:
- You initially enable the transparent-nexthop setting on a virtual server.
- You then disable the option.
- You then disable auto-lasthop for the virtual server.
- The virtual server receives traffic.
Impact:
Traffic is impacted while TMM restarts.
Workaround:
There is no workaround that you can instantiate to prevent this issue. However, if you are aware that you have already performed the necessary configuration changes to cause this issue to occur, and TMM has not crashed yet, you can delete the virtual server and recreate it (with the intended/final configuration) to prevent the crash.
Fix:
TMM no longer crashes after modifying a virtual server as described under Conditions.
Fixed Versions:
13.1.4
920197-1 : Brute force mitigation can stop mitigating without a notification
Links to More Info: BT920197
Component: Application Security Manager
Symptoms:
A brute force attack coming from an entity (such as an IP address, etc.) may be stopped prematurely.
Conditions:
-- Many brute force attacks are happening at once, coming from many sources.
-- Distributed attack is not detected (due to configuration).
Impact:
At some point, an entity might not be mitigated due to the sheer number of mitigated entities. When this occurs, there is no notification.
Workaround:
None.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
919553-4 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.
Links to More Info: BT919553
Component: Global Traffic Manager (DNS)
Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.
Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).
Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.
Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.
Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
919317-2 : NSM consumes 100% CPU processing nexthops for recursive ECMP routes
Links to More Info: BT919317
Component: TMOS
Symptoms:
The NSM process might enter a state where it gets stuck at 100% CPU usage.
Conditions:
ECMP routes reachable via recursive nexthops.
Impact:
NSM is stuck at 100% CPU usage.
Workaround:
Avoid using ECMP routes reachable via recursive nexthops.
Fixed Versions:
13.1.5
919301-5 : GTP::ie count does not work with -message option
Links to More Info: BT919301
Component: Service Provider
Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:
wrong # args: should be "-type <ie-path>"
Conditions:
Issue the 'GTP::ie count' command with -message command, for example:
GTP::ie count -message $m -type apn
Impact:
The iRule fails, which can cause the connection to be aborted.
Workaround:
Swap the argument order by moving -message to the end, for example:
GTP::ie count -type apn -message $m
There is a warning message due to iRules validation, but the command works at runtime.
Fix:
'GTP::ie count' now works with the -message option.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1
919049 : Guest fails to come up when vCMP guest and host both run BIG-IP v13.1.3.3, assigning FIPS partition
Links to More Info: BT919049
Component: Local Traffic Manager
Symptoms:
The vCMP guest fails to come up.
Conditions:
-- Using i5820-DF, i7820-DF, or 10350v-F platforms.
-- Running BIG-IP software v13.1.3.3 on the hypervisor.
-- Once FIPS card is initialized on the hypervisor:
1. Create vCMP guest.
2. Assign FIPS partition (can be default PARTITION_1, or you can resize PARTITION_1 and create a different partition).
3. Change state of vCMP guest to 'deployed'.
Impact:
The vCMP guest fails to come up with an attached N3FIPS partition.
Note: This happens only when the host is running v13.1.3.3 and the vCMP guest tries to come up with v13.1.3.3.
Workaround:
None.
Fixed Versions:
13.1.4
918933-4 : The BIG-IP ASM system may not properly perform signature checks on cookies
Links to More Info: K88162221 , BT918933
Component: Application Security Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Impact:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Fix:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.2.8, 15.1.2, 16.0.1.1
918597-1 : Under certain conditions, deleting a topology record can result in a crash.
Links to More Info: BT918597
Component: Global Traffic Manager (DNS)
Symptoms:
During a topology load balancing decision, TMM can crash.
Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.
Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Topology record changes are now done in a way that prevents the possibility of TMM crashing when making load balancing decisions in which the record is used.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
918409-5 : BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures
Links to More Info: BT918409
Component: TMOS
Symptoms:
If a BIG-IP device has more than 24 tmm instances and one of the tmm processes above the 24th cpu loops (e.g., in response to an internal issue), it loops indefinitely.
Conditions:
-- BIG-IP i15600 / i15800 platforms.
-- Another issue occurs that causes a tmm process greater than the 24th tmm process to loop.
Impact:
Traffic disrupted on the tmm process that is looping indefinitely.
Workaround:
1. Manually change /defaults/daemon.conf to include the appropriate tmm number and respective heartbeat action if the supported tmm is not listed.
Note: The change does not persist across software installs.
a. mount -o remount,rw /usr
b. Edit /defaults/daemon.conf and put these contents at the top of the file:
sys daemon-ha tmm24 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
sys daemon-ha tmm25 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
sys daemon-ha tmm26 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
sys daemon-ha tmm27 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
c. mount -o remount,ro /usr
2. After performing the edit, load the changes into the running configuration via 'tmsh load sys config partitions all'.
3. Verify that sod is now correctly monitoring tmm instances above tmm24 using a command such as:
tmsh show sys ha-status all-properties | grep "daemon-heartbeat" | grep tmm
Fixed Versions:
13.1.5
918169-3 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.
Links to More Info: BT918169
Component: Global Traffic Manager (DNS)
Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in a HTTP response, causing the monitored service to be incorrectly marked down.
Conditions:
This issue occurs when all of the following conditions are true:
-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).
-- The server's HTTP response does not terminate with a newline.
Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.
Workaround:
This issue can be worked around by performing any one of the following actions:
-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.
-- Ensure the server's HTTP response ends with a newline.
Fix:
The GTM/DNS HTTPS monitor no longer fails when the SSL peer performs an unclean shutdown.
Fixed Versions:
13.1.3.6, 14.1.2.7, 15.1.2, 16.0.1.1
917005-3 : ISC BIND Vulnerability: CVE-2020-8619
Links to More Info: K19807532
915981-1 : BIG-IP SCP hardening
Component: TMOS
Symptoms:
Under certain conditions SCP does not follow current best practices.
Conditions:
- Authenticated high-privilege user
- SCP file transfer
Impact:
The BIG-IP system does not follow current best practices for filesystem protection.
Workaround:
N/A
Fix:
All filesystem protections now follow best practices.
Fixed Versions:
13.1.5
915825-5 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
Links to More Info: BT915825
Component: TMOS
Symptoms:
A configuration error occurs during upgrade because a Drafts folder associated with a custom partition still exists in the configuration file after the custom partition is deleted.
Configuration error: Can't associate folder (/User/Drafts) folder does not exist.
Conditions:
This occurs in the following scenario:
1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.
Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.
Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1
915689-5 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.
Links to More Info: BT915689
Component: Local Traffic Manager
Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already stored in the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.
Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.
Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.
Workaround:
None.
Fix:
HTTP/2 response headers now properly use the dynamic header table index when possible.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
915605-4 : Image install fails if iRulesLX is provisioned and /usr mounted read-write
Links to More Info: K56251674 , BT915605
Component: Local Traffic Manager
Symptoms:
If iRulesLX is provisioned, the /usr mount points are mounted read-write. This causes the installation of an image to fail.
tmsh show software status will report the status for the target volume as one of the following:
-- Could not access configuration source.
-- Unable to get hosting system product info.
Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.
Impact:
Unable to upgrade or more generally install an image on a new or existing volume.
Workaround:
Re-mount /usr as read-only:
mount -o remount,ro /usr
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
915305-2 : Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded
Links to More Info: BT915305
Component: TMOS
Symptoms:
Dynamic routing changes do not cause point-to-point tunnel flows to refresh their connection entries, so tunneled traffic is dropped/discarded.
Conditions:
The path to a remote tunnel endpoint is provided by dynamic routing.
Impact:
Tunneled traffic might be dropped/discarded by the BIG-IP system.
Workaround:
Use static routing to provide a path to the remote tunnel endpoint.
Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1
915281-6 : Do not rearm TCP Keep Alive timer under certain conditions
Links to More Info: BT915281
Component: Local Traffic Manager
Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.
Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.
Impact:
Continuous rearming results in consuming CPU resources unnecessarily.
Workaround:
None.
Fix:
Rearming of TCP Keep Alive timer is improved.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
914649-1 : Support USB redirection through VVC (VMware virtual channel) with BlastX
Links to More Info: BT914649
Component: Access Policy Manager
Symptoms:
USB is unavailable after opening VMware View Desktop.
Conditions:
1. Secure Tunnel disabled on VCS
2. Launch view virtual desktop via native view client from an APM webtop or from the View client
Impact:
USB is unavailable after opening VMware View Desktop
Workaround:
None.
Fix:
USB is now available after opening VMware View Desktop
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
913829-2 : i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence
Links to More Info: BT913829
Component: TMOS
Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic
Conditions:
Source ports used to connect to i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades form an arithmetic sequence.
For example, some client devices always use even source port numbers for the ephemeral connections they initiate. This means the 'stride' of the ports selected is '2': a sorted list of the ports looks like 2, 4, 6, 8 ... 32002, 32004, which 'strides' over the odd ports, giving a port stride of 2.
Impact:
Traffic imbalance may result in tmm threads on different CPU cores having imbalanced workloads. While this can sometimes impact performance, an overloaded tmm thread can usually redistribute load to less loaded threads in a way that does not impact performance. However, the loads on the CPU cores will still appear imbalanced.
Workaround:
Where possible, configure devices to draw from the largest possible pool of source ports when connecting via a BIG-IP system.
Behavior Change:
This release introduces a new variable to mitigate this issue:
dagv2.pu.table.size.multiplier.
You must set the variable to 2 or 3 on the host, and then restart tmm on all host blades and then on all guests to mitigate the issue.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
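To make the 'port stride' condition in 913829 concrete, here is an added Python check (not code from the release notes or from F5) that computes the stride of a captured set of client source ports and, with a deliberately simplified residue hash standing in for hash-based dispatch (not the BIG-IP DAG algorithm), shows why such a sequence leaves some dispatch buckets idle. The port list and the bucket count are constructed sample input.

```python
from collections import Counter
from functools import reduce
from math import gcd

# Constructed sample: a client that only uses even ephemeral source ports
# (stride 2), in the spirit of the "2, 4, 6, 8 ... 32002, 32004" example.
EVEN_PORTS = list(range(1024, 32006, 2))


def port_stride(ports):
    """Stride of the source-port sequence: the GCD of the gaps between
    consecutive distinct sorted ports. 1 means the client draws from the
    full range; 2 means every other port (e.g. all even ports) is used.
    Returns None when fewer than two distinct ports were seen."""
    distinct = sorted(set(ports))
    if len(distinct) < 2:
        return None
    gaps = [b - a for a, b in zip(distinct, distinct[1:])]
    return reduce(gcd, gaps)


def toy_bucket_load(ports, n_buckets):
    """Distribute ports over n_buckets with a plain residue hash (port mod n).
    This is a simplified stand-in for hash-based dispatch, NOT the BIG-IP
    DAG; it illustrates why a stride that shares a factor with the table
    size leaves buckets empty."""
    counts = Counter(p % n_buckets for p in ports)
    return [counts.get(i, 0) for i in range(n_buckets)]


def idle_buckets(ports, n_buckets):
    """Indices of buckets that receive no connections at all."""
    return [i for i, c in enumerate(toy_bucket_load(ports, n_buckets)) if c == 0]


def check_source_ports(ports, n_buckets=8):
    """Report whether a captured set of client source ports forms an
    arithmetic sequence with stride > 1 (the condition in this entry)."""
    stride = port_stride(ports)
    return {
        "stride": stride,
        "idle_buckets": idle_buckets(ports, n_buckets),
        "suspicious": stride is not None and stride > 1,
    }


if __name__ == "__main__":
    print(check_source_ports(EVEN_PORTS))
    print(check_source_ports(list(range(1024, 2048))))
```

Feed `check_source_ports` the source ports of a client population you have captured (for example from a connection table dump); a stride greater than 1 is the signal that the device behind them should be reconfigured to draw from the full ephemeral range, as the workaround advises.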
913441 : Tmm cores while doing Hitless Upgrade while there are active flows
Links to More Info: BT913441
Component: Traffic Classification Engine
Symptoms:
Tmm cores.
Conditions:
New flows are added to an existing library while a Hitless Upgrade is in progress.
Impact:
Tmm core while doing app detection for new flows. Traffic disrupted while tmm restarts.
Workaround:
Restrict addition of new flows if a Hitless Upgrade is in progress.
Fix:
New flows are no longer added to any of the classification engine's libraries while the Hitless Upgrade process is in progress.
Fixed Versions:
12.1.5.3, 13.1.3.5
913433-4 : On blade failure, some trunked egress traffic is dropped.
Links to More Info: BT913433
Component: TMOS
Symptoms:
When a blade fails, other blades may try to forward traffic using trunked interfaces on the down blade.
Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- A blade is pulled or powered off.
Impact:
Some traffic is dropped until the failed blade is detected by clusterd (10 seconds by default).
Workaround:
None.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
913413-5 : 'GTP::header extension count' iRule command returns 0
Links to More Info: BT913413
Component: Service Provider
Symptoms:
The 'GTP::header extension count' iRule command always returns 0 (zero).
Conditions:
This is encountered when using 'GTP::header extension count' in an iRule.
Impact:
The command returns incorrect information.
Workaround:
None
Fix:
The 'GTP::header extension count' command now returns the number of header extensions correctly.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1
913409-5 : GTP::header extension command may abort connection due to unreasonable TCL error
Links to More Info: BT913409
Component: Service Provider
Symptoms:
Running the "GTP::header extension" iRule command under some conditions may cause a TCL error and abort the connection.
Conditions:
The "GTP::header extension" iRule command is used with specific arguments and/or a specific condition of the GTP message.
Impact:
A TCL error is logged and the connection is aborted.
Workaround:
None
Fix:
The GTP::header extension command no longer aborts the connection due to an unreasonable TCL error.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1
913393-5 : Tmsh help page for GTP iRule contains incorrect and missing information
Links to More Info: BT913393
Component: Service Provider
Symptoms:
The tmsh help page for the GTP iRule commands contains incorrect and missing information for the GTP::header and GTP::respond commands.
Conditions:
When running "tmsh help ltm rule command GTP::header", information regarding the GTP::header and GTP::respond iRule commands may be incorrect or missing.
Impact:
Users may not be able to use the related iRule commands properly.
Workaround:
None
Fix:
The tmsh help page for the GTP iRule commands has been updated.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1
913085-5 : Avrd core when avrd process is stopped or restarted
Links to More Info: BT913085
Component: Application Visibility and Reporting
Symptoms:
When the avrd process is stopped or restarted, it crashes and produces a core file before exiting. A core file with a name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in the /shared/cores/ directory.
Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.
Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.
Workaround:
None.
Fix:
Avrd no longer cores when avrd process is stopped or restarted.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1
912517-5 : Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
Links to More Info: BT912517
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool member is configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.
Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
Fix:
Database monitor no longer marks pool member down if 'send' is configured but no 'receive' strings are configured.
Fixed Versions:
13.1.5
912289-4 : Cannot roll back after upgrading on certain platforms
Links to More Info: BT912289
Component: Local Traffic Manager
Symptoms:
On certain platforms, after upgrade to particular software versions, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.
- BIG-IP v12.1.6 or later in the v12.x branch of code
- BIG-IP v13.1.4 or later in the v13.x branch of code
- BIG-IP v14.1.4 or later in the v14.x branch of code
- BIG-IP v15.1.1 or later in the v15.x branch of code
- BIG-IP v16.0.0 or later
Conditions:
-- Using the following platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
-- Upgrade the software to one of the following software versions:
+ BIG-IP v12.1.6 or later in the v12.x branch of code
+ BIG-IP v13.1.4 or later in the v13.x branch of code
+ BIG-IP v14.1.4 or later in the v14.x branch of code
+ BIG-IP v15.1.1 or later in the v15.x branch of code
+ BIG-IP v16.0.0 or later
-- Attempt to roll back to a previous version.
Impact:
Cannot boot into a previous version. Contact F5 Support for the reversion process if this is required.
Workaround:
None.
Fix:
Contact F5 Support for the reversion process if this is required.
Behavior Change:
On certain platforms, after upgrade to particular software versions, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.
The particular platforms are:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
The particular software versions are:
+ BIG-IP v12.1.6 or later in the v12.x branch of code
+ BIG-IP v13.1.4 or later in the v13.x branch of code
+ BIG-IP v14.1.4 or later in the v14.x branch of code
+ BIG-IP v15.1.1 or later in the v15.x branch of code
+ BIG-IP v16.0.0 or later
Fixed Versions:
12.1.6, 13.1.4, 14.1.4, 15.1.1
912149-3 : ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'
Links to More Info: BT912149
Component: Application Security Manager
Symptoms:
The system exhibits various symptoms related to sync and control plane, and reports errors similar to the following:
/var/log/asm:
-- (asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476.
ts_debug.log:
-- |ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0
Conditions:
-- Two devices in a sync-failover/sync-only device group.
-- Other conditions required to reproduce this issue are under investigation.
Note: The occurrences of the Cgc::Channel message in the /var/log/asm and /var/log/ts/asm_config_server logs are the most reliable indicator of this issue.
Impact:
-- Config-sync does not work, resulting in a different configuration among the devices in a sync group.
-- Security log profile changes are not propagated to other devices.
-- Portions of the GUI hang, e.g.: Security module tab, and 'security' menu under virtual server.
-- Policies with learning enabled do not generate learning suggestions.
Workaround:
Restart asm_config_server on the units in the device group.
# pkill -f asm_config_server
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
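As an added detection aid for 912149 (not part of the release notes or of any F5 tooling), the following Python scans ASM and ts_debug log lines for the Cgc::Channel send failure and the ZEROMQ assertion quoted in this entry and reports whether the indicator is present. The log lines are constructed from the messages shown above; the filler lines are invented for the sample.

```python
import re

# Constructed sample log lines, modelled on the messages quoted for 912149.
SAMPLE_ASM_LOG = [
    "May 21 23:27:30 bigip1 info asm_config_server.pl: constructed filler line",
    "(asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476.",
]
SAMPLE_TS_DEBUG_LOG = [
    "|ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0",
]

# The Cgc::Channel send failure, capturing the numeric error code.
CGC_SEND_FAIL_RE = re.compile(
    r"F5::Cgc::Channel::send\): Failed to send a message, error:(\d+)"
)
# The ZEROMQ assertion in ts_debug.log; field 2 of the pipe-separated
# record is the timestamp, the tail is the failed assertion expression.
ZMQ_ASSERT_RE = re.compile(
    r"^\|ZEROMQ\|([^|]+)\|.*\(zmq_assert\) Assertion failed: (.*)$"
)


def scan_for_sync_failure(asm_lines, ts_debug_lines):
    """Return the Cgc::Channel error codes and ZEROMQ assertions found.
    Per the release note, the Cgc::Channel message is the reliable
    indicator; the zmq assertion is corroborating evidence."""
    cgc_errors = []
    for line in asm_lines:
        m = CGC_SEND_FAIL_RE.search(line)
        if m:
            cgc_errors.append(m.group(1))
    zmq_asserts = []
    for line in ts_debug_lines:
        m = ZMQ_ASSERT_RE.match(line)
        if m:
            zmq_asserts.append((m.group(1), m.group(2).strip()))
    return {
        "cgc_send_errors": cgc_errors,
        "zmq_asserts": zmq_asserts,
        "indicator_present": bool(cgc_errors),
    }


if __name__ == "__main__":
    print(scan_for_sync_failure(SAMPLE_ASM_LOG, SAMPLE_TS_DEBUG_LOG))
```

Run it over the two log files named in the entry; a non-empty `cgc_send_errors` list is the cue to apply the workaround (restart asm_config_server on the units in the device group).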
912001-1 : TMM cores on secondary blades of the Chassis system.
Links to More Info: BT912001
Component: Global Traffic Manager (DNS)
Symptoms:
When using DNS Cache on chassis systems with a forward zone pointing at a self IP for communication with local BIND, the following assert triggers:
tmm_panic (... "../net/loop.c:572: %sIDX set on listener%s") at ../lib/stdio.c:1307
Conditions:
-- Chassis system is used.
-- Secondary TMMs core dump.
-- Primary works as expected.
Impact:
TMMs on secondary blades core dump. Traffic disrupted while tmm restarts.
Workaround:
1) Create another virtual server with a DNS profile that is configured to use the local BIND server.
2) Set the forward zones to point to that virtual server instead of the self IP as name servers.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
911141-5 : GTP v1 APN is not decoded/encoded properly
Links to More Info: BT911141
Component: Service Provider
Symptoms:
The GTP v1 APN element is decoded/encoded as an octetstring; only the GTP v2 APN element is decoded/encoded using DNS encoding.
Conditions:
- GTP version 1.
- APN element.
Impact:
iRules become more complex when dealing with GTP v1 APN element, as it may need to convert between octetstring and dotted style domain name value after decoding or before encoding the data.
Workaround:
Use iRules to convert between octetstring and dotted style domain name values.
Fix:
GTP version 1 APN information element is now decoded/encoded as DNS encoding.
Behavior Change:
The GTP v1 APN element is now decoded/encoded using DNS-like encoding. Previously, it was decoded/encoded as an octetstring.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1
910213-5 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status
Links to More Info: BT910213
Component: Local Traffic Manager
Symptoms:
Use of the LB::down command in an iRule may not have the desired effect, or may result in pool members that are down for load balancing, but indicate up/available in the GUI and CLI.
Specifically, the pool member is marked down within the tmm instance executing the iRule, but the status change is not updated to mcpd, or to other tmm instances.
As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.
Note: If [event info] is logged in the LB_FAILED event, it will indicate that the load balancing decision failed due to "connection limit".
Conditions:
Using the LB::down command in an iRule.
Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.
If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.
Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.
Workaround:
- Delete and recreate affected pool members
(or) Restart tmm
(or) Restart the BIG-IP.
There is no direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.
Fixed Versions:
13.1.5
910201-5 : OSPF - SPF/IA calculation scheduling might get stuck infinitely
Links to More Info: BT910201
Component: TMOS
Symptoms:
After SPF/IA calculation gets suspended, it might enter a state where it never fires again.
Conditions:
SPF/IA calculation gets suspended. This occurs for various reasons, and BIG-IP end users have no influence on whether it occurs.
Impact:
OSPF routes are visible in the OSPF database, but not installed in the routing table.
Workaround:
Restart the routing daemons:
# bigstart restart tmrouted
Running this command allows you to recover from this situation, but does not prevent the event from reoccurring.
If due to a topology, SPF/IA calculation suspension occurs again after a restart, this workaround essentially has no effect.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
909757 : HTTP CONNECT method with a delayed payload can cause a connection to be closed
Links to More Info: BT909757
Component: Local Traffic Manager
Symptoms:
If the HTTP CONNECT method is utilized and payload arrives in a later TCP segment, the HTTP connection will be closed.
Conditions:
-- HTTP profile.
-- HTTP CONNECT request with delayed payload.
Impact:
The HTTP connection is incorrectly closed.
Workaround:
None.
Fix:
Traffic containing the HTTP CONNECT method and a delayed payload no longer has its connection closed.
Fixed Versions:
13.1.3.5
909237-3 : CVE-2020-8617: BIND Vulnerability
Links to More Info: K05544642
909161-5 : A core file is generated upon avrd process restart or stop
Links to More Info: BT909161
Component: Application Visibility and Reporting
Symptoms:
Sometimes when the avrd process is stopped or restarted, a core is generated.
Conditions:
Avrd process is stopped or restarted.
Impact:
Avrd creates a core file but there is no other negative impact to the system.
Workaround:
None
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1
908065-5 : Logrotation for /var/log/avr blocked by files with .1 suffix
Links to More Info: BT908065
Component: Application Visibility and Reporting
Symptoms:
AVR logrotate reports errors in /var/log/avr:
error: error creating output file /var/log/avr/avrd.log.1: File exists
/var/log/avr/avrd.log will remain unchanged
/var/log/avr/avrd.log.1 will remain unchanged
Conditions:
Files ending with .1 exist in the log directory.
Impact:
Logrotate does not work. This might fill the disk with logs over time.
Workaround:
Remove or rename all of the .1 log files.
Fix:
Fixed an issue with logrotate failing when files ending with .1 exist in the log directory.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
908021-3 : Management and VLAN MAC addresses are identical
Links to More Info: BT908021
Component: TMOS
Symptoms:
The 'tmsh show sys mac-address' command indicates the management interface is using the same MAC address as a VLAN.
Conditions:
This can occur on chassis based systems and on VCMP guests. The MAC address pool does not reserve specific MAC addresses for the management interfaces and so pool entries may be reused for VLANs.
Impact:
The management MAC address is the same as the VLAN MAC address, resulting in issues relating to the inability to differentiate traffic to the management port or to traffic ports.
Workaround:
None.
Fix:
The issue has been fixed for hardware platforms. That is, MAC addresses in the MAC address pool have been reserved for the management port. Due to the small MAC pool size for a few platforms (see K14513: MAC address assignment for interfaces, trunks, and VLANs :: https://support.f5.com/csp/article/K14513#vlans), entries cannot be reserved for VCMP guest management interfaces.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.3
907337-5 : BD crash on specific scenario
Links to More Info: BT907337
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
A specific scenario that results in memory corruption.
Impact:
Failover, traffic disturbance. Traffic disrupted while BD restarts.
Workaround:
None.
Fix:
This BD crash no longer occurs.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
905557-5 : Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure
Links to More Info: BT905557
Component: Global Traffic Manager (DNS)
Symptoms:
A TMM daemon logs a SIGSEGV error, halts, and is then restarted.
Conditions:
-- A BIG-IP system configured to perform DNS/GTM Global Server Load Balancing.
-- High Speed Logging (HSL) is configured.
-- Multiple HSL destinations are configured.
-- The enabled HSL settings include 'replication'.
-- At least one HSL destination is up.
-- At least one HSL destination is down.
-- A pool resource changes state from up to down.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure HSL with only a single log destination.
Fixed Versions:
13.1.5, 14.1.4, 15.1.2
904053-5 : Unable to set ASM Main Cookie/Domain Cookie hashing to Never
Links to More Info: BT904053
Component: Application Security Manager
Symptoms:
Disabling ASM Main Cookie/Domain Cookie hashing in a Policy's Learning and Blocking Setting with 'Never (wildcard only)' does not stop the ASM Main Cookie from continuing to hash server-provided cookies.
Conditions:
-- ASM enabled.
-- Learning mode enabled for Policy.
-- Learn New Cookies set to 'Never (wildcard only)' instead of default 'Selective'.
Impact:
A sufficient number of ASM Main Cookies and/or a sufficiently large number of cookies for each ASM Main cookie to hash can result in the HTTP header becoming prohibitively large, causing traffic to be refused by the server.
Workaround:
Disabling Learning mode for the Policy disables Cookie hashing.
Note: This affects all learning, not just Cookie hashing.
Fix:
Cookie hashing can now be disabled at the policy level in the Cookie subsection of an ASM Policy's Learning and Blocking Settings by setting Learn New Cookies to "Never (wildcard only)".
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1
904041-5 : Ephemeral pool members may be incorrect when modified via various actions
Links to More Info: BT904041
Component: Local Traffic Manager
Symptoms:
Ephemeral pool members may not be in the expected state if the corresponding FQDN template pool member is modified by one of several actions.
For example:
A. Ephemeral pool members may be missing from a pool in a partition other than Common, after reloading the configuration of that partition.
B. Ephemeral pool members may not inherit the 'session' state from the corresponding FQDN template pool member if the FQDN template pool member is disabled (session == user-disabled), the config is synced between high availability (HA) members, and BIG-IP is restarted.
Conditions:
Scenario A may occur when reloading the configuration of non-'Common' partition, e.g.:
-- tmsh -c "cd /testpartition; load sys config current-partition"
Scenario B may occur when an FQDN template pool member is disabled (session == user-disabled), the config is synced between HA members, and BIG-IP is restarted.
Impact:
Impacts may include:
- Missing ephemeral pool members, inability to pass traffic as expected.
- Ephemeral pool members becoming enabled and receiving traffic when expected to be disabled.
Workaround:
For scenario A, reload the entire configuration instead of just the individual partition.
For scenario B, it may be possible to work around this issue by checking the status of ephemeral pool members after BIG-IP restart, and toggling the 'session' value between user-enabled and user-disabled.
Fix:
FQDN ephemeral pool members now better reflect expected states after the corresponding FQDN template pool member is modified by one of several actions such as config load, config sync and BIG-IP restart.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1
903453 : TMM crash following redirect when Proactive Bot Defense is used
Links to More Info: BT903453
Component: Application Security Manager
Symptoms:
TMM may rarely crash when Proactive Bot Defense is enabled.
Conditions:
TMM may rarely crash under specific configurations when Proactive Bot Defense is used.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None.
Fixed Versions:
13.1.3.5
902485-1 : Incorrect pool member concurrent connection value
Links to More Info: BT902485
Component: Application Visibility and Reporting
Symptoms:
In AVR pool-traffic report, 'server-concurrent-conns' reports a larger value than 'server-max-concurrent-conns'.
Conditions:
This is encountered when viewing the pool-traffic report.
Impact:
Incorrect stats reported in the pool-traffic report table
Workaround:
In /etc/avr/monpd/monp_tmstat_pool_traffic_measures.cfg, change the formula of server_concurrent_connections:
From this:
formula=round(sum(server_concurrent_conns),2)
Change it to this:
formula=round(sum(server_concurrent_conns)/count(distinct time_stamp),2)
Fix:
Changed the calculation formula of 'server-concurrent-conns' so it reports the correct statistics.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
902417-5 : Configuration error caused by Drafts folder in a deleted custom partition
Links to More Info: BT902417
Component: TMOS
Symptoms:
Configuration load fails because the Drafts folder associated with a custom partition still exists after the partition has been deleted:
01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.
Conditions:
A draft policy was created under a custom partition, and the partition was later deleted.
Impact:
Impacts the software upgrade.
Workaround:
Remove the Drafts folder configuration from bigip_base.conf, or, after removing the partition, run the command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config".
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1.1
900797-5 : Brute Force Protection (BFP) hash table entry cleanup
Links to More Info: BT900797
Component: Application Security Manager
Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP address and username.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the least recently used (LRU) entry is removed.
In this scenario, entries that are currently being mitigated may keep getting removed from the hash table by new entries.
Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, the parameter is the maximum combined size of all hash tables, which is then divided by the number of virtual servers that have traffic and BFP enabled.
In the latter case, with too many virtual servers, the hash table for a virtual server may reach its maximum capacity.
Impact:
Mitigated entries that keep getting removed from the hash table by new entries may result in attacks not being mitigated.
Workaround:
N/A
Fix:
Mitigated entries are kept in the hash table.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
900793-3 : APM Brute Force Protection resources do not scale automatically
Links to More Info: K32055534 , BT900793
Component: Application Security Manager
Symptoms:
Under certain conditions, resources for Brute Force Protection must be manually scaled by administrators to provide full protection.
Conditions:
-- Many virtual servers (hundreds) that have web application protection with brute force protection enabled.
-- Numerous failed login requests coming to all virtual servers all the time.
Impact:
Administrators must manually change the hash size upon need instead of relying on the automatic configuration.
Workaround:
Set the internal parameter external_entity_hash_size to 0 to allow automatic recalculation of the correct value.
Fix:
Brute Force Protection resources are now scaled automatically based on available system resources.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
900789-5 : Alert before Brute Force Protection (BFP) hash tables are fully utilized
Links to More Info: BT900789
Component: Application Security Manager
Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP addresses and usernames. There is a separate hash table for each virtual server. When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed without logging a warning.
Conditions:
This can be encountered when Brute Force Protection is enabled and the hash table reaches its maximum capacity.
Impact:
No alert is sent when entries are evicted.
Workaround:
None.
Fix:
A warning is now written to the ASM logs describing the status of the hash table.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
898929-1 : Tmm might crash when ASM, AVR, and pool connection queuing are in use
Links to More Info: BT898929
Component: Local Traffic Manager
Symptoms:
TMM crashes and generates a core file.
Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile.
Impact:
Tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
Disable connection queuing on the pool.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
898705-2 : IPv6 static BFD configuration is truncated or missing
Links to More Info: BT898705
Component: TMOS
Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.
-- IPv6 static BFD configuration entries go missing during a daemon restart.
Conditions:
IPv6 static BFD configuration.
Impact:
The IPv6 static BFD configuration does not persist during reloads.
-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.
Workaround:
None.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
896709-1 : Add support for Restart Desktop for webtop in VMware VDI
Links to More Info: BT896709
Component: Access Policy Manager
Symptoms:
VMware has a restart desktop option to reboot the Horizon Agents, but APM does not support this feature on the webtop.
Conditions:
You wish to use the VMware Restart desktop feature for the Horizon Agents that are managed by the vCenter Server.
Impact:
Cannot restart the desktop (Horizon Agent) from the webtop by clicking the restart icon.
Workaround:
None.
Fix:
APM now supports the Restart Desktop option on the webtop for VMware VDI.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
896553-4 : On blade failure, some trunked egress traffic is dropped.
Links to More Info: BT896553
Component: TMOS
Symptoms:
When a blade fails (but is not administratively disabled), other blades take 10 seconds (configured with the db variable clusterd.peermembertimeout) to detect its absence. Until the blade failure is detected, egress traffic that used the failed blade's interfaces is dropped.
Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- Some blades do not have directly attached interfaces.
-- A blade which does have directly attached interfaces fails.
Impact:
Some traffic is dropped until the failed blade is detected (10 seconds by default).
Workaround:
Attach interfaces to all blades.
Fix:
Failed blades are detected within a second.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3
896217-5 : BIG-IP GUI unresponsive
Links to More Info: BT896217
Component: TMOS
Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.
Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.
Impact:
GUI becomes unresponsive.
Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
892677-3 : Loading config file with imish adds the newline character
Links to More Info: BT892677
Component: TMOS
Symptoms:
While loading configuration from a file with IMISH ('imish -f <f_name>'), the newline character is copied at the end of each line, which causes problems with commands containing regular expressions.
In particular, this affects the bigip_imish_config Ansible module.
Conditions:
Loading a config with 'imish -f <f_name>' commands.
Note: This command is used with the bigip_imish_config Ansible module.
Impact:
Regex expressions are not created properly.
Workaround:
You can use either of the following workarounds:
-- Delete and re-add the offending commands using the imish interactive shell.
-- Restart tmrouted:
bigstart restart tmrouted
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
892385-3 : HTTP does not process WebSocket payload when received with server HTTP response
Links to More Info: BT892385
Component: Local Traffic Manager
Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.
Conditions:
-- The virtual server contains HTTP and WebSocket filters.
-- The HTTP response and a small WebSocket payload are received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.
Impact:
-- WebSocket connection hangs.
Workaround:
None.
Fix:
HTTP processes WebSocket payload without delay when payload is received with server HTTP response.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1
890277-1 : Full config sync to a device group operation takes a long time when there are a large number of partitions.
Links to More Info: BT890277
Component: TMOS
Symptoms:
When a full config sync is done to a device group with a large number of partitions:
-- The config sync operation takes a long time to complete.
-- There is a spike in CPU usage on the device where the config push is initiated.
-- The mcpd daemon is unresponsive to other daemons, such as tmsh and the GUI, because it is busy pushing the config sync.
-- iQuery connections are terminated due to high CPU utilization.
Conditions:
Full config sync on a device with a large number of partitions.
Impact:
The operation takes a long time to complete, minutes on BIG-IP Virtual Edition (VE) configurations, and varies by platform and the size of the configuration. For example, config sync on a medium BIG-IP VE setup running v15.1.0.1 with 512 partitions takes ~3 minutes.
Impedes management of device as well as terminates iQuery connections to GTM/DNS devices.
Workaround:
Enable Manual Incremental Sync.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
890229-4 : Source port preserve setting is not honored
Links to More Info: BT890229
Component: Local Traffic Manager
Symptoms:
The source port is always changed in source-port preserve mode even if the original source port with the other parameters would hash to the same TMM.
Conditions:
This issue occurs when both of the following conditions are met:
-- The virtual server is configured with source-port preserve (the default).
-- The system uses one of the following hash configurations that include IP addresses:
- Using RSS DAG as a default hash on BIG-IP Virtual Edition (VE) (Z100) or on 2000- and 4000-series devices.
- Configuring a VLAN's 'CMP Hash' setting to a non-default value.
- Using a special variable such as non-default udp.hash or tcp.hash.
Impact:
Applications relying on a specific, fixed source port might not work as expected.
Workaround:
Set source-port to preserve-strict.
Fix:
The source-port preserve setting now makes a best effort to preserve the source port.
Behavior Change:
Beginning with v16.0.0, the TM.PortFind.Src_Preserve BigDB variable introduced in v15.1.0 is no longer supported.
The source-port preserve setting now makes a best effort to preserve the source port.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1
889601-5 : OCSP revocation not properly checked
Links to More Info: K14903688 , BT889601
Component: Local Traffic Manager
Symptoms:
The revocation status of untrusted intermediate CA certificates is not checked when an OCSP object is configured.
Conditions:
OCSP object revocation checking is configured in client and server SSL profiles.
Impact:
The SSL handshake continues even if a certificate is revoked.
Fix:
OCSP revocation checking now works properly.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
889497-1 : Deleting a log profile results in urldb and urldbmgrd CPU utilization increase to over 90% usage
Links to More Info: BT889497
Component: Access Policy Manager
Symptoms:
The urldb and urldbmgrd process CPU utilization increases to over 90%.
Conditions:
-- SWG provisioned.
-- Creating an APM Event log profile and then deleting it.
Impact:
High CPU utilization by urldb and urldbmgrd.
Workaround:
Do not delete an APM Event log profile.
If an APM Event log profile has already been deleted, restart urldb and urldbmgrd to return CPU utilization to normal.
Fixed Versions:
13.1.4.1
888517-4 : Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.
Links to More Info: BT888517
Component: Local Traffic Manager
Symptoms:
Tmm is running at 100% CPU even under light network load. The 'tmctl tmm/ndal_tx_stats' command shows a high number of packet drops and a large number of queue-full events.
Conditions:
-- BIG-IP Virtual Edition.
-- There are underlying network performance issues causing the transmit queue to be full (e.g., a non-SR-IOV virtual machine environment).
-- Upgrading from BIG-IP v12.x to BIG-IP v14.x.
Impact:
NDAL's busy polling runs the tmm CPU usage to 100%.
Workaround:
Correct the underlying networking/virtualization issue.
Fix:
NDAL now provides visible information, for example a log entry, when it has been busy polling for a period of time.
Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
888497-5 : Cacheable HTTP Response
Links to More Info: BT888497
Component: TMOS
Symptoms:
JSESSIONID, BIGIPAUTHCOOKIE, BIGIPAUTH can be seen in the browser's debugging page.
Conditions:
-- Accessing the BIG-IP system using the GUI.
-- Viewing the browser's stored cache information.
Impact:
HTTPS session information (cookies) can be seen in the browser's local cache.
Note: The BIG-IP system does not display and/or return sensitive data in the TMUI. Content that is marked appropriately as sensitive is never returned, so it is never cached. Data that is cached for TMUI in the client browser session is not considered secret.
Workaround:
Disable caching in browsers.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1
888341-3 : HA Group failover may fail to complete Active/Standby state transition
Links to More Info: BT888341
Component: TMOS
Symptoms:
After a long uptime interval (i.e., the sod process has been running uninterrupted for a long time), HA Group failover may not complete despite an HA Group score change occurring. As a result, a BIG-IP unit with a lower HA Group score may remain as the Active device.
Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime, e.g.:
-- 1 floating traffic group: ~2485 days.
-- 2 floating traffic groups: ~1242 days.
-- 4 floating traffic groups: ~621 days.
-- 8 floating traffic groups: ~310 days.
-- 9 floating traffic groups: ~276 days.
Note: You can confirm sod process uptime in tmsh:
# tmsh show /sys service sod
Conditions:
HA Group failover configured.
Note: No other failover configuration is affected except for HA Group failover, specifically, these are not affected:
o VLAN failsafe failover.
o Gateway failsafe failover.
o Failover triggered by loss of network failover heartbeat packets.
o Failover caused by system failsafe (i.e., the tmm process was terminated on the Active unit).
Impact:
HA Group Active/Standby state transition may not complete despite HA Group score change.
Workaround:
There is no workaround.
The only option is to reboot all BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
888289-4 : Add option to skip percent characters during normalization
Links to More Info: BT888289
Component: Application Security Manager
Symptoms:
An attack signature is not detected.
Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.
Impact:
An attack goes undetected.
Workaround:
Turn on the bad unescape violation or the metacharacter violation.
Fix:
Added an internal parameter, normalization_remove_percents. Its default is 0 (zero), meaning that the previous behavior is maintained. When enabled, the normalization of the data before running the signature removes the percent characters (as it does to high ASCII and space characters).
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1
887089-5 : Upgrade can fail when filenames contain spaces
Links to More Info: BT887089
Component: TMOS
Symptoms:
Filenames with spaces in the /config directory can cause an upgrade or UCS load to fail, because the im upgrade script that backs up the configuration splits each line of a file spec on whitespace. The number of spaces in the filename is significant because it determines how the script separates the line into fields, including the path to the file, an md5sum, and some file properties (notably size). If the path contains whitespace, the fields shift, so when the upgrade/UCS load process uses a field it encounters a value other than what it expects, and the upgrade/UCS load fails.
The file's content is also significant because that determines the md5sum value.
Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:
Not enough free disk space to install!
Conditions:
Filenames with spaces in /config directory.
Impact:
Upgrade or loading of UCS fails.
Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5
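The field-shifting failure described above, as an added illustration that is not F5's im upgrade script: a naive positional parser beside one that splits the fixed-count trailing fields off from the right so that spaces inside the path survive, run over constructed spec lines. The field layout (path, md5sum, mode, owner, group, size), the sample paths and the sample content are assumptions made for this example; the page only states that the spec carries a path, an md5sum and file properties, with the size in the sixth field.

```python
"""Whitespace-split file spec parsing: naive positional fields vs. right-anchored fields.

Added example, not F5 code. Assumed line layout (one file per line):
    <path> <md5sum> <mode> <owner> <group> <size>
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

TRAILING_FIELDS = 5  # md5sum mode owner group size (assumed layout)


@dataclass
class Entry:
    path: str
    md5: str
    size: int


def parse_naive(line: str) -> Optional[Entry]:
    """Split on whitespace and index fields by position.

    Mirrors the bug: a path containing whitespace shifts every later field,
    so the wrong token lands in the md5sum and size slots. Returns None when
    the token in the size slot is not an integer.
    """
    fields = line.split()
    if len(fields) < TRAILING_FIELDS + 1:
        return None
    try:
        return Entry(path=fields[0], md5=fields[1], size=int(fields[5]))
    except ValueError:
        return None


def parse_robust(line: str) -> Optional[Entry]:
    """Split the fixed-count trailing fields off from the right.

    Everything before them is the path, so embedded single spaces survive.
    Paths with leading, trailing or doubled spaces would still be ambiguous;
    a format that needs those should use a delimiter that cannot occur in
    paths (for example NUL) instead of whitespace.
    """
    parts = line.rstrip("\n").rsplit(None, TRAILING_FIELDS)
    if len(parts) != TRAILING_FIELDS + 1:
        return None
    path, md5, _mode, _owner, _group, size = parts
    if not size.isdigit() or len(md5) != 32:
        return None
    return Entry(path=path, md5=md5, size=int(size))


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed sample files and spec lines (not taken from a real system).
# The last path has a large number as its sixth word, which is the
# "Not enough free disk space" case from the bug description.
SAMPLE_FILES = {
    "/config/bigip.conf": b"ltm virtual vs_demo { }\n",
    "/config/my backup.conf": b"ltm pool p_demo { }\n",
    "/config/notes a b c d 99999999999999": b"scratch\n",
}

SPEC_LINES = [
    f"{path} {md5_hex(data)} 0644 root root {len(data)}"
    for path, data in SAMPLE_FILES.items()
]

Parser = Callable[[str], Optional[Entry]]


def verify(entry: Optional[Entry]) -> str:
    """Classify what a backup step would see for one parsed entry."""
    if entry is None:
        return "parse-error"
    data = SAMPLE_FILES.get(entry.path)
    if data is None:
        return "missing-file"
    if md5_hex(data) != entry.md5:
        return "checksum-mismatch"
    return "ok"


def required_space(parser: Parser, lines: Iterable[str]) -> int:
    """Sum the size fields the way a pre-install free-space check would."""
    return sum(e.size for e in map(parser, lines) if e is not None)


def enough_space(parser: Parser, lines: Iterable[str], free_bytes: int) -> bool:
    """False reproduces the 'Not enough free disk space to install!' outcome."""
    return required_space(parser, list(lines)) <= free_bytes


if __name__ == "__main__":
    for line in SPEC_LINES:
        print(f"naive={verify(parse_naive(line)):<13} "
              f"robust={verify(parse_robust(line)):<13} {line}")
    print("naive required bytes :", required_space(parse_naive, SPEC_LINES))
    print("robust required bytes:", required_space(parse_robust, SPEC_LINES))
```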
886693-1 : System might become unresponsive after upgrading.
Links to More Info: BT886693
Component: TMOS
Symptoms:
After upgrading, the system encounters numerous issues:
-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; only a small amount of memory is assigned to the 'host' category.
Conditions:
-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.
Exact conditions that trigger this issue are unknown and could be varied. In the environment in which it occurs, a datagroup is deleted, but an iRule still references it, see: https://cdn.f5.com/product/bugtracker/ID688629.html
Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.
Workaround:
Reboot to an unaffected, pre-upgrade volume.
-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.
-- If the system is completely unresponsive, power-cycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from the applicable management panel, and then select an unaffected volume from the GRUB menu manually.
Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.
For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452
Fix:
The system should now remain responsive if the configuration fails to load during an upgrade on the following platforms:
-- BIG-IP 2000s / 2200s
-- BIG-IP 4000s / 4200v
-- BIG-IP i850 / i2600 / i2800
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
885241 : TMM leaks memory when the 'ACCESS::session remove' iRule command is called in an event other than an ACCESS event.
Links to More Info: BT885241
Component: Access Policy Manager
Symptoms:
TMM leaks memory and eventually crashes when it cannot allocate any more memory.
Conditions:
The 'ACCESS::session remove' iRule command is called in an event other than an ACCESS event (for example, the CLIENTSSL_HANDSHAKE event).
The only affected versions are 13.1.3.2 and 13.1.3.3.
Impact:
The leak initially causes traffic disruption, as TMM reaps flows prematurely in an effort to free up memory. Eventually, TMM crashes, as it is unable to allocate any more memory. When this happens, redundant systems fail over. Traffic disrupted while tmm restarts.
Workaround:
Do not use the 'ACCESS::session remove' iRule command under any event that isn't an ACCESS event.
To restore TMM to a fully functional state after making all necessary configuration changes, or to temporarily work around this issue, you can restart TMM with the following command:
bigstart restart tmm
Fixed Versions:
13.1.3.4
884165-1 : Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG
Links to More Info: BT884165
Component: TMOS
Symptoms:
Frequent config syncs and spamming of logs are occurring on BIG-IP devices in a high availability (HA) configuration.
Conditions:
Datasync CAPTCHA table is re-generated while CAPTCHA is being consumed by users.
Impact:
Syncs to the datasync device group cause the sync status of the devices to fluctuate.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1
882769-5 : Request Log: wrong filter applied when searching by Response contains or Response does not contain
Links to More Info: BT882769
Component: Application Security Manager
Symptoms:
When searching by "Response contains" or "Response does not contain", an incorrect filter is applied and displayed.
Conditions:
This occurs in the GUI when selecting the "Response contains" or "Response does not contain" filter.
Impact:
You are unable to search by response in the GUI.
Workaround:
There is no way to search by response in the GUI, but you can search using the REST API.
Fix:
The correct filter is now applied and displayed for the "Response contains" and "Response does not contain" filters.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.2
882557-5 : TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)
Links to More Info: BT882557
Component: TMOS
Symptoms:
If the underlying virtio platform specifies RX and/or TX queue sizes that are 4096 or larger, the BIG-IP system cannot allocate enough contiguous memory space to accommodate this. Errors similar to these are seen in the tmm log files:
ndal Error: Failed to allocate 2232336 (2228224 + 4096 + 16) bytes
virtio[0:7.0]: Error: Failed to allocate descriptor chain
virtio[0:7.0]: Error: Failed allocate indirect rx buffers
Conditions:
-- Using a BIG-IP Virtual Edition (VE) with virtio drivers.
-- The underlying platform specifies RX and/or TX queue sizes of 4096 or larger.
Impact:
TMM continually restarts.
Workaround:
Use the sock driver instead of virtio.
In your BIG-IP VE VM, run the lspci command to determine which virtio devices are present:
# lspci -nn | grep -i eth | grep -i virtio
00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:04.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:0b.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
Configure a socket driver:
echo "device driver vendor_dev 1af4:1000 sock" > /config/tmm_init.tcl
Reboot the instance.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4
882273-1 : MRF Diameter: memory leak during server-down reconnect attempts leads to TMM crash and growing memory usage
Links to More Info: BT882273
Component: Service Provider
Symptoms:
Memory leak can cause tmm to crash and memory usage to grow.
Conditions:
-- The Diameter transmission setting is enabled and its action is set to retrans.
-- auto-init is enabled.
-- The server is down.
Impact:
Memory corruption eventually leads to a TMM crash, and the memory leak causes memory usage to grow linearly. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
When the server is down, the BIG-IP system keeps creating new connections to it. The memory leak in this path has been fixed.
Fixed Versions:
13.1.3.4, 14.1.2.5
879841-2 : Domain cookie same-site option is missing the "None" as value in GUI and rest
Links to More Info: BT879841
Component: Application Security Manager
Symptoms:
There is no option to add the attribute "SameSite=None" to a domain cookie. The value "None" that appears as an option does not add the attribute at all.
Conditions:
You want the SameSite=None attribute added to a domain cookie.
Impact:
You are unable to set SameSite=None.
Workaround:
Set the SameSite=None cookie value in the application. An iRule could also be added that inserts the cookie. For more information on the iRule, see the following DevCentral article: https://devcentral.f5.com/s/articles/iRule-to-set-SameSite-for-compatible-clients-and-remove-it-for-incompatible-clients-LTM-ASM-APM
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1
879745-5 : TMM may crash while processing Diameter traffic
Links to More Info: K82530456
879413-4 : Statsd fails to start if one or more of its *.info files becomes corrupted
Links to More Info: BT879413
Component: Local Traffic Manager
Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd fails to load it and ends up restarting continuously. You see the following messages in /var/log/ltm:
-- err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'.
-- err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.
Conditions:
Corrupted *.info file in /var/rrd.
Impact:
Stats are no longer accurate.
Workaround:
It might take multiple attempts to repair the *.info files. You might have to run the following command several times for different .info files, where <filename> is the actual name of the file (e.g., 'throughput.info'). The loop deletes the file while 'file' does not report it as ASCII text, and waits for statsd to recreate it:
found=0; while [ "$found" != 1 ]; do filetype=$(file <filename>.info | cut -d " " -f2); if [ "$filetype" != "ASCII" ]; then rm -f <filename>.info; sleep 1; else grep CRC <filename>.info; found=1; fi; done
Fix:
The system now detects corrupt *.info files and deletes and recreates them.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
877109-5 : Unspecified input can break intended functionality in iHealth proxy
Links to More Info: K04234247
876801-1 : Tmm crash: invalid route type
Links to More Info: BT876801
Component: Local Traffic Manager
Symptoms:
Tmm crashes. /var/log/tmm contains the log entries:
tmm1: notice panic: invalid route type
tmm1: notice ** SIGFPE **
Conditions:
The issue is intermittent.
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries in the parent route domain that are eligible to be selected as the egress point for a routing object (for instance, a pool member) that belongs to the child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. A new routing entry for child route domain is added.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround for the problem, but there is a safe way to add and delete routes without putting the BIG-IP system into a state where it could encounter this issue.
Safe way to add/delete a route:
1) Add routes to child route domains first, then to parent route domain.
2) Delete routes from parent route domain first, then from child route domain.
Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table, which no longer causes a TMM crash.
Fixed Versions:
13.1.4, 14.1.4, 15.1.2
876581-5 : JavaScript engine file is empty if the original HTML page cached for too long
Links to More Info: BT876581
Component: Fraud Protection Services
Symptoms:
JavaScript engine file is empty.
Conditions:
Original HTML page with FPS injected content is cached for too long due to some caching headers (e.g., ETag), so the JavaScript engine link becomes invalid.
Impact:
No FPS protection for that HTML page.
Workaround:
You can use either workaround:
-- Use an iRule to disable caching for protected HTML pages.
-- Set the caching time for protected HTML pages to the same value as the datasync table regeneration timer of the active datasync profile (default value is 2 days).
Fix:
FPS now also removes ETag headers from protected HTML pages.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
873617-4 : DataSafe is not available with AWAF license after BIG-IP startup or MCP restart.
Links to More Info: BT873617
Component: Fraud Protection Services
Symptoms:
DataSafe is not available with an AWAF license.
Conditions:
-- AWAF license
-- BIG-IP startup or MCP restart
Impact:
DataSafe is not available.
Workaround:
Reset the license.antifraud.id DB variable to its default:
tmsh modify sys db license.antifraud.id reset-to-default
Fix:
Additional DataSafe license validation during MCP startup after license information is loaded.
Fixed Versions:
13.1.5
873249-4 : Switching from fast_merge to slow_merge can result in incorrect tmm stats
Links to More Info: BT873249
Component: Local Traffic Manager
Symptoms:
TMM stats are reported incorrectly. For example, the system may report double the number of running TMMs or an incorrect amount of available memory.
Conditions:
Changing the DB key merged.method from fast_merge to slow_merge.
Impact:
Incorrect reporting for TMM stats.
Workaround:
Remove the file /var/tmstat/cluster/blade0-performance.
These files are roll-ups and will be re-created as necessary.
Fixed Versions:
13.1.5
871905-5 : Incorrect masking of parameters in event log
Links to More Info: K02705117 , BT871905
Component: Application Security Manager
Symptoms:
When using CSRF protection, sensitive parameter values can be masked incorrectly in the event log.
Conditions:
The request contains a CSRF token and sensitive parameters.
Impact:
Sensitive parameter values can be masked incorrectly in the event log.
Workaround:
None.
Fix:
Sensitive parameter values are now correctly masked in the event log when the request contains a CSRF token.
Fixed Versions:
13.1.5, 14.1.2.5, 15.0.1.4, 15.1.0.5
871881-3 : Apply Policy action is not synchronized after making bulk signature changes
Links to More Info: BT871881
Component: Application Security Manager
Symptoms:
After an action that affects thousands of objects, a subsequent Apply Policy may be missed by a peer.
Conditions:
-- Devices are in an auto-sync device group with ASM sync enabled.
-- A bulk action that affects thousands of objects is performed (e.g., enforcing or disabling all signatures).
-- An Apply Policy action is taken immediately afterwards.
Impact:
Peer devices that are still busy processing the large request miss the Apply Policy action, and it is never sent again.
Workaround:
Make a spurious change and reapply the policy.
Fixed Versions:
13.1.5
871761-2 : Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS
Links to More Info: BT871761
Component: Access Policy Manager
Symptoms:
The APM virtual server's end-user pages (e.g., the logon page) cannot be rendered by browsers.
Conditions:
This issue is encountered when an XML profile is configured for the APM virtual server.
Impact:
APM end users are unable to get a logon page.
Workaround:
Disable the XML profile for the APM virtual server.
Fix:
There is no unexpected traffic interruption from the APM virtual server when the XML profile is configured for the virtual server.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
871657-3 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
Links to More Info: BT871657
Component: TMOS
Symptoms:
Mcpd restarts and produces a core file.
Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.
Impact:
Mcpd crash and restart results in high availability (HA) failover.
Workaround:
Use a lowercase 'a' or 's' as the flag value.
Fix:
Mcpd no longer crashes under these conditions. The flag value is always stored in lowercase regardless of the case used as input in the REST call or tmsh command, etc.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
870957-2 : "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage
Component: Application Visibility and Reporting
Symptoms:
TMM CPU utilization around 100 percent under Security ›› Reporting : ASM Resources : CPU Utilization.
Conditions:
No special conditions; this occurs simply when viewing the TMM CPU stats in 'Security ›› Reporting : ASM Resources : CPU Utilization'. The values are always shown on the wrong scale: for example, when TMM has ~1% CPU usage, it is presented as 100% CPU usage.
Impact:
The wrong scale is presented, which might cause the machine's state to be interpreted incorrectly.
Workaround:
1. Backup /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.
2. Run the following:
$ sed -i 's|tmm_avg_cpu_util)/(count(distinct time_stamp)|tmm_avg_cpu_util)/(count(distinct time_stamp)*100|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
3. Compare the backup file to /etc/avr/monpd/monp_asm_cpu_info_measures.cfg:
Make sure that exactly two lines were modified, and that the modification multiplies the denominator by 100 (i.e., effectively divides the TMM value by 100).
4. To make those changes take effect, run the following command:
$ bigstart restart monpd
Fix:
The TMM value is now divided by 100 to fit the correct scale.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
868781-3 : TMM crashes while processing MRF traffic
Links to More Info: BT868781
Component: Service Provider
Symptoms:
TMM panics when processing overflows the MPI messages due to an incorrectly calculated master key length:
../dev/mpi/mpi_mem.c:1129: Assertion "tail not past head" failed.
Conditions:
-- Message Routing Framework (MRF) traffic of type Diameter and SIP.
-- Auto-initialization is enabled on the peer. The crash can also happen without auto-initialization enabled, just at a less predictable rate.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM crash no longer occurs under these conditions.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.1
867825-1 : Export/Import on a parent policy leaves children in an inconsistent state
Links to More Info: BT867825
Component: Application Security Manager
Symptoms:
When overwriting a parent policy with import/replace, elements from the parent policy that were deleted remain in the child policies.
Conditions:
-- A parent policy exists with a child policy that inherits a section in which new configuration elements can be created in the parent policy (such as IP address exceptions).
-- An element is deleted from the parent policy, and then the parent policy is exported.
-- The parent policy is then imported to replace a parent policy on a different device to perform the same changes on its children.
Impact:
The children on the different devices are left unexpectedly in different states.
Fix:
Import/Replace for a parent policy for sections that remain inherited will now delete elements that were removed from the parent policy instead of disinheriting them.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4
867181-4 : ixlv: double tagging is not working
Links to More Info: BT867181
Component: TMOS
Symptoms:
If a VLAN tag is configured on the Virtual Function in the host, and the BIG-IP guest is configured to use a tagged VLAN, packets that egress the host on this VLAN contain only the VLAN tag configured on the host (i.e. the BIG-IP's VLAN tag is lost).
Conditions:
- Using a BIG-IP VE.
- A VLAN tag is configured on both the host VF and on the BIG-IP.
Impact:
The BIG-IP's VLAN tag is lost.
Fix:
Both VLAN tags are now present in packets.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2
867013-5 : Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout
Links to More Info: BT867013
Component: TMOS
Symptoms:
You are unable to associate new ASM policies to LTM policies, due to REST timeout.
Conditions:
This can be encountered when there are a large number of policies configured in ASM.
Impact:
Unable to associate new ASM policies to LTM policies, due to REST timeout.
Workaround:
None.
Fix:
Modified REST query to get only fullPath to display the list of policies, so the timeout no longer occurs.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.1
866925-1 : The TMM pages used and available can be viewed in the F5 system stats MIB
Links to More Info: BT866925
Component: TMOS
Symptoms:
The memory pages available and in use are tracked with system statistics. Previously those statistics were available only with the tmctl command in the shell.
Conditions:
When system resource decisions are being made, the information about memory usage is important.
Impact:
It is not feasible to query each BIG-IP device separately.
Workaround:
None.
Fix:
You can query these statistics with SNMP through the F5-BIGIP-SYSTEM-MIB::sysTmmPagesStat table.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
866613-2 : Missing MaxMemory Attribute
Links to More Info: BT866613
Component: Application Visibility and Reporting
Symptoms:
The MaxMemory Attribute is not reported in the System Monitor statistics report.
Conditions:
This is encountered when viewing the System Monitor report.
Impact:
No 'MaxMemory' value label appears in System Monitor statistics. Instead, there are duplicate AvgMemory fields, for example:
...(AvgMemory='3818',AvgMemory='3818').
Workaround:
Use the AvgMemory value that is the higher of the two to represent MaxMemory.
Note: Sometimes, the AvgMemory and MaxMemory values are the same. In that case, use the second value.
Fix:
The MaxMemory attribute is now reported in System Monitor statistics.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1
866109-4 : JWK keys frequency does not support fewer than 60 minutes
Links to More Info: BT866109
Component: Access Policy Manager
Symptoms:
When configuring the OAuth provider and trying to set the task frequency to fewer than 60 minutes, the BIG-IP reports an error:
01b70003:3: Discovery interval (10) for OAuth provider must be greater than (60) minutes.
Conditions:
This occurs when configuring the frequency interval of an OAuth provider to a value lower than 60 minutes.
Impact:
You are unable to create a provider with a frequency interval of fewer than 60 minutes.
Workaround:
Use a value of 60 minutes or higher.
Fix:
The auto discovery frequency now supports values lower than 60 minutes.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4
866021-4 : Diameter Mirror connection lost on the standby due to "process ingress error"
Links to More Info: BT866021
Component: Service Provider
Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.
Conditions:
This can happen when there is a large amount of mirror traffic; this includes the traffic processed by the active that requires mirroring and the high availability (HA) context synchronization such as persistence information, message state, etc.
Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.
Fix:
Diameter mirror connections are no longer lost due to "process ingress error" when there is high mirror traffic.
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
865241-4 : Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"
Links to More Info: BT865241
Component: TMOS
Symptoms:
When BGP tries to print the address of the default route's peer but there is no matching IPv4 or IPv6 address, the system returns a NULL, and attempting to print it results in a crash.
Conditions:
-- Running the show command: sh bgp ipv6 ::/0.
-- There is no matching IPv4 or IPv6 address for the peer.
The conditions that cause this to occur are unknown.
Impact:
Bgpd crashes. Routing may be affected while bgpd restarts.
Workaround:
None.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2
865225-2 : 100G modules may not work properly in i15000 and i15800 platforms
Links to More Info: BT865225
Component: TMOS
Symptoms:
The tuning values programmed in the switch are not correct for 100G OPT-0039 and OPT-0031 SFP modules.
Conditions:
-- Using OPT-0039 or OPT-0031 modules.
-- Running on i15000 and i15800 platforms.
Note: Use 'tmsh list net interface vendor-partnum' to identify the optic modules installed.
Impact:
You might see traffic drop.
Note: Potential issues related to incorrect tuning values come from F5-internal sources and have not been reported in production configurations.
Workaround:
None.
Fixed Versions:
13.1.3.4, 15.1.0.2
864757-1 : Traps that were disabled are enabled after configuration save
Links to More Info: BT864757
Component: TMOS
Symptoms:
The ifLinkUpDownTrapEnable setting is not saved to config files nor UCS. If you have disabled 'link up/down' traps for an interface, save the config, and then load the config files or UCS, all interfaces will have traps enabled, even the ones that were explicitly disabled.
Conditions:
-- Disable 'link up/down' traps for an interface.
-- Save the configuration or UCS.
-- Reload the configuration or load the UCS.
Impact:
All interfaces have traps enabled, even the ones that were explicitly disabled.
Workaround:
None.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
863917-4 : The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.
Links to More Info: BT863917
Component: Global Traffic Manager (DNS)
Symptoms:
Messages similar to the following may be seen in the DNS (GTM) logs:
The list processing time (32 seconds) exceeded the interval value. There may be too many monitor instances configured with a 30 second interval.
This message was introduced in 15.0.0 as an aid to help identifying overloaded DNS (GTM) systems, but it triggers too easily and can be logged when the device is not overloaded.
Conditions:
-- DNS (GTM) servers are present.
-- Virtual servers are configured on those DNS (GTM) servers.
-- A monitor is applied to the DNS (GTM) server.
Impact:
Messages are logged that imply the system is overloaded when it is not.
Workaround:
Create a log filter to suppress the messages:
sys log-config filter gtm-warn {
level warn
message-id 011ae116
source gtmd
}
Fixed Versions:
13.1.4.1, 14.1.4.5, 15.1.3, 16.0.1.2
863161-5 : Scheduled reports are sent via TLS even if configured as non encrypted
Links to More Info: BT863161
Component: Application Visibility and Reporting
Symptoms:
The scheduled report email is sent from the BIG-IP using TLS even if it is configured not to use encryption. When the mail server's TLS is outdated, this may cause mail delivery to fail.
Conditions:
The scheduled reports are enabled and configured to use a mail server which reports TLS capability.
Impact:
The minor impact is unexpected behaviour. In rare cases it may lead to malfunction of the scheduled reports.
Fix:
The automatic TLS connection was introduced via an update of the phpmailer module. The current fix disables the automatic behaviour so that encryption is used according to the BIG-IP configuration.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
862597-3 : Improve MPTCP's SYN/ACK retransmission handling
Links to More Info: BT862597
Component: Local Traffic Manager
Symptoms:
- MPTCP enabled TCP connection is in SYN_RECEIVED state.
- TMM cores.
Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable MPTCP option in the TCP profile.
Fix:
MPTCP's SYN/ACK retransmission handling is improved.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.0.2
860517-4 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
Links to More Info: BT860517
Component: TMOS
Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.
As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms).
Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.
Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.
Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.
Fix:
The memory efficiency of MCPD has been improved. This allows very large BIG-IP configurations to be used successfully.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1
860477-6 : SCP hardening
Links to More Info: K82518062
860005-4 : Ephemeral nodes/pool members may be created for wrong FQDN name
Links to More Info: BT860005
Component: Local Traffic Manager
Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.
Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.
The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.
Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.
Workaround:
It may be possible to mitigate this issue by one or more of the following actions:
-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.
-- Reducing the number of FQDN template nodes (FQDN names to be resolved).
-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.
Fixed Versions:
12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2
859717-4 : ICMP-limit-related warning messages in /var/log/ltm
Links to More Info: BT859717
Component: Local Traffic Manager
Symptoms:
'ICMP error limit reached' warning messages in /var/log/ltm:
warning tmm3[23425]: 01200015:4: Warning, ICMP error limit reached.
Conditions:
Viewing /var/log/ltm.
Impact:
Potentially numerous error messages, depending on the traffic and the BIG-IP configuration. No clear indication of how to remedy the situation.
Workaround:
None.
Fix:
The system better tracks what kind of traffic triggers the 'ICMP error limit reached' logs so the issue can be mitigated.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
858973-4 : DNS request matches less specific WideIP when adding new wildcard wideips
Links to More Info: BT858973
Component: Global Traffic Manager (DNS)
Symptoms:
After adding a new wildcard wideip, DNS requests start matching the wildcard even if a more specific wildcard wideip should match.
Conditions:
New less specific Wildcard WideIPs are created.
Impact:
DNS request matches less specific WideIP.
Workaround:
# tmsh load sys config gtm-only
or
restart tmm
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
858701-4 : Running config and saved config have different route-advertisement values after upgrading from 11.x/12.x
Links to More Info: BT858701
Component: Local Traffic Manager
Symptoms:
When you upgrade an 11.x/12.x device with route advertisement enabled, you might discover a difference between the running configuration and the saved configuration post upgrade, which might result in route advertisement becoming disabled.
-- In the running configuration, the virtual-addresses route advertisement setting 'enabled' changes to 'selective'.
-- In bigip.conf, the virtual-addresses route advertisement setting is still set to 'enabled'.
-- After config load or after re-licensing, the virtual-addresses route advertisement reverts to disabled.
Conditions:
-- Upgrading an 11.x/12.x device with route advertisement enabled.
-- After saving the config, both the running-config and bigip.conf have the same value: i.e., 'selective'.
-- Loading the configuration (tmsh load sys config) results in route advertisement becoming disabled.
Impact:
The route-advertisement setting is 'enabled' in the config file, but 'selective' in the running configuration. This has the following impact:
If you save the configuration and then reload it, the route advertisement is changed to 'selective' in the config file and 'disabled' in the running config.
Workaround:
You can identify whether systems running v13.0.0 or higher are at risk of encountering this issue by checking a legacy internal setting, ROUTE_ADVERTISEMENT:
Procedure to identify whether virtual-addresses are affected, that have an incorrect setting in the legacy ROUTE_ADVERTISEMENT artifact:
Virtual-addresses may be affected by this issue on v13.0.0 and higher if ROUTE_ADVERTISEMENT=true in mcpd.
You can check this value with the guishell command:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
Example:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
-----------------------------------------------------------
| NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
-----------------------------------------------------------
| /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
| /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
| /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
| /Common/10.32.101.47 | true | 0 | <<< MEDIUM RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
| /Common/10.32.101.49 | true | 1 | <<< HIGH RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled
Any virtual address that shows ROUTE_ADVERTISEMENT=true is at risk. If true but route-advertisement is not in use, there is no risk until route-advertisement is configured later.
------------------------------------------------------------------------------------------
Procedure to remove the legacy ROUTE_ADVERTISEMENT artifact from the config on systems found to be affected:
1. Review Standby system (if available) and ensure Route Advertisement in running configuration is configured and functioning as desired with "tmsh list ltm virtual-address route-advertisement". If not, manually correct Route Advertisement to desired configuration and confirm functionality.
2. Fail over Active system to Standby status:
tmsh run sys failover standby
3. Review former Active (now Standby) system and ensure Route Advertisement in running configuration is configured and functioning as desired. If not, manually correct Route Advertisement to desired configuration.
4. Save the config to disk:
tmsh save sys config
5. Load the config from disk. This may temporarily cause route-advertisement to revert to disabled on at-risk virtual-addresses:
tmsh load sys config
6. Load the config a second time. This removes the legacy artifact, re-enables route-advertisement as per the configuration, and leaves the system in a not-at-risk state:
tmsh load sys config
7. Verify it worked:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
Example of a fixed config:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
-----------------------------------------------------------
| NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
-----------------------------------------------------------
| /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
| /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
| /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
| /Common/10.32.101.47 | false | 0 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
| /Common/10.32.101.49 | false | 1 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled
------------------------------------------------------------------------------------------
If you encounter this issue and route-advertisement becomes disabled before cleaning the legacy ROUTE_ADVERTISEMENT artifact from the config, reload the configuration again using the following command to set the running config and saved config to 'selective':
tmsh load sys config
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
858301-4 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Links to More Info: K27551003 , BT858301
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858297-4 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Links to More Info: K27551003 , BT858297
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858289-4 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Links to More Info: K27551003 , BT858289
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Fixed Versions:
13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858285-4 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Links to More Info: K27551003 , BT858285
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Fixed Versions:
13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858229-2 : XML with sensitive data gets to the ICAP server
Links to More Info: K22493037 , BT858229
Component: Application Security Manager
Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.
Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.
Impact:
Sensitive data will reach the ICAP server.
Workaround:
No immediate workaround except policy-related changes.
Fix:
An internal parameter, send_xml_sensitive_entities_to_icap, was added. Its default is 1, as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.
Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.
When this is changed to 0 (using this command):
/usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.
Fixed Versions:
11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
858197-4 : Merged crash when memory exhausted
Links to More Info: BT858197
Component: TMOS
Symptoms:
Merged crashes when system memory is exhausted.
Conditions:
System memory is at 0% available.
Impact:
Merged crashes, stopping stats updates.
Workaround:
Reduce the configuration on the system.
Fix:
The fix removes the function call that dropped the row from the table on the error path where the row had not been successfully added.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.2, 16.0.1.1
857845-5 : TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule
Links to More Info: BT857845
Component: Local Traffic Manager
Symptoms:
Whenever the server- or client-side data has not been drained, 'server drained' or 'client drained' errors appear in /var/log/tmm.
Conditions:
-- Using iRule configuration with LB::detach or LB::connect.
-- Server- or client-side data has not been drained before those statements are triggered.
Impact:
TMM crashes and can cause an outage on standalone system or failover in a DSC. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes, and the 'server not drained' or 'client not drained' message is logged instead. If tmm.oops is set to 'log', the OOPS message is reported in /var/log/tmm.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2
857633-4 : Attack Type (SSRF) appears incorrectly in REST result
Links to More Info: BT857633
Component: Application Security Manager
Symptoms:
After ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, an incorrect value for Attack Type (SSRF) appears in REST query results.
Conditions:
ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, even if another ASM Signature update is installed subsequently.
Impact:
An incorrect value for Attack Type (SSRF) appears in REST query results. This impacts BIG-IQ usage and other REST clients.
Workaround:
1) Install a newer ASU to reassociate the affected signatures with the correct attack type.
2) Run the following SQL on the affected BIG-IP devices:
DELETE FROM PLC.NEGSIG_ATTACK_TYPES WHERE attack_type_name = "Server-Side Request Forgery (SSRF)";
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1
856953-6 : IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1
Links to More Info: BT856953
Component: TMOS
Symptoms:
In rare circumstances, TMM may core when changing the ike-peer configuration from IKEv2 to IKEv1.
Conditions:
- The BIG-IP system is attempting to establish an IKEv2 tunnel.
- The related ike-peer config is changed from IKEv2 to IKEv1.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not reconfigure the ike-peer configuration while the related IPsec tunnel is attempting to establish.
Fix:
TMM no longer cores.
Fixed Versions:
13.1.5, 14.1.2.8, 15.1.4.1
854177-2 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
Links to More Info: BT854177
Component: Application Security Manager
Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.
Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.
Impact:
Latency is introduced to ASM handling.
Workaround:
Set the fast-changing nodes to static updates every hour.
Fix:
ASM now correctly ignores pool member updates that do not affect remote logging.
Fixed Versions:
12.1.5.1, 13.1.3.4, 14.1.2.5, 15.1.0.5
853585-5 : REST Wide IP object presents an inconsistent lastResortPool value
Links to More Info: BT853585
Component: Global Traffic Manager (DNS)
Symptoms:
The output of a REST call to tm/gtm/wideip/<wideip_kind> returns objects that contain inconsistent values for the property 'lastResortPool'. For instance, for the kind 'aaaa', the output might be:
...
"lastResortPool": "aaaa \"\""
...
Conditions:
The BIG-IP admin has modified a Wide IP object via tmsh and used the following command structure:
tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind>
Impact:
The lastResortPool value in the REST response might be confusing for an external orchestrator, such as BIG-IQ, that consumes the BIG-IP configuration via iControl REST. BIG-IQ might not work as expected with these values.
Workaround:
Change the Wide IP object via the GUI and set the Last Resort Pool to None, then save the changes.
Fix:
The tmsh interpreter now enforces the structure 'tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind> <pool_name>'.
Fixed Versions:
12.1.6, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
853329 : HTTP explicit proxy can crash TMM when used with classification profile
Links to More Info: BT853329
Component: Local Traffic Manager
Symptoms:
The BIG-IP system may serve HTTP traffic as a forward proxy and use DNS resolver objects to provide a server to connect to for request processing. When a classification profile is attached to the virtual server, some HTTP requests may result in a TMM crash.
Conditions:
-- PEM is provisioned.
-- HTTP explicit proxy is configured on a virtual server.
-- A classification profile is attached to the virtual server.
Impact:
TMM crashes, causing failover. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release prevents a condition causing this TMM crash.
Fixed Versions:
11.6.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3
852289-6 : DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector
Links to More Info: K23278332 , BT852289
Component: Advanced Firewall Manager
Symptoms:
DNS over TCP packet is not rate-limited accurately by DoS device sweep and flood vector.
Conditions:
-- Setting the correct DNS pkt type in the DoS device sweep or flood vector.
-- Sending DNS over TCP.
Impact:
A DNS-over-TCP DDoS attack is not mitigated correctly.
Workaround:
Use the DNS DoS vector to mitigate the attack.
Fix:
The attack mitigation by sweep and flood vector is accurate.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.1.1
852101-4 : Monitor fails.
Links to More Info: BT852101
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d fails external monitor SIP_monitor because GTM SIP Monitors need to be running as privileged.
Conditions:
TLS SIP monitor on pool member requiring client auth.
Impact:
Big3d fails external monitor SIP_monitor.
Workaround:
The only workaround is to allow world reading of the key files in the filestore; however, this is not ideal, as it exposes potentially sensitive data.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2
851857-4 : HTTP 100 Continue handling does not work when it arrives in multiple packets
Links to More Info: BT851857
Component: Local Traffic Manager
Symptoms:
If a 100 Continue response from a server arrives in multiple packets, HTTP parsing may not work as expected. The later server response payload may not be sent to the client.
Conditions:
The server responds with a 100 Continue response which has been broken into more than one packet.
Impact:
The response is not delivered to the client. Browsers may retry the request.
Workaround:
None.
Fix:
100 Continue responses are parsed correctly by the HTTP parser if they are broken into multiple packets.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1
851045-4 : LTM database monitor may hang when monitored DB server goes down
Links to More Info: BT851045
Component: Local Traffic Manager
Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such as by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon), which causes an interruption in monitoring of the other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.
Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).
Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads is processed to completion, and normal DB monitoring resumes.
Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.1
850673-4 : BD sends bad ACKs to the bd_agent for configuration
Links to More Info: BT850673
Component: Application Security Manager
Symptoms:
-- The bd_agent stops sending the configuration in the middle of startup or a configuration change.
-- The policy may be incomplete in the bd causing incorrect enforcement actions.
Conditions:
This is a rarely occurring issue, and the exact conditions that trigger it are unknown.
Impact:
-- The bd_agent hangs or restarts, which may cause a complete ASM restart (and failover).
-- A partial policy may exist in bd causing improper enforcement.
Workaround:
-- Unassign and reassign the policy.
-- If unassign/reassign does not help, export and then reimport the policy.
Fix:
Fixed inconsistency scenario between bd and bd_agent.
Fixed Versions:
12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
850509-2 : Zone Trusted Signature inadequately maintained, following change of master key
Links to More Info: BT850509
Component: Global Traffic Manager (DNS)
Symptoms:
During config load or system start-up, you may see the following error:
-- 01071769:3: Decryption of the field (privatekey) for object (13079) failed.
Unexpected Error: Loading configuration process failed.
In some instances, other errors resembling the following may appear:
-- Failed to sign zone transfer query for zone DNSZONE01 using TSIG key zone01key.pl.
-- Failed to transfer DNSZONE01 from 203.0.113.53, will attempt IXFR (Retry).
Conditions:
-- TSIG keys are present in the device configuration.
-- The device's master key is changed.
Impact:
Unable to view TSIG keys. Configuration cannot be loaded. Failures of DNS zone transfers may occur.
Workaround:
None.
Fix:
When the master key changes, TSIG keys are now properly re-encrypted, so this problem no longer exists.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.2
850277-5 : Memory leak when using OAuth
Links to More Info: BT850277
Component: Access Policy Manager
Symptoms:
Tmm memory usage keeps going up when passing multiple HTTP requests through a kept-alive TCP connection carrying an OAuth token as bearer in the Authorization header.
Conditions:
-- Multiple HTTP requests through a kept-alive TCP connection.
-- Requests carry an OAuth token as bearer in the Authorization header.
Impact:
Memory leak occurs in which tmm memory usage increases.
Workaround:
None.
Fixed Versions:
13.1.3.4, 14.1.4, 15.0.1.3, 15.1.0.2
849861 : TMM may crash with FastL4 and HTTP profile using fallback host and iRule command
Links to More Info: BT849861
Component: Local Traffic Manager
Symptoms:
TMM may crash when FastL4 is used with an HTTP profile and an iRule command. Even if TMM does not crash, the incorrect iRule may prevent the connection from working.
Conditions:
-- A virtual server configured to use FastL4 with an HTTP profile with a fallback host.
-- The virtual server has an iRule that performs a pool pick after the connection is established.
Note: Using the pool command after the server-side connection is established is not a valid operation.
Impact:
TMM typically crashes; however, whether or not TMM crashes, the invalid use of the pool command results in connection failure.
Workaround:
Remove the invalid iRule configuration.
Fix:
This issue no longer occurs.
Fixed Versions:
13.1.1.4
848445-4 : Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer
Links to More Info: K86285055 , BT848445
Component: Application Security Manager
Symptoms:
Global/URL/Flow Parameters with flag is_sensitive true are not masked in referrer and their value may be exposed in logs.
Conditions:
Global/URL/Flow Parameters with flag is_sensitive true are defined in the policy. In logs, the value of such parameter will be masked in QS, but will be exposed in the referrer.
Impact:
The parameter will not be masked in 'Referer' value header in logs, although it is masked in 'QS' string.
Workaround:
Define the parameters as global sensitive parameters.
Fix:
After the fix, such parameters are treated like global sensitive parameters and are also masked in the Referer header.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5
847105-4 : The bigip_gtm.conf is reverted to default after rebooting with license expired
Links to More Info: BT847105
Component: Global Traffic Manager (DNS)
Symptoms:
The bigip_gtm.conf is reverted to default after rebooting (or upgrading to a newer BIG-IP software release).
Conditions:
-- The BIG-IP license is expired prior to the reboot or upgrade.
-- GTM is configured.
Impact:
The GTM configuration (in /config/bigip_gtm.conf) information is lost in the newly installed boot location.
Workaround:
Renew license before reboot. Always reboot with valid license.
If you have already rebooted or upgraded with an expired license, and your configuration has been lost, you can restore it using the following procedure.
1. Re-activate the BIG-IP license.
2. Restore bigip_gtm.conf from the auto-created backup (.bak) file:
cp /config/bigip_gtm.conf.bak /config/bigip_gtm.conf
3. Load the replaced config:
tmsh load sys config gtm-only
If this is the result of a software upgrade, and the .bak file is not available or has been overwritten, you can boot back to the previous volume and re-copy the configuration from there (cpcfg or via the GUI) before rebooting back to the upgraded software release.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1
846493 : ASM CAPTCHA is not working the first time when a request contains sensitive parameters
Links to More Info: BT846493
Component: Application Security Manager
Symptoms:
ASM end users are required to type CAPTCHA letters twice to get the login request to be forwarded to the server. In addition, the original login request is not sent to the server, which results in failed logins.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Brute force enabled in the ASM policy.
-- Brute force issues CAPTCHA mitigation.
Impact:
False-positive bad logins.
Workaround:
Remove sensitive parameters from the ASM policy.
Impact of workaround: This results in sensitive parameters being revealed in the ASM event logs.
Fix:
CAPTCHA mechanism now works correctly along with sensitive parameters.
Fixed Versions:
13.1.3.4
846441-4 : Flow-control is reset to default for secondary blade's interface
Links to More Info: BT846441
Component: TMOS
Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface are reset to default.
Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.
Impact:
The flow-control setting is reset to default (tx-rx).
Workaround:
Reload the configuration on the primary blade.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2
846137-5 : The icrd returns incorrect route names in some cases
Links to More Info: BT846137
Component: TMOS
Symptoms:
The icrd returns incorrect route names when a '.' (dot, or period) is present in the subPath, as it treats the subPath as an IP address and the leaf name as a subnet, and considers the combined string to be the name. The subPath field is also missing from the returned route object. This happens only for curl requests.
Conditions:
-- The subPath contains a '.' in it.
-- A curl request is made.
Impact:
The returned route information does not match the actual route.
Workaround:
None.
Fix:
The system now verifies whether or not the leaf name is a numeric value, so this issue no longer occurs.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2
846057-1 : UCS backup archive may include unnecessary files
Links to More Info: BT846057
Component: Application Security Manager
Symptoms:
UCS backup archive file size is much larger than UCS files in previous releases.
Conditions:
-- UCS backup process finishes with failure and does not clean temporary files.
-- A second UCS backup is attempted.
Impact:
Those temporary files are included in the UCS archive, which results in an unusually large UCS backup file.
Workaround:
Before running the UCS backup process, remove directories:
/var/tmp/ts_db.save_dir_*.cstmp/
Fixed Versions:
13.1.4, 14.1.4, 15.1.3
845461-1 : MRF DIAMETER: additional details to log event to assist debugging
Links to More Info: BT845461
Component: Service Provider
Symptoms:
There are not enough details in log events when stale pending requests are removed.
Conditions:
An answer message is not received before the configured timeout has been reached.
Impact:
The set of arguments in the log message does not have enough information to debug why the message was not responded to.
Workaround:
None.
Fix:
New details have been added to help debug why the message was not responded to.
Fixed Versions:
13.1.3.5
844045-1 : ASM Response event logging for "Illegal response" violations.
Component: Application Security Manager
Symptoms:
Response log is not available when the request is legal but returns an illegal response status code.
In ASM, logging profiles allow logging of all blocked responses. The existing response logging options are either all requests or illegal requests only, and the latter does not include response logging data.
Conditions:
-- Response logging is enabled
-- An illegal response occurs
Impact:
Response logging does not occur.
Workaround:
N/A
Fix:
When a response has ASM response violations and response logging is enabled only for when there was a violation, ASM includes the response in the log.
Added an internal variable:
disable_illegal_response_logging -- default value 0.
If the response logging is enabled in the GUI, only the response logs are captured.
If the variable disable_illegal_response_logging is set to 1, then response logging is disabled (even if enabled in the GUI).
Fixed Versions:
13.1.5
843597-4 : Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle
Links to More Info: BT843597
Component: TMOS
Symptoms:
The vmxnet3 driver cannot handle MTUs larger than 9000 bytes. This issue can present itself in a few different ways, depending on the underlying platform. One example would be the BIG-IP failing to initialize vmxnet interfaces with messages similar to the following logged in /var/log/tmm:
notice vmxnet3[1b:00.0]: MTU: 9198
notice vmxnet3[1b:00.0]: Error: Activation command failed: 1
If the BIG-IP does successfully initialize its vmxnet interfaces, there can be unpredictable behavior (possibly with the hypervisor).
Conditions:
-- Using a BIG-IP Virtual Edition (VE) with the vmxnet3 driver.
-- If the BIG-IP is able to initialize the vmxnet interfaces: Passing packets larger than 9000 bytes.
Impact:
The BIG-IP system may not be able to initialize the vmxnet3 interfaces on startup. If it is able to do so, then packets may be dropped, or the hypervisor may crash on some platforms that do not handle this condition gracefully.
Workaround:
Modify the tmm_init.tcl file, adding the following line:
ndal mtu 9000 15ad:07b0
Fix:
The software now ensures that the default setting for the vmxnet3 driver MTU is 9000, which prevents the issue from occurring.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2
842625-1 : SIP message routing remembers a 'no connection' failure state forever
Links to More Info: BT842625
Component: Service Provider
Symptoms:
When SIP message routing fails to route to a pool member (triggering an MR_FAILED event with an MR::message status of 'no connection'), the BIG-IP system caches the failed state and continues to return it even after the pool member becomes reachable again.
Conditions:
The BIG-IP system fails to route messages to the peer (server) due to unavailability of a route or any other issue.
Impact:
The BIG-IP system is never able to establish a connection to the peer.
Workaround:
None.
Fix:
SIP message routing now recovers from a 'no connection' failure state.
Fixed Versions:
13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.2
842189-3 : Tunnels removed when going offline are not restored when going back online
Links to More Info: BT842189
Component: TMOS
Symptoms:
When a BIG-IP instance goes offline, any functioning tunnel is removed from the active configuration. Upon restoration to online operation, the tunnel is not automatically restored.
Conditions:
-- Configuration includes tunnels.
-- BIG-IP instance goes offline and then comes back online.
Impact:
Failure of tunnel packet traffic.
Workaround:
Manually recreate the tunnel after the BIG-IP instance has been brought back online.
Fix:
Tunnels removed when going offline are now restored when going back online.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.2.1
842125-2 : Unable to reconnect outgoing SCTP connections that have previously aborted
Links to More Info: BT842125
Component: TMOS
Symptoms:
When an outgoing SCTP connection is created using an ephemeral port, the connection may appear to be open after an SCTP connection halt. This prevents new connections to the same endpoint, as the connection appears to already exist.
Conditions:
-- A virtual server configured with an SCTP profile.
-- An outgoing SCTP connection after an existing connection to the same endpoint has halted.
Impact:
New connections are unable to be created resulting in dropped messages.
Workaround:
None.
Fix:
SCTP connections can now be halted and recreated to the same endpoint.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.1.0.5
842013-5 : ASM Configuration is Lost on License Reactivation
Links to More Info: BT842013
Component: Application Security Manager
Symptoms:
After re-activating a BIG-IP license, if the configuration fails to load and reverts to a base config load, the ASM policy config contains 'default' or 'stub' policies, even after fixing the error that caused the configuration to fail to load.
Conditions:
1) A parsing error exists in the BIG-IP config such that 'tmsh load sys config verify' would fail.
2) There is a license reactivation, or the configuration is reloaded.
Impact:
ASM policy configuration is lost and all policies are reverted to empty 'stubs'.
Workaround:
In the case of license re-activation/before upgrade:
Run the command "tmsh load sys config verify" prior to license activation on ASM units to be sure that the config will pass parsing and avoid the fallback to base configuration load.
In a case of booting the system into the new version:
Option 1:
1. Using the steps in either K4423 or K8465, fix the issue that was preventing the config from loading.
2. Reload the config from the fixed UCS file using the command in K13132.
Option 2:
1. Roll back to the old version.
2. Fix the issue that was preventing the config from loading.
3. Before activating the Boot Location of the new version at System >> Software Management : Boot Locations, make sure to set the option Install Configuration to Yes. See K64400324.
Option 3: If one of the high availability (HA) units successfully upgraded, then use config-sync to push the working config to the failing unit.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
841469-3 : Application traffic may fail after an internal interface failure on a VIPRION system.
Links to More Info: BT841469
Component: Local Traffic Manager
Symptoms:
Blades in a VIPRION system connect with one another over a data backplane and a management backplane.
For more information on the manner in which blades interconnect over the data backplane, please refer to K13306: Overview of the manner in which the VIPRION chassis and blades interconnect :: https://support.f5.com/csp/article/K13306.
Should an internal interface fail and thus block communication over the data backplane between two distinct blades, an unusual situation arises where different blades compute different CMP states.
For example, if on a 4-slot chassis, blades 2 and 3 become disconnected from one another, the following is TMM's computation of which slots are on-line:
slot1: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
slot2: slots 1, 2, and 4 on-line (cmp state 0xb / 11)
slot3: slots 1, 3, and 4 on-line (cmp state 0xd / 13)
slot4: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
As different slots are effectively operating under different assumptions of the state of the cluster, application traffic does not flow as expected. Some connections time out or are reset.
You can run the following command to inspect the CMP state of each slot:
clsh 'tmctl -d blade -s cmp_state tmm/cmp'
All slots should report the same state, for instance:
# clsh 'tmctl -d blade -s cmp_state tmm/cmp'
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
15
=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
15
=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
15
=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
15
When this issue occurs, logs similar to the following example can be expected in the /var/log/ltm file:
-- info bcm56xxd[4276]: 012c0015:6: Link: 2/5.3 is DOWN
-- info bcm56xxd[4296]: 012c0015:6: Link: 3/5.1 is DOWN
-- info bcm56xxd[4296]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4339]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4214]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
And a CMP transition will be visible in the /var/log/tmm file similar to the following example:
-- notice CDP: PG 2 timed out
-- notice CDP: New pending state 0f -> 0b
-- notice Immediately transitioning dissaggregator to state 0xb
-- notice cmp state: 0xb
For more information on troubleshooting VIPRION backplane hardware issues, please refer to K14764: Troubleshooting possible hardware issues on the VIPRION backplane :: https://support.f5.com/csp/article/K14764.
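The following is an added example, not part of the F5 bug record, that automates the check described above: it parses the output of clsh 'tmctl -d blade -s cmp_state tmm/cmp' in exactly the layout shown, decodes each cmp_state bitmask into the set of on-line slots (bit n-1 set means slot n is on-line, matching the 0xf/0xb/0xd examples in the text), and reports when blades disagree. Both sample outputs are constructed for this example; the split-backplane sample mirrors the 4-slot scenario described above.

```python
"""Detect CMP-state disagreement between VIPRION blades from clsh output.

Added example (not F5 code). Assumes the output layout shown in the bug
record: a '=== slot N addr ... ===' header followed by a 'cmp_state'
label, a dashed rule, and the numeric value.
"""
import re
from typing import Dict, List

# Constructed sample: the healthy four-slot output shown in the record.
HEALTHY_OUTPUT = """\
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
15
=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
15
=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
15
=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
15
"""

# Constructed sample modelled on the scenario where blades 2 and 3
# lose backplane connectivity to each other (0xf / 0xb / 0xd / 0xf).
SPLIT_OUTPUT = """\
=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
15
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
11
=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
13
=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
15
"""

SLOT_HEADER = re.compile(r"^=== slot (\d+) addr \S+ color \S+ ===$")


def parse_cmp_states(output: str) -> Dict[int, int]:
    """Map slot number -> cmp_state value for each per-slot block."""
    states: Dict[int, int] = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        m = SLOT_HEADER.match(line)
        if m:
            current = int(m.group(1))
            continue
        # The first purely numeric line after a header is the stat value;
        # 'cmp_state' and the dashed rule are skipped by isdigit().
        if current is not None and line.isdigit():
            states[current] = int(line)
            current = None
    return states


def online_slots(cmp_state: int) -> List[int]:
    """Decode the bitmask: bit (n-1) set means slot n is on-line."""
    return [n for n in range(1, cmp_state.bit_length() + 1)
            if cmp_state & (1 << (n - 1))]


def cmp_state_discrepancies(output: str) -> Dict[int, List[int]]:
    """Return each slot's view of the cluster only when the views differ.

    An empty dict means all blades agree (the expected healthy state).
    """
    states = parse_cmp_states(output)
    if len(set(states.values())) <= 1:
        return {}
    return {slot: online_slots(v) for slot, v in sorted(states.items())}


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY_OUTPUT), ("split", SPLIT_OUTPUT)):
        mismatch = cmp_state_discrepancies(sample)
        if mismatch:
            print(f"{label}: CMP state mismatch between blades:")
            for slot, view in mismatch.items():
                print(f"  slot {slot} sees slots {view} on-line")
        else:
            print(f"{label}: all blades report the same CMP state")
```

On a live system, feed the real clsh output into cmp_state_discrepancies() and treat any non-empty result as the condition this record describes, alongside the 'CMP state changed' entries in /var/log/ltm.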
Conditions:
This issue arises after a very specific type of hardware failure. The condition is very unlikely to occur and is impossible to predict in advance.
Impact:
Application traffic is impacted and fails sporadically due to a mismatch in CMP states between the blades. Failures are likely to manifest as timeouts or resets from the BIG-IP system.
Workaround:
F5 recommends the following to minimize the impact of this potential issue:
1) For all highly available configurations (e.g., A/S, A/A, A/A/S, etc.).
The BIG-IP system has functionality, in all software versions, to enact a fast failover when the conditions described occur.
To ensure this functionality will trigger, the following configuration requirements must be met:
a) The mirroring strategy must be set to 'between'.
b) A mirroring channel to the next-active unit must be up.
c) The min-up-members option must be set to the number of blades in the chassis (e.g., 4 if there are 4 blades in the chassis).
Note: It is not required to actually configure connection mirroring on any virtual server; simply choosing the aforementioned strategy and ensuring a channel is up to the next-active unit will suffice. However, note that some configurations will benefit by also configuring connection mirroring on some virtual servers, as that can greatly reduce the number of affected connections during a failover.
2) For 'regular' standalone units.
If a VIPRION system is truly standalone (no kind of redundancy whatsoever), there is no applicable failsafe action, as you will want to keep that chassis online even if some traffic is impaired. Ensure suitable monitoring of the system is in place (e.g., remote syslog servers, SNMP traps, etc.), so that a BIG-IP Administrator can react quickly in the unlikely event this issue does occur.
3) For a standalone chassis which belongs to a pool on an upstream load-balancer.
If the virtual servers of a standalone VIPRION system are pool members on an upstream load-balancer, it makes sense for the virtual servers to report unavailable (e.g., by resetting all new connection attempts) so that the upstream load-balancer can select different pool members.
An Engineering Hotfix can be provided which introduces an enhancement for this particular use-case. A new DB key is made available under the Engineering Hotfix: tmm.cdp.requirematchingstates, which takes values 'enable' and 'disable'.
The default is 'disable', which makes the VIPRION system behave as in versions without the enhancement. When set to 'enable', the VIPRION system attempts to detect this failure and, if it does, resets all new connections. This should trigger some monitor failures on the upstream load-balancer and allow it to select different pool members.
Please note you should only request the Engineering Hotfix and enable this DB key when this specific use-case applies: a standalone VIPRION system which belongs to a pool on an upstream load-balancer.
When the new feature is enabled, the following log messages in the /var/log/ltm file indicate when this begins and stops triggering:
-- crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.
-- crit tmm[13262]: 01010367:2: CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.
Fix:
The system now includes the enhancement for the 'standalone chassis which belongs to a pool' use-case, as discussed under the Workaround section.
Fixed Versions:
13.1.3.4, 15.1.2.1
841333-3 : TMM may crash when tunnel used after returning from offline
Links to More Info: BT841333
Component: TMOS
Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.
Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.2
839597-2 : Restjavad fails to start if provision.extramb has a large value
Links to More Info: BT839597
Component: Device Management
Symptoms:
Rolling restarts of restjavad occur every few seconds and the following messages are seen in the daemon log:
daemon.log: emerg logger: Re-starting restjavad
The system reports a similar message at the command line.
No obvious cause is logged in rest logs.
Conditions:
-- System DB variable provision.extramb has an unusually high value*:
+ above ~2700-2800 MB for v12.1.0 and earlier.
+ above ~2900-3000 MB for v13.0.0 and later.
-- On v13.0.0 and later, sys db variable restjavad.useextramb needs to have the value 'true'
*A range of values is shown. When the value is above the approximate range specified, constant restarts are extremely likely, and within tens of MB below that point may be less frequent.
To check the values of these system DB variables, use:
tmsh list sys db provision.extramb
tmsh list sys db restjavad.useextramb
Impact:
This impacts the ability to use the REST API to manage the system.
Workaround:
If you need sys db restjavad.useextramb to have the value 'true', keep sys db provision.extramb well below the values listed (e.g., 2000 MB works without issue).
To set that at command line:
tmsh modify sys db provision.extramb value 2000
If continual restarts of restjavad are causing difficulties managing the unit on the command line:
1. Stop restjavad (you can copy this string and paste it into the command line on the BIG-IP system):
tmsh stop sys service restjavad
2. Reduce the large value of provision.extramb if necessary.
3. Restart the restjavad service:
tmsh start sys service restjavad
Fix:
Restjavad memory is now capped at a sensible maximum.
If provision.extramb is set to a value higher than 2500 MB it will be considered to be 2500 MB for the purposes of restjavad, and the system logs a message similar to the following in /var/log/ltm, where XXXX is the value of provision.extramb:
notice restjavad: JVM heap limit exceeded. Using maximum supported value of 2500 instead of provision.extramb XXXX.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
838901-1 : TMM receives invalid rx descriptor from HSB hardware
Links to More Info: BT838901
Component: TMOS
Symptoms:
The HSB hardware returns an invalid receive (rx) descriptor to TMM. This results in a TMM core and can be seen as a SIGSEGV in the TMM logs. This also might result in continuous restarts of TMM, resulting in subsequent SIGSEGVs reported in the TMM logs until the unit is manually recovered.
Conditions:
The exact conditions under which this occurs are unknown.
Impact:
Traffic disrupted while tmm restarts. This may result in continuous TMM restarts until the BIG-IP system is rebooted.
Workaround:
None.
Fixed Versions:
13.1.4, 14.1.4, 15.1.2
838709-2 : Enabling DoS stats also enables page-load-time
Links to More Info: BT838709
Component: Application Visibility and Reporting
Symptoms:
If collect-all-dos-statistic is enabled, AVR 'promises' to the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-length header.
Conditions:
Security :: reporting : settings : collect-all-dos-statistic is enabled.
Impact:
In addition to collecting DoS statistics, JavaScript injection also occurs.
Workaround:
Can use iRules to control which pages should get the JavaScript injection.
For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.
Fix:
Changed the condition that inserts the JavaScript injection when 'collect all dos stats' is enabled.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
838685-1 : DoS report exist in per-widget but not under individual virtual
Links to More Info: BT838685
Component: Application Visibility and Reporting
Symptoms:
'Undefined entity dosl7_vip was used' error message is reported on widgets whenever a 'Virtual Server' filter is selected on the 'Security :: Reporting : DoS : Custom Page' GUI page.
Conditions:
-- Navigate to Security :: Reporting : DoS : Custom Page in the GUI.
-- Filter widgets results with specific 'Virtual Server'.
Impact:
GUI widgets report errors and cannot show stats.
Workaround:
This GUI fix requires modifying a single PHP file in one location, which you can do directly on your BIG-IP system with a few bash commands:
1. Backup the file '/var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php':
$ cp /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/
2. Change permissions to allow modifying it:
$ chmod +w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
3. Change the file to include the fix:
$ sed -i 's/dosl7_vip/vip/g' /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
$ sed -i "s/ANALYTICS_MOD_DNS_DOS => 'vip'/ANALYTICS_MOD_DNS_DOS => 'dns_vip'/g" /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
4. Verify that the fix is as expected:
$ vimdiff /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/dos_custom_overview_commons.php
(You should see two lines modified:
1. ANALYTICS_MOD_DOSL7 => 'dosl7_vip' to ANALYTICS_MOD_DOSL7 => 'vip'.
2. ANALYTICS_MOD_DNS_DOS => 'vip' to ANALYTICS_MOD_DNS_DOS => 'dns_vip'.)
5. Revert permissions of the file:
$ chmod -w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
6. Log out and log back into the GUI, so that the new version of the file loads.
Fix:
GUI configuration for the 'Virtual Server' filter is fixed with the correct dimension name.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.0.5
836357-1 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
Links to More Info: BT836357
Component: Service Provider
Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.
Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- A message is sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (to which the BIG-IP system forwards the message) is controlled by the 'node <ip> <port>' and 'snat <ip> <port>' iRule commands.
-- The destination flow is in the FIN-wait2 stage.
Impact:
This causes the BIG-IP system to abort the flow that originates the message.
Workaround:
None.
Fix:
SIP MBLB correctly initiates a new flow from a virtual IP to the client when an existing flow is in the FIN-wait2 stage.
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
833685-1 : Idle async handlers can remain loaded for a long time doing nothing
Links to More Info: BT833685
Component: Application Security Manager
Symptoms:
Idle async handlers can remain loaded for a long time doing nothing because they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.
Conditions:
This issue might result from several sets of conditions. Here is one:
Exporting a large XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.
Impact:
Depletion of memory by lingering idle async handlers may deprive other processes of sufficient memory, triggering out-of-memory conditions and process failures.
Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart asm_config_server periodically using cron, as idle handlers are soon created again.
Fix:
Idle async handlers now exit after 5 minutes of not receiving any new calls.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.5
833213-5 : Conditional requests are served incorrectly with AAM policy in webacceleration profile
Links to More Info: BT833213
Component: WebAccelerator
Symptoms:
HTTP 1.1 allows a conditional request with header If-Modified-Since or If-Unmodified-Since to determine whether a resource changed since a specified date and time. If AAM is provisioned and its policy is assigned to a virtual server, it may incorrectly respond with 304 Not Modified, even after the resource was updated.
Conditions:
-- AAM is provisioned and webacceleration policy is attached to a virtual server.
-- Client sends a conditional request with If-Modified-Since or If-Unmodified-Since header.
-- The BIG-IP system responds from AAM cache.
Impact:
Client does not receive an updated resource.
Workaround:
Use a webacceleration profile without an AAM policy for resources that require conditional checks, falling back to RamCache.
Fix:
The BIG-IP system now respects If-Modified-Since or If-Unmodified-Since header and provides an appropriate response for the requested resource when compared to the date supplied in either header.
Fixed Versions:
13.1.3.4, 14.1.2.3, 15.0.1.3, 15.1.3
833113-1 : Avrd core when sending large messages via https
Links to More Info: BT833113
Component: Application Visibility and Reporting
Symptoms:
Sending large messages (>4KB) via HTTPS may cause avrd to core.
Conditions:
This typically happens when the BIG-IP system is managed by BIG-IQ and the configuration is large and complex, or traffic capturing is enabled.
Impact:
Messages to BIG-IQ are lost. In severe cases, analytics functionality may be unavailable due to repeated avrd cores.
Workaround:
None.
Fix:
Fixed an avrd crash.
Fixed Versions:
13.1.3.4, 14.1.4.3, 15.0.1.3, 15.1.4
833049-3 : Category lookup tool in GUI may not match actual traffic categorization
Links to More Info: BT833049
Component: Access Policy Manager
Symptoms:
Category Lookup agent has changed to include the IP in the categorization query. The BIG-IP TMUI does not do the same (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup).
Conditions:
-- SWG or URLDB provisioned.
-- Run traffic with category lookup in the PRP and note the category produced.
-- Run the same URL through the GUI lookup tool or the command line tool.
Impact:
Some websites may be categorized differently depending on whether the IP address is passed in or not.
Workaround:
None.
Fixed Versions:
13.1.3.5, 14.1.4, 15.1.2
832805-3 : AVR should make sure file permissions are correct (tmstat_tables.xml)
Links to More Info: BT832805
Component: Application Visibility and Reporting
Symptoms:
When the avrd RPM is built, a few config files get the wrong permissions (executable).
Conditions:
Any build of the avrd RPM.
Impact:
Not having the right permissions can apparently lead to a system halt.
Workaround:
Change permissions on file:
# chmod -x /etc/avr/tmstat_tables.xml
Fix:
AVR now builds the RPM config files with the right permissions (mode 644) instead of building them as executable files.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1
831549 : Marketing name does not display properly for BIG-IP i10010 (C127)
Links to More Info: BT831549
Component: TMOS
Symptoms:
The /var/log/ltm log includes error messages about the marketing name:
Invalid marketing name.
Conditions:
-- Running BIG-IP software version 13.1.3.1.
-- Using BIG-IP i10010 (C127) platform.
Impact:
This causes errors in the logs, and affects the tmsh and LCD displays. The LCD displays C127 for the Platform Name instead of the actual platform name. The TMSH command, tmsh show sys hw, displays C127 for the Platform Name instead of the actual platform name.
Workaround:
None.
Fix:
This is fixed in version 13.1.3.2.
Fixed Versions:
13.1.3.2, 14.1.4.4
831325-3 : HTTP PSM detects more issues with Transfer-Encoding headers
Links to More Info: K10701310, BT831325
Component: Local Traffic Manager
Symptoms:
HTTP PSM may not detect some invalid Transfer-Encoding headers.
Conditions:
HTTP PSM is used to detect HTTP RFC violations. A request with an invalid Transfer-Encoding header is sent.
Impact:
Traffic is not alarmed/blocked as expected.
Workaround:
None.
Fix:
HTTP PSM detects new cases of invalid Transfer-Encoding headers.
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.1
831293-2 : SNMP address-related GET requests slow to respond.
Links to More Info: BT831293
Component: TMOS
Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.
Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.
Impact:
Slow performance.
Workaround:
None.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.2
830833-3 : HTTP PSM blocking resets should have better log messages
Links to More Info: BT830833
Component: Local Traffic Manager
Symptoms:
When reset-cause logging is turned on, or when RST packet logging is used, the reset reason used when rejecting bad HTTP PSM traffic is not descriptive.
Conditions:
This occurs under either of these conditions:
-- HTTP PSM is used, and a request is blocked.
-- Reset cause or RST packet logging is enabled.
Impact:
The reset reason given is not descriptive, making troubleshooting difficult.
Workaround:
None.
Fix:
The reset reason used when rejecting HTTP PSM traffic is more descriptive.
Fixed Versions:
13.1.4.1, 14.1.2.5, 15.0.1.1
830341-4 : False positives Mismatched message key on ASM TS cookie
Links to More Info: BT830341
Component: Application Security Manager
Symptoms:
The ASM system triggers false positives for the ASM Cookie Hijacking violation with the reason "Mismatched message key".
Conditions:
-- An HTTP request containing an old frame cookie with a different message key from the main TS cookie is rejected.
-- The cookie is left intact.
Impact:
All subsequent requests are rejected on the ASM Cookie Hijacking violation.
Workaround:
1. Disable the "Learn Host Names" flag in all policies. If the policy builder is in manual mode, change it back to Auto mode, disable "Learn Host Names", then change it back to manual mode.
OR
2. Delete the mismatched cookie. This causes the violations to stop occurring if the request comes from a legitimate endpoint.
Fix:
In order to activate the changed functionality, set the internal parameter ignore_cookies_msg_key to 1 and restart ASM by executing the following commands in the CLI:
/usr/share/ts/bin/add_del_internal add ignore_cookies_msg_key 1
bigstart restart asm
Once enabled, the ASM system does not trigger these false positives.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2.1
830073-5 : AVRD may core when restarting due to data collection device connection timeout
Links to More Info: BT830073
Component: Application Visibility and Reporting
Symptoms:
Avrd crashes; one or more avrd core files exist in /var/core.
Conditions:
-- A BIG-IP system is managed by BIG-IQ via a secure channel.
-- Avrd is restarted.
Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes.
Workaround:
None.
Fix:
The AVRD HTTPS module now stops any connection attempts when shutdown sequence is in progress, so this issue no longer occurs.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
829821-4 : Mcpd may miss its high availability (HA) heartbeat if a very large number of pool members are configured
Links to More Info: BT829821
Component: TMOS
Symptoms:
If a very large number of pool members are configured (tens of thousands), mcpd may miss its high availability (HA) heartbeat and be killed by sod.
Conditions:
-- A large number of pool members.
-- Pool member validation occurs (such as when loading a configuration or doing a configsync operation).
Impact:
Mcpd is killed by sod. This causes a failover (when the BIG-IP is in a DSC) or outage (if standalone).
Workaround:
None.
Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
829677-4 : .tmp files in /var/config/rest/ may cause /var directory exhaustion
Links to More Info: BT829677
Component: TMOS
Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.
Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.
Conditions:
Traffic is processed while the DoS Dashboard is open.
This issue happens because a VIPRION process is not available due to a REST timeout.
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.
Workaround:
Manually run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Fix:
Increased the REST socket timeout and shellexecutor timeout values to 6 minutes to fix the VIPRION worker timeout issue.
The fix also includes automatic removal of unused tmp files.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.2, 16.0.1.1
829317-1 : Memory leak in icrd_child due to concurrent REST usage
Links to More Info: BT829317
Component: TMOS
Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.
Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing the device via REST.
Impact:
Memory slowly leaks in icrd_child.
Workaround:
None.
Fix:
Fixed a memory leak in icrd_child.
Fixed Versions:
13.1.4, 14.1.3, 14.1.3.1, 15.1.0.2
829193-5 : REST system unavailable due to disk corruption
Links to More Info: BT829193
Component: TMOS
Symptoms:
-- The iControl REST commands respond with the following:
[INFO] Text: u'{"code":200,"message":"REST system unavailable due to disk corruption! See /var/log/restjavad.*.log for errors.","restOperationId":1472895,"kind":":resterrorresponse"}'
-- The GUI indicates that iAppLX sub-system is unresponsive.
-- On the BIG-IP device, /var/config/rest/storage/LOST-STORAGE.txt exists.
Conditions:
The conditions that trigger this are unknown. It might be due to a previous catastrophic event such as power loss or out-of-memory errors.
Manually creating the file /var/config/rest/storage/LOST-STORAGE.txt can also trigger this error.
Impact:
The iControl REST system is unavailable.
Workaround:
Run the following commands at the BIG-IP command prompt:
bigstart stop restjavad restnoded
rm -rf /var/config/rest/storage
rm -rf /var/config/rest/index
bigstart start restjavad restnoded
rm -f /var/config/rest/downloads/*.rpm
rm -f /var/config/rest/iapps/RPMS/*.rpm
tmsh restart sys service tomcat
Then, reinstall any iAppLX packages that were installed.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.0.4
828937-4 : Some systems can experience periodic high IO wait due to AVR data aggregation
Links to More Info: K45725467, BT828937
Component: Application Visibility and Reporting
Symptoms:
Systems with a large amount of statistics data collected in the local database (i.e., systems not working with BIG-IQ) can have high IO Wait CPU usage, peaking at 10 minutes, 1 hour, and 24 hours. This is caused by the data aggregation process that runs on the local database. Note that large memory footprints, particularly for avrd, might be a symptom of this phenomenon.
Conditions:
-- The BIG-IP system is collecting statistics locally (i.e., not sending data to BIG-IQ or another external device).
-- There is a large amount of statistics data.
-- May occur even if AVR is not explicitly provisioned (in that case, ASM, APM, PEM, AFM, or AAM must be provisioned).
Impact:
High IO can impact various processes on BIG-IP systems. Some of them can experience timeouts and might restart.
Workaround:
The most effective workaround is to lower the amount of data collected by setting the 'avr.stats.internal.maxentitiespertable' DB variable to a lower value. The recommended values are 20000 (on larger, more powerful systems with more than 8 cores) or 2148 (on smaller systems).
Note: After you lower the database value, continue to monitor the BIG-IP system for long I/O wait times and high CPU usage. If symptoms persist and the system continues to experience resource issues, you may need to reset the BIG-IP AVR statistics. For information about resetting BIG-IP AVR statistics, refer to K14956: Resetting BIG-IP AVR statistics :: https://support.f5.com/csp/article/K14956.
Fix:
The default value of the avr.stats.internal.maxentitiespertable DB variable is now 2148 on systems with 8 or fewer CPU cores.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.1.0.5
828601-4 : IPv6 Management route is preferred over IPv6 tmm route
Links to More Info: BT828601
Component: Local Traffic Manager
Symptoms:
The IPv6 Management route has a lower metric than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the management interface.
Conditions:
-- Create an IPv6 management route, which is going to be a default gateway.
-- Receive another default gateway from a configured peer using any of the dynamic routing protocols (BGP, OSPF, etc.).
Impact:
The incorrect routing table sends the traffic that matches the default route to the management interface.
Workaround:
None.
Fix:
IPv6 routes now prioritize TMM interfaces.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.0.3
827393-4 : In rare cases tmm crash is observed when using APM as RDG proxy.
Links to More Info: BT827393
Component: Access Policy Manager
Symptoms:
Tmm may crash when APM is configured as an RDG proxy to access Microsoft remote desktops and applications.
Conditions:
APM is used as an RDG proxy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Tmm does not crash when APM is configured as RDG proxy.
Fixed Versions:
13.1.5, 14.1.4.5, 16.1.2.1
826601-3 : Prevent receive window shrinkage for looped flows that use a SYN cookie
Links to More Info: BT826601
Component: Local Traffic Manager
Symptoms:
TMM cores.
Conditions:
-- VIP to VIP (looped flow) configuration.
-- SYN cookie is used.
-- Initial receive window is greater than 3.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
-- Set the initial receive window value of the VIP to 3.
Fix:
Receive window shrinkage is prevented for looped flows using SYN cookies.
Fixed Versions:
11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.3
825689-5 : Enhance FIPS crypto-user storage
Component: Local Traffic Manager
Symptoms:
Existing TMOS releases use legacy storage and generation facilities that have been supplanted in newer TMOS releases.
Conditions:
Crypto-officer access to TMSH / fipsutil.
Impact:
Did not leverage Secure Vault facilities.
Workaround:
None.
Fix:
FIPS crypto-user storage now leverages Secure Vault facilities.
Fixed Versions:
12.1.6, 13.1.4, 14.1.4, 15.1.1
824365-1 : Need informative messages for HTTP iRule runtime validation errors
Links to More Info: BT824365
Component: Local Traffic Manager
Symptoms:
For HTTP iRule runtime validation errors, an ERR_NOT_SUPPORTED error message is appended (with rule name and event) to /var/log/ltm, but the message is not informative about the cause of the validation error:
err tmm1[20445]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri".
The system should post a more informative message, in this case:
err tmm[10662]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - can't call after responding - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri"
Conditions:
-- HTTP filter and HTTP iRules are used by a virtual server.
-- An HTTP iRule runtime validation error happens. For example, HTTP::uri is called after HTTP::respond, which is not supported.
Impact:
With no informative error messages, it is difficult to identify the validation error.
Workaround:
There is no workaround at this time.
Fix:
Informative messages are provided for HTTP iRule runtime validation errors.
Fixed Versions:
13.1.3.6, 14.1.2.3, 15.0.1.1, 15.1.0.2
824149-1 : SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured
Links to More Info: BT824149
Component: Service Provider
Symptoms:
In SIP ALG virtual with source-nat-policy assigned, if traffic processed by the virtual server does not match source-nat-policy, or if it matches source-nat-policy that does not have source-translation configured, tmm cores and restarts.
Conditions:
-- SIP ALG virtual server with an assigned source-nat-policy.
-- Traffic does not match the source-nat-policy, or traffic matches a source-nat-policy that has no source-translation configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure SIP ALG virtual so that the condition never happens. For example, apply a source attribute to the virtual server that filters out traffic that will not match the source-nat-policy. Never use a source-nat-policy that has no source-translation.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
824093-1 : Parameters payload parser issue
Links to More Info: BT824093
Component: Application Security Manager
Symptoms:
Incorrect parameter parsing occurs under some conditions. For example, in a signature violation, the 'Actual Parameter Name' value appears as 'attachment; filename'.
Conditions:
-- ASM in use.
-- Request contains multipart headers.
Impact:
Incorrect policy enforcement.
Workaround:
None.
Fix:
This release fixes an issue related to multipart requests.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3
822025-4 : HTTP response not forwarded to client during an early response
Links to More Info: BT822025
Component: Local Traffic Manager
Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.
Conditions:
-- A slow client.
-- An early server response with the HTTP::respond iRule.
Impact:
A client does not receive the redirect from the HTTP::respond iRule.
Workaround:
None.
Fix:
The client now receives the redirect from the HTTP::respond iRule.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.4, 15.1.0.2
820845-1 : Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.
Links to More Info: BT820845
Component: TMOS
Symptoms:
BIG-IP systems might not respond to ARP / Neighbour Discovery requests received via EtherIP tunnels on a multi-blade system.
Conditions:
Decapsulated ARP / Neighbour Discovery requests for an address owned by the BIG-IP system are processed by a secondary blade.
Impact:
Some endpoints may not be able to resolve addresses via ARP / Neighbour Discovery over the EtherIP tunnel.
Workaround:
Create static ARP entries on affected endpoints.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
819397-3 : TMM does not enforce RFC compliance when processing HTTP traffic
Links to More Info: K50375550, BT819397
Component: Local Traffic Manager
Symptoms:
TMM does not require RFC compliance when processing HTTP traffic. This does not impact the performance or security of BIG-IP systems, but may impact connected systems if they expect only compliant traffic to be forwarded.
Conditions:
-- HTTP virtual server.
-- Non-compliant HTTP request from the client.
Impact:
Pool members may be exposed to non-compliant HTTP requests.
Workaround:
None.
Fix:
The HTTP filter now optionally performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.
Behavior Change:
A new BigDB variable has been added.
The new 'Tmm.HTTP.RFC.Enforcement' option may be enabled or disabled. It is disabled by default.
If enabled, the HTTP filter performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.
The checks performed are a subset of those described within the HTTP PSM module. If a blocking page is required, or more detailed control over which checks are performed, configure HTTP PSM or ASM on the virtual server.
If either HTTP PSM or ASM are configured on a virtual server, the state of the 'Tmm.HTTP.RFC.Enforcement' BigDB variable is ignored on that virtual server.
Fixed Versions:
12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.1
819329-3 : Specific FIPS device errors will not trigger failover
Links to More Info: BT819329
Component: Local Traffic Manager
Symptoms:
When the FIPS device experiences a hardware failure during idle-time, the device may not fail over.
Conditions:
-- FIPS hardware failure occurs, but the device is idle.
Impact:
The device may not fail over on FIPS hardware failure.
Fix:
Interpret rare FIPS card failure as failover event.
Fixed Versions:
13.1.5, 14.1.3.1, 15.1.4, 16.0.1.2
819053-4 : CVE-2019-13232 unzip: overlapping of files in ZIP container
Component: TMOS
Symptoms:
CVE-2019-13232 unzip: overlapping of files in a ZIP container leads to denial of service.
Conditions:
Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container.
Impact:
Overlapping files in a ZIP container lead to a denial of service in UnZip.
Workaround:
N/A
Fix:
UnZip updated to resolve CVE-2019-13232.
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
818889-4 : False positive malformed json or xml violation.
Links to More Info: BT818889
Component: Application Security Manager
Symptoms:
A false positive malformed XML or JSON violation occurs.
Conditions:
-- A stream profile is attached (or the HTTP profile is set to rechunk on the request side).
-- A JSON/XML profile is attached to the virtual server.
Impact:
A false positive violation.
Workaround:
Modify the http profile to work in preserve mode for request chunking (this workaround is not possible in 16.1).
Fix:
N/A
Fixed Versions:
13.1.5
818853-5 : Duplicate MAC entries in FDB
Links to More Info: BT818853
Component: Local Traffic Manager
Symptoms:
The Forwarding Database (FDB) is not updated when a MAC address moves among interfaces.
Conditions:
-- Having multiple paths to a MAC in a given configuration.
Impact:
There are duplicate MAC address entries which come from multiple interfaces.
Workaround:
None.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.0.2
818169-4 : TMM may consume excessive resources when processing DNS profiles with DNS queuing enabled
Component: Global Traffic Manager (DNS)
Symptoms:
TMM may consume excessive resources while processing traffic with a DNS profile.
Conditions:
A DNS listener is configured with DNS queuing enabled.
DNS queuing is enabled by default.
Impact:
Excessive resource consumption, potentially leading to a TMM crash and a failover event.
Workaround:
Disable DNS queuing.
Fix:
Resource limits for DNS queuing are introduced with the help of DB variables.
modify /sys db dns.ingress.queue.high value <value>
modify /sys db dns.ingress.queue.low value <value>
This change also exposes the following variables to ensure that the paths to the DNSX database are resilient in the face of a temporarily unavailable DNSX database:
modify /sys db dns.action.queue.max value <value>
modify /sys db dns.actions.poll value <value>
modify /sys db dns.contexts.poll value <value>
Modify the value to default to reset any of the above variables.
Behavior Change:
Resource limits for DNS queuing are introduced with the help of DB variables.
modify /sys db dns.ingress.queue.high value <value>
modify /sys db dns.ingress.queue.low value <value>
This change also exposes the following variables to ensure that the paths to the DNSX database are resilient in the face of a temporarily unavailable DNSX database:
modify /sys db dns.action.queue.max value <value>
modify /sys db dns.actions.poll value <value>
modify /sys db dns.contexts.poll value <value>
Modify the value to default to reset any of the above variables.
Fixed Versions:
13.1.5, 15.1.0.2
817709-4 : IPsec: TMM cored with SIGFPE in racoon2
Links to More Info: BT817709
Component: TMOS
Symptoms:
TMM asserted and cored in racoon2 with this panic message:
panic: iked/ikev2_child.c:2858: Assertion "Invalid Child SA proposal" failed.
Conditions:
An IKEv2 Phase 2 SA has no peer proposal associated with it.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This issue no longer occurs.
Fixed Versions:
13.1.5, 14.1.2.8, 15.1.0.2
816277-3 : Extremely long nameserver name causes GUI Error
Links to More Info: BT816277
Component: Global Traffic Manager (DNS)
Symptoms:
Extremely long nameserver and TSIG key names give an error in the GUI while viewing:
-- Bad Request. Your browser sent a request that this server could not understand.
-- Request-URI Too Long. The requested URL's length exceeds the capacity limit for this server.
Conditions:
The nameserver or TSIG key name length exceeds 3300 characters.
Impact:
The GUI reports an error when you try to view them. You are unable to view nameservers and TSIG keys that have extremely long names.
Workaround:
Create nameservers and TSIG keys with shorter names, preferably fewer than 255 characters.
Fix:
Nameserver and TSIG key names are now validated, so this error no longer occurs.
Fixed Versions:
13.1.5, 14.1.4.4
816273-4 : L7 Policies may execute CONTAINS operands incorrectly.
Links to More Info: BT816273
Component: Local Traffic Manager
Symptoms:
L7 Policies involving CONTAINS operands may execute incorrectly in some cases.
The policy compiler may incorrectly combine some internal states, 'forgetting' degrees of partial evaluation of a CONTAINS operation.
Conditions:
Multiple CONTAINS conditions are used on the same virtual server.
Impact:
The wrong policy actions may be triggered.
Workaround:
It may be possible to reorder the rules in a policy to restore correct operation. However, the more complex the policy, the less likely this is.
Fix:
L7 Policy CONTAINS operations are compiled correctly. Policies with CONTAINS operations no longer trigger the wrong rule actions.
Fixed Versions:
13.1.3.4, 14.1.2.3, 15.0.1.1
815877-4 : Information Elements with zero-length value are rejected by the GTP parser
Links to More Info: BT815877
Component: Service Provider
Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.
Conditions:
Virtual server with GTP profile enabled processing GTP traffic.
Impact:
Well-formed GTP messages might get rejected.
Workaround:
Avoid sending GTP messages containing zero-length IEs.
Fix:
Zero-length IEs are now processed correctly.
Fixed Versions:
11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.0.1.4, 15.1.0.5
815753-4 : TMM leaks memory when explicit SWG is configured with Kerberos authentication
Links to More Info: BT815753
Component: Access Policy Manager
Symptoms:
Memory usage of the filter keeps increasing over time, and it becomes one of the major consumers of TMM memory.
Conditions:
This issue happens if the following conditions are met:
1. Access profile type is SWG-explicit.
2. Access policy contains HTTP 407 Response policy item with HTTP Auth Level being Negotiate.
3. Kerberos is used to authenticate a user.
Impact:
TMM sweeper enters aggressive mode and reaps connections.
Workaround:
None.
Fixed Versions:
13.1.3.2, 14.0.1.1, 15.0.1.1
815529-4 : MRF outbound messages are dropped in per-peer mode
Links to More Info: BT815529
Component: Service Provider
Symptoms:
When a Message Routing profile is configured with a peer consisting of an outbound virtual server, transport config, no pool, and per-peer mode, messages may be dropped when the outgoing connection is persisted to a different tmm than the message was received on.
Conditions:
-- Message Routing Profile.
-- A peer configured for outbound traffic with a virtual server and transport config in per-peer mode, no pool.
-- Persistence is enabled.
-- Multiple outbound messages with the same destination address.
Impact:
Outbound traffic with the same destination address may be dropped at random.
Workaround:
Change the peer connection mode to 'Per TMM'.
Fix:
Multiple outbound messages to the same destination address are no longer randomly dropped.
Fixed Versions:
13.1.3.4, 14.1.2.7
815425 : RAID status is shown <undefined> after upgrade from 12.1.3.5 to 13.1.x
Links to More Info: BT815425
Component: TMOS
Symptoms:
On RAID-supported BIG-IP platforms, after an upgrade from BIG-IP v12.1.3.5 to BIG-IP v13.1.x, the RAID array member state is shown as 'undefined' in the commands below, though the actual RAID status is 'up'.
- array
- tmsh show sys raid
Conditions:
On RAID-supported platforms, a clean install of a BIG-IP 12.1.x version followed by an upgrade to a BIG-IP 13.1.x version.
Impact:
RAID information is reported wrongly.
Fix:
RAID information is retrieved and parsed according to the new mdadm supported in BIG-IP 13.1.x version.
Fixed Versions:
13.1.3.2
814761-3 : PostgreSQL monitor fails on second ping with count != 1
Links to More Info: BT814761
Component: Local Traffic Manager
Symptoms:
When using one of the DB monitors (Oracle, MSSQL, MySQL, PostgreSQL) to monitor the health of a server, the pool member may initially be marked UP, but then will be marked DOWN on the next and all subsequent pings.
When this occurs, an error message similar to the following appears in the monitor-instance log under /var/log/monitors:
Database down, see /var/log/DBDaemon.log for details.
Exception in thread "DBPinger-##" java.lang.AbstractMethodError: org.postgresql.jdbc3.Jdbc3Connection.isValid(I)Z
at com.f5.eav.DB_Pinger.db_Connect(DBDaemon.java:1474)
at com.f5.eav.DB_Pinger.db_Ping(DBDaemon.java:1428)
at com.f5.eav.MonitorWorker.run(DBDaemon.java:772)
at java.lang.Thread.run(Thread.java:748)
Conditions:
This may occur if all of the following conditions are true:
1. You are using a DB monitor (Oracle, MSSQL, MySQL, PostgreSQL) configured with a 'count' value of either '0' or a value of '2' or higher.
2. You are using a version of BIG-IP (including an Engineering Hotfix) which contains the fix for ID 769309.
Impact:
Unable to monitor the health of PostgreSQL server pool members accurately.
Workaround:
To work around this issue, configure a 'count' value of '1' in the PostgreSQL monitor configuration.
Fix:
The DB monitor reports the health of a DB server pool member accurately in conjunction with the fix for ID 769309.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.2.3, 15.0.1.3
814585-5 : PPTP profile option not available when creating or modifying virtual servers in GUI
Links to More Info: BT814585
Component: TMOS
Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.
Conditions:
Creating or modifying a virtual server in the GUI.
Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.
Workaround:
Use TMSH to add a PPTP profile to the virtual server.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1
814097-4 : Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.
Links to More Info: BT814097
Component: Service Provider
Symptoms:
When using the Generic Message router to convert SIP messages from TCP to UDP, BIG-IP fails to raise the SERVER_CONNECTED iRule event.
Conditions:
Converting the transport of SIP messages with the Generic Message router.
Impact:
Any code that waits for the SERVER_CONNECTED event will not run.
Fix:
SERVER_CONNECTED event is raised.
Fixed Versions:
11.6.5.2, 13.1.3.4, 14.1.2.7
814037-1 : No virtual server name in Hardware Syncookie activation logs.
Links to More Info: BT814037
Component: Local Traffic Manager
Symptoms:
Missing virtual server name in Hardware Syncookie activation logs. ltm/logs contains error messages:
notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.
Conditions:
-- More than one virtual server with same Destination IP e.g., 'x.x.x.x'.
-- Port 'y' configured.
-- Hardware Syncookie activated.
Impact:
Difficult to determine which virtual server actually got the Syncookie activated.
Workaround:
None.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1
813945-1 : PB core dump while processing many entities
Links to More Info: BT813945
Component: Application Security Manager
Symptoms:
PB core dump.
Conditions:
This may happen when the system is strained and PB is processing large policies (updating many entities may happen during periodic processing, response analysis).
This is a very rarely occurring scenario.
Impact:
PB core dump and restart.
Workaround:
None.
Fix:
PB core dump no longer occurs.
Fixed Versions:
13.1.3.2, 14.1.2.3
813673-1 : The HTTP Explicit proxy does not work correctly with IPv6 clients that use CONNECT to reach IPv4 destinations.
Links to More Info: BT813673
Component: Local Traffic Manager
Symptoms:
A typical configuration of the HTTP Explicit Proxy includes four virtual servers:
-- Two virtual servers for the Explicit Proxy, one IPv4, one IPv6.
-- Two general-purpose virtual servers: one IPv4, one IPv6.
The general-purpose virtual servers allow handling of CONNECT tunneling over the HTTP-tunnel interface.
Unfortunately, if an IPv6 client tries to CONNECT to an IPv4 destination, it fails, returning a 503 status error.
This is due to the IPv6 general-purpose virtual server not being found when performing the destination lookup.
Conditions:
-- The HTTP explicit proxy virtual server is listening on an IPv6 address.
-- 'default-connect-handling deny' is configured on the explicit proxy HTTP profile.
-- IPv4 and IPv6 general-purpose virtual servers exist on the HTTP-tunnel interface.
-- The client connects, and uses CONNECT to proxy to an IPv4 address.
Impact:
The IPv6 client will not be able to "CONNECT" through the explicit proxy to an IPv4 address.
Workaround:
None.
Fix:
Mismatched IPv6 to IPv4 scenarios are supported with the HTTP Explicit Proxy.
Fixed Versions:
13.1.3.2
813657 : MRF SIP ALG with SNAT incorrectly detects ingress queue full
Links to More Info: BT813657
Component: Service Provider
Symptoms:
When SIP ALG processes a non-registered subscriber SIP outbound call, the ingress queue counter may underflow. This is interpreted as the ingress queue being full, and the remaining messages are dropped.
Conditions:
SIP ALG processes non-registered subscriber SIP outbound calls (the nonregister-subscriber-callout option is enabled in the SIP session profile).
Impact:
SIP ALG incorrectly detects the ingress queue is full and stops processing the rest of SIP ALG traffic.
Workaround:
None
Fix:
When SIP ALG processes a non-registered subscriber SIP call, the ingress queue counter is handled correctly.
Fixed Versions:
13.1.3.2
813561-1 : MCPD crashes when assigning an iRule that uses a proc
Links to More Info: BT813561
Component: Local Traffic Manager
Symptoms:
MCPD crashes when assigning an iRule to a Virtual Server or loading a config with an iRule assigned.
Conditions:
The iRule uses a proc that contains three statements associated with different feature flags.
Impact:
MCPD crashes, and the desired iRule cannot be used.
Workaround:
None
Fix:
iRules using proc can be assigned to a Virtual Server without crashing MCPD.
Fixed Versions:
13.1.3.4, 14.1.2.8, 15.0.1.3
812981-2 : MCPD: memory leak on standby BIG-IP device
Links to More Info: BT812981
Component: TMOS
Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.
Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically
Impact:
MCPD may consume a large amount of memory on the standby device. Normal functionality of the standby device may stop; a reboot of the device is required.
Fix:
MCPD on the standby BIG-IP device does not consume more memory than the same daemon on the active BIG-IP device.
Fixed Versions:
12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
812525-5 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Links to More Info: K27551003 , BT812525
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Fixed Versions:
13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
812341-1 : Patch or Delete commands take a long time to complete when modifying an ASM signature set.
Links to More Info: BT812341
Component: Application Security Manager
Symptoms:
When modifying an ASM signature set that is not attached to any security policy using iControl REST Patch or Delete commands, the command takes a long time to complete.
Conditions:
-- ASM provisioned.
-- Using REST API Patch or Delete command to modify an ASM signature set.
Impact:
Command takes longer (several seconds) to process on detached ASM signature sets than it takes to complete on attached signature sets.
Workaround:
None.
Fix:
Changes to signatures and signature sets now only recompile policies that are affected by the change.
Fixed Versions:
13.1.3.2, 14.1.2.3
812237-3 : i10000 series appliances with HDVC part number 505-0030 missing name in show sys hardware and on LCD
Links to More Info: BT812237
Component: TMOS
Symptoms:
"tmsh show sys hardware" will not display a "Name" for the Platform on i10000 series appliances with part number 505-0030.
The LCD will not display the system name.
Conditions:
i10000 series appliances with part number 505-0030 with HDVC (high voltage DC) power supplies.
Impact:
Display only. No functional impact.
The LCD and "tmsh show sys hardware" will not display the product name of i10600 or i10800 as expected.
Workaround:
None
Fix:
The correct F5 marketing name is displayed for i10000 series appliances with high voltage DC power supplies.
Fixed Versions:
12.1.6, 13.1.3.5
811745-4 : Failover between clustered DIAMETER devices can cause mirror connections to be disconnected
Links to More Info: BT811745
Component: Service Provider
Symptoms:
When using DIAMETER with certain settings, a failover might cause mirror connections to get disconnected.
Conditions:
-- Two or more BIG-IP systems in a high availability (HA) configuration.
-- Aggressive settings for the DIAMETER watchdog timeout and max failures.
Impact:
Loss of mirroring between BIG-IP systems.
Workaround:
None.
Fix:
Mirror connections no longer disconnect during a failover.
Fixed Versions:
13.1.3.2, 14.1.2.1, 15.0.1.1
811145-4 : VMware View resources with SAML SSO are not working
Links to More Info: BT811145
Component: Access Policy Manager
Symptoms:
Connections to SAML-enabled VMware View resources fail with following error in /var/log/apm:
err vdi[18581]: 019cffff:3: /pathname: {a7.C} Failed to handle View request: Can't find 'artifact' parameter.
Conditions:
VMware View resource is configured with SAML SSO method.
Impact:
Users cannot launch VMware View apps/desktops via SAML-enabled resource.
Workaround:
None.
Fix:
Can now successfully use VMware View resources with SAML SSO.
Fixed Versions:
13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
811105-3 : MRF SIP-ALG drops SIP 183 and 200 OK messages
Links to More Info: BT811105
Component: Service Provider
Symptoms:
SIP 183 and 200 OK messages are dropped after an INVITE in MRF SIP-ALG when media info is present in the Session Description Protocol.
Conditions:
- MRF SIP-ALG default configuration
- INVITE sent with media info in SDP
- Media info contains an rtcp without an IP address
Impact:
SIP calls are unable to establish media connections.
Workaround:
Ensure all RTCP attributes in the SDP have IP addresses.
Example: Change "a=rtcp:29974\r\n" to "a=rtcp:29974 IN IP4 10.10.10.10\r\n"
Fix:
Calls are able to establish media connections in MRF SIP-ALG when media info contains an RTCP with no IP information.
Fixed Versions:
13.1.3.4, 14.1.2.5, 15.0.1.4
811033-3 : MRF: Bidirectional persistence does not work in reverse direction if different transport protocols are used
Links to More Info: BT811033
Component: Service Provider
Symptoms:
If a message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP), messages traveling from the destination to the source of the persistence entry are incorrectly delivered to the destination.
Conditions:
-- A message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP).
-- Messages are traveling from the destination to the source of the persistence entry.
Impact:
Messages are forwarded to an incorrect endpoint.
Workaround:
None.
Fix:
For all bi-directional persistence records the transport protocol of the connection is not used in the key used to store the record.
Fixed Versions:
13.1.3.4, 14.1.2.5
810821-4 : Management interface flaps after rebooting the device.
Links to More Info: BT810821
Component: TMOS
Symptoms:
The Management interface flaps after rebooting the device, which may cause a momentary active-active condition in a high availability (HA) configuration.
Conditions:
This can occur after rebooting the active or standby device in an HA configuration if the final management port configuration completes late in the startup sequence. This can be due to network conditions for the network the management port is connected to.
This problem has been observed only on hardware platforms.
Impact:
Devices go active-active for a few seconds and then resume normal operation.
Workaround:
You may be able to work around this issue in either of two ways:
-- Change the management port speed to 100/Fixed Duplex. For more information on changing the interface, see K14107: Configuring the media speed and duplex settings for network interfaces (11.x - 13.x), available at https://support.f5.com/csp/article/K14107.
-- Connect a serial failover cable between the HA peers, which prevents the active/active condition from occurring.
Fix:
The startup sequence has been changed to confirm that management port configuration is complete before proceeding with HA processing.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.2
810593-4 : Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade
Links to More Info: K10963690 , BT810593
Component: TMOS
Symptoms:
The vCMP guests go to 'INOPERATIVE' after upgrade.
Conditions:
-- Upgrading the host from v12.1.4.1.
-- Upgrading the host from v13.1.1.5.
Impact:
The vCMP guests go to the 'INOPERATIVE' state and do not pass traffic.
Workaround:
There is no workaround. You must upgrade the vCMP host to a fixed version, for example, 15.1.0.
Fixed Versions:
13.1.3.5, 14.1.2.7
810445-3 : PEM: ftp-data not classified or reported
Links to More Info: BT810445
Component: Local Traffic Manager
Symptoms:
When a virtual server is configured with an FTP profile, and also a PEM or classification profile, the traffic associated with the FTP data stream is not correctly classified or reported.
Conditions:
-- Virtual server is configured with an FTP profile.
-- A PEM or classification profile is also configured on the virtual server.
Impact:
Traffic associated with ftp-data (i.e., file transfers using FTP) may not be classified or reported.
Workaround:
None.
Fix:
Ftp-data is now correctly classified and reported. Note that the 'inherit-parent-profile' in the FTP profile must be enabled.
Fixed Versions:
13.1.3.5, 14.1.2.8
810381-1 : The SNMP max message size check is being incorrectly applied.
Links to More Info: BT810381
Component: TMOS
Symptoms:
If the SNMP server receives an SNMPv3 request with a small max message size, it applies that limit to all subsequent requests. This can cause SNMPv1 and SNMPv2c requests to time out if the requests or their responses are too long, for example, large get-bulk requests.
Conditions:
An SNMPv3 request with a small max message size is received while large SNMPv1 and SNMPv2c requests are being processed.
Impact:
Responses time out.
Workaround:
Do not send SNMPv3 requests to the BIG-IP system.
Fix:
SNMPv3 requests no longer impact SNMPv1 and SNMPv2c requests.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.0.4
809657-4 : HA Group score not computed correctly for an unmonitored pool when mcpd starts
Links to More Info: BT809657
Component: TMOS
Symptoms:
When mcpd starts up, unmonitored pools in a high availability (HA) group do not contribute to the HA group's score.
Conditions:
-- HA group configured with at least one pool.
-- At least one of the pools assigned to the HA group is not using monitoring.
-- mcpd is starting up (due to bigstart restart, or a reboot, etc.).
Impact:
Incorrect HA Group score.
Workaround:
Remove the unmonitored pools from the HA group and re-add them.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1
809597-1 : Memory leak in icrd_child observed during REST usage
Links to More Info: BT809597
Component: Local Traffic Manager
Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.
Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing device via REST.
Impact:
The memory leak is gradual. Eventually, the icrd_child process runs out of memory.
Workaround:
None.
Fix:
Fixed a memory leak in icrd_child.
Fixed Versions:
13.1.4, 14.1.3, 15.1.0.2
809377-4 : AFM ConfigSync Hardening
Links to More Info: K05123525
809205-3 : CVE-2019-3855: libssh2 Vulnerability
Component: TMOS
Symptoms:
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server.
Conditions:
-- Authenticated administrative user with Advanced Shell Access.
-- Use of cURL from the command line to connect to a compromised SSH server.
Impact:
A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to that server.
Workaround:
None.
Fix:
libcurl updated.
Fixed Versions:
12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1, 15.1.3, 16.0.1.2
808409-1 : Unable to specify if giaddr will be modified in DHCP relay chain
Links to More Info: BT808409
Component: Local Traffic Manager
Symptoms:
ID 746077 changed the dhcprelay behavior in order to comply with RFC 1542, Clarifications and Extensions for BOOTP.
However, because the change also encompasses the DHCP-to-DHCP relay scope, the behavior is not configurable with a db key.
Conditions:
DHCP Relay deployments where the giaddr needs to be changed.
Impact:
You are unable to specify whether giaddr will be changed.
Workaround:
None.
Fix:
A new sys db variable, tmm.dhcp.relay.giaddr.overwrite, is introduced.
The default is:
sys db tmm.dhcp.relay.giaddr.overwrite {
value "enable"
}
On versions with only the fix for ID 746077, this sys db variable DOES NOT exist, and BIG-IP always retains the source IP.
On versions with both this fix and the fix for ID 748333, this fix overrides the fix for ID 746077. To change the default, set the value to "disable" to retain
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
808281 : OVA/Azure template sets '/var' partition with not enough space
Links to More Info: BT808281
Component: TMOS
Symptoms:
After booting a new BIG-IP Virtual Edition (VE) image from OVA or Azure, you see errors on the console:
Broadcast message from root@localhost.localdomain:
011d0004:3: Disk partition /var has only 19% free.
Conditions:
Installing BIG-IP software via the OVA template or Azure image.
Impact:
The system is generally unusable; applications cannot operate without space in /var. Diskmonitor reports errors on the console and in /var/log/ltm.
Workaround:
Remove unused APM binaries in /var/sam/images.
Fixed Versions:
13.1.3.5
807821-3 : ICMP echo requests occasionally go unanswered
Links to More Info: BT807821
Component: Local Traffic Manager
Symptoms:
An ARP entry gets stuck in the NEXTHOP_INCOMPLETE state for several seconds.
Conditions:
-- There is no ARP entry for the return-route router.
-- The 'remote' BIG-IP system receives an ICMP echo request.
Impact:
Possible traffic failures.
Workaround:
None.
Fix:
ICMP echo replies are always sent for a valid ICMP echo request.
Fixed Versions:
12.1.5.3, 13.1.3.5
807445 : Replaced ISC_TRUE and ISC_FALSE with true and false
Links to More Info: BT807445
Component: Global Traffic Manager (DNS)
Symptoms:
Updated the zrd code to remove references to ISC_TRUE and ISC_FALSE, since BIND has been upgraded to 9.11.8 and those macros no longer exist.
Conditions:
BIND version is earlier than 9.11.8.
Impact:
There is no functional impact.
Workaround:
None.
Fix:
Removed references to ISC_TRUE and ISC_FALSE from zrd, since BIND has been upgraded to 9.11.8 and those macros no longer exist.
807177-1 : HTTPS monitoring is not caching SSL sessions correctly
Links to More Info: BT807177
Component: Global Traffic Manager (DNS)
Symptoms:
In situations where a cached SSL session cannot be used, there are conditions where the information for old and new SSL sessions is not properly updated, and valid SSL sessions are not terminated in an orderly fashion.
Conditions:
When using GTM HTTPS monitoring.
Impact:
Information for old and new SSL sessions is not properly updated, and valid SSL sessions are not terminated in an orderly fashion.
Workaround:
Restart big3d by running the following command:
bigstart restart big3d
Fixed Versions:
13.1.3.4, 14.1.2.5
807005-3 : Save-on-auto-sync is not working as expected with large configuration objects
Links to More Info: BT807005
Component: TMOS
Symptoms:
A device group has 'save sys config' enabled for all auto-sync operations, using the following command:
modify cm device-group name save-on-auto-sync true
Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.
Conditions:
-- The save-on-auto-sync option is enabled.
-- The device has a large configuration, such as 2,100 virtual servers and ~1,100 partitions.
Impact:
Configuration is not saved, which leads to out-of-sync condition.
Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.
Fixed Versions:
11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
805821-5 : GTP log message contains no useful information
Links to More Info: BT805821
Component: Service Provider
Symptoms:
GTP profile and GTP iRules provide no useful information in order to proceed with troubleshooting.
Conditions:
A GTP profile or GTP iRule fails to process a message.
Impact:
Users lack the information needed for troubleshooting.
Workaround:
N/A
Fix:
GTP error log has been replaced with a more useful message. The new log message provides more intuitive information including the reason and, in some messages, location of data that causes the failure.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1
805017-3 : DB monitor marks pool member down if no send/recv strings are configured
Links to More Info: BT805017
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle or PostgreSQL database monitor type) is configured without a 'send' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool members are configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- No send string is configured for the monitor.
Impact:
With this configuration, the monitor connects to the configured database, but does not issue a query or check for a specific response. Pool members are always marked DOWN when using a database monitor with no 'send' string configured.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.3
804477-2 : Add HSB register logging when parts of the device become unresponsive
Links to More Info: BT804477
Component: TMOS
Symptoms:
Parts of the HSB can become unresponsive, with insufficient logging to diagnose the root cause. Additional data needs to be captured when the issue occurs.
Conditions:
This additional logging will trigger whenever parts of the HSB become unresponsive.
Impact:
The register logging will provide further insight into the HSB state when it becomes unresponsive.
Workaround:
None.
Fix:
Additional logging of HSB register states has been added whenever parts of the HSB become unresponsive.
Fixed Versions:
13.1.3.4, 14.1.4.3
804313-4 : MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.
Links to More Info: BT804313
Component: Service Provider
Symptoms:
The mirrored-message-sweeper-interval configuration option has no effect on the BIG-IP.
Conditions:
MRF in use, high availability configured, and a SIP profile is configured to use a specific Mirrored Message Sweeper Interval setting.
Impact:
On a system under high load, the next active device in a high availability (HA) pair could run out of memory.
Workaround:
None
Fix:
Message sweeper interval value now loads correctly.
Fixed Versions:
13.1.3.4, 14.1.2.1, 15.0.1.2
804309-3 : [api-status-warning] messages are generated at stderr and in /var/log/ltm when listing config with the all-properties argument
Links to More Info: BT804309
Component: TMOS
Symptoms:
Running the command 'tmsh list' on a pool or virtual server with the 'all-properties' argument generates a warning:
[api-status-warning] ltm/virtual, properties : deprecated : urldb-feed-policy
Conditions:
Including the 'all-properties' argument with the 'tmsh list' command.
Impact:
There is no impact to the system. The excessive [api-status-warning] at stderr and /var/log/ltm for tmsh list commands are spurious, benign, and can be ignored.
Workaround:
tmsh modify /mgmt shared settings api-status log resource-property deprecatedApiAllowed false
tmsh modify /mgmt shared settings api-status log resource deprecatedApiAllowed false
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.0.5
804185-3 : Some WebSafe request signatures may not work as expected
Links to More Info: BT804185
Component: Fraud Protection Services
Symptoms:
Request signatures are part of the WebSafe signature mechanism. A request signature is achieved by configuring an FPS-protected URL and a corresponding custom alert. If the URL is a wildcard, a priority must be assigned to determine the order of matching. URL matching by priority is not working properly. As a result, the signatures do not work as expected.
Conditions:
There is at least one wildcard URL configured by the request signature update file.
Impact:
A portion of WebSafe request signatures do not work as expected:
-- An alert is sent, though it should not be (false-positive).
-- An alert was not sent, though it should be (false-negative).
Workaround:
Configure the same signature manually in the BIG-IP system's GUI/tmsh.
Fix:
FPS now correctly handles signature-based wildcard URL's priority.
Fixed Versions:
13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
803825 : WebSSO does not support large NTLM target info length
Links to More Info: BT803825
Component: Access Policy Manager
Symptoms:
WebSSO crashes.
Conditions:
When the optional field of the target info is about 1000 bytes or larger.
Impact:
WebSSO crashes and loss of service.
Workaround:
Configure NTLM so that it does not use a large target info; fewer than 800 bytes is recommended.
Fixed Versions:
13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2
803813-3 : TMM may experience high latency when processing WebSocket traffic
Links to More Info: BT803813
Component: Application Security Manager
Symptoms:
Under certain conditions, TMM may experience higher than usual latency when processing WebSocket traffic.
Conditions:
-- WebSocket traffic.
-- Very long connections or large amounts of traffic.
-- Platforms with many CPUs.
Impact:
Increased latency in WebSocket traffic.
Workaround:
None.
Fix:
Fixed an issue that could cause latency with WebSocket traffic.
Fixed Versions:
13.1.3.4, 14.1.2.7
803809-1 : SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.
Links to More Info: BT803809
Component: Service Provider
Symptoms:
When MRF SIP is configured in per-client mode and preserve-strict source port is enabled on a virtual server, messages may fail to forward due to port collisions when multiple clients try to use the same port (which is expected/accepted behavior with this configuration). After the port has been freed or the configuration changed, messages continue to fail for clients that had previous port collisions.
Conditions:
-- MRF SIP configured with: Per-Client connection mode and virtual server with preserve-strict source port enabled.
-- Multiple clients try to connect using the same local port.
-- Previously failed client connections attempt to connect again after the port has been freed or configuration changed.
Impact:
Calls from one or more clients are unable to be completed.
Workaround:
You can prevent this behavior using either workaround:
-- Configure a different connection mode (Per-TMM, for example).
-- Disable preserve-strict source port on the virtual server.
Fix:
Clients with previous connection failures are now able to connect when the port is no longer in use or the configuration has been changed.
Fixed Versions:
13.1.3.4, 14.1.2.7, 15.1.0.2
803645-1 : GTMD daemon crashes
Links to More Info: BT803645
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process crashes in response to a call triggered by its own timer event.
Conditions:
The conditions that trigger this intermittent issue are difficult to reproduce, but it might occur when the system is under heavy load and gtmd is starved of CPU cycles.
Impact:
The gtmd process restarts and produces a core file.
Workaround:
None.
Fixed Versions:
13.1.3.3, 14.1.2.7
803629-4 : SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
Links to More Info: BT803629
Component: Local Traffic Manager
Symptoms:
For a database (mssql, mysql, postgresql or oracle) monitor type, with a 'recv' string configured, a pool member configured to use the DB monitor may be marked down even if the server is working and includes the configured response string among the response data.
Debug logging of the SQL monitor indicates the following:
... [DBPinger-3778] - Response from server: Database: 'db1'Database: 'information_schema'
... [DBPinger-3778] - Checking for recv string: information_schema
... [DBPinger-3778] - Analyze Response failure
The log shows 'Analyze Response failure' error message even when the configured 'recv' string appears within the response message from the DB server.
Conditions:
This occurs when the string matching the configured 'recv' string value does not appear in the response from the DB server in the row indicated by the 'recv-row' value configured for the monitor.
The default value of 'none' for the 'recv-row' monitor configuration value is actually interpreted as 'row 1' by the DB monitor core implementation.
Therefore, with the default configuration, any 'recv' string configured must appear in the first row of the DB server response in order to be recognized as a match.
Impact:
The DB monitor fails, and the DB server (node) is marked as down even though it is reachable and responding correctly per the configured 'recv' string.
Workaround:
You may use one of the following methods to work around this issue:
1. Configure the DB monitor's 'recv' string to match on the first row in the server response message.
2. Configure the 'recv-row' value in the DB monitor to match the row of the DB server's response which contains the configured 'recv' string.
3. Do not configure 'send' or 'recv' string for the DB monitor.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.0.1.1
803477-1 : BaDoS State file load failure when signature protection is off
Links to More Info: BT803477
Component: Anomaly Detection Services
Symptoms:
Behavioral DoS (BADoS) loses its learned thresholds.
Conditions:
Restart of admd when signature protection is off.
Impact:
The system must relearn the thresholds; BADoS protection is not available during the learning period.
Workaround:
Turn on signatures detection.
Fix:
BADoS State file successfully loads after admd restart, even without signatures detection.
Fixed Versions:
13.1.3.2, 14.1.2.1, 15.0.1.1
803233-4 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
Links to More Info: BT803233
Component: Local Traffic Manager
Symptoms:
Intermittently (depending on the timing of operations that keep MCP busy):
1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:
-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.
2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:
-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.
Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.
Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.
Workaround:
None.
Fix:
FQDN ephemeral pool members are created in a more timely manner when FQDN resolution via DNS returns new address records.
Fixed Versions:
12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1
802961-1 : The 'any-available' prober selection is not as random as in earlier versions
Links to More Info: BT802961
Component: Global Traffic Manager (DNS)
Symptoms:
Some big3d instances can be periodically busier than other big3d instances.
Conditions:
-- When 'any-available' is selected for either the prober-preference or prober-fallback options.
-- A large number of monitors are defined.
Impact:
When the 'any-available' prober option is used, the selection of big3d probers may not be as random as in BIG-IP software versions prior to v13.0.0.
Workaround:
None.
Fixed Versions:
13.1.3.4, 14.1.2.5
802685-4 : Unable to configure performance HTTP virtual server via GUI
Links to More Info: BT802685
Component: TMOS
Symptoms:
When creating 'performance HTTP' virtual servers via GUI, the following error is reported:
01070734:3: Configuration error: A Virtual Server(/Common/vfasthttp) cannot be associated with both fasthttp and L4 profile.
Conditions:
Use the GUI to create a virtual server of type Performance (HTTP).
Impact:
Failed to create a 'performance HTTP' virtual server.
Workaround:
Use TMSH to configure the performance HTTP virtual server:
tmsh create ltm virtual vfasthttp destination 1.1.1.1:80 ip-protocol tcp profiles add { fasthttp }
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
802281-4 : Gossip shows active even when devices are missing
Links to More Info: BT802281
Component: TMOS
Symptoms:
Gossip appears Active even when one or more devices go missing from the device group. 'restcurl shared/gossip' shows active on both devices, even when the devices are not listed in 'restcurl shared/resolver/device-groups/tm-shared-allBIG-IPs/devices'.
Conditions:
The conditions under which this issue occurs are unknown. This is an intermittent issue.
Impact:
Gossip reports that it is working when it is not.
Workaround:
-- If the missing device is the active device, run the following command on the Active DSC Device:
restcurl -X POST -d '{}' tm/shared/bigip-failover-state
-- If the missing device is the standby device, reboot the device, make it active, and then run the following command:
restcurl -X POST -d '{}' tm/shared/bigip-failover-state
Fixed Versions:
13.1.3.5, 14.1.2.5, 15.1.0.2
801705-2 : When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC
Links to More Info: BT801705
Component: Local Traffic Manager
Symptoms:
The 'HTTP::cookie attribute' irule command allows manipulation of Cookie or Set-Cookie headers in HTTP requests or responses. When this command is used to insert a cookie attribute, it appends the attribute (and a possible value) to the header without a leading space character. A leading space character is a requirement per RFC 6265. When such a header is formed with iRule command 'HTTP::cookie insert' or 'HTTP::cookie attribute insert', the leading space is not provided, violating the RFC.
Conditions:
-- A virtual server with HTTP profile is configured.
-- There is an iRule generating or updating a cookie header with 'HTTP::cookie insert' or 'HTTP::cookie attribute insert' command.
Impact:
There is no space preceding the attribute, so the RFC is violated.
Workaround:
When inserting a cookie attribute with iRule command, add a leading space to the name of attribute to be inserted.
Fixed Versions:
13.1.3.6, 14.1.3.1
801637-1 : Cmp_dest on C2200 platform may give incorrect results
Links to More Info: BT801637
Component: TMOS
Symptoms:
Cmp_dest on C2200 platform may give incorrect results.
Conditions:
Run cmp_dest.
Impact:
Incorrect results from cmp_dest.
Fix:
Cmp_dest now gives correct results.
Fixed Versions:
12.1.5.3, 13.1.3.5
800453-1 : False positive virus violations
Links to More Info: K72252057 , BT800453
Component: Application Security Manager
Symptoms:
False positive ASM virus violations.
Conditions:
Specific connection characteristics between ASM and the antivirus server may cause replies from the antivirus server to be missed by the ASM.
Impact:
ASM reports a virus when the antivirus reply is timed out. False positive blocking or violation reporting.
Workaround:
Set the EnableASMByPass internal parameter so that a missing reply from the antivirus server does not raise a violation:
/usr/share/ts/bin/add_del_internal add EnableASMByPass 1
bigstart restart asm
Note: When the internal parameter is enabled, ASM also bypasses huge HTTP requests (when they come on multiple connections) instead of resetting them.
Fix:
False positive ASM virus violations no longer occur under these conditions.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.3
800305-4 : VDI::cmp_redirect generates flow with random client port
Links to More Info: BT800305
Component: Local Traffic Manager
Symptoms:
The VDI::cmp_redirect iRule command generates a flow with a randomly-assigned client port.
Conditions:
-- VDI::cmp_redirect iRule command used
Impact:
Client port is not the same as the original client port.
Fix:
The VDI::cmp_redirect iRule command now uses the same port.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.1
800193 : Update OpenSSH to version 7 or later for disabling of DSA keys
Links to More Info: BT800193
Component: TMOS
Symptoms:
The current OpenSSH version 6.6.1p1 in BIG-IP v13.1.x does not allow DSA keys to be disabled. Lack of this feature causes audit failures, because DSA keys are allowed to authenticate to the BIG-IP system.
Conditions:
The issue can be seen on BIG-IP software that has OpenSSH version 6.6.
Impact:
Lack of this feature (disabling DSA keys) causes audit failures, because DSA keys are allowed to authenticate to the BIG-IP system.
Workaround:
None.
Fix:
This version updates OpenSSH to version 7, which allows DSA keys to be disabled.
Fixed Versions:
13.1.3.6
800185-2 : Saving a large encrypted UCS archive may fail and might trigger failover
Links to More Info: BT800185
Component: TMOS
Symptoms:
-- When saving a very large encrypted UCS file, you may encounter an error:
# tmsh save /sys ucs my_ucs passphrase <mysecret>
Saving active configuration...
Can't fork at /usr/local/bin/im line 305.
/var/tmp/configsync.spec: Error creating package
-- If saving UCS is automated you may find related errors in /var/log/audit:
err scriptd[45342]: 014f0013:3: Script (/Common/f5.automated_backup__backup) generated this Tcl error: (script did not successfully complete: (UCS saving process failed. while executing "tmsh::save /sys ucs $fname ))
-- Other services might be restarted due to lack of memory, which might result in failover.
-- System management via the Configuration utility or command line may be sluggish while the UCS saves.
Conditions:
-- Large encrypted UCS files and low free host memory.
-- UCS file sizes in hundreds of MB are much more likely to encounter this issue, along with free memory less than 1 GB.
Impact:
The operation uses at least 1.3 times the UCS file size of RAM. The UCS may not get saved correctly, and if not enough memory is available, low free-memory symptoms become apparent.
The latter may result in services being killed to free memory, resulting in service impact and failover, though it is quite typical for the overly large process saving the UCS to be terminated with no other impact.
Workaround:
A mitigation is to minimise UCS file size. UCS files large enough to encounter this issue typically contain very large files, some of which may not be needed or are no longer necessary.
Remove unnecessary large files from directories that contribute to UCS archives, for example, stray, large files such as packet captures in /config or its subdirectories. (For help understanding what is in UCS archives, see K12278: Removing non-essential files from a UCS when disk space errors are encountered :: https://support.f5.com/csp/article/K12278.)
If using APM, remove unnecessary EPSEC ISO files. (For more information, see K21175584: Removing unnecessary OPSWAT EPSEC packages from the BIG-IP APM system :: https://support.f5.com/csp/article/K21175584.)
Fix:
Saving a large UCS file no longer fails.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4
799149 : Authentication fails with empty password
Links to More Info: BT799149
Component: Access Policy Manager
Symptoms:
Per-request policy authentication fails when an empty password is detected. The following errors are seen in the APM logs:
-- err apmd[13930]: 01490301:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Empty session variable value received from tmm.
-- err apmd[13930]: 01490302:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Failed to decrypt session variable 'subsession.logon.last.password' from tmm with error code: 3.
Conditions:
-- APM is licensed and provisioned.
-- Per-req policy is created with at least one Auth agent.
Impact:
APM end users cannot change a password/token or access backend resources.
Workaround:
None.
Fix:
Per-request policy auth no longer complains about empty password. If the backend server accepts an empty password, auth should work fine.
Fixed Versions:
13.1.3.2, 14.1.2.7
798261-4 : APMD fails to create session variables if spanning is enabled on SWG transparent virtual server
Links to More Info: BT798261
Component: Access Policy Manager
Symptoms:
The following messages appear in the APM log, and the user session is terminated:
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_finish_set_pipeline()" line: 720 Msg: Error: Set pipeline: While receiving response to 0 cmd set /.*/tmm.session.6833364e.session.assigned.uuid 0 0 32 s
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_server_disconnect()" line: 2533 Msg: Error: bad memcache connection (tmm:1), (fd:205)
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
The SET command failed because it incorrectly attempted to create the session variable in all traffic groups.
Conditions:
1. The virtual address of the SWG transparent virtual server is 0.0.0.0.
2. Spanning is enabled on the virtual address.
Impact:
User sessions are terminated.
Workaround:
Disable virtual address spanning.
Fix:
N/A
Fixed Versions:
13.1.3.2, 14.1.2.5, 15.0.1.3
797829-3 : The BIG-IP system may fail to deploy new or reconfigure existing iApps
Links to More Info: BT797829
Component: TMOS
Symptoms:
The BIG-IP system may fail to deploy new or reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:
script did not successfully complete: ('source-addr' unexpected argument while executing
The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.
The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.
Conditions:
This issue occurs when:
-- The BIG-IP system is configured with multiple users of varying roles.
-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all the processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been looking at the configuration of iApps using the GUI a lot.
-- Subsequently, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.
Note: You can inspect the number of child processes already created by scriptd by running the following command:
pstree -a -p -l | grep scriptd | grep -v grep
However, it is not possible to determine their current 'security context'.
Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.
Workaround:
Restart scriptd. To restart scriptd, run:
bigstart restart scriptd
Running this command has no negative impact on the system.
The workaround is not permanent; the issue may occasionally recur depending on your system usage.
Fix:
The system now stops all scriptd child processes and creates new ones with the new user security-context when the user changes.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1
797785-3 : AVR reports no ASM-Anomalies data.
Links to More Info: BT797785
Component: Application Visibility and Reporting
Symptoms:
AVR collects data for ASM-Anomalies, which include Brute-Force and Web-Scraping activities. When reported, all metrics and dimensions are hidden. AVR output looks like this:
errdefs_msgno=\"22282253\",Entity=\"ASM_ANOMALIES\
Conditions:
When gathering statistics reporting a Brute-Force or Web-Scraping attack.
Impact:
AVR reports no ASM-Anomalies data.
Workaround:
None.
Fixed Versions:
13.1.3.2, 14.1.2.1, 15.0.1.3
797769-3 : Linux vulnerability : CVE-2019-11599
Links to More Info: K51674118
796993-3 : Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
Links to More Info: BT796993
Component: Local Traffic Manager
Symptoms:
When a pool contains FQDN nodes as pool members, pool member state change messages are not logged in /var/log/ltm.
Conditions:
-- Create a pool with an FQDN node as its pool member.
-- Apply a monitor to it.
-- The monitor marks the pool member up/down based on reachability.
Impact:
-- Status message is not updated in /var/log/ltm logs.
-- There is no functional impact.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.3.1
796601-6 : Invalid parameter in errdefsd while processing hostname db_variable
Links to More Info: BT796601
Component: TMOS
Symptoms:
Errdefsd crashes, creates a core file, and restarts.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Possible loss of some logged messages.
Workaround:
None.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2
795649-2 : Loading UCS from one iSeries model to another causes FPGA to fail to load
Links to More Info: BT795649
Component: TMOS
Symptoms:
When loading a UCS file from one iSeries model to a different iSeries model, the FPGA fails to load due to a symlink in the UCS file pointing to the firmware version for the source device.
The system will remain in INOPERATIVE state, and messages similar to the following will be seen repeatedly in /var/log/ltm:
-- emerg chmand[7806]: 012a0000:0: FPGA firmware mismatch - auto update, No Interruption!
-- emerg chmand[7806]: 012a0000:0: No HSBe2_v4 PCIs found yet. possible restart to recover Dataplane.
-- emerg chmand[7806]: 012a0000:0: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
-- err chmand[7806]: 012a0003:3: HAL exception publishing switch config: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
Conditions:
Loading a UCS from one iSeries model onto another model, for example, from an i7800 onto an i11400-ds, or from an i2600 to an i5600.
Impact:
FPGA fails to load; the BIG-IP system becomes unusable.
Workaround:
1. Update the symbolic link /config/firmware/hsb/current_version to point to the correct firmware file for the hardware model in use. Here are some examples:
-- For the i2800:
# ln -sf /usr/firmware/hsbe2v4_atlantis/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
-- For the i7800:
# ln -sf /usr/firmware/hsbe2v2_discovery/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
-- For the i11400-ds:
# ln -sf /usr/firmware/hsbe2_discovery_turbo/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
2. Reboot the system.
Fixed Versions:
12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.0.3
794501-4 : Duplicate if_indexes and OIDs between interfaces and tunnels
Links to More Info: BT794501
Component: TMOS
Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.
Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.
Impact:
SNMP OIDs relating to interfaces may yield incomplete results.
Duplicate if_indexes and duplicate OIDs. SNMP logs error messages:
# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
if-index 64 <-------------------------------
net interface mgmt {
if-index 32
net vlan external {
if-index 96
net vlan internal {
if-index 112
net vlan test {
if-index 128
net vlan tmm_bp {
if-index 48
net tunnels tunnel http-tunnel {
if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
if-index 80
# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm
-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: high availability (HA) daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: high availability (HA) daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: high availability (HA) proc_running named enabled.
=========================
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289
Workaround:
No workaround currently known.
Fix:
Duplicate if_indexes are no longer assigned to tunnels and interfaces. The resulting duplicate SNMP OIDs are prevented.
Fixed Versions:
12.1.5.3, 13.1.3.2, 14.1.2.3, 15.0.1.1
794493 : Creating Client SSL profile via tmsh or iControl REST and specifying 'cert' and 'key' incorrectly leaves inherit-certkeychain as true
Links to More Info: BT794493
Component: Local Traffic Manager
Symptoms:
Client SSL profiles may have distinct (different from parent profile) certificate and key files, but the 'inherit-certkeychain' attribute set as 'true', even though the profile should not be inheriting these values from parent, for example:
ltm profile client-ssl example-prof {
cert example.crt
cert-key-chain {
example{
app-service none
cert example.crt
chain none
key example.key
passphrase none
}
}
defaults-from intermediate
inherit-certkeychain true
key example.key
}
If multiple profiles are configured for SNI and assigned to a virtual server, attempting to modify the parent profile can result in error:
err mcpd[5352]: 0107149e:3: Virtual server /Common/vs_test has more than one clientssl/serverssl profile with same server name.
Conditions:
-- Parent profile other than 'clientssl'
-- Have a child profile created by defining 'cert' and 'key' attributes, rather than specifying a 'cert-key-chain', e.g.:
tmsh create ltm profile client-ssl example-prof defaults-from intermediate cert example.crt key example.key
Impact:
Unable to modify the SSL profile if the profiles are assigned to a virtual server.
If profiles are not configured for SNI, the specified certificate and key on child profiles will be reverted to the values from the parent profile.
Workaround:
Create SSL profiles by specifying cert-key-chain, rather than separately specifying 'cert' and 'key' attributes on SSL profile.
For profiles that are already affected, you can use either of the following workarounds.
Use the GUI:
-- Modify profiles using the GUI and check the 'Custom' checkbox for 'Certificate Key Chain'.
Change the configuration file:
1. Save the configuration.
2. Open bigip.conf for editing.
3. Modify the affected profiles, changing 'inherit-certkeychain true' to 'inherit-certkeychain false'.
4. Load the configuration.
Fix:
SSL profiles created specifying certificates and keys in the profile now have inherit-certkeychain set to false.
Fixed Versions:
13.1.3
794417-2 : Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not
Links to More Info: BT794417
Component: Local Traffic Manager
Symptoms:
On a single virtual server, when 'TLS Renegotiation' is enabled in an associated Client SSL profile, the system should prevent enabling the 'Enforce TLS Requirements' option in the associated HTTP/2 profile.
Conditions:
BIG-IP system validation does not prevent this configuration in the following scenario:
1. Disable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
2. Enable 'TLS Renegotiation' in the Client SSL profile.
3. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
Impact:
The configuration does not load if saved, and reports an error:
01070734:3: Configuration error: In Virtual Server (/Common/http2vs) an http2 profile with enforce-tls-requirements enabled is incompatible with clientssl profile '/Common/my_clientssl'; renegotiation must be disabled.
Workaround:
If enabling 'Enforce TLS Requirements' in an HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in all Client SSL profiles on that virtual server.
Fix:
Added a missing validation check for TLS Renegotiation and Enforce TLS Requirements.
Behavior Change:
BIG-IP validation now requires TLS Renegotiation in the Client SSL profile to be disabled when the TLS enforcement requirement (RFC 7540) is enabled in the HTTP/2 profile.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
793669-4 : FQDN ephemeral pool members on a high availability (HA) pair do not get properly synced with the new session value
Links to More Info: BT793669
Component: Local Traffic Manager
Symptoms:
On a high availability (HA) device group configuration where a pool has FQDN nodes as pool members, when the pool member is enabled or disabled on one device and config-sync is run, the peer device is not fully updated. The template node gets updated with the new value, but the ephemeral pool member retains the old value.
Conditions:
Steps to Reproduce:
1. Configure HA, specifically a Device group (for example, Failover) with two BIG-IP systems.
2. Create an HTTP pool (TEST_FQDN_POOL) and FQDN Pool Member on both systems.
3. Wait for the FQDN pool member to report as AVAIL_GREEN and the ephemeral node as AVAIL_BLUE on both systems.
4. Log in to tmsh on either system.
5. Run the command:
tmsh run cm config-sync to-group Failover
6. Run the command:
tmsh modify ltm pool TEST_FQDN_POOL members modify { example.com:http { session user-disabled } }
7. Run the command:
tmsh run cm config-sync force-full-load-push to-group Failover
Impact:
FQDN pool member enabling/disabling is not being fully propagated to the other device after config-sync.
Workaround:
Delete the fqdn node from the pool and add it back.
Fix:
FQDN ephemeral pool members are now in sync and disabled on the high availability (HA) peer.
Fixed Versions:
13.1.5
793121-1 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
Links to More Info: BT793121
Component: TMOS
Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.
Conditions:
The TMUI redirect-http-to-https is enabled.
Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.
Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.
Fixed Versions:
13.1.3.2, 14.1.2.7, 15.0.1.3, 15.1.0.2
793013 : MRF DIAMETER: Implement sweeper for pending request messages queue
Links to More Info: BT793013
Component: Service Provider
Symptoms:
MRF Diameter remembers details for each request message to assist with routing answer messages. If the answer message is not received, this information is not cleaned up.
Conditions:
The server does not respond to a request message with an answer message.
Impact:
For each unanswered request message, memory is leaked. Eventually the system might run out of memory and restart.
Workaround:
None.
Fix:
The DIAMETER logic will not delete any stale pending request record if it is older than twice the configured transaction timeout (in diameterrouter profile).
Fixed Versions:
13.1.3.4
793005-4 : 'Current Sessions' statistic of MRF/Diameter pool may be incorrect
Links to More Info: BT793005
Component: Service Provider
Symptoms:
In MRF/Diameter deployment, the LTM pool 'Current Sessions' statistics may show an unusually large number, such as 18446744073709551606.
Conditions:
When a Diameter answer does not match a pending request, the answer message is dropped, but the BIG-IP system still decrements the 'Current Sessions' counter. If the counter is already zero, it underflows.
Impact:
The 'Current Sessions' statistic can be used to track the number of pending requests in the queue. When it underflows, the number becomes useless, making troubleshooting more difficult.
Workaround:
None.
Fix:
'Current Sessions' statistics of MRF/Diameter pool reports correctly.
Fixed Versions:
13.1.3.4, 14.1.2.7, 15.1.0.5
792341-4 : Google Analytics shows incorrect stats.
Links to More Info: BT792341
Component: Application Security Manager
Symptoms:
ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.
Conditions:
Scenario 1:
-- ASM provisioned.
-- ASM policy attached to a virtual server with challenge mitigation enabled (as part of brute force protection, for example).
Scenario 2:
-- Bot defense profile attached to a virtual server with challenge mitigation enabled.
Scenario 3:
-- DoS Application profile attached to a virtual server with challenge mitigation enabled.
Impact:
Incorrect data is displayed in the Google Analytics dashboard.
Workaround:
Use an iRule that injects google-analytics.js into the challenge white page at the HTTP_RESPONSE_SENT event.
Fix:
ASM now handles the backend's response to fix up document.referrer for tools that read this property.
Fixed Versions:
13.1.4.1, 14.1.4.2
792285-3 : TMM crashes if the queuing message to all HSL pool members fails
Links to More Info: BT792285
Component: TMOS
Symptoms:
When a system uses a High Speed Logging (HSL) configuration with an HSL pool, TMM crashes if queuing a message to all HSL pool members fails.
Conditions:
-- Two-member pool configured as remote-high-speed-log destination.
-- Data-plane logging is in use, for example (but not limited to) the iRule command HSL::send.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
13.1.3.4, 14.1.2.5
792265-1 : Traffic logs do not include the BIG-IQ tags
Links to More Info: BT792265
Component: Application Visibility and Reporting
Symptoms:
AVR collects traffic data. When that data is reported to BIG-IQ, it omits the BIG-IQ tags which are required by BIG-IQ.
Conditions:
AVR collects traffic data and sends it to BIG-IQ.
Impact:
There are no BIG-IQ tags in the traffic logs. BIG-IQ is unable to map traffic-capturing logs to applications.
Workaround:
None.
Fix:
Traffic logs now include the BIG-IQ tags.
Fixed Versions:
13.1.3.2, 14.1.2.1, 15.0.1.3
791369-4 : The REST framework may reflect client data in error logs
Links to More Info: K01049383
790845-1 : An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default
Links to More Info: BT790845
Component: Local Traffic Manager
Symptoms:
An In-TMM monitor may be marked down when the CMP-hash (Cluster Multiprocessing) is set to non-default value.
Conditions:
-- There is a configured In-TMM monitor (K11323537).
-- CMP-hash is set to non-default value.
Note: For information about In-TMM monitoring, see K11323537: Configuring In-TMM monitoring :: https://support.f5.com/csp/article/K11323537.
Impact:
An In-TMM monitor is falsely marked as down.
Workaround:
Use default settings for a CMP-hash.
Fix:
An In-TMM monitor is not marked down when a non-default CMP-hash is in use.
Fixed Versions:
13.1.3.5, 14.1.4, 15.1.2
790205-2 : Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core
Links to More Info: BT790205
Component: Local Traffic Manager
Symptoms:
TMM cores when adding a route (either statically or dynamically) to a child route domain.
Conditions:
Adding a more-specific route to a child domain that overrides a route in the default domain.
Impact:
TMM cores. A failover or outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores when adding routes to child domains.
Fixed Versions:
12.1.5.3, 13.1.3, 14.0.1.1, 14.1.2.7, 15.0.1.1
788753-1 : GATEWAY_ICMP monitor marks node down with wrong error code
Links to More Info: BT788753
Component: Local Traffic Manager
Symptoms:
The pool state shows down when there is no route configured to the node.
Conditions:
-- In-tmm gateway_icmp monitor configured for a node or pool member.
-- There is no route to the node or pool member.
Impact:
The pool member or node is marked down and the reason listed is 'timeout', instead of 'no route to host'.
Workaround:
None.
Fixed Versions:
13.1.3.4, 14.1.2.8, 15.1.0.5
788577 : BFD sessions may be reset after CMP state change
Links to More Info: BT788577
Component: TMOS
Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.
This happens in the following instances:
- Blade reset.
- Booting up or shutting down.
- Running 'bigstart restart'.
- Setting a blade state from/to primary/secondary.
During these events, Bidirectional Forwarding Detection (BFD) session processing ownership might migrate from the old processing TMMs to newly selected TMMs. This process is rapid and could lead to a contest between several TMMs over which should be the next BFD processing owner.
It might also lead to a situation where the BFD session is deleted and immediately recreated.
This problem occurs rarely and only on a chassis with more than one blade.
Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- A CMP state change occurs on one of the blades.
-- The BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change, and a contest between the old TMM owner and the new TMM owner occurs.
Impact:
When the BFD session is recreated, it marks the corresponding routing protocol DOWN if one is configured. The protocol might be BGP, OSPF, or any other routing protocol that supports BFD.
This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decisions concern networks learnt by the affected routing protocols, which become unreachable when the routing process on the BIG-IP system restarts. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and the responsiveness of other routing devices connected to the BIG-IP system. It is the usual routing convergence period, which includes setting up the peering and exchanging routing information and routes.
Workaround:
There are two workarounds, although the latter is probably impractical:
-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.
Fix:
BFD session is no longer reset during CMP state change.
Fixed Versions:
11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
788557 : BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior
Links to More Info: BT788557
Component: TMOS
Symptoms:
GRST - BGP graceful restart.
The problem occurs when the routing daemon bgpd restarts or starts (e.g., after the bgpd daemon is terminated); terminating the daemon is not a supported operation. Another way to trigger the issue is to run the 'bigstart restart' command on a primary blade of a chassis with more than one blade.
After the new primary blade takes over, BGP and BFD sessions are recreated at around the 'graceful restart' timeout interval.
Conditions:
-- BGP and BFD are configured.
-- The BGP router's 'graceful restart' option is configured and enabled (set to 120 by default).
-- The bgpd daemon is terminated.
Another way to trigger the issue is to run 'bigstart restart' on a primary blade on a chassis with more than one blade.
Impact:
If BGP peering is reset, the routing protocol withdraws the dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of the affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decisions come from networks learnt by the affected routing protocol when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and the responsiveness of other routing devices connected to the BIG-IP system; typically it is the routing convergence period, which includes setting up the peering and exchanging routing information and routes.
Workaround:
None.
Fix:
BGP and BFD peering is no longer recreated when the GRST timeout expires.
Fixed Versions:
11.6.5.2, 13.1.3.2, 14.1.2.1, 15.0.1.1
788513-4 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
Links to More Info: BT788513
Component: Service Provider
Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:
warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]
This appears to be benign, as the configuration loads successfully, and the script works as expected.
Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name
Instead of:
RADIUS::avp replace USER-NAME "static value"
Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.
Workaround:
This warning is benign, as the configuration loads successfully, and the script works as expected.
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
788417-3 : Remote Desktop client on macOS may show resource auth token on credentials prompt
Links to More Info: BT788417
Component: Access Policy Manager
Symptoms:
APM uses the 'username' attribute to pass the auth token for SSO-enabled native RDP resources on macOS. If Windows policy forces the user to provide credentials, or if Single Sign-on fails, the end user may see a credentials prompt containing the base64-encoded auth token in the username field.
This behavior is observed only with Remote Desktop Client v10.x for macOS.
Conditions:
-- APM Webtop is configured with Single Sign-on enabled native RDP resource.
-- Try to access the RDP resource from macOS using RDP client v10.x.
Note: This issue is known to occur when Microsoft Group Policy 'Always prompt for password upon connection' is enabled on the target RDP server: Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Security \ Always prompt for password upon connection.
Impact:
A credentials prompt (containing the auth token in the username field) is shown, causing confusion for APM end users.
Workaround:
Apply the following iRule:
Note: With the following iRule implemented, users running RDP client v8 for macOS may see an empty credentials prompt when launching APM native RDP resources.
when HTTP_RESPONSE_RELEASE {
    catch {
        set locationUri [HTTP::header Location]
        if { [HTTP::status] == 302 && $locationUri starts_with "rdp://" &&
             $locationUri contains "username=s:f5_apm" } {
            HTTP::header Location \
                [string map {"username=s:f5_apm" "gatewayaccesstoken=s:"} $locationUri]
        }
    }
}
Fix:
Remote Desktop client on macOS does not show resource auth token on credentials prompt.
Fixed Versions:
13.1.3.2, 14.1.2.1, 15.0.1.1
788325-4 : Header continuation rule is applied to request/response line
Links to More Info: K39794285 , BT788325
Component: Local Traffic Manager
Symptoms:
When a browser communicates with a server over HTTP, it can split a long header into several lines, prefixing continuation lines with leading whitespace. This rule does not apply to the request or response line, so leading whitespace on the first header line is invalid. The BIG-IP system parses such a line as a header with an empty value.
Conditions:
A virtual server is configured on the BIG-IP system with HTTP profile.
Impact:
The BIG-IP system can hide some important HTTP headers: it may pass them through to the pool member unprocessed, fail to handle the request (or response) properly, or fail to load balance a connection (or a request, when a OneConnect profile is used) correctly.
Workaround:
None.
Fix:
Now, when the BIG-IP system receives an invalid request or response with leading whitespace on the first header line, it parses the header properly and handles it correctly.
Fixed Versions:
11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
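The continuation rule above, as an added example that is not F5's code: a small Python parser that applies obs-fold per RFC 7230 and shows why a whitespace-prefixed line directly after the start line must be rejected or discarded rather than recorded as a header. The 'naive' mode is modelled on the symptom described (the header name it produces is an assumption, used only to show the hidden-header effect), and the sample messages are constructed.

```python
import re

# Request-line or status-line (HTTP/1.x); simplified for the example.
START_LINE_RE = re.compile(r"^\S+ \S+ HTTP/\d\.\d$|^HTTP/\d\.\d \d{3}.*$")
# field-name ":" OWS field-value OWS (RFC 7230 section 3.2)
FIELD_RE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):\s*(.*?)\s*$")


class InvalidMessage(ValueError):
    """Raised when the header block violates the grammar."""


def parse_head(raw: bytes, mode: str = "strict"):
    """Parse a message head (start line + header block) and return
    (start_line, [(name, value), ...]).

    mode:
      "strict"  - reject whitespace-prefixed lines before the first field
                  (RFC 7230 section 3: a recipient MUST reject or consume them).
      "lenient" - consume and discard such lines (the RFC's other option).
      "naive"   - record such a line as a header with an empty value, which is
                  how the symptom above reads; the header name chosen here is
                  an assumption made for illustration.
    """
    lines = raw.decode("ascii").split("\r\n")
    if not lines or not START_LINE_RE.match(lines[0]):
        raise InvalidMessage("bad start line")
    headers = []
    for line in lines[1:]:
        if line == "":
            break                        # empty line ends the header block
        if line[0] in " \t":             # obs-fold continuation line
            if headers:
                name, value = headers[-1]
                # RFC 7230 3.2.4: replace the fold with a single SP
                headers[-1] = (name, value + " " + line.strip())
            elif mode == "lenient":
                continue
            elif mode == "naive":
                headers.append((line.strip(), ""))
            else:
                raise InvalidMessage("whitespace before first header field")
            continue
        m = FIELD_RE.match(line)
        if not m:
            raise InvalidMessage(f"malformed header line: {line!r}")
        headers.append((m.group(1), m.group(2)))
    return lines[0], headers


def header(headers, name):
    """Case-insensitive lookup of the first header with the given name."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


# Constructed sample messages (not captured traffic).
FOLDED_OK = (b"GET /a HTTP/1.1\r\n"
             b"Host: example.com\r\n"
             b"X-Long: part1\r\n"
             b" part2\r\n\r\n")
BAD_FIRST = (b"GET /a HTTP/1.1\r\n"
             b" Host: example.com\r\n"
             b"X-Forwarded-For: 203.0.113.7\r\n\r\n")

if __name__ == "__main__":
    _, h = parse_head(FOLDED_OK)
    print("folded:", h)                       # X-Long -> 'part1 part2'
    _, h = parse_head(BAD_FIRST, "naive")
    print("naive Host =", header(h, "Host"))  # None: the Host header is hidden
    try:
        parse_head(BAD_FIRST)
    except InvalidMessage as e:
        print("strict:", e)
```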
788301-3 : SNMPv3 Hardening
Links to More Info: K58243048 , BT788301
Component: TMOS
Symptoms:
SNMPv3 agents do not follow current best practices.
Conditions:
SNMPv3 agents enabled.
Impact:
SNMPv3 agents do not follow current best practices.
Fix:
SNMPv3 features now follow current best practices.
Fixed Versions:
11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
788269-1 : Adding toggle to disable AVR widgets on device-groups
Links to More Info: BT788269
Component: Application Visibility and Reporting
Symptoms:
Devices on device-group get into state of not-synced when AVR-related widgets are created or modified.
It occurs more frequently when manual config sync is enabled.
It can also occur when visiting a widgets page for the first time that automatically creates default widgets on the first page visit, such as Security :: Overview : Application : Traffic. This can make it appear that a 'read-only' user visiting the page has triggered the need for a config sync.
Conditions:
-- Two or more devices are in a device-group.
-- AVR-related widgets are created or modified.
Impact:
Devices go into a non-synced state.
Workaround:
None.
Fix:
A DB variable called avr.gui.widgets.sync has been added to disable widget syncing. Possible values are 'disable' or 'enable'; it is enabled by default.
Behavior Change:
This release adds a DB-variable, avr.gui.widgets.sync, to disable widget syncing. Possible values are 'disable' or 'enable'. It is enabled by default.
Fixed Versions:
13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.3
787901 : While deleting a DoS profile, tmm might core in sPVA
Links to More Info: BT787901
Component: Advanced Firewall Manager
Symptoms:
When trying to delete a DoS profile attached to a virtual server, it is possible that tmm might core and restart.
Conditions:
-- An AFM DoS profile is attached to a virtual server.
-- Some of the DoS attacks are programmed into hardware (HW) through sPVA.
-- That DoS profile is deleted.
Impact:
tmm might generate a core and restart. Traffic disrupted while tmm restarts.
Workaround:
Use software (SW) DoS only.
Fix:
The tmm process no longer generates a core and restarts when deleting a profile that is attached to a virtual server.
Fixed Versions:
13.1.3.2
787825-3 : Database monitors debug logs have plaintext password printed in the log file
Links to More Info: K58243048 , BT787825
Component: Local Traffic Manager
Symptoms:
When debug logging is enabled for a monitor instance of certain monitor types, the resulting monitor instance logs may contain sensitive details such as the password.
Conditions:
Debug mode is enabled for one of the following monitor types:
1. mssql
2. mysql
3. oracle
4. postgresql
Impact:
The user-account password configured in the health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors/.
Workaround:
1. Do not enable monitor instance logging or monitor debug logging for the affected monitor types.
2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.
Fix:
The password field of the monitor is now redacted by external monitors when monitor debugging is enabled.
Fixed Versions:
11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
787677-1 : AVRD stays at 100% CPU constantly on some systems
Links to More Info: BT787677
Component: Application Visibility and Reporting
Symptoms:
One thread of the avrd process spontaneously starts to consume 100% CPU.
Conditions:
The exact conditions under which this occurs are unknown, but it might occur only on vCMP configurations.
Impact:
System performance degrades.
Workaround:
Restart TMM:
bigstart restart tmm
Fix:
Added processing that prevents AVRD from entering endless loops.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1
787477-1 : Export fails from partitions with '-' as second character
Links to More Info: BT787477
Component: Access Policy Manager
Symptoms:
Attempting to export a profile/policy from a partition whose name has a hyphen/dash (-) as the second character results in the error message:
'Incorrect arguments: <partition> is not specified'
Conditions:
Partition with '-' as second character in the name.
Impact:
Unable to export a policy from the given partition.
Workaround:
Rename partition without '-' as the second character.
Fix:
Export is working as expected in this scenario.
Fixed Versions:
13.1.3.2, 14.1.2.1
786981-1 : Pending GTP iRule operation may be aborted when connection is expired
Links to More Info: BT786981
Component: Service Provider
Symptoms:
When there is a suspended iRule operation (such as the table or after command) in a GTP iRule event, the operation may be intermittently aborted when the connection expires.
Conditions:
This occurs when a connection times out while there is still a pending iRule operation. For example, in one use case, there is a table command in GTP_SIGNALLING_INGRESS event, and the immediate idle timeout is configured in the UDP profile.
Impact:
GTP iRule may not be completely executed.
Workaround:
For the specific use case when immediate idle timeout is used, change idle timeout to some positive value. Then use the iRule to expire the connection after the GTP iRule event is done, for example, by setting 'IP::idle_timeout 0' in SERVER_CONNECTED event.
Fix:
When connection is expired, pending iRule operations in GTP iRule events are now completed.
Fixed Versions:
13.1.3.4, 14.1.2.7
786517-1 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
Links to More Info: BT786517
Component: Local Traffic Manager
Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.
- Running the command 'tmsh load /sys config' reports an error:
01070038:3: Monitor /Common/a-tcp address type requires a port.
Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.
Impact:
Monitors are sent to an incorrect IP address.
tmsh load /sys config will fail to load the configuration.
Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.
-- Fix the monitor definition using tmsh.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.0.5
785873-1 : ASM should treat 'Authorization: Negotiate TlR' as NTLM
Links to More Info: BT785873
Component: Application Security Manager
Symptoms:
When an authentication request with 'Authorization: Negotiate' arrives at ASM, ASM does not count it as a login attempt. As a result, brute force protection isn't applied.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Login URL configured in ASM policy.
-- Brute force protection enabled in ASM policy.
Impact:
Brute force attack checking can be skipped if the backend server authorization type is NTLM but the client sends 'Authorization: Negotiate TlR'.
Workaround:
Use an iRule that changes 'Authorization: Negotiate TlR' to NTLM on the client side (before ASM) and sets it back to the original value on the server side (after ASM).
Fix:
ASM now treats 'Authorization: Negotiate TlR' as NTLM, since the 'TlR' prefix is a sign of NTLM usage.
Fixed Versions:
13.1.5, 14.1.4.5
785017-4 : Secondary blades go offline after new primary is elected
Links to More Info: BT785017
Component: TMOS
Symptoms:
Secondary active blades go offline.
Conditions:
-- Cluster with three or more active blades.
-- Primary blade is rebooted.
For example, on a 4-bladed system, after slot 1 (primary blade) is rebooted and slot 2 (secondary blade) takes over as primary, slots 3 and 4 both go offline due to the high availability (HA) table, with the logs showing the reason as 'waiting for configuration load'.
Impact:
Cluster reduced to a single blade, which may impact performance.
Workaround:
None.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3
784989-4 : TMM may crash with panic message: Assertion 'cookie name exists' failed
Links to More Info: BT784989
Component: Access Policy Manager
Symptoms:
TMM crashes with a SIGFPE panic:
panic: ../modules/hudfilter/http/http_cookie.c:489: Assertion 'cookie name exists' failed.
Conditions:
-- Virtual server with remote desktop or VDI profile attached.
-- VDI logging level is set to Debug.
-- iRule that modifies/reads HTTP cookies.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Increase the log-level for VDI from 'Debug' to a higher level.
Fix:
Fixed TMM crash, which occurred when remotedesktop/VDI profile was used together with custom iRule and Debug level logging.
Fixed Versions:
13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
784565-4 : VLAN groups are incompatible with fast-forwarded flows
Links to More Info: BT784565
Component: Local Traffic Manager
Symptoms:
Traffic flowing through VLAN groups may get fast-forwarded to another TMM, which might cause that connection to be reset with reason 'Unable to select local port'.
Conditions:
-- Using VLAN groups.
-- Flows are fast-forwarded to other TMMs.
Impact:
Some connections may fail.
Workaround:
None.
Fix:
The system now prevents flows on VLAN groups from being fast-forwarded to other TMMs.
Fixed Versions:
11.6.5.3, 12.1.5.2, 13.1.4, 15.0.1.1
783817-4 : UI becomes unresponsive when accessing Access active session information
Links to More Info: BT783817
Component: Access Policy Manager
Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.
The following error messages show up in the TMM log:
-- notice mcp error: 0x1020002 at ../mcp/db_access.c:831
-- notice mcp error: 0x1020031 at ../mcp/mcp_config.c:588
Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
Impact:
Some session variables may be lost, which results in UI hang. Admin UI becomes unusable.
Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
783617-4 : Virtual server resets connections when all pool members are marked disabled
Links to More Info: BT783617
Component: Local Traffic Manager
Symptoms:
The BIG-IP system immediately responds with an RST against a SYN when all pool members are marked disabled by a monitor.
Conditions:
All of the pool members are marked disabled by a monitor or administratively.
Impact:
Cannot use iRules to respond with an HTTP 503 error to incoming traffic.
Cannot use LTM policies to select multiple pools if all pool members are disabled in a default pool assigned to a virtual server.
Workaround:
Use Forced offline instead of disabled to prevent this issue.
Fix:
Virtual server no longer resets connections when all pool members are marked disabled.
Fixed Versions:
13.1.3.5, 14.1.3.1
783513-1 : ASU is very slow on device with hundreds of policies due to logging profile handling
Links to More Info: BT783513
Component: Application Security Manager
Symptoms:
Signature Update (ASU) is very slow on devices with hundreds of policies due to logging profile handling.
Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- The BIG-IP is configured for logging profile handling.
Impact:
The ASU process takes hours to complete.
Workaround:
None.
Fixed Versions:
13.1.3.2, 14.1.2.3
783505 : ASU is very slow on device with hundreds of policies due to table checksums
Links to More Info: BT783505
Component: Application Security Manager
Symptoms:
ASU is very slow on devices with hundreds of policies due to table checksums.
Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- 'DoTableChecksums' is set to 1.
Impact:
The ASU process takes hours to complete.
Workaround:
In the configuration file /etc/ts/dcc/prepare_policy.cfg, set 'DoTableChecksums' to 0.
Fixed Versions:
12.1.5.1, 13.1.3.4
783289-3 : PEM actions not applied in VE bigTCP.
Links to More Info: BT783289
Component: Policy Enforcement Manager
Symptoms:
If PEM virtual server is configured using bigTCP, the return traffic from the server may not return to the same TMM. PEM policies do not get applied.
Conditions:
-- BIG-IP Virtual Edition.
-- bigTCP is configured (FastL4 with PEM/GPA hudfilters).
-- Virtual server uses Source-NAT.
Impact:
PEM policies do not get applied.
Workaround:
To work around this, do the following:
-- Configure bigTCP virtual server not to use source-NAT.
-- Configure destination-IP for hashing in server-vlan (the external VLAN that has the virtual server).
Fixed Versions:
13.1.3.5, 14.1.3.1
783125-4 : iRule drop command on DNS traffic without Datagram-LB may cause TMM crash
Links to More Info: BT783125
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM may crash and restart when an iRule on a DNS virtual server performs the 'drop' command while the BIG-IP system is handling both a DNS request and DNS response at the same time for the same DNS client IP and port without UDP Datagram-LB.
Conditions:
-- The BIG-IP instance has two or more TMM processes as a result of having two or more physical cores or virtual CPUs.
-- A virtual server with both DNS and UDP profiles and one or more iRules.
-- The UDP profile has Datagram LB disabled.
-- The iRules have a 'drop' command.
-- The iRules have a DNS_REQUEST and/or DNS_RESPONSE event with an iRule command that requires coordinating data with another TMM on the system, such as the 'table' command.
Impact:
TMM crash or restart. Traffic impacted. Traffic disrupted while tmm restarts.
Workaround:
F5 strongly recommends using a UDP profile with Datagram-LB enabled for DNS UDP virtual servers.
Alternatively, replace the 'drop' command with DNS::drop in DNS_REQUEST and DNS_RESPONSE events, or with UDP::drop in other iRule events.
See the respective references pages for DNS::drop and UDP::drop for the Valid Events each iRule command is available in:
https://clouddocs.f5.com/api/irules/DNS__drop.html
https://clouddocs.f5.com/api/irules/UDP__drop.html
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
783113 : BGP sessions remain down upon new primary slot election
Links to More Info: BT783113
Component: TMOS
Symptoms:
BGP flapping after new primary slot election.
Conditions:
-- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)
-- After a primary blade reset/reboot, the BFD session is processed by the same tmm on the same blade that was secondary before the primary blade reset/reboot.
-- The BFD session is created approximately 30 seconds after the reset/reboot.
Impact:
BGP goes down. BGP flaps cause route-dampening to kick-in on the BGP neighbors.
Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
bigstart restart tmrouted
Fix:
BFD no longer remains DOWN after a blade reset/reboot. There is a convergence period caused by blade changes (blade reset/reboot, new blade installed, blade comes up), which may take a few moments, but after that BFD sessions show the correct status.
Fixed Versions:
11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.1
782353-8 : SIP MRF via header shows TCP Transport when TLS is enabled
Links to More Info: BT782353
Component: Service Provider
Symptoms:
When an SSL Client Profile (TLS) is enabled on a SIP Message-Routing Virtual Server, the via header shows an incorrect transport protocol when SIP messages are sent out the client side of MRF. For example, the via header contains 'SIP/2.0/TCP' or 'SIP/2.0/UDP', when it should read 'SIP/2.0/TLS'.
Conditions:
Sending SIP messages from the client side of the SIP MRF when an SSL client profile is enabled on the SIP Message-Routing virtual server.
Impact:
The via header is not correct and violates the SIP RFC.
Workaround:
Create an iRule that replaces the incorrect via header with a correct one, for example:
when SIP_REQUEST_SEND {
    if { [clientside] } {
        SIP::header replace Via [string map [list "SIP/2.0/TCP " "SIP/2.0/TLS " "SIP/2.0/UDP " "SIP/2.0/TLS "] [SIP::header Via 0]] 0
    }
}
Fix:
The via headers show the correct text (e.g., SIP/2.0/TLS) when an SSL Client Profile is enabled on a SIP Message-Routing virtual server.
Fixed Versions:
13.1.3.4, 14.1.2.7
781829-4 : GTM TCP monitor does not check the RECV string if server response string not ending with \n
Links to More Info: BT781829
Component: Global Traffic Manager (DNS)
Symptoms:
GTM TCP monitor marks resource down.
Conditions:
The TCP server's response string does not end with '\n'.
Impact:
Available resources are marked down.
Workaround:
If the TCP server is sending a text response, reconfigure the server to make sure it terminates the output with '\n'.
If the TCP server cannot be changed (for example, if it produces binary output), it may be possible to create an external GTM monitor instead.
Fixed Versions:
13.1.3.5, 14.1.3.1
781753-1 : WebSocket traffic is transmitted with unknown opcodes
Links to More Info: BT781753
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not preserve WebSocket frames. Frame headers and payload may be reordered such that a header for a second frame may be sent out in the middle of a first frame's payload. Frame boundaries get skewed and payload gets interpreted as headers.
Conditions:
A request logging profile is configured on a WebSocket virtual server.
Impact:
WebSocket frames are not preserved such that traffic appears to be garbage.
-- If request logging is enabled, client frames may not be preserved.
-- If response logging is enabled, server frames may not be preserved.
Workaround:
Remove the request logging profile.
Fixed Versions:
13.1.3.2, 14.1.2.8
781637-4 : ASM brute force counts unnecessary failed logins for NTLM
Links to More Info: BT781637
Component: Application Security Manager
Symptoms:
A false positive brute force violation is raised and the login request is blocked.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM brute force protection enabled for the NTLM login type.
Impact:
The login request is blocked by the ASM policy.
Workaround:
Define higher thresholds in the brute force protection settings.
Fix:
ASM no longer counts unnecessary failed logins for NTLM.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
781605-1 : Fix RFC issue with the multipart parser
Links to More Info: BT781605
Component: Application Security Manager
Symptoms:
False positive or false negative attack signature match on multipart payload.
Conditions:
Very specific parsing issue.
Impact:
A parameter-specific excluded signature may be matched or not matched.
Workaround:
N/A
Fix:
The multipart parser issue has been fixed.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3, 14.1.2.1, 15.0.1.1
781581-4 : Monpd uses excessive memory on requests for network_log data
Links to More Info: BT781581
Component: Application Visibility and Reporting
Symptoms:
Monpd allocates excessive memory on multi-blade devices, and in some cases the kernel may kill monpd. The following log signature may be encountered in /var/log/kern.log:
err kernel: : [1537424.588160] Out of memory: Kill process 28371 (monpd) score 117 or sacrifice child
Conditions:
This can occur in a multi-blade BIG-IP environment when you are displaying pages that query for network_log data, for example Bot Defense requests in the event log, or realtime AVR data.
Impact:
Large fluctuations in host memory usage, occasionally leading to OOM events.
Workaround:
None.
Fix:
A db variable has been added: avr.eventlogsreportrownumber, which controls the number of logs displayed. The db variable default is 10000, and supports a range from 100 through 1000000.
Note: Using the maximum value may trigger the behavior described here. The system behavior depends on the specific machine hardware.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.3
781225-3 : HTTP profile Response Size stats incorrect for keep-alive connections
Links to More Info: BT781225
Component: Local Traffic Manager
Symptoms:
The HTTP profile Response Size statistic is incorrectly updated per-response using the cumulative number of response bytes seen over the lifetime of the connection, rather than the bytes seen per response.
Conditions:
-- HTTP profile configured
-- HTTP connection reused for multiple requests/responses
Impact:
The HTTP profile Response Size statistics may be incorrectly reported and do not correlate to actual traffic seen.
Workaround:
None.
Fix:
The HTTP Response Size statistics are correctly updated using per-response values.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1
781069-4 : Bot Defense challenge blocks requests with long Referer headers
Links to More Info: BT781069
Component: Application Security Manager
Symptoms:
The Bot Defense challenge may block the client if the Referer header is between about 1400 characters and 3072 characters long.
This client may get blocked by TCP RST, or suffer from a challenge loop.
Conditions:
-- Bot Defense with Verify before Access, or Proactive Bot Defense, is configured.
-- The request has a Referer header that is between ~1400 and 3072 characters long.
Impact:
Legitimate browsers may get blocked or suffer from a challenge loop.
Workaround:
Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.
Fix:
Challenges with long Referer headers no longer block legitimate clients.
Fixed Versions:
13.1.3, 14.1.2.1, 15.0.1.1
780817 : TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
Links to More Info: BT780817
Component: TMOS
Symptoms:
TMM crashes and produces a core file. TMM logs show the crash was of type SIGFPE, with the following panic message:
notice panic: ../base/vcmp.c:608: Assertion "guest has vlan ref" failed.
Conditions:
-- The vCMP host is a platform with more than one tmm process per blade or appliance.
+ VIPRION B4300, B4340, and B44xx blades.
+ BIG-IP iSeries i15x00 platforms
-- A VLAN is assigned to a vCMP guest.
-- The TAG of the VLAN is modified.
-- The VLAN is removed from the vCMP guest.
Impact:
While TMM crashes and restarts on the host, traffic is disrupted on all the guests running on that system.
Guests part of a redundant pair may fail over.
Workaround:
None.
Fix:
TMM no longer crashes on certain vCMP hosts after modifications to VLANs and guests.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1
779857-4 : Misleading GUI error when installing a new version in another partition
Links to More Info: BT779857
Component: TMOS
Symptoms:
While installing a new version in another partition, the GUI displays an error for a brief time:
'Install Status':Failed Troubleshooting
Conditions:
Install a new version in another partition.
Impact:
The GUI error is misleading: it shows the install status as 'Failed Troubleshooting' even though the installation is proceeding normally. Only the error is incorrect; it does not indicate a problem with the installation.
Workaround:
If you click on the 'Troubleshooting' link on the GUI screen, the GUI indicates that it is actually installing properly without any error.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
778869-1 : ACLs and other AFM features (e.g., IPI) may not function as designed
Links to More Info: K72423000 , BT778869
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, ACLs, IPI and other AFM features may not function as designed.
Conditions:
AFM provisioned and configured.
TCP mitigations active.
Impact:
AFM features do not function as designed.
Workaround:
None.
Fix:
ACLs and other AFM features (e.g., IPI) now function as designed.
Fixed Versions:
13.1.3.2, 14.0.1.1, 14.1.2.5
778517-2 : Large number of in-TMM monitors results in delayed processing
Links to More Info: K91052217 , BT778517
Component: Local Traffic Manager
Symptoms:
A monitor may continue to probe for a while after it has been removed from pool / member / node. Duplicate monitor instances may get created after associating a monitor to a server.
Conditions:
Device has a large number of in-TMM monitors.
Impact:
-- Monitor target may appear down when responding correctly.
-- Monitor may continue to run after removed from pool / member / node.
-- Increased monitoring load on server.
Workaround:
Disable in-tmm monitors:
tmsh modify sys db bigd.tmm value disable
Fix:
Large numbers of in-TMM monitors are processed in a timely fashion.
Fixed Versions:
13.1.3.4, 14.1.2.7
778365-1 : dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service
Links to More Info: BT778365
Component: Global Traffic Manager (DNS)
Symptoms:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS. If there is a DNS service running on the LDNS, RTT metrics should be collected successfully as expected. If there is no DNS service on the LDNS, there should not be any RTT metrics collected. However, the BIG-IP system still populates the RTT values, giving users 'false positive' results.
Conditions:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS and there is no DNS service running on the LDNS.
Impact:
RTT metrics are collected even though no response from the DNS service is present, giving users the wrong impression that there is one.
Fix:
RTT metrics are collected only when the DNS service is present; otherwise zero RTT values are returned.
Fixed Versions:
13.1.3.4, 14.1.2.7
777733-1 : DoS profile default values cause config load failure on upgrade
Links to More Info: BT777733
Component: Advanced Firewall Manager
Symptoms:
Upon upgrading from 12.1.x, the config fails to load with an error similar to the following:
01071aa6:3: Dos DNS query data bad actor can not be enabled if per-source detection/limit pps is less than 1% of the Dos vector (a) rate threshold setting for sub-profile (PROFILE_DOS_NETWORK_VS-ADIB-GTM-ID177_53_UDP) of Dos profile (/Common/PROFILE_DOS_NETWORK_VS-ADIB-GTM-ID177_53_UDP).
Conditions:
-- AFM configured.
-- One or more SIP or DNS vectors are configured with the rate_threshold values set to the default in 12.x.
+ For SIP, the rate_threshold value in 12.x is 30000.
+ For DNS, the rate_threshold value in 12.x is 50000.
Impact:
During upgrade, the BIG-IP system fails to convert these thresholds to the new default value of 'infinite'. After upgrade, the configuration fails to load.
Workaround:
Manually edit the profile to disable bad-actor, or change the DNS and SIP default rate_threshold value to 'infinite'; the configuration can then be loaded.
For example, in this affected configuration for DNS:
dns-query-vector {
    a {
        allow-advertisement disabled
        ...
        rate-increase 500
        rate-limit 250000
        rate-threshold 50000 <<---
    }
Change it to this:
dns-query-vector {
    a {
        allow-advertisement disabled
        ...
        rate-increase 500
        rate-limit 250000
        rate-threshold infinite
    }
At that point, the configuration should load successfully.
Fix:
DNS and SIP default rate_threshold value of 50000 and 30000 of 12.1.x are now converted to default value of 'infinite' during upgrade, so the configuration loads as expected.
Fixed Versions:
13.1.3
777261-2 : When SNMP cannot locate a file it logs messages repeatedly
Links to More Info: BT777261
Component: TMOS
Symptoms:
When the SNMP daemon experiences an error when it attempts to statfs a file then it logs an error message. If the file is not present then this error is repeatedly logged and can fill up the log file.
Conditions:
When an SNMP request causes the daemon to query a file on disk it is possible that a system error occurs. If the file is not present then the error is logged repeatedly.
Impact:
This can fill up the log with errors.
Fix:
The SNMP daemon has been fixed to log this error once.
Fixed Versions:
11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
777173-4 : Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error
Links to More Info: BT777173
Component: Access Policy Manager
Symptoms:
When administrator runs Citrix vdi iApp in APM standalone deployment (LTM is not licensed), iApp fails with the following error:
01070356:3: HTTP header transformation feature not licensed
This is result of a license check added for HTTP header transformation.
Conditions:
- APM is licensed as stand alone (no LTM license)
- Admin tries to run Citrix vdi iApp
Impact:
Administrator is not able to use the iApp to configure Citrix vdi access
Workaround:
Adding LTM module license will resolve the error.
Fix:
Citrix vdi iApp now can be used to configure Citrix vdi access in an APM standalone deployment.
Fixed Versions:
13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
776229-4 : iRule 'pool' command no longer accepts pool members with ports that have a value of zero
Links to More Info: BT776229
Component: Local Traffic Manager
Symptoms:
Values of 0 (zero) are no longer accepted for pool member ports in iRule 'pool' commands. The system reports an error similar to the following in /var/log/ltm:
err tmm3[12179]: 01220001:3: TCL error: /Common/_user_script_member <CLIENT_ACCEPTED> - bad port in 'pool member <addr> <port>' cmd while executing "pool test_pool member 10.1.30.10 0"
Conditions:
-- Configure an iRule to use the 'pool' command to go to the pool member using a zero port in the CLIENT_ACCEPTED event.
-- Attach the iRule to the virtual server.
-- Run traffic through it.
Impact:
The iRule rejects traffic when the pool member's port number is 0.
Workaround:
Configure any iRule using the 'pool' command to go to apool member using a non-0 port in the CLIENT_ACCEPTED event.
Fix:
No longer blocking access to pool members that use port number 0 (zero) from iRule 'pool' commands.
Fixed Versions:
13.1.3.4, 14.1.3.1
775897-3 : High Availability failover restarts tmipsecd when tmm connections are closed
Links to More Info: BT775897
Component: TMOS
Symptoms:
All security associations (SAs) can be deleted when tmipsecd restarts as a result of closing tmm connections during failover from active to standby.
Conditions:
When failover happens for high availability (HA), tmipsecd aims to close tmm connections when on standby, because tmm must connect instead to the daemon running in the active system. But a side effect of this restarts tmipsecd, resulting in deletion of all SAs when tmipsecd came back up.
Impact:
tmipsecd restarts. All IPsec tunnels experience an interruption of service until new SAs are negotiated.
Workaround:
None.
Fix:
Now tmipsecd no longer restarts when the tmm connections are closed in response to failover from active to standby.
Fixed Versions:
13.1.5, 14.1.2.5
775621-4 : urldb memory grows past the expected ~3.5GB
Links to More Info: BT775621
Component: Access Policy Manager
Symptoms:
When using the categorization engine (urldb), memory may increase when real-time update databases are downloaded (once every ten minutes, as available).
Conditions:
-- SWG provisioned.
-- Using urldb.
-- Real-time database updates occurring.
Impact:
Memory increases, and if there is not enough room on the BIG-IP system, urldb can core.
Workaround:
None.
Fix:
The system no longer preloads the database into memory, so memory no longer grows past what is expected.
Fixed Versions:
13.1.3, 14.1.2.1, 15.0.1.3
775105-1 : False positive on bot defense logs
Links to More Info: BT775105
Component: Application Security Manager
Symptoms:
Remote log entries suggest that blocking events have occurred although their DoS profile is not set to block any traffic.
Conditions:
DoS profile is not set to block any traffic.
Impact:
False positives where remote log entries which suggest blocking events have occurred.
Workaround:
None.
Fix:
Bot defense remote logging profile attached to virtual servers and some bot signatures is be set to 'Report'.
Fixed Versions:
13.1.3.2, 14.0.1.1
775013-4 : TIME EXCEEDED alert has insufficient data for analysis
Links to More Info: BT775013
Component: Fraud Protection Services
Symptoms:
The time-exceeded alert does not include sufficient alert details to troubleshoot the process. It is difficult to determine whether or not the alert is valid, or how long past the request time the alert occurred.
Conditions:
Viewing alert logs for time-exceeded messages.
Impact:
Makes troubleshooting and/or analysis difficult.
Workaround:
None.
Fix:
All encryption failures alert now provides additional details to assist in troubleshooting the process.
Fixed Versions:
13.1.3, 14.1.2.1, 15.0.1.1
774481-3 : DNS Virtual Server creation problem with Dependency List
Links to More Info: BT774481
Component: Global Traffic Manager (DNS)
Symptoms:
Cannot use the GUI to create virtual servers with dependent virtual server.
Conditions:
This occurs when creating a virtual server that contains a dependent virtual server.
Impact:
Cannot use the GUI to create the virtual server that contains a dependent virtual server in one step.
Workaround:
You can use either of the following workarounds:
-- Use tmsh;
-- Create the virtual server through GUI without dependent virtual server first and then edit the virtual server to add dependency.
Fixed Versions:
13.1.3.4, 14.1.2.7
774445-3 : BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2
Links to More Info: K74921042 , BT774445
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.7 Update 2 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).
Conditions:
-- BIG-IP VE running on VMware ESXi 6.7 Update 2 (build number 13006603) hypervisor.
-- VMXNET 3 NICs.
Impact:
Traffic does not pass through non-mgmt interfaces.
Workaround:
You can use the following workarounds:
-- Until this issue is fixed in a Point-Release for your software branch, you can contact F5 Networks Technical Support to obtain an Engineering Hotfix to address the issue. This workaround allows TMM to continue to use the VMXNET3 driver, which is preferable.
-- On BIG-IP version 14.1.0, you can switch to the 'sock' driver.
-- On BIG-IP versions earlier than 14.1.0, you can switch to the 'unic' driver.
Note: The workarounds that switch driver must be applied individually to devices, as they do not synchronize via ConfigSync.
IMPORTANT: The driver must be configured the same way on all devices in a sync-failover device group.
To switch driver:
1. Add a line to /config/tmm_init.tcl that reads 'device driver vendor_dev 15ad:07b0 DRIVER' (replacing DRIVER with 'unic' or 'sock', as appropriate). For example:
echo "device driver vendor_dev 15ad:07b0 sock" >> /config/tmm_init.tcl
2. Restart tmm for the changes to take effect (restarting tmm disrupts traffic):
bigstart restart tmm
3. After tmm restarts, confirm the driver in use by examining the output of:
tmctl -d blade tmm/device_probed
Fix:
BIG-IP VE now passes traffic on ESXi 6.7 Update 2.
Fixed Versions:
13.1.3, 14.0.0.5, 14.1.0.6
773553-4 : ASM JSON parser false positive.
Links to More Info: BT773553
Component: Application Security Manager
Symptoms:
False positive JSON malformed violation.
Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.
Impact:
HTTP request is blocked or an alarm is raised.
Workaround:
There is no workaround other than disabling the JSON profile.
Fix:
JSON parser has been fixed as per RFC8259.
Fixed Versions:
12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
773421-2 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
Links to More Info: BT773421
Component: Local Traffic Manager
Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.
Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).
-- OneConnect is applied.
-- proxy-mss is enabled (the default value starting in v12.0.0).
Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.
Workaround:
Disable proxy-mss in the configured TCP profile.
Fix:
OneConnect prevents sending ICMP fragmentation needed messages to servers.
Fixed Versions:
12.1.5.1, 13.1.3.2, 14.1.2.1, 15.0.1.1
773253-2 : The BIG-IP may send VLAN failsafe probes from a disabled blade
Links to More Info: BT773253
Component: Local Traffic Manager
Symptoms:
The BIG-IP system sends multicast ping from a disabled blade. tmm core
Conditions:
-- There is one or more blades disabled on the VIPRION platform.
-- VLAN failsafe is enabled on one or more VLANs.
-- the VLAN failsafe-action is set to 'failover'.
-- There is more than one blade installed in the chassis or vCMP guest.
Impact:
The BIG-IP system sends unexpected multicast ping requests from a disabled blade.
Workaround:
To mitigate this issue, restart tmm on the disabled blade. This causes tmm to stop sending the multicast traffic.
Impact of workaround: Traffic disrupted while tmm restarts.
Fixed Versions:
13.1.4, 14.1.4.2, 15.1.2.1
772545-1 : Tmm core in SSLO environment
Links to More Info: BT772545
Component: Local Traffic Manager
Symptoms:
Unexpected SSL events can occur in SSLO configuration, possibly resulting in tmm core.
Conditions:
SSLO environment which can cause serverside ssl to become enabled during clientside handshake causing unexpected events.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Enabling SSL forward proxy verified-handshake setting available in 14.0.
Fixed Versions:
13.1.3.6, 14.1.2.3, 15.0.1.1
772233-1 : IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.
Links to More Info: BT772233
Component: Global Traffic Manager (DNS)
Symptoms:
When probing DNS Path, the metric round trip time (RTT) is not set correctly if the collection protocols used are NDS_DOT or DNS_REV.
The problem occurs only if the Path involves an IPv6 address; IPv4 address works fine.
Conditions:
-- Path involves IPv6 addresses.
-- Collection protocol used is either DNS_DOT or DNS_REV.
Impact:
RTT metric is not set at all.
Workaround:
Use collection protocols - ICMP instead.
Fix:
The problem for both collection protocols - DNS_DOT and DNS_REV no longer occurs, and the RTT is set correctly.
Fixed Versions:
13.1.3.2, 14.1.2.5, 15.0.1.3
771173-1 : FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly. &start;
Links to More Info: BT771173
Component: Advanced Firewall Manager
Symptoms:
The system does not roll forward the FastL4 profile syn-cookie-enable attribute after upgrading from 12.x to 13.x and beyond.
Conditions:
This happens when upgrading from 12.x to 13.x and beyond.
Impact:
If syn cookies are explicitly disabled on a FastL4 profile prior to upgrading, they may be enabled.
FastL4 profiles with default values for "hardware-syn-cookie" (enabled) and "software-syn-cookie" (disabled) prior to upgrading will have "syn-cookie-enable" set to "disabled" on first boot after upgrading.
Workaround:
You can fix the configuration by modifying it manually after upgrading.
In tmsh:
tmsh modify ltm profile fastl4 <profile_name> syn-cookie-enable <enabled|disabled>
Fix:
N/A
Fixed Versions:
13.1.3, 14.1.2.5, 15.0.1.3
771025-2 : AVR send domain names as an aggregate
Links to More Info: BT771025
Component: Application Visibility and Reporting
Symptoms:
AVR sends domain name as an aggregate of a number of domain names.
Conditions:
-- AVR receives more than the number of domain names it can handle.
-- After AVR gets DNS calls with different domain name, it no longer clears the domain name.
-- When AVR receives the maximum number of total domain names, it start to aggregate all the new domain names.
Impact:
Cannot see the correct domain name.
Workaround:
None.
Fix:
AVR now removes old domain names, so it can add new ones and send the actual domain names it collected.
Fixed Versions:
13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.3
770989-1 : Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x. &start;
Links to More Info: BT770989
Component: TMOS
Symptoms:
F5optics installation can fail with RPM database corruption on B4450 blades and iSeries platforms when installing 14.1.x.
Conditions:
-- Using B4450 blades or iSeries platforms.
-- Clean install (i.e., a completely new installation) of 14.1.0 from either an external drive or PXE without taking over license:
image2disk --format=volumes --nosaveconfig --nosavelicense BIGIP-14.1.0-0.0.116.iso
Impact:
-- After 14.1.0 boots up, when you check /shared/lib/rpm RPM database (by running the command: /opt/bin/rpm --dbpath /shared/lib/rpm -qa), you see errors if the RPM database has already been corrupted.
+ rpmdb: /shared/lib/rpm/Name: unexpected file type or format.
+ error: cannot open Name index using db3 - Invalid argument (22).
-- No default f5optics package is reported when running the command: tmsh show net f5optics. No f5optics packages is present in the /shared/f5optics/images/ directory (even the /shared/f5optics/images/ directory is not created).
Due to corruption of '/shared/lib/rpm' RPM database, additional component 'f5optics' installation can fail with RPM error. Other components such as geoip or epsec might also be affected due to corrupted '/shared/lib/rpm' RPM database.
Other symptoms may be that the Link Controller linkcost library (Non-US patch) may be unable to install, showing the error message:
DB_VERSION_MISMATCH: Database environment version mismatch.
Workaround:
Remove the RPM database and manually install the f5_optics RPM package.
Steps
=====
1. Remove corrupted RPM database:
# rm -rf /shared/lib/rpm/
2. Initialize rpm database and update
# /opt/bin/rpm --root /shared --dbpath /lib/rpm --initdb
# /opt/bin/rpm --dbpath /shared/lib/rpm -qa
3. For iSeries platform:
# /usr/bin/f5optics_install
For VIPRION platform
# tmsh install net f5optics slot all
Fixed Versions:
13.1.3.5, 14.1.3.1
770621-1 : [Portal Access] HTTP 308 redirect does not get rewritten
Links to More Info: BT770621
Component: Access Policy Manager
Symptoms:
Requests with URLs that are not rewritten in web application.
Conditions:
HTTP response from the backend with 308 redirect.
Impact:
HTTP Status Code 308 (Permanent Redirect) is not supported. Unexpected web application operation.
Workaround:
Use a custom iRule to rewrite the request.
Fix:
HTTP Status Code 308 (Permanent Redirect) is now supported; Location header is now rewritten.
Fixed Versions:
13.1.3
770477-3 : SSL aborted when client_hello includes both renegotiation info extension and SCSV
Links to More Info: BT770477
Component: Local Traffic Manager
Symptoms:
Client SSL reports an error and terminates handshake.
Conditions:
Initial client_hello message includes both signaling mechanism for secure renegotiation: empty renegotiation_info extension and TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
Impact:
Unable to connect with SSL.
Workaround:
None.
Fix:
Allow both signaling mechanism in client_hello.
Fixed Versions:
12.1.5.3, 13.1.3.2, 14.1.2.5
769981-3 : bd crashes in a specific scenario
Links to More Info: BT769981
Component: Application Security Manager
Symptoms:
bd crash with a core file.
Conditions:
-- XML profile with schema validation is attached to a security policy.
-- The bd.log shows out-of-memory messages relating to XML.
Impact:
Failover; traffic disruption.
Workaround:
Increase the memory XML uses by using the internal parameters total_xml_memory and/or additional_xml_memory_in_mb. For more information, see K10803: Customizing the amount of memory allocated to the BIG-IP ASM XML processing engine available at https://support.f5.com/csp/article/K10803
Fixed Versions:
13.1.3, 14.1.2.1, 15.0.1.1
769817 : BFD fails to propagate sessions state change during blade restart
Links to More Info: BT769817
Component: TMOS
Symptoms:
BFD fails to propagate sessions state change during blade restart.
Conditions:
-- On a chassis with multiple blades, several routing protocol sessions are established, (e.g., BGP sessions).
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via specific blade and the corresponding BFD session of this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experienced a blade failure.
Impact:
The BFD session remains in the BFD sessions table and remains there until BGP session is timed out by hold the timer (90 seconds, by default). Dynamic routes, which are learnt via affected BGP session, remain in the routing table until the hold time is reached.
Workaround:
Change BGP hold time to reasonable lower value.
Fix:
The affected BFD session is removed from the BFD table after blade reset during the period configured for this BFD session.
Fixed Versions:
11.6.5.1, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.4
769809-2 : The vCMP guests 'INOPERATIVE' after upgrade
Links to More Info: BT769809
Component: TMOS
Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests report as INOPERATIVE.
Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.
Impact:
The vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.
Workaround:
Important: If you upgrade vCMP hosts from an affected version to a version unaffected by this issue (ID 769809), ensure that the upgrade version contains the fix for Bug ID 810593: Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade :: https://cdn.f5.com/product/bugtracker/ID810593.html.
Upon encountering this issue, it may be best to roll back to the previously used, unaffected version on the vCMP host, and then install a version unaffected by this issue (i.e., versions later than 12.1.4.1 or later than 13.1.1.5).
Fix:
The system now handles a guest unit key that has a NULL in it, so vCMP guests are no longer 'INOPERATIVE' after upgrade
Fixed Versions:
12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6
769581 : Timeout when sending many large iControl Rest requests
Links to More Info: BT769581
Component: TMOS
Symptoms:
After sending hundreds of REST requests, REST requests eventually begins to time out. This is the case for applications such as an AS3, with requests with 700 services.
Conditions:
1. Download and install the AS3 iApp. This adds the /mgmt/shared/appsvcs/ endpoint to the the BIG-IP system.
2. Deploy config with AS3:
curl -X POST \
https://<$IP_address>/mgmt/shared/appsvcs/declare \
-H 'Content-Type: application/json' \
-d //This should be the data from an AS3 body
3. While deployment in step 2 is happening, make a GET to the tasks:
curl -X GET \
https://<$IP_address>/mgmt/shared/appsvcs/task \
-H 'Content-Type: application/json'
4. Delete configuration:
curl -X DELETE \
https://<$IP_address>/mgmt/shared/appsvcs/declare
It may take 3 or 4 times repeating steps 2 through 4 for the issue to show up. When it appears, you will start seeing messages in the AS3 task response like the following:
-- 'message': 'failed to save BIG-IP config (POST http://<$USERNAME>:<$PASSWORD>@<$IP_address>:8100/mgmt/tm/task/sys/config create task save sys config response=400 body={\"code\":400,\"message\":\"remoteSender:Unknown, method:POST \",\"originalRequestBody\":\"{\\\"command\\\":\\\"save\\\"}\",\"referer\":\"Unknown\",\"restOperationId\":6924816,\"kind\":\":resterrorresponse\"})'
Impact:
Saving new configuration data does not work. Any new transaction tasks fail.
Workaround:
1. Restart restjavad and all iControl Rest (icrd_child) instances.
2. Wait longer for large requests to finish before performing additional requests.
Fix:
Changes to handle the new transaction iControl Rest creation process creation properly when the existing process was killed with a timeout operation.
Fixed Versions:
13.1.3.5, 14.0.0.5, 14.1.2.7
769309-3 : DB monitor reconnects to server on every probe when count = 0
Links to More Info: BT769309
Component: Local Traffic Manager
Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.
Conditions:
This occurs when using one of the LTM mssql, mysql, oracle or postgresql monitor types is configured with the default 'count' value of 0 (zero).
Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.
Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.
Fix:
The LTM database monitor keeps the network connection to the monitored database server open indefinitely when configured with the default 'count' value of 0 (zero).
Fixed Versions:
12.1.5.3, 13.1.3.2, 14.1.2.3, 15.0.1.1
769193-1 : Added support for faster congestion window increase in slow-start for stretch ACKs
Links to More Info: BT769193
Component: Local Traffic Manager
Symptoms:
When Appropriate Byte Counting is enabled (the default), TCP's congestion window increases slower in slow-start when the data receiver sends stretch ACKs.
Conditions:
-- TCP data sender receives stretch ACKs (ACKs that acknowledges more than 2*MSS bytes of data).
-- Appropriate Byte Counting (ABC) is enabled in slow-start.
Impact:
ABC limits the increase of congestion window by 2*MSS bytes per ACK. TCP's congestion window is increased slower in slow-start, which may lead to longer transfer times.
Workaround:
There is no workaround at this time.
Fix:
A new sys db (TM.TcpABCssLimit) is provided to set TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received. If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.
Behavior Change:
There is a new db variable, TM.TcpABCssLimit for specifying TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received.
Note: If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.
Fixed Versions:
12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.3
769169-1 : BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring
Links to More Info: BT769169
Component: TMOS
Symptoms:
BIG-IQ sends a lot of request to the BIG-IP system to collect the stats it makes the BIG-IP slow and eventually GUI goes unresponsive.
Conditions:
-- BIG-IQ monitoring a large BIG-IP configuration.
-- With a very large number of requests, and with resource-expensive requests.
Impact:
ICRD requests wait longer in the ICRD queue, which can make the BIG-IP system becomes unresponsive. Policy Creation, Device Overview, and stats pages take more time to respond, and eventually, the GUI becomes unresponsive on these three pages.
Lot of process terminated/re-created messages in restjavad logs.
Workaround:
Remove the BIG-IP device from the BIG-IQ and restart the mcpd.
Fix:
The system now handles the queue so that there is time for BIG-IP system to recover and become responsive.
Fixed Versions:
13.1.3.6, 14.0.0.5, 14.1.2.5
769061-4 : Improved details for learning suggestions to enable violation/sub-violation
Links to More Info: BT769061
Component: Application Security Manager
Symptoms:
The title for the entity in suggestions to enable violation/sub-violation is 'Match violation'/'Matched HTTP Check', though these suggestions are created when there is no match in the observed traffic.
Conditions:
There are learning suggestions to enable violations/sub-violation in the policy
Impact:
Misleading suggestion details.
Workaround:
None.
Fix:
The misleading word 'Matched' was removed from the title.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.1
768761-4 : Improved accept action description for suggestions to disable signature/enable metacharacter in policy
Links to More Info: BT768761
Component: Application Security Manager
Symptoms:
It is difficult to understand the description for suggestions to disable signature or enable metacharacter on parameter/URL alternative action (accept for all entities).
Conditions:
There are suggestions to disable signature or enable metacharacter on parameter/URL.
Impact:
Action description can be difficult to understand.
Workaround:
None.
Fix:
'Accept for Any Entity' action has been renamed to 'Accept Globally'. The 'Charset' type is now mentioned in the action description for better understanding of the applied action.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
768025-1 : SAML requests/responses fail with "failed to find certificate"
Links to More Info: BT768025
Component: Access Policy Manager
Symptoms:
BIG-IP as SP and BIG-IP as IdP fail to generate signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after the certificate that is used for signing is modified.
Conditions:
The certificate used for signing SAML requests/responses or SAML SLO requests/responses is modified or re-imported.
Impact:
When this issue occurs, SAML services are impacted when BIG-IP is configured as SP or IdP. Subsequent SAML/SAML SLO requests/responses fail with the error 'failed to find certificate'.
-- When BIG-IP is configured as IdP, then SAML Authentication fails and SAML/SAML SLO services do not work.
-- When BIG-IP is configured as SP, resources that need SAML Authentication cannot be accessed. Also, SAML SLO service does not work.
Workaround:
-- When BIG-IP as IdP is affected, configure a different certificate associated with SAML IdP configuration that is used for signing, change it back to the original certificate, and then the apply policy.
-- Similarly, when BIG-IP as SP is affected, configure a different certificate associated with SAML SP configuration that is used for signing, change it back to the original certificate, and then apply the policy.
Fix:
BIG-IP as SP and BIG-IP as IdP works as expected while generating signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after certificate that is used for signing is modified.
Fixed Versions:
13.1.3.2, 14.1.2.5, 15.0.1.3
767941-2 : Gracefully handle policy builder errors
Links to More Info: BT767941
Component: Application Security Manager
Symptoms:
Policy Builder (pabnagd) restarts when it encounters an error, and logs errors to /var/log/asm:
crit perl[24868]: 01310027:2: ASM subsystem error (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: pabnagd, Failure: Insufficient number of threads (required: 2, found: 0).
Conditions:
This occurs when policy builder encounters an error.
Impact:
Temporary loss of connectivity with ASM and Policy Builder.
Workaround:
None.
Fix:
The system now handles Policy Builder errors gracefully and reduces Policy Builder down time upon connectivity loss with ASM.
Fixed Versions:
13.1.3.6, 14.1.4
767737-3 : Timing issues during startup may make an HA peer stay in the inoperative state
Links to More Info: BT767737
Component: TMOS
Symptoms:
When two BIG-IP systems are paired, it is possible during startup for the network connection to be made too early during the boot sequence. This may leave a peer in the inoperative state.
Conditions:
This is a timing-related issue that might occur during boot up of high availability (HA) peers.
Impact:
An HA peer does not become ACTIVE when it should.
Workaround:
None.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2.1
767613-3 : Restjavad can keep partially downloaded files open indefinitely
Links to More Info: BT767613
Component: Device Management
Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client does not complete the download. Since these files remain open, the total number of available file handles for the process decreases, and the disk space for the files cannot be recovered. Symptoms may include errors like 'Too many open files', low disk space even after deleting the associated files, and items listed with '(deleted)' in lsof output.
Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.
Impact:
Various errors ('Too many open files.'), low disk space, items listed with '(deleted)' when listed using lsof.
Workaround:
To free the file handles, restart restjavad:
tmsh restart sys service restjavad
Files that were deleted now have their space reclaimed.
Fix:
The restjavad process now internally clears the file handles of such partially downloaded files if they remain untouched for two hours.
Fixed Versions:
13.1.3.5, 14.1.3.1
767057-3 : In a sync-only device group, inactive policy is synced to peer, ASM is removed from virtual server
Links to More Info: BT767057
Component: Application Security Manager
Symptoms:
An ASM policy is suddenly detached from a virtual server and deactivated.
Conditions:
-- sync-only device group.
-- ASM sync enabled.
-- A policy is used on device ASM-A (attached to virtual server/device group).
-- The same policy is not used on device ASM-B (not attached to virtual server/device group).
Impact:
Inactive policy is synced to the peer, resulting in ASM being unassigned from the Virtual Server.
Workaround:
To prevent Policy Sweeper from deactivating any ASM policy, create a non-functioning device group and attach the unused ASM policies to that device group.
Fixed Versions:
13.1.5, 14.1.4.4
767045 : TMM cores while applying policy
Links to More Info: BT767045
Component: Anomaly Detection Services
Symptoms:
TMM core and possible cores of other daemons.
Conditions:
The exact conditions are unknown.
Occurrences have been seen during specialized internal testing and while applying a copied and edited ASM policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
13.1.3.2, 14.1.2.3
767013-4 : Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
Links to More Info: BT767013
Component: TMOS
Symptoms:
In a rare scenario, the HSB sends a large amount and continuous pause frames to the Broadcom switch, which indicates that the HSB is in a bad state.
Conditions:
This happens when there is a heavy traffic load on VIPRION B2150, B2250, and B4450 blades. It has also been seen on F5 appliances, such as iSeries platforms. The root cause is still under investigation. It happens extremely rarely.
Impact:
Reboot the BIG-IP system.
Workaround:
None.
Fix:
The system now monitors the pause frames and reboots when it detects that the HSB is in this state.
Fixed Versions:
11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.4.4
766577-4 : APMD fails to send a response to a client that has already closed the connection.
Links to More Info: BT766577
Component: Access Policy Manager
Symptoms:
APMD fails to send response to client and produces error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer
APMD performs most of its work against backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server responds very slowly (for various reasons, such as network issues), the apmd response to the client is slow as well. Sometimes the client has already closed its connection to the virtual server by then, so the client connection is no longer valid.
Conditions:
Backend server is slow, causing longer-than-usual response times.
Impact:
This causes the client to close the connection. APMD fails to respond to the client.
The cumulative slowness of the backend server causes delay in response. Most of the time, the client connection is already closed. As a result, the request queue gets full. When apmd starts processing the request from the queue, the client connection is already closed for some of them, and processing those requests still continues, which is unnecessary and causes more delay.
Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.
Fixed Versions:
12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1
766405-3 : MRF SIP ALG with SNAT: Fix for potential crash on next-active device
Links to More Info: BT766405
Component: Service Provider
Symptoms:
The next active device may crash with a core when attempting to create media flows.
Conditions:
The names for the LSN pool and router profile are longer than expected.
Impact:
The TMM on the next active device may core. Traffic is disrupted while tmm restarts; if the next-active device was not carrying traffic for a traffic group, traffic is not disrupted.
Workaround:
None.
Fix:
Device no longer cores.
Fixed Versions:
13.1.3.4, 14.1.0.6
766169-3 : Replacing all VLAN interfaces resets VLAN MTU to a default value
Links to More Info: BT766169
Component: Local Traffic Manager
Symptoms:
When the last physical interface is removed from a VLAN, the VLAN's MTU is reset to the default value of 1500. However, when replacing all interfaces belonging to a VLAN with new ones (e.g., with the command 'tmsh modify net vlan [name] interfaces replace-all-with {...}'), even though this does not look like removing all interfaces, the operation is actually performed by removing all interfaces and immediately adding the new ones. Because all interfaces are removed first, the VLAN MTU is reset to the default value even if the original value is perfectly valid for the newly added interfaces. Since this happens automatically inside TMM, it is not reflected in the configuration: TMSH and the Configuration Utility continue to report the original value.
Conditions:
Issue is visible only when removing or replacing all interfaces in a VLAN which has MTU value different than default 1500. Added interfaces must also have MTU values larger than 1500.
Impact:
VLAN MTU is set to 1500 despite Configuration Utility and TMSH still reporting original value.
Workaround:
There are two workarounds:
-- Reset desired MTU value after each operation of replacing all interfaces in a VLAN.
-- Avoid replace-all-with operation by adding new interfaces before removing unneeded ones.
Fix:
VLAN MTU value is left unchanged after the last interface is removed. It is recalculated upon adding a new interface anyway, so there is no risk it will be too large.
Fixed Versions:
12.1.5.2, 13.1.3.5, 14.1.2.8
766017-2 : [APM][LocalDB] Local user database instance name length check inconsistencies
Links to More Info: BT766017
Component: Access Policy Manager
Symptoms:
Tmsh accepts long localdb instance names, but ldbutil later refuses to work with names longer than 64 characters.
The GUI limits the instance name length to 64 characters including the partition prefix, but this is not obvious to the admin.
Conditions:
-- Create a 64-character-long local user database instance name using tmsh.
-- Try to add users to this instance or try to delete the instance from the GUI.
Impact:
A tmsh-created localdb instance with a name length greater than 64 characters can be created but cannot be used.
Workaround:
Delete instance from tmsh and re-create it with a shorter name.
Fix:
Tmsh now enforces the length limit for localdb instance names.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.4.2, 15.1.2, 16.0.1.1
765621-1 : POST request being rejected when using OAuth Resource Server mode
Links to More Info: BT765621
Component: Access Policy Manager
Symptoms:
POST request is rejected.
Conditions:
-- Using OAuth Resource Server access type.
-- Client sends a large POST body.
Impact:
The request is rejected.
Workaround:
Increase the tmm.access.maxrequestbodysize sys db variable to be larger than the POST body size.
Fix:
The system now supports larger POST requests in OAuth Resource Server mode.
Fixed Versions:
13.1.3
765533-4 : Sensitive information logged when DEBUG logging enabled
Links to More Info: K58243048 , BT765533
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048
Conditions:
For more information see: https://support.f5.com/csp/article/K58243048
Impact:
For more information see: https://support.f5.com/csp/article/K58243048
Workaround:
For more information see: https://support.f5.com/csp/article/K58243048
Fix:
For more information see: https://support.f5.com/csp/article/K58243048
Fixed Versions:
11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.1
764873-4 : An accelerated flow may transmit packets to an unavailable pool member.
Links to More Info: BT764873
Component: TMOS
Symptoms:
Normally, when a pool member becomes unavailable, the flow is redirected towards another available pool member. However, an accelerated flow can continue to send traffic to the unavailable pool member rather than the updated one.
Conditions:
-- Using virtual servers configured for ePVA hardware acceleration via ePVA.
-- A flow changes the pool member it should go to, while the flow is accelerated.
Impact:
The flow's traffic continues to be targeted to a pool member that has become unavailable, resulting in a failure of service.
Workaround:
You can use either of the following workarounds:
-- Disable HW acceleration.
-- On BIG-IP v14.1.0 and later, if a pool member goes away, run the following command to flush all accelerated flows to be handled correctly by software:
tmsh modify sys conn flow-accel-type software-only
Fixed Versions:
13.1.3.2, 14.1.4.2, 15.0.1.3
764665-1 : AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change
Links to More Info: BT764665
Component: Application Visibility and Reporting
Symptoms:
When BIG-IP is registered on BIG-IQ system, sometimes avrd crashes with core.
Conditions:
-- BIG-IP is registered at BIG-IQ.
-- BIG-IQ sends configuration update to BIG-IP.
Impact:
Avrd cores and restarts. Functionality is not impacted; stats data are still sent to BIG-IQ.
Workaround:
None.
Fix:
Corrected issue in setting value for internal flag.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
764373-1 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths
Links to More Info: BT764373
Component: Application Security Manager
Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.
Conditions:
Server sends enforced cookies with the same name but with different paths.
Impact:
A valid request might be rejected.
Workaround:
None.
Fix:
The system now checks all enforced cookies correctly, so this issue no longer occurs.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
763349-1 : AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out
Links to More Info: BT763349
Component: Application Visibility and Reporting
Symptoms:
avrd application on BIG-IP crashes; core is generated.
Conditions:
-- The BIG-IP is configured to send data to BIG-IQ DCD node via the HTTPS protocol.
-- Connection to DCD is established but response does not arrive within the timeout interval, so the connection times out.
Impact:
avrd crashes, and a core is generated.
Workaround:
None.
Fix:
avrd now reconnects to BIG-IQ DCD in a different sequence so this issue no longer occurs.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
763121-1 : Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.
Links to More Info: BT763121
Component: Advanced Firewall Manager
Symptoms:
TMM crashes and produces a core file. The crash is a SIGFPE accompanied by the following panic string:
Assertion "packet must already have an ethernet header" failed.
Conditions:
This issue occurs when all of the following conditions are met:
- The system is provisioned for AFM.
- A TCP Half Open attack to the system is underway.
- A BIG-IP Administrator attempts to use the AFM Packet Tester tool, and simulates sending a TCP segment with the SYN flag set.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the AFM Packet Tester tool while a TCP Half Open attack is underway.
Fix:
TMM no longer crashes when utilizing the AFM Packet Tester tool.
Fixed Versions:
13.1.3, 14.1.2.8
763093-1 : LRO packets are not taken into account for ifc_stats (VLAN stats)
Links to More Info: BT763093
Component: Local Traffic Manager
Symptoms:
The ifc_stats do not correctly reflect the number of incoming octets/packets. There is a discrepancy between octets/packets in/out in the ifc_stats table, which tracks per-VLAN stats.
Conditions:
LRO is enabled and used for incoming packets.
Impact:
ifc_stats are incorrect for incoming octets and packets.
Workaround:
Disable LRO using the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
After modifying that variable, you must restart tmm for it to take effect (traffic disrupted while tmm restarts):
bigstart restart tmm
Fixed Versions:
13.1.4
763005-2 : Aggregated Domain Names in DNS statistics are shown as random domain name
Links to More Info: BT763005
Component: Application Visibility and Reporting
Symptoms:
When many DNS queries (e.g., 50000) with different query domain names are sent and AVR aggregates the data, the aggregated entries are shown under a random domain name taken from the first lookup table record.
Conditions:
-- Run 50000 DNS queries, all with different domain names.
-- View Statistics :: Analytics :: DNS, and choose View By : Domain Names.
Impact:
One random domain name is shown with a high counter value; all other domains are shown with a counter of 1.
Workaround:
None.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
763001-2 : Web-socket enforcement might lead to a false negative
Links to More Info: K70312000 , BT763001
Component: Application Security Manager
Symptoms:
A request that should be blocked will be passed to server.
Conditions:
-- The Parse Parameters flag in the JSON profile is enabled.
-- Requests are sent over a JSON WebSocket.
Impact:
Bad requests may be passed to the server.
Workaround:
Disable the Parse Parameters flag in the JSON profile.
Fix:
Web-socket enforcement now filters requests as expected.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
762205-1 : IKEv2 rekey fails to recognize VENDOR_ID payload when it appears
Links to More Info: BT762205
Component: TMOS
Symptoms:
Rekey with non-BIG-IP systems can fail when a response contains a VENDOR_ID payload.
Conditions:
- IKEv2 Responder sends VENDOR_ID payload in rekey response.
- The ipsec.log misleadingly reports:
[I] [PROTO_ERR]: unexpected critical payload (type 43)
Note: This message may be correctly present under other conditions, with different type constants not equal to 43.
Impact:
BIG-IP as the initiator of rekey drops the rekey negotiation without making further progress when the responder included a VENDOR_ID payload in a response. This will result in deleting the SA for good when the hard lifetime expires, causing a tunnel outage.
Workaround:
No workaround is known at this time.
Fix:
Handling of payload types during rekey will now ignore VENDOR_ID when it appears, the same way we ignore VENDOR_ID in other messages during IKE negotiation.
Fixed Versions:
13.1.3.4, 14.1.2.3, 15.0.1.4
762073-1 : Continuous TMM restarts when HSB drops off the PCI bus
Links to More Info: BT762073
Component: TMOS
Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.
Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.
Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.
Workaround:
Manually reboot the BIG-IP system.
Fix:
TMM no longer gets stuck in a restart loop, as a reboot is now automatic in this scenario.
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4
761993-4 : The nsm process may crash if it detects a nexthop mismatch
Links to More Info: BT761993
Component: TMOS
Symptoms:
If there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop, nsm may crash and restart.
Conditions:
-- Dynamic routing is in use.
-- A mismatch between tmrouted and nsm for the interface index or gateway of a nexthop exists.
Impact:
There is a temporary interruption to dynamic routing while nsm is restarted.
Workaround:
None.
Fix:
Prevented nsm crashing when there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop.
Fixed Versions:
13.1.3.2, 14.1.2.1, 15.0.1.1
761941-3 : ASM does not remove CSRT token query parameter before forwarding a request to the backend server
Links to More Info: BT761941
Component: Application Security Manager
Symptoms:
CSRT query parameter observed in tcpdump on the BIG-IP system's server side.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF enabled in ASM policy.
Impact:
Backend app gets CSRT parameter, which might impact its business logic.
Workaround:
You can remove a CSRT query parameter using a URI modification iRule on the server side.
Fix:
The system now removes the csrt query parameter before forwarding a request to the backend server.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
761921-3 : avrd high CPU utilization due to perpetual connection attempts
Links to More Info: BT761921
Component: Application Security Manager
Symptoms:
avrd shows high CPU utilization because the auth token client repeatedly retries failed connection attempts.
Conditions:
-- The BIG-IQ system is not available (even though it is configured).
-- Frequent connection retries.
Impact:
avrd consumes a large amount of CPU.
Workaround:
Correct BIG-IQ availability and restart avrd.
Fix:
avrd now waits between connection retries, so this issue does not occur.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
761553-4 : Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic
Links to More Info: BT761553
Component: Application Security Manager
Symptoms:
Text for analyzed requests might be misleading for suggestions that are created as result of an absence of violations in traffic:
X requests triggered this suggestion from date:time until date:time.
Actually:
-- 'X requests' did not trigger a violation, and no sampled requests are provided.
-- The format of the time in 'from date:time until date:time' is difficult to parse.
Conditions:
There are suggestions that were created as result of an absence of violations in traffic in the policy.
Impact:
Text might be misleading.
Workaround:
None.
Fix:
Improved the text for analyzed requests for suggestions that were created as a result of an absence of violations in traffic.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
761549-4 : Traffic Learning: Accept and Stage action is shown only in case entity is not in staging
Links to More Info: BT761549
Component: Application Security Manager
Symptoms:
Accept and Stage action is available, even for entities that are in staging already.
Conditions:
Create suggestion for the entity (e.g., Attack signature on parameter) that is in staging.
Impact:
Action that is not relevant is shown.
Workaround:
None.
Fix:
The Accept and Stage action is available only for suggestions on entities that are not in staging.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
761345-1 : Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode
Links to More Info: BT761345
Component: Advanced Firewall Manager
Symptoms:
When manual config-sync mode is enabled for a HA setup, additional config-sync may be required after firewall blob compilation.
Conditions:
Firewall rule configuration modified on a high availability (HA) setup with manual config-sync mode enabled.
Impact:
Additional config-sync may be required after compilation completion.
A warning may be given: "There is a possible change conflict between <device1> and <device2>.", and full sync may be forced.
Workaround:
Enable auto config-sync instead of manual config-sync.
Fix:
Additional config-sync is not required in these conditions.
Fixed Versions:
13.1.3.2, 14.1.2.3
761300 : Errors in REST token requests may log sensitive data
Links to More Info: K61105950 , BT761300
Component: Device Management
Symptoms:
When requests for REST tokens generate a parsing error the logged message may contain sensitive data present in the request, including passwords.
Conditions:
Error in token request parsing. Typical causes include a typo or other JSON syntax error in the POST body of the REST request.
Impact:
Restlogs record sensitive data. Properly formatted requests do not generate this error logging and do not record sensitive data.
Workaround:
None.
Fix:
Sensitive data is now filtered from logging.
Fixed Versions:
13.1.1.5
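The point of this fix is that an error path must not echo the raw request into the log: a parse failure is exactly the case where no parsed object exists, so any redaction has to work on the raw text. The following Python is an added example, not F5's implementation, of that approach: a regular expression blanks the string values of sensitive keys (the key list and the request bodies are constructed for the example), and the closing quote is optional so a value cut off by the very syntax error being logged is still redacted.

```python
"""Added example (not F5 code): log a token-request parse error without copying
credentials from the request body into the log, even when the body is not valid JSON."""
import json
import re

# Keys whose string values must never reach a log line (constructed list).
SENSITIVE_KEYS = ("password", "passwd", "secret", "token")

# Matches  "password": "value"  in raw text. The closing quote is optional so a
# value truncated by the syntax error being logged is still redacted.
_SENSITIVE_PAIR_RE = re.compile(
    r'("(?:' + "|".join(SENSITIVE_KEYS) + r')"\s*:\s*)"(?:[^"\\]|\\.)*(?:"|$)',
    re.IGNORECASE,
)


def redact(body):
    """Return the body with sensitive string values replaced. Works on the raw
    text rather than a parsed object because the error case has no parsed object."""
    return _SENSITIVE_PAIR_RE.sub(r'\g<1>"[REDACTED]"', body)


def parse_token_request(body, log):
    """Parse a JSON token request. On failure, append a diagnostic to 'log' that
    carries the error offset and the redacted body, never the original body."""
    try:
        return json.loads(body)
    except json.JSONDecodeError as err:
        log.append(f"token request parse error at offset {err.pos}: {redact(body)}")
        return None


# Constructed request bodies for the demonstration (not captured traffic).
VALID_BODY = '{"username": "admin", "password": "Sup3rS3cret!"}'
MALFORMED_BODY = '{"username": "admin", "password": "Sup3rS3cret!",}'  # trailing comma
UNTERMINATED_BODY = '{"username": "admin", "password": "Sup3rS3cret!'  # cut off mid-value


if __name__ == "__main__":
    entries = []
    parse_token_request(MALFORMED_BODY, entries)
    print(entries[0])
    print(redact(UNTERMINATED_BODY))
```

Redacting before logging, rather than trimming the message afterwards, keeps the secret out of every sink at once (local restlogs, remote syslog, debug traces), which is the property the fix restores.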
761273-1 : wr_urldbd creates sparse log files by writing from the previous position after logrotate.
Links to More Info: BT761273
Component: Traffic Classification Engine
Symptoms:
After log rotation, the wr_urldbd daemon continues to write at its pre-rotation offset into the file, so the next message is written at offset N. This makes the file sparse, with all bytes before that position reading back as nulls.
Conditions:
System rotates log files.
Impact:
Some automated systems might not be able to read log file.
Workaround:
None.
Fix:
Log file preserves text file type after log rotation.
Fixed Versions:
13.1.1.5, 14.1.2.8
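The mechanism behind this bug is a file descriptor that keeps its own offset across a rotation that truncates the file in place. The following Python is an added example, not F5 code, that reproduces the effect in a temporary directory: it writes a message, truncates the file the way a copy-and-truncate rotation does, and writes again, once with a plain descriptor (the stale offset leaves a hole of NUL bytes) and once opened with O_APPEND (every write lands at the current end of file, which is the 'text file type' the fix preserves).

```python
"""Added example (not F5 code): how a daemon that keeps a log open without
O_APPEND creates a sparse file after a copy-and-truncate style rotation, and how
O_APPEND avoids it. Runs in a temporary directory; no real log file is touched."""
import os
import tempfile


def write_after_rotation(use_append):
    """Write one message, rotate the log by truncating it in place (the daemon's
    descriptor survives, as it would for a long-running process), write again,
    and return the bytes that are left in the file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "daemon.log")
        flags = os.O_WRONLY | os.O_CREAT
        if use_append:
            flags |= os.O_APPEND  # each write goes to the current end of file
        fd = os.open(path, flags, 0o644)
        try:
            os.write(fd, b"first message\n")  # 14 bytes; descriptor offset is now 14
            # Rotation: the content is copied away and the original is truncated
            # to zero length. The daemon is not told and keeps its descriptor.
            with open(path, "r+b") as rotated:
                rotated.truncate(0)
            # Without O_APPEND the kernel writes at the stale offset 14, so the
            # file is extended with a 14-byte hole that reads back as NULs.
            os.write(fd, b"second message\n")
        finally:
            os.close(fd)
        with open(path, "rb") as f:
            return f.read()


def leading_nulls(data):
    """Count the NUL bytes at the start of the file: the hole described above."""
    return len(data) - len(data.lstrip(b"\x00"))


if __name__ == "__main__":
    for use_append in (False, True):
        data = write_after_rotation(use_append)
        print(f"O_APPEND={use_append}: {len(data)} bytes, {leading_nulls(data)} leading NULs")
```

The leading NULs are what make tools such as 'file' stop reporting the log as text and what break line-oriented log shippers; opening the log with O_APPEND (or reopening it on a rotation signal) is the standard way to avoid it.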
761231-4 : Bot Defense Search Engines getting blocked after configuring DNS correctly
Links to More Info: K79240502 , BT761231
Component: Application Security Manager
Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.
A cache is stored for legal / illegal requests to prevent querying the DNS again.
This cache never expires, so in case of an initial misconfiguration, after fixing the DNS configuration, or routing or networking issue, the Search Engines may still be blocked until TMM is restarted.
Conditions:
-- Initial misconfiguration of DNS or routing or networking issue.
-- Cache stores requests to prevent future queries to DNS.
-- Correct the misconfiguration.
Impact:
Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.
Workaround:
Restart TMM by running the following command:
bigstart restart tmm
Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.
Fixed Versions:
12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
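The lesson of this entry is that a negative verification result must not be cached forever, because the input that produced it (here, the reverse-DNS answer) can change after the operator fixes the environment. The following Python is an added example, not F5's implementation: a small verdict cache for reverse-DNS checks of crawler IPs, run once with no expiry (the behaviour described above) and once with the five-minute expiry the fix introduces. The clock, the resolver and the crawler domain are offline stand-ins constructed for the example; real verification would also confirm the forward lookup of the returned hostname, which is omitted here.

```python
"""Added example (not F5 code): a reverse-DNS verdict cache with and without an
expiry, showing why a permanent cache keeps blocking a legitimate crawler after
the DNS misconfiguration that produced the bad verdict has been corrected."""
import time


class VerdictCache:
    """ip -> (verdict, stored_at). ttl_seconds=None reproduces the never-expiring
    cache described above; 300 reproduces the five-minute expiry of the fix."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl_seconds = ttl_seconds
        self.clock = clock
        self._entries = {}

    def get(self, ip):
        entry = self._entries.get(ip)
        if entry is None:
            return None
        verdict, stored_at = entry
        if self.ttl_seconds is not None and self.clock() - stored_at >= self.ttl_seconds:
            del self._entries[ip]  # stale: force a fresh lookup
            return None
        return verdict

    def put(self, ip, verdict):
        self._entries[ip] = (verdict, self.clock())


def verify_search_engine(ip, cache, reverse_lookup, allowed_suffixes):
    """True if the client IP reverse-resolves to a hostname under an allowed
    suffix. A lookup failure counts as 'not verified' and, as in the bug, that
    negative verdict is cached like any other."""
    cached = cache.get(ip)
    if cached is not None:
        return cached
    try:
        hostname = reverse_lookup(ip)
        verdict = hostname is not None and hostname.endswith(tuple(allowed_suffixes))
    except OSError:
        verdict = False  # resolver unreachable or misconfigured
    cache.put(ip, verdict)
    return verdict


# Offline stand-ins for the clock and the resolver (constructed for the example).
class FakeClock:
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class FakeResolver:
    PTR = {"192.0.2.10": "crawler.search.example"}  # constructed PTR record

    def __init__(self, broken):
        self.broken = broken

    def lookup(self, ip):
        if self.broken:
            raise OSError("resolver unreachable")
        return self.PTR.get(ip)


ALLOWED_SUFFIXES = (".search.example",)  # hypothetical crawler domain


def simulate(ttl_seconds):
    """Verdicts for one crawler IP at t=0 (DNS broken), t=60 (DNS fixed), t=301."""
    clock, resolver = FakeClock(), FakeResolver(broken=True)
    cache = VerdictCache(ttl_seconds, clock=clock)
    ip, verdicts = "192.0.2.10", []
    verdicts.append(verify_search_engine(ip, cache, resolver.lookup, ALLOWED_SUFFIXES))
    resolver.broken = False  # the operator corrects the DNS configuration
    clock.now = 60.0
    verdicts.append(verify_search_engine(ip, cache, resolver.lookup, ALLOWED_SUFFIXES))
    clock.now = 301.0
    verdicts.append(verify_search_engine(ip, cache, resolver.lookup, ALLOWED_SUFFIXES))
    return verdicts


if __name__ == "__main__":
    print("no expiry :", simulate(None))
    print("300s TTL  :", simulate(300))
```

With no expiry the crawler stays blocked at every step, which is the symptom above; with a TTL the stale verdict is discarded and the next request is re-verified. A further refinement a practitioner would consider is not caching verdicts that came from resolver errors at all, or giving them a much shorter lifetime than genuine negative answers.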
761185-4 : Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic
Links to More Info: K50375550 , BT761185
Component: Local Traffic Manager
Symptoms:
For more information please see: https://support.f5.com/csp/article/K50375550
Conditions:
For more information please see: https://support.f5.com/csp/article/K50375550
Impact:
For more information please see: https://support.f5.com/csp/article/K50375550
Workaround:
For more information please see: https://support.f5.com/csp/article/K50375550
Fix:
For more information please see: https://support.f5.com/csp/article/K50375550
Fixed Versions:
12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.1
761032-4 : TMSH displays TSIG keys
Links to More Info: K36328238 , BT761032
Component: Global Traffic Manager (DNS)
Symptoms:
TSIG key is displayed when related configuration is listed in TMSH.
Conditions:
Authenticated administrative user.
Listing TSIG keys using TMSH.
Impact:
Displaying TSIG keys is a security exposure.
Workaround:
None.
Fix:
TMSH no longer displays TSIG keys when listing configuration.
Fixed Versions:
13.1.3.2, 14.0.1.1, 14.1.2.3
761030-1 : tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route
Links to More Info: BT761030
Component: Local Traffic Manager
Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not shown using the show net route lookup command.
Conditions:
-- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.
-- Dynamic Routing protocols such as OSPFv3 configured.
Impact:
Cannot see any dynamic routes added while IPv4-mapped IPv6 addresses are configured.
Workaround:
None.
Fix:
The query for IPv4-mapped IPv6 addresses now shows dynamic routes added while IPv4-mapped IPv6 is configured.
Fixed Versions:
13.1.3.2, 14.1.2.5
760974-1 : TMM SIGABRT while evaluating access policy
Links to More Info: BT760974
Component: Access Policy Manager
Symptoms:
TMM cores while evaluating access policy.
Conditions:
-- Secure Web Gateway is configured and in use.
-- An access policy is being evaluated.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use an iRule similar to the following:
when ACCESS_POLICY_COMPLETED {
    set res [ACCESS::session data get "session.policy.result"]
    if {[string compare $res "in_progress"] == 0} {
        log local0.notice "rejecting"
        reject
    }
    log local0.notice "result :$res"
}
Fix:
TMM no longer cores under these conditions.
Fixed Versions:
13.1.3
760961 : TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts
Links to More Info: BT760961
Component: Traffic Classification Engine
Symptoms:
Webroot daemon (wr_urldbd) crashes because of a socket handler issue that occurs when sending the URI categorization request to the BrightCloud server.
Wr_urldbd daemon restarts, and during startup, it loads the downloaded database to the shared memory channel. This shared memory channel is being used by the TMM, which has no information about the wr_urldbd restart, so tmm restarts.
Conditions:
-- Wr_urldbd restarts (which occurs due to an issue in socket handler when sending URL categorization requests to the BrightCloud server).
-- During wr_urldbd startup, the daemon starts loading the downloaded webroot database to the shared memory channel set up between the wr_urldbd and TMM.
-- TMM accesses this shared memory channel to perform a URL category lookup (due to traffic).
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes under these conditions.
Fixed Versions:
13.1.1.5, 14.1.4.4
760950-2 : Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment
Links to More Info: BT760950
Component: TMOS
Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.
Note: A previous bug had this same symptom, but was due to a different root cause.
Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.
Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.
Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.
Fix:
The advertised next-hop in BGP is now the smallest floating-IP active on the current BIG-IP system.
Fixed Versions:
12.1.5.3, 13.1.5, 14.1.2.7
760878-2 : Incorrect enforcement of explicit global parameters
Links to More Info: BT760878
Component: Application Security Manager
Symptoms:
A false positive or false negative enforcement of explicit global parameter.
Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.
Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.
Workaround:
Make the explicit parameters a wildcard parameter.
Fix:
Explicit parameters are enforced correctly on all parameters.
Fixed Versions:
12.1.5, 13.1.1.5, 14.1.0.6
760771-3 : FastL4-steered traffic might cause SSL resume handshake delay
Links to More Info: BT760771
Component: Local Traffic Manager
Symptoms:
When a FastL4 virtual server steers traffic to another SSL-enabled virtual server, there can be a delay on SSL session resumption because SSL is unable to identify the connection flow.
Additionally, it has been observed that if fallback persistence is configured, the BIG-IP system might fail to start the connection serverside.
Conditions:
-- FastL4 virtual server.
-- iRule is used to steer traffic to another virtual server with client SSL enabled.
-- Multiple tmm's.
Impact:
-- Potential impact to SSL performance.
-- Possible connection failure.
Workaround:
To work around this issue:
-- Disable FastL4.
-- Enable OneConnect.
Fix:
FastL4-steered traffic no longer causes SSL resume handshake delay.
Fixed Versions:
13.1.3, 14.1.2.3
760683-2 : RST from non-floating self-ip may use floating self-ip source mac-address
Links to More Info: BT760683
Component: Local Traffic Manager
Symptoms:
An RST from a non-floating self-ip may use the floating self-ip source mac-address when AFM or ASM is enabled.
Conditions:
-- AFM or ASM is enabled.
-- RST generated from non-floating self-ip address.
Impact:
An L2 switch may update the fwd table incorrectly.
Workaround:
None.
Fix:
The system now uses the correct source mac-address under these conditions.
Fixed Versions:
13.1.3.2, 14.1.2.5
760679 : Memory corruption when using C3D on certain platforms
Links to More Info: BT760679
Component: Local Traffic Manager
Symptoms:
When using Client Certificate Constrained Delegation (C3D), memory corruption can occur, which can eventually lead to a tmm crash.
Conditions:
C3D is enabled on a virtual server.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes under these conditions.
Fixed Versions:
13.1.3.4
760629-2 : Remove Obsolete APM keys in BigDB
Links to More Info: BT760629
Component: Access Policy Manager
Symptoms:
Several APM/Access BigDB keys are obsolete.
Conditions:
This is encountered on BIG-IP software installations.
Impact:
The db keys are obsolete and can be safely ignored.
Workaround:
None.
Fix:
The following db keys have been removed from the system:
Log.AccessControl.Level
Log.ApmAcl.Level
Log.SSO.Level
Log.swg.Level
Log.AccessPerRequest.Level
Log.access.syslog
Log.access.db
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
760622-2 : Allow Device Certificate renewal from BIG-IP Configuration Utility
Links to More Info: BT760622
Component: TMOS
Symptoms:
Unable to renew Device Certificate from System :: Certificate Management : Device Certificate Management : Device Certificate :: server.crt in non-English BIG-IP configurations.
Conditions:
Attempting to renew a device certificate under System :: Certificate Management : Device Certificate Management : Device Certificate :: server.crt (or its equivalent) on a non-English BIG-IP system.
Impact:
Unable to renew Device Certificate from the BIG-IP Configuration Utility.
Workaround:
Use a command of the following syntax, replacing key name, cert name, and # of days with your values:
openssl req -new -x509 -key ../ssl.key/server.key -days <# of days> -out server.crt
For example, to renew the siteserver.key and siteserver.crt for 90 days, use the following command:
openssl req -new -x509 -key ../ssl.key/siteserver.key -days 90 -out siteserver.crt
Fix:
The system now allows Device Certificate renewal from BIG-IP Configuration Utility.
Fixed Versions:
15.1.0.5
760550-3 : Retransmitted TCP packet has FIN bit set
Links to More Info: BT760550
Component: Local Traffic Manager
Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.
Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.
Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.
Workaround:
Set Nagle to disabled in the TCP profile.
Fix:
The incorrect FIN bit is removed.
Fixed Versions:
11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6
760471-4 : GTM iQuery connections may be reset during SSL key renegotiation.
Links to More Info: BT760471
Component: Global Traffic Manager (DNS)
Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.
Conditions:
This occurs occasionally during routine renegotiation. Renegotiation occurs once every 24 hours, per connection, by default (but can be controlled by the db key big3d.renegotiation.interval).
Impact:
The affected iQuery connection is briefly marked down before it is immediately re-established.
Workaround:
There is no workaround.
Fix:
GTM iQuery renegotiations no longer cause the error that reset the connection.
Fixed Versions:
12.1.5.2, 13.1.3.5, 14.1.2.3, 15.0.1.4, 15.1.0.2
760439-2 : After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
Links to More Info: BT760439
Component: TMOS
Symptoms:
After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status (e.g., transitions to standby or active).
Conditions:
Installing UCS that was taken in forced-offline state on clean installed unit.
Impact:
Unit may become active/standby before intended (e.g., during maintenance).
Workaround:
After installing the UCS, ensure that the unit is in forced-offline state as intended. If not in forced-offline state, force the unit offline before proceeding.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1
760438-1 : PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions
Links to More Info: BT760438
Component: Policy Enforcement Manager
Symptoms:
tmm coredump
Conditions:
-- Using an iRule to apply a referential policy in a rigorous loop.
-- This is a rarely occurring timing issue.
Impact:
Traffic impact due to tmm coredump. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The BIG-IP system now validates session presence before applying the policy.
Fixed Versions:
13.1.3, 14.1.2.1
760408-1 : System Integrity Status: Invalid after BIOS update
Links to More Info: BT760408
Component: TMOS
Symptoms:
When BIG-IP system boots, it performs a System Integrity Check. The System Integrity Status may return one of three states: Valid, Unavailable, or Invalid.
This issue causes the System Integrity Status to return a value of 'Invalid'.
Conditions:
-- One of the following BIG-IP platforms, which have a Trusted Platform Module (TPM), manufactured with an earlier BIOS version:
- i850, i2600, i2800, i4600, i4800
- i5600, i5800, i7600, i7800, i10600, i10800
- i12600, i12800, i15600, i15800
- B4400 series blades
-- Updating to a newer BIOS version.
Impact:
The System Integrity Status returns a status of Invalid, which may falsely indicate that the system BIOS or OS has been compromised.
Workaround:
Install the new BIOS, which fixes the issue that causes the 'Invalid' status to be reported, and, on systems where the BIOS and OS have not been compromised, returns a status of 'Valid'.
Fix:
The System Integrity Status check now returns 'Valid' for systems that have not been compromised.
Fixed Versions:
13.1.3, 14.0.0.5, 14.1.0.6
760363-2 : Update Alias Address field with default placeholder text
Links to More Info: BT760363
Component: TMOS
Symptoms:
Unable to update Alias Address field with the default value under Local Traffic :: Monitors :: [MonitorName] after removing everything from the input field and updating again with the placeholder text.
Conditions:
-- Using a system running software in which the GUI supports Chinese characters.
-- Remove the content of the Alias Address field under Local Traffic :: Monitors :: [MonitorName].
-- Enter the default placeholder text.
Impact:
Unable to update the Alias Address input field with the default placeholder text after the field has been cleared or set to a valid value.
Workaround:
Pass an empty value or '::'.
Fix:
Monitors can now be updated with the default placeholder text for Alias Address.
Fixed Versions:
13.1.3.2
760356-4 : Users with Application Security Administrator role cannot delete Scheduled Reports
Links to More Info: BT760356
Component: Application Visibility and Reporting
Symptoms:
User accounts configured with the Application Security Administrator role cannot delete scheduled reports, while they can create/view/edit them.
Conditions:
-- Logged on with a user account configured as an Application Security Administrator.
-- Attempting to delete a scheduled report.
Impact:
Cannot complete the delete operation. Deleting scheduled reports requires root/admin intervention.
Workaround:
Use root or a user account configured as Administrator to delete scheduled reports.
Fix:
User accounts configured with the Application Security Administrator role can now delete Scheduled Reports.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6, 15.0.1.1
760222-5 : SCP fails unexpectedly when FIPS mode is enabled
Links to More Info: BT760222
Component: TMOS
Symptoms:
Secure Copy (scp) to some locations fails with the following message:
Path not allowed.
Conditions:
-- FIPS mode is enabled.
-- Copying a file to a restricted location using SCP.
Impact:
Cannot use SCP to copy to restricted locations on the BIG-IP system.
Workaround:
None.
Fix:
This scp issue no longer occurs when FIPS cards are installed.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.3
760130-1 : [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK
Links to More Info: BT760130
Component: Access Policy Manager
Symptoms:
-- Increased overall TMM memory usage, which eventually forces TMM to start closing connections to reduce memory usage.
-- The connflow memory usage keeps increasing. Memory usage can be observed with this command:
# tmctl -f /var/tmstat/blade/tmm0 memory_usage_stat -w200
Conditions:
1. Using PingAccess.
2. Errors are being logged in /var/log/paa.
Impact:
-- Memory leak.
-- Eventually TMM starts closing connections randomly.
Workaround:
None.
Fix:
When PingAccess encounters an error after sending traffic data to PingAccess SDK, TMM no longer leaks memory.
Fixed Versions:
13.1.3, 14.1.3.1
760050-4 : "cwnd too low" warning message seen in logs
Links to More Info: BT760050
Component: Local Traffic Manager
Symptoms:
The following benign message appears in the log: "cwnd too low."
The message can be seen in both tmm logs (where it shows as 'notice' severity) and also in the ltm log (where it shows as 'crit' (critical) severity).
Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.
Impact:
None. TCP resets the congestion window to 1 MSS.
Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.
Fixed Versions:
13.1.4.1, 14.1.2.7, 15.1.4
759968 : Distinct vCMP guests are able to cluster with each other.
Links to More Info: BT759968
Component: Local Traffic Manager
Symptoms:
-- Distinct vCMP guests are able to cluster with each other.
-- Guests end up having a duplicate rebroad_mac on one or more slots. This can be checked using the following command:
clsh tmctl -d blade tmm/vcmp -w 200 -s vcmp_name,tmid,rebroad_mac
Check the 'rebroad_mac' field for duplicate mac addresses.
vcmp_name tmid rebroad_mac
--------- ---- -----------------
default 0 02:01:23:45:01:00
vcmp1 0 00:00:00:00:00:00
vcmp5 0 02:01:23:45:01:04
vcmp6 0 00:00:00:00:00:00
vcmp7 0 02:01:23:45:01:06
vcmp8 0 00:00:00:00:00:00
vcmp9 0 02:01:23:45:01:08
vcmp10 0 02:01:23:45:01:0A <--------------
vcmp11 0 02:01:23:45:01:0A <--------------
Conditions:
-- It is not yet clear under what circumstances the issue occurs.
-- One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate 'rebroad_mac' on one or more slots.
Impact:
Only the vCMP guest acting as primary will be operative.
Workaround:
-- Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:
modify sys db clusterd.communicateovertmmbp value false
To disable the db variable on the affected guest, log in to the TMOS Shell (tmsh) by entering the following command:
tmsh
Then run the following commands, in sequence:
stop sys service clusterd
modify sys db clusterd.communicateovertmmbp value false
start sys service clusterd
save sys config
Afterwards, the affected guest might still have the wrong management IP address. To resolve that, log into the vCMP Hypervisor and force a management IP update such as changing the netmask and then changing it back.
With the above steps, the duplicated rebroadcaster MAC still shows, but the vCMP guests are in stable states. To fix the duplicated MAC problem, apply the workaround (on all blades) documented in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
Important: Applying the procedure described in K13030 interrupts traffic.
Fix:
The vCMP guests no longer end up having a non-null and duplicate 'rebroad_mac' on one or more slots. Distinct vCMP guests are no longer able to cluster with each other.
Fixed Versions:
12.1.5, 13.1.3, 14.1.2.1, 15.0.1.1
759735-1 : OSPF ASE route calculation for new external-LSA delayed
Links to More Info: BT759735
Component: TMOS
Symptoms:
External link-state advertisement (LSA) update does not trigger OSPF ASE route calculation, resulting in delay for route state changes from external LSA.
Conditions:
-- OSPF enabled.
-- More than 20 updated external LSAs.
-- No updated router or network LSAs.
Impact:
Delay of route update from external LSA.
Workaround:
Manually clear the IP OSPF process.
Fix:
OSPF ASE route calculation from external LSAs now happens as normal.
Fixed Versions:
13.1.3.2, 14.1.2.5
759721-4 : DNS GUI does not follow best practices
Links to More Info: K03332436 , BT759721
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS WebUI does not follow best security practices.
Conditions:
DNS services provisioned, enabled, and configured
Impact:
The DNS WebUI does not follow best security practices.
Workaround:
None.
Fix:
The DNS WebUI now follows best security practices.
Fixed Versions:
13.1.3, 14.0.0.5, 14.1.0.6
759638-1 : APM current active and established session counts out of sync after failover
Links to More Info: BT759638
Component: Access Policy Manager
Symptoms:
The 'tmsh show apm license' command shows that the current established session count is much larger than the current active session count. In the extreme case, current established session count can reach the maximum allowed, and the system reports the ERR_TOOBIG error in the apm log.
err tmm3[12351]: 01490581:3: (null):Common:00000000: Access stats encountered error: SessionDB operation failed (key: tmm.license.global_estab_stats.f26de3c7, ret: ERR_TOOBIG).
Conditions:
This counter out-of-sync period happens right after failover and lasts for five minutes.
Impact:
There is no impact to user sessions. Only the connection counts are impacted.
Workaround:
None.
Fixed Versions:
13.1.3
759596-3 : Tcl errors in iRules 'table' command
Links to More Info: BT759596
Component: TMOS
Symptoms:
The iRules 'table delete' command causes Tcl errors due to improperly handling the return code from SessionDB.
Conditions:
-- iRules 'table delete' command is used.
-- Does not occur consistently, but is more prone to occur when the system is processing more traffic.
Impact:
The 'table delete' command randomly fails and causes disruptions in traffic.
Workaround:
Do not use the 'table delete' command.
Fix:
Fixed 'table delete' to properly interpret the return code from SessionDB.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.4
759480-2 : HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash
Links to More Info: BT759480
Component: Local Traffic Manager
Symptoms:
When a request is sent to the virtual server which meets the conditions specified, TMM may crash.
Conditions:
When all of the following conditions are met:
-- Virtual server configured with iRule that contains HTTP::respond or HTTP::redirect in an LB_FAILED event.
-- A command in an LB_FAILED event (does not have to be in the same iRule as the previous point, but must be attached to the same virtual server), that parks the iRule (e.g., table, session, persist, after, HSL).
-- A CLIENT_CLOSED event is present.
-- The pool member fails in some manner, triggering LB_FAILED.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Add a reject command to the LB_FAILED event to force the server side of the connection closed before the response is sent to the client.
Fixed Versions:
12.1.5, 13.1.3.4, 14.1.3.1
759360 : Apply Policy fails due to policy corruption from previously enforced signature
Links to More Info: BT759360
Component: Application Security Manager
Symptoms:
Apply Policy fails due to policy corruption in PLC database from a previously enforced signature.
Conditions:
1. Export a policy containing a signature with an enforced rule.
2. Update ASM Signatures (ASU).
3. Import that previously exported policy.
4. Apply the newly imported policy.
Impact:
Apply policy fails.
Workaround:
As a workaround, run the following SQL, and then apply the policy:
----------------------------------------------------------------------
UPDATE PLC.PL_POLICY_NEGSIG_SIGNATURES SET previous_enforced_rule_md5 = '' WHERE previous_enforced_rule = '' and previous_enforced_rule_md5 != ''
----------------------------------------------------------------------
Fixed Versions:
13.1.1.5, 14.1.0.6
759192-1 : TMM core during display of PEM session under some specific conditions
Links to More Info: BT759192
Component: Policy Enforcement Manager
Symptoms:
TMM crashes during display of PEM session if the session has multiple IP addresses added under certain conditions.
Conditions:
-- Session has multiple IP addresses added.
-- When the session was created, addition of multiple IP addresses was not allowed.
Impact:
TMM restart. Traffic disrupted while tmm restarts.
Workaround:
Do not change the value of sys db variable tmm.pem.session.ip.addr.max while some sessions are already created.
Fix:
TMM core during display of PEM session no longer occurs.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.2.1
759135-5 : AVR report limits are locked at 1000 transactions
Links to More Info: BT759135
Component: Application Visibility and Reporting
Symptoms:
AVR reports are limited to 1000 transactions. This is due to a hard-coded limit.
Conditions:
Using AVR reports for more than 1000 transactions.
Impact:
Unable to create reports with more than 1000 rows.
Workaround:
None.
Fix:
A db variable avr.stats.reportrownumberlimit has been added that can be controlled via TMSH. The variable controls the number of rows in a report, within the range of 1 to 100000.
For example, for a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:
tmsh modify sys db avr.stats.reportrownumberlimit value 10000
Behavior Change:
There is a new db variable avr.stats.reportrownumberlimit available in TMSH, which controls the number of rows in an AVR report. Valid values are from 1 to 100000.
For example, to create a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:
tmsh modify sys db avr.stats.reportrownumberlimit value 10000
Fixed Versions:
13.1.3.2, 14.1.2.1, 15.0.1.1
759077-4 : MRF SIP filter queue sizes not configurable
Links to More Info: BT759077
Component: Service Provider
Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.
Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes is exceeded, the filter enables its flow control logic.
Impact:
Messages may be dropped.
Workaround:
None.
Fix:
The max-pending-messages and max-pending-bytes values in the SIP router profile will be used as the limits for the SIP filter's queues. If the configured value is less than the existing hard-coded limits (512 bytes or 65535 bytes), the hard-coded limits will be used.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.4
759056-1 : stpd memory leak on secondary blades in a multi-blade system
Links to More Info: BT759056
Component: Local Traffic Manager
Symptoms:
On secondary blades in a multi-blade system, stpd shows continued increased memory usage.
Conditions:
A non-passthru STP mode (STP, RSTP, or MSTP) is enabled on the system.
Impact:
System performance is degraded due to needless memory usage by stpd.
Workaround:
None.
Fix:
Stpd no longer leaks memory.
Fixed Versions:
13.1.3.6, 14.1.3.1
758992-1 : The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address
Links to More Info: BT758992
Component: Local Traffic Manager
Symptoms:
tmm may use a combination of the traffic-group MAC address and the per-VLAN MAC address for traffic associated with the traffic-group.
Conditions:
All of the following:
-- The traffic-group has a MAC address set.
-- The sys db variable 'tm.macmasqaddr_per_vlan' is set to true.
-- There are multiple tmm processes running on the BIG-IP system.
Note: BIG-IP Virtual Edition is not affected since there is only one tmm process.
Impact:
Incorrect MAC address used for traffic associated with the traffic-group.
Workaround:
None.
Fix:
tmm uses the proper MAC address when there is a traffic-group MAC address defined and 'tm.macmasqaddr_per_vlan' is set to true.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.3
758961 : During brute force attack, the attempted passwords may be logged
Links to More Info: K58243048
Component: Application Security Manager
Symptoms:
Request data potentially including passwords is not masked in the ASM local and remote logger.
Conditions:
A brute force attack is in progress and login traffic is blocked from the suspicious IPs.
Impact:
Exposure of potentially sensitive data to the BIG-IP logger.
Workaround:
N/A
Fix:
Potentially sensitive data from brute force blocked requests is no longer logged.
Fixed Versions:
13.1.1.5
758872-2 : TMM memory leak
Links to More Info: BT758872
Component: Local Traffic Manager
Symptoms:
When a Clustered Multiprocessing (CMP)-disabled virtual server enters syncookie mode, the flows created on TMM instances other than tmm0 are not removed, resulting in a TMM memory leak.
Note: CMP-disabled virtual servers are not distributed among the available TMM processes, but instead are processed on tmm0.
Conditions:
-- Virtual server is CMP disabled.
-- The same virtual server enters syncookie mode.
Impact:
Elevated memory utilization that may impact performance. In extreme cases, it might lead to an out-of-memory crash.
Workaround:
Make sure the virtual server is not CMP disabled, for example, avoid using global variables in iRules.
Fix:
Flows of CMP-disabled virtual servers are now properly removed from all TMM instances.
Fixed Versions:
12.1.5, 13.1.3.4, 14.1.2.3
758781-1 : iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates
Links to More Info: BT758781
Component: TMOS
Symptoms:
The following commands take a long time to complete when there are a large number of certificates:
get_certificate_list()
get_certificate_list_v2()
get_certificate_list_v3()
Conditions:
-- Using the get_certificate_list(), get_certificate_list_v2(), and get_certificate_list_v3() commands to get certificate information.
-- A large number of certificates (typically in the thousands) are installed on the BIG-IP system.
Impact:
Slowness might cause timeouts in applications that are calling these functions.
Workaround:
Use the iControl REST API endpoint corresponding to sys/file/ssl-cert.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.1
758772-4 : DNS Cache RRSET Evictions Stat not increasing
Links to More Info: BT758772
Component: Global Traffic Manager (DNS)
Symptoms:
In the DNS Cache stats, the 'Resource Record Cache' statistic of 'Evictions' does not increase.
Conditions:
This occurs when the cache is full enough for records to be evicted.
Impact:
The 'Evictions' statistics do not increase when those records are evicted. Incorrect statistics accounting.
Workaround:
None.
Fix:
Fixed an issue preventing the DNS Cache's 'Resource Record Cache' statistic from counting 'Evictions'.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7
758764-4 : APMD Core when CRLDP Auth fails to download revoked certificate
Links to More Info: BT758764
Component: Access Policy Manager
Symptoms:
CRLDP Auth fails to download revoked certificates, so the list of revoked certificates remains empty (NULL). APMD cores while accessing this empty (NULL) list.
Conditions:
Empty revoked-certificate list handling.
Impact:
APMD core. No access policy enforcement for user sessions or any MPI-reliant processes, such as rewrite and websso, while apmd restarts.
Workaround:
None.
Fix:
The system now checks for empty (NULL) revoked certificate lists and lets validation succeed in that case, because there is nothing to validate against.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
758631-2 : ec_point_formats extension might be included in the server hello even if not specified in the client hello
Links to More Info: BT758631
Component: Local Traffic Manager
Symptoms:
RFC 5246 states that if an extension does not exist in the client hello, it must not exist in the server hello. When an EC cipher suite is selected, the server might send the ec_point_formats extension, even if none exists in the client hello.
Conditions:
-- An EC cipher suite is selected.
-- The client does not send an ec_point_formats extension.
Impact:
Some clients abort the connection in this case.
Workaround:
There is no workaround other than not configuring any EC cipher suites.
Fix:
With this change, the server does not send an unsolicited ec_point_formats extension.
Fixed Versions:
12.1.5, 13.1.3.5, 14.0.1.1, 14.1.2.5
758599-4 : IPv6 Management route is preferred over IPv6 tmm route
Links to More Info: BT758599
Component: Local Traffic Manager
Symptoms:
The IPv6 Management route has lower metric than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the mgmt interface.
Conditions:
Create an IPv6 mgmt route and a static IPv6 tmm route on the same BIG-IP system. IPv6 routes from TMM are injected at metric 1024.
Impact:
The incorrect routing table sends the traffic that matches the default route to the mgmt interface.
Workaround:
None.
Fix:
The IPv4 and IPv6 management routes now have a metric value of 4096. The default metric of static routes is 1 for IPv4 and 1024 for IPv6. This makes static routes (TMM routes) preferred over management routes, which is the correct behavior.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.3
758527-4 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
Links to More Info: K39604784 , BT758527
Component: TMOS
Symptoms:
Under certain conditions BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.
Conditions:
-- Tagged VLANs in use.
-- STP pass-through mode enabled.
Impact:
Frames not delivered as expected.
Workaround:
Disable global STP.
Fix:
Frames now delivered as expected.
Fixed Versions:
11.6.5.1, 12.1.5, 13.1.3.2, 14.0.0.5, 14.1.2.3, 15.0.1.3
758437-4 : SYN w/ data disrupts stat collection in Fast L4
Links to More Info: BT758437
Component: Local Traffic Manager
Symptoms:
Fast L4 analytics reports very large integers for goodput.
Conditions:
BIG-IP receives SYNs with attached data.
Impact:
Goodput data is unreliable.
Workaround:
None.
Fix:
Data coupled with the SYN breaks the check for a Fast L4 state change. The connection can still function normally, but statistics collection is reliant on the state change to initialize things properly. The system now ensures the correct state under these conditions, so statistics are measured correctly.
Fixed Versions:
13.1.3.5, 14.1.2.8
758436-2 : Optimistic ACKs degrade Fast L4 statistics
Links to More Info: BT758436
Component: Local Traffic Manager
Symptoms:
Fast L4 Analytics reports very large integers for goodput.
Conditions:
Endpoints send ACKs for data that has not been sent.
Impact:
Goodput statistics are not usable in certain data sets.
Workaround:
None.
Fix:
Additional checks prevent analytics from trusting optimistic ACKs.
Fixed Versions:
13.1.3.5, 14.1.2.8
758336-1 : Incorrect recommendation in Online Help of Proactive Bot Defense
Links to More Info: BT758336
Component: Application Security Manager
Symptoms:
The online help of Proactive Bot Defense within the DoS profile shows the following under the 'Cross-Domain Requests' section:
Allow configured domains; validate in bulk: ... We recommend this option if your web site has many cross-domain resources.
Allow configured domains; validate upon request: ... We recommend this option if your web site does not have many cross-domain resources.
The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.
Conditions:
Application has multiple cross-domain resources.
Impact:
Confusing documentation. The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.
Workaround:
For many cross-domain resources, it is better to use 'validate upon request'.
Fix:
The online help of Proactive Bot Defense has been corrected under the 'Cross-Domain Requests' section.
Fixed Versions:
12.1.5, 13.1.1.5, 14.1.4, 15.1.2.1
758119-4 : qkview may contain sensitive information
Links to More Info: K58243048 , BT758119
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048
Conditions:
For more information see: https://support.f5.com/csp/article/K58243048
Impact:
For more information see: https://support.f5.com/csp/article/K58243048
Workaround:
For more information see: https://support.f5.com/csp/article/K58243048
Fix:
For more information see: https://support.f5.com/csp/article/K58243048
Fixed Versions:
11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
758041-4 : LTM Pool Members may not be updated accurately when multiple identical database monitors are configured.
Links to More Info: BT758041
Component: Local Traffic Manager
Symptoms:
When two or more LTM database monitors (MSSQL, MySQL, PostgreSQL, Oracle) with identical 'send' and 'recv' strings are configured and applied to different LTM pools (with at least one pool member in each), the monitor status of some LTM pool members may not be updated accurately.
Other parameters of the affected LTM monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause pool members using one of the affected monitors to connect to the same database to be marked UP, while LTM pool members using another affected monitor may be marked DOWN.
As a result of this issue, LTM pool members that should be marked UP or DOWN by the configured LTM monitor may instead be marked according to another affected monitor's configuration, resulting in the affected LTM pool members being intermittently marked with an incorrect state.
After the next monitor ping interval, affected LTM pool members may be marked with the correct state.
Conditions:
This may occur when multiple LTM database monitors (MSSQL, MySQL, PostgreSQL, Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different LTM pools/members which share the same IP address and Port values.
For example:
ltm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
recv none
send "select version();"
...
}
Impact:
Monitored LTM pool members using an LTM database monitor (MSSQL, MySQL, PostgreSQL, Oracle) randomly go offline/online.
Workaround:
To avoid this issue, configure each LTM database monitor with values that make the combined parameters unique by changing either the 'send' or the 'recv' parameters, or both.
For example:
ltm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
recv 5.7
send "select version();"
...
}
Fix:
The system now correctly updates LTM pool members when multiple identical LTM database monitors are configured.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.4.1
757992-1 : RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
Links to More Info: BT757992
Component: Access Policy Manager
Symptoms:
The RADIUS Acct STOP message is not sent when the system is configured with a route domain for an HA Pool setup.
Conditions:
-- Configure Floating IP with route domain.
-- Configure RADIUS accounting server with Pool Setup.
-- Configure the virtual server containing the access policy to use the RADIUS Accounting server.
-- Access the virtual server.
Impact:
-- START message is being sent through proper egress floating IP address.
-- STOP message is not sent, and the system logs the following error message:
-- err tmm1[11193]: 01490586:3: (null):Common:8a505e8c: Processing radius acct stop message failed, connection failure.
-- err tmm1[11193]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_RTE. File: ../modules/hudfilter/access/access_session.c, Function: access_session_final_callback, Line: 4439.
Workaround:
This issue is present only when the floating IP address is configured with a non-default route domain. It works fine with the default route domain. Use of default route domain is recommended.
Fix:
RADIUS Acct STOP message is now sent as expected.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
757827-3 : Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution
Links to More Info: BT757827
Component: Local Traffic Manager
Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP reboot operation.
Conditions:
This may occur on affected BIG-IP versions when:
-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.
-- The BIG-IP version in use contains the fix for ID 726319 :: Bug ID 726319: 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses :: https://cdn.f5.com/product/bugtracker/ID726319.html.
The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.
Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected. As a result, some pools may not have any active pool members, and do not pass traffic.
This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.
Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes ('##' is the desired number of seconds between successive DNS queries to resolve the configured FQDN name):
tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Fix:
When using FQDN nodes and pool members, ephemeral pool members are now created as expected following a configuration-load or BIG-IP reboot operation.
However, messages similar to the following may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name:
-- err mcpd[20479]: 01020066:3: The requested Node (****) already exists in partition ****.
-- err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.
These are benign messages that do not affect BIG-IP functionality.
Fixed Versions:
13.1.3.2, 14.1.2.5, 15.0.1.3
757781-1 : Portal Access: cookie exchange may be broken sometimes
Links to More Info: BT757781
Component: Access Policy Manager
Symptoms:
Portal Access uses a special HTTP request with the URL '/private/fm/volatile.html' to exchange cookie data between the client and the BIG-IP system. Sometimes the BIG-IP system might send an invalid response to such a request. As a result, no cookie data can be sent from the backend server to the client.
Conditions:
Invalid response to HTTP requests with the following URL:
/private/fm/volatile.html
Impact:
Portal Access client cannot see cookies set by the backend server. Backend server does not send cookie data to the client.
Workaround:
None.
Fix:
Portal Access now sends correct HTTP responses with backend cookie data to the client.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.4.2, 15.0.1.1
757777-2 : bigtcp does not issue a RST in all circumstances
Links to More Info: BT757777
Component: Local Traffic Manager
Symptoms:
bigtcp does not issue a TCP reset, e.g., when using the iRule reject command on CLIENT_ACCEPTED.
Conditions:
-- bigtcp in use.
-- TCP connection.
-- Connection ungracefully shut down via a 'reject' command in an iRule.
Impact:
TCP RST is not sent, and the SYN is silently dropped.
Workaround:
None.
Fix:
bigtcp virtual servers now send a TCP RST if needed.
Fixed Versions:
13.1.5, 14.1.2.5
757722-1 : Unknown notify message types unsupported in IKEv2
Links to More Info: BT757722
Component: TMOS
Symptoms:
IKE negotiation fails when an unrecognized notify payload type is seen in a message processed by IKEv2.
Conditions:
Receiving an IKE message that contains a notify payload whose numeric type value is unrecognized by IKEv2.
Impact:
Negotiation fails with an aborted connection, preventing tunnel creation.
Workaround:
A peer can suppress notification payloads with advisory values that get rejected by IKEv2 within the BIG-IP system.
Fix:
All unknown notify types are now logged and then ignored.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
757578-4 : RAM cache is not compatible with verify-accept
Links to More Info: BT757578
Component: Local Traffic Manager
Symptoms:
The TCP profile's verify-accept option is not compatible with the RAM cache feature.
Conditions:
A TCP profile is used with the 'verify-accept' option enabled, together with a Web Acceleration via RAM cache.
Impact:
There may be a log message in /var/log/tmm# describing an 'Invalid Proxy Transition'. The RAM cache feature may not handle later pipelined requests due to the proxy shutting down the connection.
Workaround:
Do not use TCP's verify-accept option together with RAM cache.
Fix:
RAM cache now works correctly when the TCP profile enables the verify-accept option.
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.1, 15.0.1.1
757464-3 : DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record
Links to More Info: BT757464
Component: Global Traffic Manager (DNS)
Symptoms:
Attempt to delete a DNS Validating Resolver cache record from the 'Key' cache does not remove the record. Also displays a negative TTL for that record.
tmm crash
Conditions:
-- Populate the DNS Validating Resolver Cache.
-- Attempt to delete a record from the 'Key' cache.
Impact:
Undesired behavior because records are not deleted as instructed; the record also shows a negative TTL.
Workaround:
The only workaround is to restart tmm to generate a completely empty DNS cache. Traffic disrupted while tmm restarts.
Fix:
Fixed an issue preventing records from a DNS Validating Resolver's 'Key' sub-cache from being deleted when utilizing the TMSH command:
delete ltm dns cache records key cache
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7
757446-1 : Invoking the HTTP::respond iRule command when the HTTP2 profile is present can cause stalled or malformed responses.
Links to More Info: BT757446
Component: Local Traffic Manager
Symptoms:
The BIG-IP system stalls a connection instead of sending the intended HTTP response, or sends a malformed response.
Conditions:
This issue occurs when all of the following conditions are met:
-- The virtual server uses the http2 profile.
-- The virtual server uses an iRule that invokes the HTTP::respond command under the HTTP_REQUEST or HTTP_RESPONSE event.
Impact:
Clients do not get the expected responses, leading to application failures.
Workaround:
None.
Fix:
The HTTP::respond iRule command works as expected under these conditions.
Fixed Versions:
13.1.5, 14.1.2.7
757442-1 : A missed SYN cookie check causes crash at the standby TMM in HA mirroring system
Links to More Info: BT757442
Component: Local Traffic Manager
Symptoms:
In a high availability (HA) mirroring configuration, an L7 packet SYN cookie check may be skipped on the standby unit and eventually causes TMM to crash.
Conditions:
-- L7 traffic being passed to an HA configuration that is configured for mirroring traffic.
-- Failover occurs.
Impact:
TMM crashes on the standby device. No connections are shown on the standby unit even when mirroring is enabled.
Workaround:
Do not use HA mirroring.
Fix:
The system now provides SYN cookie checks for L7 mirrored packets on the standby system.
Fixed Versions:
13.1.3, 14.1.4
757441-2 : Specific sequence of packets causes Fast Open to be effectively disabled
Links to More Info: BT757441
Component: Local Traffic Manager
Symptoms:
You see this warning in the logs:
warning tmm[21063]: 01010055:4: Syncookie embryonic connection counter -1 exceeded sys threshold 64000.
Conditions:
-- TCP Fast Open and ECN are both enabled.
-- Multiple RST segments within the receive window are received in the SYN_RECEIVED state.
Impact:
TCP Fast Open is disabled because the pre_established_connections counter becomes very large (greater than the threshold).
Workaround:
TCP ECN option can be disabled.
Fix:
TCP Fast Open is no longer disabled under these conditions.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.2.1
757414 : GUI Network Map slow page load with large configuration
Links to More Info: BT757414
Component: TMOS
Symptoms:
Network Map loads very slowly when displaying large configurations.
Conditions:
Open Network Map page with a large configuration, for example, 2500 or more virtual servers, pools, and pool members.
Impact:
The Network Map page loads too slowly to be usable.
Workaround:
None.
Fix:
Network Map no longer loads very slowly when displaying large configurations.
Fixed Versions:
13.1.1.5
757407-2 : Error reading RRD file may induce processes to mutually wait for each other forever
Links to More Info: BT757407
Component: Local Traffic Manager
Symptoms:
If an error occurs while statsd is reading a file that contains performance data, certain control-plane processes may wait for each other indefinitely.
In some instances, error messages about files in the /var/rrd directory may appear in /var/log/ltm.
Conditions:
Errors occur when performance-monitoring processes attempt to read files in the BIG-IP's internal Round-Robin Database.
Impact:
Attempts to issue commands using "tmsh" may hang.
No "qkview" datasets can be successfully generated.
Workaround:
If damaged data files in /var/rrd can be identified, delete them and run "bigstart restart statsd".
Fixed Versions:
13.1.5
757391-3 : Datagroup iRule command class can lead to memory corruption
Links to More Info: BT757391
Component: Local Traffic Manager
Symptoms:
When the 'class' iRule command is used to access datagroups within a foreach loop, memory can be corrupted and tmm can crash.
Conditions:
A [class] command used within a foreach loop.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround aside from removing that iRule.
Fix:
tmm no longer crashes under these conditions.
Fixed Versions:
12.1.5, 13.1.3, 14.1.2.5
757359-3 : pccd crashes when deleting a nested Address List
Links to More Info: BT757359
Component: Advanced Firewall Manager
Symptoms:
When removing a nested Address List or Port List, the pccd process might crash.
Conditions:
This might occur under the following conditions:
-- Removing a nested Address List or Port List using a tmsh transaction with an incorrect tmsh command order consistently results in this crash.
-- A high availability (HA) setup with config-sync enabled and there are intermittent problems with HA-connections, or out-of-memory system state, might intermittently result in this crash.
Impact:
pccd crashes with core, restarts, and correctly compiles the new configuration. There is a resulting, small delay in applying the new configuration due to the pccd restart.
Workaround:
-- If the crash occurs as a result of incorrect tmsh command order in a transaction, reorder the commands so that the parent list is modified or deleted before the nested list is deleted.
-- If the crash is an intermittent issue due to problems with HA-connections, or an out-of-memory system state, no action is necessary; pccd correctly compiles new configuration after it restarts.
Fix:
pccd no longer crashes under these conditions, and correctly compiles the new configuration.
Fixed Versions:
13.1.3, 14.1.0.6
757306-2 : SNMP MIBS for AFM NAT do not yet exist
Links to More Info: BT757306
Component: Advanced Firewall Manager
Symptoms:
SNMP MIBS for AFM NAT do not yet exist.
Conditions:
This occurs in normal operation.
Impact:
The AFM NAT values cannot be read via SNMP because the MIBs do not exist, so you cannot access that information.
Workaround:
None.
Fixed Versions:
13.1.3, 14.1.2, 15.0.1
757279 : LDAP authenticated Firewall Manager role cannot edit firewall policies
Links to More Info: BT757279
Component: Advanced Firewall Manager
Symptoms:
The system posts the following message when an LDAP-authenticated user with the Firewall Manager role creates or modifies a firewall policy with rules, or upgrades an existing firewall policy:
User does not have modify access to object (fw_uuid_config).
Conditions:
-- Log in using an account with the Firewall Manager role.
-- Create or modify a firewall policy with rules, or upgrade an existing firewall policy.
Impact:
Firewall modification operations fail with the 'modify access to object (fw_uuid_config)' error.
Workaround:
None.
Fix:
Users with the Firewall Manager role can now edit firewall policies.
Fixed Versions:
13.1.1.5, 14.1.2.8, 15.1.0.5
757088-3 : TMM clock advances and cluster failover happens during webroot db nightly updates
Links to More Info: BT757088
Component: Traffic Classification Engine
Symptoms:
Webroot database mapping and unmapping takes a very long time on TMM, so you might see clock advances occur. The long interval might result in a failover/state transition in a clustered environment.
Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.
Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.
Workaround:
You can avoid this issue by disabling BrightCloud updates; however, your environment will miss the latest database updates as a result.
#vi /etc/wr_urldbd/bcsdk.cfg
DoBcap=true
DoRtu=false
DownloadDatabase=false
Fix:
Mapping/unmapping the database is now done asynchronously and the delay is reduced, so the CDP failover no longer happens.
Fixed Versions:
12.1.5, 13.1.1.5, 14.1.0.5
756820-1 : Non-UTF8 characters returned from /bin/createmanifest
Links to More Info: BT756820
Component: TMOS
Symptoms:
/bin/createmanifest reads values stored in mcpd for items that are obtained from firmware. These might contain non-UTF8 characters. This program is called by qkview, whose output is then uploaded to iHealth. If any non-UTF8 character is present, the output is omitted (because XML cannot handle non-UTF8 characters).
Conditions:
Data stored in mcpd that was obtained from firmware contains non-UTF8 characters.
Impact:
The upload to iHealth will not contain any of the manifest data set obtained via createmanifest.
Workaround:
The values can be obtained from the qkview by reading qkview_run.data, but the convenience of viewing them in iHealth is lost.
Fix:
The corrected program converts any non-UTF8 character into '%xx', thus outputting compliant UTF8 strings. These satisfy the XML requirement, and the modified string can be uploaded to iHealth (where the non-UTF8 characters can be examined as hexadecimal values).
Fixed Versions:
13.1.4.1
756595-2 : Traffic redirection to an internal virtual server may fail.
Links to More Info: BT756595
Component: Policy Enforcement Manager
Symptoms:
Traffic sent by a first virtual server to a second internal virtual server may fail.
Traffic is silently dropped.
Conditions:
One of the following configurations:
- A virtual server configured with a pem policy rule that targets an internal radius virtual server that sends traffic statistics to a radius server.
- A virtual server configured with an iRule that opens a sideband connection to a second internal virtual server using the iRule command "connect".
- A virtual server configured with an iRule that forwards traffic to a second internal virtual server using the iRule command "virtual", where the second virtual server performs source address translation with an LSN pool or with AFM NAT.
Impact:
The traffic sent to the internal virtual server is silently dropped.
Workaround:
Avoid using a PEM policy rule that targets an internal radius virtual server.
Avoid traffic forwarding to an internal virtual server with the iRule commands "connect" or "virtual".
Fix:
The traffic is now successfully sent or redirected to the internal virtual server without any drops.
Fixed Versions:
13.1.5
756538-1 : Failure to open data channel for active FTP connections mirrored across an high availability (HA) pair.
756494-1 : For in-tmm monitoring: multiple instances of the same agent are running on the Standby device
Links to More Info: BT756494
Component: Local Traffic Manager
Symptoms:
The standby device is sending monitor requests at a more frequent interval than what is configured.
Conditions:
-- In-tmm monitoring configured.
-- High availability (HA) configured.
There is no known way to reliably reproduce this, and it does not occur every time.
Impact:
Multiple instances of in-tmm monitoring may be created and the BIG-IP device may be sending monitoring traffic more frequently than what is configured.
Workaround:
Reboot the BIG-IP system.
Fix:
Fixed an issue causing multiple monitoring instances to be created.
Fixed Versions:
13.1.3.4, 14.1.2.7
756470-3 : Additional logging added to detect when monitoring operations in the configuration exceed capabilities.
Links to More Info: BT756470
Component: Global Traffic Manager (DNS)
Symptoms:
GTM logs 'no reply from big3d: timed out' messages when the configuration results in more runtime monitoring operations than can be supported in a given environment, but the same message also appears in the log for other reasons.
Conditions:
The GTM configuration results in more runtime monitoring operations than can be supported in a given environment.
Impact:
It is not possible to detect when there are more runtime monitoring operations than can be supported in a given environment without enabling debug logging and performing a complex analysis of the resulting log files.
Workaround:
Enable debug logging and conduct a detailed analysis to determine if monitor requests are scheduled at the configured intervals.
Fix:
There is now a warning message that provides a much clearer indication of the condition:
The list processing time (14 seconds) exceeded the interval value. There may be too many monitor instances configured with a 7 second interval.
Fixed Versions:
13.1.3.4, 14.1.4.5
756450-2 : Traffic using route entry that's more specific than existing blackhole route can cause core
Links to More Info: BT756450
Component: Local Traffic Manager
Symptoms:
TMM asserts with the 'Attempting to free loopback interface' message.
Conditions:
- Using blackhole routes.
- Have a route entry that is more specific than the existing blackhole route.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use /32 blackhole routes.
Fix:
TMM no longer cores when using blackhole routes that are less specific than non-blackhole routes.
Fixed Versions:
11.6.5.1, 12.1.5, 13.1.3, 14.1.2.3
756402-1 : Re-transmitted IPsec packets can have garbled contents
Links to More Info: BT756402
Component: TMOS
Symptoms:
Before re-transmitting a packet, it is found to be garbled, mainly in the form of a physical length that no longer matches the logical length recorded inside the packet.
Conditions:
A possibly rare condition that might cause a packet to be freed while still in use.
Impact:
Likely a tunnel outage until the tunnel is re-established.
Workaround:
No workaround is known at this time.
Fix:
This release adds checksums to verify IPsec packets are not altered between first creation and later re-transmission.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
756311-1 : High CPU during erroneous deletion
Links to More Info: BT756311
Component: Policy Enforcement Manager
Symptoms:
The utilization of some CPU cores increases and remains high for a long time. Rebooting just one blade can cause the high CPU usage to move to another blade in the chassis.
There might be messages similar to the following in tmm logs:
-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.10.10%0-4a89723e; Instance ID mismatch ERR_OK for subscriber id 310012348494 with 10.1.10.10-0-4a8987ea.
-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.18.10%0-4a8b850c; Look up returned err ERR_OK for subscriber id 3101512411557
Conditions:
The exact conditions under which this occurs are not fully understood, but one way it can be triggered is when a single TMM is crashing on a chassis system.
Impact:
The CPU usage comes from an erroneous cleanup function that runs on a TMM only when it is not busy, so traffic is not expected to be significantly impacted. However, if the CPU usage does not subside, recovery may require a cluster-wide TMM restart. Traffic disrupted while tmm restarts.
Workaround:
Delete all subscribers from the CLI.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.2.1
756270-2 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
Links to More Info: BT756270
Component: Local Traffic Manager
Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for the CRL issuer.
Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.
Impact:
Handshake failure.
Workaround:
None.
Fix:
CRL signature verification now checks for the issuer among all certificates that have the same subject name as the CRL issuer.
Fixed Versions:
11.5.9, 11.6.4, 12.1.5, 13.1.1.5, 14.1.0.6
756205-3 : TMSTAT offbox statistics are not continuous
Links to More Info: BT756205
Component: Application Visibility and Reporting
Symptoms:
When BIG-IP systems are managed by BIG-IQ, the device health statistics have gaps (missing samples).
Conditions:
BIG-IP systems managed by BIG-IQ.
Impact:
Missing data on device health, such as CPU load and memory occupancy.
Workaround:
None.
Fix:
Functionality restored: BIG-IP systems now send all the data as expected.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
756153-2 : Add diskmonitor support for MySQL /var/lib/mysql
Links to More Info: BT756153
Component: TMOS
Symptoms:
If the disk partition /var/lib/mysql is filled to 100%, diskmonitor does not notify that the partition is nearly exhausted.
Conditions:
The disk partition /var/lib/mysql is filled to 100%.
Impact:
diskmonitor does not notify that disk partition /var/lib/mysql is nearly exhausted.
Workaround:
None.
Fixed Versions:
12.1.4.1, 13.1.3, 14.1.2.7
756102-3 : TMM can crash with core on ABORT signal due to non-responsive AVR code
Links to More Info: BT756102
Component: Application Visibility and Reporting
Symptoms:
ABORT signal is sent to TMM by SOD; TMM aborts with a core.
Conditions:
Non-responsive AVR code. No other special conditions.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
13.1.3.2, 14.1.0.6, 15.0.1.1
756094-3 : DNS express in restart loop, 'Error writing scratch database' in ltm log
Links to More Info: BT756094
Component: Global Traffic Manager (DNS)
Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd
Conditions:
An update to an SOA record (and only an SOA record) is received through an incremental zone transfer update (IXFR).
Impact:
Zone updates from the DNS master servers are not processed.
Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, run the following commands in sequence:
bigstart stop zxfrd
rm /shared/zxfrd/*
bigstart start zxfrd
Note: DNS express cannot serve DNS responses until the zone transfers have completed. For this reason, carry out this procedure on the standby device if possible.
Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.1.0.2
756088-1 : The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address
Links to More Info: BT756088
Component: TMOS
Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.
The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.
Conditions:
-- There are multiple virtual servers associated with a virtual address.
-- The virtual-address icmp-echo is set to 'all' or 'any'.
-- The virtual-address route-advertisement is set to 'all' or 'any'.
Impact:
The BIG-IP might respond incorrectly to ICMP echo requests sent to a virtual-address.
-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP may not respond correctly after a virtual-address availability change.
-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.
The BIG-IP might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.
Workaround:
None.
Fix:
The BIG-IP system now responds correctly to ICMP echo requests and correctly adds/removes dynamic routes to a virtual-address, as appropriate.
Fixed Versions:
13.1.1.5
756071-1 : MCPD crash
Links to More Info: BT756071
Component: TMOS
Symptoms:
mcpd crashes on out of memory.
Conditions:
MCPD experiences a memory leak under one of the following conditions:
- A tmsh command such as the following is run:
tmsh reset-stats ltm virtual
- The ASM or AVR module is provisioned.
In both circumstances, the 'cur_allocs' value for one of MCPD's internal memory allocation types steadily increases and becomes very high (e.g., millions), as shown by:
tmctl -I --select cur_allocs memory_stat program=mcpd name=umem_alloc_40
Impact:
MCPD can run out of memory and crash. Traffic disrupted while mcpd restarts.
Workaround:
None.
Fix:
A memory leak that occurred in the MCPD process has been fixed.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
755976-1 : ZebOS might miss kernel routes after mcpd daemon restart
Links to More Info: BT755976
Component: TMOS
Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of the kernel routes (virtual addresses).
One of the most common scenarios is a device reboot.
Conditions:
-- Dynamic routing is configured.
-- A virtual address is created with Route Advertisement configured; the resulting kernel route can be listed with:
imish -e 'sh ip route kernel'
-- The mcpd daemon is restarted or the device is rebooted.
Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.
Workaround:
There are several workarounds; here are two:
-- Restart the tmrouted daemon:
bigstart restart tmrouted
-- Recreate the affected virtual address.
Fix:
The kernel route is now present in the ZebOS routing table after an mcpd daemon restart.
Fixed Versions:
13.1.5
755854-1 : TMM crash due to missing classification category
Links to More Info: BT755854
Component: Traffic Classification Engine
Symptoms:
TMM crashes when the 'Thin_Client' category is used. The tmm2 log contains messages such as:
-- notice panic: ../modules/hudfilter/gpa/gpa_config.c:507: Assertion "Category does not exist" failed.
Conditions:
-- TMM is configured for debug mode (which might occur in cases described in K11490: Configuring the Traffic Management Microkernel to use debug mode :: https://support.f5.com/csp/article/K11490).
-- There is a classification configured with a category that does not exist.
Impact:
TMM restart loop. Traffic disrupted while tmm restarts.
Workaround:
Change the classification category to one that exists so that tmm.debug can load.
Fix:
TMM no longer crashes with the 'Thin_Client' category.
Fixed Versions:
13.1.3.6
755727-3 : Ephemeral pool members not created after DNS flap and address record changes
Links to More Info: BT755727
Component: Local Traffic Manager
Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.
Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.
Conditions:
This issue may occur under rare timing conditions when the following factors are present:
-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.
Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.
Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:
1. Restart the dynconfd daemon:
bigstart restart dynconfd
2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }
To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.
Fixed Versions:
12.1.5.2, 13.1.3.2, 14.1.2.5, 15.0.1.3
755585-3 : mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction
Links to More Info: BT755585
Component: Local Traffic Manager
Symptoms:
On a VIPRION cluster, if a single transaction creates a policy with the name Drafts/NAME, publishes the policy, and attaches the policy to a virtual server, mcpd restarts on the secondary blades.
Conditions:
-- VIPRION chassis with more than one blade.
-- Single mcp transaction that:
* Creates a policy with 'Drafts/' as part of the policy name.
* Publishes that policy.
* Attaches that policy to a virtual server, either in the same transaction or a later transaction.
Impact:
mcpd restarts on all secondary blades of a cluster.
Workaround:
You can use either of the following workarounds:
-- Do not create policies with 'Drafts/' in the name.
-- Do not create and publish a policy in the same transaction.
Fixed Versions:
13.1.3, 14.1.2.1
755507-3 : [App Tunnel] 'URI sanitization' error
Links to More Info: BT755507
Component: Access Policy Manager
Symptoms:
URI sanitization error with app tunnel (application tunnel). The system posts messages similar to the following:
-- APM log: warning tmm[19703]: 01490586:4: /Common/AP-AD:Common:ff776e4a: Invalid Resource Access For RESOURCENAME. RST due to URI sanitization
-- LTM log: err tmm[19703]: 01230140:3: RST sent from 10.0.0.1:80 to 10.0.0.1:228, [0x2263e2c:7382] Unrecognized resource access (RESOURCENAME)
Conditions:
Access Policy that includes a 'Logon Page' and 'Advanced Resource Assign' (full webtop and app tunnel).
Impact:
APM does not send a response after receiving a request to 'GET /vdesk/resource_app_tunnels_info.xml'.
Workaround:
None.
Fixed Versions:
12.1.5, 13.1.1.5, 14.0.0.5
755475-3 : Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync
Links to More Info: BT755475
Component: Access Policy Manager
Symptoms:
After making changes to a logon page agent field, performing a config sync to another device, and opening the logon agent in the VPE on the sync target device, an error occurs. Although this problem is described for the logon page agent, it applies to any agent that is tied to a customization group.
Conditions:
1. Form a failover device group with two devices.
2. On one device, create an access policy with a logon page agent. Initiate a config sync to sync the policy to the other device. Verify everything is correct on the target device (specifically: open the VPE for the policy, confirm the Logon Page agent is in the policy, click the agent, and the edit box appears without issue).
3. On the source device, launch the VPE for the policy, click the Logon Page agent, and make changes to the agent (e.g., choose the 'password' type for field3). Save the change and perform a config sync again.
4. Go to the target device, open the VPE for the policy, and click the Logon Page agent in the policy.
Impact:
Config is not synced properly to another device in the device group.
Workaround:
- Workaround 1:
Step 1. On the Standby (where the problem happens): delete the policy in question.
Step 2. On the Active: modify the access policy and sync it.
* Problem with this workaround: sometimes you cannot properly delete the access policy in question on the standby (because the customization is corrupted, some related config deletion fails).
- Workaround 2:
Step 1. On the Standby (where the problem happens): try to open the access policy item using the VPE. The error shows the exact location of the file that is missing, for example:
"An error 'customization::getMessages: Unable to get xml dom from /config/filestore/files_d/Common_d/customization_group_d/:Common:MyAccessPolicy_act_logon_page_ag_5678_4' has occured on server... Dialogue loading has failed."
Step 2. On the Standby: copy that exact file from the active unit to the standby unit, and change the ownership, group, and permission flags of the file so that they match the active unit.
Fix:
After a user updates a logon page field in the logon agent editing dialog and performs a config sync, the target device now receives a configuration identical to the source device's.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
755197-1 : UCS creation might fail during frequent config save transactions
Links to More Info: BT755197
Component: TMOS
Symptoms:
If 'tmsh save sys config' is run simultaneously with 'tmsh save sys ucs <file>', a race condition is possible in which a file is scheduled to be added to the UCS archive but is deleted by the save-config before it is actually saved.
Conditions:
-- Run 'save sys config' at the same time as 'save sys ucs <file>' in tmsh.
-- Files are being added by one tmsh command yet deleted by the other. For example, a file that has not been saved to the configuration is deleted while the system is trying to create a UCS that contains that to-be-deleted file.
Note: There are many operations in which 'save sys config' is performed internally, so running the 'save sys ucs <file>' operation might encounter the timing error any time, even when you are not manually running 'save sys config'.
Impact:
The UCS is not created, and system posts messages similar to the following:
-- config/bigip_base.conf/: Cannot stat: No such file or directory.
-- Exiting with failure status due to previous errors.
-- Operation aborted.
This is a rare, timing-related occurrence. Even though the 'save sys ucs <file>' aborts and logs errors, simply re-running the command is likely to succeed.
Workaround:
Re-run the 'save sys ucs <file>' after it aborts. Nothing else needs to be changed or restored.
Fix:
The race condition is avoided, and 'save sys ucs <file>' now succeeds even when files are removed by a concurrent 'save sys config'.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2
755018-4 : Egress traffic processing may be stopped on one or more VE trunk interfaces
Links to More Info: BT755018
Component: TMOS
Symptoms:
Trunk interface members might be missing from tmm on BIG-IP Virtual Edition (VE).
Conditions:
-- Using trunks on VE.
-- May happen after a TMM restart, or after interface link states change.
Impact:
No egress traffic processing on one or more interfaces of a VE trunk.
Workaround:
Modify an attribute of the trunk and then return it to its previous value, for example:
# tmsh modify net trunk <trunk name> link-select-policy maximum-bandwidth
# tmsh modify net trunk <trunk name> link-select-policy auto
Fix:
Traffic is processed on all trunk interfaces.
Fixed Versions:
13.1.3.2, 14.1.2.7, 15.0.1.1
755005-3 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
Links to More Info: BT755005
Component: Application Security Manager
Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.
Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.
Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.
Workaround:
None.
Fix:
Correct templates are now used for Illegal Request Length and Illegal Query String Length violations, so the correct titles show.
Fixed Versions:
12.1.5.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
754971-1 : OSPF inter-process redistribution might break OSPF route redistribution of various types.
Links to More Info: BT754971
Component: TMOS
Symptoms:
Enabling inter-process OSPF route redistribution might cause overall problems with OSPF route redistribution.
Conditions:
OSPF is configured with inter-process OSPF route redistribution, for example:
router ospf
network 0.0.0.0/0 area 0
redistribute kernel
redistribute ospf 1234 <--- !
Impact:
Routes might not be redistributed and will not be present in the OSPF database. This affects all redistribution types (kernel, static, etc.).
Workaround:
Do not use inter-process OSPF route redistribution.
Fix:
Inter-process OSPF route redistribution is working properly.
Fixed Versions:
13.1.3.5, 14.1.3.1
754901-3 : Frequent zone update notifications may cause TMM to restart
Links to More Info: BT754901
Component: Global Traffic Manager (DNS)
Symptoms:
When there are frequent zone update notifications, the watchdog for TMM may trip and TMM crashes and restarts. There may also be 'clock advanced' messages in /var/log/ltm.
Conditions:
- Using DNS express.
- DNS zone with allow notify.
- Frequent zone NOTIFY messages resulting in zone transfers.
Impact:
TMM restarts, potentially failing or impacting services. Traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
Frequent zone update notifications no longer cause TMM to restart.
Fixed Versions:
13.1.3, 14.1.2.5
754658-1 : Improved matching of response messages uses end-to-end ID
Links to More Info: BT754658
Component: Service Provider
Symptoms:
Some responses incorrectly match requests when their hop-by-hop IDs match. This causes the response to be dropped.
Conditions:
Matching hop-by-hop ID.
Impact:
Responses rarely match the wrong request, but when they do, they will be dropped.
Workaround:
None.
Fix:
Responses are now matched to requests using end-to-end ID as well as hop-by-hop ID. There should be no more incorrect matches.
Fixed Versions:
13.1.3.4, 14.1.2.7
754617-1 : iRule 'DIAMETER::avp read' command does not work with 'source' option
Links to More Info: BT754617
Component: Service Provider
Symptoms:
Configuring a 'source' option with the iRule 'DIAMETER::avp read' command does not work.
The operation posts a TCL error in /var/log/ltm logs:
err tmm3[11998]: 01220001:3: TCL error: /Common/part1 <MR_INGRESS> - Illegal value (line 1) error Illegal value invoked from within "DIAMETER::avp read 444 source [DIAMETER::avp data get 443 grouped]".
Conditions:
Using the 'DIAMETER::avp read' iRule command with a 'source' option.
Impact:
'DIAMETER::avp read' does not work with the 'source' option.
Workaround:
Use 'DIAMETER::avp data get' with the 'source' option, and re-create the header part when needed.
Fixed Versions:
13.1.3.4, 14.1.2.7
754567 : Child clientSSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file
Links to More Info: BT754567
Component: TMOS
Symptoms:
Child client SSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file used by the profile.
Conditions:
The issue is seen intermittently when all of the following conditions are met.
-- The client SSL profile is a child client SSL profile, i.e., it has a parent client SSL profile.
-- The child and the parent profile are using the same certificate.
-- The certificate file is updated, for example, by using a command similar to the following:
tmsh modify sys file ssl-cert child.crt { source-path file:///config/ssl/ssl.crt/default.crt app-service none cert-validation-options { } issuer-cert none }
Impact:
The child client SSL profile may unexpectedly end up using a different cert-key-chain from its parent profile.
Workaround:
The inherit-certkeychain flag can be set only in the GUI location: Local Traffic :: Profiles : SSL : Client :: child_profile.
In the row 'Configuration: \ Certificate Key Chain', uncheck the checkbox on the right side. That sets inherit-certkeychain to true (or does not customize the cert-key-chain for the child profile). Once the box is unchecked, the Certificate Key Chain field appears greyed out and filled with parent profile's cert-key-chain.
Fix:
The child profile's inherit-certkeychain flag is no longer unexpectedly set to false after updating the certificate file.
Fixed Versions:
13.1.1.5
754542-4 : TMM may crash when using RADIUS Accounting agent
Links to More Info: BT754542
Component: Access Policy Manager
Symptoms:
TMM may crash when using RADIUS Accounting agent in either per-session or per-request policy.
Conditions:
- APM is provisioned and licensed.
- RADIUS Accounting agent is used in either per-session or per-request policy.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when RADIUS Accounting agent is used in the access policy.
Fixed Versions:
13.1.3, 14.1.0.6
754365-3 : Updated flags for countries that changed their flags since 2010
Links to More Info: BT754365
Component: Application Security Manager
Symptoms:
Old flags for countries that changed their flags since 2010.
Conditions:
Requests from one of the following countries:
-- Myanmar
-- Iraq
-- Libya
Impact:
Old flag is shown.
Workaround:
None.
Fix:
The three flags are now updated in ASM.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
754349 : FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4
Links to More Info: BT754349
Component: Local Traffic Manager
Symptoms:
FTP uploads that are offloaded on both sides drop after the idle timeout period, even though data is flowing.
Conditions:
-- FTP virtual server set up with a standard profile and FastL4 offloading.
-- Attempt a file upload to the virtual server where both client and server side of the data channel are offloaded.
Impact:
Dropped connections; data loss.
Workaround:
You can do either of the following:
-- Enable Inherit Parent Profile on the FTP profile.
-- Turn off FastL4 offloading.
Fix:
-- FTP connections to virtual servers no longer drop when both sides of data channel are offloaded via FastL4.
-- The output of the following command displays the correct acceleration state: tmsh show sys conn all-properties.
Fixed Versions:
13.1.3, 14.0.1.1
754346-1 : Access policy was not found while creating configuration snapshot.
Links to More Info: BT754346
Component: Access Policy Manager
Symptoms:
APMD fails to create configuration snapshot with the following error:
-- err apmd[16675]: 01490000:3: AccessPolicyProcessor/AccessPolicyProcessor.cpp func: "dispatchEvent()" line: 1195 Msg: EXCEPTION AccessPolicyProcessor/ProfileAccess.cpp line:234 function: snapshotConfigVariables - AccessPolicy ("/Common/myPolicy") not found while creating configuration snapshot!!!!
If you attempt to modify the policy in question, the system reports a second error:
-- err apmd[16675]: 01490089:3: 00000000: Configuration change notification received for an unknown access profile: /Common/myPolicy
Conditions:
TMM restarts and a new access policy is added before TMM is fully up and running.
Impact:
Configuration snapshot is not created, and users cannot log on.
Workaround:
Recreate the access profile when TMM is stable.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
754330-1 : Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected
Links to More Info: BT754330
Component: Application Visibility and Reporting
Symptoms:
Monpd attempts to load a batch of CSV files that exceed the partition threshold. This might cause Monpd to falsely detect a corrupted database.
Conditions:
-- Monpd is down for a given interval, and needs to load a batch of CSV files.
-- Monpd gets lower priority for CPU and does not manage to load the CSV files within a specific timeframe.
-- Some of the reports are more demanding than others, and create CSV files more often, which makes it harder for Monpd to load efficiently.
Impact:
Stats for AVR might not be loaded to the database within an expected interval.
Workaround:
None.
Fix:
Monpd now checks whether a new partition is required after each CSV file load. When needed, it creates one and aggregates data in the database to avoid this issue.
Fixed Versions:
13.1.1.5
754143-2 : TCP connection may hang after FIN
Links to More Info: K45456231 , BT754143
Component: Local Traffic Manager
Symptoms:
TCP connections hang. Memory usage increases. TMM restarts.
Numerous hanging connections reported similar to the following:
-- config # tmsh show sys conn protocol tcp
Sys::Connections
10.0.0.1:5854 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5847 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5890 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5855 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5891 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
Conditions:
Pool member fails to respond with an ACK to BIG-IP system serverside FIN (or sends a RST in response to the BIG-IP system's FIN).
Impact:
The BIG-IP system serverside connection eventually times out, and the clientside connection is orphaned.
Those clientside connections hang indefinitely (even past the idle timeout). BIG-IP system memory increases, eventually leading to a possible TMM out-of-memory condition, requiring a TMM restart. Traffic disrupted while tmm restarts.
Workaround:
To delete the orphaned connections, you must restart the Traffic Management Microkernel (TMM) or restart the BIG-IP system. To restart the BIG-IP system, you can use either of the following procedures:
Impact of either workaround: Service will be interrupted. If configured for high availability (HA), the BIG-IP system fails over to another device in the device group.
Rebooting the BIG-IP system
===========================
1. Log in to the Advanced Shell (bash).
2. To restart the system, type the following command:
reboot
Restarting all blades on a VIPRION system
=========================================
1. Log in to bash.
2. To restart all the blades on the VIPRION system, type the following command:
clsh shutdown -r now
Fix:
TCP connections no longer hang under these conditions.
Fixed Versions:
13.1.4.1, 14.1.0.2
754132-3 : An NLRI with default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command
Links to More Info: BT754132
Component: TMOS
Symptoms:
A default route is not propagated in Network Layer Reachability Information (NLRI) by the routing framework on the command 'clear ip bgp <neighbor router-id> soft out'.
-- Enter the imish (Integrated Management Interface) shell.
[root@hostname:Active:Standalone] config # imish
hostname[0]>
-- Issue a command inside imish. 10.0.0.4 is the neighbor's BGP router-id.
hostname[0]>clear ip bgp 10.0.0.4 soft out
Conditions:
-- There is a BIG-IP system with the following routing configuration:
imish output:
hostname[0]#sh run
!
no service password-encryption
!
interface lo
!
... <skip other default information, like interfaces.>
!
router bgp 1
bgp router-id 10.17.0.3
bgp graceful-restart restart-time 120
neighbor 10.17.0.4 remote-as 1
!
-- There is a default route, which is advertised by this BGP configuration. Here is one way to check it:
hostname[0]:sh ip ospf database
... <skip less important info>
AS External Link States
Link ID ADV Router Age Seq# CkSum Route Tag
0.0.0.0 10.17.0.3 273 0x80000002 0x5c4e E2 0.0.0.0/0 0
The 'clear ip bgp 10.17.0.4 soft out' command is issued, and no NLRI with a default route is generated. You can confirm this by running tcpdump and reading the generated Link-state advertisement (LSA) messages, or by watching the OSPF debug logs.
Note: The source from which you gather the default route and advertise it to the neighbors does not matter. It might be the usual BGP route learned from another router, a locally created route, or it might be configured by 'neighbor <neighbor router-id> default-originate'.
Impact:
A default-route is not propagated in NLRI by 'soft out' request, even with default-originate configured.
Workaround:
There is no specific workaround for the 'clear ip bgp <neighbor router-id> soft out' command, but if you want to make the routing protocol propagate an NLRI with a default route, you can do either of the following:
-- Remove the default route from the advertised routes. This workaround is configuration-specific, so there are no common steps.
+ If you have default-originate configured for your neighbor, then delete that part of the configuration and re-add it.
+ If you create a default route as a static route, recreate it.
+ And so on.
The idea is to remove a root of default route generation and then add it back.
-- Run a 'soft in' command from your neighbor. If the neighbor you want to propagate an NLRI to is a BIG-IP device, or is capable of running this type of command, you can issue an imish command on the neighbor:
# neighbor-hostname[0]: clear ip bgp <neighbor router-id> soft in
Note: This time, the 'soft in' command requests the NLRIs.
Fix:
An NLRI with default route information is successfully propagated on the 'clear ip bgp <neighbor router-id> soft out' command.
Fixed Versions:
13.1.3.6, 14.1.4
754109-3 : ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive
Links to More Info: BT754109
Component: Application Security Manager
Symptoms:
When the backend server sends a content-security-policy header in which the script-src and default-src directives are missing, ASM modifies the header when it performs its own JavaScript injection, which might cause a CSP violation for inline JavaScript code.
Conditions:
-- ASM provisioned.
-- ASM or Bot-Defense/DoS attached on a virtual server.
-- ASM or Bot/Dos does inline injections, like CSRF/CSHUI.
Impact:
Inline JavaScript does not run. The Browser reports a content-security-policy violation.
Workaround:
You can use either of the following workarounds:
-- Disable csp in ASM by running the following commands:
/usr/share/ts/bin/add_del_internal add csp_enabled 0
bigstart restart asm
-- Disable csp in Bot/DoS using an iRule that saves the server's header and restores it after injection:
when HTTP_REQUEST {
    set csp 0
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Content-Security-Policy] } {
        set csp "[HTTP::header values Content-Security-Policy]"
    }
}
when HTTP_RESPONSE_RELEASE {
    if { $csp != 0 } {
        HTTP::header replace Content-Security-Policy $csp
    }
    set csp 0
}
Fix:
ASM/Bot/DoSL7 no longer modifies the csp header when both the script-src and default-src directives are missing.
Fixed Versions:
13.1.3.4, 14.1.2.3
754003-1 : Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate
Links to More Info: K73202036 , BT754003
Component: Local Traffic Manager
Symptoms:
For more information please see: https://support.f5.com/csp/article/K73202036
Conditions:
For more information please see: https://support.f5.com/csp/article/K73202036
Impact:
For more information please see: https://support.f5.com/csp/article/K73202036
Workaround:
None.
Fix:
For more information please see: https://support.f5.com/csp/article/K73202036
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.3
753912 : UDP flows may not be swept
Links to More Info: K44385170 , BT753912
Component: Local Traffic Manager
Symptoms:
Some UDP connection flows do not show in the connection table but do show up in stats. This might occur when datagram_lb mode is enabled on the UDP profile under heavy load.
Conditions:
-- UDP profile with datagram_lb mode enabled.
-- System under heavy load.
Impact:
Increased memory utilization of TMM.
Workaround:
None.
Fix:
The system now correctly manages all expired flows.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
753893-1 : Inconsistent validation for firewall address-list's nested address-list causes load failure
Links to More Info: BT753893
Component: Advanced Firewall Manager
Symptoms:
Inconsistent validation for a firewall address-list's nested address-lists causes load failure. The operation validates 'addresses' in the address-list but misses the case where an address-list nested in the address-list is modified. The system posts a message similar to the following:
01071a5a:3: Cannot configure mix of IPv4 and IPv6 address(es) in this object.
Unexpected Error: Loading configuration process failed.
Conditions:
-- Modify an address-list's address-lists to contain mixed IPv4 and IPv6 addresses.
-- Save the configuration.
-- Load the configuration.
Impact:
Missing validation for nested address-list modification allows an invalid configuration to be specified and saved into bigip*.conf, which causes load failure.
Note: This might cause upgrade from v12.1.x to fail when the configuration contains a mix of IPv4 and IPv6 within an address-list.
Workaround:
Edit the bigip*.conf file to remove the mix of IPv4 and IPv6 addresses in the nested address-lists.
Fix:
This release adds validation of nested address-lists to check that all IP addresses are in the same address family.
Fixed Versions:
13.1.1.5
753860-1 : Virtual server config changes causing incorrect route injection.
Links to More Info: BT753860
Component: TMOS
Symptoms:
Updating the virtual server to use a different virtual address (VADDR) does not work as expected. The route for the old VADDR should be removed and a route for the new virtual address injected. Instead, incorrect routes are injected into the routing protocols.
Conditions:
-- Change the VADDR on a virtual server.
-- Set route-advertisement on both VADDRs.
Impact:
Incorrect routes are injected into routing protocols.
Workaround:
None.
Fixed Versions:
13.1.3.4, 14.1.2.7
753821-1 : 'TCP RST from remote system' messages logged if GTM/DNS is licensed but not provisioned
Links to More Info: BT753821
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM/DNS is licensed but not provisioned, there are potentially numerous reset messages every 10 seconds in the gtm/logs:
err tmm[29412]: 01230140:3: RST sent from <IP-address:port> to <IP-address:port>, [n] TCP RST from remote system
Conditions:
GTM/DNS is licensed but not provisioned.
Impact:
A message is logged in gtm/logs. This is an informational message, and can be safely ignored.
Workaround:
None.
Fix:
The tmm process no longer attempts to connect to gtmd if GTM/DNS is not provisioned, so this message no longer occurs.
Fixed Versions:
13.1.5
753805-1 : BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.
Links to More Info: BT753805
Component: Local Traffic Manager
Symptoms:
After failover, the virtual server takes longer than expected to become available.
Conditions:
-- There is a configuration difference in the pool members before and after the configuration synchronization.
-- Probe status is also different.
Impact:
Virtual server takes longer than expected to become available.
Workaround:
Run full sync (force-full-load-push) from the active BIG-IP system to solve this issue.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.3.1
753796-2 : SNMP does not follow best security practices
Links to More Info: K40443301
753790 : Allow 'DIAMETER::persist reset' command in EGRESS events
Links to More Info: BT753790
Component: Service Provider
Symptoms:
The 'DIAMETER::persist reset' command is not allowed in EGRESS events; it is blocked by validation.
Conditions:
In an iRule, attempt to use 'DIAMETER::persist reset' in an EGRESS event for DIAMETER.
Impact:
Unable to reset persistence records on an EGRESS event in DIAMETER through iRules.
Workaround:
None.
Fix:
Fixed iRule validation to allow 'DIAMETER::persist reset' on EGRESS events for DIAMETER.
Fixed Versions:
13.1.3.4
753715-3 : False positive JSON max array length violation
Links to More Info: BT753715
Component: Application Security Manager
Symptoms:
False-positive JSON max array length violation is reported.
Conditions:
-- JSON profile is used.
-- The violation is reported for a non-array value under certain conditions.
Impact:
The system reports a false-positive violation.
Workaround:
None.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1
753650 : The BIG-IP system reports frequent kernel page allocation failures.
Links to More Info: BT753650
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:
swapper/16: page allocation failure: order:2, mode:0x104020
After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This issue is known to occur on the following VIPRION blade models:
- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)
Note that the issue is known to occur regardless of whether the system is running in vCMP mode, and regardless of whether the system is Active or Standby.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommended to increase it as follows:
-- 64 MB (65536 KB) for B2250 blades
-- 48 MB (49152 KB) for B4300 blades
-- 128 MB (131072 KB) for B4450 blades
-- 96 MB (98304 KB) for B4340N blades
You must do this on each blade installed in the system.
When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
Fix:
The BIG-IP system no longer experiences kernel page allocation failures on the following blades:
- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
Important: This fix does not eliminate the issue on B4450 (A114) blades. ID950849 tracks the issue on that blade :: https://cdn.f5.com/product/bugtracker/ID950849.html.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
753594-3 : In-TMM monitors may have duplicate instances or stop monitoring
Links to More Info: BT753594
Component: Local Traffic Manager
Symptoms:
Most monitored resources (such as pools) report messages similar to the following:
Availability : unknown
Reason : The children pool member(s) either don't have service checking enabled, or service check results are not available yet.
A fraction of the monitored resources report the correct status based on the state of the resource.
Enabling bigdlog may show messages containing 'tmm_mid=x:0' (where x can be a value such as 0, 1, 2, etc.); for example, it is tmm_mid=1:0 in the following message:
[0][11288] 2019-03-08 10:03:04.608: ID 10859 :(_do_ping): post ping, status=UNKNOWN [ tmm?=true td=true tr=false tmm_mid=1:0 addr=::ffff:1.2.37.44:443 mon=/Common/https fd=-1 pend=0 #conn=0 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 next_ping=[1552068189.684126][2019-03-08 10:03:09] last_ping=[1552068184.684909][2019-03-08 10:03:04] deadline=[1552067610.048558][2019-03-08 09:53:30] on_service_list=True snd_cnt=119 rcv_cnt=0 ]
The following error might appear in /var/log/ltm:
-- failed to handle TMA_MSG_DELETE message: MID 0, error TMA_ERR_INVALID_MID(Monitor ID is invalid or unused)
Conditions:
-- Configure In-TMM monitoring with a sufficiently large number of monitored objects.
-- Modify monitors while pool members are in an offline state or perform rapid modification of In-TMM monitors.
Impact:
Some monitors may be executed multiple times per configured interval on a resource, and some monitors may not be executed at all against resources.
Workaround:
Switch to traditional bigd monitoring instead of In-TMM:
tmsh modify sys db bigd.tmm value disable
Fix:
Rapid modification of in-TMM monitors no longer leaves old monitor instances behind.
Fixed Versions:
13.1.3, 14.1.3.1
753514-1 : Large configurations containing LTM Policies load slowly
Links to More Info: BT753514
Component: Local Traffic Manager
Symptoms:
Very slow performance when loading a configuration, for example, at system start up. During this time, the tmsh process shows high CPU usage.
Conditions:
BIG-IP 13.1.x, 14.x. Large configuration (1 MB or larger) with at least one, but more likely tens or hundreds of, LTM policies defined in the configuration.
Impact:
Slow configuration loading, or in cases with very large configurations, full config load may fail after a long wait. Slowness increases with overall configuration size and number of LTM policies defined.
Workaround:
None.
Fix:
Large configurations containing LTM Policies load normally.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.2.3
753485-2 : AVR global settings are being overridden by high availability (HA) peers
Links to More Info: K50285521 , BT753485
Component: Application Visibility and Reporting
Symptoms:
Configuration of AVR global settings is being overridden by high availability (HA) peers, so the systems report incorrectly to BIG-IQ Data Collection Devices (DCDs).
Conditions:
Configuring HA for systems connected to BIG-IQ.
Impact:
Configuration of BIG-IP systems in HA configuration can override each other. This might result in the following behavior:
-- A common symptom is that the 'Stats Last Collection Date' shows up as Dec 31, 1969 or Jan 01, 1970, depending on the timezone configuration of the device.
-- The 'Stats Last Collection Date' shows up as '--'.
-- The BIG-IP systems incorrectly identify themselves to BIG-IQ.
-- The BIG-IP systems report to the wrong DCD.
-- The BIG-IP systems report to DCD, even if they are not configured to report at all.
-- The BIG-IP systems do not report at all, even if they are configured to report.
Note: This bug is tightly related to BIG-IQ Bug ID 757423.
Workaround:
Refer to the procedure in K50285521: BIG-IQ system may cause out-of-sync condition between the managed BIG-IP HA pair
:: https://support.f5.com/csp/article/K50285521.
Fix:
Synchronization of the relevant fields in AVR global settings is disabled, so this issue no longer occurs.
Fixed Versions:
13.1.3, 14.1.2, 15.0.1
753446-1 : avrd process crash during shutdown if connected to BIG-IQ
Links to More Info: BT753446
Component: Application Visibility and Reporting
Symptoms:
During shutdown of BIG-IP, if it is connected to BIG-IQ then avrd might crash.
Conditions:
BIG-IP is set to shutdown and configured to send statistics to BIG-IQ.
Impact:
No serious impact: the BIG-IP system has already been instructed to shut down, so the process crash causes no damage.
Workaround:
N/A
Fix:
avrd no longer crashes during shutdown.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.2
753370-1 : RADIUS auth might not work as configured when the RADIUS auth configuration name is changed.
Links to More Info: BT753370
Component: Access Policy Manager
Symptoms:
RADIUS auth might not work as configured when the RADIUS auth configuration name is changed. You might also see an error:
err apmd[14182]: 01490108:3: /Common/:Common:cc55b9e2: RADIUS module: authentication with 'testuser@example' failed: no response from server (0).
Conditions:
In an LTM pool that uses APM AAA RADIUS to authenticate, change (modify/delete) the name of the RADIUS authentication server in config file.
Impact:
When using the tmm.default version, MCP error messages in the tmm logs intermittently indicate that the RADIUS server cannot be found, and RADIUS authentication does not work as expected.
Workaround:
None.
Fixed Versions:
13.1.3, 14.0.0.5, 14.1.0.6
753368 : Unable to import access policy with pool
Links to More Info: BT753368
Component: Access Policy Manager
Symptoms:
If your exported policy contains a pool object (e.g., an Active Directory (AD) or LDAP Auth object), importing that policy fails.
Conditions:
-- Exported policy contains a pool.
-- Attempt to import that policy.
Impact:
Unable to import certain configurations.
Workaround:
None.
Fix:
Policies with pools are imported successfully.
Fixed Versions:
13.1.1.4
753163-2 : PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days
Links to More Info: BT753163
Component: Policy Enforcement Manager
Symptoms:
No connection request to PCRF/OCS if high availability (HA) failover occurs after 26 days. TMM crashes.
Conditions:
-- Using PEM.
-- High availability (HA) failover occurs after 26 days.
Impact:
PEM does not send the reconnect request within the configured reconnect interval, so no connection is initiated with PCRF/OCS.
Workaround:
To re-establish the connection, restart tmm using the following command:
tmm restart
Note: Traffic disrupted while tmm restarts.
Fix:
PEM now initiates the connection with PCRF/OCS under these conditions.
Fixed Versions:
13.1.3, 14.1.2.1
753028-1 : AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule
Links to More Info: BT753028
Component: Advanced Firewall Manager
Symptoms:
When Proxy ARP is enabled for destination addresses in an FW NAT rule performing destination NAT (static-nat/static-pat), forwarding ICMP traffic matching that rule is incorrectly dropped by AFM instead of being forwarded through the BIG-IP system.
Conditions:
-- Proxy ARP is enabled for destination addresses in an FW NAT rule.
-- The BIG-IP system (AFM) receives forwarding ICMP traffic for these (untranslated) destination addresses.
Impact:
Forwarding ICMP traffic is dropped by the BIG-IP system.
Workaround:
You can disable Proxy ARP functionality for FW NAT rules to cause the BIG-IP system (AFM) to handle forwarding ICMP traffic correctly and pass it through the system to the backend.
However, this causes the BIG-IP system to not respond to ARP requests anymore for destination addresses in such rules. As a further mitigation action, you can configure static ARP entries to handle this.
Fix:
The BIG-IP system (AFM) now correctly forwards ICMP traffic through to the backend when Proxy ARP is enabled on destination addresses in the matching FW NAT rule.
Fixed Versions:
13.1.1.4, 14.1.0.6
753014-1 : PEM iRule action with RULE_INIT event fails to attach to PEM policy
Links to More Info: BT753014
Component: Policy Enforcement Manager
Symptoms:
PEM iRule action with RULE_INIT event fails to attach to PEM policy.
Conditions:
Attaching PEM policy with PEM iRule action that contains a RULE_INIT event.
Impact:
PEM fails to update the new iRule action.
Workaround:
Force mcpd to reload the BIG-IP configuration.
To do so, follow the steps in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
Fix:
The system now continues processing PEM iRule actions if RULE_INIT event is present, so this issue no longer occurs.
Fixed Versions:
12.1.5.3, 13.1.3.2, 14.1.2.7
752930-1 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
Links to More Info: BT752930
Component: Local Traffic Manager
Symptoms:
Virtual Servers left in unknown state. Blade keeps restarting.
Conditions:
Change the default route domain (RD) of a partition with wildcard virtual servers.
Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop or mcpd process restarting loop.
Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.
2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:
# ssh slot2 bigstart stop
# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109
# save sys config
# clsh rm -f /var/db/mcpdb.bin
# ssh slot2 bigstart start
Note: This recovery method might have to be executed multiple times to restore a working setup.
Fixed Versions:
12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6
752835-3 : Mitigate mcpd out of memory error with auto-sync enabled.
Links to More Info: K46971044 , BT752835
Component: TMOS
Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it gets exponentially further behind due to the extra sync data, leading to the sending mcpd running out of memory and core dumping.
Conditions:
-- Auto-sync enabled in a high availability (HA) pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.
Impact:
Mcpd crashes.
Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.
Fix:
This is not a complete fix. It is still possible for mcpd to run out of memory due to a peer not processing sync messages quickly enough. It does, however, make it more difficult for this scenario to happen, so configuration changes with auto-sync on can be sent somewhat more quickly without crashing mcpd as often.
Fixed Versions:
11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
752822-3 : SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type
Links to More Info: BT752822
Component: Service Provider
Symptoms:
SIP ALG calls that fail translation during ingress are not cleaned up by the system, which might result in memory being leaked inside the TMM processes.
Conditions:
SIP ALG calls that fail translation during ingress.
Impact:
TMM leaks memory, which can slow down performance and eventually cause TMM to run out of memory and restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now cleans up SIP ALG calls that fail translation during ingress, so this issue no longer occurs.
Fixed Versions:
13.1.1.5, 14.0.1.1, 14.1.0.6
752803-2 : CLASSIFICATION_DETECTED running reject can lead to a tmm core
Links to More Info: BT752803
Component: Traffic Classification Engine
Symptoms:
When the CLASSIFICATION_DETECTED event is run on a serverside flow, and then an iRule command (e.g., to reject a flow) is run, tmm crashes.
Conditions:
-- CLASSIFICATION_DETECTED event runs on a serverside flow.
-- An iRule command runs (e.g., reject a flow).
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer crashes under these conditions.
Fixed Versions:
13.1.3, 14.1.0.6
752782-3 : 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'
Links to More Info: BT752782
Component: Fraud Protection Services
Symptoms:
The 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.
Conditions:
FPS Provisioning and a DataSafe license.
Impact:
The menu name has changed in this release.
Workaround:
None.
Fix:
'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.2
752592-2 : VMware Horizon PCoIP clients may fail to connect shortly after logout
Links to More Info: BT752592
Component: Access Policy Manager
Symptoms:
Sometimes, if a user closes an open PCoIP desktop, logs out, and then logs in again, the user cannot launch the same desktop anymore.
Conditions:
PCoIP UDP VS has "vdi" profile assigned.
Impact:
The user cannot open the PCoIP remote desktop for a short period of time (1 minute).
Workaround:
Remove "vdi" profile and assign "remotedesktop" profile to the PCoIP UDP VS:
# tmsh modify ltm virtual <PCoIP UDP VS> profiles delete { vdi }
# tmsh modify ltm virtual <PCoIP UDP VS> profiles add { remotedesktop }
In the admin UI, the assignment of the "remotedesktop" profile can be controlled via the "Application Tunnels (Java & Per-App VPN)" checkbox (directly under the "VDI Profile" dropdown).
Fix:
Assigning the "vdi" profile to the PCoIP UDP VS no longer causes intermittent connection problems.
Fixed Versions:
13.1.1.5, 14.1.0.2
752530-3 : TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.
Links to More Info: BT752530
Component: Local Traffic Manager
Symptoms:
Fast L4 TCP Analytics reports incorrect goodput when the server sequence number and the TMM-generated sequence number are different.
Conditions:
This occurs when either of the following conditions is met:
-- tcp-generate-isn is set in the Fast L4 profile.
-- SYN cookie is active.
Impact:
The GUI page Statistics :: Analytics :: TCP :: Goodput page displays incorrect goodput values.
Workaround:
None.
Fix:
Fast L4 TCP Analytics now shows correct goodput values when the server sequence number and the TMM-generated sequence number are different.
Fixed Versions:
13.1.4.1, 14.1.2.7
752363 : Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled
Links to More Info: BT752363
Component: Advanced Firewall Manager
Symptoms:
Client request fails, due to being dropped on the BIG-IP system.
Conditions:
-- The BIG-IP AFM L4 BDoS feature is enabled.
-- Virtual server setup is such that the client-facing virtual server's destination is forwarded through another virtual server, which is an internally forwarded flow.
Impact:
Client request gets dropped due to BIG-IP AFM dropping the flow.
Workaround:
Disable the BDoS feature. The feature can be disabled using the following commands:
-- To disable BDoS globally, run the following command:
modify security dos device-config dos-device-config dynamic-signatures { network { detection disabled mitigation none }}
-- To disable BDoS per profile, run the following commands:
modify security dos profile <profile-name> dos-network modify { test { dynamic-signatures { detection disabled mitigation none } } }
modify security dos profile test protocol-dns modify { test { dynamic-signatures { detection disabled mitigation none } } }
Fix:
The system now handles the looped flows properly, so the BDoS module does not incorrectly cause the packet to be dropped.
Fixed Versions:
13.1.3, 14.1.0.2
752334-3 : Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation
Links to More Info: BT752334
Component: Local Traffic Manager
Symptoms:
When Fast L4 receives out-of-order TCP packets, TCP analytics may compute an incorrect goodput value.
Conditions:
When FAST L4 receives out-of-order packets.
Impact:
Fast L4 reports an incorrect goodput value for the connection.
Workaround:
None.
Fix:
Out-of-order packet arrival no longer causes incorrect Fast L4 goodput calculation.
Fixed Versions:
13.1.4.1, 14.1.2.7
752078 : Header Field Value String Corruption
Links to More Info: BT752078
Component: Local Traffic Manager
Symptoms:
This is specific to HTTP/2.
In some rare cases, the header field value string can have one or more of its prefix characters removed by the BIG-IP system.
Conditions:
-- The header field value string is exceptionally long, and has embedded whitespace characters.
-- HTTP/2 is used.
Impact:
A header such as:
x-info: very_long_string that has whitespace characters
may be sent to the client as:
x-info: ery_long_string that has whitespace characters
Workaround:
None.
Fix:
The BIG-IP system no longer removes the prefix characters from very long HTTP/2 header field value strings containing embedded whitespace characters.
Fixed Versions:
13.1.1.4, 14.1.0.6
752047-2 : iRule running reject in CLASSIFICATION_DETECTED event can cause core
Links to More Info: BT752047
Component: Traffic Classification Engine
Symptoms:
The CLASSIFICATION_DETECTED iRule event can run very early when classification happens in the classification database (srdb). If the iRule then issues a reject command, tmm cores.
Conditions:
CLASSIFICATION_DETECTED on L4 executing reject command.
Impact:
tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
iRule running reject in CLASSIFICATION_DETECTED event no longer causes tmm core.
Fixed Versions:
13.1.1.5, 14.1.0.6
751869 : Possible tmm crash when using manual mode mitigation in DoS Profile
Links to More Info: BT751869
Component: Advanced Firewall Manager
Symptoms:
tmm crash and restart is possible when using manual mode mitigation in DoS Profile.
Conditions:
When manual mode mitigation is used for any vector that is enabled in the DoS Profile that is attached to a Protected Object.
Impact:
tmm crash and restart is possible. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm crash and restart no longer occurs when using manual mode mitigation in DoS Profile.
Fixed Versions:
13.1.1.5, 14.1.0.5
751710-2 : False positive cookie hijacking violation
Links to More Info: BT751710
Component: Application Security Manager
Symptoms:
A false positive cookie hijacking violation.
Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with a higher domain level than the configured one.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken for the other site's cookie.
Impact:
False positive violation / blocking.
Workaround:
N/A
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.2.1
751586-5 : Http2 virtual does not honour translate-address disabled
Links to More Info: BT751586
Component: Local Traffic Manager
Symptoms:
Translate-address disabled on an HTTP/2 virtual server is ignored.
Conditions:
-- HTTP/2 virtual server configured.
-- Translate-address disabled.
Impact:
The destination address of the traffic is still translated to the pool member's address.
Workaround:
None.
Fix:
Translate-address disabled is working correctly now.
Fixed Versions:
12.1.4.1, 13.1.3.4, 14.1.2.1, 15.1.4
751179-3 : MRF: Race condition may create too many outgoing connections to a peer
Links to More Info: BT751179
Component: Service Provider
Symptoms:
If two different connections attempt to create an outgoing connection to a peer at the same time, multiple connections may be created, even if the peer object is configured for one connection per peer. This is due to a race condition in message routing framework during connection creation.
Conditions:
-- Two different connections attempt to create an outgoing connection to a peer at the same time.
-- The peer is configured for one connection per peer.
Impact:
More than one connection to a peer is created.
Workaround:
None.
Fix:
Only one connection is created under these conditions.
Fixed Versions:
11.6.5.2, 13.1.1.5, 14.1.0.6
751116-3 : DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring
Links to More Info: BT751116
Component: Advanced Firewall Manager
Symptoms:
The DoS visibility screens (Monitoring :: Security :: Reporting : DoS) may display DNS and Network protocol DoS attacks with the incorrect mitigation details.
Conditions:
An attacked object assigned to a DoS profile with either DNS or Network security protocols that are configured to have detect-only or learn-only states for DoS attacks.
Impact:
Network or DNS DoS attacks, detected by a DoS profile with detect-only or learn-only protection, display mitigation as Blocking instead of the configured Transparent protection. This does not affect the reported traffic data found in the DoS visibility dimensions and charts.
Workaround:
None.
Fixed Versions:
13.1.3.4, 14.1.4.2
751036-3 : Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
751021-3 : One or more TMM instances may be left without dynamic routes.
Links to More Info: BT751021
Component: TMOS
Symptoms:
Inspecting the BIG-IP's routing table (for instance, using tmsh or ZebOS commands) shows that dynamic routes have been learnt correctly and should be in effect.
However, while passing traffic through the system, you experience intermittent failures. Further investigation reveals that the failures are limited to one or more TMM instances (all other TMM instances are processing traffic correctly). The situation does not self-recover and the system remains in this state indefinitely.
An example of a traffic failure can be a client connection reset with cause 'No route to host'. If the client retries the same request, and this hits a different TMM instance, the request might succeed.
Conditions:
This issue is known to occur when all of the following conditions are met:
- The system is a multi-blade VIPRION or vCMP cluster.
- The system just underwent an event such as a software upgrade, a reboot of one or more blades, a restart of the services on one or more blades, etc.
Impact:
Traffic fails intermittently, with errors that point to lack of routes to certain destinations.
Workaround:
You can try to temporarily resolve the issue by restarting the tmrouted daemon on all blades. To do so, run the following command:
# clsh "bigstart restart tmrouted"
However, there is no strict guarantee this will resolve the issue, given the nature of the issue.
Alternatively, you could temporarily replace the dynamic routes with static routes.
Fix:
All TMM instances across all blades now properly learn dynamic routes.
Fixed Versions:
13.1.3.5, 14.1.4
751011-1 : ihealth.sh script and qkview locking mechanism not working
Links to More Info: BT751011
Component: TMOS
Symptoms:
Two qkviews can be started up on a system at the same time, which results in conflicts for each.
Conditions:
Running qkview on one terminal and then ihealth.sh in another.
Impact:
Running of two qkviews at the same time breaks both qkviews since they compete for the same files.
Workaround:
Run either qkview or ihealth.sh, not both simultaneously.
Fix:
Starting a qkview and then running ihealth.sh halts immediately as the system detects that qkview is running.
Fixed Versions:
13.1.1.5, 14.1.0.2
751009-1 : Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out
Links to More Info: BT751009
Component: TMOS
Symptoms:
After generating a Qkview or collecting a tcpdump via the BIG-IP GUI, or using the 'tmsh run util ihealth' command to do the equivalent, the /var/tmp/mcpd.out file is missing.
Conditions:
-- Generating a Qkview or collecting a tcpdump via the BIG-IP GUI.
-- Using the 'tmsh run util ihealth' command to do the equivalent operation.
Impact:
The file /var/tmp/mcpd.out is a debug file used by mcpd, primarily for collecting debug-level log information from MCPD.
The file being deleted causes challenges with trying to collect diagnostic information from a BIG-IP system (turning on mcpd debug logging), because it now requires a service impact (restarting mcpd).
Additionally, it may cause challenges in managing disk space on the /shared filesystem, as mcpd keeps writing to a deleted file, and it cannot be truncated.
Workaround:
Generating Qkviews by invoking the 'qkview' command directly avoids this issue.
Edit the /usr/bin/ihealth.sh script to remove the corresponding line.
From a bash shell:
1. mount -o remount,rw /usr
2. /bin/cp /usr/bin/ihealth.sh{,751009.bak}
3. sed -i '/\/bin\/rm -f \/var\/tmp\/mcpd.out/d' /usr/bin/ihealth.sh
4. mount -o remount,ro /usr
Note: This workaround does not persist across software installs/upgrades, nor does it ConfigSync or replicate across blades in a VIPRION chassis.
Fix:
The problem line has been removed from the script, so this mcpd debug file is left alone (not deleted) after running ihealth.sh. Note that the GUI version of running qkview uses ihealth.sh script.
Fixed Versions:
13.1.1.4, 14.0.1.1, 14.1.0.2
750922-3 : BD crash when content profile used for login page has no parse parameters set
Links to More Info: BT750922
Component: Application Security Manager
Symptoms:
Bd crashes. No traffic goes through ASM.
Conditions:
-- A JSON login page is configured.
-- The content profile used for the login page does not have parse parameters set.
Impact:
No traffic goes through ASM. Bd crashes.
Workaround:
Set the parse parameters setting.
Fix:
BD no longer crashes when the content profile used for login page has no parse parameters set.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
750843-1 : HTTP data re-ordering when receiving data while iRule parked
Links to More Info: BT750843
Component: Local Traffic Manager
Symptoms:
Under certain circumstances tmm can reorder or omit HTTP data segments when they are received while processing an iRule which is parked.
Conditions:
- HTTP iRule execution suspended, e.g., waiting for a table command to return.
- Ingress data is processed during this state.
Impact:
Data corruption or loss can occur.
Workaround:
There is no workaround other than not using iRule suspend commands in HTTP_* events.
Fix:
tmm now handles ingress data correctly when in the parked iRule state.
Fixed Versions:
13.1.1.5, 14.0.0.5
750823-3 : Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
Links to More Info: BT750823
Component: Access Policy Manager
Symptoms:
Memory usage in TMM keeps going up.
Conditions:
Access::policy evaluate command fails with error message in /var/log/ltm:
TCL error: ... - Failed to forward request to apmd.
Impact:
Memory leaks in TMM, which cause a TMM crash eventually.
Workaround:
Limit the amount of data that will be forwarded to APMD.
Fixed Versions:
13.1.3, 14.1.2.1
750689-1 : Request Log: Accept Request button available when not needed
Links to More Info: BT750689
Component: Application Security Manager
Symptoms:
There are several violations that make requests unlearnable, but the Accept Request Button is still enabled.
Conditions:
This occurs in the following scenarios:
1. Request log has requests with the following violations that make requests unlearnable:
- Threat Campaign detected.
- Null character found in WebSocket text message.
- Access from disallowed User/Session/IP/Device ID.
- Failed to convert character.
2. Sub-violations of the 'HTTP protocol compliance failed' violation:
- Unparsable request content.
- Null in request.
- Bad HTTP version.
3. Only the following violations are detected:
- Access from malicious IP address.
- IP address is blacklisted.
- CSRF attack detected.
- Brute Force: Maximum login attempts are exceeded.
Impact:
The Accept Request button is available, but pressing it does not change the policy.
Workaround:
None.
Fix:
The Accept Request button is now disabled when there is nothing to be learned from request.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
750631-1 : There may be a latency between session termination and deletion of its associated IP address mapping
Links to More Info: BT750631
Component: Access Policy Manager
Symptoms:
In SWG, if a new request from a client executes iRule command "ACCESS::session exists" when the session has expired previously, the command will return false. However, if command "ACCESS::session create" is executed following the exist command, the session ID of the previous session may be returned.
Conditions:
In SWG, if a new request from a client IP comes into the system right after its previous session has expired.
Impact:
The Access filter will determine that the session ID is stale and, therefore, will redirect the client to /my.policy.
Fix:
N/A
Fixed Versions:
13.1.3, 14.1.2.7
750586-1 : HSL may incorrectly handle pending TCP connections with elongated handshake time.
Links to More Info: BT750586
Component: TMOS
Symptoms:
HSL may incorrectly handle TCP connections that are pending 3-way handshake completion and exceed the default handshake timeout.
Conditions:
-- HSL or ReqLog configured to send logging data to pool via TCP protocol.
-- TCP 3-way handshake takes longer than 20 seconds (the default handshake timeout) to complete.
Impact:
-- Service interruption while TMM restarts.
-- Failover event.
Workaround:
None.
Fix:
HSL handles unusually long pending TCP handshakes gracefully and does not cause outage.
Fixed Versions:
12.1.5, 13.1.1.5, 14.1.0.6
750496-1 : TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP
Links to More Info: BT750496
Component: Access Policy Manager
Symptoms:
TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP.
Conditions:
Create a basic SSO item.
Create a PRP that has the SSO Assign in it and select the basic SSO item.
Create a PSP that is Start->Allow.
Create a VS that uses the PRP, PSP, and a pool.
Delete the SSO item in the UI.
Run traffic through the VS.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not delete the SSO config object referenced by SSO Configuration Select agent in PRP.
Fix:
The SSO Configuration Select agent now fails with an error code when the sso_config cannot be found (i.e., NULL).
Fixed Versions:
13.1.1.4, 14.0.0.5
750447-1 : GUI VLAN list page loading slowly with 50 records per screen
Links to More Info: BT750447
Component: TMOS
Symptoms:
The GUI VLAN list page loads slowly when there are 3200+ VLANs and the Records Per Screen preference is set to 50.
Conditions:
-- Using a VIPRION system.
-- Configuration containing 3200 or more VLANs.
-- System Preferences Records Per Screen set to 50.
Impact:
Cannot use the page.
Workaround:
Use tmsh or the guishell tool to see the VLANs.
You can also try using a smaller value for the Records Per Screen option in System :: Preferences.
Fix:
Improved data retrieval and rendering for the VLAN list page.
Fixed Versions:
13.1.1.5, 14.1.0.2
750356-3 : Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted
Links to More Info: BT750356
Component: Application Security Manager
Symptoms:
In any Split View page (Request Log, Learning, etc.): All user-defined filters are removed if you delete a newly created filter without reloading the page first.
Conditions:
-- Create a new filter.
-- Remove the new filter.
Impact:
The system removes all user-defined filters.
Workaround:
Before you delete a newly created filter, reload the page.
Fix:
Filter removal now completes successfully for all scenarios.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
750318-1 : HTTPS monitor does not appear to be using cert from server-ssl profile
Links to More Info: BT750318
Component: TMOS
Symptoms:
An HTTPS monitor using a client certificate configured in the server-ssl profile fails to send the certificate during the SSL handshake.
A tcpdump shows a 0-byte certificate being sent.
Conditions:
-- In-tmm monitoring is disabled (default).
-- The server-ssl profile has been modified but without changing the configured certificate or key.
The resulting message passed from mcpd to bigd will contain only the incremental modification to the profile, which bigd treats as a complete profile, meaning that it is possible for the certificate and key parameters to be lost.
Impact:
SSL handshake might fail to complete and the HTTPS monitor fails.
Workaround:
Restart bigd process by running the following command:
bigstart restart bigd
Fix:
mcpd now sends the full profile configuration to bigd upon modification.
Fixed Versions:
13.1.1.5, 14.1.2.3
750213-2 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
Links to More Info: K25351434 , BT750213
Component: Global Traffic Manager (DNS)
Symptoms:
FPGA hardware-accelerated DNS Cache can respond improperly to DNS queries that contain EDNS OPT Records. This improper response can take several forms, ranging from not responding with an OPT record, to a query timeout, to a badvers response.
Conditions:
-- Using VIPRION B2250 blades.
-- This may occur if a client sends a query with an EDNS OPT record that has an unknown version or other values that the Hardware-accelerated Cache does not understand. These errors only occur when matching the query to a hardware cached response.
Note: If the response is not in the hardware cache, then the query should be properly handled.
Impact:
Hardware-accelerated DNS Cache drops the request. Clients will experience a timeout for that query.
This is occurring now because of the changes coming to software from certain DNS software vendors that remove specific workarounds on February 1st, 2019. This is known as DNS Flag Day.
Workaround:
None.
Fixed Versions:
12.1.5, 13.1.3, 14.1.2.5
750200-1 : DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
Links to More Info: BT750200
Component: Local Traffic Manager
Symptoms:
DHCP requests from the client are sent only to the first member in the DHCP server pool.
Conditions:
- BIG-IP system configured as a DHCP Relay.
- DHCP server pool contains more than one DHCP server.
Impact:
- DHCP server load balancing is not achieved.
- If the first DHCP server in the DHCP server pool does not respond or is unreachable, the DHCP client will not be assigned an IP address.
Workaround:
None.
Fixed Versions:
13.1.1.5, 14.0.1.1, 14.1.0.2
750194-2 : Moderate: net-snmp security update
Component: TMOS
Symptoms:
SNMP crashes due to a specially crafted UDP packet sent by an authenticated user, resulting in a denial of service.
Conditions:
SNMP traffic enabled.
Impact:
SNMP crashes resulting in a denial of service.
Fix:
Patched net-snmp to properly validate input data.
Fixed Versions:
13.1.3.5, 14.1.4
750170-1 : SP Connector config changes sometimes cause a BIG-IP tmm core during handling of a SAML SLO request
Links to More Info: BT750170
Component: Access Policy Manager
Symptoms:
tmm crashes.
Conditions:
This occurs when BIG-IP handles SAML SLO requests, and SP Configuration is changed by the admin around the same time.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
When the SP configuration is changed by the admin, BIG-IP now handles SLO requests correctly without a tmm core.
Fixed Versions:
13.1.3
749785-1 : nsm can become unresponsive when processing recursive routes
Links to More Info: BT749785
Component: TMOS
Symptoms:
imish hangs, and the BIG-IP Network Services Module (nsm) daemon consumes 100% CPU.
Conditions:
-- Dynamic routing enabled.
-- Processing recursive routes from a BGP peer with different prefixlen values.
Impact:
Dynamic routing, and services using dynamic routes do not operate. nsm does not recover and must be restarted.
Workaround:
None.
Fix:
nsm now processes recursive routes without issues.
Fixed Versions:
12.1.5.3, 13.1.3, 14.1.2.5
749774-3 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
Links to More Info: BT749774
Component: Global Traffic Manager (DNS)
Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.
Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.
Impact:
Inconsistent behavior.
Workaround:
To allow consistent processing of any EDNS0 queries with ECS information, use a DNS profile where DNS caching is disabled by default, and selectively use the DNS cache only for non-EDNS0 queries.
Fix:
In this release, responses are now consistent when caching is enabled.
When the DNS cache is enabled, EDNS0 EDNS Client Subnet (ECS) information is removed from the DNS query, as it is not supported.
Fixed Versions:
11.5.8, 11.6.3.4, 12.1.4, 13.1.1.4, 14.0.0.4, 14.1.0.1
749738-2 : After upgrade to 13.1.3.3 or 13.1.3.4, B2250 blades may fail to detect HSB and have chmand restarting
Links to More Info: BT749738
Component: TMOS
Symptoms:
When booting after upgrade, BIG-IP system software may not fully start up, preventing normal service.
-- In early boot messages in /var/log/ltm:
+ warning chmand[xxxxx]: 012a0004:4: No FPGA HSB LBB PCI device found.
+ emerg chmand[xxxxx]: 012a0000:0: Dataplane INOPERABLE - No HSBe2_v2 found on the platform (A112)
-- In later ltm logs, chmand may be seen restarting every few seconds with these lines, among others, logged each time it starts:
+ notice chmand[xxxxx]: 012a0005:5: Starting ChassisManager (chmand).
+ info chmand[xxxxx]: 012a0006:6: Found platform 'A112' in /PLATFORM.
-- The chmand process may create core in /var/core when it restarts.
Conditions:
-- Upgrade B2250 (A112) blade to software version 13.1.3.3 or 13.1.3.4.
-- This issue occurs on affected BIG-IP versions running directly on the indicated hardware platforms, or running as a vCMP host on the indicated hardware platforms.
Impact:
No service after upgrade.
Note: This might not occur in every configuration. Some multi-blade configurations might encounter this issue where others do not.
Workaround:
If possible, roll back to a previous version and contact F5 Support to get an engineering hotfix containing a fix for this issue.
Fix:
Upgrading BIG-IP software on B2250 blades completes successfully when BIG-IP software is running directly on the hardware or is running as a vCMP host.
For vCMP deployments, the vCMP host must be running the fixed BIG-IP software in order to resolve this issue.
Fixed Versions:
13.1.3.5, 14.1.2.2
749704-3 : GTPv2 Serving-Network field with mixed MNC digits
Links to More Info: BT749704
Component: Service Provider
Symptoms:
iRules command 'GTP::ie get value' incorrectly decodes Serving-Network field, putting the least significant digit of mobile network codes (MNC) value before the other two.
Conditions:
Using the iRule command 'GTP::ie get value' to retrieve the Serving-Network field from a GTP message (the iRule construction: GTP::ie get value -message $gtp_message 83).
Impact:
The operation returns results in which the least significant digit is inserted before the other two, resulting in incorrect data being returned.
Workaround:
None.
Fix:
The iRule command 'GTP::ie get -message $gtp_message 83' that retrieves the Serving-Network now returns the correctly ordered, three-digit values for mobile country codes (MCC) and mobile network codes (MNC) as a two-element list: {{<MCC> <MNC>} <optional data>}, where the first element is another list containing actual MCC and MNC values, while the second element is optional binary data which follows MCC and MNC. It is the same format as used for ULI field decoding.
Behavior Change:
The iRule command 'GTP::ie get -message $gtp_message 83' that retrieves the Serving-Network now returns the correctly ordered, three-digit values for mobile country codes (MCC) and mobile network codes (MNC) as a two-element list: {{<MCC> <MNC>} <optional data>}, where the first element is another list containing actual MCC and MNC values, while the second element is optional binary data which follows MCC and MNC. It is the same format as used for ULI field decoding.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6
749689-1 : HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart
Links to More Info: BT749689
Component: Local Traffic Manager
Symptoms:
The HTTPS monitor sends a different number of cipher suites in the client hello during the SSL handshake, and sometimes the back-end server cannot find an acceptable cipher suite in the client hello. As a result, the SSL handshake sometimes fails and the monitor wrongly marks the pool member down.
Conditions:
-- Have an SSL profile to be used by an HTTPS monitor.
-- Load the same config more than once.
Impact:
HTTPS monitor might incorrectly mark pool member down because of a failed SSL handshake.
Workaround:
Restart bigd using the following command:
bigstart restart bigd
Fix:
HTTPS monitor now sends a consistent number of cipher suites in the client hello message during the SSL handshake.
Fixed Versions:
13.1.1.5, 14.1.2.3
749675-3 : DNS cache resolver may return a malformed truncated response with multiple OPT records
Links to More Info: BT749675
Component: Global Traffic Manager (DNS)
Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.
Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).
Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.
Workaround:
A second query will return the cached record, which will only have one OPT record.
Fix:
DNS cache resolver now returns the correct response under these conditions.
Fixed Versions:
11.5.8, 11.6.3.4, 12.1.4, 13.1.1.4, 14.0.0.4, 14.1.0.1
749603-3 : MRF SIP ALG: Potential to end wrong call when BYE received
Links to More Info: BT749603
Component: Service Provider
Symptoms:
When a BYE is received, the media flows for a different call might be closed in error.
Conditions:
If the hash of the call-id (masked to 12 bits) matches the hash of another call's call-id.
Impact:
The media flows for both calls will be closed when one receives a BYE command. A call may be incorrectly terminated early.
Workaround:
None.
Fix:
The entire call-id is now checked before media flows are terminated.
Fixed Versions:
13.1.1.5, 14.0.1.1, 14.1.0.2
749508-3 : LDNS and DNSSEC: Various OOM conditions need to be handled properly
Links to More Info: BT749508
Component: Global Traffic Manager (DNS)
Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.
Conditions:
LDNS and DNSSEC OOM conditions.
Impact:
Various traffic-processing issues, for example, a TMM panic during processing of DNSSEC activity.
Workaround:
None.
Fix:
The system contains improvements for handling OOM conditions properly.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
749464 : Race condition while BIG-IQ updates common file
Links to More Info: BT749464
Component: Application Visibility and Reporting
Symptoms:
The file /var/config/rest/downloads/app_mapping.json is being used by two processes: BIG-IQ and avrd.
This can cause a race-condition between the two and in some rare cases can cause avrd to crash.
Conditions:
BIG-IQ updating /var/config/rest/downloads/app_mapping.json while avrd is reading it.
Impact:
avrd might read incomplete data, and can even core in some rare cases.
Workaround:
None.
Fix:
This race condition no longer occurs.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
749461 : Race condition while modifying analytics global-settings
Links to More Info: BT749461
Component: Application Visibility and Reporting
Symptoms:
Updating the analytics global-settings might cause a core for avrd.
The avrd.log contains the following record:
AVRD_CONFIG|NOTICE... 13931|lib/avrpublisher/infrastructure/avr_mcp_msg_parser.cpp:2985| Modified Analytics Global Settings, added "0" offbox TCP addresses
Conditions:
Analytics global-settings are updated either explicitly, using a tmsh command, or implicitly, by an internal process script.
Impact:
Might cause a core for avrd. After coring once, avrd is expected to start normally without any additional cores. The configuration change is expected to be applied correctly after restart is complete.
Workaround:
None.
Fix:
This represents a partial fix. See bug 764665 for an additional fix.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
749414-2 : Invalid monitor rule instance identifier error
Links to More Info: BT749414
Component: Local Traffic Manager
Symptoms:
Modifying a node or pool member can cause the system to lose monitor_instance and monitor_rule_instances entries for unrelated objects.
Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is in a pool.
-- Run the following command: tmsh load /sys config
-- Loading a UCS/SCF file can also trigger the issue.
-- Nodes share the same monitor instance.
-- default-node-monitor is not configured.
Impact:
-- The system might delete monitor rule instances for unrelated nodes/pool-members.
-- Pool members are incorrectly marked down.
Workaround:
You can use either of the following:
-- Failover or failback traffic to the affected device.
-- Run the following command: tmsh load sys config.
Fixed Versions:
11.6.5.2, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6
749388 : 'table delete' iRule command can cause TMM to crash
Links to More Info: BT749388
Component: TMOS
Symptoms:
TMM segfaults and restarts.
Conditions:
'table delete' gets called after another iRule command.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
Call 'table lookup' on any key before performing a 'table delete'.
Whether or not the key was added into the database beforehand does not matter.
Fix:
Fixed code to prevent invalid use of internal data structure.
Fixed Versions:
12.1.5.2, 13.1.3.2, 14.1.2.5
749294-2 : TMM cores when query session index is out of boundary
Links to More Info: BT749294
Component: Local Traffic Manager
Symptoms:
TMM cores when the queried session index is out of bounds. This is unusual and is most likely caused by memory corruption.
Conditions:
When the session index equals the size of the session cache.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The index boundary check now operates correctly in this situation, so tmm no longer cores.
Fixed Versions:
12.1.5, 13.1.3.2, 14.0.1.1, 14.1.0.2
749222-3 : dname compression offset overflow causes bad compression pointer
Links to More Info: BT749222
Component: Global Traffic Manager (DNS)
Symptoms:
DNS requests receive error response:
-- Got bad packet: bad compression pointer.
-- Got bad packet: bad label type.
Conditions:
When the DNS response is large enough that a dname compression pointer refers to an offset larger than 0x3fff.
Impact:
DNS response is malformed. Because the DNS record is corrupted, zone transfer fails.
Workaround:
None.
Fix:
dname compression offset overflow no longer causes bad compression pointer.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
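The 0x3fff limit in the entry above is the largest offset a DNS compression pointer can carry: a pointer is two bytes whose top two bits are 11, leaving 14 bits for the offset (RFC 1035 section 4.1.4). The following Python is an added illustration, not F5 code and not part of this release note. It shows an encoder that emits a pointer only when the target fits in 14 bits and otherwise writes the labels out in full, what a naive encoder produces when it does not check, and a decoder that rejects the two malformed shapes quoted in the Symptoms. The names, offsets and sample message are constructed for the example.

```python
import struct

# A compression pointer is two bytes: top two bits 11, then a 14-bit offset
# into the message (RFC 1035 section 4.1.4).  The largest representable
# offset is therefore 0x3FFF.
POINTER_MAX = 0x3FFF
POINTER_MASK = 0xC0


def encode_name(name, offset, suffixes):
    """Encode `name` ('www.example.com.') for placement at message `offset`.

    `suffixes` maps suffixes already written ('example.com.') to the offset at
    which they start; it is updated in place.  A pointer is emitted only when
    the target offset fits in 14 bits.  Otherwise the remaining labels are
    written in full, which costs bytes but keeps the message well-formed.
    """
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]) + "."
        target = suffixes.get(suffix)
        if target is not None and target <= POINTER_MAX:
            out += struct.pack(">H", 0xC000 | target)   # pointer ends the name
            return bytes(out)
        suffixes.setdefault(suffix, offset + len(out))
        if len(label) > 63:
            raise ValueError("label longer than 63 octets")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)                                         # root label terminates
    return bytes(out)


def unchecked_pointer(target):
    """What a naive encoder produces: OR-ing the flag bits onto an offset that
    does not fit in 14 bits silently changes the offset (0x4000 becomes 0), so
    the reader follows a pointer to the wrong place."""
    return struct.pack(">H", (0xC000 | target) & 0xFFFF)


def decode_name(msg, offset):
    """Decode the name at `offset`; return (name, bytes consumed at `offset`).

    Raises ValueError with the wording a resolver uses for the two failure
    modes in the entry above: a pointer that does not go strictly backwards
    ('bad compression pointer') and a label byte whose reserved type bits are
    01 or 10 ('bad label type').
    """
    labels = []
    pos = offset
    consumed = None
    hops = 0
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        b = msg[pos]
        if b & POINTER_MASK == POINTER_MASK:
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = struct.unpack(">H", msg[pos:pos + 2])[0] & POINTER_MAX
            if target >= pos:                 # pointers may only go backwards
                raise ValueError("bad compression pointer")
            if consumed is None:
                consumed = pos + 2 - offset
            pos = target
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if b & POINTER_MASK:                  # 01xxxxxx / 10xxxxxx are reserved
            raise ValueError("bad label type")
        if b == 0:
            if consumed is None:
                consumed = pos + 1 - offset
            return ".".join(labels) + ".", consumed
        labels.append(msg[pos + 1:pos + 1 + b].decode("ascii"))
        pos += 1 + b


def decode_error(msg, offset):
    """Return the ValueError message for a malformed name, or None if it decodes."""
    try:
        decode_name(msg, offset)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    table = {}
    header = bytes(12)                        # constructed: empty 12-byte DNS header
    first = encode_name("www.example.com.", 12, table)
    second = encode_name("mail.example.com.", 12 + len(first), table)
    message = header + first + second
    print(decode_name(message, 12), decode_name(message, 12 + len(first)))
```

The encoder's fallback is the point: once a large answer pushes a suffix past offset 0x3fff, the only well-formed choice is to stop compressing against it, and a decoder that insists pointers go backwards will catch an encoder that did not.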
749184-4 : Added description of subviolation for the suggestions that enabled/disabled them
Links to More Info: BT749184
Component: Application Security Manager
Symptoms:
Missing description of subviolation for the suggestions that enabled/disabled them.
Conditions:
There are suggestions that enabled/disabled subviolations in the security policy.
Impact:
Cannot determine the subviolation for the suggestions that enabled/disabled them.
Workaround:
Open Description in an additional tab in Learning and Blocking settings screen.
Fix:
Added description of subviolation for the suggestions that enabled/disabled them.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.3
749161-1 : Policy sync problem when the policy contains non-ASCII characters
Component: Access Policy Manager
Symptoms:
When an access policy contains non-ASCII characters, policy sync either fails or the characters are not synced properly to the target.
Conditions:
-- Using an access profile.
-- Access profile contains non-ASCII characters (code point greater than 0x7f), e.g., in VPE, add an 'Advanced Resource Assign' agent and specify an expression similar to the following in addition to the resource:
expr { [string tolower [mcget -decode {session.ad.last.attr.memberOf}]] contains [string tolower "CN=Suporte_Transmissão,"] || [string tolower [mcget -decode {session.ad.last.attr.memberOf}]] contains [string tolower "CN=suporte_tx,"]}
-- Start policy sync on the profile.
Impact:
Policy sync fails or does not complete properly for the non-ASCII characters.
Workaround:
None.
Fix:
Policy sync now works properly when the policy contains non-ASCII characters.
Fixed Versions:
13.1.3, 14.1.2.1
749153-1 : Cannot create LTM policy from GUI using iControl
Links to More Info: BT749153
Component: TMOS
Symptoms:
LTM policy cannot be created from GUI using iControl REST.
Conditions:
Using iControl to create an LTM policy.
Impact:
LTM policy cannot be created from the GUI.
Workaround:
Create LTM policy using TMSH.
Fix:
Can now create LTM policy from GUI using iControl.
Fixed Versions:
12.1.4.1, 13.1.3.4
749109-1 : CSRF situation on BIGIP-ASM GUI
Links to More Info: BT749109
Component: Application Security Manager
Symptoms:
A CSRF condition in the BIG-IP ASM GUI might lead to resource exhaustion on the device while the request is being processed.
Conditions:
The following URL accepts a wildcard in the parameter id, making it a heavy URL:
https://BIG-IP/dms/policy/pl_negsig.php?id=*
Impact:
When multiple such requests are sent to the GUI, the httpd process can be seen spiking in CPU usage, even on core 0 (VMware).
Workaround:
None.
Fix:
If the query string parameter 'id' has a string value, the query is not executed.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.2
749057-3 : VMware Horizon idle timeout is ignored when connecting via APM
Links to More Info: BT749057
Component: Access Policy Manager
Symptoms:
VMware Horizon has an option to set an idle timeout under "View Configuration\Global Settings\General\Client-dependent settings\For clients that support applications". When there is no keyboard or mouse activity for the given time, application sessions should be disconnected (desktop sessions remain connected, though).
This setting has no effect when connecting via APM.
Conditions:
VMware Horizon idle timeout setting for applications is configured and remote application is launched via APM.
Impact:
VMware Horizon idle timeout setting for applications has no effect.
Workaround:
None.
Fix:
VMware Horizon idle timeout "For clients that support applications" is now honored when connecting via APM.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
749007-3 : South Sudan, Sint Maarten, and Curacao country missing in GTM region list
Links to More Info: BT749007
Component: TMOS
Symptoms:
South Sudan, Sint Maarten, and Curacao countries are missing from the region list.
Conditions:
-- Creating a GTM region record.
-- Creating a GTM region whose country is South Sudan, Sint Maarten, or Curacao.
Impact:
Cannot select South Sudan, Sint Maarten, or Curacao from the GTM country list.
Workaround:
None.
Fix:
South Sudan, Sint Maarten, and Curacao are now present in the GTM country list.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
748999-1 : invalid inactivity timeout suggestion for cookies
Links to More Info: BT748999
Component: Application Security Manager
Symptoms:
ASM will report "invalid inactivity timeout" suggestions to delete a cookie, even though the cookies are being sent and are valid.
Conditions:
- Inactivity timeout feature is configured in Policy Builder
- Cookie entity is configured in the policy
- Valid, non-violating traffic containing cookies is passed
Impact:
Since non-violating traffic is not sent to the policy engine, the inactivity timeout timer is never reset, which will eventually lead to suggestions to delete the inactive cookie entities. These suggestions are erroneous because valid cookies are being sent in the traffic.
Workaround:
Ignore the inactive entity suggestions for cookies.
Fix:
Inactivity learning for cookies has been deprecated; the feature no longer covers cookies.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
748976 : DataSafe Logging Settings page is missing when DataSafe license is active
Links to More Info: BT748976
Component: Fraud Protection Services
Symptoms:
DataSafe Logging Settings page is missing when the DataSafe license is active.
Conditions:
1. DataSafe license is active
2. Logging of Login attempts feature enabled
Impact:
DataSafe Logging Settings page is missing in GUI.
Workaround:
Use tmsh to configure the logging of Login attempts feature.
Fix:
The FPS GUI now displays the Logging Settings page when the DataSafe license is active.
Fixed Versions:
13.1.1.4
748940-1 : iControl REST cert creation not working for non-Common folder
Links to More Info: BT748940
Component: TMOS
Symptoms:
Certificate creation under a non-Common folder using iControl REST does not work.
For example, the user sends the following iControl REST request and receives the error message shown:
curl -sk -u admin:admin https://10.192.84.16/mgmt/tm/sys/crypto/cert/ -H 'Content-Type: application/json' -X POST -d '{"name":"/my_dir/mmmmm", "common-name":"cn","key":"/my_dir/mmmmm"}' | ~/bin/json-parser-linux64
{
"code": 400,
"message": "Unable to extract key information from \"/config/filestore/files_d/my_dir_d/certificate_key_d/:my_dir:mmmmm_166121_1\"to \"/var/system/tmp/tmsh/87bOS1/ssl.key//my_dir/mmmmm\"",
"errorStack": [],
"apiError": 26214401
}
Conditions:
The user attempts to create an SSL certificate under a non-Common folder using iControl REST.
Impact:
Unable to create an SSL certificate in non-Common folder.
Workaround:
Create the SSL certificate using tmsh.
Fix:
With the fix, certificates can be created under a non-Common folder using iControl REST.
Fixed Versions:
13.1.3.4
748902-7 : Incorrect handling of memory allocations while processing DNSSEC queries
Links to More Info: BT748902
Component: Global Traffic Manager (DNS)
Symptoms:
tmm crashes.
Conditions:
-- Heavy DNS traffic using DNS security signatures.
-- Use of external HSM may aggravate the problem.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release corrects the handling of memory allocations while processing DNSSEC queries.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
748851-1 : Bot Detection injection includes tags that may cause faulty display of the application
Links to More Info: BT748851
Component: Application Security Manager
Symptoms:
The Bot Detection feature / Bot Defense profile includes JavaScript which is injected within <APM_DO_NOT_TOUCH> tags. Some web applications may be displayed incorrectly due to these tags.
Conditions:
- Your application includes JavaScript which dynamically adds HTML elements and expects a certain set of tags in the <head> section of the HTML.
- Bot Detection / Bot Defense are enabled.
Impact:
Some web applications may be displayed incorrectly.
Workaround:
None.
Fix:
There is now an ASM Internal Parameter 'inject_apm_do_not_touch' and a db variable 'asm.inject_apm_do_not_touch', which can be disabled (modify sys db asm.inject_apm_do_not_touch value false) to prevent the <APM_DO_NOT_TOUCH> tag from being injected, thus allowing the application to be displayed correctly.
Behavior Change:
This release provides an ASM Internal Parameter 'inject_apm_do_not_touch', and a db variable 'asm.inject_apm_do_not_touch', which can be disabled (the default is enabled) to prevent the <APM_DO_NOT_TOUCH> tag from being injected, thus allowing the application to be displayed correctly.
To disable db variable, run the following command:
modify sys db asm.inject_apm_do_not_touch value false
Fixed Versions:
13.1.1.4
748813-1 : tmm cores under stress test on virtual server with DoS profile with admd enabled
Links to More Info: BT748813
Component: Anomaly Detection Services
Symptoms:
tmm cores.
Conditions:
-- Systems under stress testing.
-- Virtual server with DoS profile with admd enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Turn off Behavioral DoS.
Fix:
This tmm core no longer occurs under these conditions.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.2.3
748253-3 : Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
Links to More Info: BT748253
Component: Service Provider
Symptoms:
Depending on the DIAMETER settings of the BIG-IP system, there can be a race condition in a mirrored device cluster where the standby BIG-IP system resets its mirror connection to the active device.
Conditions:
-- MRF DIAMETER in use.
-- The DIAMETER session profile on the BIG-IP system is configured to use a non-zero watchdog timeout.
-- The DIAMETER session profile on the BIG-IP system is configured to use Reset on Timeout.
-- This is more likely to happen if (in the DIAMETER session profile) the Maximum Watchdog Failures is set to 1, and the Watchdog Timeout is configured to be the same value as the remote DIAMETER system.
Impact:
The standby is no longer mirroring the active system, and gets out of sync with it. There may be connections lost if a failover occurs.
Workaround:
To mitigate this issue:
1. Configure the Maximum Watchdog Failures to a value greater than 1.
2. Configure the Watchdog Timeout as something different from the same timeout on the remote peer, preferably to something that will have little overlap (i.e., the two timers should fire at the exact same time very infrequently).
Fix:
Prevented the standby from sending DWR packets to the active device, so that it no longer expects DWA responses that never arrive.
Fixed Versions:
13.1.3, 14.1.2.1
748206 : Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position
Links to More Info: BT748206
Component: TMOS
Symptoms:
Browser becomes unresponsive.
Conditions:
Loading the network map with a virtual server that contains a forwarding rule policy in the second position.
Impact:
Browser becomes unresponsive and must be restarted.
Workaround:
Change the position of the forwarding rule policy.
Fix:
The browser now behaves as expected when loading the network map with a virtual server that contains a forwarding rule policy in the second position.
Fixed Versions:
13.1.1.4, 14.1.0.6
748205-1 : SSD bay identification incorrect for RAID drive replacement
Links to More Info: BT748205
Component: TMOS
Symptoms:
On iSeries platforms with dual SSDs, the 'bay' of a given SSD indicated in the 'tmsh show sys raid' command may be incorrect. If a drive fails, or for some other reason it is intended to be replaced, and you are using the bay number listed from the tmsh command, the wrong drive could be removed from the system resulting in system failure to operate or boot.
Conditions:
iSeries platform with dual SSDs.
Impact:
Removal of the one working drive could result in system failure and subsequent failure to boot.
Workaround:
If you discover that you removed the incorrect drive, you can attempt to recover by re-inserting the drive into the bay that it was in, and powering on the device.
The following steps will help to avoid inadvertently removing the wrong drive:
As a rule for systems with this issue:
-- Power should be off when you remove a drive. This makes it possible to safely check the serial number of the removed drive.
-- Power should be on, and the system should be completely 'up' before you add a new drive.
Here are some steps to follow to prevent this issue from occurring.
1. Identify the failed drive, taking careful note of its serial number (SN). You can use any of the following commands to get the serial number:
• tmsh show sys raid
• tmsh show sys raid array
• array
2. Logically remove the failed drive using the following command: tmsh modify sys raid array MD1 remove HD<>
3. Power down the unit.
4. Remove the fan tray and physically remove the failed drive.
5. Manually inspect the SN on the failed drive to ensure that the correct drive was removed.
6. Replace the fan tray.
7. Power on the unit with the remaining, single drive.
8. Once booted, wait for the system to identify the remaining (good) drive. You can confirm that this has happened when it appears in the 'array' command output.
9. Remove fan tray again (with the system running).
10. Install the new drive.
11. Use the 'array' command to determine that the new drive is recognized (Note: the tmsh commands do not show the new drive at this stage.)
12. Logically add the new drive using the following command: tmsh modify sys raid array MD1 add HD<>
13. Monitor the rebuild using any of the commands shown in step 1.
Note: You must follow these steps exactly. If you insert the new drive while the system is off, and then boot the system with both the previously working drive and the new blank drive present, the system recognizes the blank drive as the working array member, and you cannot add it to the array: the system responds as if 'HD already exists'.
Fixed Versions:
12.1.5, 13.1.3, 14.1.2.5
748187-2 : 'Transaction Not Found' Error on PATCH after Transaction has been Created
Links to More Info: BT748187
Component: TMOS
Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.
Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.
Impact:
A PATCH to a transaction whose ID has been created and logged as created fails.
Workaround:
If the transactions are not very large, configure icrd_child to run single-threaded only.
Fix:
Erroneous 'Transaction Not Found' messages no longer occur under these conditions.
Fixed Versions:
12.1.4, 13.1.1.5, 14.0.1.1, 14.1.0.6
748177-3 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character
Links to More Info: BT748177
Component: Global Traffic Manager (DNS)
Symptoms:
Multiple wildcards not matched to the most specific WideIP.
Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.
Impact:
DNS request gets wrong answer.
Workaround:
There is no workaround at this time.
Fix:
Multiple wildcards are now matched to the most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.1.0.6
748121-1 : admd livelock under CPU starvation
Links to More Info: BT748121
Component: Anomaly Detection Services
Symptoms:
Due to resource starvation, the admd worker thread does not get CPU time for more than two minutes, while the configuration thread does.
The admd heartbeat failure occurs at 120 seconds. The SOD daemon kills admd.
The system posts messages similar to the following:
-- notice sod[6783]: 01140041:5: Killing /usr/bin/admd pid 6732
-- warning sod[6783]: 01140029:4: high availability (HA) daemon_heartbeat ADMD.Anomaly0 fails action is restart.
-- warning sod[6783]: 01140029:4: high availability (HA) daemon_heartbeat ADMD.Publisher0 fails action is restart.
Conditions:
-- High CPU / memory utilization.
-- Very large configuration.
Note: There are no known special configuration requirements to have this occur.
Impact:
admd restarts.
Behavioral DoS does not work.
Workaround:
Reboot the BIG-IP system.
Fix:
admd livelock event no longer occurs in response to CPU starvation in very large configurations.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.6
748081-2 : Memory leak in Behavioral DoS module
Links to More Info: BT748081
Component: Advanced Firewall Manager
Symptoms:
TMM runs out of memory and restarts.
The memory usage as shown in "tmctl memory_usage_stat", under module line tag "session" is noticed to be high, and keeps growing.
Conditions:
The issue is seen when the BDoS feature is configured and custom or auto-generated BDoS signatures exist. When such signatures exist, the BDoS one-second timer callback leaks memory.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
1. Disable BDoS feature.
2. Disable all configured and auto-generated BDoS signatures using the following tmsh commands:
# cd dos-common
# modify security dos dos-signature all { state disabled }
Fixed Versions:
13.1.1.5, 14.1.0.2
748043-3 : MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP
Links to More Info: BT748043
Component: Service Provider
Symptoms:
The SIP server sends a SIP request to the client.
The SIP server inserts a different port, so that responses are received on a different port.
The client sends the response to the newly requested port.
The BIG-IP system drops the packet.
Conditions:
The SIP server requests that the SIP response arrive on a different port.
Impact:
The SIP request will not receive its SIP response.
Workaround:
There is no workaround.
Fix:
The BIG-IP system now processes the SIP response and forwards it to the SIP server.
Fixed Versions:
13.1.1.5, 14.0.1.1, 14.1.0.2
747968-2 : DNS64 stats not increasing when requests go through DNS cache resolver
Links to More Info: BT747968
Component: Local Traffic Manager
Symptoms:
DNS64 stats are not incrementing when running the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands if responses are coming from DNS cache resolver.
Conditions:
-- DNS responses are coming from DNS cache resolver.
-- Viewing statistics using the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands.
Impact:
DNS64 stats are not correct.
Workaround:
There is no workaround at this time.
Fixed Versions:
11.6.5.3, 12.1.4.1, 13.1.1.5, 14.1.0.6
747926 : Rare TMM restart due to NULL pointer access during AFM ACL logging
Links to More Info: BT747926
Component: Advanced Firewall Manager
Symptoms:
tmm crashes while performing ACL match logging.
Conditions:
The problem can happen only with the following configuration:
1) AFM logging for ACLs is enabled.
2) The Security Network Logging profile has the property "log-translation-fields enabled".
The problem happens under extremely rare circumstances.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Defensive error handling to avoid the scenario of NULL pointer access.
Fixed Versions:
13.1.1.4, 14.1.0.2
747922-2 : With AFM enabled, during bootup, there is a small possibility of a tmm crash
Links to More Info: BT747922
Component: Advanced Firewall Manager
Symptoms:
During bootup or re-provisioning, with AFM enabled, there is a small possibility of a tmm crash. The tmm process generates a core file and then automatically restarts.
Conditions:
-- AFM enabled.
-- sPVA-capable hardware platform.
-- Boot up or re-provision the system.
Impact:
Tmm crashes, coredumps, and then restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The race-condition has been fixed, so this issue no longer occurs.
Fixed Versions:
13.1.3.2, 14.1.0.2
747909-3 : GTPv2 MEI and Serving-Network fields decoded incorrectly
Links to More Info: BT747909
Component: Service Provider
Symptoms:
MEI and Serving-Network values obtained with the 'GTP::ie get' iRule command contain digits swapped in pairs, with the first digit missing and a random digit added at the end.
Conditions:
Processing GTP traffic with iRules.
Impact:
It is impossible to obtain the correct values of the MEI and Serving-Network fields of GTPv2 packets when processing them with iRules.
Workaround:
No workaround.
Fix:
Decoding of GTPv2 MEI and Serving-Network fields corrected.
Fixed Versions:
11.6.5.1, 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.0.6
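This entry and 749704-3 above both concern how the digits of the GTPv2 Serving Network IE (type 83) are packed. The following Python is an added illustration, not F5's iRule implementation and not part of this release note. It assumes the octet layout from 3GPP TS 29.274 (the page does not spell it out): MCC digit 2 | MCC digit 1, MNC digit 3 | MCC digit 3, MNC digit 2 | MNC digit 1, with 0xF as filler when the MNC has two digits. The naive decoder reproduces the "least significant MNC digit first" symptom from 749704-3; the correct one returns the ((MCC, MNC), trailing data) shape of the fixed command. Keeping a two-digit MNC as two digits is this example's choice, and the test vectors are constructed.

```python
FILLER = 0xF  # nibble value marking an absent third MNC digit


def _digit(nibble):
    """Validate a BCD nibble and return it as a character."""
    if nibble > 9:
        raise ValueError(f"invalid BCD digit nibble 0x{nibble:x}")
    return str(nibble)


def decode_serving_network(value):
    """Decode the value of a GTPv2 Serving Network IE (IE type 83).

    Octet layout assumed from 3GPP TS 29.274, high nibble first:
        octet 0: MCC digit 2 | MCC digit 1
        octet 1: MNC digit 3 | MCC digit 3
        octet 2: MNC digit 2 | MNC digit 1
    A two-digit MNC puts the filler 0xF in the 'MNC digit 3' nibble.
    Returns ((mcc, mnc), trailing), mirroring the {{<MCC> <MNC>} <optional data>}
    list shape described in entry 749704-3.
    """
    if len(value) < 3:
        raise ValueError("Serving Network IE value needs at least 3 octets")
    o0, o1, o2 = value[0], value[1], value[2]
    mcc = _digit(o0 & 0xF) + _digit(o0 >> 4) + _digit(o1 & 0xF)
    mnc = _digit(o2 & 0xF) + _digit(o2 >> 4)        # digits 1 and 2
    if (o1 >> 4) != FILLER:
        mnc += _digit(o1 >> 4)                       # digit 3, when present
    return (mcc, mnc), bytes(value[3:])


def decode_serving_network_naive(value):
    """The mistake described in 749704-3: reading the six nibbles in storage
    order (low nibble, then high nibble, per octet) without remapping them.
    The MCC comes out right, but the MNC's least significant digit is emitted
    before the other two."""
    nibbles = []
    for octet in value[:3]:
        nibbles += [octet & 0xF, octet >> 4]
    mcc = "".join(str(n) for n in nibbles[:3])
    mnc = "".join(str(n) for n in nibbles[3:] if n != FILLER)
    return (mcc, mnc), bytes(value[3:])


def encode_serving_network(mcc, mnc, trailing=b""):
    """Inverse of decode_serving_network; used here to build test vectors."""
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not (mcc + mnc).isdigit():
        raise ValueError("MCC must be 3 digits, MNC 2 or 3 digits")
    d = [int(c) for c in mcc]
    m = [int(c) for c in mnc] + ([FILLER] if len(mnc) == 2 else [])
    return bytes([(d[1] << 4) | d[0],
                  (m[2] << 4) | d[2],
                  (m[1] << 4) | m[0]]) + trailing


if __name__ == "__main__":
    # constructed sample: MCC 310, MNC 410
    sample = encode_serving_network("310", "410")
    print(decode_serving_network(sample), decode_serving_network_naive(sample))
```

The difference between the two decoders is only the nibble remapping; a unit test on a three-digit MNC (where digit 3 is not the filler) is what distinguishes them, which is why a two-digit MNC alone would not reveal the ordering bug.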
747907-1 : Persistence records leak while the high availability (HA) mirror connection is down
Links to More Info: BT747907
Component: Local Traffic Manager
Symptoms:
Memory might leak on the active unit while the high availability (HA) mirror connection is down.
Conditions:
-- A persistence type is configured that requires its state to be stored on the BIG-IP system.
-- Mirroring is configured on the persistence profile or the virtual server.
-- Mirror connection is down, for example, next active is down/offline/unavailable.
Impact:
Memory leak until the high availability (HA) mirror connection is up. Once mirror connection is up, the system releases the memory.
High CPU may also be observed, and may be more obvious than increased memory use.
Workaround:
-- Disable persistence while high availability (HA) mirror connection is down (e.g., performing maintenance).
-- Disable session mirroring for iRules.
-- Use a persistence type that does not require its state to be stored on the BIG-IP system.
-- Restore high availability (HA) connection.
Fix:
Persistence records no longer leak memory while the high availability (HA) mirror connection is down.
Fixed Versions:
13.1.3.2, 14.1.0.6
747905-1 : 'Illegal Query String Length' violation displays wrong length
Links to More Info: BT747905
Component: Application Security Manager
Symptoms:
When the system decodes a query string that exceeds the allowed query string length, the system reports the incorrect 'Illegal Query String Length' violation string length.
Conditions:
-- 'Illegal Query String Length' violation is encountered.
-- The query string is decoded and reported.
Impact:
The system reports the decoded character count rather than bytes. For example, for a Detected Query String Length = 3391, the system posts a Detected Query String Length = 1995.
Workaround:
None.
Fixed Versions:
13.1.1.4, 14.0.1.1
747777-1 : Extractions are learned in manual learning mode
Links to More Info: BT747777
Component: Application Security Manager
Symptoms:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"
Conditions:
Direct cause: Policy contains parameters with dynamic type
Indirect cause: Policy Builder is configured to classify parameters as dynamic (related to bug 717525)
Impact:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"
Workaround:
- Change all dynamic parameters value types to User Input with Alpha Numeric data type
- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').
Fix:
Policy Builder no longer sets extractions for dynamic parameters in manual mode.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
747725-2 : Kerberos Auth agent may override settings that were manually made to krb5.conf
Links to More Info: BT747725
Component: Access Policy Manager
Symptoms:
When apmd starts up, it can override settings in the krb5.conf file with those required by the Kerberos Auth agent.
Conditions:
- Kerberos Auth is configured in an Access Policy.
- The administrator manually changed the [realms] section for the configured realm in krb5.conf.
Impact:
The Kerberos Auth agent does not behave as the administrator expects given the manual changes.
Kerberos WebSSO may also be affected.
Workaround:
None
Fix:
After the fix, the configuration file changes are merged: the Kerberos Auth agent adds the lines it requires and does not override existing settings.
Fixed Versions:
12.1.4.1, 13.1.3, 14.1.2.5
747628-3 : BIG-IP sends spurious ICMP PMTU message to server
Links to More Info: BT747628
Component: Local Traffic Manager
Symptoms:
After negotiating an MSS in the TCP handshake, the BIG-IP system then sends an ICMP PMTU message because the packet is too large.
Conditions:
-- The server side allows timestamps and the client side does not negotiate them.
-- The client-side MTU is lower than the server-side MTU.
-- There is no ICMP message on the client-side connection.
Impact:
Unnecessary retransmission by server; suboptimal xfrag sizes (and possibly packet sizes).
Workaround:
Disable timestamps or proxy-mss on the server-side TCP profile.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.1
747621-2 : Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used
Links to More Info: BT747621
Component: Access Policy Manager
Symptoms:
Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used, e.g. RADIUS server performs two factor authentication.
Conditions:
1. Native VMware Horizon client is used to connect via APM.
2. RADIUS authentication agent is present in Access Policy.
3. RADIUS server asks for challenge response (e.g. 2FA).
Impact:
Authentication fails. User can't get access to VMware Horizon resources.
Workaround:
None.
Fix:
Fixed an issue that prevented the native VMware Horizon client from authenticating with a RADIUS challenge.
Fixed Versions:
13.1.1.4, 14.0.0.5
747617-1 : TMM core when processing invalid timer
Links to More Info: BT747617
Component: Local Traffic Manager
Symptoms:
TMM crashes while processing an SSLO iRule that enables the SSL filter on an aborted flow.
Conditions:
SSLO is configured and passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround
Fix:
SSL filter will no longer be enabled after connection close.
Fixed Versions:
12.1.5.2, 13.1.1.5, 14.0.1.1, 14.1.0.2
747592-2 : PHP vulnerability CVE-2018-17082
Component: TMOS
Symptoms:
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
Conditions:
This vulnerability does not require authentication and can be exploited via a POST request. Because of the 'Transfer-Encoding: Chunked' header, PHP echoes the request body as the response.
Impact:
F5 products are not affected by this vulnerability. The actual impact of this vulnerability is a possible XSS attack.
Workaround:
No known workaround.
Fix:
The bucket brigade may end up in an inconsistent state if something fails during shutdown, so it is now cleaned up.
Fixed Versions:
11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1
747585-2 : TCP Analytics supports ANY protocol number
Links to More Info: BT747585
Component: Local Traffic Manager
Symptoms:
No TCP analytics data is collected for an ANY virtual server.
Conditions:
1. Provision AVR
2. Create a FastL4 virtual server that accepts all protocols (protocol ANY).
3. Attach a TCP Analytics profile
4. Try to run UDP traffic through it.
Impact:
No TCP analytics data is collected for TCP flows when a virtual server's protocol number is ANY.
Workaround:
There is no workaround at this time.
Fix:
TCP analytics now supports both the ANY and TCP protocol numbers and collects analytics for TCP flows if the virtual server's protocol number is ANY or TCP.
Fixed Versions:
12.1.5, 13.1.3.4, 14.1.2.1
747560-3 : ASM REST: Unable to download Whitehat vulnerabilities
Links to More Info: BT747560
Component: Application Security Manager
Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.
Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.
Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided; they must be downloaded manually, or the GUI must be used.
Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.
Fix:
The REST endpoint for importing Scanner Vulnerabilities for the Whitehat Scanner now correctly downloads the vulnerability file automatically when no file is provided.
Fixed Versions:
12.1.5.1, 13.1.3, 14.1.0.6
747550-1 : Error 'This Logout URL already exists!' when updating logout page via GUI
Links to More Info: BT747550
Component: Application Security Manager
Symptoms:
When you try to update the Logout Page, you get an error about the URL's existence: 'This Logout URL already exists!'
Conditions:
1. Create any Logout page.
2. Try to update it.
Impact:
The properties of the Logout Page cannot be updated.
Workaround:
Delete the logout page and create a new one.
Fix:
This release addresses the issue, so that no error is reported when updating the Logout Page.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
747234-4 : Macro policy does not find corresponding access-profile directly
Links to More Info: BT747234
Component: Access Policy Manager
Symptoms:
The discovery task runs but does not apply the access policy for which the Provider is configured.
Conditions:
-- Auto-discovery is enabled for a provider.
-- Discovery occurs.
Impact:
The Access Policy is not applied after successful auto-discovery. The policy must be applied manually.
Workaround:
Apply the Access Policy manually after auto-discovery.
Fix:
Fixed an issue with not automatically applying the access policy after discovery.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
747203-4 : Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding
Links to More Info: BT747203
Component: TMOS
Symptoms:
-- SYN/ACK packets arriving on a tunnel fail to be matched to an existing flow followed by a RST issued by the BIG-IP system.
-- The BIG-IP system reports 'no flow found'.
-- MAC addresses can contain random values, or fe:fe:fe:fe:fe:fe.
Conditions:
-- Using IKEv2 with both NAT-T and interface mode.
-- The BIG-IP is configured to use several tmm instances.
-- The combination of IP addresses and port numbers results in distributing the legs of processing one flow across several tmm instances.
Impact:
NATT/ESP tunnel flows can end with a RST reset.
Workaround:
None.
Fix:
In the ESP proxy, the system now clears a bit in the packet meta-information related to forwarding, so a decrypted packet such as a SYN/ACK can reach the last tmm needed.
Fixed Versions:
13.1.3.2, 15.0.1.3
747192-2 : Small memory leak while creating Access Policy items
Links to More Info: BT747192
Component: Access Policy Manager
Symptoms:
Memory slowly leaks for every access policy item added: 32 + 80 bytes for each item.
Conditions:
The leak occurs while creating new policy items in Access.
Impact:
After a long uptime interval, mcpd may crash due to lack of memory.
Workaround:
Restart mcpd periodically if you modify Access policies frequently by adding or deleting policy items.
Fix:
The leak has been fixed by clearing the leaked objects.
Fixed Versions:
12.1.4.1, 13.1.3.4
747187-3 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response
Links to More Info: BT747187
Component: Service Provider
Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.
Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.
Impact:
Media does not flow on pinholes for which a collision was detected and reported.
Workaround:
None
Fix:
No collision is detected or logged when multiple messages with SDP recreate the same flows in the same call.
Fixed Versions:
12.1.5.2, 13.1.1.5, 14.0.1.1, 14.1.0.2
747104-3 : LibSSH: CVE-2018-10933
Links to More Info: K52868493 , BT747104
Component: Advanced Firewall Manager
Symptoms:
For more information see: https://support.f5.com/csp/article/K52868493
Conditions:
For more information see: https://support.f5.com/csp/article/K52868493
Impact:
For more information see: https://support.f5.com/csp/article/K52868493
Fix:
For more information see: https://support.f5.com/csp/article/K52868493
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.1.0.2
747099-1 : AWS Cloud VE instance cannot connect to the metadata server to obtain licensing details.
Links to More Info: BT747099
Component: TMOS
Symptoms:
After booting BIG-IP Virtual Edition (VE) in AWS, the device reports being unlicensed and does not pass traffic.
The following chmand errors are visible in the logs:
Curl request to metadata service failed with error(28): 'Timeout was reached'
DossierReq exception: VirtDossier Service: Instance identity retrieval from the metadata failed. Check network connectivity to the instance metadata before retrying
/var/log/kern.log contains error messages:
kernel: [ 47.261935] VF could not set VLAN 1
kernel: [ 47.269080] ixgbevf 0000:00:03.0 eth0: failed to initialize vlan filtering on this port
Conditions:
-- VE in AWS cloud
-- Single NIC configuration
-- Intel ixgbevf NIC driver
-- BIG-IP v13.1.3.3
Impact:
BIG-IP boots into an unlicensed state and does not pass traffic.
Workaround:
None
Fix:
VE can now communicate with the metadata server.
Fixed Versions:
13.1.3.4
747077-1 : Potential crash in TMM when updating pool members
Links to More Info: BT747077
Component: Local Traffic Manager
Symptoms:
In very rare cases, TMM can crash while updating pool members.
Conditions:
The conditions that lead to this are not known.
Impact:
TMM crashes, which can cause a failover or outage.
Workaround:
There is no workaround.
Fix:
TMM no longer crashes when updating a pool member.
Fixed Versions:
13.1.3.6
747065-3 : PEM iRule burst of session ADDs leads to missing sessions
Links to More Info: BT747065
Component: Policy Enforcement Manager
Symptoms:
Some PEM sessions that were originally added, later disappear and cannot be added back.
Conditions:
-- Subscriber addition is done by iRule on UDP virtual servers.
-- The sessions are added in a burst.
-- A small fraction of such sessions cannot be added back after deletion.
Impact:
Policies available in the missing session cannot be accessed.
Workaround:
Add a delay of at least a few milliseconds between adding multiple sessions with the same subscriber-id and IP address.
Fix:
The release handles the issue that prevented the addition of the new subscriber. Now, even after the bursts of iRule additions, no re-additions fail.
Fixed Versions:
13.1.3.2
746941 : Memory leak in avrd when BIG-IQ fails to receive stats information
Links to More Info: BT746941
Component: Application Visibility and Reporting
Symptoms:
There is an avrd memory leak when it fails to send BIG-IP statistical information to BIG-IQ.
Error messages may appear in the avrd.log file in /var/log/avr:
EXTERNAL_MESSAGES|ERROR|Mar 07 10:10:10.10|10|lib/avrpublisher/infrastructure/avr_http_connection.cpp:0129| (skipped 16 msgs) Can't insert messages to queue - some external log will be lost!
Conditions:
-- BIG-IP is used by BIG-IQ version 6.0.0 or higher.
-- Stats collection is enabled.
-- There is a malfunction in BIG-IQ that prevents it from receiving statistical information that BIG-IP sends (e.g., all data collection devices (DCDs) are down, or there is no network connection between BIG-IP and BIG-IQ systems).
Impact:
The avrd process' memory usage increases over time, leading to avrd restart when usage is too large, and/or avrd usage may starve other control-plane processes of memory. The AVR-related functionality is unavailable while avrd restarts.
Workaround:
Correct connectivity issues between BIG-IP and BIG-IQ.
This correction should be made not only to prevent this memory leak, but for more important functionality, such as visibility and alerts features in BIG-IQ.
Fix:
The avrd process no longer leaks memory under these conditions.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
746922-4 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
Links to More Info: BT746922
Component: Local Traffic Manager
Symptoms:
When a routing entity belonging to the child route domain searches for an egress point for a traffic flow, it first searches for a routing entry in the child domain; if nothing is found, it searches the parent route domain and returns the best routing entry found.
If the best routing entry from the parent route domain is selected, it is held by the routing entity and used to forward the traffic flow. If a new route entry is later added to the child route domain's routing table, that entry might be better than the previously selected one. However, the previously selected entry is not invalidated, so the routing entity holding it keeps forwarding traffic to a less-preferable egress point.
Example:
RD0 (parent) -> RD1 (child)
Routing table: the default gateway for RD0 is 0.0.0.0/0%0.
The pool member is 1.1.1.1/32%1.
The pool member searches for the best egress point, finds nothing in the routing table for route domain 1, and then finds a routing entry from the parent route domain: 0.0.0.0/0%0.
Later, a new gateway for RD1 is added (0.0.0.0/0%1), which is preferable for the 1.1.1.1/32%1 pool member. The 0.0.0.0/0%0 entry should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, in this case 0.0.0.0/0%1.
Conditions:
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. New routing entry for child route domain is added.
Impact:
If a new added route is preferable to an existing one in a different route domain, the new, preferable, route is not going to be used by a routing object that has previously selected a route. Thus, traffic flows through these routing objects to an unexpected/incorrect egress point. This might result in undesirable behavior:
-- The route might be unreachable, and all traffic for a specific pool member is dropped.
-- The virtual server cannot find an available SNAT address.
-- Simply, the wrong egress interface is being used.
Workaround:
Use either of these workarounds after a new route in the child domain is added.
-- Recreate a route.
Recreate a parent route domain's routes. Restart tmrouted daemon if routes are gathered via routing protocols.
-- Recreate a routing object.
- If a pool member is affected, recreate the pool member.
- If a SNAT pool list is affected, recreate it.
- And so on.
Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table.
Fixed Versions:
12.1.4.1, 13.1.3, 14.0.1.1, 14.1.2.7
746877-3 : Omitted check for success of memory allocation for DNSSEC resource record
Links to More Info: BT746877
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.
Conditions:
During memory stress while handling DNSSEC traffic.
Impact:
TMM panic and subsequent interruption of network traffic.
Workaround:
Keeping the workload within normal ranges reduces the probability of encountering this issue.
Fix:
The system now checks for success of memory allocation for DNSSEC resource record, so this issue no longer occurs.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
746823 : AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members
Links to More Info: BT746823
Component: Application Visibility and Reporting
Symptoms:
In a configuration where AVR is set to send telemetry data to an external destination (such as a connection with BIG-IQ) and there is a large number of config objects in the system, such as virtual servers and pool members, AVRD crashes constantly.
Conditions:
1. AVR is set to send telemetry data to an external destination (such as a connection with BIG-IQ).
2. There is a large number of config objects in the system, such as virtual servers and pool members.
Impact:
AVRD process is crashing and telemetry data is not collected.
Workaround:
N/A
Fix:
The issue is fixed; AVR can handle any number of virtual servers and pool members when sending its telemetry.
Fixed Versions:
13.1.1.4, 14.0.0.5
746771-1 : APMD recreates config snapshots for all access profiles every minute
Links to More Info: BT746771
Component: Access Policy Manager
Symptoms:
When the access profile configurations in APMD and MCPD are out of sync, APMD detects that the config snapshot for one access profile is missing. This triggers APMD to recreate the config snapshots for all access profiles. The detect-recreate cycle repeats every minute, posting log messages:
-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
...
-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
Conditions:
The conditions under which the access profile configurations in APMD and MCPD become out of sync are unknown.
Impact:
TMM memory usage increases due to excessive config snapshots being created.
Workaround:
Restart APMD to clear the APMD and MCPD out-of-sync condition.
Fix:
This issue has been fixed.
Fixed Versions:
13.1.1.4, 14.1.0.2
746768-1 : APMD leaks memory if access policy contains variable/resource assign policy items
Links to More Info: BT746768
Component: Access Policy Manager
Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.
Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.
Impact:
APMD's memory footprint will increase whenever the access policy is applied.
Workaround:
There is no workaround.
Fix:
Memory growth has been addressed.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.1.2.1
746731-3 : BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
Links to More Info: BT746731
Component: Service Provider
Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.
Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Firmware-Revision AVP.
Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.
Workaround:
Configure an iRule in the MRF transport-config, for example:
ltm rule workaround {
    when DIAMETER_EGRESS {
        # On the server side, clear all flags (including the Mandatory bit)
        # of the Firmware-Revision AVP (code 267) in Capabilities-Exchange-Request messages (command code 257)
        if { [serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 267 0
        }
    }
}
Fix:
This release always clears the Mandatory bit for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.
Fixed Versions:
13.1.3.4, 14.1.2.7
746710-2 : Use of HTTP::cookie after HTTP::disable causes TMM core
Links to More Info: BT746710
Component: Local Traffic Manager
Symptoms:
When an iRule disables HTTP with HTTP::disable, subsequent use of HTTP::cookie for that request causes a TMM core dump.
Conditions:
1) An HTTP profile is configured on the virtual server.
2) HTTP::disable is called on the request.
3) HTTP::cookie is then called on that request.
Impact:
Use of iRules in the above-mentioned order results in a TMM core. Traffic is disrupted while tmm restarts.
Workaround:
Do not call HTTP::cookie on requests that have had HTTP disabled by HTTP::disable.
Fixed Versions:
13.1.3, 14.1.2.1
746704-1 : Syslog-ng Memory Leak
Links to More Info: BT746704
Component: TMOS
Symptoms:
After a long uptime (almost a year) syslog-ng had consumed 1.1G of virtual memory on BIG-IP.
Conditions:
Memory leaks when syslog-ng handles repeated SIGHUP signals.
Impact:
Minimal. This is a leak of virtual memory. If syslog-ng does not read or write to this memory, it will not consume physical memory.
Workaround:
Run this command once a month:
service syslog-ng restart
Fixed Versions:
13.1.3.5, 14.1.2.8
746348-1 : On rare occasions, gtmd fails to process probe responses originating from the same system.
Links to More Info: BT746348
Component: Global Traffic Manager (DNS)
Symptoms:
On rare occasions, some resources are marked 'unavailable', with a reason of 'big3d: timed out' because gtmd fails to process some probe responses sent by the instance of big3d that is running on the same BIG-IP system.
Conditions:
The monitor response from big3d sent to the gtmd on the same device is being lost. Monitor responses sent to other gtmds are sent without issue. The conditions under which this occurs have not been identified.
Impact:
Some resources are marked 'unavailable' on the affected BIG-IP system, while the other BIG-IP systems in the sync group mark the resource as 'available'.
Workaround:
Restart gtmd on the affected BIG-IP system.
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.2
746266-1 : A vCMP guest VLAN MAC mismatch across blades.
Links to More Info: BT746266
Component: TMOS
Symptoms:
The vCMP guests running on blades in a single chassis report different MAC addresses on a single VLAN upon host reboot for the vCMP guest.
Conditions:
This issue may be seen when all of the following conditions are met:
-- One or more blades are turned off completely via AOM.
-- There are two VLANs.
-- You deploy a multi-slot guest with the lexicographically higher VLAN, and assign the lower VLAN to the guest.
-- Reboot the host.
Impact:
Incorrect MAC addresses are reported by some blades.
Workaround:
None.
Fix:
There is no longer a vCMP guest VLAN MAC mismatch across blades under these conditions.
Fixed Versions:
12.1.5, 13.1.3, 14.1.2.3
746146-2 : AVRD can crash with core when disconnecting/reconnecting on HTTPS connection
Links to More Info: BT746146
Component: Application Security Manager
Symptoms:
AVRD crashes repeatedly when the BIG-IP system is configured to work with BIG-IQ.
Conditions:
-- BIG-IP system is connected to BIG-IQ.
-- Disconnecting/reconnecting on HTTPS connection.
Impact:
Statistics collection is unstable: some stats data are lost during the avrd crash.
Workaround:
None.
Fix:
The object associated with the HTTPS connection was deleted before the last event on this connection arrived. Object deletion is now deferred, so this issue no longer occurs.
Fixed Versions:
13.1.1.5
746077-1 : If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified
Links to More Info: BT746077
Component: Local Traffic Manager
Symptoms:
DHCP-RELAY overwrites the 'giaddr' field containing a non-zero value. This violates RFC 1542.
Conditions:
DHCP-RELAY is processing a message with the 'giaddr' field containing a non-zero value.
Impact:
RFC 1542 violation.
Workaround:
None.
Fix:
DHCP-RELAY no longer overwrites the 'giaddr' field containing a non-zero value.
Fixed Versions:
12.1.5.3, 13.1.1.5, 14.1.2.5
745923-4 : Connection flow collision can cause packets to be sent with source and/or destination port 0
Links to More Info: BT745923
Component: Local Traffic Manager
Symptoms:
Symptoms vary based on the traffic impacted:
-- A virtual server may reset a connection with the source and/or destination port set to 0 when the client sends an ACK after a 4-way close.
-- UDP traffic to a virtual server with a UDP profile that has immediate timeout or datagram load-balancing configured can collide with existing connections and be incorrectly sent with source and/or destination port 0.
Conditions:
-- Conditions to trigger this issue with TCP traffic:
- 3-way handshake initiated by client to virtual server.
- Client actively closing the connection - 4-way close.
- Client continues to send ACK after 4-way close.
-- Conditions to trigger this issue with UDP traffic:
- UDP profile has timeout immediate configured or datagram load-balancing.
- UDP packet arrives that matches an expiring but still-present connection.
-- Provisioned for AFM.
Impact:
Virtual server performs an incorrect reset with source or destination port 0, or UDP proxy traffic is sent incorrectly with source and/or destination port 0.
Workaround:
None.
Fix:
Connection flow collision no longer causes packets to be sent from source port 0.
Fixed Versions:
13.1.3.5, 14.1.2.5, 15.0.1.4
745825-3 : The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading
Links to More Info: BT745825
Component: TMOS
Symptoms:
This message may be logged while the audit_forwarder is loading the configuration:
audit_forwarder is disabled as the configuration is incomplete. Please define the following db variables: config.auditing.forward.sharedsecret, config.auditing.forward.destination and config.auditing.forward.type. And make sure config.auditing.forward.destination is not set to "::".
These DB variables may all be actually configured correctly, but since the configuration has not loaded yet this message may be logged multiple times.
Conditions:
The audit_forwarder process is starting up and loading the configuration.
Impact:
Confusing error messages in /var/log/ltm. Logging will still work as configured.
Workaround:
There is no workaround.
Fix:
The message has been modified to indicate that the configuration may still be loading. The message is now logged only once. A new message is logged indicating when audit_forwarder is enabled.
Fixed Versions:
13.1.3.2, 14.1.0.2
745809 : The /var partition may become 100% full, requiring manual intervention to clear space
Links to More Info: BT745809
Component: TMOS
Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free
Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.
Conditions:
Process traffic while DoS Dashboard is open on multi-blade VIPRION systems.
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.
Workaround:
This workaround is temporary in nature, and may need to be performed periodically, either manually or from a script. While these steps are performed, the BIG-IP REST API is temporarily inaccessible, and higher disk IO may be seen.
Run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.
Fix:
The system deletes all Zip files in the REST root directory so that the partition-full condition no longer occurs.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.6
745802-3 : Brute Force CAPTCHA response page truncates last digit in the support id
Links to More Info: BT745802
Component: Application Security Manager
Symptoms:
Brute Force CAPTCHA response page shown to an end-user has a support id and the last digit is truncated.
Conditions:
- ASM Provisioned
- ASM policy attached to a virtual server
- ASM Brute Force Protection enabled in the asm policy
- ASM Brute Force sends captcha mitigation page when a website is under brute force attack.
Impact:
The support ID presented to an end-user does not match the one shown in the ASM logs.
Workaround:
There is no workaround at this time.
Fix:
The correct support ID is now shown in the CAPTCHA response page.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.2.1
745783-3 : Anti-fraud: remote logging of login attempts
Links to More Info: BT745783
Component: Fraud Protection Services
Symptoms:
There is no support for logging of login attempts to a remote service.
Conditions:
Using high speed logging (HSL) to log login attempts.
Impact:
There is no support for logging of login attempts.
Workaround:
None.
Fix:
FPS now uses HSL to report login attempts using configured templates, rate-limit, and publisher to a remote service.
To enable this feature:
# via tmsh only
tmsh modify sys db antifraud.riskengine.reportlogins value enable
# via tmsh or GUI
tmsh modify sys db antifraud.internalconfig.string1 value "<login attempt log template>"
tmsh modify sys db antifraud.internalconfig.string2 value "<log-rate-exceeded log template>"
tmsh modify sys db antifraud.internalconfig.number1 value "<log-rate-exceeded threshold>"
tmsh modify security anti-fraud profile <fps profile> risk-engine-publisher <publisher>
It is recommended that you use encoding when composing an HTTP template. The default encoding level is 0, meaning 'never encode'.
To change encoding level:
tmsh modify sys db antifraud.internalconfig.number2 value <0/1/2>
Behavior Change:
FPS now includes the ability to perform High Speed Logging (HSL) of all login attempts to specific protected URLs. These events can be forwarded to remote services (e.g. SIEM Server), and, when enabled, can help indicate whether applications are under attack.
Fixed Versions:
13.1.1.3, 14.1.0.3
745733-1 : TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup
Links to More Info: BT745733
Component: Traffic Classification Engine
Symptoms:
The TMSH command "tmsh show ltm urlcat-query" does not perform a cloud lookup when there is no entry in the local database.
Conditions:
- TMSH command "show ltm urlcat-query abc.com" is executed.
- abc.com does not have an entry in the local webroot database.
Impact:
- Cloud lookup is not executed for unknown URL entries.
Fix:
The "tmsh show ltm urlcat-query" command now performs a cloud lookup when there is no entry in the local database.
Fixed Versions:
13.1.3.5, 14.1.0.2
745682-2 : Failed to parse X-Forwarded-For header in HTTP requests
Links to More Info: BT745682
Component: Local Traffic Manager
Symptoms:
Failed to parse X-Forwarded-For header. This results in failure when extracting proper values in DOSL7.
Conditions:
-- 'Accept XFF' is enabled in HTTP profile. HTTP profile is added to the virtual server.
-- A Bot Defense profile is added to the virtual server.
-- HTTP request contains 'X-Forwarded-For' header.
Impact:
DOSL7 does not receive the proper values for X-Forwarded-For.
Workaround:
None.
Fix:
DOSL7 now receives the correct value under these conditions.
Fixed Versions:
13.1.3.6, 14.1.3.1
745663-2 : During traffic forwarding, nexthop data may be missed at large packet split
Links to More Info: BT745663
Component: Local Traffic Manager
Symptoms:
When splitting large packets, nexthop data is used for the first small packet but is missing from subsequent packets.
Conditions:
Forwarding of a host LRO packet (e.g., FTP data channel).
Impact:
Heavy packet loss, re-transmissions, and delays.
Workaround:
None.
Fix:
Transmission time is now relatively consistent and there is no significant packet loss or delay.
Fixed Versions:
13.1.3.5, 14.1.2.8
745654-2 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
Links to More Info: BT745654
Component: Access Policy Manager
Symptoms:
When there are many TCP connections that need a new Kerberos ticket to be fetched from the KDC, websso processes requests more slowly than they arrive. This can lead to low throughput, and the virtual server is very slow to respond to requests.
Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.
Impact:
Low throughput and slow responses from Virtual server.
Workaround:
There is no workaround at this time.
Fix:
Increased the size of the websso worker queue so that tmm and the websso process can communicate effectively. This eliminates the virtual server slowness and hence increases throughput.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2
745628-3 : MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
Links to More Info: BT745628
Component: Service Provider
Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALG with SNAT after a NOTIFY message has been processed.
Conditions:
This occurs because the NOTIFY message has the TO and FROM headers with the same value, causing the ALG to enter hairpin mode.
Impact:
Media addresses in the SDP payload are not translated.
Workaround:
There is no workaround.
Fix:
Hairpin mode is not entered when processing NOTIFY messages.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.2
745600-3 : Tmm crash and core using iRule
Links to More Info: BT745600
Component: Access Policy Manager
Symptoms:
Using the iRule function access_session_create_cmd() while session creation is in progress sets an internal timer to fire after 1000 msec. If the connflow is deleted or removed in the interim, an internal inconsistency occurs, so when that timer fires, tmm restarts and generates a core.
Conditions:
-- Creating access session using iRule.
-- The session connection is deleted or removed.
-- The 1000 msec interval passes, and the timer attempts to fire.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The issue no longer occurs, as the internal inconsistency is now prevented.
Fixed Versions:
13.1.3
745574-3 : URL is not removed from custom category when deleted
Links to More Info: BT745574
Component: Access Policy Manager
Symptoms:
When an administrator deletes a URL from a custom category, it should be removed from the category and no longer matched against that category. In certain cases, the URL is not removed effectively.
Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.
Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.
Workaround:
"bigstart restart tmm" will resolve the issue.
Fix:
Made sure that the deletion takes effect properly and SSL traffic is no longer miscategorized after removal of the URL from the custom category.
Fixed Versions:
12.1.4, 13.1.1.4, 14.0.0.5, 14.1.0.6
745533-4 : NodeJS Vulnerability: CVE-2016-5325
Component: Local Traffic Manager
Symptoms:
It was found that the reason argument in ServerResponse#writeHead() was not properly validated.
Conditions:
iRules LX is running at the BIG-IP.
Impact:
A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request.
Workaround:
N/A.
Fix:
NodeJS updated with the patch for CVE-2016-5325.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
745531-1 : Puffin Browser gets blocked by Bot Defense
Links to More Info: BT745531
Component: Application Security Manager
Symptoms:
Users using the Puffin Browser are blocked when accessing the Virtual Server when it is protected with either Proactive Bot Defense (within DoSL7 profile) or with the Bot Defense profile.
This applies to all versions of the Puffin Browser: Desktop, Android, iOS.
Conditions:
- Users using the Puffin Browser on Desktop, Android, iOS
- Bot Defense Profile, or: DoSL7 profile with Proactive Bot Defense is used while the "Block Suspicious Browsers" checkbox is enabled
Impact:
Users of the Puffin Browser cannot access the website.
Workaround:
None
Fix:
Users of the Puffin Browser can now access the website that is protected by Bot Defense without getting blocked.
For the fix to be applied, both BIG-IP Release and ASU must be installed which contain the fix. Also, it is recommended to enable the following DB variables:
tmsh modify sys db dosl7.proactive_defense_validate_ip value disable
tmsh modify sys db dosl7.cs_validate_ip value disable
Fixed Versions:
13.1.1.4, 14.1.0.2
745514-3 : MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
Links to More Info: BT745514
Component: Service Provider
Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALG with SNAT after a SUBSCRIBE message has been processed.
Conditions:
This occurs because the SUBSCRIBE message has the TO and FROM headers with the same value, causing the ALG to enter hairpin mode.
Impact:
Media addresses in the SDP payload are not translated.
Workaround:
There is no workaround.
Fix:
Hairpin mode is not entered when processing SUBSCRIBE messages.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.0.2
745465-3 : The tcpdump file does not provide the correct extension
Links to More Info: BT745465
Component: TMOS
Symptoms:
The output file from tcpdump generation is named support.tcpdump even though it is a compressed file.
Conditions:
Whenever tcpdump is generated and downloaded.
Impact:
You must rename the file with the correct file extension and then decompress it to access the .dmp files.
Workaround:
Rename the downloaded file from support.tcpdump to <filename>.tar.gz and decompress it.
Fix:
File name changed to support.tcpdump.tar.gz.
Behavior Change:
The tcpdump file has a different name and file extension - support.tcpdump.tar.gz
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
745404-2 : MRF SIP ALG does not reparse SDP payload if replaced
Links to More Info: BT745404
Component: Service Provider
Symptoms:
When a SIP message is loaded, the SDP is parsed. If modified or replaced, the system does not reparse the modified payload.
Conditions:
This occurs internally while processing SDP in a SIP message.
Impact:
Changes to the SDP are ignored when creating media pinhole flows
Workaround:
None.
Fix:
The SDP payload is now reparsed if modified or replaced.
Fixed Versions:
12.1.5.2, 13.1.3, 14.0.1.1, 14.1.0.2
745397-3 : Virtual server configured with FIX profile can leak memory.
Links to More Info: BT745397
Component: Service Provider
Symptoms:
System memory usage increases with each transmitted FIX message, eventually leading to a tmm crash.
Conditions:
-- Virtual server configured with a FIX profile.
-- FIX profile specifies a message-log-publisher.
Impact:
Memory leak. Specifically, in the xdata cache. Potential traffic disruption while tmm restarts.
Workaround:
If possible, discontinue use of message logging functionality. Removing the message-log-publisher from the FIX profile stops xdata growth.
Fixed Versions:
13.1.3.4
745261-1 : The TMM process may crash in some tunnel cases
Links to More Info: BT745261
Component: TMOS
Symptoms:
When Direct Server Return (DSR) or asymmetric routing with a tunnel is deployed, the TMM process may crash.
Conditions:
There are two scenarios that may lead to this issue:
Scenario 1: DSR
- DSR is deployed.
Scenario 2: Asymmetric routing
- The sys db variable connection.vlankeyed is set to 'disable'.
- A VLAN and a tunnel are used to handle asymmetric routing.
Impact:
The TMM process crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The TMM process no longer crashes.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8
745027 : AVR is doing extra activity of DNS data collection even when it should not
Links to More Info: BT745027
Component: Application Visibility and Reporting
Symptoms:
When collecting DNS data, AVR generates data that is used only for BIG-IQ, even if not connected to BIG-IQ.
Conditions:
DNS Statistics collection or DNS-DoS is configured.
Impact:
The avrd process consumes more CPU cycles for activity that is not needed. There is no impact to functionality.
Workaround:
None.
Fix:
The system no longer performs extra computation that is not needed in this case.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
744959-1 : SNMP OID for sysLsnPoolStatTotal not incremented in stats
Links to More Info: BT744959
Component: Carrier-Grade NAT
Symptoms:
SNMP OID for sysLsnPoolStatTotal is not incremented in stats totals.
Conditions:
This affects all of the global port block allocation (PBA) counters.
Impact:
SNMP OID for sysLsnPoolStatTotal is not incremented when it should be. Stats are not accurate.
Workaround:
None.
Fix:
SNMP OID for sysLsnPoolStatTotal is now incremented in stats totals.
Fixed Versions:
12.1.4.1, 13.1.1.4
744949-3 : MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix
Links to More Info: BT744949
Component: Service Provider
Symptoms:
SIP response messages have the wrong IP address in the FROM header when using NAT64.
Conditions:
If the client's IPv6 address does not match the virtual server's configured IPv6 prefix, the FROM header on a response message will have a different IP address than the request message.
Impact:
The SIP ALG with SNAT system will be unable to establish a call for the client.
Workaround:
There is no workaround at this time.
Fix:
The FROM header will now contain the client's IP address.
Fixed Versions:
13.1.1.5, 14.0.1.1, 14.1.0.2
744937-9 : BIG-IP DNS and GTM DNSSEC security exposure
Links to More Info: K00724442 , BT744937
Component: Global Traffic Manager (DNS)
Symptoms:
For more information please see: https://support.f5.com/csp/article/K00724442
Conditions:
For more information please see: https://support.f5.com/csp/article/K00724442
Impact:
For more information please see: https://support.f5.com/csp/article/K00724442
Workaround:
None.
Fix:
For more information please see: https://support.f5.com/csp/article/K00724442
Behavior Change:
Note: After installing a version of the software that includes the fix for this issue, you must set the following db variables:
-- dnssec.nsec3apextypesbitmap
-- dnssec.nsec3underapextypesbitmap.
These two db variables are used globally (i.e., not per-DNSSEC zone) to configure the NSEC3 types bitmap returned in one-off NODATA responses for apex and under-apex responses, respectively.
When the BIG-IP system is queried for a DNS name in which the DNS name exists and is not of the RR type requested, the NSEC3 types bitmap on the response reflects what you configure for the db variable, minus the queried-for type.
When using these variables:
-- Configure type values as all lowercase.
-- Enclose multiple types in quotation marks (e.g., "txt rrsig").
-- Understand that there is likely no need to change the apex type setting; do so with extreme care. The under-apex settings are what you will find helpful in addressing the negative caching issue.
Fixed Versions:
11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
744707-4 : Crash related to DNSSEC key rollover
Links to More Info: BT744707
Component: Global Traffic Manager (DNS)
Symptoms:
When running out of memory, a DNSKEY rollover event might cause a tmm crash and core dump.
Conditions:
-- System has low memory or is out of memory.
-- DNSKEY rollover event occurs.
Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
Fix:
Fixed an issue in DNSSEC Key Rollover event that could cause a crash.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.6
744685-1 : BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension
Links to More Info: BT744685
Component: Local Traffic Manager
Symptoms:
An intermediate CA certificate should be considered invalid if the certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension. The BIG-IP system does not enforce this.
Conditions:
The SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop.
Impact:
The system might unexpectedly accept the SSL connection while the peer is using an inappropriate certificate.
Workaround:
None.
Fix:
With this fix, if the SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the SSL handshake if the peer's CA certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension.
Behavior Change:
When authenticating a peer's SSL certificate, the system requires a CA certificate to have the 'Basic Constraints' and 'CA:True' in its extension, like this:
X509v3 Basic Constraints: critical
CA:TRUE
If an SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the handshake if the peer's CA certificate does not satisfy this requirement.
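As an added example (not F5's code), this Go program builds constructed test certificates with the standard library and applies the requirement described above: a CA certificate is acceptable only if its Basic Constraints extension is present, marked critical, and asserts CA:TRUE. The function names IsAcceptableCA and makeSelfSigned are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidBasicConstraints is the X.509 id-ce-basicConstraints extension OID (2.5.29.19).
var oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}

// IsAcceptableCA reports whether cert would pass the check described in the
// Behavior Change above: Basic Constraints must be present, critical, and CA:TRUE.
func IsAcceptableCA(cert *x509.Certificate) bool {
	// BasicConstraintsValid is false when the extension is absent entirely.
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return false
	}
	// Go does not expose the criticality flag directly, so locate the raw
	// extension and check its Critical bit.
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidBasicConstraints) {
			return ext.Critical
		}
	}
	return false
}

// makeSelfSigned builds a throwaway self-signed certificate (constructed test
// data, not a real CA) with or without a Basic Constraints extension and with
// the given CA flag. Go marks the Basic Constraints extension critical when
// BasicConstraintsValid is set.
func makeSelfSigned(withBasicConstraints, isCA bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-intermediate"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: withBasicConstraints,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		name        string
		withBC, isCA bool
	}{
		{"Basic Constraints critical, CA:TRUE", true, true},
		{"Basic Constraints critical, CA:FALSE", true, false},
		{"no Basic Constraints extension", false, false},
	}
	for _, c := range cases {
		cert, err := makeSelfSigned(c.withBC, c.isCA)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("%-40s accepted as CA: %v\n", c.name, IsAcceptableCA(cert))
	}
}
```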
Fixed Versions:
13.1.1.4, 14.0.1.1, 14.1.0.2
744595-1 : DoS-related reports might not contain some of the activity that took place
Links to More Info: BT744595
Component: Application Visibility and Reporting
Symptoms:
Occasionally, some telemetry data of DoS related activity is lost.
Conditions:
No specific condition other than using the BIG-IP system anti-DDoS feature.
Impact:
DoS related reports might not contain some of the activity that takes place.
Workaround:
None.
Fix:
Issue was fixed, all telemetry data is collected without errors.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
744589-1 : Missing data for Firewall Events Statistics
Links to More Info: BT744589
Component: Application Visibility and Reporting
Symptoms:
Some of the statistical information collected for Firewall events is lost and not reported.
When this takes place, the following message appears in the avrd log:
Some rows of load_stat_firewall_events_<some number> not loaded
Conditions:
AFM is used. There is no particular condition that leads to losing some of the stats; it usually takes place under heavy activity.
Impact:
Statistical reports of Firewall Events are missing some of the activity that actually took place.
Workaround:
There is no workaround at this time.
Fix:
Issue with missing data was fixed.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
744556-1 : Upgrade PingAccess SDK used by BIG-IP APM to v1.1.3
Links to More Info: K01226413 , BT744556
Component: Access Policy Manager
Symptoms:
Upgrading PingAccess SDK from v1.0.0 to v1.1.3
Conditions:
The SDK is upgraded during system upgrade.
Impact:
BIG-IP APM will internally use PingAccess SDK v1.1.3 when interacting with PingAccess servers.
Workaround:
Not Applicable.
Fix:
Upgraded PingAccess SDK used by BIG-IP APM to the v1.1.3, applicable when BIG-IP APM interacts with PingAccess servers.
Fixed Versions:
13.1.1.4
744532-2 : Websso fails to decrypt secured session variables
Links to More Info: BT744532
Component: Access Policy Manager
Symptoms:
Whenever websso tries to decrypt secure session variables, the following error is seen in /var/log/apm:
Aug 15 21:36:25 abcd err websso.0[20421]: 014d0028:3: /Common/Test_PRP:Common:2b8e7abc: Master Decrypt failed for user test with error 'ckDecrypt: invalid ciphertext'
Aug 15 21:36:25 abcd info websso.0[20421]: 014d0009:6: /Common/Test_PRP:Common:2b8e7abc: Websso basic authentication for user 'test' using config '/Common/sso_test_obj'
Conditions:
- Per-req policy is attached to virtual server.
- Secure subsession variables are assigned to session variables using Variable Assign Agent in per-req policy.
- SSO Configuration Select agent is used in per-req policy.
Impact:
Single Sign-On (SSO) won't work correctly.
Workaround:
There is no workaround at this time.
Fixed Versions:
13.1.3
744516-1 : TMM panics after a large number of LSN remote picks
Links to More Info: BT744516
Component: Carrier-Grade NAT
Symptoms:
TMM panics with the assertion 'nexthop ref valid' failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.
Conditions:
An LSN Pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.
Impact:
TMM restarts. Traffic is interrupted.
Workaround:
There is no workaround.
Fix:
TMM no longer panics regardless of the number of remote picks.
Fixed Versions:
12.1.4, 13.1.1.4, 14.1.0.6
744407-5 : While the client has been closed, iRule function should not try to check on a closed session
Links to More Info: BT744407
Component: Access Policy Manager
Symptoms:
tmm cores. System posts a message:
access::session exists is used during CLIENT_CLOSED iRule event.
Conditions:
-- Client has closed the connection.
-- iRule function tries to check on a closed session.
-- An 'access::session exists' command is used inside the iRule event CLIENT_CLOSED.
Impact:
tmm may core. Traffic disrupted while tmm restarts.
Workaround:
Do not use the iRule command 'access::session exists' inside CLIENT_CLOSED.
Fix:
Command execution of 'access::session exists' is now prevented in the iRule event CLIENT_CLOSED.
Fixed Versions:
13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2
744347-2 : Protocol Security logging profiles cause slow ASM upgrade and apply policy
Links to More Info: BT744347
Component: Application Security Manager
Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.
Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.
Impact:
ASM upgrade and apply policy are delayed.
Workaround:
There is no workaround at this time.
Fixed Versions:
12.1.4, 13.1.1.4, 14.0.0.5, 14.1.0.2
744331 : OpenSSH hardening
Component: TMOS
Symptoms:
The default OpenSSH configuration does not follow best practices for security hardening.
Conditions:
Administrative SSH access enabled.
Impact:
OpenSSH does not follow best practices.
Fix:
The default OpenSSH configuration includes best practices for security hardening.
Fixed Versions:
12.1.5, 13.1.1.4, 14.0.0.5
744280-1 : Enabling or disabling a Distributed Application results in a small memory leak
Links to More Info: BT744280
Component: Global Traffic Manager (DNS)
Symptoms:
Enabling or disabling a Distributed Application results in an 8 byte memory leak.
Conditions:
Enabling or disabling a Distributed Application.
Impact:
8 bytes of memory are leaked every time a Distributed Application is enabled or disabled. If Distributed Applications are repeatedly programmatically enabled and disabled, over time, the system might eventually exhaust all available memory.
Workaround:
None.
Fix:
Enabling or disabling a Distributed Application no longer results in a memory leak.
Fixed Versions:
13.1.3.4, 14.0.0.5, 14.1.2.5
744275-3 : BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
Links to More Info: BT744275
Component: Service Provider
Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.
Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Product-Name AVP.
Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.
Workaround:
Configure an iRule in the MRF transport-config, for example:
ltm rule workaround {
    when DIAMETER_EGRESS {
        # On the server side, clear the flags (including the Mandatory bit)
        # of the Product-Name AVP (269) in Capabilities Exchange Request
        # messages (command code 257).
        if { [serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 269 0
        }
    }
}
Fix:
This release always clears the Mandatory bit for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.
Fixed Versions:
13.1.3.4, 14.1.0.2
744269-2 : dynconfd restarts if FQDN template node deleted while IP address change in progress
Links to More Info: BT744269
Component: Local Traffic Manager
Symptoms:
The dynconfd daemon may crash and restart if an FQDN template node is deleted (by user action or config sync) while ephemeral nodes are in the process of being created and deleted as the result of new IP addresses being returned by a recent DNS query.
Conditions:
This may occur on BIG-IP version 14.0.0.3 (and BIG-IP versions 13.1.x or v12.1.x with engineering hotfixes for ID 720799, ID 721621 and ID 726319), under the following conditions:
1. A DNS query returns a different set of IP addresses for one or more FQDN names.
2. While new ephemeral node(s) are being created (for new IP addresses) and deleted (for old IP addresses), an FQDN template node is deleted (either by user action or config sync).
Impact:
The dynconfd daemon crashes and restarts.
Ephemeral nodes may not be updated in a timely manner while the dynconfd daemon is restarting.
Fix:
The dynconfd daemon does not crash and restart if an FQDN template node is deleted while ephemeral nodes are in the process of being created and deleted as the result of new IP addresses being returned by a recent DNS query.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.0.0.5
744252-3 : BGP route map community value: either component cannot be set to 65535
Links to More Info: BT744252
Component: TMOS
Symptoms:
The community value for BGP route map entries should allow values of 1-65535 for both components, but it is not allowing 65535 for either component.
Conditions:
-- Using BGP route map community values.
-- Attempting to set one or both components to 65535.
Impact:
Unable to use the full range of BGP route map community values.
Workaround:
There is no workaround at this time.
Fix:
This release allows the usage of 65535 for either (or both) BGP route map community values.
Fixed Versions:
13.1.3.6, 14.1.4
744210-1 : DHCPv6 does not have the ability to override the hop limit from the client.
Links to More Info: BT744210
Component: Local Traffic Manager
Symptoms:
A DHCPv6 packet may be dropped by a device after the DHCP relay if the client-provided hop limit is 1.
Conditions:
DHCPv6 Relay configured on the BIG-IP.
Impact:
Loss of DHCPv6 service.
Workaround:
There is no workaround at this time.
Fix:
Configurable hop limit override capabilities are provided for client-sent DHCPv6 packets.
Fixed Versions:
13.1.3.2, 14.1.2.3
744188 : First successful auth iControl REST requests will now be logged in audit and secure log files
Links to More Info: BT744188
Component: TMOS
Symptoms:
Previously, when a client made a REST request for the first time and it succeeded, the action was not logged.
Only subsequent REST calls, or initial failed REST calls from a client, were logged.
Conditions:
Making a successfully authenticated initial REST request from a new client to the BIG-IP system.
Impact:
BIG-IP admins would not know when a new client first made a successful REST call to BIG-IP.
Workaround:
None.
Fix:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.
Here's an example of what shows in audit log:
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user bart2 - RAW: httpd(pam_audit): user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
Here's an example of what shows in secure log:
-- info httpd(pam_audit)[26561]: user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user usr2 - RAW: httpd(pam_audit): user=usr2(usr2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
Subsequent REST calls will continue to be logged normally.
Behavior Change:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.
Subsequent REST calls will continue to be logged normally.
Fixed Versions:
13.1.1.4, 14.0.1.1, 14.1.0.2
744117-5 : The HTTP URI is not always parsed correctly
Links to More Info: K18263026 , BT744117
Component: Local Traffic Manager
Symptoms:
The HTTP URI exposed by the HTTP::uri iRule command, Traffic Policies, or used by ASM is incorrect.
Conditions:
-- HTTP profile is configured.
-- The URI is inspected.
Impact:
If the URI is used for security checks, then those checks might be bypassed.
Workaround:
None.
Fix:
The HTTP URI is parsed in a more robust manner.
Fixed Versions:
12.1.4, 13.1.1.4, 14.0.0.5
743975-2 : TMM crash (SIGFPE) when starting on a vCMP guest
Links to More Info: BT743975
Component: TMOS
Symptoms:
A log message in /var/log/tmm similar to the following:
Assertion 'Hash type successfully set' failed.
Conditions:
A vCMP guest running either:
- v13.x release of 13.1.3.6 or later
- v12.x release of 12.1.5.3 or later
A vCMP hypervisor that is running:
- v13.x release of 13.1.3.4 or lower
- v12.x release of 12.1.5.2 or lower
- v11.x release
Any vCMP guests running v14.x or later are not affected.
Impact:
Tmm may initially fail to start, log a SIGFPE, and then might or might not start normally afterwards. Traffic disrupted while tmm restarts.
Workaround:
Either:
-- Upgrade the vCMP Hypervisor to the latest release.
-- Upgrade the guest to v14.1.0 or later.
It may also help to remove the cached libdag on the guest, and restart tmm by running the following commands on the guest:
rm -f /var/run/libdag.so_* && bigstart restart tmm
Fix:
TMM no longer crashes during startup with SIGFPE
Fixed Versions:
12.1.6, 13.1.4
743961-3 : Signature Overrides for Content Profiles do not work after signature update
Links to More Info: BT743961
Component: Application Security Manager
Symptoms:
JSON profile signature override does not include legacy signature after Automatic Signature Update (ASU).
Conditions:
A signature override exists on a content profile, and an ASU delivers a major update to the targeted signature.
Impact:
-- Unexpected block on a previously white-listed signature.
-- Confusing logging for why the signature was blocked (should indicate it was due to using an old signature version).
Workaround:
-- Create the signature override at higher context, e.g., the URL. Removing the URL context override again keeps it fixed.
-- Enforce new version of sig globally.
Fix:
Signature Overrides for Content Profiles now work after signature update.
Fixed Versions:
13.1.1.4, 14.0.0.5
743857 : Clientssl accepts non-SSL traffic when cipher-group is configured
Links to More Info: K21942600 , BT743857
Component: Local Traffic Manager
Symptoms:
Clientssl accepts Non-SSL traffic even when "Non-SSL Connections" is disabled.
Conditions:
In the clientssl profile, a Cipher Group is configured and one of the "No SSL/TLS/DTLS" options is enabled.
Impact:
Connections to VIP with clientssl profile are not encrypted.
If SSL client authentication is enabled, a plaintext request succeeds, meaning that the client can access resources that would otherwise require a valid client certificate.
Workaround:
Use Cipher String instead of Cipher Group when configuring clientssl profile.
Fix:
Properly validate cipher suites in a cipher group before use.
Fixed Versions:
13.1.1.4
743826-3 : Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0)
Links to More Info: BT743826
Component: Application Visibility and Reporting
Symptoms:
When a pool member is defined with port any(0), calling the GetPoolMember() function, gives an incorrect error message that the pool member was not found.
Conditions:
Pool member with port any(0).
Impact:
Wrong error message printed to avrd.log.
Fix:
Added a flag that indicates whether or not to print an error message to the GetPoolMember() function.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
743815-3 : vCMP guest observes connflow reset when a CMP state change occurs.
Links to More Info: BT743815
Component: TMOS
Symptoms:
There is a connflow reset when a CMP state change occurs on a vCMP guest. The system posts log messages similar to the following: CMP Forwarder expiration.
Conditions:
-- vCMP configured.
-- Associated virtual server has a FastL4 profile with loose init and loose close enabled.
Impact:
This might interrupt a long-lived flow and eventually cause an outage.
Workaround:
None.
Fix:
The system now drops the connflow instead of resetting it.
Fixed Versions:
11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7
743810-1 : AWS: Disk resizing in m5/c5 instances fails silently.
Links to More Info: BT743810
Component: TMOS
Symptoms:
Resizing the disk in an m5/c5 instance in AWS has no impact on the disk size, and this operation fails silently.
Conditions:
BIG-IP system deployed in AWS with m5/c5 instance type that uses NVMe disks instead of the usual native paravirt disks.
Impact:
Disk resizing fails; administrators cannot grow the instance disk in response to their requirements and instance utilization post-deployment.
Workaround:
There is no workaround.
Fix:
AWS: Disk resizing now works as expected.
Fixed Versions:
13.1.1.2
743803-2 : IKEv2 potential double free of object when async request queueing fails
Links to More Info: BT743803
Component: TMOS
Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.
Conditions:
When an async IPsec crypto operation fails to queue.
Impact:
tmm restarts. All tunnels are lost and must be re-established.
Workaround:
No workaround known at this time.
Fixed Versions:
12.1.5, 13.1.1.4, 14.0.0.3, 14.1.0.6
743790-3 : BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus
Links to More Info: BT743790
Component: TMOS
Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might drop off the PCI bus, resulting in the BIG-IP system not being able to pass traffic. However, no high availability (HA) failover condition is triggered, so the BIG-IP system stays active.
Conditions:
HSB drops off the PCI bus. This happens in response to certain traffic patterns (an FPGA issue) that are yet to be determined.
Impact:
No failover to standby unit after this error condition, causing site outage.
Workaround:
None.
Fix:
Now the active BIG-IP system fails over to the standby when HSB on the active unit drops off the PCI bus.
Fixed Versions:
12.1.5, 13.1.1.4
743437-1 : Portal Access: Issue with long 'data:' URL
Links to More Info: BT743437
Component: Access Policy Manager
Symptoms:
An HTML page may contain a very long 'data:' URL. Portal Access cannot handle such URLs correctly.
Conditions:
HTML page with very long 'data:' similar to the following example:
data:image/png;base64,...
Such URLs might be several megabytes long.
Impact:
The rewrite plugin cannot process HTML pages with very long URLs and restarts. The page is not sent to the end user client; the web application may not work correctly.
Workaround:
There is no workaround at this time.
Fix:
Now Portal Access handles very long 'data:' URLs correctly.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
743257-1 : Fix block size insecurity init and assign
Links to More Info: BT743257
Component: Local Traffic Manager
Symptoms:
After an HA failover, the block size insecurity checks created conditions for an infinite loop. This causes tmm to be killed by the sod daemon via SIGABRT.
Conditions:
Rare; not reproducible.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
Fix:
The initialization and assignment of the block-size insecurity value were modified and debug checks were added. A possible loop condition in SSL renegotiation was removed.
Fixed Versions:
13.1.3.2, 14.0.0.5, 14.1.2.5
743150-1 : Increase the limit of the maximum allowed timestamp for OAuth token processing for OAuth Client
Links to More Info: BT743150
Component: Access Policy Manager
Symptoms:
During OAuth token processing for OAuth Client, if the timestamp is set to a value greater than INT32_MAX (2147483647), the BIG-IP system posts an error message, but the error is not descriptive enough to assist in troubleshooting. The error message appears similar to the following:
err apmd[14229]: 01490290:3: /Internet/Oauth_OpenAM_Preprod:Internet:46ea50d9:/Internet/server_act_oauth_client_ag: OAuth Client: failed for server '/Internet/server1' using 'authorization_code' grant type (client_id=oidc), error: stoi
Conditions:
-- OAuth token processing for OAuth Client.
-- Timestamp value greater than INT32_MAX.
Impact:
The APM end user is not granted access because the policy does not complete successfully.
Workaround:
None.
Fix:
The maximum allowed timestamp is increased from INT32_MAX (2147483647) to 6249223209600, and now includes more descriptive error messages for better troubleshooting when the BIG-IP system receives invalid timestamps.
Fixed Versions:
13.1.1.4
743082-1 : Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members
Links to More Info: BT743082
Component: TMOS
Symptoms:
Upgrading to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 might result in a configuration that fails to load, due to a stray colon character that gets added to the configuration file.
Conditions:
-- Upgrade from pre-12.1.3 to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2.
-- GTM Pool Members.
Impact:
Configuration fails to load.
Workaround:
Remove the stray colon character from bigip_gtm.conf.
Fix:
Fixed an issue preventing configurations from loading into 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from a version before 12.1.3.
Fixed Versions:
12.1.5.2, 13.1.1.2, 14.0.0.3
742860 : VE: Predictable NIC ordering based on PCI coordinates until ordering is saved.
Links to More Info: BT742860
Component: TMOS
Symptoms:
The order of interfaces in BIG-IP Virtual Edition (VE) is determined by the Linux kernel. The order of interfaces in tmm on BIG-IP systems does not match the one determined by the Linux kernel.
Conditions:
-- Repeatedly deploy BIG-IP configurations within KVM with many (e.g., 6 or more) interfaces.
-- Observe the order of devices on the PCI bus and the order that they are enumerated within tmm (1.1, 1.2, 1.3, etc.).
Impact:
Sometimes the order between the two does not match. This makes it difficult to reliably use the order with automation to ensure the right devices belong to the correct VLANs, and other operations.
Workaround:
Interrogate the MAC addresses of interfaces to map them against NIC definitions to determine the order.
Fix:
There is now a predictable NIC ordering based on PCI coordinates until ordering is saved.
Behavior Change:
The NIC ordering is now based on PCI co-ordinates, so you no longer need to interrogate the MAC addresses of interfaces to map them against NIC definitions to determine the order.
Fixed Versions:
13.1.3.6, 14.1.4
742829-3 : SIP ALG: Do not translate and create media channels if the RTP port defined in the SIP message is 0
Links to More Info: BT742829
Component: Service Provider
Symptoms:
The BIG-IP system incorrectly handles SDP media ports. The UAC sends an SDP message body advertising that it can handle voice, text, and video. The UAS responds, publishing voice and text, and indicating that video is not desired by setting the video port to '0'. The BIG-IP system does not honor the fact that the UAS does not want video, and translates video port '0' to an ephemeral port, causing the UAC to believe it must open a video channel. When the UAC sends a video connection request, the BIG-IP system sends the request to the wrong port, i.e., to the media port for text, which causes the connection to fail.
Conditions:
RTP media port defined in the SIP message is set to 0.
Impact:
Improper media channel creation.
Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.
Fixed Versions:
13.1.1.4, 14.0.1.1, 14.1.0.2
742628-5 : A tmsh session initiation adds increased control plane pressure
Links to More Info: BT742628
Component: TMOS
Symptoms:
Under certain circumstances, the Traffic Management Shell (tmsh) can consume more system memory than expected.
Conditions:
-- Multiple users or remote processes connecting to the BIG-IP administrative command-line interface.
-- You are running certain versions of BIG-IP software, specifically:
- 12.1.x versions earlier than 12.1.5.3.
- 13.1.x versions earlier than 13.1.3.4.
- Any 14.x version earlier than 14.1.4, except 14.1.2.6.
- 15.0.x versions earlier than 15.0.1.2.
- 15.1.x versions earlier than 15.1.0.4.
Impact:
Increased control plane pressure. Various delays may occur in both command-line and GUI response. Extreme instances may cause one or more processes to terminate, with potential disruptive effect. Risk of impact from this issue is increased when a large number of automated tmsh sessions are created.
Workaround:
For users with administrative privilege (who are permitted to use the 'bash' shell), the login shell can be changed to avoid invoking tmsh when it may not be needed:
tmsh modify /auth user ADMINUSERNAME shell bash
Fix:
This issue is fixed in the following releases:
-- 12.1.5.3 and later
-- 13.1.3.4 and later
-- 14.1.2.6
-- 14.1.4 and later
-- 15.0.1.2 and later
-- 15.1.0.4 and later
-- 16.0.0 and later
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.6, 14.1.4, 15.0.1.4, 15.1.0.2
742627-2 : SSL session mirroring may cause memory leakage if HA channel is down
Links to More Info: BT742627
Component: Local Traffic Manager
Symptoms:
If SSL session mirroring is enabled, but the HA channel is down, attempts to mirror may result in memory leakage.
Conditions:
- SSL session mirroring enabled
- HA channel is down
Impact:
Memory leakage over time, resulting in eventual memory pressure, performance degradation, and a possible TMOS restart.
Workaround:
Ensuring that the HA peer is present and connected will avoid the leakage. Otherwise, no reasonable workaround exists short of disabling SSL session mirroring.
Fix:
SSL session mirroring no longer leaks memory when the HA channel is down.
Fixed Versions:
13.1.1.4, 14.0.0.5
742549-1 : Cannot create non-ASCII entities in non-UTF ASM policy using REST
Links to More Info: BT742549
Component: Application Security Manager
Symptoms:
You cannot create non-ASCII entities (such as URLs and parameters) in a non-UTF-8 policy using REST.
Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII entities using REST.
Impact:
You cannot create an entity (such as a URL or parameter) which contains non-ASCII characters using REST.
Workaround:
Use UTF-8.
Fixed Versions:
13.1.3.6, 14.1.2.7, 15.1.0.5
742237-2 : CPU spikes appear wider than actual in graphs
Links to More Info: BT742237
Component: Local Traffic Manager
Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.
Conditions:
CPU usage has spikes.
Impact:
Graphs of CPU spikes appear to last longer than they actually last.
Workaround:
Perform the following procedure:
1. Run the following command to record the 5-second average rather than the 1-second average:
sed -i.bak 's/TMCOLNAME "ratio"/TMCOLNAME "five_sec_avg.ratio"/;s/TMCOLNAME "cpu_ratio_curr"/TMCOLNAME "cpu_ratio_5sec"/g' /config/statsd.conf
2. Restart statsd to load the new configuration:
bigstart restart statsd
Fix:
CPU samples for graphs are averaged over longer time to more closely represent actual time between samples.
Fixed Versions:
12.1.5, 13.1.3.2, 14.1.2.1
742184-1 : TMM memory leak
Links to More Info: BT742184
Component: Local Traffic Manager
Symptoms:
-- High TMM memory utilization;
-- Aggressive sweeper activated;
-- the 'packet', 'xdata' and 'xhead' caches in the memory_usage_stat tmstat table have high 'allocated' and 'curr_allocs' numbers with a steadily increasing profile.
Conditions:
A fastL4 profile and an L7 profile (e.g., HTTP) are assigned to the same virtual server.
Impact:
Degraded performance, possible TMM crash due to out-of-memory condition.
Workaround:
Do not add an L7 profile to a fastL4 virtual server.
Fix:
The TMM no longer leaks memory in this configuration.
Note: there are limits to what L7 profiles such as HTTP can do when attached to fastL4 virtual servers, and this fix does not change them.
For more information see:
-- https://support.f5.com/csp/article/K16446
-- https://support.f5.com/csp/article/K16783
Fixed Versions:
13.1.3, 14.1.0.2
742078-2 : Incoming SYNs are dropped and the connection does not time out.
Links to More Info: BT742078
Component: Local Traffic Manager
Symptoms:
There is a hard-coded limit on the number of SYNs forwarded on a FastL4 connection. This might cause a problem when a connection is reused, for example, if a connection is not correctly closed.
Conditions:
-- SYN forwarding on FastL4 connections.
-- The number of SYNs on a single connection reaches the hard-coded limit.
Impact:
If the number of SYNs on a single connection reaches this limit, subsequent incoming SYNs are dropped and the connection might not time out.
Workaround:
There is no workaround.
Fix:
The following command enables the forwarding of an unlimited number of SYNs:
tmsh modify sys db tm.dupsynenforce value disable
Fixed Versions:
11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
742037-3 : FPS live updates do not install when minor version is different
Links to More Info: BT742037
Component: Fraud Protection Services
Symptoms:
Installing an update file with a different minor version fails.
For example, installing an update file versioned 13.1.1 on BIG-IP version 13.1.0.
Conditions:
FPS is licensed and provisioned.
Impact:
FPS engine and signature cannot be updated.
Workaround:
N/A
Fix:
The minor version in update file is now ignored and only the major version is validated.
Fixed Versions:
13.1.1.4, 14.0.0.5
741993-1 : The BIG-IP system does not answer a request matching an L7 policy that disabled DOSL7 when BADOS is configured.
Links to More Info: BT741993
Component: Anomaly Detection Services
Symptoms:
The BIG-IP system does not answer a request matching an L7 policy that disabled DOSL7 when BADOS is configured. The connection hangs.
Conditions:
1. Create a DoS profile with Behavioral & Stress-based (D)DoS Detection enabled.
2. Create an L7 policy to disable DoS profile (even on all URLs).
3. Attach both to a virtual server.
4. Send a request to the virtual server.
Impact:
Connection hangs.
Workaround:
There is no workaround other than disabling the Behavioral & Stress-based (D)DoS Detection from the DoS profile.
Fix:
The system now correctly handles a disabled DOSL7 policy.
Fixed Versions:
13.1.1.4, 14.0.0.5
741951-2 : Multiple extensions in SIP NOTIFY request cause message to be dropped.
Links to More Info: BT741951
Component: Service Provider
Symptoms:
When SIP NOTIFY messages are sent with a request URI that contains multiple client extensions, the system does not forward the message as expected.
Conditions:
SIP NOTIFY messages sent with a request URI that contains multiple client extensions.
Impact:
NOTIFY message is not forwarded.
Workaround:
None.
Fix:
Improved SIP URI parser now correctly handles multiple extensions in a URI.
Fixed Versions:
11.6.5.2, 12.1.5.2, 13.1.1.4, 14.0.0.5
741919 : HTTP response may be dropped following a 100 continue message.
Links to More Info: BT741919
Component: Local Traffic Manager
Symptoms:
When a 100 response is quickly followed by another HTTP response (2xx/4xx), the second response might be dropped.
Conditions:
When a 100 response is quickly followed by another HTTP response (i.e., a 2xx/4xx response arrives within a few microseconds).
Impact:
The second response might be dropped, so the end user client might not receive all the HTTP responses coming from the server.
Note: This does not happen all the time, and depends on how the underlying data packets are formed and delivered to the HTTP filter.
Workaround:
You can use either of the following workarounds:
-- Use an iRule to disable the HTTP filter in the HTTP_REQUEST event.
-- Disable LRO by running the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.0.0.5
741902-3 : sod does not validate message length vs. received packet length
Links to More Info: BT741902
Component: TMOS
Symptoms:
sod may crash or produce unexpected behavior.
Conditions:
If a malformed network failover packet is received by sod, it may cause an invalid memory access.
Impact:
sod may crash, causing a failover.
Workaround:
None.
Fix:
sod validates the received packet length and does not reference invalid memory.
Fixed Versions:
11.6.5.2, 12.1.5.2, 13.1.3.2
741862-2 : DNS GUI may generate error or display names with special characters incorrectly.
Links to More Info: BT741862
Component: Global Traffic Manager (DNS)
Symptoms:
-- If a DNS object name (such as a Server or Link) contains a special character, the name may be truncated after the special character when displayed in the GUI.
For example:
DNS -> GSLB -> Server :
- Select a server with name containing a special character (such as # or &).
- Go to Devices, Virtual Servers or Links tab.
- Click on the tab again or go to another tab.
DNS -> GSLB -> Links :
- Select a link with name containing special character (such as # or &).
- Go to Servers or Virtual servers tab, click on the tab again or go to other tab.
In such cases, the characters after the special character disappear in the Server and/or Link name.
-- Certain DNS GUI operations may generate an error such as:
"An error has occurred while trying to process your request."
For example:
DNS -> GSLB -> Pools -> Pool List :
- Select a Pool
- Go to Members tab
- Click Manage
Conditions:
-- The DNS object name may be displayed incorrectly if it contains a special character such as:
#
&
-- An error can occur on BIG-IP versions prior to 15.0.0 that contain the fix for ID1045421 (such as Engineering Hotfixes on versions 14.1.x or 13.1.x with a fix for ID1045421).
Impact:
-- DNS object names display incorrectly and may not be selectable for subsequent operations in the GUI.
-- You may not be able to manage DNS objects in certain contexts in the GUI.
Workaround:
Use the Command Line Interface (tmsh) to manage DNS objects.
Fix:
-- DNS object names containing special characters are displayed properly in the GUI.
-- GUI operations to manage DNS objects do not generate errors in the presence of the fix for ID1045421 on BIG-IP versions prior to 15.0.0.
Fixed Versions:
13.1.5
741767-2 : ASM Resource :: CPU Utilization statistics are in wrong scale
Links to More Info: BT741767
Component: Application Visibility and Reporting
Symptoms:
Security :: Reporting : ASM Resources : CPU Utilization has the wrong scale for statistics.
Conditions:
Having the 'CPU Utilization' statistics under 'ASM Resources' available.
Impact:
Wrong scale of statistics.
Workaround:
To work around this issue:
1. Edit the following file: /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
2. Remove the division by 100 from the 'formula' of each entity.
3. Save the change and restart monpd (bigstart restart monpd).
Fix:
Scale is now fixed and is not pre-divided by 100.
Fixed Versions:
13.1.1.4, 14.0.1.1
741761-1 : admd might fail the heartbeat, resulting in a core
Links to More Info: BT741761
Component: Anomaly Detection Services
Symptoms:
When the system is under heavy I/O stress, admd might fail the heartbeat (which is required by sod, the failover daemon), so sod kills the admd daemon, resulting in a core.
Conditions:
-- System is under heavy I/O stress.
-- admd fails the heartbeat.
Impact:
The system generates an admd core file. Traffic disrupted while admd restarts.
Workaround:
None.
Fixed Versions:
13.1.1.4, 14.0.0.5
741752-1 : [BADOS] state file is not saved when virtual server reuses a self IP of the device
Links to More Info: BT741752
Component: Anomaly Detection Services
Symptoms:
BADOS state file is not saved.
Conditions:
Virtual server reuses a self IP of the device.
Impact:
After admd restarts, learned information (the baseline and good dataset) can disappear.
Workaround:
None.
Fix:
The system now handles this situation without impact, so the state file is saved as expected.
Fixed Versions:
13.1.1.4
741676-1 : Intermittent crash switching between tunnel mode and interface mode
Links to More Info: BT741676
Component: TMOS
Symptoms:
Changing the policy mode for an IPsec tunnel back and forth between tunnel mode and interface mode can cause a crash.
Conditions:
Changing mode in ipsec-policy from tunnel to interface, or vice versa.
Impact:
A tmm restart, after a core, interrupts all IPsec tunnel service until new SAs are negotiated to replace the old ones.
Workaround:
Start with desired mode, tunnel or interface, and avoid changing the value from one to the other.
Fix:
Changing mode between tunnel and interface now works as expected.
Fixed Versions:
13.1.5, 14.1.2.8
741535-1 : Memory leak when using SAML or Form-based Client-initiated SSO
Links to More Info: BT741535
Component: Access Policy Manager
Symptoms:
With SAML or Form-based Client-initiated SSO configured, BIG-IP system memory usage increases with every HTTP request that is proxied to the backend. The type of memory that increases is tmjail. You can view memory usage using the following command: tmsh show sys memory.
At some point, the BIG-IP system enables connection evictions in order to reduce the memory pressure, which causes service disruptions. You might see the following warning log messages.
-- warning tmm[20537]: 011e0002:4: sweeper_segment_cb_any: Aggressive mode /Common/default-eviction-policy activated (0) (global memory).
-- warning tmm1[20537]: 01010290:4: TCP: Memory pressure activated.
-- err tmm1[20537]: 011e0003:3: Aggressive mode sweeper: /Common/default-eviction-policy (100000000000b) (global memory) 413 Connections killed.
Conditions:
SAML or Form-based Client-initiated SSO is used.
Impact:
Potential service disruption.
Workaround:
No workaround other than not using SAML or Form-based Client-initiated SSO.
Fix:
The memory leak associated with SAML or Form-based Client-initiated SSO no longer occurs.
Fixed Versions:
13.1.3
741449-1 : alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
Links to More Info: BT741449
Component: Fraud Protection Services
Symptoms:
JAVASCRIPT_THRESHOLD alert should contain 2 timestamps:
1. component-validation cookie timestamp (set on cookie creation)
2. current BIG-IP timestamp
Currently, these timestamps are not available in the alert details.
Conditions:
JAVASCRIPT_THRESHOLD alert is triggered.
Impact:
It is impossible to analyze the alert.
Workaround:
There is no workaround at this time.
Fix:
FPS now always includes both timestamps when triggering the JAVASCRIPT_THRESHOLD alert.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
741423-2 : Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
Links to More Info: BT741423
Component: TMOS
Symptoms:
When provisioning ASM for the first time on a device that is already linked in a high availability (HA) config-sync configuration, any other cluster device that is on the trust domain experiences mcpd restarting on all secondary blades due to a configuration error.
The system logs messages similar to the following in /var/log/ltm:
-- notice mcpd[12369]: 010718ed:5: DATASYNC: Done initializing datasync configuration for provisioned modules [ none ].
-- err mcpd[9791]: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.
-- err mcpd[9791]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.... failed validation with error 16908342.
-- notice mcpd[12369]: 0107092a:5: Secondary slot 2 disconnected.
Conditions:
-- Cluster devices are joined in the trust for high availability (HA) or config-sync.
-- Provisioning ASM or FPS on clusters which are already joined in a trust.
-- ASM and FPS have not been provisioned on any of the devices: this is the first ASM/FPS provisioning in the trust.
Impact:
Traffic on all secondary blades is interrupted while mcpd restarts. Then, traffic is resumed.
Workaround:
Before provisioning ASM/FPS (but after setting up a trust configuration):
1. On the device on which ASM/FPS is about to be provisioned, create the datasync-global-dg device group and add all of the available devices.
For example, if there are two devices in the Trust Domain: test1.lab.com and test2.lab.com, and you plan to provision ASM/FPS for the first time on test1.lab.com, first run the following command from test1.lab.com:
tmsh create cm device-group datasync-global-dg devices add { test1.lab.com test2.lab.com }
2. Do not sync the device group.
3. Then on test1.lab.com, you can provision ASM/FPS.
Fix:
Secondary blades no longer go offline when provisioning ASM/FPS on already established high availability (HA) or config-sync configurations.
Fixed Versions:
12.1.4, 13.1.1.4, 14.0.0.5
740969-1 : Menu visibility issue with newly activated license.
Links to More Info: K65151021 , BT740969
Component: SSL Orchestrator
Symptoms:
-- iApps, DNS, and Acceleration menus are hidden when activating a new license or re-activating an existing license.
-- Running the Setup wizard does not complete.
Conditions:
-- Post 14.x SSL Orchestrator (SSLO) add-on license.
-- Attempt to access the iApps, DNS, and Acceleration menus.
-- Attempt to run the Setup wizard.
Impact:
Menus are not visible. Cannot use the DNS and Acceleration menus and features. The BIG-IP Setup wizard is also affected.
This occurs because v14.0.0 introduced SSL Orchestrator (SSLO) as a licensed add-on. The new add-on license is incompatible with earlier software versions and causes problems when used there.
Workaround:
None.
Fix:
iApps, DNS, and Acceleration menus now stay visible when activating a new license or re-activating an existing license, and running the Setup wizard completes as expected.
Fixed Versions:
12.1.4.1, 13.1.1.4
740963-2 : VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart
Links to More Info: BT740963
Component: Local Traffic Manager
Symptoms:
VIP-on-VIP traffic might cause TCP retransmit bursts, which in certain situations can cause tmm to restart.
Conditions:
- Virtual server handling TCP traffic.
- iRule using the 'virtual' command.
Impact:
Temporary memory consumption and potential for tmm to restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TCP retransmit bursts are now handled gracefully.
Fixed Versions:
12.1.5, 13.1.1.4, 14.0.0.5
740777-1 : Secondary blades mcp daemon restart when subroutine properties are configured
Links to More Info: BT740777
Component: Access Policy Manager
Symptoms:
Secondary blades' MCP daemons restart with the following error messages:
-- err mcpd[26818]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested Subroutine Properties (/Common/confirm_10 /Common/confirm_10) was not found.... failed validation with error 16908342.
Conditions:
When a subroutine is configured in the access policy.
Impact:
The secondary blade MCP daemon restarts. Cannot use subroutine in the access policy.
Workaround:
There is no workaround other than to not use subroutines in the access policy.
Fix:
You can now use subroutines in the access policy.
Fixed Versions:
12.1.4, 13.1.1.2
740719-2 : ASM CSP header parser does not honor unsafe-inline attribute within script-src directive
Links to More Info: BT740719
Component: Application Security Manager
Symptoms:
Browser reports Content-Security-Policy error when ASM modifies the 'Content-Security-Policy' (CSP) header.
Conditions:
1. ASM provisioned.
2. ASM policy attached to a virtual server.
3. CSRF or Ajax blocking page enabled within the ASM policy.
4. Backend server sends 'Content-Security-Policy' header with 'script-src' 'unsafe-inline' directive.
Impact:
Browser posts 'Content-Security-Policy' error and stops JavaScript execution.
Workaround:
Disable 'Content-Security-Policy' header parsing for ASM policies. To do so, follow these steps:
1. Run the following command:
/usr/share/ts/bin/add_del_internal add csp_enabled 0
2. Restart ASM by running the following command:
bigstart restart asm
Fix:
ASM 'Content-Security-Policy' header parser no longer modifies the 'Content-Security-Policy' header when there is 'script-src' 'unsafe-inline' directive arriving from a backend server. This is correct behavior.
Fixed Versions:
13.1.1.2, 14.0.0.5
740589-3 : Mcpd crash with core after 'tmsh edit /sys syslog all-properties'
Links to More Info: BT740589
Component: TMOS
Symptoms:
Syslog-ng consumes more than 95% CPU starving other processes of CPU time. This leads to eventual mcpd crash with core.
Conditions:
Configuring nonexistent local IP addresses and a remote log server.
Impact:
Abnormal CPU usage. Potential eventual mcpd crash with core. Traffic disrupted while mcpd restarts.
Workaround:
To mitigate the issue, you can use either of the following:
-- Follow these two steps:
1. Remove the remote log server from the configuration.
2. Replace the nonexistent local IP addresses with self IP addresses.
-- Configure the remote destination host with a unique parameter in the configuration so that syslog does not get confused if there are multiple entries:
udp(192.0.2.1 port(512) localip(192.0.2.200) persist-name(r1));
udp(192.0.2.1 port(512) localip(192.0.2.201) persist-name(r2));
udp(192.0.2.100 port(512) localip(192.0.2.200) persist-name(r3));
udp(192.0.2.100 port(512) localip(192.0.2.201) persist-name(r4));
Fix:
Fixed a circular loop caused by a configuration with an empty (duplicate) persist-name.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
740490-1 : Configuration changes involving HTTP2 or SPDY may leak memory
Links to More Info: BT740490
Component: Local Traffic Manager
Symptoms:
If virtual servers which have HTTP2 or SPDY profiles are updated, then the TMM may leak memory.
Conditions:
-- A virtual server has an HTTP2 or SPDY profile.
-- Any configuration object attached to that virtual server changes.
Impact:
The TMM leaks memory, and may take longer to execute future configuration changes. If the configuration changes take too long, the TMM may be restarted by SOD.
Workaround:
None.
Fix:
The TMM no longer leaks memory when virtual servers that contain an HTTP2 or SPDY profile are reconfigured.
Fixed Versions:
12.1.4, 13.1.1.4, 14.0.0.5
740413-3 : Sod not logging Failover Condition messages
Links to More Info: BT740413
Component: TMOS
Symptoms:
When a failsafe fault occurs, sod does not log a message indicating that the device is unable to become Active.
Conditions:
Failsafe fault.
Impact:
No 'Failover Condition' messages logged in /var/log/ltm.
Workaround:
None.
Fixed Versions:
13.1.3.2
740345-1 : TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.
Links to More Info: BT740345
Component: TMOS
Symptoms:
TMM generates cores files on the device.
Conditions:
Issue is seen when connection mirroring, session mirroring, and OCSP stapling are enabled.
Impact:
If a failover happens while an SSL handshake is in progress, TMM restarts and a core file is generated on the standby device. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
740228-1 : TMM crash while sending a DHCP Lease Query to a DHCP server
Links to More Info: BT740228
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
- DHCP Lease Query is enabled on the BIG-IP system.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes while sending a DHCP Lease Query to a DHCP server.
Fixed Versions:
12.1.5.3, 13.1.3, 14.0.0.5
740086 : AVR reports ignore partitions for Admin users
Links to More Info: BT740086
Component: Application Visibility and Reporting
Symptoms:
The behavior of AVR's reporting feature changed after an upgrade.
Reports generated for a specific partition include data from all partitions.
Conditions:
-- Users with Admin role.
-- AVR provisioned.
-- AVR profile configured and attached to a virtual server.
-- User with Admin role creates Scheduled Reports or uses GUI to view AVR reports.
Impact:
AVR GUI pages or Scheduled Reports defined for one partition include AVR data from other partitions.
Workaround:
One workaround is to have non-Admin users generate reports.
For non-Admin users, the partition is honored.
Fix:
AVR GUI pages or Scheduled Reports defined for one partition now show, for all users, AVR data from only that partition.
Fixed Versions:
13.1.1.4, 14.0.0.5
739963-2 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
Links to More Info: BT739963
Component: Local Traffic Manager
Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.
Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.
Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.
Workaround:
To restore the state of the member, remove it and add it back to the pool.
Fixed Versions:
12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.2
739945-2 : JavaScript challenge on POST with 307 breaks application
Links to More Info: BT739945
Component: Application Security Manager
Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.
Conditions:
- JavaScript challenge / CAPTCHA is enabled from any of Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation, or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.
Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.
Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.
Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.
Fixed Versions:
12.1.4, 13.1.1.5, 14.0.1.1, 14.1.0.2
739939-1 : Ping Access Agent Module leaks memory in TMM.
Links to More Info: BT739939
Component: Access Policy Manager
Symptoms:
Whenever a ping access request traverses through apm_ivs (internal virtual server) to the Ping Access Agent (e.g., Cache-Miss), a memory leak occurs.
Conditions:
Ping Access Agent request that is not served from local cache (e.g., in the Cache-Miss case).
Impact:
The slow memory leak might eventually cause TMM to restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Ping Access Agent Module no longer leaks memory in TMM.
Fixed Versions:
13.1.1.2, 14.0.0.5
739927-3 : Bigd crashes after a specific combination of logging operations
Links to More Info: BT739927
Component: Local Traffic Manager
Symptoms:
Bigd crashes, and a bigd core file is generated.
Conditions:
1. Boot the system and set up any monitor.
2. Enable and disable bigd.debug:
-- tmsh modify sys db bigd.debug value enable
-- tmsh modify sys db bigd.debug value disable
3. Enable monitor logging.
Impact:
Bigd crashes.
Workaround:
None.
Fix:
Bigd no longer crashes under these conditions.
Fixed Versions:
11.5.9, 11.6.4, 12.1.4, 13.1.3.2
739900-1 : All Policies are created with 3 new Signature Sets After Creation of a Policy using Application Ready Templates
Links to More Info: BT739900
Component: Application Security Manager
Symptoms:
When a Security Policy is created using new versions of some Application Ready Templates, three new Signature Sets are created that are set to automatically be added to policies subsequently created.
Conditions:
A Security Policy is created using one of the following updated Application Ready Templates:
* Drupal
* Joomla
* SAP Netweaver
* Sharepoint
* Wordpress
Impact:
Three new Signature Sets are created with the option 'Assign To Policy By Default' enabled. As a result, the system adds these Signature Sets to subsequently created policies. This may provide enforcement for unexpected or undesired Attack Signatures.
Workaround:
To prevent the newly created signature sets from being added to subsequently created policies, disable 'Assign To Policy By Default'.
You can also remove the signatures from new policies after they have been created.
Fix:
The Application Ready Templates now create the new signatures with the option 'Assign To Policy By Default' disabled, so they are no longer automatically added to subsequently created policies.
Fixed Versions:
13.1.3
739872-2 : The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover
Links to More Info: BT739872
Component: TMOS
Symptoms:
Running the 'load sys config verify' command for a configuration that would alter the high availability (HA) Group score for a Traffic Group can cause the HA group score to be updated.
Conditions:
Run 'load sys config verify' with configuration data that affects a Traffic Group's HA Group score.
Impact:
Unintended failover.
Workaround:
None.
Fix:
HA Group scores are no longer updated when running 'load sys config verify' commands.
Fixed Versions:
12.1.5.3, 13.1.3.4
739846-3 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
Links to More Info: BT739846
Component: Global Traffic Manager (DNS)
Symptoms:
When the big3d runs out of memory for iQuery connections, a segmentation fault might occur.
Conditions:
-- Not enough memory to create additional iQuery connections.
-- A new iQuery connection is received.
Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.
Workaround:
None.
Fix:
The big3d process no longer gets a segmentation fault when reaching the limits of the memory footprint while trying to establish iQuery connections.
Fixed Versions:
11.5.9, 11.6.4, 12.1.4.1, 13.1.1.4, 14.0.0.3
739744-1 : Import of Policy using Pool with members is failing
Links to More Info: BT739744
Component: Access Policy Manager
Symptoms:
Import of a policy that uses a pool with members fails with an error similar to: 'Pool member node (/Common/u.x.y.z%0) and existing node (/Common/u.x.y.z) cannot use the same IP Address (u.x.y.z)'.
Conditions:
The policy has a pool attached to it via resource assign or chained objects.
Impact:
The policy is not imported on the same system it was exported from.
Workaround:
There is no workaround at this time.
Fix:
ng-import now imports the policy correctly.
Fixed Versions:
12.1.4, 13.1.1.4
739716-2 : APM Subroutine loops without finishing
Links to More Info: BT739716
Component: Access Policy Manager
Symptoms:
Some APM subroutines never finish. In authentication use cases, the end-users will continue to see logon pages, even after submitting correct credentials. In SWG confirm-and-continue use cases, the end-users will continue to see confirm boxes, even if they had already clicked "continue".
Conditions:
APM with a subroutine. Reproducibility will vary by platform and deployment.
Impact:
Subroutines never finish. End-users are not able to access resources.
Workaround:
Restarting TMM resolves the issue.
Fix:
The memory corruption issue was resolved and the subroutines now correctly finish.
Fixed Versions:
13.1.1.2, 14.0.0.5
739674-1 : TMM might core in SWG scenario with per-request policy.
Links to More Info: BT739674
Component: Access Policy Manager
Symptoms:
TMM can core when Secure Web Gateway (SWG) is configured, and SSL is resumed through per-request policy.
Conditions:
-- SWG is configured.
-- SSL is resumed through per-request policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores in the SWG scenario with a per-request policy.
Fixed Versions:
13.1.1.2
739638-2 : BGP failed to connect with neighbor when pool route is used
Links to More Info: BT739638
Component: Local Traffic Manager
Symptoms:
BGP peering fails to be established.
Conditions:
- Dynamic routing enabled.
- The BGP peer connects through a pool route or ECMP route.
Impact:
BGP dynamic route paths are not created.
Workaround:
Use a gateway route.
Fix:
BGP peering can be properly established through a pool route.
Fixed Versions:
12.1.4.1, 13.1.3.2, 14.0.1.1
739618-1 : When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy
Links to More Info: BT739618
Component: Application Security Manager
Symptoms:
When using an AWAF or MSP license, you cannot use the BIG-IP Configuration Utility to set a rule that controls ASM in an LTM policy.
Conditions:
- AWAF or MSP license
Impact:
Administrators cannot use the BIG-IP Configuration Utility to create an LTM policy that controls ASM, and must use TMSH instead.
Workaround:
Use TMSH to create the rule instead of GUI:
For example:
create ltm policy Drafts/test99 controls add { asm } requires add { http } rules add { rule1 { actions add { 0 { asm enable policy dummy2 }} ordinal 1 }}
Fix:
Users with an AWAF or MSP license can now create an LTM rule that controls ASM in the BIG-IP Configuration Utility.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.1.0.2
739570-2 : Unable to install EPSEC package
Links to More Info: BT739570
Component: Access Policy Manager
Symptoms:
Installation of EPSEC package via tmsh fails with error:
Configuration error: Invalid mcpd context, folder not found (/Common/EPSEC/Images).
Conditions:
-- EPSEC package has never been installed on the BIG-IP device.
-- Running the command:
tmsh create apm epsec epsec-package <package_name>.iso local-path /shared/apm/images/<package_name>.iso
Impact:
First-time installation of EPSEC package through tmsh fails.
Workaround:
You can do a first-time installation of EPSEC with the following commands:
tmsh create sys folder /Common/EPSEC
tmsh create sys folder /Common/EPSEC/Images
tmsh install Upload/<package_name>.iso
Fix:
When an EPSEC package is installed through the tmsh command, the folder /Common/EPSEC/Images is now created if it does not exist.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
739507 : Improved recovery method for BIG-IP system that has halted from a failed FIPS integrity check
Links to More Info: BT739507
Component: TMOS
Symptoms:
After FIPS 140-2 license is installed on BIG-IP FIPS-certified hardware devices, the system halts while booting upon performing the FIPS integrity check.
Console shows messages similar to:
Starting System Logger Daemon...
[ OK ] Started System Logger Daemon.
[ 14.943495] System halted.
Conditions:
-- The BIG-IP device has a license that includes the FIPS 140-2 option (FIPS full-box license).
-- System element monitored by FIPS 140-2 integrity check has changed.
-- The device is rebooted.
Impact:
The device halts and cannot be used.
Workaround:
[1] Connect a terminal to the BIG-IP serial console port.
[2] From the console, enter the GRUB menu and boot into a partition that does not have a FIPS 140-2-enabled license, or into TMOS Maintenance.
[3] Mount config from the inactive partition (see K51222154: Mounting the filesystem of an inactive partition :: https://support.f5.com/csp/article/K51222154) that was halted, and examine the contents of /config/f5_public/fipserr, which shows the files that were changed, leading to failure of the FIPS 140-2 license-enabled partition.
[4] Restore those files to their original ones.
[5] Truncate the inactive partition's /config/f5_public/fipserr, e.g., by running:
cat /dev/null > /mnt/test/f5_public/fipserr
[6] Reboot.
If the system still halts, repeat from Step [1] above, until this no longer happens.
Fix:
If your device is running a version where ID 739507 is fixed:
[1] Connect a terminal to the BIG-IP serial console port
[2] From the serial console, enter the GRUB menu.
[3] Before the countdown expires, use the Up Arrow and Down Arrow keys to stop the countdown, and select the appropriate boot image.
[4] Press the key 'E' to start the edit options. A new GRUB menu displays.
[5] Use the Up Arrow and Down Arrow keys to navigate to the line that starts with 'linux', or the first line that starts with 'module'.
[6] Add a space, followed by NO_FIPS_INTEGRITY=1 (do not press ENTER).
[7] Press the Ctrl-X sequence or the F10 key to restart the system using the modified options.
The machine boots into the partition containing FIPS 140-2-enabled license.
[8] Examine the content of file /config/f5_public/fipserr to ascertain the cause of the FIPS module startup error.
[9] Fix the problem reported in the aforementioned error file.
[10] Run the test tool /usr/libexec/sys-eicheck.py to ensure that no fatal error is reported, such as:
Integrity Check Result: [ FAIL ]
If fatal errors persist, do not reboot (otherwise the system goes into the halt state, and the steps starting from Step [1] will need to be repeated). Instead, fix the problematic files reported. Rerun the test tool until no error is seen.
Note: You can find information on the sys-eicheck (FIPS) utility in the AskF5 Non-Diagnostic Article K00029945: Using the sys-eicheck (FIPS) utility :: https://support.f5.com/csp/article/K00029945.
[11] Truncate the file /config/f5_public/fipserr:
cat /dev/null > /config/f5_public/fipserr
Fixed Versions:
13.1.1.2, 14.1.4, 15.1.0.5
739505 : Automatic ISO digital signature checking not required when FIPS license active
Links to More Info: BT739505
Component: TMOS
Symptoms:
Automatic ISO digital signature checking occurs but is not required when FIPS license active.
The system logs an error message upon an attempt to install or update the BIG-IP system:
failed (Signature file not found - /shared/images/BIGIP-13.1.0.0.0.1868.iso.sig)
Conditions:
When the FIPS license is active, digital signature checking of the ISO is automatically performed. This requires that both the ISO and the digital signature (.sig) file are uploaded to the system.
Impact:
Installation does not complete if the .sig file is not present or is not valid.
Workaround:
To validate the ISO on the BIG-IP system, follow the procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140.
Fix:
The restriction of requiring automatic signature checking of the ISO is removed. The procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140 to perform the checks on or off the BIG-IP system is still valid, but that checking is optional.
Fixed Versions:
13.1.1.2, 14.1.4, 15.1.2.1, 16.0.1.1
739446-2 : Resetting SSL-socket correctly for AVR connection
Links to More Info: BT739446
Component: Application Visibility and Reporting
Symptoms:
The SSL socket becomes corrupted.
Conditions:
The conditions under which this occurs have not been fully identified.
Impact:
AVR fails to make an SSL connection and so cannot report externally correctly.
Workaround:
None.
Fix:
The SSL connection is now reset whenever required.
Fixed Versions:
13.1.1.4
739379-2 : Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error
Links to More Info: BT739379
Component: Local Traffic Manager
Symptoms:
In a situation where multiple SSL forward proxies are connected via virtual targeting, the SNI value extracted from the ClientHello and saved in the 1st layer of SSL forward proxy may get overwritten by the 2nd layer of SSL forward proxy. When this happens, certificate verification fails when the 1st layer of SSL forward proxy attempts to validate the certificate.
Conditions:
Two SSL forward proxies connected via the virtual command in an iRule.
Impact:
Client traffic is randomly reset.
Workaround:
None.
Fix:
The search scope of storing parsed SNI is now local to each SSL forward proxy.
Fixed Versions:
13.1.1.4, 14.0.0.5
739349-1 : LRO segments might be erroneously VLAN-tagged.
Links to More Info: BT739349
Component: Local Traffic Manager
Symptoms:
Segments being processed for large receive offload (LRO) (the action the system performs to aggregate multiple incoming packets within a buffer before passing them up) might be erroneously VLAN-tagged when LRO is enabled.
Conditions:
-- TCP LRO enabled.
-- Egress VLAN untagged.
Impact:
Egress traffic might sometimes be tagged.
Workaround:
Disable TCP LRO. To enable or disable LRO functionality, you can use the following command syntax:
tmsh modify sys db tm.tcplargereceiveoffload value <enable | disable>
Fix:
The system now ensures that fragment packet flags are correctly set.
Fixed Versions:
13.1.1.4, 14.0.1.1, 14.1.0.2
739345 : Reporting invalid signature id after specific signature upgrade
Links to More Info: BT739345
Component: Application Security Manager
Symptoms:
An incorrect/invalid signature id is reported.
Conditions:
The signature was changed in an upgrade.
Impact:
Not able to confirm successful signature update.
Workaround:
When the signature id prefix is 6, replace it with 2 when looking for the actual signature.
Fix:
Fixed a reporting issue with signature ids after upgrade.
Fixed Versions:
13.1.1.4
739285-1 : GUI partially missing when VCMP is provisioned
Links to More Info: BT739285
Component: TMOS
Symptoms:
GUI may be partially missing.
Conditions:
VCMP is provisioned.
Impact:
GUI may be partially missing.
Workaround:
Use tmsh or deprovision VCMP.
Fix:
The GUI now works as expected when VCMP is provisioned.
Fixed Versions:
13.1.1.2
739277 : TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode
Links to More Info: BT739277
Component: Anomaly Detection Services
Symptoms:
TMM cores when the virtual server is deleted during POST data while BADOS is in standard/aggressive mode.
Conditions:
-- The virtual server is deleted during POST data.
-- BADOS configured in standard/aggressive mode.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can work around this issue using either of the following options if you plan to delete a virtual server:
-- First detach the DoS protection profile.
-- Remove BADOS configuration or change BADOS mitigation to Conservative.
Fix:
This release corrects a TMM crash that occurred when the virtual server was deleted during POST data and BADOS was in standard/aggressive mode.
Fixed Versions:
13.1.1.2, 14.0.0.5
739272-1 : Incorrect zombie counts in PBA stats with long PBA block-lifetimes
Links to More Info: BT739272
Component: Carrier-Grade NAT
Symptoms:
Due to a truncation error, a long Port Block Allocation (PBA) block lifetime can cause the PBA zombie stats to get incremented before the block lifetime expires and even though a zombie block has not been created.
Conditions:
Large Scale NAT (LSN) pool or Firewall NAT source-translation with a Port Block Allocation Block Lifetime greater than 65535.
Impact:
This bug affects only the 'Active Zombie Port Blocks', 'Total Zombie Port Blocks Created', and 'Total Zombie Port Blocks Deleted' counters. It does not convert active blocks to zombie blocks before the block lifetime expires.
Workaround:
There is no workaround.
Fix:
The 'Active Zombie Port Blocks' and 'Total Zombie Port Blocks Created' counters are now incremented only when the PBA block lifetime expires.
Fixed Versions:
13.1.1.5
739190 : Policies could be exported with not patched /Common partition
Links to More Info: BT739190
Component: Access Policy Manager
Symptoms:
Policies can be exported with a non-patched /Common partition, which results in references to profiles that are not imported.
Conditions:
The policy has objects outside of the policy's partition.
Impact:
Policy cannot be imported on the same system it was exported from.
Workaround:
There is no workaround.
Fix:
Proper naming of partitions has been restored, and import works again.
Fixed Versions:
13.1.1.2
739126 : Multiple VE installations may have different sized volumes
Links to More Info: BT739126
Component: TMOS
Symptoms:
When installing a 2nd, 3rd, (or more) version of BIG-IP to a Virtual Edition (VE) instance, the sizes of the non-shared volumes may be smaller than the first. This can be an issue if, for example, /var is smaller and fills up due to UCS archives, data gathered during troubleshooting, etc.
Conditions:
Install an additional version of BIG-IP to an existing VE instance.
Impact:
Disk volumes may run out of space sooner than expected, leading to issues when that space is needed for other operations.
Workaround:
Provision additional disk space to expand the available storage.
Fix:
In this release, the installer handles this condition without issue.
Fixed Versions:
13.1.1.2
739003-1 : TMM may crash when FastL4 is used on ePVA-capable BIG-IP platforms
Links to More Info: BT739003
Component: Local Traffic Manager
Symptoms:
TMM may crash when FastL4 is used on ePVA-capable BIG-IP platforms.
Conditions:
-- The virtual server has FastL4 profile assigned.
-- There is an iRule configured.
-- The iRule uses SERVER_CONNECTED event.
-- The pool member is route-able but does not exist.
Impact:
Traffic disrupted while tmm restarts. iRules that depend on the SERVER_CONNECTED event do not work properly.
Workaround:
None.
Fix:
TMM no longer crashes when FastL4 is used on ePVA-capable BIG-IP platforms.
Fixed Versions:
13.1.1.4
738985-2 : BIND vulnerability: CVE-2018-5740
Component: TMOS
Symptoms:
"deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c.
Conditions:
The "deny-answer-aliases" feature is explicitly enabled.
Impact:
Crash of the BIND process and loss of service while the process is restarted.
Workaround:
Only servers which have explicitly enabled the "deny-answer-aliases" feature are at risk and disabling the feature prevents exploitation.
Fix:
BIND patched to correct CVE-2018-5740.
Fixed Versions:
13.1.1.4, 14.0.0.3
738945-2 : SSL persistence does not work when there are multiple handshakes present in a single record
Links to More Info: BT738945
Component: Local Traffic Manager
Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.
Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.
Impact:
The SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded on to the server, but then the connection stalls and eventually hits the idle timeout.
Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.
After changing or disabling persistence, the transaction succeeds and no longer hangs.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
738943-5 : imish command hangs when ospfd is enabled
Links to More Info: BT738943
Component: TMOS
Symptoms:
- Dynamic routing is enabled.
- The ospfd protocol is enabled.
- The imish command hangs.
Conditions:
- Running the imish command.
Impact:
Loss of the ability to show dynamic routing state using imish.
Workaround:
Restart the ospfd daemon.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1
738887-3 : BIG-IP SNMPD vulnerability CVE-2019-6608
Component: TMOS
Symptoms:
https://support.f5.com/csp/article/K12139752
Conditions:
https://support.f5.com/csp/article/K12139752
Impact:
https://support.f5.com/csp/article/K12139752
Workaround:
https://support.f5.com/csp/article/K12139752
Fix:
https://support.f5.com/csp/article/K12139752
Fixed Versions:
11.6.4, 12.1.4, 13.1.1.4, 14.0.0.3
738881-2 : Qkview does not collect any data under certain conditions that cause a timeout
Links to More Info: BT738881
Component: TMOS
Symptoms:
Qkview enforces a timeout mechanism in various locations for its submodules. Under certain conditions, when a timeout occurs, Qkview collects no data, even though it should still be able to collect what data it can before performing the timeout check.
Conditions:
A particular timeout is encountered during a Qkview operation.
Impact:
Data that might have been collected is not, which might result in missing helpful diagnostic information.
Workaround:
Work around the issue by increasing the qkview timeout, for example:
qkview -t 720
Fix:
Changed the timeout check to occur after important data collection.
Fixed Versions:
13.1.3.4
738864-1 : javascript functions in href are learned from response as new URLs
Links to More Info: BT738864
Component: Application Security Manager
Symptoms:
New URLs representing JavaScript functions are learned from the response.
Conditions:
Learn from response is turned on, and URL learning is set to 'Always'.
Impact:
Wrong URLs are created and added to the policy. This does not really interfere with enforcement, but it adds redundant noise to the policy.
Workaround:
Either:
- Change URL learning from 'Always' to any of the other learning options (Compact \ Selective \ Never).
- Disable learn from response.
Fix:
JavaScript functions are no longer learned from responses as new URLs.
Fixed Versions:
13.1.1.4, 14.0.0.5
738669-2 : Login validation may fail for a large request with early server response
Links to More Info: BT738669
Component: Fraud Protection Services
Symptoms:
In the case of a large request/response, FPS may need to store ingress and egress chunks in a buffer for additional processing (ingress :: for parameter parsing; egress :: for login validation's banned/mandatory strings check or script injection). If the server responds fast enough, the buffer may contain mixed parts of the request and response. This may have several effects, from incorrectly performing login validation to generating a tmm core file.
Conditions:
-- Login validation is enabled and configured to check for banned/mandatory string.
-- A username parameter is configured.
-- There are no parameters configured for encrypt/HTML Field Obfuscation (HFO), and no decoy parameters.
-- There is a large request and response.
-- The system responds very quickly.
Impact:
This results in one or more of the following:
-- Login validation failure/skip.
-- Bad response/script injection.
-- tmm core. In this case, traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
FPS now handles ingress/egress buffers separately, so this issue no longer occurs.
Fixed Versions:
12.1.3.7, 13.1.1.2
738647-2 : Add the login detection criteria of 'status code is not X'
Links to More Info: BT738647
Component: Application Security Manager
Symptoms:
A login detection criterion of 'status code is not X' is needed to detect a successful login.
Conditions:
Attempting to detect a successful login when the response status code is not X (where X is some status code).
Impact:
Cannot configure login criteria.
Workaround:
None.
Fix:
This release adds a new criterion to the login criteria.
Fixed Versions:
12.1.4, 13.1.1.5, 14.0.0.5
738614-2 : 'Internal error' appears on Goodput GUI page
Links to More Info: BT738614
Component: Application Visibility and Reporting
Symptoms:
The Statistics :: Analytics : TCP : Goodput GUI page displays 'Internal Error', and data does not display.
Conditions:
This can occur on multi-blade VIPRION systems.
Impact:
You are unable to see statistics for TCP Goodput on a multi-blade system.
Workaround:
1. Edit /etc/avr/monpd/monp_tcp_measures.cfg file:
-- In the [cs_avg_conn_goodput_rcv_m] section, replace the existing value of the merge_formula parameter with the following one:
merge_formula=IF(SUM(cs_avg_conn_goodput_rcv_m)=0,"N/A",ROUND(SUM(cs_numendings_m*cs_avg_conn_goodput_rcv_m)/SUM(cs_numendings_m),2))
-- In the [cs_avg_conn_goodput_snt_m] section, replace the existing value of the merge_formula parameter with the following one:
merge_formula=IF(SUM(cs_avg_conn_goodput_snt_m)=0,"N/A",ROUND(SUM(cs_numendings_m*cs_avg_conn_goodput_snt_m)/SUM(cs_numendings_m),2))
-- In both aforementioned sections, add the following parameter:
merge_deps=cs_numendings_m
2. Restart the monpd daemon:
tmsh restart sys service monpd
Fix:
Fixed an issue with Goodput statistics on multi-blade systems.
Fixed Versions:
13.1.1.5, 14.0.0.5
738582-1 : Ping Access Agent Module leaks memory in TMM.
Links to More Info: BT738582
Component: Access Policy Manager
Symptoms:
While handling a Ping Access request, if the passing of internal events between modules fails, it might cause a memory leak inside TMM.
Conditions:
Internal events passing between Ping Access Request processing modules fail.
Impact:
Ping Access Agent Module leaks memory in TMM.
Workaround:
None.
Fixed Versions:
13.1.1.2, 14.0.0.5
738523-2 : SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages
Links to More Info: BT738523
Component: Local Traffic Manager
Symptoms:
When monitoring an SMTP server that emits multi-line '250' responses to the initial 'HELO' message, the monitor fails. If monitor logging is enabled on the pool member, the system posts an error similar to the following in the monitor log:
09:50:08.580145:(_Tcl /Common/mysmtp): ERROR: failed to complete the transfer, Failed to identify domain.
Conditions:
-- Monitoring an SMTP server.
-- SMTP server is configured to return a multi-line '250' response to the initial 'HELO' message.
Impact:
The pool member is marked down even though it is actually up.
Workaround:
None.
Fix:
The system now handles multi-line '250' responses to the initial 'HELO' message.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.0.1.1
738521-1 : i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
Links to More Info: BT738521
Component: Local Traffic Manager
Symptoms:
A trunk configured between a BIG-IP i4x00/i2x00 platform and an upstream switch may go down due to the presence of the VLAN tag.
Conditions:
LACP configured between a BIG-IP i4x00/i2x00 platform and an upstream switch.
Impact:
Trunks are brought down by upstream switch.
Workaround:
There are two workarounds:
-- Configure the trunk as 'untagged' in one of the VLANs in which it's configured.
-- Disable LACP.
Fix:
The system no longer transmits a VLAN tag for LACP PDUs, so this issue no longer occurs.
Fixed Versions:
12.1.4, 13.1.1.4, 14.0.0.5
738445-2 : IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup
Links to More Info: BT738445
Component: TMOS
Symptoms:
INVALID_SPI notification does not delete the IPsec-SA with the SPI value that appears in the notify payload. This occurs because the handler of INVALID-SPI notifications performs the following incorrect actions:
-- Fetches SPI from payload as if it's a string, rather than the network byte order integer it actually is.
-- Attempts phase 2 lookup via selector ID (reqid) rather than SPI.
Either alone prevents finding the SA to delete.
Conditions:
An IKEv1 IPsec peer sends an INVALID-SPI notification to the BIG-IP system.
Impact:
The IPsec-SA with that SPI cannot be found and is not deleted.
Workaround:
From the BIG-IP command line, you can still manually delete any IPsec-SA, including the invalid SPI, using the following command:
# tmsh delete net ipsec ipsec-sa spi <spi number>
Fix:
SPI is now extracted correctly from the payload as a binary integer, and the phase 2 SA lookup is done with a proper SPI search, which also requires a match in the peer address.
Fixed Versions:
12.1.5, 13.1.3.2, 14.0.1.1
738430-1 : APM is not able to do compliance check on iOS devices running F5 Access VPN client
Links to More Info: BT738430
Component: Access Policy Manager
Symptoms:
Compliance check against Microsoft Intune fails when an APM end user attempts a VPN connection from a managed iOS device running the F5 Access VPN client.
Conditions:
-- APM policy is configured to use Microsoft Intune for device compliance check.
-- APM end user is attempting VPN connection using the F5 Access VPN client on an iOS device.
Impact:
APM is not able to do compliance checks on the device, and VPN connection fails.
Workaround:
None.
Fix:
APM can now check iOS devices for compliance against Microsoft Intune.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
738397-1 : SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
Links to More Info: BT738397
Component: Access Policy Manager
Symptoms:
For a BIG-IP system configured as IdP, in the SAML-IdP-initiated case: If the IdP has a Per-Request policy (in addition to a V1 policy), such that the Per-Request policy has a subroutine or a subroutine macro with a logon page, the system reports access failure on running the policy.
The error logged is similar to the following: '/Common/sso_access:Common:218f759e: Authorization failure: Denied request for SAML resource /Common/saml_resource_obj1&state=000fffff032db022'.
Conditions:
-- BIG-IP system configured as IdP.
-- SAML IdP initiated case in which the following is true:
+ The IdP has a Per-Request policy (in addition to a V1 policy).
+ That Per-Request policy has a subroutine or a subroutine macro with a logon page.
Impact:
Access is denied. The request URI has '&state=<per-flow-id>' appended to the SAML Resource name.
Workaround:
None.
Fix:
The system now checks for additional query parameters in the request_uri while extracting the Resource name, so it is not incorrectly set to 'ResourceName&state=<per-flow-id>', which caused the access failure.
Fixed Versions:
12.1.3.7, 13.1.1.2, 14.0.0.5
738330-1 : /mgmt/toc endpoint issue after configuring remote authentication
Links to More Info: BT738330
Component: TMOS
Symptoms:
'Invalid username or password.' error on the /mgmt/toc page after configuring remote authentication.
Conditions:
When remote auth is configured.
Impact:
Cannot configure remote authentication.
After configuring remote authentication, you can log in to the /mgmt/toc area with the admin user, but logging in with a remote auth user results in 'You are not authorized to use this resource'.
Workaround:
On BIG-IP versions since 14.1.0.6 and 13.1.1.5:
Enable 'Fallback to Local' in the remote auth config section on the BIG-IP system:
tmsh modify auth source fallback true
Both local BIG-IP user 'admin' and LDAP user are now able to authenticate and access https://XX.XX.XX.XX/mgmt/toc.
On other versions of BIG-IP software, there is no workaround.
Fix:
When source type is set to a remote auth method, login now succeeds. If the remote server is unavailable, authentication now falls back to local authentication, if authentication source fallback is set to true.
Behavior Change:
This release allows fallback to local authentication. When the authentication source type is set to a remote authentication source, if the remote server is unavailable, authentication now falls back to local authentication, if authentication source fallback is set to true.
Fixed Versions:
13.1.3.5, 14.1.2.5, 15.0.1.4
738284-4 : Creating or deleting rule list results in warning message: Schema object encode failed
Links to More Info: BT738284
Component: Advanced Firewall Manager
Symptoms:
The warning message "Schema object encode failed: No foreign keys found for nested object" is logged to /var/log/ltm while creating or deleting a rule list:
Jul 25 05:44:49 localhost.localdomain warning icr_eventd[4778]: 01a10008:4: Schema object encode failed: No foreign keys found for nested object with tag 17547
Conditions:
Observed in /var/log/ltm when creating or deleting a rule list:
tmsh create security firewall rule-list rule-list1
tmsh delete security firewall rule-list rule-list1
Impact:
The warning message has no impact on functionality and can be ignored.
Fix:
Log message has been changed to log at the debug level.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.1
738211-3 : pabnagd core when centralized learning is turned on
Links to More Info: BT738211
Component: Application Security Manager
Symptoms:
pabnagd (the process responsible for automated and manual policy building operations) restarts and generates a core file. This might result in a loss of learning progress.
Note: This is a very rarely occurring issue.
Conditions:
Centralized learning is enabled for a policy.
Impact:
If there are locally learned policies, the system might lose some number of hours of learning progress. How many hours might be lost depends on the version, as follows:
-- For 13.1.0: 24 hours (12 hours, on average).
-- For 14.0.0: 1 hour (1/2 hour, on average).
Workaround:
None.
Fix:
The pabnagd process no longer restarts/cores when centralized learning is enabled.
Fixed Versions:
13.1.1.4, 14.0.0.5
738197-2 : IP address from XFF header is not taken into account when there are trailing spaces after IP address
Links to More Info: BT738197
Component: Application Visibility and Reporting
Symptoms:
X-FORWARDED-FOR (XFF) header is ignored by BIG-IP ASM even though usage of XFF is enabled in HTTP profile.
In DoS statistics, the original source IP is reported (instead of one taken from XFF).
Conditions:
There are trailing spaces after the IP address in the XFF header.
Impact:
Source IP is not reported as expected in all BIG-IP reports.
Workaround:
Configure the proxy server to not add trailing spaces after the IP address in the XFF header.
Fix:
Trailing spaces are now ignored when extracting IP addresses from XFF headers in AVR.
Fixed Versions:
13.1.1.5
738046-2 : SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby
Links to More Info: BT738046
Component: Local Traffic Manager
Symptoms:
For FastL4 connections, SERVER_CONNECTED currently doesn't fire on the standby device. If the standby device then becomes active, the first packet from the server on an existing FastL4 connection causes SERVER_CONNECTED to fire. Depending on what the iRule does in SERVER_CONNECTED, a variety of results can occur, including TMM coring due to commands being executed in unexpected states.
Conditions:
-- High availability configuration.
-- Mirrored FastL4 virtual server.
-- Attached iRule contains a SERVER_CONNECTED event.
Impact:
SERVER_CONNECTED does not fire when expected on standby device. When the standby device becomes active, the SERVER_CONNECTED iRule may cause TMM to core with traffic being disrupted while TMM restarts.
Workaround:
None.
Fix:
SERVER_CONNECTED now fires when expected on the standby device.
Fixed Versions:
12.1.5, 13.1.1.4
738032-2 : BIG-IP system reuses cached session-id after SSL properties of the monitor have been changed.
Links to More Info: BT738032
Component: Local Traffic Manager
Symptoms:
The BIG-IP system maintains an SSL session cache for SSL (https) monitors. After changing the properties of an SSL monitor that might affect the operation of SSL, the BIG-IP continues to reuse an existing SSL session ID.
Conditions:
-- The BIG-IP system has cached session ID from previous SSL session.
-- SSL properties of monitor that might affect the operation of SSL are changed.
-- Monitor is using bigd.
Impact:
Sessions still use the cached session ID. If the session continues to succeed, it uses the cached session ID until expiry.
Workaround:
-- Restart bigd.
-- Remove the monitor from the object and re-apply.
-- Use in-tmm monitors.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
737867-1 : Scheduled reports are being incorrectly displayed in different partitions
Links to More Info: BT737867
Component: Application Visibility and Reporting
Symptoms:
When navigating to 'Local traffic :: Profiles : Analytics : Schedule reports', scheduled analytics reports are being displayed in the list regardless of selected partition. However, you can only open reports belonging to the selected partition, even if they belong to 'Common'.
Conditions:
-- System configured with multiple partitions.
-- Viewing scheduled analytics reports of the selected partition.
Impact:
This makes it difficult to modify reports from a different partition.
Workaround:
Switch to the report's partition before editing it.
Fix:
Report's partition is now indicated in the list and correct handling is performed according to standard partition rules.
Fixed Versions:
13.1.1.2, 14.0.1.1
737863-1 : Advanced Filters for Captured Transactions not working on Multi-Blade Platforms
Links to More Info: BT737863
Component: Application Visibility and Reporting
Symptoms:
On multi-blade systems, when you navigate to System :: Logs : Captured Transactions, click Expand Advanced Filters, choose a filter, and click Update, the GUI reports a 'Could not get captured events' message.
Conditions:
-- Multi-blade systems.
-- AVR provisioned.
-- AVR HTTP Analytics Profile configured with 'Internal Traffic Capturing Logging Type' option enabled.
Impact:
The Captured Transactions filter does not work.
Workaround:
None.
Fix:
The Captured Transactions filter now works as expected.
Fixed Versions:
13.1.1.5, 14.0.0.5
737813-1 : BIG-IP is unable to send statistics to BIG-IQ DCD node using IPv6 address
Links to More Info: BT737813
Component: Application Visibility and Reporting
Symptoms:
When IPv6 is used for transferring data from BIG-IP systems to BIG-IQ DCD nodes, no traffic arrives at the BIG-IQ.
Conditions:
-- DCD node uses IPv6 interface for collecting data from BIG-IP systems.
-- BIG-IP is registered on BIG-IQ as a 'BIG-IP device' the regular way (not necessarily via an IPv6 management interface).
Impact:
No statistics from BIG-IP systems are collected.
Workaround:
Use IPv4 addresses instead.
Fix:
You can now use IPv6 addresses on BIG-IP systems, and statistics arrive at the BIG-IQ.
Fixed Versions:
13.1.1.4, 14.0.0.5
737758-2 : MPTCP Passthrough and VIP-on-VIP can lead to TMM core
Links to More Info: BT737758
Component: Local Traffic Manager
Symptoms:
If a FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled, TMM may produce a core upon receiving certain traffic.
Conditions:
A FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with a TCP profile attached that has MPTCP passthrough enabled, and certain traffic is received.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not using an iRule with the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled.
Fix:
If MPTCP passthrough is enabled, the system now processes incoming MPTCP connections coming from the loop device as if MPTCP is disabled.
Fixed Versions:
12.1.4, 13.1.1.4, 14.0.0.3
737603-1 : Apmd leaks memory when executing per-session policy via iRule
Links to More Info: BT737603
Component: Access Policy Manager
Symptoms:
Apmd leaks memory when executing per-session policy via iRule.
Conditions:
-- APM is licensed and provisioned.
-- Per-session policy is executed via iRules or APM-based System Authentication is used.
Impact:
Apmd leaks memory.
Workaround:
None.
Fix:
Apmd no longer leaks memory when a per-session policy is executed via iRules.
Fixed Versions:
13.1.3, 14.0.1.1
737550 : State Mirroring between BIG-IP 13.0.x and 13.1.x systems may cause TMM core on standby system during upgrade
Links to More Info: BT737550
Component: Local Traffic Manager
Symptoms:
BIG-IP devices running 13.0.x (13.0.x or a 13.0.x point release) and 13.1.x software versions in a High-Availability (HA) configuration with state mirroring enabled may cause a standby system to produce a TMM core file.
Conditions:
-- State mirroring configured on two or more BIG-IP systems (state mirroring is enabled by default).
-- For VIPRION clusters or VIPRION-based vCMP guests, the systems are configured to mirror 'Between Clusters'.
-- The active system is running v13.0.x, and the standby system is running v13.1.x, e.g., as a result of an in-progress upgrade.
Impact:
TMM may crash on a standby system during upgrade.
This issue should not disrupt traffic, because the TMM is coring only on the standby unit.
Workaround:
To work around this issue, disable State Mirroring prior to upgrading, and re-enable it once both devices are running v13.1.x, or complete the upgrade of both devices to v13.1.x.
1. You can disable mirroring using either the GUI or the command line.
1a. In the GUI:
-- Set the Primary and Secondary Local Mirror Address configurations to 'None' under Device Management :: Devices :: [Self] device :: Mirroring Configuration.
1b. From the command line:
-- Run the following command:
tmsh modify cm device <name-of-self-device> mirror-ip any6 mirror-secondary-ip any6 && tmsh save sys config
Important: This action results in connection state loss on failover.
2. Once all devices are running the same software version, re-enable state mirroring by re-adding the device mirror IPs removed previously.
Note: F5 recommends that BIG-IP systems run with the same software version on all devices.
Fix:
TMM on standby no longer cores during upgrade.
Fixed Versions:
13.1.1
737536-1 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
Links to More Info: BT737536
Component: TMOS
Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|
The goal is to redistribute the default route received by OSPF process 1 (the process peering with the Internet) into OSPF process 2. If that route is removed (e.g., an Internet link goes down), OSPF process 2 should remove the associated route as well, so the 'default-information originate' command is the ideal choice: as long as the OSPF process 1 default route is in the routing table, the default route is redistributed into OSPF process 2, and if that route is gone, OSPF process 2 immediately removes it from the routing table. However, enabling 'default-information originate' on OSPF process 2 does not affect the outcome, and a default route is not injected as it should be.
Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example:
OSPF router config examples:
***
OSPF 1:
router ospf 1
ospf router-id 10.13.0.7
redistribute ospf
network 10.13.0.0/16 area 0.0.0.1
default-information originate
OSPF 2:
router ospf 1
ospf router-id 10.14.0.5
redistribute ospf
network 10.14.0.0/16 area 0.0.0.1
BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
***
-- Enabling 'default-information originate' on BIG-IP OSPF process 2 should allow OSPF process 2 to receive the default route advertised by BIG-IP OSPF process 1, if one exists.
# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
default-information originate
Impact:
A default route from OSPF process 1 is not advertised into the OSPF process 2 routing table.
Workaround:
None.
Fix:
Enabling 'default-information originate' on OSPF process 2 forces OSPF process 2 to receive a default route from OSPF process 1 if such exists.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
737500-2 : Apply Policy and Upgrade time degradation when there are previous enforced rules
Links to More Info: BT737500
Component: Application Security Manager
Symptoms:
When there are previously enforced rules present in the system, the time to apply changes made to a policy and the time to upgrade the configuration to a new version both suffer.
Conditions:
-- Signature Staging is enabled.
-- Updated Signature Enforcement is set to 'Retain previous rule enforcement and place updated rule in staging'.
-- Signatures are enforced on a policy.
-- A new ASM Signature Update is installed, which modifies the matching rule for some enforced signatures.
Impact:
The time to apply changes made to a policy, and the time to upgrade the configuration to a new version, suffer from an inefficient query related to the existence of previously enforced rules.
Workaround:
There is no workaround at this time.
Fix:
Query indexing and performance have been fixed: Apply Policy executes in the same time whether or not there are previously enforced rules in the system.
Enforcing all signatures in a set now correctly removes the previously enforced rule from the signature.
Fixed Versions:
13.1.1.2, 14.0.0.5
737445-2 : Use of TCP Verified Accept can disable server-side flow control
Links to More Info: BT737445
Component: Local Traffic Manager
Symptoms:
Unexpectedly high memory usage, aggressive sweeper messages, TCP memory pressure messages in logs.
Conditions:
Verified Accept is enabled in TCP profiles that are associated with virtual servers.
Impact:
Excessive memory usage.
Workaround:
There is no workaround other than disabling Verified Accept.
Fix:
Fixed server-side flow control.
Fixed Versions:
13.1.1.2, 14.0.0.3
737437-2 : IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages
Links to More Info: BT737437
Component: TMOS
Symptoms:
The BIG-IP system might fail to re-establish an IKEv1 phase 1 security association (ISAKMP-SA) when the Initiator starts the exchange using UDP port 4500. The exchange progresses to the point of NAT detection, whereupon the BIG-IP system stops using the Non-ESP marker and sends malformed ISAKMP messages.
Conditions:
All of the following must be true:
-- The BIG-IP system is an IKEv1 Responder.
-- ISAKMP phase 1 negotiation starts on UDP port 4500.
-- NAT is detected on only one side during the phase 1 exchange.
Impact:
-- Establishment of an ISAKMP-SA will fail until the peer device switches to UDP port 500.
-- The remote peer may send INVALID-SPI messages quoting SPI numbers that do not exist.
Workaround:
To help work around this issue, you can try the following:
-- Make sure the BIG-IP system is always the Initiator.
-- Bypass NAT.
-- Configure both the BIG-IP system and remote peer to use address IDs that are not the same as the IP addresses used in the ISAKMP exchange, thus causing the BIG-IP system to think there is NAT on both sides.
Fix:
The BIG-IP system now keeps the Non-ESP marker when NAT is detected.
Fixed Versions:
12.1.5, 13.1.1.4, 14.0.1.1
737397-3 : User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP
Links to More Info: BT737397
Component: TMOS
Symptoms:
Unable to archive certificates or keys using GUI and iControlSOAP.
Conditions:
When the user has the Certificate Manager role.
Impact:
Unable to back up certificates or keys.
Workaround:
None.
Fix:
Users with the Certificate Manager role are now able to archive certificates using the GUI and iControlSOAP.
Fixed Versions:
13.1.1.4, 14.0.0.5
737368-1 : Large fingerprint cookie value may result in tmm core.
Links to More Info: BT737368
Component: Fraud Protection Services
Symptoms:
The JavaScript component calculates part of the fingerprint cookie value. In some rare cases, large values are generated and may result in tmm core.
Conditions:
A large value (more than 35 characters) inside the fingerprint cookie.
Impact:
Memory overrun, tmm core in some cases. Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
FPS now checks the value and truncates it if it exceeds the maximum length.
Fixed Versions:
13.1.1.2, 14.0.1.1
737355-1 : HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files
Links to More Info: BT737355
Component: Access Policy Manager
Symptoms:
HTTP Strict-Transport-Security (HSTS) headers are missing for some APM-generated files.
Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS enabled.
-- HTTP GET requests for APM renderer files, including CSS, JS, and image files from the webtop.
Impact:
Without these headers, the user agent (browser) may switch to non-secure communication.
Workaround:
None.
Fix:
When the HTTP profile is configured with HSTS enabled, all APM renderer files are now sent with HSTS headers.
Fixed Versions:
13.1.1.2
737332-3 : It is possible for DNSX to serve partial zone information for a short period of time
Links to More Info: BT737332
Component: Global Traffic Manager (DNS)
Symptoms:
During zone transfers into DNS Express, partial zone data may be available until the transfer completes.
Conditions:
-- Two zones being transferred during the same time period
+ zone1.example.net
+ zone2.example.net
-- Transfer of zone1 has started, but not finished.
-- zone2 starts a transfer and finishes before zone1 finishes, meaning that the database might be updated with all of the zone2 data, and only part of the zone1 data.
Impact:
Partial zone data will be served, including possible NXDOMAIN or NODATA messages. This happens until zone1 finishes and saves to the database, at which time both zones' data will be complete and correct.
Workaround:
The workaround is to limit the number of concurrent transfers to 1. However, this severely limits the ability of DNS Express to update zones in a timely fashion if there are many zones and many updates.
Fix:
All zone transfers are now staged until they are complete. The zone transfer data is then saved to the database. Only when the zone data has completed updating to the database will the data be available to queries.
Fixed Versions:
12.1.4, 13.1.1.5
737322-4 : tmm may crash at startup if the configuration load fails
Links to More Info: BT737322
Component: TMOS
Symptoms:
Under certain circumstances, tmm may crash at startup if the configuration load fails.
Conditions:
This might occur after a configuration loading failure during startup, when TMM might take longer than usual to be ready.
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer crashes at startup if the configuration load fails.
Fixed Versions:
12.1.5.3, 13.1.3.6
737098-3 : ASM Sync does not work when the configsync IP address is an IPv6 address
Links to More Info: BT737098
Component: TMOS
Symptoms:
If the configsync IP address of the device is configured to be an IPv6 address, changes in ASM configuration do not synchronize across the cluster.
Conditions:
Devices in a Device Group have an IPv6 address set as their configsync IP address.
Impact:
ASM configuration does not synchronize across the Device Group.
Workaround:
Set the configsync IP address to be an IPv4 address and restart the asm_config_server process. To restart the asm_config_server process, run the following command:
pkill -f asm_config_server
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2
737064-2 : ACCESS::session iRule commands may not work in serverside events
Links to More Info: BT737064
Component: Access Policy Manager
Symptoms:
-- 'ACCESS::session sid' returns an empty value.
-- 'ACCESS::session data get <varname>' returns an empty value.
Conditions:
-- Using IP-based sessions.
-- ACCESS::session iRule commands in a serverside iRule event, such as HTTP_PROXY_CONNECT.
-- Using SSL Bypass. Note: This issue is known to occur when using SSL Bypass, but this is not the only configuration that exhibits the problem.
Impact:
iRules may not work as expected.
Workaround:
There is no workaround at this time.
Fix:
ACCESS::session iRule commands now work in serverside events when using IP-based sessions.
Fixed Versions:
13.1.1.2
735832-1 : RAM Cache traffic fails on B2150
Links to More Info: BT735832
Component: Performance
Symptoms:
Rendering pages from RAM Cache fails. System does not pass RAM Cache traffic on B2150 platform.
Conditions:
-- VIPRION B2150 blade.
-- Attempting to pass traffic from RAM Cache.
Impact:
B2150 does not pass any RAM Cache traffic.
Workaround:
None.
Fix:
RAM Cache traffic now succeeds on B2150.
Fixed Versions:
12.1.5, 13.1.1.5
735565-1 : BGP neighbor peer-group config element not persisting
Links to More Info: BT735565
Component: TMOS
Symptoms:
The neighbor peer-group configuration element does not persist after a restart.
Conditions:
- Dynamic routing enabled.
- BGP neighbor configured with a peer-group.
- BIG-IP or tmrouted daemon restart.
Impact:
BGP peer-group configuration elements do not persist.
Workaround:
Reconfigure the BGP neighbor peer-group after the restart.
Fix:
BGP neighbor peer-group configuration is now properly saved to the configuration and persists after a restart.
Fixed Versions:
12.1.4.1, 13.1.3, 14.0.1.1
734846-3 : Redirection to logon summary page does not occur after session timeout
Links to More Info: BT734846
Component: TMOS
Symptoms:
After a BIG-IP Administrator user session times out, the user is not automatically redirected to the logon summary page, despite being configured to do so.
Conditions:
-- The BIG-IP system is configured to redirect to the logon summary page immediately after logging in, using the following db variable:
ui.users.redirectsuperuserstoauthsummary = true
-- The BIG-IP Administrator users' session automatically times out.
Impact:
The system does not comply with government security requirements that BIG-IP Administrator users be sent automatically to the logon summary. BIG-IP Administrator users must manually navigate to the logon summary page.
Workaround:
Manually navigate to the logon summary page.
Fixed Versions:
13.1.3.4
734595-2 : sp-connector is not being deleted together with profile
Links to More Info: BT734595
Component: Access Policy Manager
Symptoms:
If a profile is connected to an SSO SAML IdP configuration with an SP connector, the sp-connector is not available for deletion when the profile is deleted.
Conditions:
-- Profile is connected to an SSO SAML IdP configuration with an SP connector.
-- Deleting the profile and attempting to delete the sp-connector.
Impact:
The SP connector is not listed for deletion when the profile is deleted.
Workaround:
To delete the SP connector, run the following command:
tmsh delete apm sso saml-sp-connector NAME
Fix:
SP connectors are now available for deletion when the profile is deleted.
Fixed Versions:
13.1.1.2
734539-3 : The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads
Links to More Info: BT734539
Component: TMOS
Symptoms:
When an IKEv1 peer sends an INVALID-SPI payload, and the BIG-IP system cannot find the phase-two Security Association (SA) for that SPI but can find the phase-one SA involved, the racoon daemon may crash if additional INVALID-SPI payloads follow.
Conditions:
-- An INVALID-SPI notification is received.
-- That phase-two SA is already gone.
-- The phase-one parent SA is still around.
-- Subsequent notification INVALID-SPI payloads involve the same phase-one SA.
Impact:
The v1 racoon daemon cores, interrupting traffic until new tunnels can be established after racoon restarts.
Workaround:
There is no workaround at this time.
Fix:
The system no longer destroys the parent phase-one SA when an INVALID-SPI notification cannot find the target phase-two SA, so this issue does not occur.
Fixed Versions:
12.1.5, 13.1.3, 14.0.1.1
734527-1 : BGP 'capability graceful-restart' for peer-group not properly advertised when configured
Links to More Info: BT734527
Component: TMOS
Symptoms:
A BGP neighbor uses a peer-group with 'capability graceful-restart' enabled (which is the default for neighbors). However, on the system, the peer-group setting defaults to disabled. Because there is no config statement to enable 'capability graceful-restart' after a restart, it is turned off after config load, which also turns it off for any BGP neighbor using that peer-group.
Conditions:
- Neighbor configured to use peer-group.
- Peer-group configured with capability graceful-restart, but with the default: disabled.
Impact:
Because the peer-group setting is disabled by default, and there is no operation to enable it after a restart, 'capability graceful-restart' is turned off after config load, and neighbors inheriting it from the peer-group have it turned off as well.
Workaround:
Re-issue the commands to set peer-group 'capability graceful-restart' and 'clear ip bgp *' to reset BGP neighbors.
Fix:
The peer-group now has 'capability graceful-restart' enabled by default, so this issue no longer occurs.
Behavior Change:
In this release, peer-group has 'capability graceful-restart' enabled by default.
Fixed Versions:
11.6.5.1, 12.1.4, 13.1.1.2, 14.0.0.3
734446-2 : TMM crash after changing LSN pool mode from PBA to NAPT
Links to More Info: BT734446
Component: Carrier-Grade NAT
Symptoms:
TMM crashes after changing LSN pool mode from PBA to NAPT when long lived connections are killed due to the PBA block lifetime and zombie timeout expiring.
Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set and long lived connections.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.
The PBA pool can be deleted after the virtual servers are no longer using it.
Fix:
TMM no longer crashes after changing LSN pool mode from PBA to NAPT.
Fixed Versions:
11.6.4, 12.1.4, 13.1.1.2, 14.0.0.3
734291-2 : Logon page modification fails to sync to standby
Links to More Info: BT734291
Component: Access Policy Manager
Symptoms:
Changes in the login page of VPE do not sync to standby.
Conditions:
1. You make changes to the logon page on the active device, making changes to the username or any other field on the login page of VPE.
2. You sync to standby, and it succeeds.
Impact:
When you access the standby device, a customization error message appears and the dialog fails to open in VPE. You cannot see the changes made on the active device from the standby device.
Workaround:
Do not make changes to fields on the login page.
Fix:
Changes in the login page of VPE now sync to standby.
Fixed Versions:
13.1.1.5, 14.1.0.6
734276-2 : TMM may leak memory when SSL certificates with VDI or EAM in use
Links to More Info: BT734276
Component: Local Traffic Manager
Symptoms:
TMM 'method' memory usage grows over time when VDI and serverssl *or* EAM and clientssl are configured on the same VIP.
Conditions:
One or both of the following:
-- VDI and serverssl are configured on the same VIP
-- EAM and clientssl are configured on the same VIP
Impact:
TMM memory usage grows over time leading to eventual performance degradation and potential traffic outage if TMM cores.
Workaround:
No workaround short of not using these combinations of features.
Fix:
TMM no longer leaks memory when VDI and serverssl *or* EAM and clientssl are configured together on the same VIP.
Fixed Versions:
13.1.1.4
734228-1 : False-positive illegal-length violation can appear
Links to More Info: BT734228
Component: Application Security Manager
Symptoms:
A false-positive illegal-length violation.
Conditions:
A chunked request where the request length is more than half of the configured max-request length.
Impact:
False-positive illegal-length violation.
Workaround:
Configure a higher max request length violation.
Fix:
Fixed a false-positive request-length violation.
Fixed Versions:
13.1.1.4, 14.0.1.1, 14.1.2.3
733585-3 : Merged can use 100% of CPU if all stats snapshot files are in the future
Links to More Info: BT733585
Component: TMOS
Symptoms:
Merged uses 100% of CPU if it cannot remove the oldest snapshot file, due to all snapshot files having timestamps in the future.
Conditions:
All stats snapshot files have timestamps in the future, and the release includes the fix for issue 721740 but not for this issue.
Impact:
Merged uses 100% of the CPU.
Workaround:
Remove snapshot stats files that have timestamps in the future and restart merged.
Fix:
Correctly exit cleanup logic when all stats snapshot files have timestamps in the future.
Fixed Versions:
13.1.1.2
731168-2 : BIG-IP may attempt to write to an out of bounds memory location, causing the bd daemon to crash.
Links to More Info: BT731168
Component: Application Security Manager
Symptoms:
The bd daemon crashes.
Conditions:
-- ASM provisioned and passing traffic.
-- Other conditions are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None.
Fix:
A possible out of bounds write was fixed.
Fixed Versions:
13.1.5, 14.1.4.5
727467-1 : Some iSeries appliances can experience traffic disruption when the high availability (HA) peer is upgraded from 12.1.3 and earlier to 13.1.0 or later.
Links to More Info: BT727467
Component: TMOS
Symptoms:
-- CPU core 0 can be seen utilizing 100% CPU.
-- Other even-numbered cores may show a 40% increase in CPU usage.
-- Pool monitors are seen flapping in /var/log/ltm.
-- System posts the following messages:
+ In /var/log/ltm:
- err tmm4[21025]: 01340004:3: high availability (HA) Connection detected dissimilar peer: local npgs 1, remote npgs 1, local npus 8, remote npus 8, local pg 0, remote pg 0, local pu 4, remote pu 0. Connection will be aborted.
+ In /var/log/tmm:
- notice DAGLIB: Invalid table size 12
- notice DAG: Failed to consume DAG data
Conditions:
-- Active unit on a pre-12.1.3.1 release.
-- Standby peer upgraded to a 13.1.0 or later release.
-- Device is an iSeries device (i5600 or later).
Important: This issue may also affect iSeries high availability (HA) peers on the same software version if the devices do not share the same model number.
Note: Although this also occurs when upgrading to 12.1.3.8 and 13.0.x, the issue is not as severe.
Impact:
- High CPU usage.
- Traffic disruption.
Workaround:
Minimize impact on affected active devices by keeping the upgraded post-13.1.0 unit offline as long as possible before going directly to Active.
For example, on a 12.1.3 unit to be upgraded (pre-upgrade):
-- Run the following command: tmsh run sys failover offline persist
-- Run the following command: tmsh save sys config
-- Upgrade to 13.1.0.8.
-- Unit comes back up on 13.1.0.8 as 'Forced Offline' and does not communicate with the active unit running 12.1.3 at all.
-- Set up high availability (HA) group and make sure the 12.1.3 Active unit's high availability (HA) score is lower than 13.1.0.8.
-- To cause the 13.1.0.8 unit to go directly to Active and take over traffic, run the following command on the unit running 13.1.0.8:
tmsh run sys failover online
At this point, the 12.1.3 unit starts to show symptoms of this issue; however, because it is no longer processing traffic, there is no cause for concern.
Fix:
This release introduces a new bigdb variable DAG.OverrideTableSize. To prevent the issue on an upgraded post-13.1.0 unit, set DAG.OverrideTableSize to 3.
In order to return the system to typical CPU usage, you must set the db variable, and then restart tmm by running the following command:
bigstart restart tmm
(Restarting tmm is required for 13.1.1.2 and newer 13.1.1.x releases.)
Note: Because the restart is occurring on the Standby unit, no traffic is disrupted while tmm restarts.
Fixed Versions:
13.1.1.2, 14.0.0.5
727297-3 : GUI TACACS+ remote server list should accept hostname
Links to More Info: BT727297
Component: TMOS
Symptoms:
Cannot add hostnames to the Remote - TACACS+ server list in the GUI.
Conditions:
-- On the System :: Users : Authentication page with Remote - TACACS+ specified.
-- Add hostname to the server list.
Impact:
Validation does not accept a hostname. Cannot add hostname as a server.
Workaround:
Use tmsh to add a hostname.
Fix:
The system now allows hostname to be added with proper validation in this case.
Fixed Versions:
13.1.1.2
727292-1 : SSL in proxy shutdown case does not deliver server TCP FIN
Links to More Info: BT727292
Component: Local Traffic Manager
Symptoms:
Connection is not torn down.
Conditions:
HTTPS server disconnects connection when in handshake.
Impact:
Potential resource exhaustion.
Workaround:
You can mitigate this condition in one of the following ways:
-- Wait for system to clean up lingering connections.
-- Use tmsh to clean up connections. (Note: Sometimes this might not work as expected depending on conditions.)
-- If this happens on the config-sync channel, use a different self-ip for config-sync on the affected device.
Fix:
SSL server side handles this error situation by sending out all remaining egress data and sending a shutdown signal to lower filters.
Fixed Versions:
12.1.5, 13.1.1.5
727288-3 : Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC
Links to More Info: BT727288
Component: Service Provider
Symptoms:
Diameter message routing framework sends Capabilities-Exchange-Request (CER)/Device-Watchdog-Request (DWR) with hop-by-hop (h2h) ID and end-to-end (e2e) ID set to 0 as the server.
Conditions:
Diameter Message Routing Framework (MRF) in use
Impact:
The BIG-IP system sends CER and DWR to remote peers.
However, the BIG-IP system sends e2e=0 and h2h=0 as the server ID in the CER and DWR requests. This does not comply with RFC 6733 (https://tools.ietf.org/html/rfc6733).
Workaround:
Use a DIAMETER_EGRESS iRule event to change the hop-by-hop ID and end-to-end ID.
Fixed Versions:
13.1.3.4
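The header layout and identifier rules this entry refers to, as an added Python example (not F5 code and not part of the bug entry): it packs and parses the RFC 6733 section 3 header, allocates Hop-by-Hop and End-to-End Identifiers the way the RFC describes, and audits a sequence of requests on one connection for repeated identifiers, which is what constant h2h=0/e2e=0 amounts to. Command codes 257 (CER) and 280 (DWR) are from the RFC; the sample messages are constructed and carry no AVPs.

```python
import os
import struct
import time

# RFC 6733 section 3 header: version(8) | length(24) || flags(8) | code(24) ||
# application-id || hop-by-hop id || end-to-end id  (five 32-bit words).
DIAMETER_HEADER = struct.Struct("!5I")
CMD_CER = 257          # Capabilities-Exchange
CMD_DWR = 280          # Device-Watchdog
FLAG_REQUEST = 0x80    # 'R' bit in the flags octet


def build_header(length, flags, command_code, application_id, hop_by_hop, end_to_end):
    """Pack a Diameter header; the payload (AVPs) is not modelled here."""
    return DIAMETER_HEADER.pack(
        (1 << 24) | (length & 0xFFFFFF),
        (flags << 24) | (command_code & 0xFFFFFF),
        application_id, hop_by_hop, end_to_end)


def parse_header(data):
    w0, w1, app, h2h, e2e = DIAMETER_HEADER.unpack_from(data)
    return {"version": w0 >> 24, "length": w0 & 0xFFFFFF,
            "flags": w1 >> 24, "code": w1 & 0xFFFFFF,
            "app_id": app, "h2h": h2h, "e2e": e2e}


class IdAllocator:
    """Identifiers as RFC 6733 section 3 describes them: the Hop-by-Hop
    Identifier must be unique among outstanding requests on a connection;
    the End-to-End Identifier is seeded with the low 12 bits of the current
    time in its high 12 bits and a random value in the low 20 bits, then
    incremented per request."""

    def __init__(self, now=None):
        seconds = int(time.time() if now is None else now)
        self._h2h = int.from_bytes(os.urandom(4), "big")
        self._e2e = ((seconds & 0xFFF) << 20) | (int.from_bytes(os.urandom(4), "big") & 0xFFFFF)

    def next_h2h(self):
        self._h2h = (self._h2h + 1) & 0xFFFFFFFF
        return self._h2h

    def next_e2e(self):
        self._e2e = (self._e2e + 1) & 0xFFFFFFFF
        return self._e2e


def audit_requests(raw_messages):
    """Audit the requests sent on one connection: a repeated Hop-by-Hop or
    End-to-End Identifier is a compliance problem. A peer that always sends
    h2h=0 and e2e=0, the symptom above, fails on its second request."""
    seen_h2h, seen_e2e, problems = set(), set(), []
    for i, raw in enumerate(raw_messages):
        h = parse_header(raw)
        if h["version"] != 1:
            problems.append((i, "unsupported version %d" % h["version"]))
        if not h["flags"] & FLAG_REQUEST:
            continue  # answers echo the request's identifiers; not audited here
        if h["h2h"] in seen_h2h:
            problems.append((i, "duplicate hop-by-hop id %#x" % h["h2h"]))
        if h["e2e"] in seen_e2e:
            problems.append((i, "duplicate end-to-end id %#x" % h["e2e"]))
        seen_h2h.add(h["h2h"])
        seen_e2e.add(h["e2e"])
    return problems


# Constructed sample: a CER followed by a DWR, both with zero identifiers,
# then the same pair with allocator-supplied identifiers.
NONCOMPLIANT = [build_header(20, FLAG_REQUEST, CMD_CER, 0, 0, 0),
                build_header(20, FLAG_REQUEST, CMD_DWR, 0, 0, 0)]
_ids = IdAllocator()
COMPLIANT = [build_header(20, FLAG_REQUEST, code, 0, _ids.next_h2h(), _ids.next_e2e())
             for code in (CMD_CER, CMD_DWR)]

if __name__ == "__main__":
    print(audit_requests(NONCOMPLIANT))   # two duplicate-id findings at index 1
    print(audit_requests(COMPLIANT))      # []
```

The audit deliberately checks uniqueness rather than "not zero": a single zero identifier is not forbidden by the RFC, but a server that stamps every CER and DWR with the same pair cannot match answers to requests, which is the interoperability problem behind this entry.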
727222-1 : 206 Partial Content responses from ramcache have malformed Content-Range header
Links to More Info: BT727222
Component: Local Traffic Manager
Symptoms:
When ramcache serves a 206 Partial Content response from cache, the Content-Range header repeats the name:
Content-Range: Content-Range: bytes 0-5/28
Conditions:
Request from client for partial document (Range header) against a virtual server with a web-acceleration profile having no applications (ramcache), where the requested document is present in ramcache.
Impact:
The client may mishandle the response, as the Content-Range header is malformed. This may cause additional traffic as the client may retrieve the entire document in a subsequent request due to the malformed response.
Workaround:
Remove the duplicate portion of the Content-Range header using an iRule at HTTP_RESPONSE_RELEASE time.
Fix:
The Content-Range header is now correctly formed for 206 Partial Content responses served from ramcache.
Fixed Versions:
13.1.1.2
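What the client-side check and the iRule workaround have to do, as an added Python example (not F5 code and not part of the bug entry): it validates a Content-Range value against the RFC 7233 byte-content-range form, strips the repeated header name from the defective value, and rewrites a constructed 206 response. The sample response and its body are made up.

```python
import re

# RFC 7233 section 4.2 byte-content-range: "bytes first-last/complete",
# with "*" allowed for an unsatisfied range or an unknown complete length.
_CONTENT_RANGE = re.compile(
    r"^bytes (?:(?P<first>\d+)-(?P<last>\d+)|\*)/(?:(?P<complete>\d+)|\*)$")


def parse_content_range(value):
    """Return (first, last, complete) for a well-formed value, None otherwise.
    Unknown fields come back as None; inconsistent ranges are rejected."""
    m = _CONTENT_RANGE.match(value.strip())
    if not m:
        return None
    first, last, complete = (int(g) if g is not None else None
                             for g in (m.group("first"), m.group("last"), m.group("complete")))
    if first is not None and (first > last or (complete is not None and last >= complete)):
        return None
    return first, last, complete


def repair_content_range(value):
    """Strip a repeated 'Content-Range:' name from the front of the value,
    which is what the HTTP_RESPONSE_RELEASE iRule workaround has to do.
    Returns the cleaned value, or None if it still is not a valid range."""
    cleaned = value.strip()
    while re.match(r"(?i)content-range\s*:", cleaned):
        cleaned = cleaned.split(":", 1)[1].strip()
    return cleaned if parse_content_range(cleaned) else None


def fix_206_response(raw):
    """Rewrite the Content-Range header of a raw HTTP/1.1 206 response.
    Other status codes pass through untouched."""
    head, sep, body = raw.partition("\r\n\r\n")
    status_line, *headers = head.split("\r\n")
    if not status_line.startswith("HTTP/1.1 206"):
        return raw
    out = [status_line]
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-range":
            fixed = repair_content_range(value)
            if fixed is None:
                raise ValueError("unrepairable Content-Range: %r" % value)
            out.append("Content-Range: " + fixed)
        else:
            out.append(line)
    return "\r\n".join(out) + sep + body


# Constructed sample of the defective response (body is the first 6 of 28 bytes).
BAD_RESPONSE = ("HTTP/1.1 206 Partial Content\r\n"
                "Content-Type: text/plain\r\n"
                "Content-Range: Content-Range: bytes 0-5/28\r\n"
                "Content-Length: 6\r\n"
                "\r\n"
                "Hello,")

if __name__ == "__main__":
    print(fix_206_response(BAD_RESPONSE).split("\r\n")[2])   # Content-Range: bytes 0-5/28
```

A strict client treats "Content-Range: bytes 0-5/28" as a range and the doubled form as garbage, which is why it falls back to re-fetching the whole document; the repair is only safe because the remaining value is re-validated before it is written back.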
727212-1 : Subscriber-id query using full length IPv6 address fails.
Links to More Info: BT727212
Component: Carrier-Grade NAT
Symptoms:
The FW NAT / CGNAT modules query the subscriber ID by IPv6 address. When the subscriber table is keyed by a masked IPv6 address, a query with the full-length address can fail under some circumstances.
Conditions:
The network is using an IPv6 mask other than 128. Subscribers are created using the masked IP address as the key. If NAT module uses the complete IP address as the query key, the subscriber will not be found.
Impact:
Logs contain UNKNOWN subscriber-id.
Workaround:
There is no workaround at this time.
Fix:
Subscriber ID queries using IPv6 address are now returning the subscriber-id.
Fixed Versions:
13.1.1.4, 14.0.0.5
727206 : Memory corruption when using SSL Forward Proxy on certain platforms
Links to More Info: BT727206
Component: Local Traffic Manager
Symptoms:
When using SSL Forward proxy, memory corruption can occur, which can eventually lead to a tmm crash.
Conditions:
Client SSL profile on a virtual server with SSL Forward proxy enabled.
-- Using the following platforms:
- vCMP host
- 2000s / 2200s
- 5000s / 5200v
- 5050s / 5250v / 5250v-F
- 10350V-F
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes under these conditions.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.0.0.5
727107-2 : Request Logs are not stored locally due to shmem pipe blockage
Links to More Info: BT727107
Component: Application Security Manager
Symptoms:
An unknown issue causes the communication layer between pabnagd and asmlogd to become stuck. Messages similar to the following appear in pabnagd.log:
----------------------------------------------------------------------
account |NOTICE|... src/Account.cpp:183|Skipped 36 repeated messages. Request Log protobuf subscription queue is full. Message dropped.
rqlgwriter |WARNIN|... src/RequestLogWriter.cpp:137|Skipped 599 repeated messages. No space to write in shmem.
Conditions:
Request Logs are not stored locally due to shmem pipe blockage.
Impact:
Event logs stop logging locally.
Workaround:
Restart policy builder with:
killall -s SIGHUP pabnagd
Fix:
The policy builder now detects the blockage, and restarts the connection with the request logger.
Fixed Versions:
12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
727044-2 : TMM may crash while processing compressed data
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing compressed data.
Conditions:
Compression enabled
Hardware compression disabled
Impact:
TMM crash leading to a failover event.
Workaround:
No workaround.
Fix:
TMM now correctly processes compressed traffic.
Fixed Versions:
12.1.4, 13.1.1.2, 14.0.0.3
727031-1 : TMM restart in B2250 vCMP systems, and ping/monitor failures in non-B2250 vCMP systems.
Links to More Info: BT727031
Component: Access Policy Manager
Symptoms:
-- On B2250 blades the Traffic Management Microkernel (TMM) may experience a series of panics and restarts.
The system reports a related message in /var/log/tmm:
vdag failed to attach
-- On other types of BIG-IP systems (e.g., iSeries) ICMP monitors (or manual pings from the command line) may fail, indicating incorrectly that a node which is known to be up is down, and a packet capture will show ICMP echo reply packets arriving, but being ignored.
Conditions:
-- Guest BIG-IP instance in a vCMP configuration.
-- Guest is running BIG-IP v13.1.3.5.
-- Host is running a software version other than BIG-IP v13.1.3.5.
-- For the tmm panic issue, the host is a B2250 blade.
Impact:
-- For B2250 configurations, tmm restarts. Traffic disrupted while tmm restarts.
-- For non-B2250 configurations, ICMP monitors are incorrectly marked down.
Workaround:
None.
Note: If installing 13.1.3.5 on a vCMP host or guest, please contact F5 Support and ask for an engineering hotfix with the fix for this issue. Install it on the vCMP host and all guests on that host running 13.1.3.5.
Fix:
TMM disruption no longer occurs from disaggregation in vCMP systems.
Fixed Versions:
12.1.5.3, 13.1.3.6
726983-4 : Inserting multi-line HTTP header not handled correctly
Links to More Info: BT726983
Component: Local Traffic Manager
Symptoms:
An HTTP header inserted by an iRule whose value contains an embedded newline followed by whitespace is not parsed properly. The new header can be incorrectly split into multiple headers.
Conditions:
iRule which adds a header containing embedded newline followed by whitespace:
HTTP::header insert X-Multi "This is a\n multi-line header"
Impact:
New header does not get parsed properly, and its values are treated like new header values. In some cases the tmm may be restarted.
Workaround:
Ensure that the embedded newline and the whitespace after it are not present in the value (unless they are legitimately there). To manipulate HTTP Cookie headers, use the HTTP::cookie API rather than HTTP::header directly.
Fix:
Multi-line HTTP headers inserted by an iRule are now parsed correctly.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1
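Why the inserted value above ends up as two headers, and why sanitizing the value matters more than fixing the parser, as an added Python example (not F5 code and not from the bug entry): a parser that takes one header per line splits the folded value the way the symptom describes; an RFC 7230 obs-fold-aware parser rejoins it; but neither stops a value carrying a bare CRLF from injecting a second header, so the inserting side must strip CR/LF from values first. The values are constructed; the first is the one quoted in the entry.

```python
import re


def serialize_header(name, value):
    """Emit the header line exactly as an unchecked insert would: the value
    is not inspected, so CR/LF inside it reach the wire."""
    return "%s: %s\r\n" % (name, value)


def parse_headers_naive(block):
    """One header per line, no folding support. This mirrors the defect: the
    continuation line of a folded value surfaces as a bogus extra header."""
    headers = []
    for line in block.split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        name, sep, value = line.partition(":")
        headers.append((name.strip(), value.strip()) if sep else (line.strip(), None))
    return headers


def parse_headers_unfolding(block):
    """RFC 7230 section 3.2.4 obs-fold: a line that starts with SP or HTAB
    continues the previous field value and is joined to it with one space."""
    headers = []
    for line in block.split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        if line[0] in " \t":
            if not headers:
                raise ValueError("continuation line before any header field")
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("header line without ':' -> %r" % line)
        headers.append((name.strip(), value.strip()))
    return headers


def safe_header_value(value):
    """Sanitize a value before it is inserted: collapse every CR/LF run and
    the whitespace after it into a single space, so the value can neither
    fold nor start a new header line (header injection)."""
    return re.sub(r"[\r\n]+[ \t]*", " ", value).strip()


# Constructed samples: the iRule value quoted in the bug entry, and a value
# carrying an attacker-controlled CRLF sequence.
FOLDED_VALUE = "This is a\n multi-line header"
INJECTED_VALUE = "ok\r\nSet-Cookie: session=evil"

if __name__ == "__main__":
    print(parse_headers_naive(serialize_header("X-Multi", FOLDED_VALUE)))
    print(parse_headers_unfolding(serialize_header("X-Multi", FOLDED_VALUE)))
    print(parse_headers_unfolding(serialize_header("X-Note", safe_header_value(INJECTED_VALUE))))
```

The practical rule this illustrates: treat any CR or LF in data that ends up in an HTTP::header insert (especially data copied from a request) as hostile, whether or not the receiving parser understands obs-fold.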
726895 : VPE cannot modify subroutine settings
Links to More Info: K02205915 , BT726895
Component: Access Policy Manager
Symptoms:
Open a per-request policy that has a subroutine in the Visual Policy Editor (VPE). Click 'Subroutine Settings / Rename'.
Numeric values like the inactivity timeout are displayed as 'NaN'. Attempts to modify the values result in MCP validation errors such as one of these:
- Unable to execute transaction because of:
- Unable to execute transaction because of: 01020036:3: The requested user role partition (admin Common) was not found.
Conditions:
-- Per-request policy in the VPE.
-- Subroutine in the per-request policy.
-- Attempt to change the values.
Impact:
All fields say 'NaN', and an error occurs when trying to modify properties. Subroutine settings like the Inactivity Timeout and Gating Criteria cannot be modified through the VPE.
Workaround:
Use tmsh to modify these values, for example:
tmsh modify apm policy access-policy <policy_name> subroutine properties modify { all { inactivity-timeout 301 } }
Fix:
The issue has been fixed; it is now possible to view and modify subroutine settings in the VPE.
Fixed Versions:
12.1.3.7, 13.1.1.2
726872-2 : iApp LX directory disappears after upgrade or restoring from UCS
Links to More Info: BT726872
Component: iApp Technology
Symptoms:
After a BIG-IP version upgrade or a restore from UCS, the iApps/Application Services/Applications LX screen displays instances of iApps LX, but their UI is not functional. This is caused by a software defect that removes the iApp LX directory from /var/config/rest/iapps.
Conditions:
Initial startup after BIG-IP version upgrade or restoring from UCS.
The more iApps LX instances and the more configuration they use, the more likely this issue is to occur, for example, this issue occurs with 90 or more instances of f5-ddos-hybrid-defender iApp LX.
Impact:
The iAppLX code is removed from the system, which makes iAppLX UI unusable. The configuration deployed by iApp LX instances remains in effect. The iApp LX configuration data remain intact, and the UI can be completely restored after manual installation of iApp LX code.
Workaround:
To workaround this issue, follow these steps:
1. Copy iAppLX code from an unaffected BIG-IP system to the BIG-IP system impacted by this defect, for example,
/var/config/rest/iapps/f5-ddos-hybrid-defender
2. Create a symlink to the UI code for UI to work, for example:
ln -sfvn /var/config/rest/iapps/f5-ddos-hybrid-defender/presentation /var/iapps/www/f5-ddos-hybrid-defender
3. Restart restjavad:
bigstart restart restjavad
4. Restart restnoded:
bigstart restart restnoded
Fix:
iApp LX directory no longer disappears after upgrading or restoring from UCS
Fixed Versions:
13.1.1.2, 14.0.1.1
726734-1 : DAGv2 port lookup stringent may fail
Links to More Info: BT726734
Component: Local Traffic Manager
Symptoms:
Under certain circumstances tmm might not be able to find a local port, and the connection may fail. This happens, for example, for active FTP with mirroring enabled.
Conditions:
Active FTP with mirroring enabled.
Impact:
Connection cannot get established.
Workaround:
There is no workaround other than to disable mirroring.
Fix:
TMM is now always able to find a local port.
Fixed Versions:
13.1.3.2, 14.1.2.8
726665-2 : tmm core dump due to SEGFAULT
Links to More Info: BT726665
Component: Policy Enforcement Manager
Symptoms:
tmm core dump due to SEGFAULT.
Conditions:
System under load in the network. The other conditions required to recreate this are unknown, but they indicate a potential memory-handling issue.
Impact:
The blade reboots resulting in failover. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The apparent memory-handling issue leading to the SEGFAULT has been corrected, so the tmm core and failover no longer occur.
Fixed Versions:
13.1.3, 14.0.1.1
726647-3 : PEM content insertion in a compressed response may truncate some data
Links to More Info: BT726647
Component: Policy Enforcement Manager
Symptoms:
HTTP compressed response with content insert action can truncate data.
Conditions:
PEM content insertion action with compressed HTTP response.
Impact:
Data might be truncated.
Workaround:
There is no workaround other than disabling compression by removing the Accept-Encoding header from the HTTP request.
Fix:
HTTP compressed response with content insert action no longer truncates data.
Fixed Versions:
12.1.4.1, 13.1.1.2, 14.0.0.3, 14.1.0.2
726616-1 : TMM crashes when a session is terminated
Links to More Info: BT726616
Component: Access Policy Manager
Symptoms:
TMM crashes when it is releasing the memory used by a session that is terminated. Either one of the following error messages might appear in the TMM log:
-- notice panic: ../kern/umem.c:4166: Assertion "valid type" failed.
-- notice panic: ../kern/page_alloc.c:705: Assertion "vmem_hashlist_remove not found" failed.
Conditions:
The memory used by a session is corrupted during the lifetime of the session. This issue happens infrequently.
Impact:
TMM restarts, causing service interruption if the BIG-IP system is not part of a high-availability setup.
Workaround:
There is no workaround at this time.
Fix:
TMM no longer crashes when removing an access session.
Fixed Versions:
13.1.1.2, 14.0.0.5
726592-1 : Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop
Links to More Info: BT726592
Component: Access Policy Manager
Symptoms:
Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop. This could be triggered by invalid state of our control plane daemons.
Conditions:
This is an extremely rare situation that can be caused by invalid logsetting config messaging between our daemons. However, once it happens it can impact multiple daemons at the same time causing all of them to hang.
Impact:
Once this happens it can impact multiple daemons (apmd, apm_websso, localdbmgr) at the same time causing all of them to hang.
Workaround:
There is no workaround at this time, you can recover by restarting the daemons that hang.
Fix:
We have fixed a memory corruption that can break the linkages in our data structure which would cause certain traversals to loop indefinitely.
Fixed Versions:
12.1.4, 13.1.1.2
726537-1 : Rare TMM crash when Single Page Application is enabled on DoSL7
Links to More Info: BT726537
Component: Application Security Manager
Symptoms:
There is a rare TMM crash that may happen when Single Page Application is enabled on the DoS Application profile.
Conditions:
Single Page Application is enabled on the DoS Application profile.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Rare TMM crash no longer occurs when Single Page Application is enabled on DoSL7.
Fixed Versions:
13.1.1.4, 14.0.0
726518-4 : Tmsh show command terminated with CTRL-C can cause TMM to crash.
Links to More Info: BT726518
Component: Local Traffic Manager
Symptoms:
TMM crashes when running: show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name]
Conditions:
-- Running the command:
show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name].
-- The command is terminated with CTRL-C before it completes.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not terminate tmsh show commands with CTRL-C.
Fixed Versions:
13.1.3.6, 14.1.2.8, 15.1.2
726487-2 : MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
Links to More Info: BT726487
Component: TMOS
Symptoms:
The MCPD daemon on secondary VIPRION or vCMP blades exits and restarts, logging errors similar to the following:
-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.
-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.
Or:
--- err mcpd[8320]: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).
--- err mcpd[8320]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).... failed validation with error 17236027.
Or:
err mcpd[12620]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Invalid static route modification. A destination change from 172.25.0.1%500 to 172.25.0.1 is not supported... failed validation with error 17237812.
Conditions:
This issue occurs when all of the following conditions are met:
-- VIPRION or vCMP platform with more than one blade.
-- A partition with a non-default route domain.
-- Either:
+ Creating a pool member in that partition while a configuration save is taking place at the same time (either system- or user-initiated).
+ Modifying a route in that partition while a configuration save is taking place at the same time (either system- or user-initiated).
Impact:
If the system is Active, traffic is disrupted as the secondary blades restart. The capacity of the system will be reduced until all blades are on-line again. Additionally, depending on the system configuration, the system may fail over to its peer (if one exists).
Workaround:
There is no workaround other than not to create pool members or modify routes from one client while saving configuration changes in another client. However, this does not help if the configuration save operation was system-initiated.
Fix:
MCPD on secondary blades no longer restarts if a pool member is created or a route is modified in a partition that uses a non-default route domain at the same time as the configuration is being saved.
Fixed Versions:
12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.6
726412-2 : Virtual server drop down missing objects on pool creation
Links to More Info: BT726412
Component: Global Traffic Manager (DNS)
Symptoms:
Available virtual servers are not populated in the drop down list during Pool creation.
Conditions:
Virtual server names containing single quote, backslash, or greater-than and less-than signs: ' \ < >.
Impact:
Unable to add available virtual servers to pools.
Workaround:
After pool creation, go into that newly created pool, click 'Members', and then click 'Manage', and use the Virtual Server drop-down list to add any virtual servers.
Fix:
Fixed the drop down for virtual servers. Now virtual servers get loaded in the drop-down list during pool creation.
Fixed Versions:
12.1.4.1, 13.1.3
726409-4 : Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
Component: TMOS
Symptoms:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
Conditions:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439
Impact:
Denial of service.
Workaround:
Do not allow untrusted local users to log in.
Fix:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439
Fixed Versions:
11.5.9, 11.6.4, 12.1.4.1, 13.1.1.2, 14.0.0.3
726377-1 : False-positive cookie hijacking violation
Links to More Info: BT726377
Component: Application Security Manager
Symptoms:
A false-positive cookie hijacking violation.
Conditions:
-- Several sites are configured on the policy, without subdomains.
-- TS cookies are sent with a higher domain level than the configured one.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.
Impact:
False positive violation / blocking.
Workaround:
When the Device ID feature is turned off, the cookie hijacking violation is almost never relevant, because it can then detect only cases in which some of the TS cookies were taken. The suggested workaround is to turn off this violation.
Fix:
The false-positive cookie hijacking violation no longer occurs in some scenarios when working with multiple domains.
Fixed Versions:
13.1.1.4
726319-2 : 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses
Links to More Info: BT726319
Component: Local Traffic Manager
Symptoms:
When FQDN nodes and pool members are used in LTM pools, a message similar to the following may be logged if the DNS server returns a different set of IP address records to resolve the FQDN name:
err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.
Conditions:
This message may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name, and new ephemeral pool members are created corresponding to the new IP addresses.
This may occur intermittently depending on timing conditions.
Impact:
These log messages are cosmetic and do not indicate any impact to traffic or BIG-IP operations.
Workaround:
None.
Fix:
'The requested Pool Member ... already exists' messages are no longer logged occasionally when an FQDN pool member name resolves to different IP addresses.
Fixed Versions:
13.1.1.4, 14.0.0.3
726317-4 : Improved debugging output for mcpd
Links to More Info: BT726317
Component: TMOS
Symptoms:
In some cases, mcpd debugging output is insufficient for diagnosing a problem.
Conditions:
Using debugging in mcpd, specifically, setting log.mcpd.level to debug.
Impact:
None. Has no effect without log.mcpd.level set to debug.
Workaround:
None.
Fix:
New output helps F5 engineers diagnose mcpd problems more easily.
Fixed Versions:
12.1.5, 13.1.3.4, 14.1.0.6
726303-1 : Unlock 10 million custom db entry limit
Links to More Info: BT726303
Component: Traffic Classification Engine
Symptoms:
Cannot add more than 10 million custom db entries.
Conditions:
This happens when you try to add more than 10 million custom db entries.
Impact:
Not able to add more than 10 million entries.
Workaround:
There is no workaround at this time.
Fix:
This release provides a sys db var, tmm.urlcat.no_db_limit, to allow growth beyond the existing limit of 10 million custom db entries.
Fixed Versions:
12.1.3.7, 13.1.1.2
726255-2 : dns_path lingering in memory with last_access 0 causing high memory usage
Links to More Info: BT726255
Component: Global Traffic Manager (DNS)
Symptoms:
dns_path not released after exceeding the inactive path ttl.
Conditions:
1. Multiple TMMs in a sync group.
2. Multiple DNS paths per GTM needed for load balancing.
Impact:
High memory usage.
Workaround:
There is no workaround at this time.
Fix:
dns_path memory will be released after ttl.
Fixed Versions:
11.5.9, 11.6.5.1, 12.1.3.7, 13.1.1.4, 14.0.0.3
726239-4 : interruption of traffic handling as sod daemon restarts TMM
Links to More Info: BT726239
Component: Local Traffic Manager
Symptoms:
When the receiving host in a TCP connection has advertised a zero receive window (stopping the flow of data), following certain unusual protocol sequences, the TMM logic that persists in probing the zero window may enter an endless loop.
Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.
Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This fix handles a rare TMM crash when TCP persist timer is active.
Fixed Versions:
11.5.9, 11.6.3.3, 12.1.4, 13.1.1.2, 14.0.0.3
726176-4 : Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
Links to More Info: BT726176
Component: Local Traffic Manager
Symptoms:
The BIG-IP system running RSS DAG hash attempts to reuse ports while pool members remain in a TIME_WAIT state and are unable to process new connections.
Conditions:
This issue occurs when all of the following conditions are met:
-- You are running on a BIG-IP platform using RSS DAG hash, for instance, the Z100 and 2000/4000-series hardware platforms.
-- You have the FastL4 profile associated with a virtual server.
-- The virtual server is configured with source-port preserve.
Impact:
Traffic throughput may be degraded.
Workaround:
Set source-port to change.
Fix:
Platforms running RSS DAG hash now reuse source port at the correct rate when virtual server sets source-port preserve.
Fixed Versions:
13.1.3.2, 14.1.2.3, 15.0.1.1
726154-2 : TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies
Links to More Info: BT726154
Component: Advanced Firewall Manager
Symptoms:
TMM might restart when changing firewall or NAT configurations on a virtual server with the same name as a route-domain.
Conditions:
- There is a virtual server and a route-domain that have the same name in the configuration.
- A firewall or NAT policy is being attached or removed from one or both of the virtual server or route-domain.
Impact:
TMM might halt and traffic processing temporarily ceases. TMM restarts and traffic processing resumes.
Workaround:
There is no workaround other than not to use the same name for virtual server and route-domain objects.
Fix:
TMM no longer crashes under the conditions described. Firewall and NAT configurations are applied correctly on virtual servers with the same names as route-domains.
Fixed Versions:
12.1.5.3, 13.1.1.2
726090-1 : No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense
Links to More Info: BT726090
Component: Application Security Manager
Symptoms:
Device ID challenges are not logged in the Bot Defense Request Log (local and remote) when associating the Bot Defense logging profile to the virtual server.
Conditions:
-- Device ID is enabled on the ASM Policy.
-- DoS profile with Proactive Bot Defense is not associated with the virtual server.
Impact:
There are no logs to show the browser challenges and the requests from clients that do not support JavaScript.
Workaround:
There is no workaround at this time.
Fix:
Requests are now logged to the Bot Defense Request Log with Device ID enabled on the ASM Policy and no associated DoS profile.
Fixed Versions:
13.1.1.2, 14.0.0.5
726039 : Information is not updated after installing FPS live update via GUI
Links to More Info: BT726039
Component: Fraud Protection Services
Symptoms:
The GUI does not display the updated information after installing an update.
Conditions:
FPS is licensed and provisioned.
Impact:
Cosmetic only.
Workaround:
Refresh the page.
Fix:
The information is updated after installing an update.
Fixed Versions:
13.1.1.4
726001-1 : Rapid datagroup updates can cause type corruption
Links to More Info: BT726001
Component: Local Traffic Manager
Symptoms:
An 'invalid class type' error message appears in /var/log/ltm.
Conditions:
Using external datagroups and updating them before the previous update has finished, such as with:
-- Executing config-sync.
-- echo "create sys file data-group dg-test source-path file:///var/tmp/dg_test type string separator :=; create ltm data-group external dg-test external-file-name dg-test; modify sys file data-group dg-test source-path file:///var/tmp/dg_test" | tmsh -a
Impact:
iRule fails.
Workaround:
Ensure that changes to a datagroup are done processing (by looking for the 'finished' message in the LTM logs) before updating them again.
Fix:
Rapid updates no longer cause type corruption.
Fixed Versions:
13.1.3
725985-1 : REST API takes more than 20 seconds when 1000+ virtual servers with SNAT-Pool configured
Links to More Info: BT725985
Component: TMOS
Symptoms:
REST API takes more than 20 seconds to complete the GET request when there are 1000+ virtual servers configured with the same SNAT-Pool.
Conditions:
-- A large number (1000+) of virtual servers.
-- Configured with the same SNAT pool.
Impact:
REST API takes more than 20 seconds to respond to the GET request.
Workaround:
None.
Fix:
Under these conditions, now the response time is approximately 5 seconds.
Fixed Versions:
13.1.3.5
725950 : Regcomp() leaks memory if passed an invalid regex.
Links to More Info: BT725950
Component: TMOS
Symptoms:
Because of memory leak, big3d's memory usage increased over time
Conditions:
Pass invalid expression to regcomp.
Impact:
Escaped characters in the expression are mishandled, so the regex compilation fails and leaks memory. The big3d memory footprint grows over time.
Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}
Fix:
Fixed a memory leak in big3d.
Fixed Versions:
13.1.3.2
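A check you can run over monitor recv strings before they reach big3d, as an added Python example (not F5 code and not from the bug entry): it lists the backslash escapes that POSIX ERE does not define (big3d compiles the recv string with regcomp(), which does not know Perl's \d) and rewrites them into POSIX bracket expressions. The set of extra escapes glibc's regcomp() accepts is taken from the glibc documentation as I know it; the bracket-expression scan is simplified (it does not handle a ']' placed first in a set).

```python
# Backslash escapes a POSIX ERE defines (the grammar's special characters)
# and the extra escapes glibc's regcomp() accepts. "\d" is in neither, and
# "\/" escapes an ordinary character, which POSIX leaves undefined.
POSIX_ERE_SPECIAL = set("^.[$()|*+?{\\")
GLIBC_EXTENSIONS = set("wWsSbB<>`'")
PERL_TO_POSIX = {"d": "[0-9]", "D": "[^0-9]", "s": "[[:space:]]",
                 "S": "[^[:space:]]", "w": "[[:alnum:]_]", "W": "[^[:alnum:]_]"}


def _escapes(pattern):
    """Yield (index, escaped_char) for each backslash escape outside a
    bracket expression, where a backslash is literal in POSIX."""
    i, in_bracket = 0, False
    while i < len(pattern):
        c = pattern[i]
        if in_bracket:
            if c == "]":
                in_bracket = False
        elif c == "[":
            in_bracket = True
        elif c == "\\" and i + 1 < len(pattern):
            yield i, pattern[i + 1]
            i += 2
            continue
        i += 1


def lint_recv_string(pattern):
    """Return the escapes in a monitor recv string that POSIX ERE / glibc
    regcomp() do not define; an empty list means the string is safe to use."""
    return ["\\" + c for _, c in _escapes(pattern)
            if c not in POSIX_ERE_SPECIAL and c not in GLIBC_EXTENSIONS]


def to_posix_ere(pattern):
    """Rewrite Perl-style escapes to strict POSIX ERE equivalents and drop
    escapes of ordinary characters, keeping the pattern's meaning."""
    out, i = [], 0
    positions = dict(_escapes(pattern))
    while i < len(pattern):
        if i in positions:
            nxt = positions[i]
            if nxt in PERL_TO_POSIX:
                out.append(PERL_TO_POSIX[nxt])
            elif nxt == ".":
                out.append("[.]")
            elif nxt in POSIX_ERE_SPECIAL:
                out.append("\\" + nxt)
            else:
                out.append(nxt)
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


# The recv string quoted in the bug entry.
LEAKY_RECV = r"^http\/\d\.\d[23]\d\d"

if __name__ == "__main__":
    print(lint_recv_string(LEAKY_RECV))   # ['\\/', '\\d', '\\d', '\\d', '\\d']
    print(to_posix_ere(LEAKY_RECV))       # ^http/[0-9][.][0-9][23][0-9][0-9]
```

The rewrite keeps the original semantics; the workaround string in the entry additionally changes the case and inserts a space, which is a change to what the monitor matches, not just to its syntax.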
725878-2 : AVR does not collect all of APM TMStats
Links to More Info: BT725878
Component: Application Visibility and Reporting
Symptoms:
AVR does not collect all of APM TMStats
Conditions:
Using AVR to view APM stats.
Impact:
Cannot view all values.
Workaround:
None.
Fix:
This release now provides stats for the following:
-- License Stats :: show apm license
-- Session Stats (ACL Stats) :: show apm acl
-- Access Profile Stats :: show apm profile access
-- OAuth Client Stats :: show apm aaa oauth-server
-- OAuth Profile Stats :: show apm profile oauth
-- Network Access Stats :: show net tunnels ppp
Behavior Change:
This release now provides stats for the following:
-- License Stats :: show apm license
-- Session Stats (ACL Stats) :: show apm acl
-- Access Profile Stats :: show apm profile access
-- OAuth Client Stats :: show apm aaa oauth-server
-- OAuth Profile Stats :: show apm profile oauth
-- Network Access Stats :: show net tunnels ppp
Fixed Versions:
13.1.1.4, 14.0.1.1
725867-2 : ADFS proxy does not fetch configuration for non-floating virtual servers
Links to More Info: BT725867
Component: Access Policy Manager
Symptoms:
If the virtual address of a virtual server has a non-floating traffic group (e.g., traffic-group-local-only), ADFS proxy does not perform periodic configuration updates, including listing allowed URIs from ADFS, and thus blocks all the requests (by responding with 404).
Conditions:
-- Virtual address of virtual server has non-floating traffic group.
-- ADFS proxy feature is enabled on the virtual server.
Impact:
All the requests to ADFS are blocked.
Workaround:
Set floating traffic group for virtual address (e.g., traffic-group-1).
Fix:
ADFS proxy now fetches configuration from ADFS for non-floating virtual servers.
Fixed Versions:
13.1.1.2, 14.0.0.5
725791-4 : Potential HW/HSB issue detected
Links to More Info: K44895409 , BT725791
Component: TMOS
Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.
A burst of CRC errors in the SRAM for the ePVA transformation cache does not trigger a failover and causes a silent traffic outage on the FastL4 VIP with hardware traffic acceleration. This occurs because the health check watchdog packets are still functioning correctly, and the current TMOS software primarily monitors watchdog packet tx/rx failures to trigger failover.
In these cases, there might be the following messages in /var/log/tmm*:
Device error: hsb_lbb* tre2_crc_errs count *
Conditions:
Traffic is offloaded to HSB hardware for acceleration.
Impact:
Hardware accelerated traffic drop.
Workaround:
Switch traffic to software acceleration.
Fix:
Including traffic-critical registers in the failover triggers helps failover happen quickly, with minimum disruption to traffic, in the case of SRAM hardware failures.
Fixed Versions:
11.6.5.2, 12.1.5.2, 13.1.1.5, 14.1.0.6
725696-1 : A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted
Links to More Info: BT725696
Component: TMOS
Symptoms:
When OCSP Stapling is enabled on a client SSL profile, certain uncommon operations might result in a tmm timer queue getting into a loop, which results in tmm being aborted by sod and restarting.
Conditions:
-- There are SSL handshakes waiting for an OCSP response, and one of the following:
+ There is a CMP transition.
+ There are changes made to the OCSP object.
Impact:
tmm restarts. Traffic interrupted while tmm restarts.
Workaround:
There is no workaround other than disabling OCSP stapling.
Fix:
The timer issue has been corrected.
Fixed Versions:
13.1.1.2, 14.0.0.3
725612-1 : syslog-ng does not send any messages to the remote servers after reconfiguration
Links to More Info: BT725612
Component: TMOS
Symptoms:
Changing syslog remote server IP address (tmsh sys syslog remote-servers) requires a syslog-ng process restart to take effect. Syslog operations do not use the new remote destination address on syslog service reconfiguration.
Conditions:
1. Add a Remote Syslog server (Server A) using System :: Logs :: Configuration :: Remote Syslog.
2. Click Update (Syslog messages go out toward Server A).
3. Remove Server A from configuration.
4. Add new Server B (different IP address).
5. Click Update.
Impact:
After reconfiguring remote syslog host IP addresses, syslog messages continue to be sent to the previously configured addresses.
Workaround:
Restart the syslog service using the following command:
bigstart restart syslog-ng
Messages will now properly be sent toward Server B (the new IP address).
Fix:
Syslog operations now use the new remote destination address on syslog service reconfiguration.
Fixed Versions:
13.1.1.2, 14.0.0.3
725545-1 : Ephemeral listener might not be set up correctly
Links to More Info: BT725545
Component: Local Traffic Manager
Symptoms:
When ephemeral listeners are set up across a cluster, the transaction might fail.
Conditions:
When using Network Access tunnel with proxy ARP and no SNAT.
Impact:
The client-assigned IP address might intermittently fail to be resolved via ARP on the serverside/leasepool VLAN.
Workaround:
None.
Fix:
The ephemeral listener is now set up correctly.
Fixed Versions:
13.1.1.2, 14.0.0
725505-2 : SNAT settings in network resource are not applied after FastL4 profile is updated
Links to More Info: BT725505
Component: Access Policy Manager
Symptoms:
When the admin updates a FastL4 profile, the iRule associated with the internal virtual server (the APM forward virtual server) is removed.
This iRule sets up the SNAT setting, however, since the iRule is removed, the SNAT setting is not applied to new network access connections.
Conditions:
-- Using network access.
-- FastL4 profile is updated.
Impact:
When accessing the backend resource, the BIG-IP system uses the self IP address as the source IP address instead of the IP address configured under the network access resource. Traffic disrupted while tmm restarts.
Workaround:
Restart tmm.
Restarting tmm re-creates the forward virtual servers and attaches the relevant iRule.
Fixed Versions:
13.1.3.2
725412-1 : APM does not follow current best practices for HTTP headers
Component: Access Policy Manager
Symptoms:
APM does not follow current best practices for HTTP headers.
Conditions:
APM enabled
Impact:
HTTP headers are not generated as intended.
Workaround:
None.
Fix:
APM now follows current best practices for HTTP headers.
Fixed Versions:
13.1.1.2, 14.0.0
725040-3 : Auto-update fails for F5 Helper Applications on Linux
Links to More Info: BT725040
Component: Access Policy Manager
Symptoms:
A pop-up error message is displayed for failed auto-update for F5 Helper Applications on Linux.
Conditions:
Linux users using F5 Helper Applications (f5epi and f5vpn) to establish a VPN tunnel.
Impact:
Linux users are not updated to the new releases.
Workaround:
Reinstall F5 Helper Applications manually.
Fix:
Auto-update succeeds for F5 Helper Applications on Linux.
Fixed Versions:
13.1.3.2
724906-1 : sasp_gwm monitor leaks memory over time
Links to More Info: BT724906
Component: Local Traffic Manager
Symptoms:
The Server/Application State Protocol (SASP) monitor, sasp_gwm memory usage slowly increases over time.
Conditions:
The Server/Application State Protocol (SASP) monitor is configured.
The leakage occurs during normal operation of the monitor and is not tied to any specific user or traffic action.
Impact:
sasp_gwm grows over time and eventually the system may be pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.
Workaround:
Periodically restarting the sasp_gwm process prevents the growth from affecting the system.
Fix:
The sasp_gwm monitor no longer leaks memory when processing messages.
Fixed Versions:
13.1.1.2, 14.0.0.3
724868-1 : dynconfd memory usage increases over time
Links to More Info: BT724868
Component: Local Traffic Manager
Symptoms:
dynconfd memory usage slowly increases over time as it processes various state-related messages.
Conditions:
No special conditions, as dynconfd is a core LTM process. Large numbers of pool members combined with flapping might increase the rate at which memory usage grows.
Impact:
dynconfd grows over time and eventually the system is pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.
Workaround:
Periodically restarting dynconfd prevents the growth from affecting the system.
Fix:
dynconfd no longer leaks memory when processing messages.
Fixed Versions:
12.1.4, 13.1.1.2, 14.0.0.3
724847 : DNS traffic does not get classified for AFM port misuse case
Links to More Info: K95010813 , BT724847
Component: Traffic Classification Engine
Symptoms:
When DNS query name has a label length of greater than 23 bytes, it does not get classified as DNS.
Conditions:
-- AFM provisioned.
-- A port misuse policy for DNS and a service policy configured.
-- DNS query name with label length of greater than 23 bytes.
Impact:
DNS does not get classified properly for some cases.
Workaround:
There is no workaround at this time.
Fix:
Allowed DNS label length is now 64 bytes, so any DNS query name where each label is fewer than 64 bytes is now properly classified.
Fixed Versions:
13.1.1.4, 14.0.0
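To make the classification failure above concrete, here is an added example (not F5 code and not the Traffic Classification Engine's implementation) that parses a DNS question name from wire format and applies a per-label length cap, first with the 23-byte cap described in the Symptoms and then with the 64-byte cap from the Fix. The thresholds are taken from this bug entry; the classifier, packet builder and helper names are the example's own, and the query packets are constructed inline.

```python
"""Label-length check for DNS query names (added example, not F5 code).

Models how a protocol classifier that caps the per-label length it accepts
misses legitimate DNS queries.  RFC 1035 allows labels of up to 63 bytes, so
a 23-byte cap (the buggy behaviour) rejects valid names; a 64-byte cap (the
fixed behaviour) accepts every RFC-valid label.
"""
import struct

RFC1035_MAX_LABEL = 63
OLD_MAX_LABEL = 23    # cap described under Symptoms
FIXED_MAX_LABEL = 64  # cap described under Fix


def encode_qname(name):
    """Encode a dotted hostname into DNS wire-format labels (no compression)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= RFC1035_MAX_LABEL:
            raise ValueError("label length out of range: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def parse_labels(qname_wire):
    """Return the labels of a wire-format QNAME; raise ValueError on malformed input."""
    labels = []
    pos = 0
    while True:
        if pos >= len(qname_wire):
            raise ValueError("truncated QNAME")
        length = qname_wire[pos]
        pos += 1
        if length == 0:
            return labels
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a question name")
        if length > RFC1035_MAX_LABEL:
            raise ValueError("label exceeds 63 bytes")
        if pos + length > len(qname_wire):
            raise ValueError("truncated label")
        labels.append(qname_wire[pos:pos + length])
        pos += length


def build_query(name, qtype=1):
    """Constructed minimal DNS query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def looks_like_dns(packet, max_label):
    """Toy classifier: True if the payload parses as a one-question DNS query
    whose labels all fit within max_label bytes."""
    if len(packet) < 12:
        return False
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount != 1:
        return False
    try:
        labels = parse_labels(packet[12:])
    except ValueError:
        return False
    return all(len(label) <= max_label for label in labels)


if __name__ == "__main__":
    long_name = "a" * 30 + ".example.com"   # constructed: one 30-byte label
    print("old cap:", looks_like_dns(build_query(long_name), OLD_MAX_LABEL))
    print("fixed cap:", looks_like_dns(build_query(long_name), FIXED_MAX_LABEL))
```

The point of the two caps is operational: a query that the classifier does not recognise as DNS is not evaluated by the DNS port-misuse policy, so the policy silently stops covering exactly the names with long labels.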
724824-4 : Ephemeral nodes on peer devices report as unknown and unchecked after full config sync
Links to More Info: BT724824
Component: Local Traffic Manager
Symptoms:
After a Full Configuration Sync is performed in a device cluster, Ephemeral (FQDN) nodes on peers to the device initiating the Configuration Sync will report their status as Unknown with monitor status of Unchecked.
Note: The nodes are still monitored properly by the peer devices even though they are not reported as such.
Conditions:
-- Full configuration sync performed in a device cluster.
-- Ephemeral (FQDN) nodes configured.
Impact:
Monitor status on the peer devices is reported incorrectly.
Workaround:
Any of the following three options will correct reporting status on the peer devices:
-- Restart bigd
-- Cause monitoring to the FQDN nodes to fail for at least one probing interval, and then restore monitoring accessibility.
-- Disable and then re-enable the FQDN node
Each of these workarounds results in the reported status of the FQDN node on the peer reporting correctly again. The workarounds do not prevent a subsequent configuration sync from placing the FQDN nodes back into Unknown status on peers, however.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2
724746-1 : Incorrect RST message after 'reject' command
Links to More Info: BT724746
Component: Local Traffic Manager
Symptoms:
The BIG-IP system sends RST containing 'Internal error in tcpproxy invalid state for repick' instead of the more accurate message: 'iRule execution (reject command)'.
Conditions:
Virtual server with a HTTP profile, and an iRule using the 'reject' command.
Impact:
Investigating RST causes may be confusing.
Workaround:
None
Fix:
TMM now sends the correct RST message.
Fixed Versions:
13.1.4
724571-1 : Importing access profile takes a long time
Links to More Info: BT724571
Component: Access Policy Manager
Symptoms:
It takes a long time for the 'Apply Access Policy' link to show up on the admin UI after importing an access profile.
Conditions:
-- Access policy with many macros.
-- Import the exported profile multiple times with Reuse Existing Objects checked.
-- As the number of imports increases, so does the latency.
Impact:
The imported access policy takes a long time to become ready to use.
Workaround:
None.
Fixed Versions:
13.1.1.2
724564-1 : A FastL4 connection can fail with loose-init and hash persistence enabled
Links to More Info: BT724564
Component: Local Traffic Manager
Symptoms:
The BIG-IP system fails to create a connection after 3WHS when using loose-init and hash persistence.
This can happen if traffic is redirected from one BIG-IP system to another, with the second BIG-IP system failing to create the connection, causing an interruption of traffic on that connection.
Conditions:
-- Virtual server configured with hash persistence.
-- FastL4 profile with loose-init enabled.
Impact:
Traffic fails when redirected from one BIG-IP system to another.
Workaround:
There is no workaround other than to disable hash persistence.
Fix:
A FastL4 connection no longer fails with loose-init and hash persistence enabled.
Fixed Versions:
13.1.1.4
724556-2 : icrd_child spawns more than maximum allowed times (zombie processes)
Links to More Info: BT724556
Component: TMOS
Symptoms:
icrd_child is issued a SIGTERM. The SIGTERM might not succeed in destroying the process, especially if the system is under a lot of load. This leads to zombie processes.
Conditions:
-- The icrd_child process is issued a SIGTERM that does not successfully destroy the icrd_child process.
-- System under heavy load.
Impact:
There are zombie icrd_child processes consuming memory.
Workaround:
Restart the system.
Fix:
Introduced the following configuration in /etc/icrd.conf: sigkillDelaySeconds
If set to 0, or if missing from icrd.conf, SIGKILL will not be issued after SIGTERM is issued to the icrd_child process.
If set to greater than 0, SIGKILL will be issued to the icrd_child process after the specified delay following SIGTERM, if the icrd_child process has not terminated.
A 'safe' number for the delay may be 3 seconds, but will depend on your configuration.
Behavior Change:
Introduced the following configuration in /etc/icrd.conf: sigkillDelaySeconds
If set to 0, or if missing from icrd.conf, SIGKILL will not be issued after SIGTERM is issued to the icrd_child process.
If set to greater than 0, SIGKILL will be issued to the icrd_child process after the specified delay following SIGTERM, if the icrd_child process has not terminated.
A 'safe' number for the delay may be 3 seconds, but will depend on your configuration.
Fixed Versions:
12.1.5.3, 13.1.3.2, 14.1.2.7
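The escalation policy described above (SIGTERM first, SIGKILL after a delay only if the child is still alive, and no SIGKILL at all when the delay is 0) is a general process-supervision pattern. The following is an added example in Python, not the icrd implementation and not tied to /etc/icrd.conf; the setting name `sigkill_delay_seconds`, the helper functions, and the stand-in child process (which deliberately ignores SIGTERM to model a hung icrd_child) are this example's own.

```python
"""Graceful-then-forced child termination (added example, not F5's icrd code).

stop_child() sends SIGTERM and, if sigkill_delay_seconds > 0 and the child is
still running after that delay, follows up with SIGKILL.  With a delay of 0 it
never escalates, which is the behaviour that leaves unkillable children behind.
"""
import subprocess
import sys


def spawn_child(ignore_sigterm):
    """Constructed stand-in for a child process.

    With ignore_sigterm=True it models a hung child that never honours SIGTERM.
    The child prints 'ready' once its handler is installed so the parent does
    not race it.
    """
    code = (
        "import signal, sys, time\n"
        + ("signal.signal(signal.SIGTERM, signal.SIG_IGN)\n" if ignore_sigterm else "")
        + "print('ready', flush=True)\n"
        + "time.sleep(60)\n"
    )
    proc = subprocess.Popen([sys.executable, "-c", code], stdout=subprocess.PIPE)
    proc.stdout.readline()  # block until the child reports it is ready
    return proc


def stop_child(proc, sigkill_delay_seconds):
    """Terminate proc with escalation.

    Returns "SIGTERM" if the child exited on SIGTERM, "SIGKILL" if it had to be
    force-killed after the delay, or None if delay is 0 and the child survived
    SIGTERM (it is left running, as the 'no SIGKILL' setting implies).
    """
    proc.terminate()  # SIGTERM: cooperative shutdown request
    grace = sigkill_delay_seconds if sigkill_delay_seconds > 0 else 0.5
    try:
        proc.wait(timeout=grace)
        return "SIGTERM"
    except subprocess.TimeoutExpired:
        pass
    if sigkill_delay_seconds <= 0:
        return None
    proc.kill()  # SIGKILL cannot be caught or ignored by the child
    proc.wait(timeout=5)
    return "SIGKILL"


def demo(sigkill_delay_seconds, ignore_sigterm=True):
    """Spawn a child, stop it with the given policy, and report which signal ended it."""
    proc = spawn_child(ignore_sigterm)
    ended_by = stop_child(proc, sigkill_delay_seconds)
    if ended_by is None:
        proc.kill()  # housekeeping so this demo itself leaves nothing behind
        proc.wait()
    proc.stdout.close()
    return ended_by


if __name__ == "__main__":
    print("cooperative child, delay 3:", demo(3, ignore_sigterm=False))
    print("hung child, delay 1:", demo(1))
    print("hung child, delay 0:", demo(0))
```

The delay trades cleanliness for certainty: long enough for a healthy child to flush state and exit on SIGTERM, short enough that a wedged one is reaped before it accumulates. The 3-second figure quoted in the fix is a starting point to tune against how long a healthy icrd_child normally takes to exit.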
724532-2 : SIG SEGV during IP intelligence category match in TMM
Links to More Info: BT724532
Component: Advanced Firewall Manager
Symptoms:
TMM restarts while matching traffic from a source IP to an IP Intelligence category.
Conditions:
Multiple configuration changes that include deleting the custom IP intelligence categories.
Impact:
TMM restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer restarts while matching traffic from source IP to IP Intelligence category.
Fixed Versions:
12.1.4, 13.1.1.2
724414-2 : ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled
Links to More Info: BT724414
Component: Application Security Manager
Symptoms:
When ASM inspects WebSocket frames, the bd daemon leaks memory; eventually ASM stops inspecting traffic and sends resets or bypasses requests.
Conditions:
-- ASM module is provisioned.
-- ASM policy and WebSocket profile are attached to a virtual server.
-- WebSocket URL has JSON profile attached to it.
-- JSON profile has parse parameters flag enabled (this is the default).
Impact:
ASM may reset connections; failover might occur.
Workaround:
There are two workarounds:
-- Remove JSON profile from WebSocket URL in the ASM policy.
-- Disable parse parameters flag in the json profile.
Fix:
The system now frees the allocated memory when it finishes inspecting a WebSocket frame.
Fixed Versions:
13.1.1.2, 14.0.0.5
724327-1 : Changes to a cipher rule do not immediately have an effect
Links to More Info: BT724327
Component: Local Traffic Manager
Symptoms:
If a cipher rule is changed, and a cipher group that uses the rule is attached to an SSL profile, the change does not take effect until something else on the SSL profile changes.
Conditions:
-- A cipher group is used by an SSL profile.
-- One of its cipher rules changes.
Impact:
Unexpected behavior occurs because the cipher rule change does not take effect immediately.
Workaround:
After changing the cipher rule that's used by a cipher group, make a change to any SSL profile that uses the associated cipher group.
Fix:
Any change to a cipher rule or cipher group now takes immediate effect.
Fixed Versions:
13.1.1.4, 14.1.0.2
724214-3 : TMM core when using Multipath TCP
Links to More Info: BT724214
Component: Local Traffic Manager
Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic interrupted while TMM restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
Fixed Versions:
11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5
724213-1 : Modified ssl_profile monitor param not synced correctly
Links to More Info: K74431483 , BT724213
Component: Local Traffic Manager
Symptoms:
After modifying the ssl_profile attribute on an HTTPS monitor on a device in a high availability (HA) configuration, and after performing a full ConfigSync, the corresponding monitor on the peer-sync unit does not have the updated value.
Conditions:
-- An HTTPS monitor is used on BIG-IP systems in a high availability (HA) configuration.
-- The ssl_profile field is modified on an HTTPS monitor.
-- A sync-to-peer (full ConfigSync, not incremental sync) is attempted to propagate the modified ssl_profile value to the peer units.
Impact:
The ssl_profile value for the HTTPS monitor on the peer unit is set to none, resulting in the two devices reporting themselves as in-sync, but having potentially different HTTPS monitor configurations.
Workaround:
-- Do not run HTTPS monitors using in-tmm monitors.
-- Use the traditional HTTPS monitor configuration for SSL-attributes (cipherlist, key, cert, and compatibility attributes on HTTPS monitor).
Note: Using these attributes generates deprecation warnings, but the configuration still takes effect.
Fix:
After modifying the ssl_profile attribute on an HTTPS monitor on a system within a high availability (HA) configuration, and after performing a full ConfigSync, the corresponding monitor on the peer unit now receives the updated monitor attribute, as expected.
Fixed Versions:
13.1.1.2, 14.0.0.3
724143-1 : IKEv2 connflow expiration upon ike-peer change
Links to More Info: BT724143
Component: TMOS
Symptoms:
Altering the definition of an ike-peer does not expire the connflow used for the tunnel, so it remains in use for the tunnel.
Conditions:
-- Making any change to an IKEv2 ike-peer, even insignificant changes such as a description change.
-- Running a system version that has new attribute auth-rule inside ike-peer.
Note: This is not likely to occur in older system versions where no ike-peer state exists inside a connflow, because any ike-peer changes do replace the associated objects. In those cases, even though the same connflow is used, the system uses new algorithms for the ike-peer.
Impact:
In effect, you cannot change the configuration of the flow by changing the peer definition.
Workaround:
There is no workaround at this time.
Fix:
Changes in ike-peer now expire any existing connflow for that ike-peer. This affects only a system version that has new attribute auth-rule inside ike-peer.
Fixed Versions:
13.1.1.4, 14.0.0.5
724109-4 : Manual config-sync fails after pool with FQDN pool members is deleted
Links to More Info: BT724109
Component: TMOS
Symptoms:
If a user deletes an FQDN pool on one BIG-IP in a cluster and then runs a manual config sync with another BIG-IP, the change fails to sync to the other BIG-IPs in the cluster.
Conditions:
-- Create an FQDN pool on one BIG-IP.
-- Save the sys config.
-- Run a config sync.
-- Delete the FQDN pool.
-- Save the sys config.
-- Run a manual config sync.
Result: After deleting the FQDN pool and running a config sync with another BIG-IP, the manual config sync fails, and the deleted FQDN pool is still present on the other BIG-IP.
Impact:
The FQDN pool deletion does not propagate to the other BIG-IP, and the manual config sync operation fails.
Workaround:
The workaround for this issue is to use auto-sync.
Fixed Versions:
12.1.5.3, 13.1.3.2, 14.1.2.1, 15.0.1.1
724032-1 : Searching Request Log for value containing backslash does not return expected result
Links to More Info: BT724032
Component: Application Security Manager
Symptoms:
Searching within Request Log for a value containing backslash does not return the expected result. This happens because escaping of backslashes in REST API access is handled differently with 'eq' and 'contains' filters.
Conditions:
Searching within Request Log for a value containing backslash.
Impact:
Search within Request Log record containing backslash does not return the expected result.
Workaround:
Backslashes in REST API requests should be doubled when searching using 'contains' filter, but must not be doubled when searching with 'eq' filter.
Fix:
Searching within Request Log for a value containing backslash returns the expected result.
Fixed Versions:
13.1.1.2, 14.0.0.5
723794-3 : PTI (Meltdown) mitigation should be disabled on AMD-based platforms
Links to More Info: BT723794
Component: TMOS
Symptoms:
Platforms with AMD processors freeze when the PTI (Page Table Isolation) mitigation is enabled, after a period ranging from several hours to several days.
You can find information about which versions have the PTI (Meltdown) mitigations enabled in the AskF5 Article: Bug ID 707226: DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations :: https://cdn.f5.com/product/bugtracker/ID707226.html.
Conditions:
-- AMD-based platforms:
+ BIG-IP B4100 blades
+ BIG-IP B4200 blades
+ BIG-IP 6900 and NEBS appliances
+ BIG-IP 89x0 appliances
+ BIG-IP 6400 FIPS and NEBS platforms
+ BIG-IP 110x0 appliances
-- The database variable kernel.pti is set to enable (to address PTI (Meltdown)).
Impact:
System locks up and is rebooted by the watchdog timer.
Workaround:
Set the database variable kernel.pti to disable by running the following command:
tmsh modify sys db kernel.pti value disable
According to AMD, these AMD processors are not vulnerable to PTI (Meltdown), so there is no reason to leave the db variable enabled.
Fix:
PTI (Page Table Isolation) mitigation is no longer enabled on AMD-based platforms.
Fixed Versions:
11.6.5.1, 12.1.4.1, 13.1.1.5
723792-2 : GTM regex handling of some escape characters renders it invalid
Links to More Info: BT723792
Component: Global Traffic Manager (DNS)
Symptoms:
The memory footprint of big3d increases.
Conditions:
GTM monitor recv string such as the following: ^http\/\d\.\d[23]\d\d
Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory. The monitor marks the server it is monitoring UP as long as the server returns any response.
Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}
Fix:
Fixed handling of escape characters. Recv strings that previously failed to compile will now compile.
Fixed Versions:
12.1.4, 13.1.1.2, 14.0.0.3
723790-1 : Idle asm_config_server handlers consume a lot of memory
Links to More Info: BT723790
Component: Application Security Manager
Symptoms:
Idle asm_config_server handlers needlessly use a large amount of memory.
Conditions:
This issue might result from several sets of conditions. Here is one:
Exporting a large XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and stays that way, holding the memory until it is released by a restart.
Impact:
Unnecessary memory consumption.
Workaround:
1) Lower the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server:
---------------
# perl -pi.bak -e 's/MaxMemorySize=471859200/MaxMemorySize=262144000/' /etc/ts/tools/asm_config_server.cfg
---------------
2) Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
Notes:
-- The provided workaround does not permanently fix the issue. Instead it alleviates the symptoms of memory pressure, by (1) lowering the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server, and (2) freeing up all the memory that is currently taken by all asm_config_server processes.
-- This workaround does not cause any down time; the asm_config_server processes automatically start within ~30 seconds.
Fixed Versions:
12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6
723722-2 : MCPD crashes if several thousand files are created between config syncs.
Links to More Info: BT723722
Component: TMOS
Symptoms:
If more than several thousand (typically 20,000, but number varies by platform) files, for example SSL certificates or keys, are created between config syncs, the next config sync operation will take too long and mcpd will be killed by sod.
Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.
Impact:
Traffic is disrupted while the MCPD process restarts.
Workaround:
Run a config sync operation after every ~5000 files created.
Fix:
MCPD no longer crashes if several thousand files are created between config sync operations.
Fixed Versions:
12.1.4, 13.1.1.2, 14.0.0.3
723579-4 : OSPF routes missing
Links to More Info: BT723579
Component: TMOS
Symptoms:
When a newer link-state advertisement (LSA) (with a greater sequence number) comes in, Open Shortest Path First (OSPF) discards the old one by marking it DISCARD. The SPF calculation function suspends the calculation every 100 vertexes. If the discard happens during such a suspend, then after the calculation resumes, the discarded LSAs are ignored, which can make routes unreachable and eventually cause route withdrawals.
Conditions:
A very large number (~500, beyond best practices) of routers in a single OSPF area.
Impact:
Intermittent route flaps occur that might cause unreachable destination or increased network traffic due to the non-optimal route choice.
Workaround:
There is no workaround.
Fix:
The 'vertex threshold' IMISH parameter is now provided for OSPF/OSPF6, and it is meant to control the amount of vertexes calculated in one bunch (the default value is 100). This value can be increased to prevent LSA discards.
Fixed Versions:
13.1.1.4
723553-1 : BIG-IP installations on RAID systems (old style) may not boot
Links to More Info: BT723553
Component: TMOS
Symptoms:
Kernel panic at boot time with specific message similar to the following:
mdadm: Devices UUID-<...> and UUID-<...> have the same name: /dev/md<X>.
Conditions:
-- System is a RAID platform with an earlier-style RAID configuration, such as the following:
+ 10000s / 10200v
+ 10050s / 10250v
+ 10055s / 10255v
-- System has been upgraded through v14.1.0 and then downgraded to v14.0.0 or earlier.
Note: For RAID platforms such as i15600 / i15800 and newer, this is not an issue.
Impact:
The downgraded v14.0.0 or earlier version does not boot.
Workaround:
To downgrade, boot and install the desired software version from external media.
Fix:
The duplicate device error no longer occurs during installation; the failure no longer occurs.
Fixed Versions:
13.1.3
723402-2 : Apmd crashes running command: tmsh restart sys service all
Links to More Info: BT723402
Component: Access Policy Manager
Symptoms:
Rarely occurring apmd crash.
Conditions:
-- APM is licensed and provisioned.
-- Running the command: tmsh restart sys service all.
Impact:
Apmd crashes and generates a core file. Traffic may be disrupted while apmd restarts.
Workaround:
None.
Fix:
Apmd no longer crashes during tmsh restart sys service all.
Fixed Versions:
13.1.3
723300-2 : TMM may crash when tracing iRules containing nameless listeners on internal virtual servers
Links to More Info: BT723300
Component: Local Traffic Manager
Symptoms:
TMM may crash when tracing iRules containing nameless listeners on internal virtual servers.
Conditions:
-- Using iRule tracing.
-- Internal virtual servers.
-- Listener iRule, where the listener has no name.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when tracing iRules containing nameless listeners on internal virtual servers.
Fixed Versions:
13.1.1.2, 14.0.0
723298-2 : BIND upgrade to version 9.11.4
Links to More Info: BT723298
Component: TMOS
Symptoms:
The BIG-IP system is running BIND version 9.9.9.
Conditions:
BIND on BIG-IP system.
Impact:
BIND 9.9 Extended Support Version was supported until June, 2018.
Workaround:
None.
Fix:
BIND version has been upgraded to 9.11.4.
Fixed Versions:
12.1.4, 13.1.1.4, 14.0.0.3
723288-2 : DNS cache replication between TMMs does not always work for net dns-resolver
Links to More Info: BT723288
Component: Global Traffic Manager (DNS)
Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.
Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.
Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.
Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.
Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)
Fixed Versions:
11.6.5.3, 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.6
723278-1 : Radius Accounting-Request (STOP) always includes AVP Framed-IP-Address=0.16.0.0 when Network Access resource configured with IPv4 & IPv6
Links to More Info: BT723278
Component: Access Policy Manager
Symptoms:
When the VPN tunnel is terminated, 'Radius Accounting-Request (STOP)' always includes AVP Framed-IP-Address=0.16.0.0 instead of the IPv4 address assigned to the PPP tunnel.
Conditions:
-- Network Access resource is configured with both IPv4 and IPv6.
-- PPP IP address can be either static (obtained from RADIUS) or dynamic (obtained from the lease pool).
-- Using an Edge client or a browser.
-- VPN tunnel is terminated.
Impact:
APM sends 'Radius Accounting-Request (STOP)' that includes the AVP Framed-IP-Address=0.16.0.0 value instead of the assigned IPv4 client IP address.
Workaround:
Configure only IPv4 IP addresses for the Network Access resource.
Fix:
Include Framed IP Address in RADIUS Acct STOP message only when it is a valid IPv4 address.
Fixed Versions:
13.1.3.2
723130-1 : Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
Links to More Info: K13996 , BT723130
Component: TMOS
Symptoms:
The OVA signing certificate that signs BIG-IP Virtual Edition (VE) OVA files expired. When deploying a BIG-IP VE from an OVA file, an invalid-certificate warning might be displayed due to the expired OVA signing certificate.
Conditions:
This issue may be encountered during the creation of new instances of BIG-IP VE in clients that check the validity of the OVA signing certificate (e.g., VMware).
Note: Existing BIG-IP VE instances are not subject to this issue.
Impact:
There might be questions about the integrity of the OVA file, and in some cases it might not be possible to deploy a new instance from an OVA file.
Workaround:
None.
Fix:
The expired OVA signing certificate has been replaced with a valid signing certificate.
Fixed Versions:
11.5.8, 11.6.3.3, 12.1.3.6, 13.1.1, 14.0.0
723061-1 : Possible tmm core during high load, or when an ASM policy is enabled by other modules
Links to More Info: BT723061
Component: Application Security Manager
Symptoms:
TMM may crash if other modules enable ASM conditionally (e.g., 'ASM::enable' in an iRule) or if the BIG-IP system is under heavy memory load.
Conditions:
-- DoSL7 profile or Bot Defense profile is attached to a virtual server.
Along with either of the following:
-- The BIG-IP system is experiencing high load (low memory).
-- An ASM policy is enabled by another module or configuration, such as an APM Access policy or an ASM::enable iRule command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use 'ASM::enable' (or similar) to enable an ASM policy, when using DoSL7 or Bot Defense profiles attached to virtual servers.
Fix:
No tmm core occurs during high load or when an ASM policy is enabled by other modules.
Fixed Versions:
13.1.5
722969-2 : Access Policy import with 'reuse' enabled instead rewrites shared objects
Links to More Info: BT722969
Component: Access Policy Manager
Symptoms:
If a policy is exported and then imported with 'reuse' it rewrites objects on the server instead of simply reusing them.
Conditions:
-- Exporting profile A.
-- Importing profile B, with 'reuse' configured.
-- The objects in both profiles are named the same and are the same type.
Impact:
-- 'Reused' objects on the system are modified.
-- Policy A requires 'apply', because objects shared with Policy B are overwritten.
Workaround:
None.
Fix:
Access policy import with the 'reuse' option enabled no longer rewrites shared objects.
Fixed Versions:
12.1.4.1, 13.1.1.2, 14.0.0
722893-1 : TMM can restart without a stack trace or core file after becoming disconnected from MCPD.
Links to More Info: K30764018 , BT722893
Component: Local Traffic Manager
Symptoms:
The TMM - Host interface may stall when the kernel memory is fragmented, causing TMM and MCPD to become disconnected from one another.
MCPD logs 'Removed publication with publisher id TMM<x>' and TMM restarts cleanly.
TMM often logs '01010020:2: MCP Connection aborted, exiting' after a delay of seconds to minutes or more with a timestamp at time of event.
If this issue occurs during early TMM startup, then TMM logs 'MCP connection expired early in startup; retrying'.
Note that it is possible for TMM not to be able to properly restart after encountering this issue until the underlying memory condition has cleared. This can potentially carry on indefinitely.
Conditions:
This occurs when the following conditions are met:
-- Linux kernel memory fragmentation exists.
-- Another operation is occurring, including (among others):
+ Config-Sync with full reload is initiated.
+ Running tcpdump.
Impact:
The system will be inoperative and unable to pass traffic while TMM restarts. A redundant system will fail over to its peer.
Workaround:
If TMM fails to properly start for a prolonged period of time as a result of this issue, you can try to recover the system by restarting TMM (bigstart restart tmm), restarting the services (bigstart restart), or rebooting the system (reboot).
IMPORTANT: This is not a permanent workaround, just a way to temporarily recover the system until you can upgrade to a version of the software that contains a fix for this issue.
Fix:
The internal interface driver has been improved, allowing it to work in low and/or fragmented-memory conditions.
Fixed Versions:
13.1.1.2, 14.0.0
722707-4 : mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
Links to More Info: BT722707
Component: Local Traffic Manager
Symptoms:
The 'debug' log for a 'mysql' monitor may incorrectly report data being received from the database when network routing is configured to drop packets from that database, causing confusion when diagnosing packet traffic. This can be triggered by configuring the firewall to allow traffic to/from the 'mysql' database, and then (after the 'mysql' monitor successfully connects to the database) changing the firewall rules to drop packets returned *from* the database.
Conditions:
-- A 'mysql' monitor successfully connects to the 'MySql' database.
-- Once the connection is established, firewall rules are changed to 'DROP' packets returned from the 'MySQL' database, resulting in several entries in the 'mysql' monitor 'debug' log that incorrectly suggest packets were received from the 'MySQL' database.
Impact:
Several log entries may be made in the 'mysql' debug log suggesting packets were received from the 'MySQL' database (after a previous successful database probe connection), when in fact those packets were dropped due to changes in the firewall rules. These log entries may confuse debugging scenarios, but will typically self-correct (such as after three log message entries).
Workaround:
When configuring network traffic for 'MySQL' database resources, ensure symmetry for traffic handling (either bi-directional packet routing between 'bigd' and the 'MySQL' database is supported, or neither 'send' nor 'receive' packet routing to the 'MySQL' database is supported).
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1
722691 : Available datagroup list does not contain datagroups with the correct type.
Links to More Info: BT722691
Component: TMOS
Symptoms:
Available datagroup list contains only datagroups with type string and is not repopulated with datagroups that have a different type to match when the operand/selector changes.
Conditions:
-- Using the GUI.
-- Operand or selector in a condition is changed to a combination that is not compatible with string-type datagroups.
Impact:
Cannot assign a non string-type datagroup to a condition.
Workaround:
Use TMSH to configure the policy rule condition.
Fix:
Datagroups list is repopulated with datagroups of the appropriate type when its rule condition's operand or selector is changed.
Fixed Versions:
13.1.1.4
722682-2 : Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load
Links to More Info: BT722682
Component: TMOS
Symptoms:
Loading configuration process failed after upgrade when pool member names contain colons. The system posts errors similar to the following:
01070226:3: Pool Member 443:10.10.10.10 references a nonexistent Virtual Server
Unexpected Error: Loading configuration process failed.
Conditions:
-- GTM pool member has colon in its name.
-- Upgrade to any of the following versions:
+ 12.1.3.x
+ Any 13.0.x
+ All 13.1.x earlier than 13.1.1.2
+ 14.0.x earlier than 14.0.0.3
Impact:
The system removes the part of the pool member name that precedes the colon, and configuration load fails. For example, when the configuration contains a pool member named example_pm:443:10:10:10:10, the system removes the part of the pool member name that precedes the first colon, in this case, example_pm, leaving the pool member name 443:10.10.10.10.
Workaround:
After upgrade, add two backslash characters (\\) before the first colon (:) character.
1. Upgrade the BIG-IP DNS system to the new version of software.
2. SSH to log into the bash prompt of the BIG-IP DNS system.
3. Run the following command to add the string \\ in front of the first colon character (:) in the name of each affected GTM pool member:
for j in $(find /config/ -name bigip_gtm.conf); do for i in $(awk '$0 ~ /^gtm server.*:/ {gsub("[/:]"," ",$0); print $4}' ${j}); do sed -i "s, /Common/${i}, /Common/${i}\\\\\\\,g" ${j} | grep " /Common/${i}"; done; done
4. Run the following command: load sys config gtm-only
Fix:
Configuration load no longer fails when upgrading with a configuration that contains BIG-IP DNS pools with members whose names contain colon characters.
Fixed Versions:
12.1.4.1, 13.1.1.2, 14.0.0.3
722594-2 : TCP flow may not work as expected if double tagging is used
Links to More Info: BT722594
Component: Local Traffic Manager
Symptoms:
TCP flow may have an incorrect ACK number, and the flow may stall or reset. The BIG-IP system sends an ACK that is higher than it should be based on the data received from the client.
Conditions:
Double tagging is used.
Impact:
TCP connection fails.
Workaround:
Change the db variable tm.tcplargereceiveoffload value to disable.
Fix:
TCP flow now has the correct ACK number when double tagging is used.
Fixed Versions:
13.1.1.2, 14.0.0
722423-1 : Analytics agent always resets when Category Lookup is of type custom only
Links to More Info: BT722423
Component: Access Policy Manager
Symptoms:
Analytics errors out with a log that says you cannot use custom lookup only along with analytics (/var/log/apm). Even if the Analytics agent is set to disable RST on failure, the agent will send a RST.
Conditions:
In the per-request policy, Category Lookup agent is set to custom lookup only.
Impact:
This configuration leads to an Analytics agent with 'RST on Failure' disabled. The BIG-IP Admin cannot make the choice to disable RST on failure for this particular setup (even though it is a misconfiguration).
Workaround:
You can avoid the RST and error by modifying the configuration to use a standard category lookup before the analytics agent.
Using a custom-only 'Category Lookup' immediately followed by 'Response Analytics' is not a valid configuration. In this configuration, Analytics cannot run the way it is supposed to because it does not have the right information. 'Response Analytics' gives the option to choose what to do on error: RST, or continue on, implying that the non-RST option is valid. If the admin chooses to not reset, the system should log the error and continue. In this case, the system actually does send a RST, even though the RST is not what the BIG-IP admin intended to configure.
Fix:
Disabling RST on failure now works properly in this scenario. The configuration is still technically incorrect, but the system now takes the specified action-upon-error.
Fixed Versions:
13.1.1.2, 14.0.0.5
722392-2 : AVR: analytics statistics are displayed even if they are disabled
Links to More Info: BT722392
Component: Application Visibility and Reporting
Symptoms:
Some entities are being collected for AVR internal (DB based) reports, even though they are set as disabled on AVR profile.
Conditions:
-- DoS profile enabled on a virtual server.
-- IP/URLs are disabled on AVR profile for that virtual server.
Impact:
AVR does not adhere to its own settings for some entities.
Workaround:
None.
Fix:
BIG-IP checks all conditions prior to publishing the entities, and if an entity should not be collected for AVR, it is published as "Aggregated" on internal (DB based) reports.
Fixed Versions:
13.1.3.5
722380-2 : The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
Links to More Info: BT722380
Component: TMOS
Symptoms:
On platforms with HSB, if an HSB lockup occurs, then TMM panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. In certain cases, the reboot occurs before the core file is fully written, resulting in a truncated core.
Conditions:
-- Any platform with HSB.
-- An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.
Impact:
The reboot happens after the core dump begins but before it completes, resulting in a truncated core dump, which is not useful for analyzing why the HSB lockup occurred. Traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
Reboot is delayed until TMM core file is completed.
Fixed Versions:
12.1.5.2, 13.1.1.5
722363-2 : Client fails to connect to server when using PVA offload at Established
Links to More Info: BT722363
Component: Local Traffic Manager
Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.
When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.
Conditions:
A FastL4 virtual server is configured with offload_state = EST.
Impact:
Clients fail to connect to the server.
Workaround:
There is no workaround other than to disable PVA acceleration.
Fixed Versions:
11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3
722337-3 : Always show violations in request log when post request is large
Links to More Info: BT722337
Component: Application Security Manager
Symptoms:
The system does not always show violations in request log when post request is large.
Conditions:
A large post request with many parameters is sent.
Impact:
Although the violation is handled correctly, it is not reported.
Workaround:
Disable learning mode.
The internal parameter pb_sampling_high_cpu_load can define what is seen as high CPU load above which sampling does not take place. The default is 60.
-- Using a lower value reduces the chances of sampling data.
-- Using 0 makes sampling never happen and thus this issue does not occur (this slows down automatic policy building).
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1.1
722230-5 : Cannot delete FQDN template node if another FQDN node resolves to same IP address
Links to More Info: BT722230
Component: TMOS
Symptoms:
If multiple FQDN nodes and corresponding pool members are created, with FQDN names that resolve to the same (or a common) IP address, you may not be able to delete any of the affected FQDN nodes even after its corresponding FQDN pool member has been deleted.
Conditions:
This occurs under the following conditions:
-- Multiple FQDN template nodes exist with FQDN names that resolve to the same (or a common) IP address.
-- FQDN pool members exist for each FQDN template node, with corresponding ephemeral pool members for each which share the same IP address.
-- One of the FQDN pool members is removed from its pool.
-- You attempt to delete the corresponding FQDN template node.
Impact:
The FQDN template node remains in the configuration and cannot be deleted, while an ephemeral node or pool member exists with an IP address corresponding to that FQDN name.
Workaround:
To work around this issue:
1. Remove all remaining conflicting FQDN pool members (with FQDN names that resolve to the shared/conflicting IP address).
2. Delete the desired FQDN node.
3. Re-create the remaining FQDN pool members to replace those removed in step 1.
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.3.1, 15.0.1.4, 15.1.0.2
722013 : MCPD restarts on all secondary blades post config-sync involving APM customization group
Links to More Info: BT722013
Component: Access Policy Manager
Symptoms:
After performing a series of specific config-sync operations between multi-blade systems, the MCPD daemon restarts on all secondary blades of one of the systems.
Each affected blade will log an error message similar to the following example:
-- err mcpd[5038]: 01070711:3: Caught runtime exception, Failed to collect files (snapshot path () req (7853) pmgr (7853) not valid msg (create_if { customization_group { customization_group_name "/Common/Test-A_secure_access_client_customization" customization_group_app_id "" customization_group_config_source 0 customization_group_cache_path "/config/filestore/files_d/Common_d/customization_group_d/:Common:Test-A_secure_access_client_customization_66596_1" customization_group_system_path "" customization_group_is_system 0 customization_group_access 3 customization_group_is_dynamic 0 customization_group_checksum "SHA1:62:fd61541c1097d460e42c50904684def2794ba70d" customization_group_create_time 1524643393 customization_group_last_update_time 1524643393 customization_group_created_by "admin" customization_group_last_updated_by "admin" customization_group_size 62 customization_group_mode 33188 customization_group_update_revision 1
Conditions:
This issue occurs when all of the following conditions are met:
- You have configured a device-group consisting of multi-blade systems (such as VIPRION devices or vCMP guests).
- Systems are provisioned for APM.
- The device-group is configured for incremental manual synchronizations.
- On one system (for example, source_system), you create an APM configuration object (for example, a connectivity profile) that causes the automatic creation of an associated customization group.
- You synchronize the configuration from the source_system to the device-group.
- On the source_system, you create a new configuration object of any kind (for example, an LTM node).
- Instead of synchronizing the newest configuration to the device-group, you synchronize the configuration from another device in the device-group to the source_system (which effectively undoes your recent change).
- The MCPD daemon restarts on all secondary blades of the source_system.
Impact:
While the MCPD daemon restarts, the blade is offline, and many other BIG-IP daemons need to restart along with MCPD.
-- If the source_system is Active, the load capacity of the system temporarily decreases proportionally to the number of blades restarting. Additionally, if the systems use the min-up-members or HA-Group features, losing a certain number of secondary blades may trigger a failover.
-- If the source_system is Standby, some of the previously mirrored information may become lost as TMM on secondary blades restarts along with MCPD. Should this system later become the Active system, traffic may be impacted by the lack of previously mirrored information.
Workaround:
None.
Fix:
The MCPD daemon no longer restarts on secondary blades after config-sync of APM.
Fixed Versions:
12.1.3.7, 13.1.1.2, 14.0.0.5
721985 : PAYG License remains inactive as dossier verification fails.
Links to More Info: BT721985
Component: TMOS
Symptoms:
- BIG-IP is deployed in a cloud environment (AWS/Azure/GCE) with PAYG licenses. The license won't activate on the startup.
Conditions:
- There are multiple ways this can happen, but all of them come down to a networking issue in the user's environment where the HTTP calls to the cloud metadata service fail.
- This can be a simple routing issue to the metadata service or a firewall issue.
Impact:
As license activation fails, the instance becomes unusable.
Workaround:
Look at /var/log/ltm to determine the networking issue that is causing the dossier verification failure. It is typically logged in the following form:
Curl request to metadata service failed with error(<error-code>): '<error-message>'
By resolving this networking error, license activation should succeed.
Fix:
PAYG License remains inactive as dossier verification fails.
Fixed Versions:
13.1.1, 14.0.0.1
721895 : Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)
Component: Global Traffic Manager (DNS)
Symptoms:
big3d advertises a TLSv1.0 version. Even though big3d requires previously exchanged certificates to validate a connection request, the TLSv1.0 advertisement triggers various vulnerability scanners and is flagged.
Conditions:
Running a vulnerability scanner or other SSL test tool.
Impact:
The scanner or tool reports that big3d might potentially accept a TLSv1.0 connection request (which is considered insecure). Vulnerability scanners then flag the BIG-IP system as vulnerable.
Workaround:
Although there is no workaround, because big3d accepts connections only from clients that match the certificates on the BIG-IP system, the risk is minimal.
In addition, you can deploy firewall rules to accept connections on port 4353 only from known BIG-IP systems.
Fix:
This version adds a db variable for big3d, big3d.minimum.tls.version. By default the value is 'TLSv1'. You can also specify TLSV1.1 or TLSV1.2 (the setting is case insensitive).
After changing the DB variable, restart big3d. Change the value on all BIG-IP systems that are subject to scans. This includes GTM as well as LTM configurations.
Fixed Versions:
11.5.7, 11.6.4, 12.1.4.1, 13.1.0.8, 14.0.0.5
721805 : Traffic Policy edit to datagroup errors on adding ASM disable action
Links to More Info: BT721805
Component: TMOS
Symptoms:
Adding an ASM disable action will trigger a message similar to the following:
transaction failed:010716de:3: Policy '/Common/Drafts/TD180420-07', rule 'test'; target 'asm' action 'disable' does not support parameter of type 'policy'.
Conditions:
Using the GUI to submit a rule with a 'disable asm' action and a condition with datagroup.
Impact:
Cannot create a 'disable asm' action.
Workaround:
Create the rule using tmsh.
Fix:
You can now use the GUI to submit a rule with a 'disable asm' action and a condition with datagroup.
Fixed Versions:
13.1.1.5
721752-2 : Null char returned in REST for Suggestion with more than MAX_INT occurrences
Links to More Info: BT721752
Component: Application Security Manager
Symptoms:
Unable to view ASM event log details for a majority of violations.
Conditions:
Suggestion with more than MAX_INT (2,147,483,647) occurrences.
Impact:
Null char returned in REST for Suggestion with more than MAX_INT occurrences.
Workaround:
Use the following sql command:
UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647 where occurrence_count < 0;
Fix:
Null char is no longer returned in REST for Suggestion with more than MAX_INT occurrences.
Fixed Versions:
12.1.3.7, 13.1.1.4, 14.0.0.5
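The workaround above resets every negative occurrence_count, which implies the counter wrapped past the signed 32-bit maximum and went negative (an inference from the WHERE clause, not a statement made in the release notes). The following added example, which is not code from these release notes or from F5, shows how such a counter wraps, a saturating increment that stays at MAX_INT instead of wrapping, and an in-memory equivalent of the documented SQL clamp applied to constructed sample rows:

```python
# Added illustration of the MAX_INT occurrence-counter problem.
# Names, sample rows and helper functions here are assumptions for
# the example; they are not part of BIG-IP or the release notes.

INT32_MAX = 2_147_483_647      # the MAX_INT quoted in the entry
INT32_MIN = -2_147_483_648


def wrap_int32(value: int) -> int:
    """Reduce an integer to signed 32-bit two's-complement range.

    This is what a plain C 'int' or a 32-bit SQL INT column ends up
    holding when an increment overflows without being rejected.
    """
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value > INT32_MAX else value


def increment_wrapping(count: int, n: int = 1) -> int:
    """Unsafe increment: wraps to a negative number past INT32_MAX."""
    return wrap_int32(count + n)


def increment_saturating(count: int, n: int = 1) -> int:
    """Safe increment: clamps at INT32_MAX so the count never goes negative."""
    return min(count + n, INT32_MAX)


def clamp_negative_counts(rows):
    """In-memory equivalent of the documented workaround:
    UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647
    where occurrence_count < 0;
    Returns new row dicts; rows with non-negative counts are unchanged.
    """
    return [
        {**row, "occurrence_count": INT32_MAX}
        if row["occurrence_count"] < 0 else dict(row)
        for row in rows
    ]


# Constructed sample rows (hypothetical suggestion IDs and counts).
SAMPLE_ROWS = [
    {"id": 1, "occurrence_count": 12},
    {"id": 2, "occurrence_count": INT32_MAX},
    {"id": 3, "occurrence_count": increment_wrapping(INT32_MAX)},  # wrapped
]


if __name__ == "__main__":
    for row in clamp_negative_counts(SAMPLE_ROWS):
        print(row)
```

Running the block prints row 3 with its count restored to INT32_MAX, the state the SQL workaround leaves the table in; the saturating increment is what a fix would use so the counter never needs repairing.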
721741-3 : BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
Links to More Info: BT721741
Component: Application Security Manager
Symptoms:
The bd log reports the following errors:
-------
ECARD_POLICY|NOTICE|May 24 04:49:42.035|4143|table.h:2408|IPTableList::del_object key not found in table
ECARD|ERR |May 24 04:49:42.035|4143|table.h:0398|KEY_UPDATE: Failed to REMOVE data will continue to add
-------
Conditions:
Configuring IP Address Exceptions in a certain order, with and without a route domain.
Impact:
BD and BD_Agent are out of sync for IP Address Exceptions, causing false positives and false negatives.
Workaround:
There is no workaround at this time.
Fix:
System no longer generates these false positive/negative log entries.
Fixed Versions:
12.1.3.7, 13.1.1.2, 14.1.0.2
721740-2 : CPU stats are not correctly recorded when snapshot files have timestamps in the future
Links to More Info: BT721740
Component: TMOS
Symptoms:
One symptom is that a message similar to the following appears frequently in the log files:
May 24 16:31:53 lusia_60.F5.COM warning merged[6940]: 011b0914:4: No individual CPU information is available. Merged CPU stats will be 0.
Conditions:
If all of the snapshot stats files have timestamps in the future, CPU stats will not be correctly merged.
Impact:
Frequent error messages in the logs, and incorrect merged CPU stats.
Workaround:
Remove all of the stats snapshot files that have timestamps in the future and restart merged.
Fix:
Merged has been updated to correctly handle the case where all of the stats snapshot files have timestamps in the future, and now correctly merges the CPU stats.
Fixed Versions:
13.1.1.2
721704-1 : UDP flows are not deleted after subscriber deletion
Links to More Info: BT721704
Component: Policy Enforcement Manager
Symptoms:
UDP flows continue to live until the UDP idle timeout occurs, even after the subscriber is gone and the option for immediate deletion of the flow is enabled.
Conditions:
-- The option to delete flows upon subscriber deletion is enabled.
-- The UDP flow is established with an idle time greater than the re-evaluate timeout.
Impact:
The UDP flows continue to be alive after the required time, but only act to drop the traffic.
Workaround:
To work around this issue:
1. Modify the UDP idle timer to a suitable value.
2. Force delete the UDP flow from CLI.
Fix:
UDP flows are now deleted after subscriber deletion.
Fixed Versions:
13.1.1.2
721621-1 : Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
Links to More Info: BT721621
Component: Local Traffic Manager
Symptoms:
If an LTM pool is configured with only FQDN members, the DNS server resolves the FQDN to IP addresses that match statically-configured LTM nodes, and the IP address records returned by the DNS server change, an ephemeral pool member may not be added to the pool for the new IP address.
When in this state, if the FQDN template pool member is deleted from the pool, a new ephemeral pool member may be added corresponding to the last IP address record returned by the DNS server.
Conditions:
This may occur when:
1. Static nodes are configured which match addresses that may be returned in the DNS query for a given FQDN name.
2. An FQDN node is created with autopopulate disabled, for an address which may resolve to the same address as one of the static nodes.
3. This FQDN node is added (as a pool member) with autopopulate disabled, to a pool with no other non-FQDN members.
4. The DNS server resolves the FQDN name to an address that matches one of the static nodes.
5. A subsequent DNS query resolves the FQDN name to a different address that matches a different static node.
Impact:
In this case:
-- The original ephemeral member is removed from the pool.
-- A new ephemeral member for the new address may NOT be added to the pool.
-- In this state, if the FQDN template member is deleted from the pool, a new ephemeral member (i.e., the missing ephemeral with new IP address) is re-added to the pool.
Note: This symptom can occur only if the statically-configured node is created prior to an ephemeral pool member being created for the same IP address. If an ephemeral pool member and node are created first, it is not possible to create a statically-configured node or pool member using the same IP address.
Overall, traffic for the affected pool may not be sent to correct pool member (new ephemeral address).
If no other members are defined in the pool, traffic will be interrupted.
Workaround:
This issue can be prevented by:
-- Avoiding configuring a static (non-FQDN) node with an IP address that matches any address that might be returned by the DNS server when resolving the FQDN.
-- Adding a statically-configured pool member to the pool in addition to the FQDN template member.
Once the symptom occurs, recovery is possible by performing either of the following actions:
-- Delete the statically-configured node with the conflicting IP address.
-- Recreate the node using the following procedure:
1. Delete the FQDN template member from the pool.
2. Delete the orphaned ephemeral member from the pool.
3. Re-add the FQDN template member to the pool.
Fix:
When an FQDN pool member address resolves to the same IP address as an existing static node, the corresponding ephemeral pool member is successfully created and deleted as expected, including when the IP address returned by the DNS query changes.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.0.0.3
721571-1 : State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade
Links to More Info: BT721571
Component: Local Traffic Manager
Symptoms:
BIG-IP devices running 12.1.3.x (12.1.3 or a 12.1.3 point release) and 13.x or 14.x software versions in a high-availability (HA) configuration with state mirroring enabled may cause a standby system to produce a TMM core file.
Conditions:
-- The HA configuration is one of the following:
+ The active system is running v12.1.3.x, and the standby system is running v13.x or v14.x, as a result of an in-progress upgrade.
+ The active system is running v13.x or v14.x and the standby system is running v12.1.3.x.
-- State mirroring configured on two or more BIG-IP systems.
-- For VIPRION clusters or VIPRION-based vCMP guests, the systems are configured to mirror 'Between Clusters'.
Impact:
TMM may crash on a standby system during upgrade.
This issue should not disrupt traffic, because the TMM is coring only on the standby unit.
Workaround:
To work around this issue, disable State Mirroring prior to upgrading, and re-enable it once both devices are running v13.x or v14.x, or complete the upgrade of both devices to v13.x or v14.x.
1. You can disable mirroring using either the GUI or the command line.
1a. In the GUI: Set the Primary and Secondary Local Mirror Address configurations to 'None' under Device Management :: Devices :: [Self] device :: Mirroring Configuration.
1b. From the command line: Run the following command:
tmsh modify cm device <name-of-self-device> mirror-ip any6 mirror-secondary-ip any6 && tmsh save sys config
Important: This action results in connection state loss on failover.
2. Once all devices are running the same software version, re-enable state mirroring by re-adding the device mirror IP addresses removed previously.
Note: F5 recommends that BIG-IP systems in HA configurations run with the same software version on all devices.
Fix:
TMM no longer crashes on a standby device when upgrading from 12.1.3.x.
Fixed Versions:
13.1.0.8
721570-1 : TMM core when trying to log an unknown subscriber
Links to More Info: K20285019 , BT721570
Component: Carrier-Grade NAT
Symptoms:
Using CGNAT or FW-NAT with subscriber-id logging enabled can cause a TMM core when the subscriber ID is unknown.
Conditions:
-- A LSN pool or FW-NAT source translation that has a logging profile with subscriber-id enabled.
-- A PEM profile that allows unknown subscribers.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure PEM to deny connections from unknown subscribers.
Fix:
The system no longer crashes. It logs 'unknown' for unknown subscribers.
Fixed Versions:
13.1.1.2, 14.0.0
721526-2 : tcpdump fails to write verbose packet data to file
Links to More Info: BT721526
Component: TMOS
Symptoms:
On some BIG-IP platforms, tcpdump is unable to write verbose packet data to a file (e.g., 'tcpdump -nni 2.1:nn -e -vvv -s 0 -w /tmp/dump.pcap').
Conditions:
Use tcpdump with -w and -v options on a front panel interface that is actively sending/receiving traffic.
This occurs on the following hardware:
-- BIG-IP 5000, 7000, 10000, i5000, i7000, i10000, i11000, and i15000 platforms.
-- VIPRION B4400, B4300, B2200, and B2100 blades.
Impact:
Cannot use tcpdump to write verbose packet data to file.
Workaround:
There is no workaround at this time.
Fix:
The tcpdump operation is now able to write verbose packet data to file.
Fixed Versions:
12.1.5.3, 13.1.3
721512 : Config tool fails to configure management-ip when default routes exist for both IPv4 and IPv6.
Links to More Info: BT721512
Component: TMOS
Symptoms:
Configuration tool fails to configure management-ip when default routes exist for both IPv4 and IPv6.
Conditions:
This can happen in the following two scenarios:
-- A configured IPv4 management-ip that is switched to IPv6.
-- A configured IPv6 management-ip that is switched to IPv4.
Impact:
Cannot successfully change an IPv4 or IPv6 management-ip address using config.
For either of the above cases, if the IP addresses are switched back to IPv4/IPv6, the config tool fails to configure management-ip with this error:
ERROR: route_mgmt_entry count is 2
Workaround:
Manually delete the default6 (if current management-ip is IPv4) or default (if current management-ip is IPv6) management-route by running the following command:
tmsh delete sys management-route <default/default6>
Fix:
Config tool now works to configure management-ip when default routes exist for both IPv4 and IPv6, so you can switch back and forth between IPv4 and IPv6 IP addresses without error.
Fixed Versions:
13.1.1
721474-1 : AVR does not send all SSLO statistics to offbox machine.
Links to More Info: BT721474
Component: Application Visibility and Reporting
Symptoms:
When using the 'use-offbox' option, AVR does not send SSLO statistics to the offbox system.
Conditions:
-- AVR provisioned.
-- Use-offbox is enabled.
Impact:
SSLO statistics are not available for BIG-IQ analytics.
Workaround:
There is no workaround.
Fix:
AVR now sends SSLO statistics to offbox systems when the 'use-offbox' option is enabled.
Fixed Versions:
13.1.0.8, 14.0.0
721408-4 : Possible to create Analytics overview widgets in '[All]' partition
Links to More Info: BT721408
Component: Application Visibility and Reporting
Symptoms:
When creating new widgets, they are created under the currently set partition. If the partition is '[All]' (not a real partition), this name will be used to create the widgets.
In newer versions of BIG-IP software (v13.x or later), there is validation that disallows using non-existent partitions. When upgrading configurations that contain the '[All]' designation on the widgets, the operation fails because of those objects that have the invalid partition.
Conditions:
Using BIG-IP software v11.x (or similar) to create widgets while in the read-only '[All]' pseudo-partition.
Impact:
Upgrade to v13.x or later fails.
Workaround:
Manually edit the configuration files and change '[All]' to 'Common', after which the upgrade should succeed.
Fix:
It is no longer possible to create widgets while not in an actual writeable partition.
Fixed Versions:
13.1.3.5
721399-2 : Signature Set cannot be modified to Accuracy = 'All' after another value
Links to More Info: BT721399
Component: Application Security Manager
Symptoms:
ASM Signature Set cannot be modified to Accuracy = 'All' after another value was used previously.
Conditions:
-- ASM Signature Set has a value set for Accuracy filter.
-- Accuracy is subsequently set to 'All'.
Impact:
The change to Accuracy = 'All' does not take effect. ASM Signature Set cannot be modified to Accuracy = 'All'.
Workaround:
You can use either of the following workarounds:
-- Delete and re-create the Signature Set with the desired value.
-- Modify the filter to a value that will match all results (such as Accuracy is greater than or equal to 'Low').
Fix:
ASM Signature Set can now be set to Accuracy = 'All' after a value was previously set.
Fixed Versions:
12.1.5, 13.1.1.5
721375-1 : Export then import of config with RSA server in it might fail
Links to More Info: BT721375
Component: Access Policy Manager
Symptoms:
If an exported policy configuration contains both an RSA server as well as the RSA-provided sdconf.rec and sdstatus.12 config files, policy import might fail.
Conditions:
-- RSA server and access profile are in the same, non-Common partition.
-- Exported policy contains an RSA server as well as both the RSA-provided sdconf.rec and sdstatus.12 config files.
Impact:
Unable to import the exported configuration. This occurs because of how the names for the files are resolved in the exported configuration.
Workaround:
Although there is no actual workaround, you can avoid this issue if the profile is outside of the partition. That case uses a different name resolution during the export, so import works as expected.
Fix:
You can now successfully import an exported policy containing an RSA server as well as both sdconf.rec and sdstatus.12 files.
Fixed Versions:
12.1.3.7, 13.1.1.2
721364 : BIG-IP per-application VE BYOL license does not support three wildcard virtual servers
Links to More Info: BT721364
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) admin can create only one wildcard virtual server with a per-application BYOL license.
Note: If you are using BIG-IQ 6.0.0 or 6.0.1 to manage AWS-based, per-app BIG-IP VE systems running versions 13.1.0.5 through 13.1.0.8, you must use the following AWS templates:
-- Default-AWS-f5-HTTPS-WAF-lb-template
-- Default-AWS-f5-HTTPS-offload-lb-template
For these two templates, ports 443 and 80 (for HTTP redirect) are hard-coded in an iRule, which enables this functionality.
Conditions:
Per-app VE with BYOL license.
Impact:
Per-app VE with BYOL license does not work as expected.
Workaround:
N/A
Fix:
Per-app VE BYOL license now supports three wildcard virtual servers.
Fixed Versions:
13.1.1, 14.0.0.1
721350-2 : The size of the icrd_child process is steadily growing
Links to More Info: BT721350
Component: TMOS
Symptoms:
The resident segment size (rss) for the icrd_child process continues to increase on issuing iCR GET requests. This increase is permanent and the rss does not drop back to its original size.
Conditions:
The following is an example config under which this issue occurs. Note this is an illustrative example; the actual issue might occur for various config objects.
GET tm/ltm/virtual?expandSubcollections=true wherein the virtual has some profiles associated with it.
ltm pool p-http { }
ltm virtual novel-1000 {
...
pool p-http
profiles {
analytics { }
http { }
tcp { }
}
....
}
# tmctl proc_pid_stat 'proc_name=icrd_child' -s proc_name,ppid,vsize,rss
On subsequent GET requests the rss size continues to increase.
Impact:
Increase in the rss of the icrd_child process. This increase could cause icrd_child to core, or force other processes to swap because of the limited memory left for them.
Workaround:
There is no workaround.
Fix:
The memory leak was identified and fixed.
Fixed Versions:
13.1.1.2
721342 : No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments.
Links to More Info: BT721342
Component: TMOS
Symptoms:
No Per-App Virtual Edition (VE) LTM or Per-App VE WAF images for various cloud environments.
Conditions:
Various cloud environments (e.g., Azure, Google, AWS).
Impact:
No options to use various Per-App VE features.
Workaround:
None.
Fix:
There are now offerings for various cloud environments (Azure, Google, AWS). There are two types of Per-App VE LTM and two of Per-App VE WAF images.
Fixed Versions:
13.1.1, 14.0.0.1
721261-1 : v12.x Policy rule names containing slashes are not migrated properly
Links to More Info: BT721261
Component: Local Traffic Manager
Symptoms:
When migrating from v12.x to v13.0.x, 13.1.x, or 14.0.x, LTM policies that have rules whose names contain the slash character do not migrate properly, and roll-forward migration fails.
Conditions:
-- BIG-IP systems running v12.x.
-- Configuration contains LTM Policy rules whose names include the slash (/) character.
-- Upgrading to v13.0.x, 13.1.x, or 14.0.x.
Impact:
Roll-forward migration fails with the error: illegal characters in rule name.
Workaround:
Edit the rule names within LTM Policies, replacing the now-illegal slash (/) character with a legal alternative, such as the underscore (_).
Alternately, prior to migration, rename the rules on the v12.x system, and then perform the upgrade.
Fix:
BIG-IP software v12.x Policy rule names containing slashes are properly migrated.
Fixed Versions:
13.1.1.2, 14.0.0.5
721016 : vcmpd fails updating VLAN information on vcmp guest
Links to More Info: BT721016
Component: TMOS
Symptoms:
VLANs are not properly attached to a vCMP guest. They are absent from the VLAN shared memory segment.
In the host /var/log/ltm, this message is observed:
err vcmpd[7839]: 01510004:3: Error updating vlan shm seg: -39
In the guest, these messages are observed:
warning chmand[8827]: 012a0004:4: VcmpShmIntf::querySeg: err code -30
warning chmand[8827]: 012a0004:4: readShmData: vCmpShmIntf: Query segment error
warning chmand[8827]: 012a0004:4: VcmpShmIntf::querySeg: err code -30
Conditions:
-- vCMP provisioned on a BIG-IP system.
-- vCMP guests deployed.
-- More than 3259 VLANs attached to guests from host.
Impact:
Cannot use newly deployed VLANs in the guest. Running the following command in the guest does not show the attached VLANs:
$ tmsh list net vlan
Workaround:
None.
Fixed Versions:
13.1.1.4
720961-1 : Upgrading in Intelligence Community AWS environment may fail
Links to More Info: BT720961
Component: TMOS
Symptoms:
After importing an AWS instance into the Intelligence Community (IC) AWS environment, you cannot upgrade to 13.1.0.2 (or later) because the license fails to validate afterwards.
Conditions:
-- Manually imported BIG-IP image into AWS IC.
-- Upgraded to 13.1.0.2 or newer.
Impact:
The system fails to validate the license after rebooting into the new software. Licenses are inoperative after the upgrade.
Workaround:
To work around this issue, perform the following procedure:
1. Redeploy a BYOL image from the IC marketplace.
2. Move over the license.
3. Configure the system.
Fix:
This release provides improved license validation to address this situation by detecting the IC environment, but allowing prior licenses to function.
Fixed Versions:
13.1.1, 14.0.0.1
720819-2 : Certain platforms may take longer than expected to detect and recover from HSB lock-ups
Links to More Info: BT720819
Component: TMOS
Symptoms:
In the unlikely event of a HSB lock-up, certain BIG-IP platforms may take longer than expected to detect and recover from the condition.
For instance, it may take several minutes for an affected unit to detect the condition and initiate the predefined failsafe action.
Instead, the recovery mechanism should trigger almost instantaneously.
Conditions:
This issue occurs when all of the following conditions are met:
-- The BIG-IP system is an i56xx/i58xx, i76xx/i78xx, or i106xx/i108xx platform.
-- The HSB locks up due to a separate issue.
Impact:
Traffic is negatively impacted until the BIG-IP system detects and remedies the condition. This might take up to 15 minutes before remedied by a reboot, depending on other traffic being processed.
Workaround:
None.
Fix:
The HSB lock-up is now promptly detected and remedied.
Fixed Versions:
12.1.4.1, 13.1.1.5
720799-2 : Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
Links to More Info: BT720799
Component: Local Traffic Manager
Symptoms:
When using FQDN pool members, if all ephemeral members are removed and replaced by a DNS query that returns an entirely new set of IP addresses (no overlap with previous DNS query results), all ephemeral pool members are removed before the new ephemeral pool members are created.
This results in a brief moment when there are no ephemeral members (that can receive traffic) in the pool.
Conditions:
A DNS query for the FQDN node in which the pool members belong, returns an entirely new set of IP addresses (no overlap with previous DNS query results).
Impact:
The brief moment during which there are no ephemeral members (that can receive traffic) in the pool can cause a Virtual Server or Virtual Address using that pool to flap.
Workaround:
It is possible to work around this issue by:
1. Adding a pool member with a statically-configured IP address.
2. Including multiple FQDN pool members in the pool, to limit the effect of the ephemeral members changing for a single FQDN pool member.
Fix:
When using FQDN pool members, ephemeral members whose IP addresses are not present in the most recent DNS query results are no longer immediately deleted from the pool.
To prevent the brief condition in which there are no ephemeral members in the pool (which can cause a Virtual Server or Virtual Address using that pool to flap), creation of new ephemeral nodes and pool members occurs immediately, but deletion of old ephemeral nodes and pool members occurs after a delay.
The duration of the delay follows the fqdn 'down-interval' value configured for the associated FQDN template node.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.0.0.3
720757-1 : Without proper licenses Category Lookup always fails with license error in Allow Ending
Links to More Info: BT720757
Component: Access Policy Manager
Symptoms:
When a per-request policy's Category Lookup agent queries Standard Categories with an expired SWG/URLF license (and has 'RST on failure' disabled), the execution always ends with the following log messages:
Error: Global concurrent url filter session limit reached
The connection is aborted.
Conditions:
Category Lookup agent set to query the urldb engine (standard categories) with either no SWG/URLF license or an expired license.
Impact:
Even if 'RST on failure' is disabled, traffic cannot reach the allow ending successfully.
Workaround:
Remove the Category Lookup with standard category lookup from the per-request policy if the licenses do not allow for its use.
Fix:
The allow ending is now reached successfully and does not error out if Category Lookup fails due to licensing errors but is set to disable 'RST on failure'.
Fixed Versions:
13.1.1.2, 14.0.0.5
720756-1 : SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS
Links to More Info: BT720756
Component: TMOS
Symptoms:
The SNMP query for platform marketing name is 'unknown' for i11400-DS/i11600-DS/i11800-DS.
Conditions:
-- On licensed system, check OID marketing name.
-- Using i11400-DS/i11600-DS/i11800-DS platforms.
Impact:
Cannot tell the actual platform name in the SNMP query.
Workaround:
There is no workaround at this time.
Fix:
SNMP platform name is now reported correctly on BIG-IP i11400-DS/i11600-DS/i11800-DS platforms.
Fixed Versions:
12.1.3.6, 13.1.1
720713-2 : TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail
Links to More Info: BT720713
Component: TMOS
Symptoms:
When a BIG-IP iSeries i5800, i7800, or i10800 device is configured as a vCMP host and at least one vCMP guest is running (or ever ran), TMM traffic to the vCMP host may fail.
Note: Management port traffic to/from the device is unaffected.
Note: TMM traffic to/from the vCMP guests running on the device is unaffected. This issue affects only the vCMP host.
The most visible symptom is that TMM on the vCMP host fails to answer ARP requests that it receives for its own Self-IP addresses.
Conditions:
This issue occurs when all of the following conditions apply:
- BIG-IP iSeries i5800, i7800, or i10800 device in vCMP host mode.
- At least one vCMP guest is deployed or was deployed, at some point.
Impact:
Inability to communicate to/from the vCMP host via its Self-IP addresses.
Workaround:
Ensure that the host is running a compatible version of BIG-IP. For more information on supported host/guest versions, see K14088: vCMP host and compatible guest version matrix, available at https://support.f5.com/csp/article/K14088
Fix:
The vCMP host continues to handle traffic correctly once a guest is started.
Fixed Versions:
12.1.4, 13.1.1.2, 14.0.0.3
720695-1 : Export then import of APM access Profile/Policy with advanced customization is failing
Links to More Info: BT720695
Component: Access Policy Manager
Symptoms:
An exported policy containing advanced customization fails to import.
Conditions:
-- Export policy containing advanced customization.
-- Import the same policy.
Impact:
Import fails.
Workaround:
None.
Fix:
Access policy import containing advanced customization now succeeds.
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0
720651-2 : Running Guest Changed to Provisioned Never Stops
Links to More Info: BT720651
Component: TMOS
Symptoms:
After changing a vCMP guest status to provisioned, the guest remains running and shows a status of stopping.
Conditions:
-- Guests deployed on a BIG-IP vCMP host.
-- Changing the state from deployed to provisioned.
Impact:
Guests do not stop and change status until vcmpd process is restarted, which is likely to impact running guests.
Workaround:
There is no workaround.
Fix:
The guest now stops when the state is changed from deployed to provisioned.
Fixed Versions:
12.1.4, 13.1.1, 14.0.0.3
720610 : Automatic Update Check logs false 'Update Server unavailable' message on every run
Links to More Info: BT720610
Component: TMOS
Symptoms:
The Automatic Update Check operation erroneously logs a message indicating that the Update Server is unavailable on every run, successful or not.
Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.
Impact:
Misleading 'PHONEHOME: Update Server unavailable' messages in the log file, implying that the update server is not available.
Workaround:
None.
Fix:
The Automatic Update Check operation no longer logs false messages.
Fixed Versions:
13.1.3, 14.1.2.7
720585-1 : Signatures generated by Behavioral DOS algorithm can create false-positive signatures
Links to More Info: BT720585
Component: Anomaly Detection Services
Symptoms:
There is a probability that the generated signatures will block unknown traffic (traffic that was not present before the attack) even when this is not necessary from a service-health perspective.
Conditions:
Run attack traffic.
In parallel, run unknown traffic.
Together with the good traffic, it should exceed the learned baseline.
Impact:
The signatures may block unknown traffic even when doing so is not necessary from a service-health perspective.
Workaround:
There is no workaround at this time.
Fix:
An adaptive ratio threshold is now used to cover the current bad traffic samples. The ratio increases as long as the health is not good.
If the health returns to good levels (below one), the ratio is reset to its initial value.
Fixed Versions:
13.1.1.2, 14.0.0.5
720569-1 : Disaggregation algorithm distributing traffic unequally across CPU cores on Virtual Edition
Links to More Info: BT720569
Component: TMOS
Symptoms:
After a period of time, Inet port exhaustion error messages begin to be reported, and traffic starts to fail:
crit tmm1[17985]: 01010201:2: Inet port exhaustion on <ip_address> to <ip_address>.
CPU cores are unevenly loaded by the tmm process. Typically odd cores will have a more loaded tmm thread.
Conditions:
BIG-IP system uses the unic, sock, or virtIO drivers.
Impact:
The system reports Inet port exhaustion error messages, and traffic starts to fail.
Where CPU use by the tmm process is very uneven, connections are offloaded at an early stage to less-used tmm threads on quieter cores as the busiest cores approach their maximum. This means the uneven CPU usage itself usually has minimal impact.
Workaround:
None.
Fix:
Disaggregation algorithm has been improved to avoid unequal distribution.
Fixed Versions:
12.1.5.3, 13.1.3.5
720461-2 : qkview prompts for password on chassis
Links to More Info: BT720461
Component: TMOS
Symptoms:
Qkview prompts for a password when executing getnodedates from the chassis module.
Conditions:
SSH auth keys are missing or corrupted.
Impact:
This blocks collecting qkview.
Workaround:
Edit the /usr/bin/getnodedates script and add -oBatchMode=yes to the SSH command, as shown in the following example:
$date = `/usr/bin/ssh -q -oBatchMode=yes -oStrictHostKeyChecking=no $ip /bin/date`;
Fix:
The qkview is no longer blocked with a password prompt.
Fixed Versions:
12.1.4, 13.1.1.2
720460-1 : Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly
Links to More Info: BT720460
Component: Local Traffic Manager
Symptoms:
The sys db compression.strategy is used to control the compression-provider selection. When it is set to 'softwareonly', compression somehow still selects a hardware accelerator.
Conditions:
This always happens when compression.strategy is set to 'softwareonly'.
Impact:
Compression.strategy set to 'softwareonly' does not work, and if there is a problem in a hardware accelerator, compression will still select the hardware accelerator, even though software compression is desired.
Workaround:
There is no workaround.
Fix:
The system now supports software compression when the sys db variable compression.strategy is set to 'softwareonly'.
Fixed Versions:
13.1.1
720440-1 : Radius monitor marks pool members down after 6 seconds
Links to More Info: BT720440
Component: Local Traffic Manager
Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.
Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.
Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.
Workaround:
There is no workaround at this time.
Fix:
The maximum length of time that the radius probe will wait for has been increased from 6 seconds to 30 seconds.
Fixed Versions:
12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.0.5
720391-2 : BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'
Links to More Info: BT720391
Component: TMOS
Symptoms:
BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' and 'unknown' when OID sysObjectID is queried.
Conditions:
1. Execute 'tmsh show sys hardware'.
2. Query for OID sysObjectID using snmpwalk.
Impact:
System is reported as 'none', when it should be i7800-D. Platform with dual SSD not correctly identified using tmsh command or snmpwalk.
Workaround:
None.
Fix:
Added new SNMP OID for BIG-IP i7800 Dual SSD, reported as BIG-IP i7800-D, which is the correct designation.
Fixed Versions:
12.1.3.6, 13.1.1, 14.0.0.3
720293-3 : HTTP2 IPv4 to IPv6 fails
Links to More Info: BT720293
Component: Local Traffic Manager
Symptoms:
An IPv4-formatted virtual server with an IPv6-formatted pool member cannot establish the connection to the pool member if HTTP2 is configured.
Conditions:
-- IPv4 virtual Server.
-- IPv6 pool member.
-- HTTP2 profile.
Impact:
Traffic connection does not establish; no traffic passes.
Workaround:
None.
Fix:
In this release, an IPv4-formatted virtual server with an IPv6-formatted pool member works with HTTP2.
Fixed Versions:
12.1.3.7, 13.1.1.2, 14.0.0.3
720269-2 : TACACS audit logging may append garbage characters to the end of log strings
Links to More Info: BT720269
Component: TMOS
Symptoms:
When using TACACS audit logging, you might see extra 'garbage' characters appended to the end of logging strings.
Conditions:
Using audit forwarding with a remote TACACS server.
Impact:
Confusing log messages. Remote TACACS logging might stop altogether after some time.
Workaround:
There is no workaround at this time.
Fix:
Prevented extra characters from being appended to TACACS audit logs.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.0.1.1
720219 : HSL::log command can fail to pick new pool member if last picked member is 'checking'
Links to More Info: K13109068 , BT720219
Component: Local Traffic Manager
Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.
Conditions:
-- Using HSL::log command.
-- iRule with a remote high speed logging configured.
Impact:
Failure to send log messages via HSL.
Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.
Fix:
This issue no longer occurs. If a 'down' pool member is picked, it will eventually be bypassed to find an 'up' pool member, if possible.
Fixed Versions:
12.1.5, 13.1.3, 14.0.1.1, 14.1.0.2
720214-1 : NTLM Authentication might fail if Strict Update in iApp is modified
Links to More Info: BT720214
Component: Access Policy Manager
Symptoms:
Exchange Proxy NTLM authentication fails when Strict Updates in the iApp is initially disabled and then turned on. NTLM authentication fails with STATUS_NO_LOGON_SERVERS.
Conditions:
The Strict Update option in the iApp is modified.
Impact:
Any service using NTLM authentication will be disrupted.
Workaround:
Restart ECA and NLAD modules to work correctly again. To do so, run the following commands:
bigstart restart nlad
bigstart restart eca
Fix:
NTLM authentication now works as expected when Strict Update in the iApp is modified.
Fixed Versions:
13.1.0.8, 14.0.0
720189-1 : VDI settings in APM Webtop have the incorrect URL for Citrix Receiver client download
Links to More Info: BT720189
Component: Access Policy Manager
Symptoms:
VDI settings have HTML5 package URL instead of Citrix Receiver download link. Hyperlink directs to HTML5 package link.
Conditions:
-- Citrix VDI is configured in Replacement mode.
-- HTML5 package is configured using Citrix client bundle.
-- Citrix HTML5 client bundle is used with Connectivity profile attached to the virtual server.
Impact:
The incorrect package is downloaded to the APM Webtop user.
Workaround:
None.
Fix:
Fixed the hyperlink for Citrix Receiver download in VDI settings of Webtop.
Fixed Versions:
13.1.0.8, 14.0.0
720136-1 : Upgrade may fail on mcpd when external netHSM is used
Links to More Info: BT720136
Component: Local Traffic Manager
Symptoms:
When upgrading from 13.1 to 14.1, there might be a deadlock between mcpd and pkcs11d. 'bigstart status pkcs11d' might return:
pkcs11d down, waiting for mcpd to release running semaphore
Conditions:
Upgrading from 13.1 to 14.1 for BIG-IP with external netHSM enabled.
Impact:
External netHSM is not functional or the whole appliance/blade is not functional.
Workaround:
Try reinstalling external netHSM.
Fix:
The circular dependency between mcpd's validation and pkcs11d has been broken.
Fixed Versions:
13.1.1.4
720110-2 : 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.
Links to More Info: BT720110
Component: TMOS
Symptoms:
Neither learned nor default-originate default routes (0.0.0.0/0) are sent to the BGP peer if the BGP peer has terminated the BGP session with TCP FIN, without the BGP notify message.
Conditions:
-- BGP session is terminated without BGP notify (just TCP FIN).
-- Both learned (not originated in the BIG-IP system) and default-originate (originated in the BIG-IP system) routes are not sent.
Impact:
Default routes are not propagated in the network after the BGP peer restart.
Workaround:
There is no workaround at this time.
Fix:
Default routes are now always sent after a BGP session reset. Behavior is now consistent between BGP session resets with and without a BGP notify message.
Fixed Versions:
12.1.4.1, 13.1.1.4
720104-1 : BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
Links to More Info: BT720104
Component: TMOS
Symptoms:
BIG-IP i2800/i2600 650W AC PSU is missing marketing name under 'show sys hardware' and displays 'unknown' when OID sysObjectID is queried.
Conditions:
-- Execute 'tmsh show sys hardware'.
-- Query for OID sysObjectID using snmpwalk.
-- Using BIG-IP i2800/i2600 platforms.
Impact:
System reports an empty marketing name when queried. Platform with 650W AC PSU not identified using tmsh command or snmpwalk.
Workaround:
There is no workaround at this time.
Fix:
Added new SNMP OID for BIG-IP i2800/i2600 650W AC PSU.
Fixed Versions:
12.1.3.6, 13.1.1, 14.0.0.3
720045-1 : IP fragmented UDP DNS request and response packets dropped as DNS Malformed
Links to More Info: BT720045
Component: Advanced Firewall Manager
Symptoms:
AFM/DHD treats an IP fragmented UDP DNS packet (request or response) as a DNS Malformed packet and drops it.
Conditions:
-- AFM/DHD is enabled (provisioned and licensed).
-- DNS Malformed vector is enabled at Device context (by default, it's always enabled).
-- AFM/DHD receives fragmented IP packet for UDP DNS request or response.
Impact:
AFM/DHD incorrectly treats such packets as DNS malformed and drops them.
If AFM/DHD receives any DNS request/response UDP packet that is fragmented at the IP layer, the system drops the packet, interrupting DNS service between client/servers through BIG-IP systems.
Workaround:
None.
Fix:
This issue is now fixed, as follows:
a) For an IP fragmented UDP DNS request packet, AFM parses the first IP fragment to retrieve the L4 (UDP) header, the DNS header, and the Question section.
- If this information is available in the first IP fragment, AFM processes the packet for further DoS checks.
- If this information is not available in the first IP fragment, AFM drops the fragment as DNS Malformed.
b) For an IP fragmented UDP DNS response packet, AFM parses the first IP fragment to retrieve the L4 (UDP) header, the DNS header, and the Question section.
- If this information is available in the first IP fragment, AFM processes the packet for further DoS checks.
- If this information is not available in the first IP fragment, the default behavior is that AFM allows such a fragmented DNS response packet through. This behavior can be changed to drop incomplete IP fragmented DNS response packets by setting the db variable 'Dos.dns.respfrag.allow' to 'false'.
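The first-fragment decision described above, modelled as an added illustration (not F5's code): it checks whether the fragment's payload carries a complete UDP header, DNS header and Question section, then applies the request/response rule, with a respfrag_allow parameter standing in for the 'Dos.dns.respfrag.allow' db variable. It assumes the payload starts at the UDP header and, when the DNS header is missing, infers direction from the UDP ports.

```python
import struct
from typing import Optional

UDP_HDR_LEN = 8
DNS_HDR_LEN = 12
DNS_PORT = 53


def question_section_complete(dns: bytes, qdcount: int) -> bool:
    """Return True if all qdcount questions fit entirely inside the bytes we have."""
    off = DNS_HDR_LEN
    for _ in range(qdcount):
        # QNAME: length-prefixed labels ending in a 0 byte, or a 2-byte compression pointer
        while True:
            if off >= len(dns):
                return False
            length = dns[off]
            if length == 0:
                off += 1
                break
            if length & 0xC0 == 0xC0:
                off += 2
                if off > len(dns):
                    return False
                break
            off += 1 + length
        off += 4  # QTYPE + QCLASS
        if off > len(dns):
            return False
    return True


def first_fragment_verdict(payload: bytes, respfrag_allow: bool = True) -> str:
    """Decide 'process', 'drop' (DNS Malformed) or 'allow' for a first IP fragment.

    payload is the first fragment's data after the IP header (assumed to begin
    with the UDP header). respfrag_allow mirrors Dos.dns.respfrag.allow (default true).
    """
    if len(payload) < UDP_HDR_LEN:
        return "drop"  # assumption: no complete UDP header is treated as malformed
    sport, dport, _ulen, _csum = struct.unpack("!HHHH", payload[:UDP_HDR_LEN])
    dns = payload[UDP_HDR_LEN:]
    if len(dns) >= DNS_HDR_LEN:
        _txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
        is_response = bool(flags & 0x8000)  # QR bit
        complete = question_section_complete(dns, qdcount)
    else:
        # DNS header not present: fall back to the ports to tell the direction
        is_response = sport == DNS_PORT and dport != DNS_PORT
        complete = False
    if complete:
        return "process"  # hand the packet on to the remaining DoS checks
    if not is_response:
        return "drop"  # incomplete request fragment: DNS Malformed
    return "allow" if respfrag_allow else "drop"


def build_udp_dns(qname: str, response: bool, truncate_to: Optional[int] = None) -> bytes:
    """Constructed sample: a UDP+DNS payload for one A question, optionally cut short."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    flags = 0x8180 if response else 0x0100
    dns = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)
    sport, dport = (DNS_PORT, 40000) if response else (40000, DNS_PORT)
    pkt = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(dns), 0) + dns
    return pkt[:truncate_to] if truncate_to is not None else pkt


if __name__ == "__main__":
    full_req = build_udp_dns("example.com", response=False)
    cut_req = build_udp_dns("example.com", response=False, truncate_to=25)  # name cut mid-label
    cut_resp = build_udp_dns("example.com", response=True, truncate_to=25)
    print("complete request  :", first_fragment_verdict(full_req))
    print("truncated request :", first_fragment_verdict(cut_req))
    print("truncated response:", first_fragment_verdict(cut_resp))
    print("truncated response, respfrag_allow=false:", first_fragment_verdict(cut_resp, False))
```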
Fixed Versions:
13.1.1.2, 14.0.0
719770-2 : tmctl -H -V and -l options without values crashed
Links to More Info: BT719770
Component: TMOS
Symptoms:
When the -H, -V or -l options were passed to tmctl without a following value, then tmctl crashed.
Conditions:
Use one of these options without the required value.
Impact:
Core file. No other impact.
Workaround:
Be sure to pass the required value with these options.
Fix:
The missing value is now reported as an error.
Fixed Versions:
13.1.1.2, 14.0.0.5
719644-2 : If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions
Links to More Info: BT719644
Component: Global Traffic Manager (DNS)
Symptoms:
When an LTM configuration has virtual server names containing a period (.), a GTM configuration with auto-discovery enabled that is upgraded from v11.5.x to a later version might lose consistency.
Conditions:
-- Upgrading GTM from v11.5.x to later versions (e.g., BIG-IP DNS v12.x).
-- Auto-discovery is enabled.
-- LTM configuration containing virtual server names containing the period character (.).
-- The same virtual server name is used in multiple partitions.
Impact:
The configuration after the upgrade might be affected in the following ways:
-- Missing virtual servers.
-- Deletion of some pool members.
-- Virtual servers with incorrect addresses.
Workaround:
There is no workaround at this time.
Fix:
This release supports GTM upgrades from 11.x to BIG-IP DNS 12.x and later versions for cases where:
-- Auto-discovery is enabled.
-- LTM virtual server names contain a period character (.).
-- The same virtual server name is used in multiple partitions.
Fixed Versions:
12.1.3.7, 13.1.1.2, 14.0.0.3
719600-2 : TCP::collect iRule with L7 policy present may result in connection reset
Links to More Info: BT719600
Component: Local Traffic Manager
Symptoms:
If an iRule utilizing TCP::collect and HTTP_REQUEST is on a virtual server with an L7 policy, the policy engine may cause the connection to be unexpectedly reset with a 'policy execution error' reset cause, and 'Unable to resume pending policy event on connflow' will be logged to /var/log/ltm.
Conditions:
TCP::collect and HTTP_REQUEST iRule with L7 policy on virtual server.
Impact:
Connections may be unexpectedly reset and errors logged to /var/log/ltm.
Workaround:
At the start of the HTTP_REQUEST event, issue an 'after 1' command to allow the policy engine to reach a consistent state before proceeding with the remainder of the iRule.
Fixed Versions:
13.1.1.2, 14.0.0.3
719597 : HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0
Links to More Info: BT719597
Component: TMOS
Symptoms:
When two VIPRION chassis with B2250 blades try to form a high availability (HA) connection, with one running v12.1.1 and the other running v13.1.0, HA connections between TMMs on Active and TMMs on Standby might fail.
Conditions:
-- Two VIPRION chassis with B2250 blades.
-- One blade running v12.1.1 and the other running v13.1.0.
-- Try to configure HA connection.
Impact:
Fail to form HA connection.
Workaround:
There is no workaround other than installing the same software on both blades.
Fix:
A new sys db mhdag.bitshift is added to support HA configurations using B2250 blades running v12.1.1 and v13.1.x. Set mhdag.bitshift to 5 on VIPRION chassis with B2250 blades running v13.1.x by running the following command: tmsh modify sys db mhdag.bitshift value 5
HA between VIPRION chassis running v12.1.1 and v13.1.x with B2250 blades now works as expected.
Fixed Versions:
13.1.0.8, 14.0.0.3
719589-3 : GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic
Links to More Info: BT719589
Component: Access Policy Manager
Symptoms:
GUI and CLI category lookup test tool (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup) can return different categories compared to the actual data-plane traffic.
Conditions:
Access Policy, Secure Web Gateway : Database Settings : URL Category Lookup or command line lookup using 'urldb -c' construction.
Impact:
Some websites may be categorized differently depending on whether or not the IP is passed in. Correct category may not be returned.
Workaround:
None.
Fixed Versions:
13.1.3.2, 14.1.2.7
719555 : Interface listed as 'disable' after SFP insertion and enable
Links to More Info: BT719555
Component: TMOS
Symptoms:
If an unpopulated front panel interface is disabled, then an SFP is inserted and the interface re-enabled, TMSH continues to display the interface as 'disabled' in the output of 'tmsh show net interface'.
Conditions:
-- BIG-IP appliance or blade.
-- Unpopulated front panel interface is disabled.
-- SFP inserted and the interface re-enabled.
-- Running the command: tmsh show net interface
Impact:
Output of the command shows the interface is disabled even though it is enabled and fully operational.
Workaround:
This issue is cosmetic; the interface is functional so it may be used.
To correctly identify the enabled/disabled state of the interface, use the following command: tmsh list net interface
Fixed Versions:
13.1.5, 14.1.4, 15.1.1
719459-2 : Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled
Links to More Info: BT719459
Component: Application Security Manager
Symptoms:
Policy builder suggests adding already existing URLs (as HTTPS) learned from response.
Conditions:
-- Differentiate HTTP and HTTPS URLs is disabled.
-- Learn-from response is enabled.
-- Server responses contain HTTPS links for HTTP requests instead of using protocol-relative URLs.
Impact:
This is a cosmetic issue in that incorrect suggestions are created. There is no impact to functionality.
Workaround:
Add the incorrect suggestions to the 'ignore' list.
Fix:
Policy builder no longer creates suggestions to add already existing URLs.
Fixed Versions:
13.1.0.8, 14.0.0.5
719396-1 : DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.
Links to More Info: K34339214 , BT719396
Component: TMOS
Symptoms:
DHCP Client on the BIG-IP system sends host-name 'localhost' in DISCOVER packet after first boot.
Note: The problem goes away after the first boot.
Conditions:
-- DHCP is enabled (this is the default on BIG-IP systems).
-- Initial startup.
Impact:
This can affect the lease given out by the DHCP server in the given network if the DHCP server is configured in such a way as to dynamically update the DNS based on the host-name option in the lease.
Workaround:
-- Empty the /var/lib/dhclient/dhclient.leases file.
-- Run the following command: bigstart restart dhclient
Fix:
DHCP Client on the BIG-IP system no longer sends 'localhost' as the host-name in DISCOVER packet after first boot.
Fixed Versions:
13.1.1, 14.0.0.1
719338-4 : Concurrent management SSH connections are unlimited
Links to More Info: BT719338
Component: TMOS
Symptoms:
There is no limit to the number of concurrent SSH sessions (or concurrently logged-in users) on a BIG-IP system.
Conditions:
Multiple users are logged into the BIG-IP device through SSH at the same time.
Impact:
The system can run out of memory.
Workaround:
None in affected versions. The fix adds settings that limit the number of concurrent SSH sessions.
Fix:
New settings are available for specifying SSH session limits: an overall limit, a per-user limit, and a limit for one specific user.
-- Command: modify sys global-settings ssh-session-limit [enable/disable]
Enables or disables the SSH session-limit feature.
+ When enabled, the feature is functional with default values.
+ By default, the limit is not applied to the admin/root privileged user.
+ The default total session limit for all users is 10 sessions.
-- Command: modify sys global-settings ssh-root-session-limit [enable/disable]
Enables or disables the SSH session limit for the root user.
+ When enabled, the limit also applies to the admin/root privileged user.
+ The total session limit for all users remains 10 sessions.
-- Command: modify sys global-settings ssh-max-session-limit <value>
Specifies the global maximum number of SSH sessions.
+ Replaces the default global limit of 10 with the specified value.
-- Command: modify sys global-settings ssh-max-session-limit-per-user <value>
Specifies the maximum number of SSH sessions for each user.
+ The total number of sessions on the system is still enforced by ssh-max-session-limit.
-- Command: create auth user <username> session-limit <value>
Specifies an SSH session limit for one specific user.
+ Sets the maximum number of sessions for that user.
+ The total number of sessions on the system is still enforced by ssh-max-session-limit.
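The admission rules above (a global cap that always applies, a per-user cap, a per-user override, and a root/admin exemption that can be switched on) are easy to misread when combined. The following Python model is an added illustration of those rules as the release note describes them; it is not F5 code and does not talk to a BIG-IP. It assumes that the session-limit set on an individual auth user takes precedence over ssh-max-session-limit-per-user, and that an exempt privileged user is not counted against any limit; the page does not state either point.

```python
"""Model of the BIG-IP SSH session-limit rules from the note for ID 719338.
Added illustration only: not F5 code, runs offline on constructed input."""

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

DEFAULT_MAX_SESSIONS = 10  # page: default total limit for all users


@dataclass
class SshSessionLimits:
    """One field per tmsh setting named on the page."""
    enabled: bool = False                      # ssh-session-limit
    root_limited: bool = False                 # ssh-root-session-limit
    max_sessions: int = DEFAULT_MAX_SESSIONS   # ssh-max-session-limit
    max_sessions_per_user: Optional[int] = None  # ssh-max-session-limit-per-user
    user_limits: Dict[str, int] = field(default_factory=dict)  # auth user <name> session-limit
    privileged_users: FrozenSet[str] = frozenset({"root", "admin"})


def admit(limits: SshSessionLimits, user: str, active: List[str]) -> Tuple[bool, str]:
    """Decide whether a new SSH login for `user` is admitted.

    `active` lists the user name of every currently open session.
    Returns (admitted, reason).
    """
    if not limits.enabled:
        return True, "limits disabled: pre-fix behaviour, unlimited sessions"
    # Assumption: an exempt privileged user bypasses every check.
    if user in limits.privileged_users and not limits.root_limited:
        return True, "privileged user exempt (ssh-root-session-limit disabled)"
    # The global cap is always enforced, whatever per-user limits say.
    if len(active) >= limits.max_sessions:
        return False, f"global limit of {limits.max_sessions} reached"
    # Assumption: a user-specific session-limit overrides the global per-user value.
    per_user = limits.user_limits.get(user, limits.max_sessions_per_user)
    if per_user is not None and active.count(user) >= per_user:
        return False, f"per-user limit of {per_user} reached for {user}"
    return True, "admitted"


def replay(limits: SshSessionLimits, logins: List[str]) -> List[bool]:
    """Replay a sequence of login attempts and return the admit decision for each."""
    active: List[str] = []
    decisions = []
    for user in logins:
        ok, _ = admit(limits, user, active)
        decisions.append(ok)
        if ok:
            active.append(user)
    return decisions


if __name__ == "__main__":
    # Constructed policy: 3 sessions total, 2 per user, the 'auditor' account only 1.
    policy = SshSessionLimits(enabled=True, max_sessions=3,
                              max_sessions_per_user=2, user_limits={"auditor": 1})
    for user in ["bob", "bob", "bob", "alice", "alice", "root"]:
        print(user, admit(policy, user, ["bob", "bob"]))
```

The order of the checks matters: a per-user limit never lets a user exceed the global cap, and the root exemption is the one setting that lets a login bypass the global cap, which is why ssh-root-session-limit should be enabled on hosts where the root account is reachable over SSH.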
Behavior Change:
The SSH session-limit settings described under Fix are new configuration options; see Fix above.
Fixed Versions:
13.1.4, 14.1.4, 15.1.1
719304-2 : Inconsistent node ICMP monitor operation for IPv6 nodes
Links to More Info: BT719304
Component: Local Traffic Manager
Symptoms:
While running ping from different blades in a multi-blade environment, pings fail from blades that do not have the tmm that is responsible for pinging the node.
Conditions:
The blade that does not contain the owning tmm is responsible for the node monitors.
Impact:
The node will be incorrectly marked as being unavailable/down.
Workaround:
You can use the following workarounds:
-- Statically assign the NDP entries.
-- Set the route to a gateway that has a non-zero host portion in the address.
Fixed Versions:
13.1.3, 14.1.4
719247-2 : HTTP::path and HTTP::query iRule functions cannot be set to a blank string
Links to More Info: K10845686 , BT719247
Component: Local Traffic Manager
Symptoms:
The HTTP::path and HTTP::query iRule functions generate an error if called with an argument that is a blank string, resulting in connection termination.
Conditions:
In an iRule where the argument is a blank string:
HTTP::path ""
HTTP::query ""
Impact:
An error is encountered while executing an iRule statement such as HTTP::query $blank, and the connection is terminated with a log entry similar to the following:
-- err tmm[17219]: 01220001:3: TCL error: /Common/ir_1-4045405141_query <HTTP_REQUEST>
Workaround:
To set HTTP::query to blank, use the following function:
HTTP::uri [HTTP::path]
To set HTTP::path to blank, use the following function:
HTTP::uri [HTTP::query]
Fix:
HTTP::path and HTTP::query iRule functions now accept blank string arguments.
Fixed Versions:
13.1.1.4, 14.0.0.5
719192 : In VPE Agent VMware View Policy shows no properties
Links to More Info: BT719192
Component: Access Policy Manager
Symptoms:
When the VMware View agent is opened in the Visual Policy Editor (VPE), its properties page is empty instead of showing the expected policy options.
Conditions:
Open the VMware View agent of a policy in VPE.
Impact:
Unable to configure VMware view policy from VPE.
Workaround:
Use tmsh to configure VMware View policies.
Fix:
Properties of the VMware View agent are now displayed correctly in the Visual Policy Editor (VPE).
Fixed Versions:
13.1.0.8
719186-2 : Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts
Links to More Info: BT719186
Component: Fraud Protection Services
Symptoms:
Multipart/form-data requests are not supported in FPS. FPS-protected pages that have the enhanced data-manipulation feature enabled may generate a false-positive 'missing strong integrity parameter' alert for multipart/form-data requests.
Conditions:
-- FPS profile attached to a virtual server.
-- Multipart/form-data requests to a URL.
-- Enhanced data-manipulation feature enabled on a protected URL.
Impact:
False-positive 'missing strong integrity parameter' alert.
Workaround:
Use the ANTIFRAUD::disable_alert iRule command to drop the alert. Set the static::drop_alert variable beforehand (for example, by matching the URL and checking that the Content-Type header starts with 'multipart/form-data'), then drop the alert when it is raised:
when ANTIFRAUD_ALERT {
    if { $static::drop_alert eq 1 &&
         [ANTIFRAUD::alert_type] eq "vtoken" &&
         [ANTIFRAUD::alert_component] eq "no_strong_integrity_param" } {
        ANTIFRAUD::disable_alert
        set static::drop_alert 0
    }
}
Fix:
FPS no longer sends automatic-transaction alerts for unsupported requests, so multipart/form-data requests no longer generate false positive 'missing strong integrity parameter' alerts.
Fixed Versions:
13.1.0.8, 14.0.1.1
719149-2 : VDI plugin might hang while processing native RDP connections
Links to More Info: BT719149
Component: Access Policy Manager
Symptoms:
Rarely, during processing of native RDP connections, the VDI plugin might hang, which prevents launch of VDI resources (Native RDP, Citrix, VMware View) from the APM Webtop.
Conditions:
APM Webtop is configured with native RDP resource.
Impact:
VDI resources (Native RDP, Citrix, VMware View) cannot be launched from APM Webtop.
Workaround:
None.
Fix:
Fixed rare VDI plugin hang caused by processing of native RDP connections.
Fixed Versions:
13.1.0.8, 14.0.0
719079-1 : Portal Access: same-origin AJAX request may fail under some conditions.
Links to More Info: BT719079
Component: Access Policy Manager
Symptoms:
Portal Access may reject the response to a same-origin AJAX request if the host name in the request and the host name of the origin page differ only in case.
Conditions:
Same-origin AJAX request with a host name whose case differs from the case of the origin page's host name, for example:
Request page: https://example.com/some/file
Page with URL: https://Example.com/origin/page.html
Impact:
Web application may not work correctly.
Workaround:
Use an iRule to remove the 'F5_origin' parameter from the AJAX requests, for example:
when HTTP_REQUEST {
    if { [HTTP::path] contains "/iNotes/Forms9.nsf/iNotes/Proxy/" and [HTTP::query] contains "F5_origin=" } {
        regsub {F5_origin=[0-9a-f]+&F5CH=I} [HTTP::query] {F5CH=I} query
        HTTP::query $query
    }
}
Fix:
Now Portal Access handles same-origin AJAX requests correctly when host name case differs from the host name of origin page.
Fixed Versions:
13.1.1.4
719005-1 : Login request may arrive corrupted to the backend server after CAPTCHA or CSID mitigation
Links to More Info: BT719005
Component: Application Security Manager
Symptoms:
Login request arrives corrupted (specifically, some of the characters in the payload are changed).
Conditions:
-- A brute force CAPTCHA or CSID mitigation happens.
-- Specific traffic conditions.
Impact:
Login request fails.
Workaround:
None.
Fix:
CAPTCHA or CSID request-handling now works as expected.
Fixed Versions:
13.1.0.8, 14.0.0.5
718885-3 : Under certain conditions, monitor probes may not be sent at the configured interval
Links to More Info: K25348242 , BT718885
Component: Global Traffic Manager (DNS)
Symptoms:
When sufficient resources are configured with the same monitor interval, and the monitor timeout value is no more than two times the monitor interval, the monitored resource may be marked as unavailable (due to a timeout) then immediately changed to available.
Conditions:
Monitor interval is lower than the number of resources configured with the same monitor interval.
Impact:
Monitor probes are not consistently performed at the configured interval.
Workaround:
Set the monitor interval to a value greater than the number of resources monitored using that same interval value.
The key to this workaround is to ensure that the number of resources monitored at a given interval does not exceed that interval (in seconds). That can be accomplished several ways depending on your configuration and requirements.
For example, if the monitoring interval is 30 seconds and there are 40 different monitors with a 30-second interval and each monitor is assigned to exactly one resource, there are at least two options:
-- Change the interval for 10 of the monitors to a different value.
-- Set the monitor interval to 40.
Note: If you change the monitor interval, make sure to also change the timeout value to follow best practices:
timeout value = (3 x interval) + 1.
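A quick way to audit a configuration against the two rules in this workaround (resources per interval must not exceed the interval, and timeout should be 3 x interval + 1) is to group the monitored resources by interval and report the intervals that violate either rule. The Python below is an added example for this page, not F5 tooling; the assignment list it checks is constructed to reproduce the 40-monitors-at-30-seconds case from the text, and in practice you would fill it from your own tmsh list output.

```python
"""Audit monitor interval/timeout settings against the rules in the
workaround for ID 718885. Added example, not F5 code; input is constructed."""

from collections import defaultdict
from typing import Dict, List, Tuple

Assignment = Tuple[str, str, int, int]  # (resource, monitor, interval_s, timeout_s)


def recommended_timeout(interval: int) -> int:
    """F5 best practice quoted on the page: timeout = (3 x interval) + 1."""
    return 3 * interval + 1


def check_monitor_intervals(assignments: List[Assignment]) -> Dict[int, dict]:
    """Group resources by monitor interval and flag the two problems:
    - 'overloaded': more resources share the interval than the interval has seconds
      (the trigger condition on the page);
    - 'short_timeouts': resources whose timeout is below the recommended value."""
    by_interval: Dict[int, List[Tuple[str, str, int]]] = defaultdict(list)
    for resource, monitor, interval, timeout in assignments:
        by_interval[interval].append((resource, monitor, timeout))

    report: Dict[int, dict] = {}
    for interval, items in sorted(by_interval.items()):
        count = len(items)
        # Smallest interval that clears the condition without moving any resource.
        safe_interval = max(interval, count)
        report[interval] = {
            "resources": count,
            "overloaded": count > interval,
            "min_interval": safe_interval,
            "recommended_timeout": recommended_timeout(safe_interval),
            "short_timeouts": sorted(r for r, _, t in items
                                     if t < recommended_timeout(interval)),
        }
    return report


# Constructed sample: 40 resources at a 30 s interval (the case from the page)
# plus two DNS resources at 10 s, one of them with a too-short timeout.
SAMPLE_ASSIGNMENTS: List[Assignment] = [
    (f"web-{i:02d}", f"mon-http-{i:02d}", 30, 91) for i in range(1, 41)
] + [("dns-01", "mon-dns", 10, 31), ("dns-02", "mon-dns", 10, 15)]


if __name__ == "__main__":
    for interval, finding in check_monitor_intervals(SAMPLE_ASSIGNMENTS).items():
        print(interval, finding)
```

For the 30-second group the report says the interval must be raised to at least 40 (with timeout 121) or ten resources moved to another interval, which are exactly the two options listed above; the 10-second group is within limits but dns-02's 15-second timeout is below the recommended 31 seconds.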
Fix:
Monitoring is now consistently performed at the configured interval regardless of the number of resources with the same monitor interval.
Fixed Versions:
12.1.3.7, 13.1.1.2, 14.0.0
718817-2 : Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.
Links to More Info: BT718817
Component: TMOS
Symptoms:
Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest fails due to a race condition.
There are log entries in /var/log/liveinstall.log:
-- error: status 256 returned by command: F5_INSTALL_SESSION_TYPE=install tmsh -f save sys ucs /var/tmp/kRf24pKXTQ.ucs.
-- info: tar: config/.ucs_base_mac: Cannot stat: No such file or directory.
-- info: Unexpected Error: UCS saving process failed.
Conditions:
-- Installing onto secondary VIPRION blade or onto VIPRION-based vCMP guest.
Impact:
Software installation fails.
Workaround:
You can use either workaround:
-- Add 'ignore .ucs_base_mac' to the 'monitor dir /config' stanza in /etc/csyncd.conf on all blades, and then restart csyncd on all blades by running "clsh bigstart restart csyncd"
-- Retry the installation until it succeeds.
Fixed Versions:
13.1.1.4, 14.0.0.3
718772-2 : The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists)
Links to More Info: BT718772
Component: Anomaly Detection Services
Symptoms:
The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists).
Conditions:
Attack traffic that contains a header unknown to the system, for example 'Upgrade-Insecure-Requests: 1'.
Impact:
In the GUI, when the signature with the predicate 'unknown_header' is edited, this predicate is empty (instead of exists / does not exist).
Workaround:
There is no workaround.
Fix:
The generated signature now uses the 'http.unknown_header_exists' predicate instead of 'http.unknown_header'. The old 'http.unknown_header' format is still supported.
Fixed Versions:
13.1.0.8, 14.0.0.5
718685-1 : The measured number of pending requests is two times higher than actual one
Links to More Info: BT718685
Component: Anomaly Detection Services
Symptoms:
The measured number of pending requests is two times higher than actual.
Conditions:
Virtual server configured with a Behavioral DoS profile.
Impact:
The server stress mechanism is more sensitive than intended: a temporary traffic spike can trigger unnecessary DoS mitigation.
Note: The admd process provides stress-based DoS detection and mitigation control. When admd is not running, there is no stress-based anomaly detection or behavioral statistics aggregation.
Workaround:
Modify the adm.health.sensitivity value.
For example, to change health sensitivity from 50 to 500, run the following command:
tmsh modify sys db adm.health.sensitivity value 500
Fix:
Fixed initial adm flow sampling, so that the measured number of pending requests now equals actual.
Fixed Versions:
13.1.0.8
718655 : DNS profile measurement unit name is incorrect.
Links to More Info: BT718655
Component: Application Visibility and Reporting
Symptoms:
DNS profile statistics are labeled incorrectly, so the values appear wrong.
Conditions:
DNS profile statistics are collected and reported using the following command:
tmsh show analytics dns-profile report view-by vs-name/name measures { measures-list}
Impact:
Unexpected values are reported. The values themselves are correct, but the metric label is misleading: the reported values are not totals but the average per second over the data range. For example, when the collected data range is 600 seconds and averages 10 requests per second, the system reports the following values:
/Common/test-dns | 10.00
_listener | 0.00
A more accurate label for each metric is 'average_<metric_name>', as follows:
average_per_second_/Common/test-dns | 10.00
average_per_second__listener | 0.00
Workaround:
None.
Fix:
In this release, the values for DNS profile statistics are more accurately labeled.
Fixed Versions:
13.1.1.5
718525-1 : PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting
Links to More Info: BT718525
Component: TMOS
Symptoms:
After removing the mcpd binary database and restarting, occasionally there are errors similar to the following in /var/log/ltm:
warning postgres[7663]: [3-1] ERROR: duplicate key value violates unique constraint "vlan_pkey"
(The object type may be something other than 'vlan_pkey'.)
Conditions:
This occurs when you remove the mcpd binary database and reboot the system.
Impact:
The configuration does not load until 'bigstart restart' is executed.
Workaround:
None.
Fix:
The 'duplicate key value' errors are no longer seen when removing the mcpd binary database and restarting.
Fixed Versions:
13.1.1.2, 14.0.0.3
718405-1 : RSA signature PAYLOAD_AUTH mismatch with certificates
Links to More Info: BT718405
Component: TMOS
Symptoms:
IPsec IKEv2 negotiation with other vendors may fail to establish tunnels when certificate authentication is configured, using either RSA signature or DSS.
The value of PAYLOAD_AUTH does not match when the BIG-IP system compares it with what the remote peer sends. The same certificate works when the BIG-IP system is the initiator, but not when another vendor is the initiator.
Conditions:
Interoperating with other vendors under IKEv2 while using certificates.
Impact:
IKEv2 tunnels fail to establish, failing the second IKE_AUTH exchange in the protocol.
Workaround:
Use pre-shared key authentication.
Fix:
BIG-IP systems now correctly build -- and verify -- AUTH payloads for RSA signatures and DSS, which should match other vendors and succeed, resulting in IKEv2 tunnels being created using certificates.
The DSS signature is no longer DER encoded, and the RSA signature now includes the 15-byte DER prefix (mandated by RFC3447, page 42) before the 20-byte SHA1 digest is signed by RSA.
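The 15-byte DER prefix mentioned in the fix is the DigestInfo header from RFC 3447 section 9.2: a signature over the bare 20-byte SHA-1 hash is a different value from a signature over DigestInfo, so a conforming peer that rebuilds DigestInfo itself will never match the pre-fix AUTH payload. The Python below is an added illustration of that encoding step, not F5 code and not the BIG-IP IKEv2 implementation; it builds the EMSA-PKCS1-v1_5 encoded message that the RSA operation signs, in both the prefix-less form the page describes as the bug and the conforming form, and shows how a conforming verifier treats each. It stops before the RSA operation itself, and it assumes (the page does not say) that the pre-fix encoding differed only by the missing prefix.

```python
"""EMSA-PKCS1-v1_5 encoding with and without the SHA-1 DigestInfo prefix
(RFC 3447 9.2), illustrating the mismatch fixed under ID 718405.
Added example: not F5 code. The sample message is constructed."""

import hashlib

# DER encoding of DigestInfo for SHA-1 minus the 20 digest bytes, from RFC 3447 9.2:
#   SEQUENCE { SEQUENCE { OID 1.3.14.3.2.26, NULL }, OCTET STRING (20 bytes) }
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def digest_info_sha1(message: bytes) -> bytes:
    """T = DigestInfo prefix || SHA-1(message): 35 bytes."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()


def emsa_pkcs1_v1_5_encode(t: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T, with PS all 0xff and at least 8 bytes."""
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def auth_input_pre_fix(message: bytes, em_len: int) -> bytes:
    """Behaviour the page describes as the bug: the bare SHA-1 digest is encoded and signed."""
    return emsa_pkcs1_v1_5_encode(hashlib.sha1(message).digest(), em_len)


def auth_input_fixed(message: bytes, em_len: int) -> bytes:
    """Conforming behaviour: DigestInfo (prefix + digest) is encoded and signed."""
    return emsa_pkcs1_v1_5_encode(digest_info_sha1(message), em_len)


def extract_t(em: bytes) -> bytes:
    """Strip the 00 01 ff..ff 00 padding and return T, as a verifier does."""
    if em[:2] != b"\x00\x01":
        raise ValueError("bad EMSA header")
    sep = em.index(b"\x00", 2)          # first 0x00 after the header ends PS
    if sep - 2 < 8:
        raise ValueError("padding string too short")
    return em[sep + 1:]


def peer_accepts(em: bytes, message: bytes) -> bool:
    """A conforming peer recomputes DigestInfo and compares it with T byte for byte."""
    try:
        return extract_t(em) == digest_info_sha1(message)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed stand-in for the IKEv2 signed octets; a 2048-bit modulus gives em_len 256.
    signed_octets = b"IKEv2 InitiatorSignedOctets (constructed sample)"
    for name, em in (("pre-fix", auth_input_pre_fix(signed_octets, 256)),
                     ("fixed", auth_input_fixed(signed_octets, 256))):
        print(f"{name}: T is {len(extract_t(em))} bytes, peer accepts = {peer_accepts(em, signed_octets)}")
```

Because the padded value is what the private key operates on, the two forms yield unrelated signatures, which matches the symptom above: each side verifies its own style happily, and only cross-vendor negotiation exposes the difference.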
Fixed Versions:
13.1.1.4, 14.1.0.6
718397-1 : IKEv2: racoon2 appends spurious trailing null byte to ID payloads
Links to More Info: BT718397
Component: TMOS
Symptoms:
IPsec clients implementing RFC5996 correctly cannot interoperate with the BIG-IP system when the peers-id-type is anything other than address, because racoon2 inside BIG-IP appends a null byte to any string-based ID type (for both peers_id and my_id). This makes the IKE_AUTH exchange fail, usually because the ID_I from the initiator cannot match the peers-id-value in config for that ike-peer, because there is a one-byte difference between the compared strings.
Conditions:
When any non-BIG-IP client initiates an IKE negotiation using any id-type that is not IPv4 or IPv6. In particular, fqdn and asn1dn for peers-id-type in local BIG-IP configurations.
Impact:
IKE negotiation fails during the second IKE_AUTH exchange of messages, preventing any tunnel from being established. Outage with a non-BIG-IP client is permanent until the config is changed to use peers-id-type=address.
Workaround:
Use peers-id-type=address to interoperate with non-BIG-IP clients for IPsec.
Fix:
Because RFC5996 forbids trailing null bytes in ID payloads, the BIG-IP software was actually not compliant with the RFC by encoding payloads this way itself. It only worked because both initiator and responder did the same thing. Now the BIG-IP software does not add the extra trailing null byte into ID payloads and local ID values, so the BIG-IP system can accept IKE_AUTH messages from non-BIG-IP clients.
Note: This fix creates an incompatibility with previous BIG-IP versions when peers-id-type is any type other than address.
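The one-byte mismatch in this note is easy to reproduce from the RFC 5996 section 3.5 Identification payload layout (generic payload header, ID type, three reserved bytes, then the identification data with no terminator). The following Python is an added illustration, not F5 or racoon2 code: it encodes an ID payload both as a conforming peer does and with the spurious trailing null byte, and compares each against a configured peers-id-value the way a responder would. It assumes that only non-address ID types received the extra byte, which is what the symptoms describe.

```python
"""IKEv2 Identification payload (RFC 5996 3.5) with and without the trailing
null byte described under ID 718397. Added example, not F5 code."""

import ipaddress
import struct

ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR, ID_DER_ASN1_DN, ID_KEY_ID = 1, 2, 3, 5, 9, 11
ADDRESS_TYPES = {ID_IPV4_ADDR, ID_IPV6_ADDR}
# Generic header (next payload, critical+reserved, length) then ID type and 3 reserved bytes.
HEADER = struct.Struct("!BBHB3x")


def id_data(id_type: int, value) -> bytes:
    """Identification Data for a configured ID value: packed address or raw string bytes."""
    if id_type in ADDRESS_TYPES:
        return ipaddress.ip_address(value).packed
    return value if isinstance(value, bytes) else value.encode("ascii")


def encode_id_payload(id_type: int, value, next_payload: int = 0,
                      bug_trailing_nul: bool = False) -> bytes:
    """Build an IDi/IDr payload. bug_trailing_nul reproduces the pre-fix BIG-IP encoding,
    which (per the page) appended 0x00 to string-based ID types only."""
    data = id_data(id_type, value)
    if bug_trailing_nul and id_type not in ADDRESS_TYPES:
        data += b"\x00"
    return HEADER.pack(next_payload, 0, HEADER.size + len(data), id_type) + data


def decode_id_payload(buf: bytes):
    next_payload, _flags, length, id_type = HEADER.unpack_from(buf)
    if length != len(buf) or length < HEADER.size:
        raise ValueError("bad payload length")
    return id_type, bytes(buf[HEADER.size:])


def id_matches(payload: bytes, configured_type: int, configured_value,
               bug_trailing_nul: bool = False) -> bool:
    """Responder check of a received ID against peers-id-type/peers-id-value.
    With bug_trailing_nul the responder's own local encoding carries the extra byte,
    which is why two pre-fix BIG-IP systems still agreed with each other."""
    id_type, data = decode_id_payload(payload)
    if id_type != configured_type:
        return False
    expected = id_data(configured_type, configured_value)
    if bug_trailing_nul and configured_type not in ADDRESS_TYPES:
        expected += b"\x00"
    return data == expected


if __name__ == "__main__":
    fqdn = "vpn.example.com"  # constructed peers-id-value
    conforming = encode_id_payload(ID_FQDN, fqdn)
    pre_fix = encode_id_payload(ID_FQDN, fqdn, bug_trailing_nul=True)
    print("lengths:", len(conforming), len(pre_fix))
    print("fixed responder accepts conforming client:", id_matches(conforming, ID_FQDN, fqdn))
    print("fixed responder accepts pre-fix peer:", id_matches(pre_fix, ID_FQDN, fqdn))
    print("pre-fix responder accepts conforming client:", id_matches(conforming, ID_FQDN, fqdn, bug_trailing_nul=True))
```

The two address-type checks pass in every combination, which matches the workaround: peers-id-type=address was the only setting on which pre-fix and conforming implementations agreed.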
Fixed Versions:
13.1.1.4, 14.0.0.5
718210-2 : Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused
Links to More Info: BT718210
Component: Local Traffic Manager
Symptoms:
In very rare circumstances, a connection that uses a virtual server targeting another virtual server, together with time-wait recycle, can be improperly reused.
Conditions:
Virtual server targeting virtual server (usually occurs in an iRule) with time-wait recycle being used on the virtual server's TCP profile.
Note: This is the default value, so any virtual servers defined internally are using it.
Impact:
A connection might be reused even though it is a new one. TMM can crash and restart. Traffic disrupted while tmm restarts.
Note: This is an extremely rare issue.
Workaround:
None.
Fix:
This issue has been fixed.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.0.0.5
718152 : ASM GUI request log does not load on cluster
Links to More Info: K14591455 , BT718152
Component: Application Security Manager
Symptoms:
The ASM Request Log fails to load, and it keeps reading 'Loading Requests Log...'.
'Security :: Event Logs :: Application :: Requests'.
Conditions:
-- Any cluster device (vCMP or not), even if there is a single blade in use.
-- Running BIG-IP v13.1.0.4, v13.1.0.5, v13.1.0.6, or v13.1.0.7. (Other releases are not affected.)
Impact:
Cannot view the Request Log in the GUI.
Workaround:
None
Fix:
The ASM request log can now be loaded correctly on cluster devices.
Fixed Versions:
13.1.0.8
718136-2 : 32-bit F5 VPN and Endpoint Inspector apps are discontinued on Linux
Links to More Info: BT718136
Component: Access Policy Manager
Symptoms:
32-bit F5 VPN and Endpoint Inspector apps are not available for new installation or update on Linux.
Conditions:
Use a browser (Mozilla Firefox or Google Chrome) to establish network access (VPN) for 32-bit F5 VPN and Endpoint Inspector apps.
Impact:
APM end user cannot establish network access (VPN) on 32-bit Linux using a browser. APM does not offer 32-bit F5 VPN and Endpoint Inspector apps for installations or update.
Workaround:
Use 32-bit CLI VPN client.
Fix:
Because of increased size, low usage, and industry trends, F5 has discontinued support of the desktop Linux 32-bit VPN and Endpoint Inspection apps.
Fixed Versions:
13.1.1.4, 14.0.0
718071-1 : HTTP2 with ASM policy not passing traffic
Links to More Info: BT718071
Component: Local Traffic Manager
Symptoms:
HTTP/2 traffic does not pass if an ASM policy is applied.
Conditions:
-- HTTP2 virtual server.
-- ASM policy applied.
Impact:
Traffic does not pass.
Workaround:
No workaround.
Fix:
HTTP2 and ASM now work correctly together.
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0
717909 : tmm can abort on sPVA flush if the HSB flush does not succeed
Links to More Info: BT717909
Component: Advanced Firewall Manager
Symptoms:
When the BIG-IP system comes up, or when tmm/dwbld/iprepd restarts, tmm flushes the sPVA. If the flush does not succeed, tmm can wait for 10 seconds, which can cause it to abort (crash) due to heartbeat failure.
Conditions:
-- BIG-IP system comes up, or tmm/dwbld/iprepd restart.
-- HSB flush does not succeed within ~3 seconds (it is supposed to succeed within ~3 seconds unless something is wrong with the HSB).
Impact:
tmm will have to be restarted. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
The system now checks asynchronously whether the sPVA flush has succeeded, so tmm no longer blocks waiting for it.
Fixed Versions:
13.1.1, 14.0.0
717896-2 : Monitor instances deleted in peer unit after sync
Links to More Info: BT717896
Component: Local Traffic Manager
Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.
During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.
Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.
Impact:
After incremental-sync, the node on the 'backup' unit in an HA configuration has a single monitor instance rather than the several monitor instances that exist for that node on the 'active' unit; that node's session is 'enabled' (where the from-node was 'disabled'); and its status may be 'up' (where the from-node was 'user-down') and later transition to 'down' from a monitor failure.
Thus, after incremental-sync, the target-node may then be 'down', while the active unit in the HA configuration continues to function as expected.
Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.
Fix:
An incremental-sync from a modified-node that was set to 'user-down' successfully replicates the several monitor instances on that node to the target-node on the backup device in an HA configuration.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
717832 : Remove unneeded files from UCS backup directories
Links to More Info: BT717832
Component: TMOS
Symptoms:
When using auto scale cloud formation templates, the system creates large bigip.ucs files that require additional storage space.
Conditions:
Deploy BIG-IP as part of auto scale cloud formation template (CFT).
Impact:
Large bigip.ucs file created requires additional storage space and might increase network traffic. (Size greater than 100 MB.)
Workaround:
Delete /config/cloud/* directories from the bigip.ucs file.
Fix:
The system no longer saves the /config/cloud/ directories in UCS files, so the issue no longer occurs.
Fixed Versions:
13.1.1
717806-4 : In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured
Links to More Info: BT717806
Component: Local Traffic Manager
Symptoms:
Load average peaks are observed when a high number of monitors (>= 200) are configured across 'n' bigd instances.
Conditions:
A high number of monitors is configured across 'n' bigd instances; CPU load peaks appear and disappear periodically.
Impact:
No performance impact
Workaround:
None
Fixed Versions:
13.1.5
717785-1 : Interface-cos shows no egress stats for CoS configurations
Links to More Info: BT717785
Component: TMOS
Symptoms:
No egress packet counts per CoS queue are reported on B21x0 and 5x00/7x00 platforms. The issue affects the egress packet statistics reporting per CoS queue only. The operation of the CoS feature is not affected and the egress packets statistics reporting per external interface is also not affected.
Conditions:
-- A valid hardware CoS configuration with 8 queues is enabled and passing traffic.
-- BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.
-- Running the show net interface-cos command.
Impact:
Egress packet statistics reported per CoS queue shows no counts.
Workaround:
None.
Fix:
This release supports per egress CoS queue packet count statistics reporting for BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.
Fixed Versions:
13.1.1.2
717756-2 : High CPU usage from asm_config_server
Links to More Info: BT717756
Component: Application Security Manager
Symptoms:
Use of Automatic policy builder might result in high CPU usage of asm_config_server (and ASM slowdown).
Conditions:
- Automatic policy builder.
- Several entity types are set to learn with the 'Add All Entities' setting.
Impact:
ASM availability impacted.
Workaround:
-- Switch to Manual policy builder.
-- Set entity types learning to compact / selective / never.
Fix:
Policy builder no longer puts unnecessary load on ASM configurations.
Fixed Versions:
13.1.0.8, 14.0.0
717654-2 : TMM may crash when flooded to the Virtual Servers with SSL Forward Proxy
Links to More Info: BT717654
Component: SSL Orchestrator
Symptoms:
TMM may crash when SSL traffic is flooded to a virtual server that has SSL Forward Proxy enabled. It may happen when connections are suddenly aborted when the handshake is in progress.
Conditions:
-- TLS virtual server with SSL forward proxy enabled
-- The virtual server passes network traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed the TMM crash when virtual server has SSL Forward Proxy enabled and connections are aborted before handshake is completed.
Fixed Versions:
13.1.1.5, 14.0.0
717525-1 : Behavior for classification in manual learning mode
Links to More Info: BT717525
Component: Application Security Manager
Symptoms:
- Extractions are added to parameters in manual learning mode.
- In manual learning mode, URL classification is not ended properly on 'fallback to default', resulting in repeated audit-log attempts to end URL classification.
- In manual learning mode, parameter staging is set to true on 'fallback to default'.
- The system writes errors to pabnagd.log.
Conditions:
- Manual learning mode.
- Classification is on for either parameters or URLs.
- Any option of 'Learn Dynamic Parameters' is turned on (even if checkbox is disabled).
Impact:
- URL content types are not enforced in manual mode.
- Parameters are getting staged automatically in manual mode.
- Parameters are classified as dynamic (value type).
- Extractions are added to dynamic parameters
Workaround:
- Update the URLs manually (any update will take them out of classification).
- Manually unstage parameters with 'fallback to default'.
- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').
Fix:
- URLs end classification successfully on 'fallback to default' in manual mode.
- Parameters staging is not changed on 'fallback to default' in manual mode.
- Parameters are not classified as dynamic in manual mode.
- Extractions are not added to dynamic parameters in manual mode.
- No errors in pabnagd.log.
Fixed Versions:
13.1.1.5, 14.0.0.5
717346-2 : [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
Links to More Info: K13040347 , BT717346
Component: Local Traffic Manager
Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.
Conditions:
This occurs rarely; an unstable network may be one cause.
Impact:
Cannot use stats for troubleshooting.
Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket
Fixed Versions:
13.1.1.2, 14.0.0.3, 16.0.1.1
717113-2 : It is possible to add the same GSLB Pool monitor multiple times
Links to More Info: BT717113
Component: Global Traffic Manager (DNS)
Symptoms:
After adding a monitor in the Web GUI and updating, the monitor does not get removed from the Available list and can be added again.
Conditions:
This issue affects the GSLB Pool create and properties pages.
Impact:
The impact is only for those adding the monitor. No extra system resources are used when adding multiple identical monitors to a pool.
Workaround:
None.
Fix:
Once a monitor is added via the Web GUI, that monitor is now removed from the Available list.
Fixed Versions:
13.1.1.4
717100-3 : FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
Links to More Info: BT717100
Component: Local Traffic Manager
Symptoms:
FQDN ephemeral pool members and corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.
The missing FQDN ephemeral pool members may be created an hour after initial operations.
Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.
Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members, and any virtual servers using that pool to fail to pass traffic.
Workaround:
The following steps, alone or in combination, may help avoid this issue:
1. Avoid rapid creation of multiple FQDN template pool members (such as by creating multiple in a single tmsh CLI transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.
Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.
In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).
Fix:
Ephemeral pool members are now created for each pool under these conditions.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
716952-2 : With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process complete.
Links to More Info: BT716952
Component: Local Traffic Manager
Symptoms:
When TCP Nagle is enabled, data sent from the server is handled by the SSL filter, which offloads data processing. The SSL filter forwards the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message to the TCP4 filter before the last offloaded packet has finished processing; because Nagle is enabled, that last packet is left 'stuck' in the TCP4 filter.
Conditions:
-- Nagle is enabled.
-- SSL filter is in the chain.
Impact:
The last data packet waits until all other packets have been ACKed.
Workaround:
None.
Fix:
SSL filter now holds the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message if an offloaded data packet is still in progress.
Fixed Versions:
13.1.3.2
716940-2 : Traffic Learning screen graphs shows data for the last day only
Links to More Info: BT716940
Component: Application Security Manager
Symptoms:
Traffic Learning screen graphs shows data for the last day only.
Conditions:
Visit the Traffic Learning screen 1 hour after policy creation.
Impact:
Statistics shown are for the last day. No statistics for longer or for shorter periods of time.
Workaround:
There is no workaround.
Fix:
Statistics are now shown for the correct time interval, going back at most 2 weeks or to the policy creation date, whichever is more recent. Possible statistics intervals are 1 hour, 1 day, and 2 weeks.
Fixed Versions:
13.1.0.8, 14.0.0.5
716922-2 : Reduction in PUSH flags when Nagle Enabled
Links to More Info: BT716922
Component: Local Traffic Manager
Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.
Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.
Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.
Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.
Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.
Note: To take advantage of some of the Nagle benefits, use 'Auto'.
Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.
Fixed Versions:
11.5.7, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3
716788-2 : TMM may crash while response modifications are being performed within DoSL7 filter
Links to More Info: BT716788
Component: Application Security Manager
Symptoms:
TMM might crash when a response is modified by the DoSL7 filter while injecting an HTML response from a backend server.
Conditions:
-- ASM provisioned.
-- DoS application profile is attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts, failover may occur.
Workaround:
There is no workaround other than to remove the DoS application profile from the virtual server.
Fix:
Response modification handler has been modified so that this issue no longer occurs.
Fixed Versions:
12.1.3.7, 13.1.0.8, 14.0.0.5
716782-2 : AVR should add new field to the events it sends: Microtimestamp
Links to More Info: BT716782
Component: Application Visibility and Reporting
Symptoms:
When AVR sends events to off-box devices, the timestamp it uses has only one-second resolution.
Conditions:
Viewing AVR events in external logs.
Impact:
Event timestamps are limited to one-second resolution.
Workaround:
None.
Fix:
This release adds a Microtimestamp field for AVR events (external log only).
Fixed Versions:
13.1.1.4, 14.0.0
716747-2 : TMM may crash while processing APM or SWG traffic
Component: Access Policy Manager
Symptoms:
Under certain circumstances, TMM may crash when processing APM or SWG traffic.
There will be a log message in /var/log/apm near the time of crash with this:
err tmm[20598]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_initiate_swgt_policy_done, Line: 17000.
Conditions:
APM or SWG enabled.
Impact:
TMM crash, leading to a failover event.
Workaround:
There is no workaround at this time.
Fix:
TMM now processes APM and SWG traffic as expected.
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0
716746 : Possible tmm restart when disabling single endpoint vector while attack is ongoing
Links to More Info: BT716746
Component: Advanced Firewall Manager
Symptoms:
tmm restarts.
Conditions:
-- AFM DoS single endpoint (sweep or flood) vector is configured.
-- The attack is ongoing.
-- The attack vector is being mitigated in hardware (HW).
-- The vector is manually disabled.
Impact:
tmm can crash and restart. Traffic disrupted while tmm restarts.
Workaround:
If you do not want to mitigate, set the mitigation_threshold to infinite.
Note: Do not disable the single endpoint vectors when an attack is ongoing and the vector is being mitigated in HW.
Fix:
tmm no longer restarts when disabling single endpoint vector while an attack is ongoing.
Fixed Versions:
13.1.0.7, 14.1.4.2, 15.1.3, 16.0.1.2
716716-2 : Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
Links to More Info: BT716716
Component: Local Traffic Manager
Symptoms:
TMM cores when the system has a kernel route configured, but no matching TMM route.
Conditions:
The scenario that can lead to this state is unknown.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
Either remove the kernel route, or add a matching TMM route.
Fix:
This release prevents the core that occurred when the kernel has a route that has no corresponding TMM route.
Fixed Versions:
12.1.4.1, 13.1.1.4, 14.0.0.3
716714-1 : OCSP should be configured to avoid TMM crash.
Links to More Info: BT716714
Component: Local Traffic Manager
Symptoms:
TMM generates a core if OCSP is not configured in the SSL profile.
Conditions:
OCSP not configured in the SSL profile.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than configuring OCSP in SSL profiles.
Fix:
In this release, TMM skips processing OCSP if it is not enabled.
Fixed Versions:
13.1.1.4, 14.0.1.1, 14.1.0.2
716469 : OpenSSL 1.0.1l fails with 512 bit DSA keys
Links to More Info: BT716469
Component: TMOS
Symptoms:
In certain cases with FIPS enabled, the system fails to boot because OpenSSL attempts to use 512-bit DSA keys.
Conditions:
The BIG-IP system is booting with FIPS enabled.
Impact:
BIG-IP failed to boot.
Workaround:
There is no workaround at this time.
Fix:
Boot will no longer fail with OpenSSL and 512 bit DSA keys.
Fixed Versions:
13.1.1
716392-1 : Support for 24 vCMP guests on a single 4450 blade
Links to More Info: BT716392
Component: TMOS
Symptoms:
Cannot create more than 12 vCMP guests per blade.
Conditions:
-- Using vCMP.
-- VIPRION blades.
Impact:
Cannot configure more than 12 vCMP guests.
Workaround:
None.
Fix:
This release supports 24 vCMP guests on 4450 blades. Increased vCMP density ensures that all guests can access the hardware capabilities available from the BIG-IP platforms and VIPRION blades.
Behavior Change:
This release supports 24 vCMP guests on VIPRION 4450 blades. Increased vCMP density ensures that all guests can access the hardware capabilities available from BIG-IP platforms and VIPRION blades.
Fixed Versions:
13.1.0.7, 14.0.0.2
716391-2 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation
Links to More Info: K76031538 , BT716391
Component: TMOS
Symptoms:
A vCMP guest with only 2 cores (or 2 cores per blade for multi-blade guests) may experience control plane process starvation; if sod itself is starved of CPU, this can cause a failover.
Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores (or 2 cores per blade for multi-blade vCMP guests).
-- A module that uses MySQL is provisioned, for example BIG-IP ASM or BIG-IP Analytics (AVR). Note that the following modules implicitly provision AVR: ASM, AFM, DoS, APM, PEM, and vCMP.
Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.
Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.
Fixed Versions:
11.5.9, 11.6.4, 12.1.3.7, 13.1.1.2, 14.0.0.5
716318-2 : Engine/Signatures automatic update check may fail to find/download the latest update
Links to More Info: BT716318
Component: Fraud Protection Services
Symptoms:
Engine/Signatures automatic update check may fail to find/download the latest update if the timestamp of the factory update file is later than the timestamp of the update file in downloads.f5.com.
Note: This issue is relevant only for engineering hotfixes.
Conditions:
This occurs when the following conditions are met:
-- Engineering hotfix.
-- The factory update file timestamp is later than the timestamp of the update file in downloads.f5.com.
Impact:
Automatic update check will detect the wrong update file.
Workaround:
Manually check, and then download and install the update file from downloads.f5.com, if needed.
Fix:
The factory update file timestamp is now set to 0, unless there is a reason to install the factory file over the current update file in downloads.f5.com.
Fixed Versions:
12.1.3.7, 13.1.0.8, 14.0.0.5
716213-1 : BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
Links to More Info: BT716213
Component: Local Traffic Manager
Symptoms:
When APM connects to Active Directory Federation Services (ADFS), a blank page is observed. The log file /var/log/ltm shows a TCP reset issued by the BIG-IP system. A TCP capture shows that the reset is caused by an out-of-bounds error raised when the traffic is parsed by the SSL persistence parser (SSID).
Conditions:
-- SSL persistence (SSID) is enabled for a virtual host.
-- APM connects to ADFS.
Impact:
A blank page is observed due to the TCP reset.
Workaround:
No workaround is available.
Fix:
The SSL persistence parser now validates the handshake message data-bytes are available prior to fetching them, so the bounds error does not get raised.
Fixed Versions:
12.1.3.7, 13.1.1.2, 14.0.0.5
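The class of check the fix describes, as an added example in Python (not F5's SSL persistence parser): a parser that extracts the session ID from a TLS handshake record only after confirming that every declared length is backed by actual bytes, beside the unchecked version that reads past a truncated record. It works over the public TLS 1.2 record and handshake layout; the ServerHello input is constructed for the example, and the function and constant names are the example's own.

```python
"""Bounds-checked extraction of the TLS session ID from a handshake record.

Added example, not F5 code: it illustrates the check described in the fix
for 716213 (verify the handshake bytes are present before reading them)
using the public TLS record/handshake layout from RFC 5246.
"""
import struct
from typing import Optional

HANDSHAKE_RECORD = 0x16   # TLS record content type for handshake messages
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02


def extract_session_id_unchecked(data: bytes) -> bytes:
    """Naive parser that trusts the declared lengths and slices blindly.

    The session_id_len byte sits at a fixed offset (5-byte record header +
    4-byte handshake header + 2-byte version + 32-byte random = 43). In C,
    reading past a short buffer here is the out-of-bounds read the bug
    describes; in Python it silently returns a truncated slice.
    """
    sid_len = data[43]
    return data[44:44 + sid_len]


def extract_session_id(data: bytes) -> Optional[bytes]:
    """Return the session ID from a complete ClientHello/ServerHello record,
    or None when any declared length is not backed by actual bytes."""
    # Record header: content_type(1) version(2) length(2)
    if len(data) < 5 or data[0] != HANDSHAKE_RECORD:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) != rec_len:
        return None                                  # record body truncated
    # Handshake header: msg_type(1) length(3)
    if len(body) < 4:
        return None
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO) or len(hs) != hs_len:
        return None                                  # handshake body truncated
    # Hello body: version(2) random(32) session_id_len(1) session_id(n)
    if len(hs) < 35:
        return None
    sid_len = hs[34]
    if sid_len > 32 or len(hs) < 35 + sid_len:
        return None                                  # declared length exceeds data
    return hs[35:35 + sid_len]


def build_server_hello(session_id: bytes) -> bytes:
    """Constructed test vector: a minimal TLS 1.2 ServerHello record carrying
    session_id (cipher suite and compression fields are present but unused)."""
    hello = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    hello += b"\x00\x2f" + b"\x00"   # cipher suite, compression method
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE_RECORD]) + b"\x03\x03" + struct.pack("!H", len(hs)) + hs
```

Feeding a truncated record, or one whose session_id_len byte claims more bytes than the record carries, makes the unchecked version return garbage while the checked version returns None, which is the difference between a reset-and-continue and the bounds error reported here.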
716167-1 : The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp
Links to More Info: BT716167
Component: Local Traffic Manager
Symptoms:
The MTU of the tmm_bp kernel interface may be out-of-sync with the value of sys db vlan.backplane.mtu as well as out-of-sync with the MTU displayed by the following command:
tmsh show /net vlan all-properties -hidden.
Conditions:
This issue occurs on first-boot after upgrading to versions later than v12.1.1 HF1.
Impact:
From the data plane perspective, this issue can cause excessive IP fragmentation on the tmm_bp VLAN and high CPU usage.
In some cases it also causes packet loss.
From the config perspective, this issue has a few smaller impacts:
-- Packets on the tmm_bp interface that are longer than the actual MTU of the interface are fragmented. The actual kernel MTU is reported by either of the following commands:
ip address list dev tmm_bp | egrep -i mtu
ifconfig tmm_bp
Note: This has no impact on the running system. Fragmented packets are reassembled in order for TCP clients of the tmm_bp interface.
-- The sys db variable vlan.backplane.mtu may be out-of-sync with the MTU of the kernel interface tmm_bp as given by either of the following commands:
ip address list dev tmm_bp
ifconfig tmm_bp
-- Similarly, the sys db variable vlan.backplane.mtu may be out-of-sync with the MTU of the Net::Vlan tmm_bp as returned by the command:
tmsh show net vlan -hidden tmm_bp
In short: the MTU of VLAN tmm_bp (the value of vlan.backplane.mtu) is not applied to the corresponding kernel interface.
Workaround:
Restarting all services applies the correct setting. Issue the following commands in sequence:
tmsh stop sys service all
tmsh start sys service all
To verify the setting is correct, issue the command:
ip addr show dev tmm_bp ; tmsh show net vlan -hidden tmm_bp \; list sys db vlan.backplane.mtu
Fixed Versions:
13.1.3.4, 14.1.0.2
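An added example in Python (not F5 tooling) of the verification step in the workaround above: it parses the output of 'ip addr show dev tmm_bp' and 'tmsh list sys db vlan.backplane.mtu' and reports whether the kernel MTU and the db value agree, exiting non-zero on drift so it can run as a post-upgrade check. The sample command outputs embedded in it are constructed for the example, with illustrative MTU values rather than BIG-IP defaults.

```python
"""Detect drift between the tmm_bp kernel MTU and vlan.backplane.mtu.

Added example, not F5 tooling. It parses the output of the two commands
named in the workaround for 716167, 'ip addr show dev tmm_bp' and
'tmsh list sys db vlan.backplane.mtu', and reports whether they agree.
The SAMPLE_* strings are constructed for this example; the MTU values in
them are illustrative, not BIG-IP defaults.
"""
import re
import subprocess
from typing import Dict, Optional

# First line of 'ip addr show dev X' looks like: "3: X: <FLAGS> mtu 1500 qdisc ..."
IP_LINK_RE = re.compile(
    r"^\d+:\s+(?P<ifname>[^:@\s]+)[^:]*:\s+<[^>]*>\s+mtu\s+(?P<mtu>\d+)", re.M)
# 'tmsh list sys db <key>' prints the key as a block containing a line: value "1500"
TMSH_VALUE_RE = re.compile(r'^\s*value\s+"?(?P<value>\d+)"?\s*$', re.M)

SAMPLE_IP_OUTPUT = (            # constructed sample of 'ip addr show dev tmm_bp'
    "3: tmm_bp: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast "
    "state UP group default qlen 1000\n"
    "    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff\n"
)
SAMPLE_TMSH_OUTPUT = (          # constructed sample of 'tmsh list sys db vlan.backplane.mtu'
    "sys db vlan.backplane.mtu {\n"
    '    value "9198"\n'
    "}\n"
)


def parse_ip_mtu(ip_output: str, ifname: str = "tmm_bp") -> Optional[int]:
    """Return the MTU reported by the kernel for ifname, or None if absent."""
    for m in IP_LINK_RE.finditer(ip_output):
        if m.group("ifname") == ifname:
            return int(m.group("mtu"))
    return None


def parse_tmsh_db_value(tmsh_output: str) -> Optional[int]:
    """Return the integer value from 'tmsh list sys db <key>' output, or None."""
    m = TMSH_VALUE_RE.search(tmsh_output)
    return int(m.group("value")) if m else None


def check_backplane_mtu(ip_output: str, tmsh_output: str) -> Dict[str, object]:
    """Compare the kernel MTU of tmm_bp with the configured db value."""
    kernel = parse_ip_mtu(ip_output)
    configured = parse_tmsh_db_value(tmsh_output)
    return {
        "kernel_mtu": kernel,
        "db_mtu": configured,
        "in_sync": kernel is not None and kernel == configured,
    }


def _run(cmd) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def main() -> int:
    # On a BIG-IP system: compare the live values and exit non-zero on drift,
    # so this can be wired into a post-upgrade check.
    result = check_backplane_mtu(
        _run(["ip", "addr", "show", "dev", "tmm_bp"]),
        _run(["tmsh", "list", "sys", "db", "vlan.backplane.mtu"]),
    )
    print(result)
    return 0 if result["in_sync"] else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as a script on the BIG-IP itself after the first boot following an upgrade; a non-zero exit means the service restart in the workaround is still needed.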
716166-4 : Dynamic routing not added when conflicting self IPs exist
Links to More Info: BT716166
Component: TMOS
Symptoms:
A dynamic route is missing from the dynamic routing daemon, as shown by 'show ip route'.
Conditions:
When a self IP host address is the same as the network address of the dynamic route being propagated. For example: self IP 10.10.10.0/31 versus dynamic route 10.10.10.0/24; or 10.10.0.0/24 versus dynamic route 10.10.0.0/16.
Impact:
The dynamic route is not propagated to the kernel or to TMM.
Workaround:
There is no workaround other than not creating self IPs on the network address of a prefix.
Fixed Versions:
11.6.5.1, 12.1.4.1, 13.1.3
715883 : Tmm crash due to invalid cookie attribute
Links to More Info: BT715883
Component: Local Traffic Manager
Symptoms:
TMM crashes due to an invalid request-side cookie attribute.
Conditions:
While processing an HTTP request, an iRule tries to add a cookie attribute to a cookie that is only valid in an HTTP response (for instance, an 'expires' attribute).
Impact:
TMM cored. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
13.1.1.2, 14.0.0.3
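An added example (not F5 or TMM code) of the guard that was missing here, in Python: a helper that rejects response-only cookie attributes such as 'expires' when applied to a request-side cookie, and only rewrites the header on the response side. It follows RFC 6265, under which a request Cookie header carries only name=value pairs while attributes live in Set-Cookie; the function names and the sample header values are the example's own.

```python
"""Guard against response-only cookie attributes on request-side cookies.

Added example, not F5 or TMM code. 715883 describes an iRule that adds an
'expires' attribute to a request cookie; the point of this helper is to
reject such a call up front rather than let it reach the cookie engine.
Per RFC 6265, a request 'Cookie:' header carries only name=value pairs,
while attributes such as Expires, Max-Age, Domain, Path, Secure and
HttpOnly exist only in the response 'Set-Cookie:' header.
"""
from typing import Dict, List, Tuple

# Attributes defined for Set-Cookie (RFC 6265 section 4.1.1) plus SameSite.
RESPONSE_ATTRIBUTES = frozenset(
    {"expires", "max-age", "domain", "path", "secure", "httponly", "samesite"}
)


class CookieAttributeError(ValueError):
    """Raised when an attribute is not valid for the side it is applied to."""


def attribute_allowed(side: str, attribute: str) -> bool:
    """Request cookies have no attribute syntax at all; response cookies
    accept the RFC 6265 attributes. Anything else is rejected."""
    if side == "request":
        return False
    if side == "response":
        return attribute.lower() in RESPONSE_ATTRIBUTES
    raise ValueError(f"unknown side {side!r}")


def parse_cookie_header(value: str) -> List[Tuple[str, str]]:
    """Parse a request 'Cookie:' header value into (name, value) pairs."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            pairs.append((name.strip(), val.strip()))
    return pairs


def parse_set_cookie_header(value: str) -> Tuple[str, str, Dict[str, str]]:
    """Parse a response 'Set-Cookie:' header value into (name, value, attrs).
    Attribute names are lower-cased; flag attributes map to ''."""
    first, *rest = value.split(";")
    name, _, val = first.partition("=")
    attrs: Dict[str, str] = {}
    for part in rest:
        part = part.strip()
        if part:
            key, _, aval = part.partition("=")
            attrs[key.strip().lower()] = aval.strip()
    return name.strip(), val.strip(), attrs


def add_cookie_attribute(side: str, header_value: str, cookie_name: str,
                         attribute: str, attr_value: str = "") -> str:
    """Add attribute=attr_value to cookie_name on the given side and return
    the rewritten header value. Invalid combinations raise instead of
    producing a malformed header (or, as in 715883, reaching code that
    assumes the attribute is valid)."""
    if not attribute_allowed(side, attribute):
        raise CookieAttributeError(
            f"attribute {attribute!r} is not valid on a {side}-side cookie")
    name, val, attrs = parse_set_cookie_header(header_value)
    if name != cookie_name:
        raise CookieAttributeError(f"header does not set cookie {cookie_name!r}")
    attrs[attribute.lower()] = attr_value
    parts = [f"{name}={val}"]
    for key, aval in attrs.items():
        parts.append(f"{key}={aval}" if aval else key)
    return "; ".join(parts)
```

The same split applies to any proxy-side cookie rewriting: validate the attribute against the direction of the header before touching the cookie store, so a misdirected rule produces an error rather than an undefined state.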
715820-1 : vCMP in HA configuration with VIPRION chassis might cause unstable data plane
Links to More Info: BT715820
Component: TMOS
Symptoms:
When multiple vCMP guests are deployed in a high availability (HA) with VIPRION chassis, the data plane cluster might become unstable. When this issue occurs, the system posts repeated log messages in /var/log/ltm similar to the following:
-- CDP: exceeded 1/2 timeout for PG 3
Conditions:
-- Multiple vCMP guests are deployed.
-- HA configured.
-- Using VIPRION chassis.
Impact:
Unstable data plane might cause traffic disruption/packet drops.
Workaround:
None.
Fix:
This issue no longer occurs.
Fixed Versions:
13.1.0.8
715785-2 : Incorrect encryption error for monitors during sync or upgrade
Links to More Info: BT715785
Component: Local Traffic Manager
Symptoms:
The system logs an error message similar to the following in /var/log/ltm:
err mcpd[6823]: 01071768:3: Encryption of the field (password) for object (<monitor name>) failed.
This may cause a configuration sync to fail, or an upgrade to fail.
Conditions:
The exact conditions are unknown, however it may occur under these circumstances:
-- Performing a config sync operation.
-- Performing an upgrade.
Impact:
Inability to sync peer devices, or an inability to upgrade.
Workaround:
There is no workaround at this time.
Fix:
This error is no longer triggered erroneously.
Fixed Versions:
13.1.1.2, 14.0.0.5
715756-2 : Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only
Links to More Info: BT715756
Component: Local Traffic Manager
Symptoms:
When filesystems critical to TMOS functional operation are mounted read-only, clusterd on that blade should trigger a primary election if it was primary. Either way, the cluster should be informed of this critical error state.
Conditions:
A critical filesystem (e.g., '/', '/var', '/var/run', '/config', '/shared') has been mounted read-only.
Impact:
The blade with read-only filesystems and degraded functionality might stay primary and claim to be passing traffic.
Workaround:
There is no workaround other than to avoid mounting filesystems read-only on a BIG-IP system.
Fix:
The blade with read-only filesystems and degraded functionality now yields primaryship to a more healthy cluster member.
Fixed Versions:
13.1.1.2
715750-2 : The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.
Links to More Info: K41515225 , BT715750
Component: Local Traffic Manager
Symptoms:
Upon receiving a FIN midstream in an SSL connection, the BIG-IP system will immediately proxy the FIN to the remote host on the peer side. At this point, depending on the specific configuration of the remote host on the peer side, the BIG-IP system may exhibit behaviors that may be deemed undesirable.
For instance, if the remote host on the peer side acknowledges the FIN but ignores it and keeps sending data to the BIG-IP system, the BIG-IP system will drop all ingress data (i.e., not proxy it) while keeping the side that transmitted the original FIN open indefinitely.
Once the remote host on the peer side completes transmitting data and sends a FIN of its own, the BIG-IP system will finally release the side that sent the original FIN by allowing it to close.
Conditions:
This issue occurs when the following conditions are met:
-- A standard virtual server with the clientssl and serverssl profiles in use.
-- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.
Impact:
There is no real impact to the BIG-IP system because of this issue. However, both the client and the server can be negatively impacted by this issue.
For example, if the original FIN was received by the BIG-IP system on the clientside:
-- The client connection is not allowed to close for potentially a very long time. During this time, the client does not receive anything other than Keep-Alive packets from the BIG-IP system. This can delay or adversely impact applications on the client.
-- The server continues to send data to the BIG-IP system unnecessarily. After accounting for the fact this could be a lot of data and many connections could be in this state, the server and/or its surrounding network could become impacted/congested. At a minimum, this might cause a waste of resources.
Workaround:
There is no workaround at this time.
Fix:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.
Behavior Change:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.
Fixed Versions:
11.6.5.1, 12.1.3.7, 13.1.1.2, 14.0.0.3
715747 : TMM may restart when running traffic through custom SSLO deployments.
Links to More Info: BT715747
Component: Local Traffic Manager
Symptoms:
TMM restarts with a SIGSEGV signal and dumps core.
Conditions:
This issue is known to happen when passing traffic through some custom SSLO deployments (e.g., iRule-based configurations).
Impact:
TMM restarts. If the system is in a high availability configuration, a failover occurs. Traffic disrupted while TMM restarts.
Workaround:
There is no workaround at this time.
Fix:
TMM no longer restarts.
Fixed Versions:
13.1.0.8, 14.0.0
715467-2 : Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
Links to More Info: BT715467
Component: Local Traffic Manager
Symptoms:
If the 'A' record for an FQDN node is removed or replaced on the DNS server, then the BIG-IP system does not remove the old ephemeral pool member or create the new pool member and node.
Conditions:
-- FQDN nodes.
-- Pool members with a service port of ANY.
Impact:
Ephemeral pool member and nodes are not removed or updated when the DNS 'A' record is removed or changed.
Workaround:
There is no workaround at this time.
Fix:
Upon a DNS 'A' record being removed or changed, the ephemeral pool members and nodes based on the old value are removed or changed.
Fixed Versions:
12.1.5, 13.1.1.2, 14.0.0.3
715448-2 : Providing LB::status with a GTM Pool name in a variable caused validation issues
Links to More Info: BT715448
Component: Global Traffic Manager (DNS)
Symptoms:
When utilizing an LB::status iRule where the GTM Pool name was provided in a variable, instead of directly written into the command, the system posts the following error message: Can't read 'monkey': no such variable.
Conditions:
LB::status pool <variable containing the pool name as a string>.
Impact:
Unable to use LB::status iRule.
Workaround:
There is no workaround at this time.
Fix:
Can now use LB::status iRule command to display the status of a GTM Pool when the name of the pool is provided in a variable.
Fixed Versions:
12.1.3.7, 13.1.0.8, 14.0.0.3
715250-1 : TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED
Links to More Info: BT715250
Component: Access Policy Manager
Symptoms:
TMM generates a core and restarts when RPC resumes iRule event ACCESS_SESSION_CLOSED.
Conditions:
Plugin RPC call has iRule event ACCESS_SESSION_CLOSED configured.
Impact:
System instability, failover, traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fixed Versions:
12.1.3.6, 13.1.0.8
715207-3 : coapi errors while modifying per-request policy in VPE
Links to More Info: BT715207
Component: Access Policy Manager
Symptoms:
System reports errors about coapi in /var/log/ltm when modifying a per-request policy in the Visual Policy Editor (VPE).
err coapi: PHP: requested conversion of uninitialized member.
Conditions:
-- The per-request policy being modified is attached to the virtual server.
-- Using VPE.
Impact:
The impact can vary by version.
-- In some versions it represents a stray error log.
-- In other versions the 'Accepted Languages' in the Logon Page agent does not have the full list.
-- In other versions, there are server 500 errors when modifying agents.
Workaround:
To work around this issue, perform the following procedure:
1. Remove the per-request policy from the virtual server.
2. Modify the policy.
3. Add the policy back to the virtual server.
Fix:
Now per-request access policies can be simultaneously used and edited without causing spurious 'coapi' log errors.
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0
715153-1 : AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem
Links to More Info: BT715153
Component: Application Visibility and Reporting
Symptoms:
-- The folder /var/avr/loader contains many files (e.g., more than 1500 files).
-- monpd is not running.
Conditions:
This occurs when the following conditions are met:
-- Avrd is running.
-- monpd is down.
Impact:
AVR writes many files to /var/avr/loader. Depending on disk usage, this might cause disk-usage problems.
Workaround:
There are two possible workarounds:
-- Restart monpd. When monpd starts up, it deletes the files under /var/avr/loader.
-- Delete all files under /var/avr/loader.
Fix:
There is now a limit for the /var/avr/loader folder, so that it can contain no more than 1100 files. This prevents disk-usage problems.
Fixed Versions:
13.1.0.7, 14.0.0
715128-1 : Simple mode Signature edit does not escape semicolon
Links to More Info: BT715128
Component: Application Security Manager
Symptoms:
When creating a user-defined ASM Signature in Simple mode, semicolon followed by space cannot be used in a keyword.
Conditions:
-- Using a user-defined ASM Signature in Simple mode.
-- There is a semicolon followed by a space in a keyword.
Impact:
The signature cannot be created.
Workaround:
The signature can be created in Advanced Mode by escaping semicolon as "|3B|".
Fixed Versions:
13.1.0.8, 14.0.0.5
715110 : AVR should report 'resolutions' in module GtmWideip
Links to More Info: BT715110
Component: Application Visibility and Reporting
Symptoms:
AVR does not report 'resolutions' in GtmWideip module.
Conditions:
One of the following modules is provisioned: AVR, AFM, or DNS/GTM.
Impact:
There are no statistics reported on 'resolutions' in GtmWideip module.
Workaround:
There is no workaround.
Fix:
AVR now reports 'resolutions' in GtmWideip module.
Fixed Versions:
13.1.0.8, 14.1.0.2
715032-5 : iRulesLX Hardening
Links to More Info: K73302459 , BT715032
Component: Local Traffic Manager
Symptoms:
iRulesLX does not follow current best practices and should be updated to ensure layered protections.
Conditions:
-- iRulesLX in use.
Impact:
iRulesLX does not follow current best practices.
Workaround:
None.
Fix:
iRulesLX now follows current best practices.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
714974-2 : Platform-migrate of UCS containing QinQ fails on VE
Links to More Info: BT714974
Component: TMOS
Symptoms:
If you perform a platform-migrate from a hardware device to a Virtual Edition (VE) guest, and the UCS that came from the hardware device contains a QinQ VLAN configuration, the UCS load fails.
Conditions:
-- VLAN with a QinQ configuration exists on the hardware configuration.
-- UCS file is saved on the hardware device.
-- UCS is copied to a VE guest.
-- Attempt to load the configuration using the following command: load sys ucs <UCS filename> no-license platform-migrate.
Impact:
The UCS load will fail and generate an error:
01071bd8:3: The tag-mode for requested member <VLAN name> has to be 'none' on platforms that do not support QinQ. Unexpected Error: Loading configuration process failed.
Workaround:
None.
Fix:
The configuration now loads successfully, disables QinQ on the associated VLAN, and warns that this action was automatically taken.
Fixed Versions:
13.1.1.2
714961-1 : antserver creates large temporary file in /tmp directory
Links to More Info: BT714961
Component: Access Policy Manager
Symptoms:
SWG Analytics (running through the antserver daemon) creates a large temporary file in the /tmp directory due to a lack of write permissions on the appropriate directory.
Conditions:
-- SWG provisioned.
-- Viewing SWG Analytics.
Impact:
/tmp is temporarily populated with a large file that might fill up the directory if it is already close to capacity.
Workaround:
There is no workaround at this time.
Fix:
System now writes to /shared/tmp/ant_server so that it no longer writes to /tmp, so the issue no longer occurs.
Fixed Versions:
13.1.0.8, 14.0.0
714903-2 : Errors in chmand
Links to More Info: BT714903
Component: TMOS
Symptoms:
The VIPRION cluster does not form; only the primary blade stays online. The chassis manager (chmand) generates a core file. The system logs the following error in /var/log/ltm: err clusterd[11162]: 013a0004:3: Error adding cluster mgmt addr, HAL error 7.
Conditions:
-- Restoring UCS.
-- Chassis starting up.
-- System in stressed condition, where there is very little or no memory available.
Impact:
Cluster does not form.
Workaround:
None.
Fix:
These errors in chmand are fixed.
Fixed Versions:
12.1.4.1, 13.1.1.2, 14.0.0.5
714749-2 : cURL Vulnerability: CVE-2018-1000120
Component: TMOS
Symptoms:
It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.
Conditions:
BIG-IP systems are not affected by this vulnerability.
Impact:
None.
Workaround:
None.
Fix:
Patched CVE-2018-1000120
Fixed Versions:
13.1.1.2, 14.0.0.3
714716-2 : Apmd logs password for acp messages when in debug mode
Links to More Info: K10248311 , BT714716
Component: Access Policy Manager
Symptoms:
Apmd logs the password when executing a policy via iRule.
Conditions:
-- APM is licensed and provisioned.
-- Executing policy via iRule using iRule command 'ACCESS::policy evaluate'.
-- A clear-text password is supplied for authentication.
-- Debug mode is active.
Impact:
Apmd logs the clear-text password.
Fix:
Apmd now no longer logs password in debug mode when evaluating policy via iRule.
Fixed Versions:
11.6.3.2, 12.1.4.1, 13.1.1.4, 14.0.0
714700-2 : SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy
Links to More Info: BT714700
Component: Access Policy Manager
Symptoms:
To address a vulnerability in their CredSSP implementation, Microsoft released a set of updates for all versions of Windows (https://aka.ms/credssp). Although the APM implementation is not affected by this vulnerability, the Microsoft Windows Server fix introduces compatibility issues. The update adds a new Group Policy, 'Encryption Oracle Remediation', which, if set to 'Force Updated Clients' on the server, might break SSO for APM's native RDP resources.
Conditions:
-- RDP server has https://aka.ms/credssp update installed.
-- 'Encryption Oracle Remediation' Group Policy on the RDP server is set to 'Force Updated Clients'.
Impact:
SSO for native RDP resources does not work.
Workaround:
Set 'Encryption Oracle Remediation' Group Policy on the RDP server to 'Mitigated'.
Fix:
SSO for native RDP resources is now compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy.
Fixed Versions:
13.1.0.8, 14.0.0
714654-2 : Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
Links to More Info: BT714654
Component: TMOS
Symptoms:
While creating a static route, tmrouted disconnects with error: existing entry is not a dynamic.
Conditions:
Creating a static route for a network that already has an advertised dynamic route.
Impact:
TMM's connection to tmrouted goes down, which results in loss of the dynamic route for TMM.
Workaround:
There is no workaround other than not creating a static route for routes received through dynamic routing.
Fix:
Creating static routes for advertised dynamic route no longer causes the tmrouted-to-TMM connection to drop.
Fixed Versions:
12.1.4.1, 13.1.1.2
714642-1 : Ephemeral pool-member state on the standby is down
Links to More Info: BT714642
Component: Local Traffic Manager
Symptoms:
On a standby BIG-IP system, an ephemeral pool member's state remains user-down after the FQDN node is re-enabled on the primary system.
Conditions:
Re-enabling a forced-down FQDN node on the primary system.
Impact:
On the standby system, the ephemeral pool members are in the user-down state (forced-down in the GUI).
Workaround:
None.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1
714626-2 : When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.
Links to More Info: BT714626
Component: TMOS
Symptoms:
When the BIG-IP system is behind a proxy server, the licensing process does not work, despite having set the db variables for proxy.host, proxy.port, proxy.protocol, etc.
Conditions:
-- The BIG-IP system is behind a proxy server that gates internet access.
-- Licensing (or revoking the license of) the BIG-IP system is attempted using the GUI or tmsh, which fails because communication with the license server fails.
Impact:
The --proxy option is required in order to use the SOAPLicenseClient to license, reactivate the license, or revoke the license of the BIG-IP system.
Workaround:
Instead of using GUI or tmsh, run the following command, substituting your proxy specification for <proxy> and your license registration key for <reg-key>:
/usr/local/bin/SOAPLicenseClient --proxy <proxy> --basekey <reg-key> --certupdatecheck
Fix:
Licensing/revoke licensing works as expected by simply setting the tmsh sys db variables proxy.host, proxy.port, etc.
Fixed Versions:
13.1.1.5, 14.0.0
714559-2 : Removal of HTTP hash persistence cookie when a pool member goes down.
Links to More Info: BT714559
Component: Local Traffic Manager
Symptoms:
When HTTP cookie hash persistence is configured, the cookie is removed when a pool member goes down. This is incorrect if the pool members are using session replication.
Conditions:
- Cookie hash persistence is configured.
- A pool member that the persistence record points to goes down.
- Pool members are using session replication.
Impact:
Connected clients must establish a new session.
Workaround:
To configure HTTP cookie hash persistence, use an iRule similar to the following:
when CLIENT_ACCEPTED {
    # Persist on a hash of the application's own JSESSIONID cookie value.
    persist cookie hash JSESSIONID
}
Fix:
HTTP hash persistence cookie is no longer removed when a pool member goes down.
If you need to remove the cookie, use an iRule similar to the following:
when PERSIST_DOWN {
    # PERSIST_DOWN fires when the persisted pool member is down; strip the
    # cookie so the client is issued a new session.
    HTTP::cookie remove JSESSIONID
}
Fixed Versions:
12.1.4, 13.1.1.4
714384-3 : DHCP traffic may not be forwarded when BWC is configured
Links to More Info: BT714384
Component: Local Traffic Manager
Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.
Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.
Impact:
DHCP traffic may not be forwarded.
Workaround:
There is no workaround other than to remove the BWC policy.
Fix:
DHCP traffic is now forwarded when BWC is configured.
Fixed Versions:
13.1.1.2, 14.0.0.3
714334-1 : admd stops responding and generates a core while under stress.
Links to More Info: BT714334
Component: Anomaly Detection Services
Symptoms:
admd stops responding and generates a core while under stress.
Conditions:
-- The BIG-IP system is under stress.
-- CPU starvation is occurring.
Impact:
admd cores and restarts.
Note: The admd process provides stress-based DoS detection and mitigation control. When admd is not running, there is no stress-based anomaly detection or behavioral statistics aggregation.
Workaround:
None.
Fix:
This issue no longer occurs.
Fixed Versions:
13.1.0.8, 14.0.0.5
714303-1 : X520 virtual functions do not support MAC masquerading
Links to More Info: K25057050 , BT714303
Component: TMOS
Symptoms:
MAC masquerading is not supported when using X520 virtual functions (VFs) via SR-IOV in Virtual Edition (VE). This is due to a lack of functionality in the underlying hardware.
Conditions:
-- Use SR-IOV VFs as interfaces within VE.
-- Configure MAC masquerading with a shared MAC that should follow the active system after traffic group failovers.
Impact:
MAC masquerading does not function in this environment.
Workaround:
None.
Fix:
MAC masquerading is now supported when using X520 VFs via SR-IOV in VE with the following prerequisites:
-- VFs must have MAC addresses before deploying the BIG-IP system.
-- Trust mode must be set on the host.
-- The DB variable tm.macmasqaddr_per_vlan must be set to true if the VFs belong to the same PF.
-- The driver version must match the following:
+ Driver: ixgbe
+ Version: 5.1.0-k-rh7.5
+ Firmware-version: 0x80000656
Fixed Versions:
13.1.1, 14.0.0.1
714176-4 : UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed
Links to More Info: BT714176
Component: TMOS
Symptoms:
-- UCS archive restore fails
-- The Traffic Management Shell (TMSH) and/or the /var/log/ltm file shows the following error message:
01071769:3: Decryption of the field (privatekey) for object (9717) failed. Unexpected Error: Loading configuration process failed.
Conditions:
- Restoring configuration from UCS.
- The UCS is being restored on a different BIG-IP system with a different master key.
Impact:
-- The UCS configuration is not applied.
-- The BIG-IP is not in a fully operational state.
Workaround:
If you encounter this error and dynad (dynamic debug) is not in use, you can manually edit bigip_base.conf.
1. Locate the dynad config in /config/bigip_base.conf file:
For example, the dynad config will look like:
sys dynad key {
key $M$jV$VX7HMp5q346nsTYDYFPnYdJLrBPyQSCrDTJYAz4je7KXJAC38fxtDJL35KtF66bq
}
2. Modify the dynad configuration lines to:
sys dynad key {
key "test"
}
3. Save the updated bigip_base.conf file.
4. Load the configuration with command: tmsh load sys config
Fix:
The log message is improved to provide the BIG-IP administrator with more specific detail that the dynad key failed to be decrypted.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
713951-5 : tmm core files produced by nitrox_diag may be missing data
Links to More Info: BT713951
Component: Local Traffic Manager
Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.
Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.
Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.
Fixed Versions:
11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0.3
713947-1 : stpd repeatedly logs "hal sendMessage failed"
Links to More Info: BT713947
Component: TMOS
Symptoms:
On non-primary clustered blades in a BIG-IP chassis environment, stpd may repeatedly log "hal sendMessage failed".
Conditions:
Two or more blades clustered in a chassis with STP enabled on one or more ports.
Impact:
All BIG-IP blades
Workaround:
No workaround other than ignoring the log messages; they are spurious and have no ill effect on the system beyond log spam.
Fixed Versions:
13.1.1.2
713934-2 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result in a malformed TC response
Links to More Info: BT713934
Component: Local Traffic Manager
Symptoms:
A malformed truncated (TC) DNS response is received.
Conditions:
-- Using iRule 'DNS::question name' to shorten the name.
-- The DNS response is longer than the 4096-byte UDP limit.
Impact:
DNS request might not be resolved correctly.
Workaround:
There is no workaround at this time.
Fix:
In this release, when 'DNS::question name' changes the query name, the software ensures that the request is updated with the proper lengths.
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0.3
713932-1 : Commands are replicated to PostgreSQL even when not in use.
Links to More Info: BT713932
Component: TMOS
Symptoms:
In MCP, PostgreSQL is used only by AFM. Even when AFM is not provisioned, however, commands are being replicated to PostgreSQL.
Conditions:
AFM is not provisioned.
Impact:
Unnecessary CPU cycles spent by MCP replicating commands to PostgreSQL.
Workaround:
None.
Fix:
Prevented replication of commands to PostgreSQL when it is not in use.
Fixed Versions:
13.1.1.2, 14.0.0.3
713820-1 : Pass in IP address to urldb categorization engine
Links to More Info: BT713820
Component: Access Policy Manager
Symptoms:
Category lookup results might be inaccurate. In some cases, the system returns 'uncategorized' when the reference (Forcepoint) returns a specific category.
Conditions:
The Category Lookup agent is in a per-request policy using the categorization engine to look up a website's classification.
Impact:
Actions leveraging categorization results are applied incorrectly.
Workaround:
None.
Fix:
This release can now pass in more information to the urldb categorization engine, which supports finer-grained categorization.
Fixed Versions:
13.1.1.2
713813-2 : Node monitor instances not showing up in GUI
Links to More Info: BT713813
Component: TMOS
Symptoms:
Navigating to Local Traffic :: Monitors :: <some_monitor> should show a list of nodes with some_monitor assigned to them. The GUI does not list the related nodes under the Instances tab.
Conditions:
-- At Local Traffic :: Monitors :: <some_monitor>.
-- Under the Instances tab.
Impact:
No instances listed. Cannot use the GUI to determine which nodes are associated with a monitor.
Workaround:
Use tmsh to list nodes associated with a monitor.
Fix:
The GUI now lists all associated nodes under Local Traffic :: Monitors :: <some_monitor> :: Instances tab.
Fixed Versions:
13.1.1.2
713708 : Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI
Links to More Info: BT713708
Component: TMOS
Symptoms:
On the BIG-IP GUI, under System :: Software Management :: Update Check, after pressing 'Check now', the 'Available Update' shows a long string 'OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install' instead of the EPSEC version, e.g.: epsec-1.0.0-679.0.
Conditions:
-- Under System :: Software Management :: Update Check.
-- Press 'Check now'.
Impact:
Cannot determine what version is available by viewing 'Available Update'. Although this is how all the other updates work, it can result in a confusing BIG-IP user experience.
Workaround:
To have the browser show the link's destination address, view the browser's status fields while hovering the cursor over the following link text: OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install.
Fix:
The output now shows the version, e.g.: epsec-1.0.0-679.0.
Fixed Versions:
13.1.4.1
713690-3 : IPv6 cache route metrics are locked
Links to More Info: BT713690
Component: Local Traffic Manager
Symptoms:
Under certain circumstances IPv6 route metrics are locked for the lifetime of a route metrics cache entry.
Conditions:
Under certain circumstances IPv6 route metrics cache entries are created locked.
Impact:
IPv6 route metrics are locked for the lifetime of a route metrics cache entry. When subsequent ICMPv6 Packet Too Big messages with a larger MTU are received, the value is not updated.
Workaround:
None.
Fix:
IPv6 route metrics are not locked anymore.
Fixed Versions:
12.1.3.7, 13.1.1.4, 14.0.0.5
713655-2 : RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
Links to More Info: BT713655
Component: Access Policy Manager
Symptoms:
If per-session access policy requests route domain selection during policy evaluation, the agent might hang and fail to retrieve route domain information. APMD might restart and produce a core file.
Conditions:
-- Policy sync operation.
-- System receives a query for route domain information.
-- There is a heavy load of control plane traffic to process.
Impact:
Poor performance and/or APMD restarts with a core file, causing brief disruption of the authentication service.
Workaround:
None.
Fix:
Route domain selection operations no longer fail under heavy control-plane traffic/activities.
Fixed Versions:
12.1.3.7, 13.1.1.2, 14.0.0.5
713614-6 : Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)
Links to More Info: BT713614
Component: TMOS
Symptoms:
A warning similar to the following, referencing a non-floating self IP:
Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)
Conditions:
Virtual Server is defined using the same IP address as a non-floating self IP.
Impact:
Virtual Server does not fail over with floating traffic group as expected.
Fixed Versions:
13.1.5, 15.1.0.5
713612-1 : tmm might restart if the HTTP passthrough on pipeline option is used
Links to More Info: BT713612
Component: Local Traffic Manager
Symptoms:
The TMM may crash if the HTTP profile's 'passthrough_pipeline' field is set to 'passthrough'.
Conditions:
-- HTTP profile is configured as a transparent proxy.
-- The HTTP profile's 'passthrough_pipeline' field is set to 'passthrough'.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
tmm no longer crashes when HTTP switches to passthrough mode in some cases.
Fixed Versions:
13.1.1.2
713533-2 : list self-ip with queries does not work
Links to More Info: BT713533
Component: Local Traffic Manager
Symptoms:
"list net self" command always returns all Self IPs, regardless of the regex patterns.
Conditions:
list net self always returns all Self IPs
Impact:
You are unable to filter the Self IP list using a regex pattern.
Fix:
You can now use pattern matching to list Self IPs.
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0.3
713491-2 : IKEv1 logging shows spi of deleted SA with opposite endianness
Links to More Info: BT713491
Component: TMOS
Symptoms:
Sometimes the IKEv1 racoon daemon logs a 32-bit child-SA spi with octets in backwards order (reversing the endianness).
Conditions:
When an SA is deleted.
Impact:
Logging typically shows a network byte order spi in the wrong order. Cosmetic interference with logging interpretation.
Workaround:
There is no workaround at this time.
Fix:
The spi values are shown in the correct endianness now.
Fixed Versions:
12.1.3.6, 13.1.1.4, 14.0.0.3
713390-1 : ASM Signature Update cannot be performed on hourly billing cloud instance
Component: Application Security Manager
Symptoms:
ASM Signature Update cannot be performed on hourly billing cloud (AWS) instance. Licenses on these devices cannot be updated and have a fixed Service Check Date (SCD), which must be more recent to allow ASM Signature Update.
Conditions:
Attempt to perform ASM Signature Update on hourly billing cloud (AWS) instance.
Impact:
Performing ASM Signature Update fails.
Workaround:
There is no workaround at this time.
Fix:
ASM Signature Update can now be performed on hourly billing cloud instance.
Fixed Versions:
13.1.0.8
713380 : Multiple B4450 blades in the same chassis run into inconsistent DAG state
Links to More Info: K23331143 , BT713380
Component: TMOS
Symptoms:
Multiple B4450 blades in the same chassis can run into inconsistent DAGv2 state.
Conditions:
More than one B4450 blade in the same chassis.
Impact:
Inconsistent DAG state can cause traffic disruption.
Workaround:
Restart tmm on one blade in the chassis and force the blades to reform the cluster in data plane.
Fix:
Multiple B4450 blades in the same chassis no longer experience an inconsistent DAG state.
Fixed Versions:
13.1.1.4
713282-1 : Remote logger violation_details field does not appear when virtual server has more than one remote logger
Links to More Info: BT713282
Component: Application Security Manager
Symptoms:
Remote logger violation_details field appears empty.
Conditions:
-- More than one remote logger is attached to the virtual server.
-- A violation occurs.
-- Viewing the associated log.
Impact:
Violation_details field appears empty in logs.
Workaround:
There is no workaround at this time.
Fix:
Remote logger violation_details field is now populated as expected when the virtual server has more than one remote logger.
Fixed Versions:
12.1.3.7, 13.1.0.8, 14.0.0.5
713273 : BIG-IP sys db variable avr.stats.internal.maxentitiespertable resets back to default value on services restart
Links to More Info: BT713273
Component: Application Visibility and Reporting
Symptoms:
After a BIG-IP system reset, a modified setting for the BIG-IP sys db variable avr.stats.internal.maxentitiespertable returns to the default value.
Conditions:
1. avr.stats.internal.maxentitiespertable value is modified from the default.
2. The BIG-IP system restarts.
Impact:
avr.stats.internal.maxentitiespertable returns to its default value.
Workaround:
After BIG-IP system reset, specify the value of avr.stats.internal.maxentitiespertable again.
Fix:
A modified avr.stats.internal.maxentitiespertable value no longer returns to the default value after BIG-IP system restart.
Fixed Versions:
13.1.0.7, 14.0.0
713156-1 : AGC cannot do redeploy in Exchange and ADFS use cases
Links to More Info: BT713156
Component: Access Policy Manager
Symptoms:
In AGC exchanges or Active Directory Federation Services (ADFS) configurations, the system creates an SSL HTML form and SSO HTML form control object. Because of the limitation of ICRD, the system cannot directly delete SSO HTML form control objects.
Conditions:
-- Redeploy occurs in an AGC exchange ADFS configuration.
-- Modifying existing configurations.
Impact:
Redeploy fails, and the configuration remains unmodified.
Workaround:
Do an undeploy, followed by a deploy.
Fix:
Redeploy now succeeds when using AGC with Exchange and ADFS use cases.
Fixed Versions:
13.1.0.8, 14.0.0
713111-1 : When ASM and APM are configured on the same virtual server, ASM might report some errors in its logging.
Links to More Info: BT713111
Component: Access Policy Manager
Symptoms:
When APM (SSO feature) and ASM are configured on the same virtual server, WebSSO recreates requests on 401 responses. Such requests have the same support ID, so ASM logs errors.
Conditions:
APM (WebSSO) and ASM are configured on same virtual server.
Impact:
ASM might potentially block such requests, so APM SSO functionality may not work.
Workaround:
There is no workaround except to not configure APM (WebSSO) and ASM on same virtual server.
Fix:
This issue has been fixed.
Fixed Versions:
13.1.0.8
713066-1 : Connection failure during DNS lookup to disabled nameserver can crash TMM
Links to More Info: K10620131 , BT713066
Component: Global Traffic Manager (DNS)
Symptoms:
TMM restarts as a result of a DNS lookup to a disabled nameserver.
Conditions:
DNS lookup that tries to connect to a nameserver that is not reachable for some reason.
This could be an explicit 'RESOLV::lookup' command in iRule, or it could be DNS lookups internally triggered by APM or HTTP.
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
Verify connectivity to nameserver.
As an alternative, refrain from using RESOLV::lookup in iRules.
Fix:
This issue is now fixed.
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0
713051 : PB generates a suggestion to add a disallowed filetype with empty name.
Links to More Info: BT713051
Component: Application Security Manager
Symptoms:
Policy Builder (PB) generates a suggestion to add a disallowed filetype with an empty name.
When trying to accept suggestion, you get a message 'action failed'.
Conditions:
This is a timing-related issue that occurs when trying to accept an incorrectly presented suggestion.
Impact:
An incorrect suggestion is issued that cannot be accepted. There is no specific impact on functionality.
Workaround:
Delete the suggestion, or mark it as ignored so it does not reappear.
Fix:
PB no longer issues the incorrect suggestion.
Fixed Versions:
13.1.3
712924-1 : In VPE the SecurID servers list is not displayed in the SecurID authentication dialog
Links to More Info: BT712924
Component: Access Policy Manager
Symptoms:
In the VPE, the SecurID servers list is not displayed in the SecurID authentication dialog. The list displays only None.
Conditions:
Always, when adding a SecurID authentication action.
Impact:
Inability to (re)configure SecurID via the VPE.
Workaround:
Manually modify RSA AAA server in SecurID Auth Agent via tmsh:
tmsh modify apm policy agent aaa-securid <aaa agent> server <securid server name>
Fixed Versions:
12.1.3.6, 13.1.0.6
712919-1 : Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server.
Links to More Info: K54802336 , BT712919
Component: Local Traffic Manager
Symptoms:
When an iRule is removed from a Virtual Server, especially one with explicitly specified high priority (with 'priority' keyword), other iRules on the same Virtual Server may become 'invisible', i.e., they are present but some of them are no longer executed. It may affect all the events or only certain types of them. Under certain conditions the issue may even disappear upon removing another iRule, particularly if it has low priority and handles the same event as the one which introduced the problem.
Conditions:
Removing an iRule from a Virtual Server.
Impact:
Some or all iRules on given Virtual Servers stop being executed.
Workaround:
Restart or reload the configuration.
If removing iRules needs to be performed at run time and it triggers the problem, you can prevent the issue by having any iRule (even an empty one) for the same event as the iRule that is going to be removed, but with a higher priority, e.g., with the attribute 'priority 1'.
Fix:
Corrected scanning of iRules stored behind the one which is being deleted.
Fixed Versions:
13.1.3, 14.0.1.1, 14.1.2.3
712819-2 : 'HTTP::hsts preload' iRule command cannot be used
Links to More Info: BT712819
Component: Local Traffic Manager
Symptoms:
Using the 'HTTP::hsts preload' iRule command in the GUI, you might see an error message similar to the following:
01070151:3: Rule [/Common/test] error: /Common/test:3: error: ["invalid argument preload; expected syntax spec: "][HTTP::hsts preload enable].
The message is incorrect: the command has the correct format. However, the system does not run it.
Conditions:
Using the 'HTTP::hsts preload' iRule command in the GUI.
Impact:
The command does not run. Cannot use the 'HTTP::hsts preload' iRule command in the GUI.
Workaround:
None.
Fix:
'HTTP::hsts preload' iRule command now works as expected.
Fixed Versions:
13.1.0.8, 14.0.0.3
712738-1 : fpdd may core dump when the system is going down
Links to More Info: BT712738
Component: TMOS
Symptoms:
fpdd may core dump when the system is going down. This is because the LED manager in the daemon cannot use the hal library to talk to other daemons.
Conditions:
The problem happens when the system is going down.
Impact:
This is a rarely occurring issue. When it happens, fpdd creates a core file. The LEDs may not reflect the status right before the shutdown. But the LEDs are reinitialized after the bootup.
Workaround:
None.
Fix:
fpdd no longer core dumps when the system is going down.
Fixed Versions:
13.1.1.4
712710 : TMM may halt and restart when threshold mode is set to stress-based mitigation
Links to More Info: BT712710
Component: Advanced Firewall Manager
Symptoms:
When auto-DoS vector's threshold mode is set to stress-based mitigation, but the vector is in disabled state, TMM may halt and restart.
Conditions:
-- Threshold mode is set to stress-based mitigation.
-- Vector is disabled.
Impact:
TMM restarts. Traffic disrupted while TMM restarts.
Workaround:
There is no workaround other than not setting threshold mode to stress-based mitigation if the vector is disabled.
Fix:
TMM no longer restarts when threshold mode is set to stress-based mitigation and the vector is in disabled state.
Fixed Versions:
13.1.0.7, 14.0.0
712664-2 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
Links to More Info: BT712664
Component: Local Traffic Manager
Symptoms:
IPv6 Neighbor Solicitation (NS) packets may be dropped if they are for a host on a remote VLAN of a transparent vlangroup and the target address matches a virtual address with ARP disabled.
Conditions:
- transparent vlan-group
- Virtual Address with ARP disabled
- Virtual Address corresponds to remote IPv6 host address
Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.
Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.
Fix:
IPv6 NS is no longer dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address.
Fixed Versions:
12.1.3.7, 13.1.1.5, 14.0.0.3
712637-2 : Host header persistence not implemented
Links to More Info: BT712637
Component: Local Traffic Manager
Symptoms:
Online documentation describes a persistence mechanism that uses the HTTP Host: header. However, this mechanism is not implemented, and attempts to use it generate an error.
Conditions:
Online help for ltm persistence says that Host persistence can be enabled via iRule, but attempting to do so generates an error 'invalid argument host'.
Impact:
Although this does not impact any existing functionality, the documented function is not available.
Workaround:
There is no workaround at this time.
Fix:
LTM Host: header persistence is implemented.
Fixed Versions:
13.1.1.2, 14.0.0.3
712475-3 : DNS zones without servers will prevent DNS Express reading zone data
Links to More Info: K56479945 , BT712475
Component: Local Traffic Manager
Symptoms:
DNS Express does not return dig requests.
Conditions:
DNS Express is configured with a zone that has no server.
Impact:
DNS Express does not return dig requests.
Workaround:
You can use either of the following workarounds:
-- Remove the zone without the server.
-- Configure a server for the zone.
Fix:
DNS zones without servers no longer prevent DNS Express reading zone data.
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0
712437-3 : Records containing hyphens (-) will prevent child zone from loading correctly
Links to More Info: K20355559 , BT712437
Component: Local Traffic Manager
Symptoms:
The dig command returns no record with SOA from the parent zone even though dnsxdump shows that the record exists.
Conditions:
-- Parent zone has a record containing - (a hyphen) and the preceding characters match the child zone. For example,
myzone.com -- parent
foo.myzone.com -- child
-- In myzone.com, you have a record of the following form:
foo-record.myzone.com
Impact:
DNS cannot resolve records correctly.
Workaround:
None.
Fix:
DNS now handles the case in which the parent zone has a record containing - (a hyphen) and the preceding characters match the child zone.
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0
712429 : Serverside packets excluded from DoS stats
Links to More Info: BT712429
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems configured with L4 DoS Protection might not provide sufficiently granular DDoS detection and mitigation to ensure that legitimate traffic is not impacted.
Conditions:
Configured for DDoS detection and mitigation.
Impact:
Legitimate traffic might be impacted.
Workaround:
None.
Fix:
The following DoS vectors no longer count serverside packets.
-- Single-Endpoint Flood
-- Global-Device level aggregate vectors
-- Bad-actor/attacked-dst for all vectors
Additionally, hardware-accelerated, device-level (global) aggregate DoS vectors are now programmed dynamically when traffic is detected, rather than at configuration time.
These behavior changes provide greater granularity in DDoS detection and mitigation to ensure that legitimate traffic is not impacted.
Behavior Change:
The following DoS vectors no longer count serverside packets.
-- Single-Endpoint Flood
-- Global-Device level aggregate vectors
-- Bad-actor/attacked-dst for all vectors
Additionally, hardware-accelerated, device-level (global) aggregate DoS vectors are now programmed dynamically when traffic is detected, rather than at configuration time.
These behavior changes provide greater granularity in DDoS detection and mitigation to ensure that legitimate traffic is not impacted.
Fixed Versions:
13.1.0.7
712401-1 : Enhanced administrator lock/unlock for Common Criteria compliance
Links to More Info: BT712401
Component: TMOS
Symptoms:
The Network Device and Firewall collaborative Protection Profiles v2.0 require certain behavior for locking and unlocking administrative-user accounts on the BIG-IP system. BIG-IP software needs to be enhanced for compliance with those requirements.
Conditions:
The ccmode script must be run to activate these enhancements. Also, see the Common Criteria Guidance document (published when the certificate is obtained) for more details.
Impact:
Without these enhancements activated, the BIG-IP system is not compliant with Common Criteria requirements.
Workaround:
Risk acceptance for Common Criteria non-compliance.
Fix:
To meet Common Criteria requirements, the BIG-IP system is enhanced in two areas:
1. The primary administrative user account (generally 'admin') can be locked out, as any other administrative-user account can be. However, it is never locked out when signing in from the serial console.
2. Locked out administrative-users are unlocked only after an administrator-specified time period has passed. The default is 10 minutes, and is set in the ccmode script.
Fixed Versions:
13.1.0.8
712362-3 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
Links to More Info: BT712362
Component: Application Security Manager
Symptoms:
When the WebSocket HTTP handshake response arrives without the 'Switching Protocols' reason phrase on its first line, ASM does not process the subsequent WebSocket frames on the WebSocket connection.
The system posts the following messages in /ts/log/bd.log:
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0269|101 Switching Protocols HTTP status arrived, but the websocket hanshake failed.
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0270|Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.
Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- WebSocket backend server sends 101 response without the 'Switching Protocols' phrase.
Impact:
WebSocket frames stall.
Workaround:
#1 Change the backend server:
Change WebSocket backend server to return 101 response to include the 'Switching Protocols' reason phrase:
HTTP/1.1 101 Switching Protocols
#2 Use an iRule:
when SERVER_CONNECTED {
    # Collect just the status line prefix "HTTP/1.1 101 \r\n" (15 bytes).
    TCP::collect 15
}
when SERVER_DATA {
    # A 101 status line with an empty reason phrase: insert the phrase ASM expects.
    # Replace the 13 bytes "HTTP/1.1 101 " so that the CRLF directly follows the phrase.
    if { [TCP::payload 15] contains "HTTP/1.1 101 \r\n" } {
        TCP::payload replace 0 13 "HTTP/1.1 101 Switching Protocols"
    }
    # Release the collected data so the (possibly rewritten) response is forwarded.
    TCP::release
}
Fix:
This release correctly handles 101 responses even without the 'Switching Protocols' reason phrase.
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0.5
712336-2 : bd daemon restart loop
Links to More Info: BT712336
Component: Application Security Manager
Symptoms:
Continuous bd restarts after a period in which /var was full and then cleaned.
Conditions:
/var was full and then cleaned.
Impact:
Continuous bd restarts.
Workaround:
A) Make a spurious change in a policy and apply it.
OR
B) Restart ASM.
Fixed Versions:
12.1.5.3, 13.1.5, 14.1.4.4
712335-1 : GTMD may intermittently crash under unusual conditions.
Links to More Info: BT712335
Component: Global Traffic Manager (DNS)
Symptoms:
GTMD may intermittently crash when an unexpected error occurs while creating a statistics row for a resource added to the configuration.
Conditions:
-- A pool member is added to the system.
-- There is an unexpected failure to create the associated statistics row.
Impact:
GTMD restarts. Global traffic functionality is not available while GTMD is restarting.
Workaround:
There is no workaround at this time.
Fix:
GTMD no longer intermittently crashes when a pool member is added to the system, but there is an unexpected failure to create the associated statistics row.
Fixed Versions:
12.1.6, 13.1.4, 14.1.2.7
712266-1 : Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware
Links to More Info: BT712266
Component: TMOS
Symptoms:
Messages like the following may show up in /var/log/ltm:
-- crit tmm5[28908]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=11): ctx dropped.
This occurs because the decompression of large compressed data failed.
Conditions:
This issue occurs when compressed data cannot be decompressed in a single request to the Nitrox 3 hardware accelerator.
Impact:
Requests fail with a connection reset.
Workaround:
Use zlib software decompression.
Fix:
This release fixes this decompression issue in the Nitrox 3 driver.
Fixed Versions:
13.1.1
712118 : AVR should report on all 'global tags' in external logs
Links to More Info: BT712118
Component: Application Visibility and Reporting
Symptoms:
AVR reports only 'ssgName' from the global tags.
Conditions:
-- A BIG-IQ operation configures the 'tag file' (/var/config/rest/downloads/app_mapping.json) on the BIG-IP system.
-- Statistics are sent to the BIG-IQ system.
Impact:
Not all the tags are sent to the BIG-IQ system.
Workaround:
There is no workaround at this time.
Fix:
AVR now reports statistics on all tags to the BIG-IQ system.
Fixed Versions:
13.1.0.8, 14.0.0
712102-2 : customizing or changing the HTTP Profile's IPv6 field hides the field or the row
Links to More Info: K11430165 , BT712102
Component: TMOS
Symptoms:
Customizing or changing the HTTP Profile's IPv6 field hides the field or the row.
Conditions:
Customizing or changing the HTTP Profile's IPv6 field.
Impact:
The HTTP Profile's IPv6 field cannot be customized or changed.
Workaround:
Use tmsh to set the HTTP Profile's IPv6 field.
Fix:
Customizing or changing the HTTP Profile's IPv6 field does not hide the field or the row.
Fixed Versions:
13.1.1.2
711981-5 : BIG-IP system accepts larger-than-egress MTU, PMTU update
Links to More Info: BT711981
Component: Local Traffic Manager
Symptoms:
A Path MTU (PMTU) message can lead the BIG-IP system to falsely assume that the egress MTU on the related flow is larger than the interface egress MTU.
Conditions:
A valid PMTU message.
Impact:
The BIG-IP system sends packets larger than the configured interface egress MTU.
Workaround:
None.
Fix:
The BIG-IP system now limits the flow egress MTU to the interface egress MTU.
Fixed Versions:
11.6.5.3, 12.1.3.7, 13.1.1.4, 14.0.0.5
711929-1 : AVR should not send statistic on hidden rows for module InterfaceTraffic and module InterfaceHealth
Links to More Info: BT711929
Component: Application Visibility and Reporting
Symptoms:
AVR sends data on all interfaces, hidden and not hidden. It should send information only on not-hidden interfaces.
Conditions:
-- Tmstat table interface_stat exists.
-- Viewing statistics for module InterfaceTraffic and module InterfaceHealth.
Impact:
Irrelevant data is sent.
Workaround:
None.
Fix:
AVR now sends data only on not-hidden interfaces.
Fixed Versions:
13.1.0.6, 14.0.0
711708-1 : Default disabled DoS profile cannot be attached to virtual server because of BADOS '2 virtual servers limitation'
Links to More Info: BT711708
Component: Anomaly Detection Services
Symptoms:
Configuration error: DoS profile with behavioral detection cannot be attached to a virtual server because use is limited to 2 virtual servers when the DoS profile does not have BADOS configuration.
Conditions:
Reproduces intermittently when more than 2 virtual server and DoS profile pairs are configured.
Impact:
Cannot assign DoS profile to virtual servers.
Workaround:
Modify the DoS profile configuration: enable/disable BADOS features (bad actors/signatures) and try to reassign DoS profile to the virtual server.
Fix:
There is no 2-virtual server limitation when no BADOS is configured.
Fixed Versions:
13.1.3.2
711683-2 : bcm56xxd crash with empty trunk in QinQ VLAN
Links to More Info: BT711683
Component: TMOS
Symptoms:
When an empty trunk (no members) is configured 'tagged' in a QinQ VLAN, bcm56xxd will continuously crash.
Conditions:
Trunk with no members, configured as 'tagged' in a QinQ VLAN.
Impact:
bcm56xxd continuously crashes.
Workaround:
Use either of the following workarounds:
-- Add members to the trunk.
-- Remove the trunk from the QinQ VLAN.
Fix:
Do not program QinQ switch hardware if the trunk has no members.
Fixed Versions:
13.1.1.2
711641-1 : MRF DIAMETER: Add log events to log when stale messages are removed from pending request queue
Links to More Info: BT711641
Component: Service Provider
Symptoms:
There is no way to know when a stale pending request entry is removed from the pending request queue.
Conditions:
A stale pending request entry is removed from the pending request queue.
Impact:
There is no log message indicating that this has occurred, making it impossible to track which request did not receive an answer message.
Workaround:
None.
Fix:
New log events have been added to account for these requests.
Fixed Versions:
13.1.3.4
711570-3 : PEM iRule subscriber policy name query using subscriber ID, may not return applied policies
Links to More Info: BT711570
Component: Policy Enforcement Manager
Symptoms:
PEM::subscriber config policy get <subscriber id> does not return policy names
Conditions:
PEM iRule using subscriber ID to get policy name.
Impact:
Subscriber policy names are not returned.
Workaround:
Use PEM::subscriber config policy get <IP address> instead.
Fix:
Subscriber policy names are now returned when running PEM iRules using subscriber ID to get policy names.
Fixed Versions:
12.1.3.6, 13.1.0.8
711427-2 : Edge Browser does not launch F5 VPN App
Links to More Info: BT711427
Component: Access Policy Manager
Symptoms:
On Microsoft Windows v10, use Edge Browser to establish VPN. Edge Browser does not launch F5 VPN App.
Conditions:
On Windows 10, use Edge Browser to establish VPN.
Impact:
APM end user cannot establish VPN tunnel using Edge Browser.
Workaround:
Use Mozilla Firefox or Google Chrome.
Fix:
You can now use Windows 10 to launch Edge Browser to establish VPN connections.
Fixed Versions:
13.1.1.2, 14.0.0
711405-1 : ASM GUI Fails to Display Policy List After Upgrade
Links to More Info: K14770331 , BT711405
Component: Application Security Manager
Symptoms:
After upgrade to version 13.1.0 or later, ASM GUI fails to display the Policy List.
Conditions:
The system previously ran a version from 11.5.0 through 11.5.4-HF1 that is affected by the issue of policies with duplicate REST IDs, which occurred after restoring from policy history or using Policy Diff to compare policies.
Impact:
The ASM GUI started using the REST API in version 13.1.0, so on any system affected by this issue on a previous version, the GUI now fails to display the Policy List.
Workaround:
On the device run the following script:
---------------------------------
perl -MF5::DbUtils -MF5::Utils::Rest -MF5::ASMConfig::Entity::Policy -e '$dbh = F5::DbUtils::get_dbh();
$dbh->begin_work();
$dbh->do("UPDATE PLC.PL_POLICIES a SET a.rest_uuid = \"\" WHERE a.rest_uuid IN ( SELECT rest_uuid FROM (SELECT rest_uuid FROM PLC.PL_POLICIES GROUP BY rest_uuid having count(*) > 1) b)");
F5::Utils::Rest::populate_uuids(dbh => $dbh);
$dbh->commit();'
---------------------------------
Note: In a management environment, this change must be pushed to the peer as a full sync. The easiest way to do so is to ensure that the ASM sync device group is in manual sync mode, and to push the config to the peers from the device where the script was run.
Fix:
This data inconsistency is now repaired on upgrade, and the GUI loads the policy list successfully.
Fixed Versions:
13.1.0.8, 14.0.0.5
711281-5 : nitrox_diag may run out of space on /shared
Links to More Info: BT711281
Component: Local Traffic Manager
Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.
Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.
Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.
Workaround:
The only workaround is to ensure there is enough free space for the files to be created.
In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte, though more might be needed for systems with a large amount of RAM.
Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.
Fixed Versions:
11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0.3
711249-1 : NAS-IP-Address added to RADIUS packet unexpectedly
Links to More Info: BT711249
Component: TMOS
Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.
Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.
Impact:
Authentication does not work as it has invalid/unrecognized source NAS-IP-Address.
Workaround:
Configure cluster member IP address or define hostname and address via global-settings remote-host.
Fixed Versions:
12.1.4, 13.1.0.8, 14.0.0.3
711093-1 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
Links to More Info: BT711093
Component: Policy Enforcement Manager
Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.
Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).
Impact:
PEM sessions remain in marked-for-delete state.
Workaround:
None.
Fix:
PEM sessions no longer stay in the marked-for-delete state after session deletion.
Fixed Versions:
12.1.3.6, 13.1.0.6, 14.0.0.3
711011-2 : 'API Security' security policy template changes
Links to More Info: BT711011
Component: Application Security Manager
Symptoms:
Parameter-related Learn/Alarm/Block settings in 'API Security' security policy template should be 'ON' by default.
Conditions:
Learn/Alarm/Block settings in 'API Security' security policy template.
Impact:
Settings not active.
Workaround:
None.
Fix:
Parameter-related Learn/Alarm/Block settings in 'API Security' security policy template are now 'ON' by default.
Fixed Versions:
13.1.0.6, 14.0.0
710996-2 : VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP
Links to More Info: BT710996
Component: Local Traffic Manager
Symptoms:
The behavior of outgoing IPv6 management and IPv4 management traffic from the primary blade differs:
-- IPv4 traffic is sourced from the cluster IP.
-- IPv6 traffic is sourced from the cluster member IP.
Conditions:
IPv6 configured on the 'cluster' address and 'cluster member' address.
Impact:
The blade IP address, rather than the cluster floating IP, will be used as the source IP when querying the RADIUS server for remote-auth login against the management port.
Workaround:
There is no workaround at this time.
Fixed Versions:
13.1.0.8
710976-1 : Network Map can take a long time to load.
Links to More Info: BT710976
Component: TMOS
Symptoms:
Network map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, the network map can take many tens of seconds to load. When there are fewer associated profiles/policies, loading time is shorter.
For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.
In the following example config, the virtual server has two associated profiles. The time to load the network map page increases with each additional profile/policy.
# tmsh list ltm virtual vs
ltm virtual virtual server {
creation-time 2018-03-06:18:27:53
destination 0.0.0.0:any
ip-protocol tcp
last-modified-time 2018-03-06:18:27:53
mask any
profiles {
myhttp { }
tcp { }
}
rules {
myrule
}
source 0.0.0.0/0
translate-address disabled
translate-port disabled
vlans {
socks-tunnel
}
vs-index 5
}
Conditions:
-- Navigate to Local Traffic >> Network Map in the BIG-IP Configuration utility.
-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.
Impact:
It takes tens of seconds to load the network map page.
It takes time to load modules in GUI operations.
Workaround:
None.
Fix:
The data loading performance was improved to load the page faster.
Fixed Versions:
13.1.0.8, 14.0.0.3
710947-1 : AVR does not send errdef for entity DosIpLogReporting.
Links to More Info: BT710947
Component: Application Visibility and Reporting
Symptoms:
AVR does not send errdef for entity DosIpLogReporting.
Conditions:
-- AVR is configured.
-- View the DosIpLogReporting report.
Impact:
There is no errdef for module DosIpLogReporting
Workaround:
None.
Fix:
Added errdef for module DosIpLogReporting.
Fixed Versions:
13.1.0.6, 14.0.0
710930-1 : Enabling BigDB key bigd.tmm may cause SSL monitors to fail
Links to More Info: BT710930
Component: Local Traffic Manager
Symptoms:
When bigd.tmm is enabled, SSL monitors may begin to fail.
Conditions:
-- The in-tmm monitoring feature is enabled via the bigd.tmm db variable (it is disabled by default).
-- The cipher string of the attached SSL profile uses keywords that are invalid with TMM.
Impact:
The cipher string will no longer be valid when bigd.tmm is enabled and the keywords will need to be modified or removed. SSL monitors begin to fail after modifying bigd.tmm.
Workaround:
Modify or remove incompatible keywords from the ciphers string; the in-tmm monitoring feature only allows ciphers that are allowed by SSL profiles.
Fixed Versions:
13.1.3.5, 14.1.3.1
710884-1 : Portal Access might omit some valid cookies when rewriting HTTP request.
Links to More Info: BT710884
Component: Access Policy Manager
Symptoms:
Portal Access is not sending certain cookies to the backend application.
Conditions:
-- Request path and cookie path are equal.
-- The last character of request path is not a forward slash (/).
Impact:
Backend application does not receive some cookies and may decide that APM end users are not authenticated, when they are.
Workaround:
There is no workaround at this time.
Fix:
Fixed an issue in Portal Access which could cause web-applications to lose some valid cookies.
Fixed Versions:
13.1.1.2, 14.0.0.5
710870 : Temporary browser challenge failure after installing older ASU
Links to More Info: BT710870
Component: Application Security Manager
Symptoms:
Installing an older ASM Signature Update (ASU) may cause the browser challenge to fail for the first few minutes after provisioning ASM.
Conditions:
-- Using BIG-IP version 13.1.0.5.
-- Installing an ASU from before April 2018.
Impact:
Browsers remain on whitepage after receiving a browser challenge.
Note: The problem should go away after 10-to-15 minutes of provisioning ASM, when more versions of JavaScript are generated.
Workaround:
Install the latest ASU.
Fix:
The browser challenges will succeed even after installing an older ASU.
Fixed Versions:
13.1.0.6
710857-2 : iControl requests may cause excessive resource usage
Links to More Info: K64855220
710755-1 : TMM crash when route information becomes stale and the system accesses stale information.
Links to More Info: BT710755
Component: Advanced Firewall Manager
Symptoms:
The crash happens intermittently when the route information becomes stale and the system accesses the stale information.
Conditions:
Route information is stale. This usually happens when a connection is waiting for a reply, and in the meantime the route information (applicable to both static and dynamic routes) becomes stale (e.g., due to a change of network-related configuration). If the connection already holds old route information, accessing it can cause this crash.
Impact:
This condition can lead to a crash as the route information is no longer valid, and can lead to illegal memory access. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now fetches the latest egress route/interface information before accessing it.
Fixed Versions:
12.1.4, 13.1.1.2, 14.0.0
710701-1 : "Application Layer Encryption" option is not saved in DataSafe GUI
Links to More Info: BT710701
Component: Fraud Protection Services
Symptoms:
"Application Layer Encryption" checkbox will remain enabled if un-checked via DataSafe GUI and will not be saved.
Conditions:
- Install DataSafe license
- Provision FPS
- Create URL
Impact:
Cannot enable/disable "Application Layer Encryption" via DataSafe GUI.
Workaround:
Application Layer Encryption can be enabled or disabled via TMSH command line or REST API.
Fix:
"Application Layer Encryption" option is saved if changed via DataSafe GUI.
Fixed Versions:
13.1.0.6, 14.0.0
710666-1 : VE with interface(s) marked down may report high cpu usage
Links to More Info: BT710666
Component: TMOS
Symptoms:
The "tmm" process may appear to be running at 90% or above in linux cpu reporting utilities such as "top" or "ps", even if the system is not handling a large amount of traffic.
In this case, "tmsh show sys tmm-info" continues to report tmm's cpu usage accurately.
Conditions:
- BIG-IP Virtual Edition
- One or more interfaces configured and used in the BIG-IP configuration is marked down.
Impact:
tmm consumes cpu cycles even when idle. This may impact other guests running on the same hardware if the hypervisor has oversubscribed its cpu resources.
Workaround:
Disable any interface that is currently marked down.
For example:
tmsh modify net interface 1.1 disabled
and then restart tmm:
bigstart restart tmm
Fixed Versions:
13.1.1.4
710564 : DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0
Links to More Info: BT710564
Component: Local Traffic Manager
Symptoms:
The DNS filter returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0.
Conditions:
- Virtual Server configured with 'DNS Profile' set to 'dns' or a 'dns'-derived profile.
- DNS queries with EDNS0 ECS option set.
Impact:
If the response ECS Scope Netmask has a value other than '0', LTM drops it, causing timeout and retry on client side.
Workaround:
There is no workaround at this time.
Fixed Versions:
12.1.4.1, 13.1.1.5
710424-2 : Possible SIGSEGV in GTMD when GTM persistence is enabled.
Links to More Info: BT710424
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM persistence is enabled, GTMD may occasionally crash and restart. The gtmd process reports a SIGSEGV when persistence is enabled.
As a result of this issue, you may encounter one or more of the following symptoms:
-- The gtmd process reports a SIGSEGV and produces a core file.
-- The gtmd process restarts, which prevents clients from receiving answers to requests.
Conditions:
This issue occurs when the following condition is met:
Persistence is enabled for the wide IP pools.
Impact:
The gtmd process may occasionally restart, which prevents clients from receiving answers to requests.
Workaround:
Disable persistence on wide IP pools.
Fix:
The gtmd process no longer crashes and restarts when persistence is enabled.
Fixed Versions:
11.6.5.2, 12.1.3.4, 13.1.0.6, 14.0.0
710327-1 : Remote logger message is truncated at NULL character.
Links to More Info: BT710327
Component: Application Security Manager
Symptoms:
When a request including a binary NULL character is sent to a remote logger configured for ASM, the request arrives at the remote destination truncated exactly at the binary NULL character.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM remote logger attached to a virtual server.
-- Request including binary NULL character is sent to the remote logger destination.
Impact:
Partial request is logged at the remote logger destination.
Workaround:
None.
Fix:
Binary NULL character is now escaped before being sent to the remote logger destination, so the request is no longer truncated.
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0
710315-1 : AVR-profile might cause issues when loading a configuration or when using config sync
Links to More Info: BT710315
Component: Application Visibility and Reporting
Symptoms:
Some fields in AVR-profile contain lists of items. Those lists can be set only if the relevant flag is set to 'true'. In case of a flag configuration change, the system must keep the lists as they were and not reset them, so they can be available in case the flag changes back again.
Validation settings were created such that the lists flag is set to 'true' by default, but this can cause the load/merge process to break if the list was set, and afterwards the flag was set to 'false'.
Conditions:
Setting the relevant flag to 'false' after creating a list of items.
The relevant fields in AVR-profile that have that logic are:
-- IPs-list.
-- Subnets-list.
-- Countries-list.
-- URLs-list.
Impact:
Management load and sync process may not work as expected.
Workaround:
None.
Fix:
Validation for those fields when the associated flag is set to 'false' will be skipped in a load/merge scenario.
Fixed Versions:
13.1.0.8, 14.0.0
710305-1 : When ASM and APM are configured on the same virtual server, ASM could throw some errors in its logging.
Links to More Info: BT710305
Component: Access Policy Manager
Symptoms:
When ASM and APM WebSSO are on the same virtual server, WebSSO might generate a new request. When that happens, ASM might see multiple requests with same support ID. This can cause issues with ASM and log errors.
Conditions:
When APM WebSSO is configured (only for Basic, NTLM, Kerberos).
Impact:
ASM stops processing the HTTP requests that have duplicate support IDs, causing an issue to ASM/APM end users.
Workaround:
None.
Fix:
When ASM and APM WebSSO are on same virtual server, WebSSO no longer generates a new request, so duplicate support IDs are no longer created.
Fixed Versions:
13.1.0.8
710277-1 : IKEv2 further child_sa validity checks
Links to More Info: BT710277
Component: TMOS
Symptoms:
A tmm restart can occur when a child_sa is rekeyed at expiration time, provided a race condition occurs.
Conditions:
A race condition allows a child_sa to be destroyed while it is still in use, so rekeying that child_sa can cause tmm to core.
Impact:
Restart of tmm and outage of IPsec tunnels until renegotiated.
Workaround:
None.
Fix:
The validity of a child_sa and its traffic selector are checked now before use, to prevent failure when freed objects are accidentally used.
Fixed Versions:
12.1.5, 13.1.1.4, 14.0.0.5
710262-1 : Firewall is not updated when adding new rules
Links to More Info: BT710262
Component: Advanced Firewall Manager
Symptoms:
When adding new rules into existing firewall policies, firewall may be not updated, so new rules are not used in traffic processing.
If on-demand-compilation mode is enabled, firewall may remain in quiescent state instead of compilation-pending state after adding rules.
Conditions:
-- Firewall rules are added into existing firewall policies.
-- No rules are deleted or modified.
Impact:
Firewall is not updated and new rules do not affect data traffic.
If on-demand-compilation mode is enabled, the firewall remains in the quiescent state instead of going to the compilation-pending state after adding rules.
Workaround:
Make additional changes to firewall rules in order to start a firewall update, for example:
-- Add a placeholder rule, and then delete it.
-- Modify a rule (e.g. by adding an IP address), and then revert the modification by removing that IP address.
Fix:
When adding new rules, firewall is now always updated.
If on-demand-compilation mode is enabled, firewall goes to the compilation-pending state after adding rules.
Fixed Versions:
13.1.1.5
710246-2 : DNS-Express was not sending out NOTIFY messages on VE
Links to More Info: BT710246
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express is not sending out NOTIFY messages on BIG-IP Virtual Edition (VE).
Conditions:
-- DNS Express configured to send out NOTIFY messages.
-- Running on BIG-IP VE configuration.
Impact:
DNS secondary servers serving stale data.
Workaround:
There is no workaround at this time.
Fix:
DNS Express now sends out NOTIFY messages on VE.
Fixed Versions:
12.1.3.7, 13.1.1.4, 14.0.0.3
710232-2 : platform-migrate fails when LACP trunks are in use
Links to More Info: BT710232
Component: TMOS
Symptoms:
Use of the platform-migrate option might fail due to some configurations being invalid on the new system. The error message generated appears as follows:
01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform.
Conditions:
-- You have a trunk with LACP enabled.
-- You are migrating from a hardware platform to a Virtual Edition (VE).
Impact:
Configuration fails to migrate.
Workaround:
After taking the old system offline, but before saving the UCS, disable LACP on all trunks.
Fixed Versions:
13.1.1.2, 14.0.0.3
710221-2 : Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled
Links to More Info: K67352313 , BT710221
Component: Local Traffic Manager
Symptoms:
In a high availability (HA) configuration where an FQDN template-node on the 'active' unit is set to 'Force Offline' and the configuration is synchronized to the 'standby' unit, then 'Enable' is selected on that FQDN template-node on the 'active' unit (and the configuration is again synchronized to the 'standby' unit), the ephemeral nodes associated with that FQDN template node remain Unavailable on the 'standby' unit.
Conditions:
-- HA configuration is configured with 'active' sync.
-- FQDN template-node is configured.
-- After ephemeral nodes are refreshed on the 'active' unit, that unit transitions to 'standby'.
-- The FQDN template node on the new 'active' unit is set to 'Force Offline' by the user.
-- The user explicitly selects 'Enable' for that FQDN template node on the 'active' unit.
Impact:
The ephemerals on the 'standby' unit remain unavailable, even though the associated FQDN template node is 'available'. However, as no traffic is routed to the 'standby' unit, traffic is unaffected. Upon transition from 'standby' to' active', the ephemeral nodes will be refreshed and traffic should continue.
Workaround:
You can use either of these configuration options to prevent this issue from occurring:
-- Select 'Disabled' (rather than 'Force Offline') for the FQDN template node on the 'active' unit.
-- Configure the node without using FQDN.
Fix:
Upon 'Force Offline' and then 'Enable' for an FQDN template node on an 'active' unit in a high availability (HA) configuration, the ephemerals on the 'standby' unit now reflect the re-enabled status based on the associated FQDN template-node on the 'active' unit.
Fixed Versions:
13.1.1.2, 14.0.0.3
710116-1 : VPN clients experience packet loss/disconnection
Links to More Info: BT710116
Component: Access Policy Manager
Symptoms:
VPN clients experience packet loss/disconnection.
Conditions:
In certain scenarios, the tunnel establishment procedure might leak a small amount of memory. If tmm runs for a long duration, this small leak can accumulate and result in an out-of-memory condition.
Impact:
Connections start to drop as tmm runs out of memory. TMM will eventually run out of memory and connections could be terminated. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
A rare memory leak during APM VPN establishment has been corrected.
Fixed Versions:
13.1.0.8, 14.0.0
710110-1 : AVR does not publish DNS statistics to external log when usr-offbox is enabled.
Links to More Info: BT710110
Component: Application Visibility and Reporting
Symptoms:
AVR does not send DNS statistics to external logs when analytics global setting usr-offbox is enabled, if the following security analytics settings are set to disable:
-- collected-stats-internal-logging.
-- collected-stats-external-logging.
Conditions:
-- Security analytics settings collected-stats-internal-logging is disabled.
-- Security analytics settings collected-stats-external-logging is disabled.
-- Analytics global settings usr-offbox is enabled.
Impact:
DNS statistics are not sent to the external log.
Workaround:
To work around this issue, perform the following procedure:
1. Provision ASM or AFM.
2. Run the tmsh command to set the security analytics setting collected-stats-external-logging to enabled.
3. Deprovision ASM/AFM.
Fix:
AVR now publishes DNS statistics to external logs when usr-offbox is enabled, as expected.
Fixed Versions:
13.1.0.6, 14.0.0
710032-1 : 'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system.
Links to More Info: BT710032
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system posts a 'No Access' error message instead of the virtual server's properties.
Conditions:
-- At least two BIG-IP systems in a sync group.
-- One of the BIG-IP systems has a partition that does not exist on the other with an LTM virtual server on that partition.
-- The issue occurs when a GSLB Server discovers that LTM virtual server and displays it on its virtual server page.
Note: This same error message displays for GSLB pool member properties accessed by navigating to GSLB :: pools :: [pool] :: members :: Member : Address. The differing issues have been fixed in differing releases. You can find information about the similar issue in the AskF5 Bug Tracker article for 722734.
Impact:
It makes the GSLB Server's virtual server's properties page unavailable in this case.
Workaround:
Use either of the following workarounds:
-- Use TMSH to view or edit the properties of that virtual server.
-- Create partitions on the GTM device to match those appearing to be referenced in the object names.
Fix:
Partition checking has been disabled for virtual servers on the GTM side, since a virtual server owned by a server is always in the partition of that server (/Common).
Fixed Versions:
13.1.0.8, 14.0.0.3
710028-2 : LTM SQL monitors may stop monitoring if multiple monitors querying same database
Links to More Info: BT710028
Component: Local Traffic Manager
Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.
When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:
[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'
then multiple, periodic instances of the following message, referencing the same connection string:
Abandoning hung SQL query: '<query string>' for: '<connection string>'
or:
<connection string>(<thread-number>): Hung SQL query; abandoning
Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.
And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.
Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.
Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.
To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.
Fix:
LTM SQL monitors continue monitoring when multiple monitors query the same server and database.
Fixed Versions:
11.5.9, 11.6.3.3, 12.1.4, 13.1.1.4, 14.0.0.5
709952-1 : Disallow DHCP relay traffic to traverse between route domains
Links to More Info: BT709952
Component: Local Traffic Manager
Symptoms:
DHCP traffic can traverse between route domains, e.g., when working with a route domain with a parent. Under certain circumstances, this is not desired.
Conditions:
DHCP relay in use on a route domain with a parent relationship or strict isolation disabled.
Impact:
The DHCP server side flow might get established to the parent route domain, and will persist even after the route in its own route domain becomes available again.
Workaround:
There is no workaround at this time.
Fix:
A db key has been introduced, tmm.dhcp.routedomain.strictisolate, which allows enforcement of route domain traversal if desired/configured.
Fixed Versions:
13.1.1.5
709936 : Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
Links to More Info: BT709936
Component: TMOS
Symptoms:
/var/log/boot.log has this error:
dhcp_config: save error: 01070911:3: The requested host (ntp-servers-ip) is invalid for servers in ntp (/Common/ntp).
Conditions:
- The BIG-IP system has DHCP enabled for management interface.
- Multiple NTP servers or domain-search are specified in the dhclient lease (stored at /var/lib/dhclient/dhclient.leases).
Impact:
- DNS and NTP servers are not configured in MCPD.
- Name resolution can break.
Workaround:
None.
Fix:
Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
Fixed Versions:
13.1.0.7, 14.0.0.1
709828-2 : fasthttp can crash with Large Receive Offload enabled
Links to More Info: BT709828
Component: Local Traffic Manager
Symptoms:
fasthttp and lro can lead to a tmm crash.
Conditions:
fasthttp and LRO are both enabled. (LRO is enabled by default in 13.1.0 and later.)
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use fasthttp.
Fix:
fasthttp with lro enabled no longer causes tmm to crash.
Fixed Versions:
13.1.0.8, 14.0.0.3
709670-2 : iRule triggered from RADIUS occasionally fails to create subscribers.
Links to More Info: BT709670
Component: Policy Enforcement Manager
Symptoms:
The subscriber cannot be added with the same IP address even after retries. This is a rarely occurring issue: if the daily average of subscriber additions is ~30000 subscribers, 5 to 6 subscribers face this problem (0.02%).
Conditions:
Running iRule to create PEM sessions from RADIUS packets using the 'PEM::subscriber create' command.
Impact:
Intermittently (a few operations per day), the command silently fails. No session is created, and no TCL error is produced. Subscriber addition requires manual intervention.
Workaround:
Trigger a RADIUS START using a different IP address for the subscriber.
Fixed Versions:
12.1.5, 13.1.1.2, 14.0.0.5
709610-3 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
Links to More Info: BT709610
Component: Policy Enforcement Manager
Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.
Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
value "0"
}
sys db tmm.pem.session.provisioning.continuous {
value "disable"
}
-- Actions occur in the following order:
1. PEM receives RADIUS START with subscriber ID1 and IP1.
2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
3. PEM receives RADIUS START with subscriber ID1 and IP2.
4. PEM receives RADIUS STOP with subscriber ID1 and IP2.
-- The time interval between steps 1 and 2 is very small (less than ~1ms).
Impact:
Subscriber session creation via PEM may fail.
Workaround:
There is no workaround other than to leave the SysDB variables at their default values.
Fix:
The system now handles PEM subscriber session updates properly, so this issue no longer occurs.
Fixed Versions:
12.1.3.6, 13.1.0.6, 14.0.0.3
709544-2 : VCMP guests in HA configuration become Active/Active during upgrade
Links to More Info: BT709544
Component: TMOS
Symptoms:
When devices in a Device Service Cluster (DSC) are upgraded, multiple devices might become Active simultaneously.
During upgrade, the process erroneously clears the management-ip during reboot, and then synchronizes to other members of the DSC. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the DSC members lose contact with each other, so they all become Active.
Conditions:
-- Running on VIPRION chassis systems, either natively, or as a vCMP guest.
-- Upgrading from any affected versions (TMOS v12.1.3, TMOS v13.0.0, TMOS v13.0.1, TMOS v13.1.0), to any other version.
Impact:
When multiple devices become Active simultaneously, traffic is disrupted.
Workaround:
There is no workaround other than to remain in the Active/Active state until the upgrade is complete on all chassis in the DSC. See K43990943: VIPRION systems configured for high availability may become active-active during the upgrade process :: https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.
Fix:
The erroneous management-ip change is not made, and the HA failover mechanism operates correctly across upgrade.
Fixed Versions:
12.1.4.1, 13.1.3, 14.0.0
709444-2 : "NTP not configured on device" warning seen when NTP symmetric key authentication is configured
Links to More Info: BT709444
Component: TMOS
Symptoms:
When NTP symmetric key authentication is configured, as per https://support.f5.com/csp/article/K14120, and the BIG-IP is part of a device service cluster, then a warning similar to this will be seen periodically in /var/log/ltm:
warning mcpd[6317]: 01071af0:4: NTP not configured on device 1.2.3.4 - within a trust
Conditions:
- NTP symmetric key authentication must be configured.
- The BIG-IP must be part of a device service cluster.
- Non-authenticated NTP servers must not be in use.
Impact:
Incorrect NTP warnings are seen periodically in /var/log/ltm.
Workaround:
There is no workaround at this time.
Fix:
Prevented this warning from being emitted when NTP symmetric key authentication is in-use in a device service cluster.
Fixed Versions:
13.1.1.2
709383-2 : DIAMETER::persist reset non-functional
Links to More Info: BT709383
Component: Service Provider
Symptoms:
When the iRule DIAMETER::persist reset is called, it is meant to remove existing persistence records from diadb. Without this bug fix, calling DIAMETER::persist reset has no effect and the persistence record remains.
Conditions:
Diameter session profile has persistence enabled and an iRule attempts to remove a persistence record.
Impact:
You are unable to remove diameter persistence entries.
Workaround:
None.
Fix:
DIAMETER::persist reset now functions properly. You can delete diameter persistence records with this iRule.
Fixed Versions:
13.1.1.2
709334-1 : Memory leak when SSL Forward proxy is used and ssl re-negotiates
Links to More Info: BT709334
Component: Local Traffic Manager
Symptoms:
In the output of 'tmsh show sys memory', the ssl_compat allocation continues to grow and memory is never released.
Conditions:
- SSL Forward Proxy in use.
- SSL renegotiations occurring.
Impact:
Eventually the memory reaper activates.
Workaround:
There is no workaround at this time.
Fix:
ssl_compat now properly releases connections on re-negotiation.
Fixed Versions:
12.1.3.6, 13.1.0.6, 14.0.0
709319-2 : Post-login client-side alerts are missing username in bigIQ
Links to More Info: BT709319
Component: Fraud Protection Services
Symptoms:
A client-side alert that contains an FPS-Username header with a value but an empty fpm_username parameter is reported with an "Unknown" username in BIG-IQ.
Conditions:
1. Post-login client-side alerts (the alert is sent after the username parameter has been submitted).
2. The alert pool points to the BIG-IQ IP address (not the Alert Server).
Impact:
Post-login client-side alerts are missing the username (shown as "Unknown" in BIG-IQ; this works correctly with the Alert Server).
Workaround:
Route all client-side alerts to another virtual server and strip the empty fpm_username parameter from the payload/query string.
Fix:
FPS now always sends the username in the fpm_username parameter when that parameter would otherwise be empty and FPS has a username value.
Fixed Versions:
13.1.0.6, 14.0.0
709274-1 : RADIUS Accounting requests egress on different Self IP addresses than they did pre-v13.1.0
Links to More Info: BT709274
Component: Access Policy Manager
Symptoms:
RADIUS Accounting requests egress different self IP addresses.
* START accounting message egresses floating self IP addresses.
* STOP accounting message egresses local self IP addresses.
Some RADIUS messages will come from floating IP addresses, some from self IP addresses. The RADIUS server should be configured to accept all self- and floating-IP addresses of all the devices in the high availability (HA) group, to ensure all messages are received.
Conditions:
RADIUS server configured with pool option.
Impact:
Causes RADIUS server to be unable to reconcile accounting messages.
Workaround:
You can reconcile accounting messages by tracking them through the Acct-Session-Id RADIUS AVP, which is the same for the corresponding START and STOP messages and uniquely identifies the session.
Fix:
RADIUS START and STOP messages now egress the same interface.
Fixed Versions:
13.1.0.8, 14.0.0
709192-1 : GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart
Links to More Info: BT709192
Component: TMOS
Symptoms:
The export of SSL keys and certificates into a .tgz archive file fails immediately after the httpd daemon is restarted.
Conditions:
-- Export SSL Keys and certificates into archive file.
-- httpd is restarted.
Impact:
Export of SSL Keys and certificates into archive file does not work immediately after httpd restart via GUI/iControl.
Workaround:
After an httpd restart, perform another operation, such as creating a key/cert, before exporting the archive file.
Fix:
The system now allows SSL keys and certificates to be exported into a .tgz archive after an httpd restart.
Fixed Versions:
13.1.1.2, 14.0.0.3
709133-2 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur
Links to More Info: BT709133
Component: Local Traffic Manager
Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error can occur.
Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- An error occurs when reading the certificate serial number.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not setting the tmm.ssl.loggingcreatedcerts BigDB variable.
Fix:
Double-free removed.
Fixed Versions:
13.1.0.8, 14.0.0.3
709132-1 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur
Links to More Info: BT709132
Component: Local Traffic Manager
Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a buffer overflow can occur.
Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- A malformed certificate with a serial number length equal to 256 bytes is parsed during forging.
Impact:
An off-by-one error writes one byte past the end of an array.
Workaround:
There is no workaround other than not setting the tmm.ssl.loggingcreatedcerts BigDB variable.
Fix:
Buffer no longer overflows.
Fixed Versions:
13.1.0.8, 14.0.0.3
708968-2 : OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
Links to More Info: BT708968
Component: TMOS
Symptoms:
Route entries for IPv4-mapped IPv6 addresses (::ffff:<IPv4>) are not created in TMM when they are passed from dynamic routing protocols such as OSPFv3.
Conditions:
- The route entry is for an IPv4-mapped IPv6 address, that is, ::ffff:<IPv4>.
Impact:
- The route entry is not created in TMM; packets addressed to such a destination might not be delivered at all, or might not be delivered using the most efficient route.
- The connection between TMM and tmrouted is restarted, which is a small performance overhead.
Workaround:
- If possible, pass an IPv4 address or an IPv4-compatible IPv6 address instead of an IPv4-mapped IPv6 address; however, this depends on the other routers.
Fixed Versions:
13.1.3, 14.0.1.1
708956-1 : During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
Links to More Info: K51206433 , BT708956
Component: TMOS
Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
Dataplane INOPERABLE - only 1 HSBes found on this platform.
Conditions:
This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.
Impact:
System does not come up.
Workaround:
Reboot system.
Because this condition only happens occasionally, rebooting typically corrects the issue.
Fix:
This release fixes a race condition that might have occurred while reading FPGA firmware loading status.
Fixed Versions:
12.1.3.5, 13.1.0.8, 14.0.1.1
708888-1 : Some DNS truncated responses may not be processed by BIG-IP
Links to More Info: K79814103 , BT708888
Component: Advanced Firewall Manager
Symptoms:
On 13.1.x, DNS responses with the truncated (TC) bit set are dropped when AFM DNS DoS is enabled.
Conditions:
-- AFM DNS DoS is enabled.
-- Using 13.1.x.
Impact:
Clients do not receive truncated DNS responses.
Workaround:
Disable DNS DoS protection by changing the dos.dnsport variable to another port for which there is no valid traffic. For instance:
tmsh modify sys db dos.dnsport value 54
Fixed Versions:
13.1.0.6, 14.0.0
708840 : 13.0.0-to-13.1.0 upgrade operation on VIPRION 2250 blades might fail if global whitelist is configured
Links to More Info: BT708840
Component: Advanced Firewall Manager
Symptoms:
Upgrading from 13.0.0 to 13.1.0 on VIPRION 2250 blades might fail if global whitelist is configured. After the upgrade, the system will stay offline.
Conditions:
-- Global whitelist configured.
-- Running on VIPRION 2250 blades.
Impact:
System fails to run normally.
Workaround:
Remove global whitelist before upgrading to 13.1.0, add it back after upgrading.
Fix:
This issue no longer occurs in fixed versions, so you can upgrade from 13.0.0 to a post-13.1.0 version of the software without encountering this issue.
Fixed Versions:
13.1.0.5, 14.0.0
708830-2 : Inbound or hairpin connections may get stuck consuming memory.
Links to More Info: BT708830
Component: Carrier-Grade NAT
Symptoms:
When inbound or hairpin connections require a remote Session DB lookup, and the lookup request or response messages get lost, the connections can get stuck in an embryonic state. They remain stuck in this state until they time out and expire. In this state, UDP connections queue inbound packets. If the client application continues to send packets, the connection may never expire. The queued packets accumulate, consuming memory. If the memory consumption becomes excessive, connections may be killed and 'TCP: Memory pressure activated' and 'Aggressive mode activated' messages appear in the logs.
Conditions:
-- An LSN pool with inbound and/or hairpin connections enabled.
-- Lost Session DB messages due to heavy load or hardware failure.
-- Remote lookups are more likely when using PBA mode or NAPT mode with default DAG.
Impact:
Excessive memory consumption that leads to dropped connections.
Workaround:
There is no workaround at this time.
Fix:
When Session DB messages are lost, the connection is killed and any queued packets are discarded. If the client application resends packets, they are treated as new connections.
Fixed Versions:
12.1.4.1, 13.1.1.2, 14.0.0
708484-2 : Network Map might take a long time to load
Links to More Info: BT708484
Component: TMOS
Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are many, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.
In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.
# tmsh list ltm virtual vs
ltm virtual vs {
    creation-time 2018-03-06:18:27:53
    destination 0.0.0.0:any
    ip-protocol tcp
    last-modified-time 2018-03-06:18:27:53
    mask any
    profiles {
        myhttp { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        socks-tunnel
    }
    vs-index 5
}
Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.
-- The configuration contains a large number of profiles/policies associated with the virtual server.
Impact:
It takes tens of seconds to load the Network Map page.
Workaround:
None.
Fixed Versions:
13.1.0.8, 14.0.0.3
708421-2 : DNS::question 'set' options are applied to packet, but not to already parsed dns_msg
Links to More Info: K52142743 , BT708421
Component: Global Traffic Manager (DNS)
Symptoms:
When an iRule uses the DNS::question command to set the query type (for example, to AAAA) and the DNS transparent cache is part of the filter chain, the type change can be reverted.
Conditions:
-- DNS transparent cache.
-- Using an iRule similar to the following:
when DNS_REQUEST {
    DNS::question type AAAA
}
Impact:
When the packet goes to the pool, the type is reverted.
Workaround:
Enable gslb or dnsx on the profile.
Fixed Versions:
12.1.5.2, 13.1.3.5
708389 : BADOS monitoring with Grafana requires admin privilege
Links to More Info: BT708389
Component: Anomaly Detection Services
Symptoms:
Current Grafana monitoring requires admin privilege.
Grafana stores its internal database in unencrypted format, so the admin password can be extracted from a compromised computer.
Conditions:
Monitoring using Grafana.
Impact:
Guest user cannot access data needed for Grafana.
Workaround:
None.
Fix:
There is now a REST call to poll the Grafana statistics. This allows any user (including guest), not just admin or root, to access the data needed for Grafana.
Behavior Change:
This release introduces the following tmsh commands:
-- tmsh run util admdb - for help
+ list-element path_folder - lists folder
+ view-element path_file - view file contents
+ list-metrics path vs
+ table-query base_path db sRate tsfiles ts metric_columns_aliases
The path must be under /shared/admdb, for example:
-- run util admdb list-element /shared/admdb/default/_a_l_l
-- run util admdb view-element /shared/admdb/default/_a_l_l/info.sysinfo/1000/1522229248000.txt
-- run util admdb table-query /shared/admdb default 1000 '[1522233344000]' '[1522234774492,1522235074492]' '[["info.attack",["v0"],"Attack"],["sig.health",["v0"],"Health"],["info.learning",["v0"],"Learning"],["info.learning",["v2"],"Learned samples"]]'
Fixed Versions:
13.1.0.6, 14.0.0.5
708305-2 : Discover task may get stuck in CHECK_IS_ACTIVE step
Links to More Info: BT708305
Component: Device Management
Symptoms:
The discover task runs periodically after the user creates it, but it may get stuck in one of the intermediate steps and stop running periodically.
Conditions:
An HA failover group is set up and a discover task is created on one of the devices.
Impact:
The discover task periodically pulls the OpenID information and updates the OAuth JWT and JWK configurations in MCP. If the task gets stuck, the JWT and JWK configuration is not synced to the latest version, which may cause the access policy to fail.
Workaround:
If the task is stuck in any step that is not SLEEP_AND_RUN_AGAIN for more than one minute, manually cancel and delete the task and create the same task again.
Fix:
Discover task no longer gets stuck in CHECK_IS_ACTIVE step.
Fixed Versions:
13.1.0.6, 14.0.0
708249-2 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit
Links to More Info: BT708249
Component: Local Traffic Manager
Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.
Conditions:
Run the nitrox_diag command.
Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.
Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0
Fix:
The nitrox_diag utility now uses the -s0 flag to generate QKView files, so there is no longer a 5 MB maximum file size limit, and the full QKView file is created.
Fixed Versions:
11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0.3
708189 : OAuth Discovery Auto Pilot is implemented
Links to More Info: BT708189
Component: Access Policy Manager
Symptoms:
A new capability allows the user to select an interval at which OAuth auto discovery automatically pulls down JWT keys.
Conditions:
Use the newly added UI and configure the frequency to start automatic discovery.
Impact:
No impact; this is a usability improvement over manual discovery.
Workaround:
There is no workaround.
Fix:
New auto pilot capability is added for usability.
Fixed Versions:
13.1.0.5
708114-1 : TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
Links to More Info: K33319853 , BT708114
Component: Local Traffic Manager
Symptoms:
TMM crashes when receiving the HUDEVT_SSL_OCSP_RESUME_CLNT_HS after the SSL connection is closed.
Conditions:
-- The SSL connection has been closed.
-- SSL receives the HUDEVT_SSL_OCSP_RESUME_CLNT_HS message.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now ensures that SSL can still properly process the messages, even when the SSL connection is closed.
Fixed Versions:
11.6.3.2, 12.1.3.6, 13.1.0.6, 14.0.0
708068-2 : Tcl commands like "HTTP::path -normalize" do not return normalized path.
Links to More Info: BT708068
Component: Local Traffic Manager
Symptoms:
When using HTTP::path with the -normalize parameter:
"%2E%2E" is converted to ".." (expected)
"/foo/../bar" is converted to "/bar" (expected)
"/foo/%2E%2E/bar" is converted to "/foo/../bar" (unexpected)
Conditions:
Using the Tcl command HTTP::path -normalize on a path that contains percent-encoded dot segments (for example, /foo/%2E%2E/bar).
Impact:
Unexpected result.
Workaround:
There is no workaround.
Fix:
The Tcl command HTTP::path -normalize now returns the normalized path.
Fixed Versions:
12.1.4, 13.1.1.4, 14.0.0.5
708054-1 : Web Acceleration: TMM may crash on very large HTML files with conditional comments
Links to More Info: BT708054
Component: TMOS
Symptoms:
In some cases the Web Acceleration feature does not correctly handle large HTML files that contain improper conditional comments. TMM may crash while processing such a file if a Web Acceleration profile is attached to the virtual server.
Conditions:
- An HTML file with conditional comments inside:
<!--[if condition...]> ... <![endif]-->
- The size of the "condition" in the pattern above is comparable to the RAM size of the BIG-IP system, i.e. ~8-10 GB.
Impact:
TMM crash interrupts all active sessions.
Workaround:
There is no workaround at this time.
Fix:
Now Web Acceleration feature can handle long HTML conditional comments correctly.
Fixed Versions:
12.1.3.4, 13.1.0.6, 14.0.0
708005-1 : Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources
Links to More Info: K12423316 , BT708005
Component: Access Policy Manager
Symptoms:
When using VMware View HTML5 client, end users are able to authenticate and see available View resources on the APM webtop. However, any attempt to launch the resource (desktop or application) in HTML5 mode momentarily appears to function, but then redirects to the initial APM login page.
Conditions:
This occurs when the following conditions are met:
-- BIG-IP APM is protecting VMware Horizon View 7.4 resources.
-- End user tries to launch a View resource from the APM webtop using the Horizon View HTML5 client.
Impact:
End user cannot launch VMware View resources with View HTML5 client.
Workaround:
You can use the following workarounds:
-- If you are already running Horizon 7.4, use native View clients instead.
-- If you have not upgraded to Horizon 7.4, stay on an older Horizon release until this issue is resolved.
-- If you are running BIG-IP APM release 13.1.0, you can add the following iRule to the virtual server that handles HTML5 client connections:
when HTTP_REQUEST {
    if { ([info exists tmm_apm_view_uuid]) &&
         ([HTTP::method] == "GET") &&
         ([HTTP::uri] ends_with "/portal/webclient/sessiondata")} {
        HTTP::cookie remove "sessionDataServiceId"
    }
}
when HTTP_RESPONSE {
    if { ([info exists tmm_apm_view_uuid]) } {
        set cookieNames [HTTP::cookie names]
        foreach aCookie $cookieNames {
            set path [HTTP::cookie path $aCookie]
            if {[string length $path] > 0} {
                HTTP::cookie path $aCookie "/f5vdifwd/vmview/$tmm_apm_view_uuid$path"
            }
        }
    }
}
Important:
-- After applying the iRule and before attempting a connection, be sure to clear all cache and cookies from the client systems. Otherwise, the test operation may need to be executed more than once before it succeeds.
-- The iRule workaround is for BIG-IP APM release 13.1.0. It is not supported for older BIG-IP releases.
Fix:
Horizon View version 7.4 in HTML5 mode now functions correctly with APM.
Fixed Versions:
13.1.0.6, 14.0.0
707961-2 : Unable to add policy to virtual server; error = Failed to compile the combined policies
Links to More Info: K50013510 , BT707961
Component: Local Traffic Manager
Symptoms:
LTM policy does not compile if it has more than one similar condition, and some of them refer to datagroup and others to non-datagroup types. The policy compiles if similar conditions all refer to datagroups or to non-datagroups.
010716d8:3: Compilation of ltm policies for virtual server /Common/vs_name failed; Failed to compile the combined policies.
Conditions:
-- LTM policy that has more than one similar condition.
-- Some conditions refer to datagroup types.
-- Some conditions refer to non-datagroup types.
Following is an example of such an LTM policy (i.e., referring to both datagroup and non-datagroup types):
ltm policy /Common/example_ltm_policy {
    published-copy /Common/block_URI
    requires { http }
    rules {
        example_Rule {
            conditions {
                0 {
                    http-host
                    host
                    datagroup /Common/example_datagroup    <------ Datagroup
                }
                1 {
                    http-host
                    host
                    values { example.com }    <------ Non-Datagroup
                }
            }
        }
    }
    strategy /Common/first-match
}
Impact:
LTM policy does not compile. Cannot use the policy.
Workaround:
Create a datagroup for the non-datagroup type and use it in policy instead.
Fix:
LTM Policy compiles if it has more than one similar condition, and some of them refer to datagroup and others to non-datagroup types.
Fixed Versions:
13.1.0.8, 14.0.0.3
707951-2 : Stalled mirrored flows on HA next-active when OneConnect is used.
Links to More Info: BT707951
Component: Local Traffic Manager
Symptoms:
-- 'tmctl -d blade tmm/umem_usage_stat | grep xdata' may show increased memory usage.
-- 'tmsh show sys connect' shows idle flows.
Conditions:
- OneConnect profile is configured.
- High availability (HA) mirroring is enabled.
Impact:
- Some flows are mirrored incorrectly.
- Stalled flows may occupy a lot of memory.
Workaround:
Disable OneConnect.
Fix:
Stalled mirrored flows no longer appear when OneConnect is used.
Fixed Versions:
12.1.3.6, 13.1.1.2, 14.0.0.3
707740-4 : Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination
Links to More Info: BT707740
Component: TMOS
Symptoms:
When attempting to delete a GTM monitor, the system indicates that it is in use, even after removing that monitor from all GTM virtual servers. The system posts a message similar to the following:
01070083:3: Monitor /Common/mon-A is in use.
Conditions:
1. Attach a GTM monitor to multiple GTM virtual servers in the same transaction, where both of the virtual servers are monitoring the same ip:port.
2. Remove the monitor from all virtual servers.
3. Attempt to delete the monitor from the configuration.
Impact:
Cannot delete the unused monitor.
Workaround:
After removing the monitor from all virtual servers, reload the GTM configuration using the following command:
tmsh load sys config gtm-only
You can now delete the monitor.
Fix:
You can now delete an unused GTM monitor, if that monitor was attached to multiple GTM virtual servers of the same ip+port combination.
Fixed Versions:
11.5.9, 11.6.4, 12.1.4.1, 13.1.1.2, 14.0.0.5
707691-4 : BIG-IP handles some pathmtu messages incorrectly
Links to More Info: BT707691
Component: Local Traffic Manager
Symptoms:
FastL4 virtual servers incorrectly handle some pathmtu messages, such as ICMPv4 unreachable/fragmentation needed and ICMPv6 packet too big.
Conditions:
This occurs when the following conditions are true:
-- The client sends a window scaling factor greater than 0 (zero).
-- The server sends a window scaling factor equal to 0 (zero).
-- The pmtu message is within the window but does not carry the exact expected sequence number; the delta is larger than the advertised window scaled by a factor of 0 (zero).
Impact:
pmtu message is erroneously ignored.
Workaround:
There is no workaround at this time.
Fix:
This issue no longer occurs.
Fixed Versions:
13.1.1.4, 14.0.0.5
707676-1 : Memory leak in Machine Certificate Check agent of the apmd process
Links to More Info: BT707676
Component: Access Policy Manager
Symptoms:
The apmd process leaks a small amount of memory in the Machine Certificate Check agent.
Conditions:
- A Machine Certificate Check agent is configured in an Access Policy.
- The inspected machine certificate is revoked according to the CRL.
Impact:
The apmd process may grow in size. This may lead to high memory utilization and instability in BIG-IP.
Workaround:
There is no workaround.
Fix:
A memory leak in the APM Machine Certificate check agent has been corrected.
Fixed Versions:
13.1.0.4, 14.0.0
707631-2 : The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI
Links to More Info: BT707631
Component: TMOS
Symptoms:
The 'SYN Challenge Handling' setting of a TCP profile can be reverted to defaults when a TCP profile is updated using the BIG-IP management GUI.
Conditions:
The SYN Challenge Handling settings of a TCP profile have previously been set to non-default values, and a configuration change is later made to the same TCP profile using the GUI.
Impact:
Loss of the TCP profile SYN Challenge configuration settings.
Workaround:
In the GUI, specifically set the SYN Challenge Handling fields after making an update to other TCP profile fields, or use tmsh to make the changes instead.
SYN Challenge Handling GUI settings and their tmsh equivalents:
GUI Setting: Nominal
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist disabled
GUI Setting: Challenge and Remember
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist enabled
GUI Setting: Disable Challenges
TMSH:
    syn-cookie-enable disabled
    syn-cookie-whitelist disabled
Fix:
The SYN Challenge Handling setting is no longer overwritten when a TCP profile is updated.
Fixed Versions:
13.1.1.2
707585-1 : Use native driver for 82599 NICs instead of UNIC
Links to More Info: BT707585
Component: TMOS
Symptoms:
-- Lower performance in TPS.
-- Increased CPU consumption for throughput.
Conditions:
-- Running BIG-IP Virtual Edition (VE) (UNIC is the default Virtual Function Network Driver for VE).
-- High data rates, perhaps particularly when connection mirroring is configured.
Impact:
Lower TPS performance numbers and higher CPU usage in throughput tests.
Workaround:
With UNIC, extra CPUs must be allocated to handle SoftIRQs in order to achieve higher performance.
Fix:
This release provides a native driver based on F5's physical platforms.
Fixed Versions:
13.1.0.7, 14.0.0.1
707509-1 : Initial vCMP guest creations can fail if certain hotfixes are used
Links to More Info: BT707509
Component: TMOS
Symptoms:
The vCMP guest fails to enter the 'provisioned' or 'deployed' state, and messages similar to the following are seen in /var/log/ltm:
-- vcmpd[14254]: 01510003:2: Guest (guest_name): Install failed.
-- vcmpd[14254]: 01510004:3: Guest (guest_name): Install to VDisk /shared/vmdisks/guest_name.img FAILED: Child exited with non-zero exit code: 255
Conditions:
Creating a vCMP guest using certain hotfix images, such as BIG-IP HF software released as partial .iso software images, and engineering hotfixes.
Impact:
vCMP guest cannot be created.
Workaround:
1. Create and deploy the vCMP guest using the full .iso base software image.
2. Log in to the vCMP guest once it has finished starting up.
3. Apply the hotfix image or engineering hotfix.
Fix:
Guest creation succeeds.
Fixed Versions:
12.1.5, 13.1.1.2
707447-1 : Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.
Links to More Info: BT707447
Component: Local Traffic Manager
Symptoms:
SSL SNI mechanism creates a hash containing a mapping between SAN entries in a given profile's certificate and the profile. This hash is owned by the default SNI profile, however is held by the other profiles on the VIP without a reference. If a connection utilizes SNI to use a non-default SNI profile *and* the default SNI profile reinitializes its state for any reason, the prf->sni_certsn_hash can be cleared and freed, leaving the existing connection(s) with profiles that refer to the freed hash. If then the connection attempts a renegotiation that causes the hash to be used, the freed hash can cause a fault should it have been reused in the meantime (i.e. the contents are invalid).
Conditions:
SNI is configured with one default SNI profile and one or more additional SNI profiles. The default SNI profile is changed, and a renegotiation with SNI (selecting a non-default SNI profile) is issued.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
There is no workaround at this time.
Fix:
When the default SNI profile is initializing, and SSL handshake is searching SAN/COMMON cert from non-default SNI profile, stop the search and return NULL.
Fixed Versions:
12.1.3.6, 13.1.0.6, 14.0.0
707445-3 : Nitrox 3 compression hangs/unable to recover
Links to More Info: K47025244
Component: TMOS
Symptoms:
LTM logs show the following message:
Nitrox 3, Hang Detected: compression device was reset
When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.
Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.
Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.
Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.
Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.
There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:
A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).
Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.
Fix:
Compression device reset recovery made more robust for some compression failures.
Fixed Versions:
11.5.9, 11.6.3.3, 12.1.3.6, 13.1.0.8
707391-2 : BGP may keep announcing routes after disabling route health injection
Links to More Info: BT707391
Component: TMOS
Symptoms:
Because of a known issue, a BIG-IP system with BGP configured may continue to announce routes even after the virtual address is disabled or route advertisement on the virtual address is disabled.
Conditions:
BGP configured with multiple routes announced via Virtual-address route announcements.
Configuration changes made on the BGP configuration itself.
Virtual address or its route health announcement disabled.
Impact:
Prefixes continue to exist in the BGP table even after disabling the virtual address (visible via imish with the "show ip bgp" command); which will continue to announce the prefix to configured peers.
Workaround:
Restart the dynamic routing process.
Fix:
BGP no longer keeps announcing routes after route health injection is disabled.
Fixed Versions:
12.1.4, 13.1.1.2, 14.0.0.3
707320-2 : Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs
Links to More Info: BT707320
Component: TMOS
Symptoms:
A pre-12.0.0 WideIP with ipv6-no-error-response enabled and an IPv4 last-resort-pool only spawns an A-type WideIP after the upgrade.
Conditions:
Pre-12.0.0 WideIP with an IPv4 last-resort-pool and ipv6-no-error-response enabled.
Impact:
Loss of the AAAA-type WideIP configuration item
Workaround:
There is no workaround at this time.
Fix:
Fixed an issue where upgrading a pre-12.0.0 WideIP with a last-resort-pool containing only IPv4 pool members and ipv6-no-error-response enabled created only an A-type WideIP after the upgrade. Now the AAAA-type WideIP is also created, with no-error-response enabled.
Fixed Versions:
13.1.3.5, 14.0.0
707310-2 : DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)
Links to More Info: BT707310
Component: Global Traffic Manager (DNS)
Symptoms:
It is possible that when performing a sufficiently large DNSSEC signed zone transfer (e.g., ~1 KB records) that the final packet (or several packets) of NSEC3s and RRSIGs could be missing from the zone. This issue can be detected using a free third-party tool such as ldns-verify-zone or some other DNSSEC validating tool.
Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc.), or from DNS Express.
Impact:
The DNSSEC signed zone transfer could be incomplete, that is missing some NSEC3s and RRSIGs. An incomplete DNSSEC zone is considered an invalid zone.
Workaround:
There is no workaround at this time.
Fix:
DNSSEC signed zone transfers from general authoritative DNS Servers as well as from DNS Express are now complete regardless of the number of records in the zone.
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0
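As an added example (not part of the release note, and not F5 or ldns code), the following Python script performs the kind of check that ldns-verify-zone would do on the zone received by a transfer for 707310: it parses the presentation-format output of an AXFR (one record per line, as dig prints it) and reports RRsets that lack a covering RRSIG and NSEC3 chains that do not close. The sample zones are constructed, with placeholder NSEC3 hashes and signature data; signatures are not cryptographically verified, only their presence is checked.

```python
"""Completeness check for a DNSSEC-signed zone in presentation format (one
record per line, as 'dig AXFR' prints it). A truncated transfer breaks two
things: some RRset loses its RRSIG, and the NSEC3 chain no longer closes.
Added example, not BIG-IP or ldns code; the sample zones are constructed and
use placeholder NSEC3 hashes and signature data."""

def parse_zone(text):
    """Return [(owner, rtype, rdata_fields)] for 'owner TTL class type rdata' lines.
    Comments and blank lines are skipped; parenthesised multi-line records are
    not handled (dig AXFR output does not use them)."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed record: {line!r}")
        records.append((fields[0].lower(), fields[3].upper(), fields[4:]))
    return records

def unsigned_rrsets(records):
    """(owner, type) pairs with no RRSIG whose type-covered field matches."""
    rrsets = {(o, t) for o, t, _ in records if t != "RRSIG"}
    covered = {(o, r[0].upper()) for o, t, r in records if t == "RRSIG"}
    return sorted(rrsets - covered)

def nsec3_chain_problems(records):
    """Dangling next-hash pointers, or a chain that is not one closed cycle
    over every NSEC3 owner (a missing final packet produces both)."""
    nxt_of = {}
    for owner, rtype, rdata in records:
        if rtype == "NSEC3":
            # rdata: hash-alg flags iterations salt next-hashed-owner [types...]
            nxt_of[owner.split(".", 1)[0].upper()] = rdata[4].upper()
    problems = [f"{h} points to missing NSEC3 {n}"
                for h, n in nxt_of.items() if n not in nxt_of]
    if nxt_of and not problems:
        start = next(iter(nxt_of))
        seen, cur = set(), start
        while cur not in seen:
            seen.add(cur)
            cur = nxt_of[cur]
        if cur != start or len(seen) != len(nxt_of):
            problems.append("NSEC3 chain is not a single closed cycle")
    return problems

def zone_is_complete(text):
    recs = parse_zone(text)
    return not unsigned_rrsets(recs) and not nsec3_chain_problems(recs)

# Constructed sample: a tiny NSEC3-signed zone. Hash labels (AAAA1, BBBB2)
# and signature fields are placeholders, not real base32hex/base64 values.
SIG = "8 3 3600 20260101000000 20251201000000 12345 example.com. c2ln"
COMPLETE_ZONE = f"""\
example.com.        3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.        3600 IN RRSIG SOA {SIG}
example.com.        3600 IN NS    ns1.example.com.
example.com.        3600 IN RRSIG NS {SIG}
www.example.com.    3600 IN A     192.0.2.1
www.example.com.    3600 IN RRSIG A {SIG}
AAAA1.example.com.  3600 IN NSEC3 1 0 10 AABBCCDD BBBB2 NS SOA RRSIG
AAAA1.example.com.  3600 IN RRSIG NSEC3 {SIG}
BBBB2.example.com.  3600 IN NSEC3 1 0 10 AABBCCDD AAAA1 A RRSIG
BBBB2.example.com.  3600 IN RRSIG NSEC3 {SIG}
"""
# The same zone with its final packet's worth of records missing.
TRUNCATED_ZONE = "\n".join(COMPLETE_ZONE.splitlines()[:-3]) + "\n"
```

Run it against `dig @<server> <zone> AXFR` output saved to a file; a non-empty result from either check means the transferred zone is invalid and should not be served.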
707267 : REST Framework HTTP header limit size increased to 8 KB
Links to More Info: BT707267
Component: TMOS
Symptoms:
HTTP Header size limit causing 'Error getting auth token from login provider' GUI messages.
Conditions:
A client uses an HTTP Header larger than 4 KB to make a request to the REST framework.
Impact:
Users cannot login or access certain pages in the GUI.
Workaround:
Clear browser cookies, or otherwise reduce the size of the HTTP headers, so that the HTTP headers of the request total less than 4 KB.
Fix:
The HTTP header size limit for the REST Framework has been increased to 8 KB to match the limit set by Apache.
Fixed Versions:
13.1.1.2, 14.0.0.3
707246-1 : TMM would crash if SSL Client profile could not load cert-key-chain successfully
Links to More Info: BT707246
Component: Local Traffic Manager
Symptoms:
TMM would crash if SSL Client profile could not load cert-key-chain successfully, and SSL is working in the fwd-proxy-mode.
Conditions:
1. SSL is working in the fwd-proxy-mode.
2. SSL cannot load the cert-key-chain in the clientssl profile. Possible reasons include:
2.1. The password required by the cert-key-chain is not configured.
2.2. The configured cert-key-chain type is not supported.
2.3. The cert-key-chain name is incorrect.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure the cert-key-chain in the clientssl profile correctly.
Fix:
If the cert-key-chain in the clientssl profile fails to load and SSL is working in fwd-proxy mode, the corresponding clientssl profile is marked invalid, and incoming SSL handshakes destined to that profile are not accepted.
Fixed Versions:
13.1.0.6, 14.0.0
707244-3 : iRule command clientside and serverside may crash tmm
Links to More Info: BT707244
Component: Local Traffic Manager
Symptoms:
Using clientside and serverside command in iRules may crash tmm.
Conditions:
Using HTTP commands such as HTTP::password inside a clientside or serverside command in an iRule.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this point.
Fix:
The clientside and serverside commands now work with the affected HTTP commands.
Fixed Versions:
13.1.0.8, 14.0.0
707226 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
Links to More Info: BT707226
Component: TMOS
Symptoms:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.
Impact:
Meltdown/PTI mitigations may negatively impact performance.
Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.
To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:
tmsh modify sys db kernel.pti value disable
Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; however, to exploit this vulnerability an attacker must already be able to run arbitrary code on the system. Good access controls and keeping the system up to date with security fixes mitigate this risk on non-vCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.
Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.
Fixed Versions:
11.5.6, 11.6.3.1, 12.1.3.3, 13.0.1, 13.1.0.4, 14.0.0
707207-1 : iRuleLx returning undefined value may cause TMM restart
Links to More Info: BT707207
Component: Local Traffic Manager
Symptoms:
When an iRulesLX rule returns an undefined value, TMM may restart. An example of an undefined value is one where its jsonrpc v2.0 representation is missing required fields, such as "result".
Conditions:
iRulesLX is licensed, and a rule is run that returns an undefined value.
Impact:
Traffic is interrupted.
Workaround:
There is no workaround at this time.
Fix:
A TMM restart resulting from an iRulesLX rule returning an undefined value was fixed.
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0.5
707147-1 : High CPU consumed by asm_config_server_rpc_handler_async.pl
Links to More Info: BT707147
Component: Application Security Manager
Symptoms:
During a period of heavy learning from Policy Builder, typically due to Collapse Common elements, the backlog of events can cause a process to consume high CPU.
Conditions:
1) Automatic Policy Builder is enabled
2) An element is configured to "Always" learn new entities, and collapse common elements
3) An extended period of heavy learning due to traffic is encountered
Impact:
A process may consume high CPU even after the high traffic period is finished.
Workaround:
Kill asm_config_server.pl (This will not affect traffic)
Optionally modify one of the following
A) Learn "Always" to another mode
B) Turn off Collapse common URLs
C) Change from Automatic Learning to Manual
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0
707109-1 : Memory leak when using C3D
Links to More Info: BT707109
Component: Local Traffic Manager
Symptoms:
When using the Client Certificate Constrained Delegation Support (C3D) feature, memory can leak.
Conditions:
Traffic passes through a virtual server with C3D enabled.
Impact:
Memory is leaked.
Workaround:
There is no workaround.
Fix:
When using C3D memory no longer leaks.
Fixed Versions:
13.1.0.8, 14.0.0
707100 : Potentially fail to create user in AzureStack
Links to More Info: BT707100
Component: TMOS
Symptoms:
Using Microsoft Azure Stack on the BIG-IP Virtual Edition (VE) configured with password authentication, the system sometimes fails to create the provided user, which means that the VE admin cannot ssh in after deployment. Note that an unexpected reboot causes this to occur during provisioning, and that Microsoft might have already fixed this issue.
Conditions:
Azure Stack VE provisioned with password authentication.
Impact:
Admin loses provisioned VE instance because there is no way to ssh in.
Workaround:
Deploy VE with key authentication.
Fix:
Extra handling was added to make user creation work even with unexpected reboots happening during Azure Stack provisioning.
Fixed Versions:
13.1.0.7, 14.0.0.1
707054-1 : SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162
Links to More Info: BT707054
Component: Advanced Firewall Manager
Symptoms:
User cannot configure SYN Cookie MSS values for Fast L4 Profiles outside of 256-9162.
Conditions:
Under syncookie activated condition, SYN Cookie MSS value is set to < 256.
Impact:
While SYN cookies are active, a server-side MSS lower than the SYN Cookie MSS lower limit cannot be honored on the client side. As a result, the server side may discard data segments, because the client side can send segments as large as the SYN Cookie MSS lower limit.
Fix:
The SYN Cookie MSS for Fast L4 profiles can now be configured in the range 128-9162.
Fixed Versions:
13.1.1.2
707013 : vCMP host secondary member's cluster.conf file may be replaced by that of a vCMP guest
Links to More Info: BT707013
Component: TMOS
Symptoms:
-- clusterd restarts on secondary blade.
-- Messages similar to the following are logged in each secondary blade's /var/log/ltm file as clusterd restarts:
Management IP (<guest_management_ip>) already in use by (vcmp guest <guest_name>)
-- Messages similar to the following are logged in the primary blade's /var/log/ltm file when clusterd restarts on a secondary blade:
notice clusterd[3676]: 013a0006:5: Hello from slot 1.
notice clusterd[3676]: 013a0006:5: Informing MCP about slot ID 1 member status.
notice clusterd[3676]: 013a0006:5: Goodbye from slot 1.
Conditions:
-- Power-cycling a blade reproduces the issue most of the time.
-- Possibly specific to platform:
+ This issue has been seen on multiple hardware platforms, including B2100, B2150, B2250, and PB300.
+ Issue does not reproduce under the same conditions on a VIPRION 4800.
Impact:
Secondary slot on VIPRION hypervisor is in 'INOPERATIVE' state.
Workaround:
On the vCMP host, copy the file /shared/db/cluster.conf from the primary blade to each secondary cluster member. For each secondary blade's slot, use a command similar to the following:
scp /shared/db/cluster.conf slot<slot number>:/shared/db/cluster.conf
Note: Implementing the workaround does not prevent the issue from recurring. An upgrade to an unaffected version is recommended.
Fixed Versions:
13.1.1.5, 14.0.1.1, 14.1.0.2
707003-3 : Unexpected syntax error in TMSH AVR
Links to More Info: BT707003
Component: TMOS
Symptoms:
The following tmsh command does not work: tmsh show analytics http report view-by virtual measures { transactions } drilldown
It fails with the following error message: 'Syntax Error: "drilldown" property requires at least one of (device device-list) to be specified before using.'
Conditions:
Whenever the affected tmsh command is run.
Impact:
The following tmsh command will not run: tmsh show analytics http report view-by virtual measures { transactions } drilldown
Workaround:
There is no workaround besides not running the affected command.
Fix:
The following command now works as expected: tmsh show analytics http report view-by virtual measures { transactions } drilldown
Fixed Versions:
12.1.3.6, 13.1.1.2, 14.0.0
706998-3 : Memory leak when OCSP is configured in clientSSL profile for C3D, or in serverSSL profile for server authentication
Links to More Info: BT706998
Component: TMOS
Symptoms:
There is a memory leak when OCSP is configured in the clientSSL profile for C3D feature, or in serverSSL profile for server certificate authentication.
Conditions:
OCSP is configured in the clientSSL profile for C3D feature, or in serverSSL profile for server certificate authentication.
Impact:
TMM will run out of memory.
Workaround:
There is no workaround at this time.
Fix:
The memory leak has been fixed.
Fixed Versions:
13.1.0.4, 14.0.0
706845-2 : False positive illegal multipart violation
Links to More Info: BT706845
Component: Application Security Manager
Symptoms:
A false positive multipart violation.
Conditions:
Uploading a file with a filename value that is encoded in non utf-8 encoding.
Impact:
A false positive violation, request rejected.
Workaround:
It might be possible to work around this using an iRule.
Fix:
Corrected ASM multipart parsing.
Fixed Versions:
12.1.3.6, 13.1.0.8
706835 : When cloning a profile, URL parameters are not shown
Links to More Info: BT706835
Component: Fraud Protection Services
Symptoms:
In the Fraud Protection Service GUI, after cloning a profile and then navigating to one of its URLs, the URL's parameters are not shown.
Conditions:
Provision and license Fraud Protection Service.
Impact:
URL parameters are not displayed in the Fraud Protection Service GUI after cloning a profile.
Workaround:
Navigating again from Profiles will show the parameters.
Fix:
Parameters are now shown on first attempt after cloning a profile.
Fixed Versions:
13.1.0.6
706804-1 : SNMP trap destination configuration of network option is missing "default" keyword
Links to More Info: BT706804
Component: TMOS
Symptoms:
When SNMP trap destinations are configured, the user can specify the network from which the traps are transmitted. By default, the routing table is consulted. The network keyword overrides this with either "management" or "other". There was also a "default" keyword, which was removed because it was confusing. However, removing it broke backward compatibility of the REST API, so it was put back.
Conditions:
Including the "network default" keywords in trap configuration reports an error with version 13.0.0 where the "default" keyword was removed.
Impact:
Existing scripts may encounter errors if they used this keyword.
Workaround:
Don't use the "default" keyword with the snmp trap destination network configuration.
Fix:
The "default" keyword was put back.
Fixed Versions:
13.1.1.2
706771-1 : FPS ajax-mapping property may be set even when it should be blocked
Links to More Info: BT706771
Component: Fraud Protection Services
Symptoms:
Ajax mapping may be set only when 1) ajax-encryption is enabled OR 2) ajax-integrity AND strong-integrity are enabled.
The bug allows ajax-mapping to be set even for the following (invalid) configuration:
ajax-encryption: disabled
ajax-integrity: enabled
strong-integrity: disabled
Conditions:
1)
ajax-encryption: disabled
ajax-integrity: enabled
strong-integrity: disabled
2)
non-empty ajax-mapping
Impact:
System will set the ajax-mapping field when it should have been blocked.
Workaround:
There is no workaround at this time.
Fix:
FPS now blocks ajax-mapping configuration when the preconditions are not met.
Fixed Versions:
13.1.0.6, 14.0.0
706750-1 : Changing CGNAT SIP ALG profile log settings while handling traffic may cause tmm crash.
Links to More Info: BT706750
Component: Service Provider
Symptoms:
Altering the router profile log settings (log publisher and logging profile) may cause the tmm to crash when handling traffic.
Conditions:
-- CGNAT SIP ALG.
-- Changing log settings while handling traffic.
Impact:
TMM may crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Changing CGNAT SIP ALG profile log settings while handling traffic no longer causes tmm core.
Fixed Versions:
13.1.1.2, 14.0.0
706688 : Automatically add additional certificates to BIG-IP system in C2S and IC environments
Links to More Info: BT706688
Component: TMOS
Symptoms:
In order to function properly, the BIG-IP system's failover and autoscale features need extra certificates (used inside C2S environments) and an endpoint URL. The failover and autoscale features use AWS CLI commands, and those commands need the $AWS_CA_BUNDLE environment variable pointing to the location of the certificate files, plus the endpoint URL. These must be configured manually.
Conditions:
-- BIG-IP is running in AWS C2S (Commercial Cloud Services) where the domain is either c2s.ic.gov or sc2c.sgov.gov.
-- The BIG-IP system is configured to do failover or autoscale in those environments.
Impact:
Requires manual copying of the extra certificates, which are pointed to by AWS_CA_BUNDLE, to the BIG-IP system.
Workaround:
None.
Fix:
In this release, you can add the URLs of all the needed certificates in the AWS user-data. The BIG-IP system then automatically downloads and stores the certificates, sets the $AWS_CA_BUNDLE environment variable, and sets the endpoint-url.
To use the functionality, when launching the BIG-IP system from the AWS web console, specify the C2S certificate URL and test URL in the following format:
c2s-keys-urls=url1,url2,url3;c2s-cert-test-url=ec2.us-iso-east-1.c2s.ic.gov:443;
Where the syntax explanation is as follows:
1. The string literal : c2s-keys-urls=
2. List of comma separated URLs.
3. A semicolon (;).
4. The string literal : c2s-cert-test-url=
5. A URL which is of following format
<A service name (e.g., ec2)>.<The region where it is running (e.g., us-iso-east-1)>.<the domain name :443 (e.g., c2s.ic.gov:443)>
Example: ec2.us-iso-east-1.c2s.ic.gov:443;
Fixed Versions:
13.1.0.7, 14.0.0.1
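As an added example (not part of the release note and not F5's provisioning code), the following Python parser accepts the user-data format described for 706688 and validates it before it is handed to anything that would fetch a CA bundle. The key names and the two C2S domains come from the release note; requiring that certificate URLs be https:// on a C2S host and that the test URL use port 443 are this example's assumptions, made because the bundle fetched here becomes the trust anchor for every later AWS CLI call.

```python
"""Parser/validator for the BIG-IP C2S user-data string:
    c2s-keys-urls=url1,url2,url3;c2s-cert-test-url=<service>.<region>.<domain>:443;
Added example, not F5's provisioning code. The two key names and the C2S
domains come from the release note; requiring https:// certificate URLs from a
C2S domain and port 443 on the test URL are this example's assumptions."""

import re
from urllib.parse import urlsplit

C2S_DOMAINS = ("c2s.ic.gov", "sc2c.sgov.gov")   # domains named in the release note
REQUIRED_KEYS = {"c2s-keys-urls", "c2s-cert-test-url"}
TEST_URL_RE = re.compile(
    r"^(?P<service>[a-z0-9-]+)\.(?P<region>[a-z0-9-]+)\.(?P<domain>[a-z0-9.-]+):(?P<port>\d+)$"
)

def in_c2s_domain(host):
    """Exact or proper-subdomain match; 'evilc2s.ic.gov' must not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2S_DOMAINS)

def parse_user_data(user_data):
    """Split 'key=value;key=value;' into a dict. A trailing ';' is allowed and
    values may themselves contain commas. Unknown keys are rejected."""
    fields = {}
    for item in user_data.strip().split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep or key not in REQUIRED_KEYS:
            raise ValueError(f"unexpected user-data item: {item!r}")
        fields[key] = value.strip()
    return fields

def validate_c2s_user_data(user_data):
    """Return (certificate_urls, test_url_parts) or raise ValueError."""
    fields = parse_user_data(user_data)
    missing = REQUIRED_KEYS - fields.keys()
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    cert_urls = [u.strip() for u in fields["c2s-keys-urls"].split(",") if u.strip()]
    if not cert_urls:
        raise ValueError("c2s-keys-urls lists no URLs")
    for url in cert_urls:
        parts = urlsplit(url)
        # Assumption: the bundle that the AWS CLI will trust must itself come over
        # HTTPS from a C2S host, so a plaintext fetch cannot swap the trust anchor.
        if parts.scheme != "https" or not parts.hostname or not in_c2s_domain(parts.hostname):
            raise ValueError(f"certificate URL must be https:// on a C2S domain: {url!r}")
    m = TEST_URL_RE.match(fields["c2s-cert-test-url"].lower())
    if not m:
        raise ValueError("c2s-cert-test-url must look like <service>.<region>.<domain>:<port>")
    if m["domain"] not in C2S_DOMAINS:
        raise ValueError(f"test URL domain {m['domain']!r} is not a C2S domain")
    if m["port"] != "443":
        raise ValueError("test URL must use port 443")
    return cert_urls, m.groupdict()

def is_valid_c2s_user_data(user_data):
    """True/False wrapper for callers that only need a verdict."""
    try:
        validate_c2s_user_data(user_data)
        return True
    except ValueError:
        return False

SAMPLE_USER_DATA = (   # constructed values in the documented format
    "c2s-keys-urls=https://certs.c2s.ic.gov/ca1.pem,https://certs.c2s.ic.gov/ca2.pem;"
    "c2s-cert-test-url=ec2.us-iso-east-1.c2s.ic.gov:443;"
)
```

The host check deliberately compares whole labels rather than using a plain suffix match, so a lookalike host such as evilc2s.ic.gov does not pass as a C2S domain.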
706665-2 : ASM policy is modified after pabnagd restart
Links to More Info: BT706665
Component: Application Security Manager
Symptoms:
ASM policy modifications might occur after the pabnagd daemon is restarted. Modifications include the following:
-- Length attributes might change from 'any' to a low auto learning value.
-- Check signature / metachars might change from unchecked to checked.
This applies for the following entity types:
filetypes, URLs, parameters, cookies, WS URLs, content profiles.
Conditions:
-- Configuration containing a policy in which automatic learning mode is configured.
-- Restart of pabnagd (the automated policy-building operations daemon).
Impact:
ASM policy is modified.
Workaround:
Switch policy builder to manual learning mode.
Fix:
Prevent unwanted adjust operations from being called on policy-catchup complete.
Fixed Versions:
13.1.0.8, 14.0.0
706651-1 : Cloning URL does not clone "Description" field
Links to More Info: BT706651
Component: Fraud Protection Services
Symptoms:
When cloning URL using the "Clone URL" feature in FPS/DataSafe GUI, description field is not cloned to new URL.
Conditions:
Provision and license FPS/DataSafe.
Impact:
Not all expected configuration values of the URL are cloned.
Workaround:
There is no workaround.
Fix:
Description field is now cloned to the new URL.
Fixed Versions:
13.1.0.6, 14.0.0
706642-2 : wamd may leak memory during configuration changes and cluster events
Links to More Info: BT706642
Component: WebAccelerator
Symptoms:
wamd memory consumption increases over time.
Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.
Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.
Workaround:
No workaround available.
Fix:
wamd no longer leaks memory during configuration changes and cluster events.
Fixed Versions:
11.5.9, 11.6.4, 12.1.4, 13.1.1.2, 14.0.0.3
706631-2 : A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
Links to More Info: BT706631
Component: Local Traffic Manager
Symptoms:
According to RFC 2818, if the certificate sent by the TLS server has a valid Common Name but its Subject Alternative Name does not match the authenticate-name configured in the server-ssl profile, the connection should be terminated.
Conditions:
-- A server-ssl profile is enabled on a virtual server and has the 'authenticate-name' property set.
-- The TLS server presents a certificate in which the Subject Alternative Name does not match the configured authenticate-name.
-- Common Criteria mode licensed and configured.
Impact:
A TLS connection succeeds which should fail.
Workaround:
There is no workaround at this time.
Fix:
A remote TLS server certificate with a bad Subject Alternative Name is now rejected when Common Criteria mode is licensed and configured.
Fixed Versions:
12.1.3.4, 13.1.0.6, 14.0.0
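As an added example (not part of the release note and not BIG-IP code), the following Python function applies the RFC 2818 section 3.1 rule that 706631 is about: when the certificate carries dNSName subjectAltName entries, the expected name is matched against those only and the Common Name is ignored; the CN is consulted only when no dNSName SAN is present. Certificates are represented as constructed dicts rather than parsed X.509 objects, and the wildcard rule used is the stricter left-most-label form rather than RFC 2818's partial wildcards.

```python
"""Server identity check as RFC 2818 section 3.1 requires: when the certificate
carries dNSName subjectAltName entries, the expected name (BIG-IP's
authenticate-name) is matched against those only and the Common Name is
ignored; the CN is consulted only when no dNSName SAN is present. Added
example, not BIG-IP code; certificates are constructed dicts, not parsed X.509."""

def _name_matches(cert_name, expected):
    """Match one certificate name against the expected hostname. A wildcard is
    honoured only as the whole left-most label and only matches one label
    (the RFC 6125 rule, stricter than RFC 2818's 'f*.com' style)."""
    cert_name, expected = cert_name.lower().rstrip("."), expected.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == expected
    c_labels, e_labels = cert_name.split("."), expected.split(".")
    if c_labels[0] != "*" or len(c_labels) < 3 or len(c_labels) != len(e_labels):
        return False
    return c_labels[1:] == e_labels[1:]

def server_identity_ok(cert, authenticate_name):
    """cert = {"common_name": str, "san_dns": [str, ...]}.
    True when the certificate is acceptable for authenticate_name."""
    san = cert.get("san_dns") or []
    if san:
        # SAN present: a matching CN does not rescue a non-matching SAN.
        return any(_name_matches(n, authenticate_name) for n in san)
    return _name_matches(cert.get("common_name", ""), authenticate_name)

# Constructed certificates. BAD_SAN_CERT is the case in this release note: the
# CN matches authenticate-name but the SAN does not, so it must be rejected.
BAD_SAN_CERT = {"common_name": "app.example.com", "san_dns": ["other.example.com"]}
CN_ONLY_CERT = {"common_name": "app.example.com", "san_dns": []}
WILDCARD_CERT = {"common_name": "ignored.example.net", "san_dns": ["*.example.com"]}
```

The pre-fix behaviour described above corresponds to falling through to the CN check even when a SAN is present; the SAN-present branch must return its own result without consulting the CN.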
706534-1 : L7 connection mirroring may not be fully mirrored on standby BIG-IP system
Links to More Info: BT706534
Component: Local Traffic Manager
Symptoms:
L7 connection mirroring may not be fully mirrored on the standby BIG-IP system
Conditions:
-- L7 virtual server with mirroring enabled
-- Connections with transfer of substantial size.
Impact:
-- Connections may be mirrored initially but removed after some time.
-- If there is a failover these connections may not be correctly handled.
Workaround:
Disable LRO via the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
Fix:
BIG-IP now fully mirrors all L7 connections
Fixed Versions:
13.1.0.4, 14.0.0
706521-5 : The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password
Links to More Info: K21404407 , BT706521
Component: TMOS
Symptoms:
The TACACS+ shared key is stored unencrypted in a db variable and is visible to admin and read-only users.
Conditions:
Configure TACACS+ auditing forwarder.
Impact:
Exposes sensitive information.
Workaround:
None.
Fix:
The sensitive data is not exposed, and this issue is fixed.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
706423-1 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
Links to More Info: BT706423
Component: TMOS
Symptoms:
TMM may discard an existing child SA via a timer at the moment it is in use for encryption or decryption. Separately, an error that aborts negotiation can leave multiple timers associated with one child SA, which conflict with one another.
Conditions:
Errors in the IPsec configuration that cause negotiation to fail can occur while a child SA is in a state that does not manage timers correctly.
A configuration with a short SA lifetime, causing frequent re-keying, increases the chance of hitting the race condition where an SA expires during active use in crypto.
Impact:
TMM restarts, disrupting traffic and causing HA failover.
Workaround:
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, configure an SA lifetime of a reasonable duration rather than merely seconds. (The default is one day.)
Fix:
Only one timer can now be associated with a child SA as it progresses through negotiation, even if an error occurs.
A child SA is now kept safe during async crypto operations, even if it expires while in use.
Fixed Versions:
12.1.3.6, 13.1.1.2, 14.0.0.3
706361 : IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0
Links to More Info: BT706361
Component: Application Visibility and Reporting
Symptoms:
The IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0.
Conditions:
-- Upgrade from 13.1.0 to 14.0.0.
-- AVR is NOT provisioned.
-- Viewing IPS stats tables.
Impact:
All statistics that relate to IPS are lost.
Workaround:
Before upgrading, run the following SQL command:
update AVR_CONF_FACT_TABLES set export_dir='/shared/avr_afm' where fact_name="AVR_STAT_IPS";
Fix:
The IPS stats tables are now saved in the '/shared/avr_afm' export directory.
Fixed Versions:
13.1.0.8
706354-2 : OPT-0045 optic unable to link
Links to More Info: BT706354
Component: TMOS
Symptoms:
The OPT-0045 optical transceiver when inserted into a 40G port does not function. The following error appears in /var/log/ltm:
Invalid module for bundle configuration of interface <portNumber>.0.
Conditions:
OPT-0045 in a 40G port.
Impact:
Optic does not work; interface does not come up.
Workaround:
None.
Fix:
This release supports the OPT-0045 optical transceiver.
Fixed Versions:
12.1.4, 13.1.1.2, 14.0.0
706339-1 : TMM crashes due to memory leaking while processing SSL forward proxy traffic
Links to More Info: K30392060 , BT706339
Component: SSL Orchestrator
Symptoms:
SSL forward proxy can leak memory while forging the server certificate. TMM might eventually halt and restart when available memory is exhausted.
Conditions:
SSL forward proxy is enabled.
Impact:
Traffic disrupted or failover event occurs while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
Fixed the memory leak in the SSL module.
Fixed Versions:
13.1.1.4, 14.0.0
706305-1 : bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled
Links to More Info: BT706305
Component: TMOS
Symptoms:
bgpd may crash on a BIG-IP system configured for dynamic routing announcing multiple overlapping aggregate-addresses with extended asn capabilities enabled.
Conditions:
- BGP enabled on route-domain
- BGP configured to announce several overlapping aggregate-addresses
- BGP configured with extended-asn-cap enabled.
Impact:
Inability for the unit to use BGP
Workaround:
Disabling extended-asn-cap or not announcing multiple overlapping aggregate addresses may work around this issue.
Fix:
bgpd no longer crashes with overlapping aggregate addresses and extended-asn-cap enabled
Fixed Versions:
12.1.3.4, 13.1.0.6, 14.0.0
706276-1 : Unnecessary pop-up appears
Links to More Info: BT706276
Component: Fraud Protection Services
Symptoms:
A pop-up dialog box appears when 'Enhanced Data Integrity Check' is clicked.
Conditions:
-- Provision and license FPS.
-- Add URL.
-- Disable 'Check Full AJAX for Data Manipulation'.
Impact:
Unnecessary dialog box appears.
Workaround:
None.
Fix:
The pop-up does not appear.
Fixed Versions:
13.1.0.6
706169-3 : tmsh memory leak
Links to More Info: BT706169
Component: TMOS
Symptoms:
tmsh is leaking approximately 24 KB for every 'save sys config' call.
Conditions:
This occurs under the following conditions:
-- In tmsh, run the following command repeatedly:
save sys config
-- In the GUI, modify the configuration and click Update, change pages, or otherwise cause a save to the configuration.
Impact:
This results in a memory leak, and a possible out-of-memory condition.
Workaround:
None.
Fix:
tmsh no longer leaks memory when performing configuration-save operations.
Fixed Versions:
13.1.1.2, 14.0.0.3
706128-2 : DNSSEC Signed Zone Transfers Can Leak Memory
Links to More Info: BT706128
Component: Global Traffic Manager (DNS)
Symptoms:
TMM might leak memory when performing DNSSEC signed zone transfers. You can detect this issue by examining system memory before and after performing zone transfers.
For example:
tmsh show sys memory raw | grep dnssec
Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc) or from DNS Express.
Impact:
TMM leaks memory related to the signed zone transfer.
Workaround:
There is no workaround at this time.
Fix:
TMM no longer leaks DNSSEC zone transfer related memory.
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0
706104-3 : Dynamically advertised route may flap
Links to More Info: BT706104
Component: TMOS
Symptoms:
ZebOS may repeatedly add and delete the routes from protocol daemons. This may cause the protocol daemons to delete and re-advertise the default route.
Conditions:
- Dynamic routing in use
- Kernel routes redistributed into a routing protocol
- Static route configured in TMOS
- Route advertisement enabled on the virtual-address that's the same as the static route
Impact:
Route flapping may cause instability in the network, including inability to reach the default network advertised by the BIG-IP.
Workaround:
Since the static route will be redistributed in the same way as the virtual-address, there is no need to enable route-advertisement on the VIP virtual-address. Disabling this will resolve the problem.
The problem will also be resolved by moving the route from tmsh into ZebOS.
- In imish config mode, "ip route <route> <gateway>"
- In tmsh, "delete net route <route>"
Fix:
Configuring a static route in TMOS and enabling route-advertisement on the same virtual-address no longer causes route flapping in ZebOS.
Fixed Versions:
12.1.4, 13.1.1.4
706102-2 : SMTP monitor does not handle all multi-line banner use cases
Links to More Info: BT706102
Component: Local Traffic Manager
Symptoms:
An SMTP monitor does not handle all multi-line banner use cases, such as when the banner is physically split across two packets. This issue is due to attempting to parse the banner value from the first packet without a portion of the banner value that may arrive in a second packet.
Conditions:
An SMTP monitor is configured; and uses a multi-line banner; and the SMTP monitor banner is split across two physical packets.
Impact:
The SMTP monitor sends an RST after the first packet, and marks the resource down.
Workaround:
Use an SMTP monitor with a single-line banner. Or, rather than using an SMTP monitor, instead use a TCP monitor with send/recv strings.
Fix:
An SMTP monitor handles all use cases that include a multi-line banner.
Fixed Versions:
12.1.4, 13.1.1.4, 14.0.0.5
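The defect above is a reassembly problem: the monitor judged the banner from the first segment. The following is an added illustration (not F5's monitor code) of how a banner reader should buffer until the closing line of an RFC 5321 multi-line reply has arrived. The sample banner and host name are constructed.

```python
"""Reassembling a multi-line SMTP greeting that arrives across several TCP
segments, the way a health monitor should before it judges the banner."""


class SmtpBannerParser:
    """Feed raw bytes as they arrive; feed() returns True once the reply is whole.

    RFC 5321 reply format: every line starts with a 3-digit code; continuation
    lines use '<code>-text', the final line uses '<code> text' (or the bare code).
    Deciding on the first segment alone is the defect described above: the
    closing '<code> ' line may still be in flight.
    """

    def __init__(self):
        self.buf = b""
        self.code = None
        self.lines = []
        self.done = False

    def feed(self, chunk: bytes) -> bool:
        if self.done:
            return True
        self.buf += chunk
        while b"\r\n" in self.buf:
            raw, self.buf = self.buf.split(b"\r\n", 1)
            text = raw.decode("ascii", errors="replace")
            if len(text) < 3 or not text[:3].isdigit():
                raise ValueError(f"malformed reply line: {text!r}")
            code = int(text[:3])
            if self.code is None:
                self.code = code
            elif code != self.code:
                raise ValueError("reply code changed inside one reply")
            sep = text[3:4]
            self.lines.append(text[4:])
            if sep in ("", " "):          # final line of the reply
                self.done = True
                return True
            if sep != "-":
                raise ValueError(f"bad separator after code: {text!r}")
        return False                     # need more data; do not RST yet


def probe_banner(chunks, expect_code=220, expect_text=None):
    """Drive the parser over successive socket reads as a monitor would.

    Returns (complete, healthy). A monitor should only mark the member down
    when complete is True and healthy is False, or when the read times out.
    """
    parser = SmtpBannerParser()
    for chunk in chunks:
        if parser.feed(chunk):
            break
    if not parser.done:
        return (False, False)
    text_ok = expect_text is None or any(expect_text in line for line in parser.lines)
    return (True, parser.code == expect_code and text_ok)


# Constructed sample: one 3-line 220 banner split mid-line across two segments.
SPLIT_BANNER = [
    b"220-mail.example.test ESMTP ready\r\n220-Welcom",
    b"e, authorized use only\r\n220 Go ahead\r\n",
]

if __name__ == "__main__":
    print(probe_banner(SPLIT_BANNER, expect_text="ESMTP"))   # (True, True)
```

Feeding only the first segment yields (False, False): the reader has not yet seen a final line, so the correct action is to keep reading, not to reset the connection.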
706087 : Entry for SSL key replaced by config-sync causes tmsh load config to fail
Links to More Info: BT706087
Component: TMOS
Symptoms:
After config-sync, the secondary unit's key file does not match the passphrase stored for the key. This is a generic problem where config-sync is not synchronizing any differing file-objects on the secondary unit that happen to have the same cache_path as the primary.
Conditions:
The cache_path of the encrypted key is the same on both units of the HA pair, but the keys themselves differ and have different passphrases.
Impact:
Secondary unit will fail to load the config during boot-up, so it will be offline. Other file-objects that had the same cache_path but were different files also do not sync. The latter may go unnoticed, since nothing fails on the secondary unit.
Workaround:
Before config-sync, check whether the cache_path of the encrypted key is the same on both systems while the sha1sum values of the files differ. If so, remove the key on one of the systems, re-install it, and make sure the resulting cache_path name is different.
Fix:
The key files (in the cache_path) will sync despite having the same name. The problem goes away. The same goes for any file-object that happened to have the same cache_path prior to sync.
Fixed Versions:
13.1.0.6, 14.0.0
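The workaround above amounts to comparing cache_path names and file hashes across the pair. The following is an added example (not F5 code) that performs that pre-sync check for every file-object, not only keys: inventory the filestore on each unit, then report names that exist on both with differing SHA-1. The two listings below are constructed stand-ins for real inventory output, and the suggestion to point it at copies of /config/filestore/files_d is an assumption about where cache_path files live.

```python
"""Pre-sync check for the condition above: file-objects whose cache_path is
identical on both units of the HA pair while the file contents differ."""

import hashlib
import os
import sys


def inventory(root):
    """Map each file under root (relative path, i.e. the cache_path tail) to the
    SHA-1 of its contents, matching what sha1sum prints on the box."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha1()
            with open(full, "rb") as fh:
                for block in iter(lambda: fh.read(65536), b""):
                    digest.update(block)
            result[os.path.relpath(full, root)] = digest.hexdigest()
    return result


def find_conflicts(primary, secondary):
    """cache_paths present on both units whose contents differ: exactly the
    objects the unfixed config-sync skipped, leaving the secondary with a key
    that does not match its stored passphrase."""
    shared = primary.keys() & secondary.keys()
    return sorted(path for path in shared if primary[path] != secondary[path])


# Constructed listings standing in for inventory() output from each unit
# (hashes and object names are made up, not taken from a real system).
PRIMARY = {
    "Common_d/certificate_key_d/:Common:app.key_1": "3c1f8a9b2d7e4f6a1b0c9d8e7f6a5b4c3d2e1f00",
    "Common_d/certificate_d/:Common:app.crt_1": "0f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4",
    "Common_d/certificate_key_d/:Common:other.key_1": "aaaabbbbccccddddeeeeffff0000111122223333",
}
SECONDARY = {
    "Common_d/certificate_key_d/:Common:app.key_1": "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e00",
    "Common_d/certificate_d/:Common:app.crt_1": "0f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4",
}

if __name__ == "__main__":
    if len(sys.argv) == 3:     # two directory copies, one per unit (assumed layout)
        conflicts = find_conflicts(inventory(sys.argv[1]), inventory(sys.argv[2]))
    else:
        conflicts = find_conflicts(PRIMARY, SECONDARY)
    for path in conflicts:
        print("same cache_path, different content:", path)
```

Objects that exist on only one unit are not reported; those were synced correctly. Only the same-name, different-content pairs need the remove-and-reinstall treatment.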
705925-1 : Websocket Message Type not displayed in Request Log
Links to More Info: BT705925
Component: Application Security Manager
Symptoms:
You are unable to filter for websocket message types.
Conditions:
This is encountered on ASM when viewing the request log.
Impact:
Websocket Message Type not available to be displayed in Request Log.
Workaround:
N/A
Fix:
Websocket Message Type correctly displayed in Request Log
Fixed Versions:
13.1.1.4, 14.0.0
705818-1 : GUI Network Map Policy with forward Rule to Pool, Pool does not show up
Links to More Info: BT705818
Component: TMOS
Symptoms:
When a Virtual Server has a Policy with a rule to forward request to a Pool, the Pool should be associated to the Virtual Server on the Network Map.
Conditions:
Create a Virtual Server with a Policy to forward requests to a Pool.
Impact:
The relationship of the Virtual Server to the Pool via the indirect Policy Rule is not visible in the network map.
Workaround:
No workaround to the visual.
Fix:
Associate Virtual Server with Policy that forwards requests to a Pool on the Network Map.
Fixed Versions:
13.1.0.8, 14.0.0
705794-2 : Under certain circumstances a stale HTTP/2 stream might cause a tmm crash
Links to More Info: BT705794
Component: Local Traffic Manager
Symptoms:
A HTTP/2 stream is getting overlooked when cleaning up a HTTP/2 flow.
Conditions:
The only known condition is that the closing_stream is not empty. Exact entrance conditions are not clear.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
HTTP/2 flows are now properly cleaned up to prevent a tmm crash.
Fixed Versions:
11.6.3.3, 12.1.3.4, 13.1.0.6, 14.0.0
705774-1 : Add a set of disallowed file types to RDP template
Links to More Info: BT705774
Component: Application Security Manager
Symptoms:
Universally dangerous filetypes are not included in RDP policy template.
Conditions:
The user creates a new policy using the RDP template.
Impact:
Universally dangerous filetypes are not disallowed.
Workaround:
Dangerous filetypes can be added to policies created from RDP template.
Fix:
Universally dangerous filetypes are now included in RDP policy template.
Fixed Versions:
13.1.0.4, 14.0.0
705768-5 : The dynconfd process may core and restart with multiple DNS name servers configured
Links to More Info: BT705768
Component: Local Traffic Manager
Symptoms:
The dynconfd daemon may crash with a core and restart when processing a DNS query when there are multiple DNS name servers configured, or when the list of DNS name servers is changed.
Conditions:
This may occur rarely when FQDN nodes are configured and multiple DNS name servers are configured, including when a name server is added to or removed from the system DNS configuration while a DNS query is active.
Impact:
Resolution of FQDN names for FQDN nodes and pool members may be briefly interrupted while the dynconfd daemon restarts. This may cause a delay in propagation of DNS zone changes to the BIG-IP configuration.
Workaround:
This issue occurs rarely. There is currently no known workaround.
Fix:
The dynconfd process no longer cores and restarts with multiple DNS name servers configured.
Fixed Versions:
12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2
705655-2 : Virtual address not responding to ICMP when ICMP Echo set to Selective
Links to More Info: BT705655
Component: TMOS
Symptoms:
If the virtual server's availability has taken the virtual address 'down', enabling the virtual server does not cause it to go 'up'.
Conditions:
-- ICMP Echo is set to Selective for the virtual address.
-- Disable the virtual server.
-- Enable the virtual server.
Impact:
The virtual address does not come up again. This affects the availability status of the virtual-address, and icmp-echo or route-advertisement for the virtual-address.
Workaround:
To work around this issue, do the following:
1. Set ICMP Echo to Always.
2. Disable the virtual-server.
3. Change virtual-address availability calculation back to the desired state.
Fix:
Virtual address now correctly responds to ICMP when ICMP Echo is set to Selective.
Fixed Versions:
13.1.3.5
705611-2 : The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used
Links to More Info: BT705611
Component: Local Traffic Manager
Symptoms:
The TMM may later crash after a configuration change done under load if the HTTP/2 profile is used.
Conditions:
A configuration change occurs. The configuration change is large enough, or the TMM load large enough that the change is not synchronous. The change involves a HTTP/2 profile.
Data traffic progresses through a partially initialized HTTP/2 virtual server, potentially causing a later crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
Large configuration changes to the TMM involving a HTTP/2 profile will no longer potentially cause a TMM crash.
Fixed Versions:
12.1.3.4, 13.1.0.6, 14.0.0
705593-5 : CVE-2015-7940: Bouncy Castle Java Vulnerability
Component: Device Management
Symptoms:
An attacker who can run repeated elliptic-curve Diffie-Hellman exchanges against a Bouncy Castle endpoint could recover its EC private key with a few thousand queries, because affected versions of the library did not check that a peer-supplied public point lies on the intended curve (an invalid-curve attack).
Conditions:
No specific conditions.
Impact:
None. BIG-IP software does not use the impacted library features.
Fix:
Version 1.59 of the library is installed on the BIG-IP system at the following paths:
/usr/share/java/rest/libs/bcprov-1.59.jar
/usr/share/java/rest/libs/bcpkix-1.59.jar
Fixed Versions:
13.1.0.6, 14.0.0
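The check that the vulnerable library lacked is public-key validation before the ECDH scalar multiplication. The following is an added illustration in plain Python over NIST P-256 (not Bouncy Castle code and not anything on the BIG-IP) showing why: the addition formulas never consult the curve constant b, so an off-curve point from the peer is processed silently unless it is rejected up front. The private scalars used in the usage example are arbitrary test values.

```python
"""Public-key validation whose absence an invalid-curve attack exploits.
Added illustration in plain Python over NIST P-256; not Bouncy Castle code."""

# NIST P-256 domain parameters (FIPS 186-4).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
G = (GX, GY)


def is_valid_public_point(x, y):
    """Full public-key validation for a prime-order curve (cofactor 1):
    coordinates in range and y^2 = x^3 + ax + b (mod p). Without this the
    arithmetic below runs happily on a point from a weaker curve chosen by
    the peer, which is what leaks the private key."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def decode_uncompressed(data):
    """SEC1 uncompressed encoding 0x04 || X || Y (65 bytes), validated."""
    if len(data) != 65 or data[0] != 0x04:
        raise ValueError("not an uncompressed P-256 point")
    x, y = int.from_bytes(data[1:33], "big"), int.from_bytes(data[33:], "big")
    if not is_valid_public_point(x, y):
        raise ValueError("point is not on P-256")
    return (x, y)


def _inv(v):
    return pow(v, P - 2, P)      # Fermat inverse; P is prime


def point_add(p1, p2):
    """Affine addition; None is the point at infinity. The formulas never use
    B, which is exactly why an off-curve input goes undetected here."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh(private_scalar, peer_point):
    """Shared-secret x-coordinate; refuses invalid peer points up front."""
    if not 1 <= private_scalar < N:
        raise ValueError("private scalar out of range")
    if not is_valid_public_point(*peer_point):
        raise ValueError("peer public point rejected (invalid-curve attempt?)")
    shared = scalar_mult(private_scalar, peer_point)
    if shared is None:
        raise ValueError("shared point is the point at infinity")
    return shared[0]


if __name__ == "__main__":
    a, b = 0x1a2b3c4d5e6f7081, 0x0fedcba987654321      # arbitrary test scalars
    print(ecdh(a, scalar_mult(b, G)) == ecdh(b, scalar_mult(a, G)))   # True
    print(is_valid_public_point(GX, GY + 1))                          # False
```

For curves with a cofactor greater than one the on-curve test is not enough and the point must also be checked for membership of the prime-order subgroup; P-256 has cofactor 1, so range plus curve-equation is the complete check.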
705559-1 : FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request
Links to More Info: BT705559
Component: Fraud Protection Services
Symptoms:
A false positive "no strong integrity param" is sent when none of the configured data-integrity parameters are present in the request.
Conditions:
1. A protected URL has at least one parameter configured with the data-integrity check enabled.
2. Enhanced data manipulation is enabled.
3. A request without any of the data-integrity parameters is sent to the protected URL.
Impact:
A false positive "no strong integrity param" alert is sent.
Workaround:
There is no workaround at this time.
Fix:
The "No strong integrity param" alert is now suppressed when none of the data-integrity parameters were sent.
If forcing all data-integrity parameters is enabled (tmsh modify sys db antifraud.autotransactions.parameternameintegrity value enable), the alert is still sent.
Fixed Versions:
13.1.0.4, 14.0.0
705503-3 : Context leaked from iRule DNS lookup
Links to More Info: BT705503
Component: Global Traffic Manager (DNS)
Symptoms:
The memory usage increases, and stats are inaccurate.
Conditions:
Call RESOLV::lookup from an iRule.
Impact:
Memory leak that accumulates over time and inaccurate stats.
Workaround:
There is no workaround other than not using RESOLV::lookup in an iRule.
Fix:
Memory leak no longer occurs.
Fixed Versions:
12.1.3.6, 13.1.0.4, 14.0.0
705456-1 : Enabling HTTP-to-HTTPS redirection in a vCMP guest can prevent some Host-Guest Management features from working
Links to More Info: BT705456
Component: TMOS
Symptoms:
-- ISOs of type block-device-image do not show up on vCMP Guests and are not available for installation when HTTP-to-HTTPS redirection is enabled.
- Guest health status is not viewable from the host when HTTP-to-HTTPS redirection is enabled.
Conditions:
VCMP Guest has HTTP-to-HTTPS redirection enabled.
Impact:
-- Not all available images are installable.
-- Guest health status is not visible from the host.
Workaround:
Use the corresponding workaround:
-- Manually copy images to vCMP guests.
-- Check guest health status by logging into the host.
Fix:
Configured iControl REST to allow appropriate daemons access when HTTP-to-HTTPS redirection is enabled.
Fixed Versions:
13.1.1.2, 14.0.0
705442-1 : GUI Network Map objects search on Virtual Server IP Address and Port does not work
Links to More Info: BT705442
Component: TMOS
Symptoms:
Searching for a Virtual Server using the IP Address and Port of the Virtual Server does not work.
Conditions:
Create a Virtual Server (for example, named vs1) with an address and port, then search the Network Map for it by that address and port.
Impact:
Cannot use an IP Address to filter Virtual Server results.
Workaround:
There is no workaround at this time.
Fix:
We now include the Virtual Server's IP Address and Port as searchable values.
Fixed Versions:
13.1.1.4
705387 : HTTP/2, ALPN and SSL
Links to More Info: BT705387
Component: Local Traffic Manager
Symptoms:
The SSL filter will not always add the ALPN extension.
Conditions:
If the negotiated cipher is not HTTP/2 compliant, the SSL filter may not add the ALPN extension.
Impact:
The failure to add the ALPN extension may result in the failure to negotiate the proper protocol.
Workaround:
There is no workaround at this time.
Fixed Versions:
13.1.3.6
705112-2 : DHCP server flows are not re-established after expiration
Links to More Info: BT705112
Component: Local Traffic Manager
Symptoms:
DHCP relay agent does not have server flows connecting to all active DHCP servers after a while.
Conditions:
- More than one DHCP server configured for a DHCP virtual server.
- Server flows time out after 60 seconds.
Impact:
DHCP server traffic not load balanced.
Workaround:
None.
Fix:
A new logic to re-establish server flows is introduced to ensure a relay agent will have all DHCP servers connected.
Fixed Versions:
11.5.9, 12.1.4.1, 13.1.3, 14.1.2.5, 15.1.0.2
705037-2 : System may exhibit duplicate if_index, which in some cases leads to nsm daemon restart
Links to More Info: K32332000 , BT705037
Component: TMOS
Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.
Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.
Impact:
-- Unreliable or confusing statistics via SNMP polling.
-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.
Workaround:
None.
Fix:
System no longer exhibits duplicate if_index statistics.
Fixed Versions:
12.1.4, 13.1.3, 14.0.1.1, 14.1.2.3
704804-1 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
Links to More Info: BT704804
Component: TMOS
Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.
Conditions:
This applies to remote authentication for the control plane, not APM.
Impact:
Login may be impacted.
Workaround:
There is no workaround at this time.
Fix:
NAS-IP-Address Attribute is now set correctly when the BIG-IP system is configured to use RADIUS authentication.
Fixed Versions:
12.1.3.3, 13.1.0.8, 14.0.0.3
704764-3 : SASP monitor marks members down with non-default route domains
Links to More Info: BT704764
Component: Local Traffic Manager
Symptoms:
The LTM SASP monitor marks down pool members whose addresses include a non-default route domain.
Conditions:
1. Using the SASP health monitor to monitor a pool or pool member.
2. The address of the pool member includes a non-default route domain, such as:
ltm pool rd_test {
    members {
        test_1:http {
            address 12.34.56.78%99
        }
    }
    monitor my_sasp
}
Impact:
Pool members with non-default route domains will never be marked up by the SASP monitor.
Workaround:
Do not specify non-default route domains in the addresses of pool members monitored by the SASP health monitor.
The SASP protocol does not support the use of route domains in member addresses. Thus, the SASP GWM (Global Workload Manager) will ignore route domain information included in the member addresses when registered by the SASP monitor in BIG-IP, and will report the status of members using addresses without route domains.
Therefore, even with a fixed version of the SASP monitor, BIG-IP LTM administrators must avoid configuring multiple pool members that share the same address and differ only in route domain when those members are monitored by the SASP monitor. In case of such a configuration error, the status reported by the SASP GWM may not accurately reflect the status of one or more of the pool members with matching IP addresses.
Fix:
The LTM SASP monitor will correctly report the status of pool members configured with addresses that include a non-default route domain, if the SASP GWM is monitoring members with matching addresses (minus route-domain information).
Fixed Versions:
13.1.1.2, 14.0.0.3
704755-1 : EUD_M package could not be installed on 800 platforms
Links to More Info: BT704755
Component: TMOS
Symptoms:
Attempts to install the EUD_M EUD package fail on 800 platforms even though they are supposed to be supported.
Conditions:
Attempt to install EUD_M package on 800 platforms.
Impact:
Cannot install EUD_M package on a platform that is claimed to support it.
Workaround:
None.
Fix:
EUD_M package can now be installed on 800 platforms as expected.
Fixed Versions:
13.1.1.2, 14.0.0.3
704733-1 : NAS-IP-Address is sent with the bytes in reverse order
Links to More Info: BT704733
Component: TMOS
Symptoms:
The NAS-IP-Address has the address of the local device sent with the bytes in reverse order (e.g., 78.56.30.172, where 172.30.56.78 is expected).
Conditions:
-- This affects IPv4 addresses only.
-- BIG-IP system is configured for RADIUS authentication.
Impact:
The server may be configured to check the NAS-IP-Address before allowing logins, in which case it would fail.
Workaround:
There is no workaround at this time.
Fix:
This has been corrected.
Fixed Versions:
12.1.3.3, 13.1.0.8, 14.0.0.3
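This entry and 704804-1 above both concern the NAS-IP-Address attribute (RADIUS attribute type 4) in the Access-Request the BIG-IP control plane sends. Because a RADIUS server configured to check NAS-IP-Address will reject logins in either case, an administrator verifying the fix wants to look at the attribute on the wire. The following is an added example (not F5 code) that builds a minimal RFC 2865 Access-Request, parses its attribute list, and classifies the value as correct, loopback, or byte-reversed against the expected management IP. The packets here are constructed with a fixed all-zero authenticator; a real request would be captured from the management interface with tcpdump, and the user name and management IP are the page's example values or made up.

```python
"""Inspect the NAS-IP-Address attribute (type 4) in an outgoing RADIUS
Access-Request and classify the two defects above: loopback instead of the
management address, and the four octets in reverse order."""

import ipaddress
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4


def build_access_request(identifier, authenticator, attrs):
    """Minimal RFC 2865 packet: code, id, length, 16-byte authenticator, AVPs."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    """Return (code, [(type, value), ...]); raises on a malformed AVP length."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, off = [], 20
    while off < length:
        t, l = packet[off], packet[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[off + 2:off + l]))
        off += l
    return code, attrs


def check_nas_ip(packet, expected_mgmt_ip):
    """'ok' when NAS-IP-Address equals the management IP, otherwise the kind
    of mismatch: 'missing', 'loopback', 'reversed' or 'unexpected'."""
    _code, attrs = parse_attributes(packet)
    values = [v for t, v in attrs if t == ATTR_NAS_IP_ADDRESS]
    if len(values) != 1 or len(values[0]) != 4:
        return "missing"
    raw = values[0]
    seen = ipaddress.IPv4Address(raw)
    expected = ipaddress.IPv4Address(expected_mgmt_ip)
    if seen == expected:
        return "ok"
    if seen.is_loopback:
        return "loopback"          # defect 704804-1
    if ipaddress.IPv4Address(raw[::-1]) == expected:
        return "reversed"          # defect 704733-1
    return "unexpected"


def sample_request(nas_ip_octets):
    """Constructed Access-Request with a fixed all-zero authenticator (a real
    client uses a random one) and the page's example management IP."""
    return build_access_request(7, bytes(16), [
        (ATTR_USER_NAME, b"admin"),
        (ATTR_NAS_IP_ADDRESS, bytes(nas_ip_octets)),
    ])


MGMT_IP = "172.30.56.78"
SAMPLE_OK = sample_request([172, 30, 56, 78])
SAMPLE_LOOPBACK = sample_request([127, 0, 0, 1])
SAMPLE_REVERSED = sample_request([78, 56, 30, 172])   # 78.56.30.172 on the wire

if __name__ == "__main__":
    for name, pkt in (("ok", SAMPLE_OK), ("loopback", SAMPLE_LOOPBACK), ("reversed", SAMPLE_REVERSED)):
        print(name, "->", check_nas_ip(pkt, MGMT_IP))
```

The "reversed" classification is only meaningful for IPv4, which matches the condition stated for 704733-1; the attribute is a fixed four octets in network byte order, so a reversed value is a distinct, recognisable address rather than a parse error.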
704666-1 : memory corruption can occur when using certain certificates
Links to More Info: BT704666
Component: Local Traffic Manager
Symptoms:
If a certificate has an extremely long common name, or an extremely long alternative name and is attached to an SSL profile, memory corruption can occur when loading the profile.
Conditions:
An SSL profile is loaded with a certificate containing an extremely long common name or subject alternative name.
Impact:
TMM could crash.
Workaround:
Do not use certificates with extremely long common names or subject alternative names.
Fix:
A length check has been added to avoid corruption when using extremely long common names.
Fixed Versions:
12.1.3.4, 13.1.0.6, 14.0.0
704643-1 : Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule
Links to More Info: BT704643
Component: Application Security Manager
Symptoms:
When adding or modifying a user-defined Attack Signature in Simple Edit Mode, backslashes preceding a forward slash are mistakenly doubled in regular expression keywords within the Signature.
Conditions:
-- Add or modify a user-defined Attack Signature with a regular expression keyword containing an escaped forward slash in Simple Edit Mode.
Impact:
The backslash escaping the forward slash is doubled, which changes the enforced signature rule.
Workaround:
Create or modify the Signature rule using Advanced Edit Mode.
Fix:
When adding or modifying a user-defined Attack Signature in Simple Edit Mode, backslashes preceding a forward slash are handled correctly in regular expression keywords within the Signature rule.
Fixed Versions:
13.1.0.8, 14.0.1.1
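Doubling the backslash turns an escaped slash into a literal backslash followed by a slash, so the stored signature silently stops matching the request it was written for. The following is an added illustration (not ASM code) that reproduces the Simple Edit Mode mangling on a constructed path-traversal keyword and shows the effect on two constructed requests. ASM regex keywords are PCRE-style; Python's re module treats a backslash before a slash the same way for this purpose, so the comparison holds.

```python
"""Reproduces the Simple Edit Mode escaping defect and shows how it changes
what a signature enforces. Illustration only, not ASM code; the signature
keyword and requests are made up."""

import re


def simple_edit_bug(regex):
    """The defect: every backslash that precedes a slash comes back doubled."""
    return regex.replace("\\/", "\\\\/")


def matches(regex, text):
    return re.search(regex, text) is not None


def stored_as_authored(authored, stored):
    """Post-save check: read the signature back and compare it to what you
    typed. False means the stored form is not the one you wrote."""
    return authored == stored


# Constructed signature keyword for a path-traversal probe, and two requests.
SIGNATURE = r"\.\.\/etc\/passwd"          # intended: literal ../etc/passwd
MANGLED = simple_edit_bug(SIGNATURE)       # \.\.\\/etc\\/passwd
TRAVERSAL = "/cgi-bin/view?file=../../etc/passwd"
BENIGN = "/cgi-bin/view?file=report.txt"

if __name__ == "__main__":
    for name, rx in (("authored", SIGNATURE), ("as stored by Simple Edit", MANGLED)):
        print(f"{name:26s} {rx:22s} traversal={matches(rx, TRAVERSAL)} "
              f"benign={matches(rx, BENIGN)}")
```

The mangled form only matches a request that literally contains a backslash before each slash, which a traversal payload does not; that is the sense in which the enforced rule changed. Reading the signature back after saving and comparing it with what was entered is a cheap way to catch this on affected versions.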
704587-2 : Authentication with UTF-8 chars in password or handling of IP addresses fail due to byte-array processing in iRules
Links to More Info: BT704587
Component: Access Policy Manager
Symptoms:
This issue can have a number of observable effects, including:
1. APM end users cannot login to the server. The log contains a message similar to the following: iRule err 'bad IP address format'.
2. When using the HTTP::header insert command, an iRule produces the following error: bad IP address format.
3. An iRule may produce other 'bad format' errors when processing inputs containing UTF-8 characters or other objects that are handled as byte arrays.
Conditions:
The corresponding conditions under which the above-described symptoms may occur include:
1. APM end users who have UTF-8 characters in their password.
2. An iRule uses the 'HTTP::header insert' command to insert the '[HTTP::header True-Client-IP]' object.
3. An iRule processes other input containing IP addresses (such as 'IP::addr') or UTF-8 characters or other objects that are handled as byte arrays.
These symptoms may occur when low-level Tcl functions servicing iRule APIs parse UTF-8 characters into strings. The Tcl marshaling routines used by some iRule functions (including HTTP::header insert) coerce some arguments into the bytearray type, which receives special treatment when coerced into other objects (such as IP addresses). Under certain conditions, when a string is coerced into a bytearray, the coercion fails and the error noted in the logs is produced.
Because APM user authentication is implemented via iRules, the handling of UTF-8 characters in iRules affects APM user authentication when the user password contains UTF-8 characters.
These symptoms may occur on affected versions of BIG-IP software due to underlying changes in the low-level Tcl implementation.
Impact:
For the above-described symptoms, the corresponding impacts include:
1. APM authentication service is unavailable.
2. An iRule fails when using the HTTP::header insert command.
3. Other iRules may fail when using other APIs that process IP addresses (such as 'IP::addr') or strings containing UTF-8 characters or other objects that are handled as byte arrays.
Workaround:
1. To work around the APM authentication symptom, add a Variable Assign agent after the Logon Page with following assignment:
(check the secure checkbox)
session.logon.last.password = set pass [mcget -secure session.logon.last.password]; binary scan $pass c* chars; set newpass ""; foreach {ch} $chars { append newpass [format %c [expr $ch & 0xFF]] }; return $newpass
2. To work around errors processing 'HTTP::header insert' commands, avoid processing string variables with the 'HTTP::header insert' command. You can first convert the string to an IP address with IP::addr. For example:
Change
HTTP::header insert X-Forwarded-For $myip1
To
HTTP::header insert X-Forwarded-For [IP::addr $myip1 mask "255.255.255.255"]
where $myip1 could be a string representation of an IP address defined earlier with: set myip1 "78.210.81.133"
3. It may be possible to work around other iRule errors related to processing IP addresses (such as 'IP::addr') or UTF-8 characters or other objects that are handled as byte arrays by troubleshooting the iRule to determine the source of the error, and assigning the value to another string variable before further processing.
Fix:
Special UTF-8 characters (including in user passwords authenticated using APM), IP addresses, and other objects that are handled as byte arrays in iRules are now handled properly.
Fixed Versions:
13.1.1.5, 14.0.0.5
704580-1 : apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
704555-2 : Core occurs if DIAMETER::persist reset is called when no persistence key is set
Links to More Info: BT704555
Component: Service Provider
Symptoms:
tmm crashes and restarts.
Conditions:
The system is configured to use a custom persistence key, but no persistence key has been set and DIAMETER::persist reset command is used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid using DIAMETER::persist reset if a persistence key has not been set.
Fix:
System ignores the reset command if the key has not been set
Fixed Versions:
13.1.1.5, 14.0.0.5
704552 : Support for ONAP site licensing
Links to More Info: BT704552
Component: TMOS
Symptoms:
ONAP site licensing not supported.
Conditions:
-- Attempting to use ONAP site licensing
Impact:
BIG-IP system does not license.
Workaround:
None.
Fix:
Ported ONAP site licensing support to this version of the software.
Behavior Change:
This version of the software supports ONAP site licensing.
Fixed Versions:
13.1.0.7, 14.0.0.2, 14.1.4.1
704528-2 : tmm may run out of memory during IP shunning
Links to More Info: BT704528
Component: Advanced Firewall Manager
Symptoms:
If no AppIQ is configured on an AFM-provisioned system, over time the system can run out of memory causing tmm to crash/restart.
Conditions:
-- Blacklist profile is configured with blacklist categories.
-- AppIQ is not configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
If no AppIQ is configured, the system now correctly handles the shunned IPs that are to be sent to the ECM server.
Fixed Versions:
13.1.1.2, 14.0.0
704512-1 : Automated upload of qkview to iHealth can time out resulting in error
Links to More Info: BT704512
Component: TMOS
Symptoms:
The automated upload of qkview files to iHealth from the Support page of the BIG-IP GUI can time out while waiting for iHealth to finish its analysis. iHealth can realistically take several minutes to complete an analysis.
If the BIG-IP system times-out waiting for completion of the analysis, the link to the iHealth record is not stored.
Conditions:
iHealth takes longer than three minutes to complete analysis of a qkview file after uploading.
Impact:
Support history will not contain links to completed qkviews.
Workaround:
Run qkview from the command line and upload to iHealth manually.
Fix:
The iHealth link is now stored immediately after the qkview is successfully uploaded, and the timeout is not considered an error.
Fixed Versions:
13.1.1.2, 14.0.0
704450-3 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
Links to More Info: BT704450
Component: Local Traffic Manager
Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').
Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.
Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.
Workaround:
Reduce the load on the system.
Fix:
'bigd' no longer crashes, and runs with a complete configuration, when it is (re-)started while the BIG-IP system is under heavy load and 'mcpd' is therefore delayed in configuring 'bigd'.
Fixed Versions:
12.1.5.2, 13.1.3.2, 14.1.0.2
704435-1 : Client connection may hang when NTLM and OneConnect profiles used together
Links to More Info: BT704435
Component: Local Traffic Manager
Symptoms:
In deployments where a NT LanManager (NTLM) authentication profile and a OneConnect profile are used together in a LTM virtual server to label an authenticated connection to a Domain Controller (DC), if the persisted connection to the DC is re-used, the connection may hang. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.
Conditions:
The NTLM and OneConnect profiles are associated with a LTM virtual server.
Impact:
A client connection is not serviced, and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.
Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller are not pooled, but all other features are retained.
Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.
Fixed Versions:
13.1.0.6
704381-5 : SSL/TLS handshake failures and terminations are logged at too low a level
Links to More Info: BT704381
Component: Local Traffic Manager
Symptoms:
SSL/TLS handshake failures and terminations are logged at too low a level (INFO).
Conditions:
-- SSL/TLS connections are received or sent.
-- Handshake failures are logged.
Impact:
Sometimes other errors are produced, and the cause is a SSL/TLS handshake failure, but this failure is not being logged.
Workaround:
There is no workaround.
Fix:
SSL/TLS handshake failures and terminations are now logged at a higher level (WARNING).
Fixed Versions:
11.6.5.1, 12.1.3.6, 13.1.0.8, 14.0.0.3
704369-2 : TMM on BIG-IP restarts if a dos profile is attached to a virtual with sip-routing enabled
Links to More Info: BT704369
Component: Advanced Firewall Manager
Symptoms:
TMM restarts on a BIG-IP if a dos profile is attached to a virtual with sip-routing enabled
Conditions:
1. A virtual with sip-routing enabled.
2. A dos profile is attached to this virtual
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
There is no workaround at this time.
Fix:
TMM no longer restarts when a DoS profile is attached to a virtual server with sip-routing enabled.
Fixed Versions:
13.1.1.2, 14.0.0
704336-1 : Updating 3rd party device cert not copied correctly to trusted certificate store
Links to More Info: BT704336
Component: TMOS
Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.
Conditions:
Updating Device certificate which also includes multiple intermediate and root certificates.
Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.
Workaround:
Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.
Fix:
The fix adds all intermediate and root certificates, along with the Device Certificate, to the Trusted Server and Trusted Device certificate bundles.
Fixed Versions:
12.1.3.6, 13.1.1.2
704282-2 : TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy
Links to More Info: BT704282
Component: TMOS
Symptoms:
Rarely, TMM halts and restarts when calculating the BWC pass rate for dynamic bwc policy.
Conditions:
-- Using BWC dynamic bwc policy.
-- Fair share rate is low.
For this to happen, the fair share rate of the dynamic policy instance has to be less than 32 times the average packet size of that policy instance.
For example, if the average packet size is 1 KB, then the fair share would be under 32 KB.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
F5 does not recommend running the BWC under 64Kbps.
Either decrease the number of subscribers or increase the max-rate of dynamic policy.
Fix:
TMM no longer halts and restarts when calculating the BWC pass rate for dynamic bwc policy when fair share rate is low.
Fixed Versions:
12.1.3.6, 13.1.0.6
704247-2 : BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
Links to More Info: BT704247
Component: TMOS
Symptoms:
BIG-IP .iso images may fail to install if multiple copies of the same image are present and have been deleted.
Conditions:
-- Have multiple copies of the same image .iso in the /shared directory on a BIG-IP system.
-- Delete one of them.
Impact:
Installation attempt of the remaining image(s) might fail.
Workaround:
Restart the lind process, so the installation can continue.
Fix:
The BIG-IP system now installs an image even if multiple copies of the same image are present and one of them has been deleted.
Fixed Versions:
12.1.3.7, 13.1.0.8, 14.0.0.3
704236-1 : TMM crash when attaching FastL4 profile
Links to More Info: BT704236
Component: Anomaly Detection Services
Symptoms:
TMM crashes and generates a core file.
Conditions:
-- FastL4 profile is attached to a virtual server.
-- L4 stats profile is defined.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes under these conditions.
Fixed Versions:
13.1.1.4, 14.0.0
704207-1 : DNS query name is not showing up in DNS AVR reporting
Links to More Info: BT704207
Component: Advanced Firewall Manager
Symptoms:
DNS query name is not showing up in DNS AVR reporting.
Conditions:
Sending traffic to Virtual with DNS profile.
Impact:
No query information for DNS is reported in AVR.
Workaround:
There is no workaround at this time.
Fix:
The DNS query name now appears in AVR reporting.
Fixed Versions:
13.1.0.4, 14.0.0
704198-3 : Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance
Links to More Info: K29403988 , BT704198
Component: Global Traffic Manager (DNS)
Symptoms:
Orphaned monitor_instance records in mcpd. Secondary blade restarting in a loop.
Conditions:
Modify the monitor for GTM objects using tmsh with replace-all-with.
Impact:
There is a leaked/extra monitor instance. Restarting the secondary slot results in a restart loop.
Workaround:
Impact of workaround: Might change the primary slot.
Restart services using the following command:
# bigstart restart
Fixed Versions:
12.1.5.2, 13.1.3.4, 14.1.2.5
704143-1 : BD memory leak
Links to More Info: BT704143
Component: Application Security Manager
Symptoms:
A BD memory leak.
Conditions:
WebSocket traffic with a specific configuration.
Impact:
Resident memory increases, swap getting used.
Workaround:
Make sure the web socket violations are not due to bad websocket URL configuration, that they are turned on in Learn/Alarm or block and that there is a local logger configured and attached.
Fixed Versions:
12.1.3.6, 13.1.1.2, 14.0.0
704073-1 : Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm
Links to More Info: K24233427 , BT704073
Component: Local Traffic Manager
Symptoms:
'bad transition' OOPS messages may be repeatedly logged to /var/log/ltm and /var/log/tmm over time, polluting the log files.
Conditions:
Although there are no definitive user-discernible conditions, use of SSL functionality might increase the likelihood of logging.
Impact:
Log pollution and potential for performance degradation.
Workaround:
Suppress the logging using the following command:
tmsh modify sys db tmm.oops value silent
Fix:
The 'bad transition' OOPS logging has been demoted to internal, debug builds only.
Fixed Versions:
12.1.3.2, 13.1.0.4
703959 : Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI
Links to More Info: BT703959
Component: Advanced Firewall Manager
Symptoms:
Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI. The 'Infinite' values for detection and mitigation are retained. No error message is returned.
Conditions:
Attempting to configure manual AFM detection and mitigation threshold for DoS Protection Dynamic Signatures using the Management GUI.
Impact:
The BIG-IP system administrator is not aware that the configuration change failed to be applied.
Workaround:
Manual thresholds for Dynamic Signatures can be configured using TMSH.
Fix:
You can now change manual detection and mitigation threshold via TMUI.
Fixed Versions:
13.1.0.4
703914-2 : TMM SIGSEGV crash in poolmbr_conn_dec.
Links to More Info: BT703914
Component: Local Traffic Manager
Symptoms:
TMM cores in poolmbr_conn_dec function.
Conditions:
A connection limit is reached on a VS having an iRule using LB::reselect and a pool using request queueing.
Impact:
TMM core, traffic interruption, possible failover.
Workaround:
Do not use LB::reselect; disable request queueing on any pool associated with the VS.
Fix:
TMM correctly handles LB::reselect on virtual servers with pools using request queueing.
Fixed Versions:
12.1.3.6, 13.1.0.6, 14.0.0
703869 : Waagent updated to 2.2.21
Links to More Info: BT703869
Component: TMOS
Symptoms:
Microsoft updates waagent via an open-source process, but that version is not compatible with BIG-IP software, so waagent cannot be upgraded outside of BIG-IP releases. Without this update, Microsoft will not support older releases of BIG-IP systems in their environment.
Conditions:
Using Microsoft Azure.
Impact:
Microsoft does not support the version of waagent shipped as part of BIG-IP software.
Workaround:
None.
Fix:
Waagent was updated to 2.2.21 from Microsoft along with F5 changes for compatibility with BIG-IP software.
Fixed Versions:
12.1.3.3, 13.1.0.7, 14.0.0.1
703848-1 : Possible memory leak when reusing statistics rows in tables
Links to More Info: BT703848
Component: TMOS
Symptoms:
The handling of the pointers to memory in the statistics tables includes a path that zeros out a pointer to further memory that should be freed. As a result, that memory is not freed in this case.
Conditions:
This condition is usually only hit when the entire file is being deleted, in which case it does not matter that the list is not fully traversed.
Impact:
When slabs are being reused this bug may cause a memory leak.
Workaround:
There is no workaround at this time.
Fix:
The code has been fixed to properly follow the list.
Fixed Versions:
13.0.1, 13.1.0.4
703833-1 : Some bot detected features might not work as expected on Single Page Applications
Links to More Info: BT703833
Component: Application Security Manager
Symptoms:
Some client-side features do not work correctly when Single Page Application is enabled.
Conditions:
Enabling Single Page Application (on DoS or ASM) and Web Scraping -> Persistent Client Identification.
Impact:
The CAPTCHA challenge causes a loop of AJAX requests.
Workaround:
There is no workaround at this time.
Fix:
Fixed Persistent Client Identification for Single Page Applications.
Fixed Versions:
13.1.0.4
703793-3 : tmm restarts when using 'ACCESS::perflow get' in certain events
Links to More Info: BT703793
Component: Access Policy Manager
Symptoms:
tmm will restart when using 'ACCESS::perflow get' if the per-request policy has not been started yet.
Conditions:
Use 'ACCESS::perflow get' iRule in an event that runs before the per-request policy (e.g., CLIENT_ACCEPTED).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Initialization of certain variables was reworked so that the iRule command will not cause a core anymore if the per-flow value is unavailable due to the per-request policy not having been started yet.
Fixed Versions:
12.1.3.7, 13.1.0.6, 14.0.0
703761-2 : Disable DSA keys for public-key and host-based authentication in Common Criteria mode
Component: TMOS
Symptoms:
On a BIG-IP system configured for Common Criteria (CC) mode, DSA keys can still be used for key-based authentication to the BIG-IP system.
Conditions:
-- Running a CC release with CC Mode enabled.
-- Attempt to SSH-connect to the BIG-IP system from another system with a DSA key.
-- That DSA key is present in the BIG-IP system's authorized_keys file.
Impact:
If the key is in the BIG-IP system's authorized_keys file, public-key authentication succeeds, when DSA authentication should be disabled in CC mode.
Workaround:
There is no workaround at this time.
Fix:
DSA SSH keys are now disabled for public-key and host-based authentication in Common Criteria mode, as expected.
Fixed Versions:
12.1.3.4, 13.1.0.6
703702 : Fixed iControl REST not listing GTM Listeners
Links to More Info: BT703702
Component: Global Traffic Manager (DNS)
Symptoms:
When using iControl REST to get a list of GTM Listeners, no listeners will be returned.
Conditions:
Use iControl REST to get a list of GTM Listeners.
Impact:
Cannot get a list of GTM Listeners via iControl REST.
Workaround:
Use iControl REST to get a list of all LTM virtual servers, and then look for virtual servers with a DNS profile.
Fix:
Fixed the issue preventing iControl REST from returning a list of GTM Listeners.
Fixed Versions:
13.1.0.4
703669-2 : Eventd restarts on NULL pointer access
Links to More Info: BT703669
Component: TMOS
Symptoms:
The loop that reads /config/eventd.xml to load configuration data processes data in 1024-byte chunks. If the size of the file is a multiple of 1024 bytes, the end of file condition that terminates the file read does not occur until the subsequent read. The subsequent read returns zero (0) bytes and passes an empty buffer to the parser, which causes eventd to restart repeatedly.
Conditions:
The length of the file /config/eventd.xml is a multiple of 1024 bytes.
Impact:
Causes eventd to crash.
Workaround:
To work around the problem, insert whitespace in /config/eventd.xml to pad the file to a size that is not a multiple of 1024 bytes.
Fixed Versions:
13.1.1.2, 14.0.0.3
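The read-loop defect in ID 703669 is easy to reproduce in miniature. The following is an added illustration, not eventd's code: a constructed in-memory buffer stands in for /config/eventd.xml, a counting stub stands in for the XML parser, and the "fixed" loop shows the usual remedy (check the read result before passing a buffer to the parser), which is an assumption here since the page records only the padding workaround. The function names (mem_read, parse_chunk, empty_parses_for_size) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the read-loop defect described in ID 703669; this is
 * not eventd's code. A constructed in-memory buffer stands in for
 * /config/eventd.xml and a counting stub stands in for the XML parser. */

#define CHUNK 1024
#define MAX_FILE 4096

/* Minimal stand-in for read(2) over an in-memory file:
 * copies up to 'want' bytes and returns how many, 0 at end of file. */
typedef struct { const char *data; size_t len; size_t pos; } memfile;

static size_t mem_read(memfile *f, char *buf, size_t want) {
    size_t left = f->len - f->pos;
    size_t n = left < want ? left : want;
    memcpy(buf, f->data + f->pos, n);
    f->pos += n;
    return n;
}

/* Hypothetical parser stub: the real parser restarts eventd on an empty
 * buffer; here we only count how often that would have happened. */
static int empty_parse_calls;
static void parse_chunk(const char *buf, size_t n) {
    (void)buf;
    if (n == 0) empty_parse_calls++;
}

/* Buggy shape: treats a short read as the only end-of-file signal. A file
 * whose size is an exact multiple of CHUNK never produces a short read, so
 * one more read happens, returns 0 bytes, and that empty buffer reaches
 * the parser before the loop condition is checked. */
static void read_loop_buggy(memfile *f) {
    char buf[CHUNK];
    size_t n;
    do {
        n = mem_read(f, buf, CHUNK);
        parse_chunk(buf, n);
    } while (n == CHUNK);
}

/* Assumed fix: check the read result before handing anything to the parser,
 * so a 0-byte read ends the loop without a parser call. */
static void read_loop_fixed(memfile *f) {
    char buf[CHUNK];
    for (;;) {
        size_t n = mem_read(f, buf, CHUNK);
        if (n == 0) break;
        parse_chunk(buf, n);
    }
}

/* Runs one loop variant over a constructed file of 'len' bytes and returns
 * how many times the parser was handed an empty buffer (0 means safe). */
int empty_parses_for_size(size_t len, int use_fixed) {
    static char file[MAX_FILE];
    memfile f;
    if (len > MAX_FILE) len = MAX_FILE;
    memset(file, 'x', len);      /* constructed content; only the length matters */
    f.data = file; f.len = len; f.pos = 0;
    empty_parse_calls = 0;
    if (use_fixed) read_loop_fixed(&f); else read_loop_buggy(&f);
    return empty_parse_calls;
}

int main(void) {
    size_t sizes[] = { 1023, 1024, 2047, 2048 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("size %4zu: buggy empty parses=%d, fixed empty parses=%d\n",
               sizes[i], empty_parses_for_size(sizes[i], 0),
               empty_parses_for_size(sizes[i], 1));
    return 0;
}
```

The 2047-byte case is the page's workaround in miniature: padding the file to a size that is not a multiple of 1024 makes the last read short, so even the buggy loop exits before calling the parser with an empty buffer.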
703580-1 : TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.
Links to More Info: BT703580
Component: Local Traffic Manager
Symptoms:
TLS1.1 handshake failure on guest. The following error appears in /var/log/ltm:
warning tmm[11611]: 01260009:4: Connection error: ssl_hs_cn_vfy_fin:2339: corrupt Finished (20)
Conditions:
-- Using the VIPRION 42xx/43xx and B21xx blades.
-- Running BIG-IP software earlier than v12.1.3 (for example v12.1.2-hf2) on the vCMP host system.
-- Deploying vCMP guest running v12.1.3.
-- Using TLS1.1.
Impact:
TLS1.1 handshake fails on the guest.
Workaround:
Use the same software version on the vCMP host and vCMP guests.
Fix:
TLS1.1 handshake no longer fails when running a v12.x/v13.x vCMP guest with an earlier BIG-IP software version on the vCMP host.
Fixed Versions:
12.1.3.6, 13.1.1.2
703545-1 : DNS::return iRule "loop" checking disabled
Links to More Info: BT703545
Component: Global Traffic Manager (DNS)
Symptoms:
In ID 517347, checking was added to attempt to detect infinite loops caused by improper use of the DNS::return iRule command.
This is occasionally catching false positive loops resulting in connections being dropped incorrectly.
Conditions:
A virtual with a DNS profile that is using the udp profile instead of the udp_gtm_dns profile. An iRule that uses the DNS::return command.
Impact:
If a loop is erroneously detected, the connection will be dropped.
Workaround:
Where possible, use the udp_gtm_dns profile instead of udp on virtuals with a DNS profile.
Where possible, use a "return" command immediately after the "DNS::return" command to prevent accidentally calling DNS::return multiple times.
Fix:
The loop detection logic has been removed.
Fixed Versions:
13.1.0.8, 14.0.0
703515-3 : MRF SIP LB - Message corruption when using custom persistence key
Links to More Info: K44933323 , BT703515
Component: Service Provider
Symptoms:
If the custom persistence key is not a multiple of 3 bytes, the SIP request message may be corrupted when the via header is inserted.
Conditions:
The custom persistence key is not a multiple of 3 bytes.
Impact:
The SIP request message may be corrupted when the via header is inserted.
Workaround:
Pad the custom persistence key to a multiple of 3 bytes in length.
Fix:
All persistence key lengths work as expected.
Fixed Versions:
11.6.3.2, 12.1.3.6, 13.1.0.8
703429-2 : Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services
Links to More Info: BT703429
Component: Access Policy Manager
Symptoms:
Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services through F5 BIG-IP APM virtual server. The application closes just after entering the credentials.
Conditions:
-- Citrix Receiver for Android (v3.13.1) is used.
-- PNAgent replacement mode is configured for BIG-IP APM virtual server.
Impact:
No access to published Applications and Desktops through Citrix Receiver for Android.
Workaround:
None.
Fix:
System now provides valid data to Citrix Receiver for Android client.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.4
703298-2 : Licensing and phonehome_upload are not using the sync'd key/certificate
Links to More Info: BT703298
Component: TMOS
Symptoms:
After config-sync, the secondary unit's key passphrase does not decrypt the cached key file.
Conditions:
The original file for f5_api_com.key is used instead of the cached file.
Impact:
phonehome_upload will fail on the secondary unit because the passphrase doesn't match the key file.
Workaround:
After sync, copy the file /config/filestore/files_d/Common_d/certificate_key_d/:Common:f5_api_com.key_xxxx over to /config/ssl/ssl.key/f5_api_com.key using the following commands:
# cd /config/filestore/files_d/Common_d/certificate_key_d
# cp -a :Common:f5_api_com.key_xxxx /config/ssl/ssl.key/f5_api_com.key
Once the /config/ssl/ssl.key file is in sync, loading the config with either the cached or the un-cached file works correctly.
Fix:
The system now removes the source-path files and keeps only the cache-path files. phonehome_upload now works on the standby unit after a config-sync. Without the source-path files, which do not get synced, there is no danger of re-loading them.
Fixed Versions:
13.1.0.6, 14.0.0
703266-2 : Potential MCP memory leak in LTM policy compile code
Links to More Info: BT703266
Component: Local Traffic Manager
Symptoms:
A failure in processing an LTM policy may result in an MCP memory leak.
Conditions:
When Centralized Policy Management (CPM) fails to process an LTM policy.
Impact:
MCP memory leak.
Workaround:
There is no workaround at this time.
Fix:
This fix handles a rare MCP memory leak that may occur if CPM fails to process an LTM policy.
Fixed Versions:
13.1.1.2
703233 : Some filters don't work in Security->Reporting->URL Latencies page
Links to More Info: BT703233
Component: Application Visibility and Reporting
Symptoms:
If a filter by Virtual Servers or URLs is applied on the Security -> Reporting -> URL Latencies page, the data is not filtered.
Conditions:
No special condition.
Impact:
It is impossible to filter data on the aforementioned page.
Workaround:
There is no workaround at this time.
Fix:
An incorrect SQL query was applied to the statistics database upon such data request. The SQL query is fixed.
Fixed Versions:
13.1.0.4
703208-1 : PingAccessAgent causes TMM core
Links to More Info: BT703208
Component: Access Policy Manager
Symptoms:
PingAccessAgent can cause TMM to core due to accessing freed memory.
Conditions:
This happens in an edge-case situation. Exact steps are still under investigation. The suspicion is that the client aborts the connection while the TMM/PingAccessAgent module is still awaiting a response from the PingAccessAgent back-end server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fixed Versions:
13.1.0.6, 14.0.0
703196-5 : Reports for AVR are missing data
Links to More Info: BT703196
Component: Application Visibility and Reporting
Symptoms:
Some data collected by AVR is missing on some aggregation levels and thus missing from the reports.
Conditions:
Using AVR statistics.
Impact:
Expected AVR statistics may be missing.
Workaround:
Run the following shell command on BIG-IP:
sed -i "s|\(\s\)*SET\ p_aggr_to_ts.*$|$1$(grep "SET p_aggr_to_ts" /var/avr/avr_srv_code.sql | sed 's/truncate(/CEILING/' | sed 's/,0)//')|" /var/avr/avr_srv_code.sql
Fix:
Time-range selection for aggregation is fixed and now statistics should be aggregated correctly to the next level.
Fixed Versions:
13.1.3.2
703191-2 : HTTP2 requests may contain invalid headers when sent to servers
Links to More Info: BT703191
Component: Local Traffic Manager
Symptoms:
HTTP requests handled by an HTTP/2 virtual server may have blank header names when proxied through to the server or when handled via iRules.
Conditions:
-- Virtual server has the HTTP/2 profile assigned.
-- Client and the BIG-IP system negotiate/use HTTP/2.
Impact:
HTTP/2 applications may generate CSRF-related errors. Alternately, the server may return intermittent (and from the client's perspective, spurious) 400 Bad Request responses.
Workaround:
There is no workaround other than to remove the HTTP/2 profile from the virtual server.
Fixed Versions:
13.1.0.6
703171-1 : High CPU usage for apmd, localdbmgr and oauth processes
Links to More Info: BT703171
Component: Access Policy Manager
Symptoms:
High CPU Usage for apmd, localdbmgr, and oauthd with large configurations.
Conditions:
-- APM provisioned.
-- BIG-IP has a large configuration (e.g., a large number of virtual servers).
-- One of the following:
+ A full config sync happens from one device (with a large configuration) to another device.
+ When loading BIG-IP configurations that contain a large number of virtual servers.
Impact:
Depending on the operation:
+ The process on the second device exhibits high CPU usage.
+ The loading device exhibits high CPU usage.
APM end user traffic might not be processed by APM until it is done processing all the config changes. The amount of time service is down depends on how large the configuration is.
Workaround:
None.
Fix:
Startup processing of apmd, localdbmgr, and oauthd has been optimized to reduce CPU usage.
Fixed Versions:
13.1.0.6, 14.0.0
703165-5 : shared memory leakage
Links to More Info: BT703165
Component: Advanced Firewall Manager
Symptoms:
Processes that require shared memory to operate are failing (e.g., pabnagd).
Conditions:
Many shmem segments allocated and used by tmm.
Impact:
Potential failures in any process that requires shared memory segments, causing lack of services such as learning (bd+pabnagd), request logging (pabnagd+asm-config), etc.
Workaround:
There is no workaround at this time.
Fixed Versions:
13.1.3.5, 14.1.2.8
703045-1 : If using TMSH commands with deprecated attributes in iApp, the upgrade will fail.
Links to More Info: BT703045
Component: TMOS
Symptoms:
TMSH commands with deprecated attributes will fail if used in iApp.
Conditions:
TMSH commands with deprecated attributes will fail if used in an iApp. This is so whether the iApp is activated during the upgrade process or simply run as an iApp service from the user interface.
Impact:
TMSH commands will not execute; for example, a create command results in no objects (monitor, virtual server, etc.) being created.
Workaround:
Try to avoid deprecated attributes of the object in the iApp.
Fix:
All TMSH commands now handle deprecated attributes of objects consistently across the TMSH command line, CLI scripts, and iApps:
- TMSH commands run to full execution with only a warning message.
- Full execution means the object action is executed without error, and nothing goes amiss silently.
Fixed Versions:
13.1.1.2, 14.0.0.3
703039-2 : Empty results on /tm/sys/config-diff/stats
Links to More Info: BT703039
Component: TMOS
Symptoms:
The /tm/sys/config-diff/stats REST API endpoint returns an empty response.
This issue also causes the /tm/services endpoint to return a 400 response.
Conditions:
-- You have two scf files, e.g., f1 and f2, that you want to diff via the REST API.
-- You diff the files via /tm/sys/config-diff/stats?options=f1,f2.
-- This device is part of a BIG-IQ DNS sync group.
Impact:
The endpoint returns an empty response.
Workaround:
None.
Fix:
Fixed an issue with the config-diff/stats endpoint.
Fixed Versions:
13.1.3.6, 14.0.0
702946-3 : Added option to reset staging period for signatures
Links to More Info: BT702946
Component: Application Security Manager
Symptoms:
In cases where a staging period was started but no traffic passed through the security policy, you might want to reset the staging period when traffic starts, but there is no option to do so.
Conditions:
Staging enabled for signatures in policy.
Impact:
The system suggests enforcing the signature before any traffic has been able to influence this decision.
Workaround:
If all signatures are staged, you can enforce them all, and then enable staging again.
Note: Apply policy is required between actions.
Fix:
Added an option to reset the staging period for all or specific signatures. In the modal window shown after clicking 'Change properties...' on the Policy Signatures screen, when 'No' is not selected for 'Perform Staging', the system presents a Reset Staging Period checkbox.
Fixed Versions:
12.1.3.2, 13.1.0.4
702936-1 : TMM SIGSEGV under specific conditions.
Links to More Info: BT702936
Component: Anomaly Detection Services
Symptoms:
TMM crashes with SIGSEGV when running heavy traffic with LTM, ASM, AVR, and FPS provisioned and span port enabled.
Conditions:
-- LTM, ASM, AVR, and FPS are provisioned.
-- Span port is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This issue no longer occurs.
Fixed Versions:
13.1.1.4
702792-1 : Upgrade creates Server SSL profiles with invalid cipher strings
Links to More Info: K82327396 , BT702792
Component: Local Traffic Manager
Symptoms:
Upgrade of BIG-IP creates Server SSL profiles for custom HTTPS monitors that may have an invalid Ciphers attribute. This does not prevent the configuration from loading, but attempting to modify the existing SSL profile or create a new one with matching configuration fails with the following message:
01070312:3: Invalid keyword 'kedh' in ciphers list for profile /Common/name-of-server-ssl-profile
Conditions:
Custom HTTPS monitors configured prior to an upgrade result in these profiles being created during the upgrade.
The default HTTPS cipherlist is 'DEFAULT:+SHA:+3DES:+kEDH', which is a valid OpenSSL cipher list, but is not a valid Client SSL / Server SSL cipher list.
Note that issues where the configuration fails to load and shows a similar error message may be due to ID 705730; see https://cdn.f5.com/product/bugtracker/ID705730.html
Impact:
Upgrade creates configurations that are challenging to manage as a result of MCPD validation.
Workaround:
Reconfigure the cipher list to be valid according to both the OpenSSL cipher list and the Client SSL / Server SSL cipher list expectations.
For instance, use "DEFAULT:+SHA:+3DES:+EDH" instead of "DEFAULT:+SHA:+3DES:+kEDH".
Fix:
Upgrade no longer creates Server SSL profiles with invalid cipher strings.
Fixed Versions:
13.1.1.4, 14.0.0
702738-1 : Tmm might crash activating new blob when changing firewall rules
Links to More Info: K32181540 , BT702738
Component: Advanced Firewall Manager
Symptoms:
TMM crashes with core when changing firewall rules. TMM can enter a crash-loop, so it will crash again after restarting.
Conditions:
Updating, removing, or adding firewall rules.
Specific characteristics of change that can cause this issue are unknown; this issue occurs rarely.
Impact:
Data traffic processing stops.
Workaround:
There are two workaround options:
Option A
1. Delete all policies.
2. Create them again without allowing blob compilation.
3. Repeat steps 1 and 2 until all the policies have been created (enable on-demand-compilation).
Option B
Modify all the rules simultaneously.
For example, the following steps will resolve this issue:
1. Enable on-demand-compilation.
2. Select an IP address that is not used in any rules, e.g., 1.1.1.1.
3. Add that IP address to all the rules/source in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses add { 1.1.1.1 } } } }
4. Delete the IP address (restore rules) in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses delete { 1.1.1.1 } } } }
5. Disable on-demand-compilation. Doing so starts new blob compilation.
Fix:
TMM no longer crashes when changing firewall rules.
Fixed Versions:
12.1.3.4, 13.1.1
702705-2 : Core observed during lease query testing when RADIUS Authentication is configured in DHCP profile
Links to More Info: BT702705
Component: Policy Enforcement Manager
Symptoms:
TMM may halt and restart when RADIUS Authentication is configured in a DHCP profile.
Conditions:
1. RADIUS Authentication is configured in a DHCP profile.
2. The DHCP response does not contain the expected information.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
This version handles these conditions, so tmm does not halt and restart.
Fixed Versions:
13.1.0.6
702520-2 : Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address.
Links to More Info: K53330514 , BT702520
Component: TMOS
Symptoms:
BIG-IP fails to reattach floating addresses to local interfaces during failover, when two or more objects are configured with the same IP address in a given traffic group.
Failover fails with the following error in /var/log/ltm: err logger: /usr/libexec/aws/aws-failover-tgactive.sh (traffic-group-1): Failed to reassign some or all address(es): <IP address> <the same IP address> on interface <eni address>.
Conditions:
-- AZ AWS failover.
-- Same IP address is used for two or more virtual addresses, self IPs, NAT, SNAT translation.
Note: Having two virtual servers with the same IP address (but different ports) does not cause the problem. Also, there is no conflict when using the same IP address for different traffic groups.
Impact:
Failover will fail; some or all IP addresses will not be transferred to the active BIG-IP system.
Workaround:
The only workaround is to change the configuration to use unique IP addresses for conflicting objects.
Fix:
This issue has been resolved.
Fixed Versions:
13.1.0.4
702487-3 : AD/LDAP admins with spaces in names are not supported
Links to More Info: BT702487
Component: Access Policy Manager
Symptoms:
If an admin is imported from Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) and the name contains spaces, Visual Policy Editor (VPE), import/export/copy/delete, etc., fail and post an error message similar to the following: sourceMCPD::loadDll User 'test user' have no access to partition 'Common'.
Note: Names containing spaces are not supported on BIG-IP systems.
Conditions:
-- Admin name containing spaces is imported from AD or LDAP.
-- Attempt to perform operations in VPE.
Impact:
VPE, import/export/copy/delete do not work.
Workaround:
There is no workaround other than to not use admin names containing spaces.
Fix:
VPE and utilities operations are now supported, even for admins with spaces in names. However, F5 recommends against using spaces in admin names, and recommends that you modify the admin name to remove the spaces.
Fixed Versions:
12.1.3.4, 13.1.0.6
702457-2 : DNS Cache connections remain open indefinitely
Links to More Info: BT702457
Component: Global Traffic Manager (DNS)
Symptoms:
Resizing or clearing the DNS cache while a lot of traffic is running can cause numerous connections to remain open indefinitely, and tmm may crash.
Conditions:
Resizing or clearing the DNS cache while it is resolving connections.
Impact:
Connections remain open forever, using up memory.
Workaround:
If you are encountering this, you can remove these connections by restarting tmm:
tmsh restart sys service tmm
Impact of workaround: Traffic disrupted while tmm restarts.
Fix:
Fixed an issue where the DNS Cache kept connections open indefinitely when clearing or resizing a cache with active resolutions occurring.
Fixed Versions:
12.1.5.3, 13.1.1.4, 14.0.0.5
702450-1 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect
Links to More Info: BT702450
Component: Local Traffic Manager
Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:
# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.
The referenced object is not a "policy action" in this case, but is a virtual server.
Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.
Impact:
Possible confusion over the error message.
Workaround:
There is no workaround at this time.
Fix:
Made the error message accurately reflect what the user was attempting to delete.
Fixed Versions:
11.6.4, 12.1.5, 13.1.1.2, 14.0.0.5
702439 : Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
Links to More Info: K04964898 , BT702439
Component: Local Traffic Manager
Symptoms:
If the HTTP/2 configuration header_table_size is changed from the default value of 4096, then streams will be reset with a RST_STREAM error.
Conditions:
The header_table_size field in the HTTP/2 profile is changed from the default.
Impact:
HTTP/2 connections will be unusable.
Workaround:
Set the header table size argument back to its default.
Fix:
The HTTP/2 filter correctly handles the dynamic header table resize notifications triggered by a non-default header table size. Streams will not be reset with a RST_STREAM error.
Additionally, the BIG-IP system will now send the correct number of dynamic header table resize notifications when the table is resized by the client multiple times between header blocks.
Fixed Versions:
13.1.0.4
702419 : Protocol Inspection needs add-on license to work
Links to More Info: BT702419
Component: Protocol Inspection
Symptoms:
Protocol Inspection does not work.
Conditions:
-- AFM is licensed and provisioned through 'Good' or 'Better' license, but no add-on subscription license for Protocol Inspection. Alternately, AFM licensed as an add-on module to another module (typically LTM).
-- Protocol Inspection profile configured and applied to a Virtual Server or referenced in a firewall rule in an active firewall policy.
-- Upgrade to 13.1.0.3 or later.
-- Attempt to use Protocol Inspection functionality.
Impact:
Protocol Inspection functions that used to work no longer work.
Workaround:
Activate an add-on subscription or obtain an AFM standalone license. Protocol Inspection functionality now requires one of these.
Fix:
Protocol Inspection now requires an add-on license to work.
Note: If you previously had Protocol Inspection configured without an add-on license installed, the features are not applied to traffic until the add-on license is obtained, even though the interface allows you to configure them.
Behavior Change:
The Protocol Inspection (PI) Intrusion Detection and Prevention System functionality now requires either an add-on subscription or an AFM standalone license for any of the features to work. A 'Good' or 'Better' license no longer enables the PI features.
Note: The Configuration Utility allows you to configure inspection profiles, compliance checks, and signatures, but they are not applied to traffic. There is no feedback that they are not applied. The operations simply fail silently.
Fixed Versions:
13.1.0.3
702310-1 : The ':l' and ':h' options are not available on the tmm interface in tcpdump
Links to More Info: BT702310
Component: TMOS
Symptoms:
The ':l' and ':h' options are not available on the tmm interface in tcpdump.
Conditions:
Running tcpdump.
Impact:
Packet capture on the tmm interface from the Linux side or the host side of tmm interface is not possible.
Workaround:
There is no workaround at this time.
Fix:
The tmm interface now accepts ':l' and ':h' and packets on this interface can be captured from the Linux side or the host side.
Fixed Versions:
13.1.3
702278-2 : Potential XSS security exposure on APM logon page.
Component: Access Policy Manager
Symptoms:
Potential XSS security exposure on APM logon page.
Conditions:
-- A LTM virtual server with an Access Policy assigned to it.
-- The Access Policy is configured to use a 'Logon Page' VPE agent, followed by AAA agent with 'Max Logon Attempts Allowed' set to a value greater than 1.
Impact:
Potential XSS security exposure.
Workaround:
1. Using the APM Advanced Customization UI, remove the setOrigUriLink(); call in logon.inc from the following JS function:
function OnLoad()
{
    var header = document.getElementById("credentials_table_header");
    var softTokenHeaderStr = getSoftTokenPrompt();
    if ( softTokenHeaderStr ) {
        header.innerHTML = softTokenHeaderStr;
    }
    setFormAttributeByQueryParams("auth_form", "action", "/subsession_logon_submit.php3");
    setFormAttributeByQueryParams("v2_original_url", "href", "/subsession_logon_submit.php3");
    // ===> REMOVE THIS ONE setOrigUriLink();
----
Fix:
Potential security exposure has been removed from APM logon page.
Fixed Versions:
12.1.3.4, 13.0.1, 13.1.0.6, 14.0.0
702263-1 : An access profile with large number of SAML Resources (greater than 200) causes APM error ERR_TOOBIG while loading.
Links to More Info: BT702263
Component: Access Policy Manager
Symptoms:
In a SAML SP-initiated use case (APM is the IdP) with a large Access Policy that has 200 or more SAML resources assigned to users, each time a new SAML resource is added to that Access Policy, the entire SSO service becomes unusable and no new sessions can be established. The system generates internal metadata that consists of the names of all the SAML resources along with their SSO name. This metadata is limited to 4 KB in size. When this limit is reached, the system logs errors similar to the following:
-- err tmm3[15840]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_TOOBIG. File: ../modules/hudfilter/access/access.c, Function: access_create_saml_meta_data, Line: 21001
-- err tmm3[15840]: 014d1014:3: /Common/SAML_SSO_access:Common:7a34161c:SAML SSO: Error(16) Unable to find SAML SSO/SP Connector object matching SAML Authn Request.
Conditions:
A SAML SSO Access policy has a large number of SAML Resources assigned to it (such that the combined length of their names is greater-than-or-equal-to 4 KB).
Impact:
The system logs an error on running the Access Policy, and the whole SSO service becomes unusable. No new sessions can be established.
Workaround:
Delete any unused SAML resources from the SAML SSO access policy so that the combined length of the names of all SAML resources assigned to the Access Policy is less than 4 KB.
Fix:
The system now allocates memory dynamically for the internally stored metadata, so it can handle large lists of assigned SAML resource objects.
Fixed Versions:
13.1.0.4
702227-3 : Memory leak in TMSH load sys config
Links to More Info: BT702227
Component: TMOS
Symptoms:
When loading a configuration, either through tmsh load sys config or the corresponding iControl REST command, the TMSH or icrd_child processes can leak memory.
Conditions:
When configuration is loaded via TMSH or iControl REST.
Impact:
The TMSH process memory or icrd_child process memory continues to grow every time the config is loaded.
Workaround:
If memory consumption grows in the TMSH process, restart the TMSH process.
If memory consumption grows in iControl REST, restart the REST service using the following command: bigstart restart restjavad.
Fix:
There is no longer a memory leak when loading configuration in TMSH or iControl REST.
Fixed Versions:
13.1.1.2, 14.0.0.3
702222-1 : RADIUS and SecurID Auth fails with empty password
Links to More Info: BT702222
Component: Access Policy Manager
Symptoms:
If the password value is empty, the following error message is logged in /var/log/apm:
err apmd[14259]: 014902f0:3: /Common/profile_name:Common:eb69a5gd: RADIUS Agent: Failed to read Password Source session variable:
Conditions:
This occurs only when following conditions are met:
- RADIUS or SecurID auth agent is included in the access policy.
- Empty password value is used for authentication.
Impact:
User may not be authenticated.
Workaround:
- Add a variable assignment agent before the RADIUS/SecurID auth agent in the access policy.
- Set 'session.logon.last.password' (or whichever password source is used for authentication) to a random value.
Fix:
RADIUS/SecurID auth agent allows empty password value for authentication.
Fixed Versions:
13.1.0.4
702151-1 : HTTP/2 can garble large headers
Links to More Info: BT702151
Component: Local Traffic Manager
Symptoms:
The HTTP/2 filter may incorrectly encode large headers.
Conditions:
A header that encodes to larger than 2048 bytes may be incorrectly encoded.
Impact:
The garbled header may no longer conform to the HPACK specification, causing the connection to be dropped, or it may be well-formed but contain incorrect data.
Fix:
The HTTP/2 filter correctly encodes large HTTP headers.
Fixed Versions:
11.6.3.3, 12.1.3.6, 13.1.0.8
702008-1 : ASM REST: Missing DB Cleanup for some tables
Links to More Info: BT702008
Component: Application Security Manager
Symptoms:
Finished REST tasks that are not deleted by the client that initiated them are meant to be cleaned up periodically. Certain tasks are not included in this cleanup job.
Conditions:
The following tasks are not reaped automatically if left uncleaned by the REST client that initiated them:
From 13.0.x:
-- /mgmt/tm/asm/tasks/apply-server-technologies
-- /mgmt/tm/asm/tasks/bulk
-- /mgmt/tm/asm/tasks/export-policy-template
-- /mgmt/tm/asm/tasks/export-requests
-- /mgmt/tm/asm/tasks/import-policy-template
From 13.1.0:
-- /mgmt/tm/asm/tasks/export-data-protection
-- /mgmt/tm/asm/tasks/import-data-protection
-- /mgmt/tm/asm/tasks/import-certificate
-- /mgmt/tm/asm/tasks/policy-diff
-- /mgmt/tm/asm/tasks/policy-merge
-- /mgmt/tm/asm/tasks/update-enforcer
Impact:
DB space usage grows with each ASM REST task that is not cleaned up.
Workaround:
REST Clients that initiate tasks can delete them after verifying the task has reached a final state.
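The following is an added example of that client-side cleanup; it is not F5 code and not part of this release note. It walks the task collections listed above, keeps only tasks whose status is final, and issues one DELETE per task. Assumptions not stated on the page: each collection under /mgmt/tm/asm/tasks/<name> returns {"items": [...]} with "id" and "status" fields, and "COMPLETED" and "FAILURE" are the terminal statuses; verify both against your own device's responses before running it against a real BIG-IP with an authenticated requests.Session.

```python
# Added example: reap finished ASM REST tasks that the DB cleanup job skips.
# Not F5 code. Field names and status values below are assumptions; check
# them against a real GET /mgmt/tm/asm/tasks/<name> response first.

# Task collections this release note lists as not reaped automatically.
UNREAPED_TASKS = [
    "apply-server-technologies", "bulk", "export-policy-template",
    "export-requests", "import-policy-template", "export-data-protection",
    "import-data-protection", "import-certificate", "policy-diff",
    "policy-merge", "update-enforcer",
]

# Assumed terminal task states: only these are safe to delete.
TERMINAL_STATUSES = {"COMPLETED", "FAILURE"}


def finished_task_ids(collection):
    """Return ids of tasks in a final state from one decoded collection response."""
    return [item["id"] for item in collection.get("items", [])
            if item.get("status") in TERMINAL_STATUSES]


def delete_urls(base_url, task_name, task_ids):
    """Build one DELETE URL per finished task."""
    return [f"{base_url}/mgmt/tm/asm/tasks/{task_name}/{tid}" for tid in task_ids]


def reap(session, base_url, task_names=UNREAPED_TASKS):
    """GET each collection, DELETE its finished tasks, return {name: deleted ids}.

    `session` needs .get(url) returning an object with .json(), and .delete(url).
    A requests.Session with .auth and .verify configured satisfies this.
    """
    deleted = {}
    for name in task_names:
        collection = session.get(f"{base_url}/mgmt/tm/asm/tasks/{name}").json()
        ids = finished_task_ids(collection)
        for url in delete_urls(base_url, name, ids):
            session.delete(url)
        deleted[name] = ids
    return deleted


class FakeSession:
    """Offline stand-in for requests.Session, backed by constructed sample data."""

    def __init__(self, collections):
        self.collections = collections  # collection name -> decoded JSON
        self.deleted = []               # DELETE URLs issued, in order

    def get(self, url):
        body = self.collections.get(url.rsplit("/", 1)[-1], {"items": []})

        class Resp:
            def json(self):
                return body
        return Resp()

    def delete(self, url):
        self.deleted.append(url)


# Constructed sample (not captured from a device): two finished tasks, one running.
SAMPLE = {
    "export-requests": {"items": [
        {"id": "t1", "status": "COMPLETED"},
        {"id": "t2", "status": "STARTED"},
        {"id": "t3", "status": "FAILURE"},
    ]},
}


def demo():
    """Run the reaper against the sample; returns the DELETE URLs it issued."""
    fake = FakeSession(SAMPLE)
    reap(fake, "https://bigip.example.net", ["export-requests", "bulk"])
    return fake.deleted


if __name__ == "__main__":
    for url in demo():
        print("DELETE", url)
```

The running task t2 is left alone, which is the point of the workaround text above: a task is only deleted once it has reached a final state.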
Fix:
REST tasks left behind are now pruned by the DB Cleanup process.
Fixed Versions:
13.1.0.8
701898-1 : Certain virtual address route-advertisement settings break upgrades from 13.0.0 hotfix rollups
Links to More Info: BT701898
Component: TMOS
Symptoms:
Upgrading from a version of 13.0.0 other than the base build may fail, depending on the value of the virtual address route-advertisement setting. If it is set to 'selective', 'any', or 'all', the configuration fails to load after the upgrade with an error similar to the following example in the /var/log/ltm file:
load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- Loading schema version: 13.0.0 Syntax Error:(/config/bigip.conf at line: 1790) invalid property value "route-advertisement":"selective"
Conditions:
- Upgrading from a version of 13.0.0 other than the base (i.e. HF1 or later).
- Upgrading to 13.1.0 or later.
- At least one virtual address with its route-advertisement value set to 'selective', 'any', or 'all'.
Impact:
Configuration will not load. If the unit being upgraded is a stand-alone unit, this will result in a traffic outage.
Workaround:
If you become aware of this issue prior to upgrading:
1. Note any virtual address route-advertisement settings that are 'selective', 'any', or 'all'.
2. Change all of these values to either 'enabled' or 'disabled' (note that this will change the route advertisement behavior temporarily).
3. Perform the upgrade. The goal of this step is to have the BIG-IP system perform an installation while carrying forward the new, modified configuration. Note that if your chosen destination (e.g., HD1.3) already exists and contains the very software you want to install (e.g., 13.1.1.2), you must first delete the destination before you can re-use it. By design, the BIG-IP system does not perform an installation if the desired software is already present in the destination boot location; attempting such an installation just reboots the BIG-IP system into that boot location without performing any installation, which defeats the point of this workaround.
4. Once the upgrade completes, change the route advertisement settings back to their original values.
If you become aware of this issue after the upgrade has already failed:
1. Boot back into the old/working boot location.
2. Delete the boot location containing the failed installation.
3. Follow the procedure detailed under 'If you become aware of this issue prior to upgrading'.
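As an added example of steps 1, 2 and 4 of the procedure above (not F5 code, and not part of this release note), the script below reads the output of `tmsh list ltm virtual-address route-advertisement`, records every virtual address set to 'selective', 'any', or 'all', and emits the tmsh commands that set them to 'enabled' before the upgrade and restore the recorded values afterwards. The stanza layout it parses and the choice of 'enabled' as the temporary value are assumptions; run it against each partition's output and keep the generated restore commands somewhere off the box until step 4 is done.

```python
# Added example, not F5 code: plan the route-advertisement changes for the
# 13.0.0-hotfix-to-13.1.x upgrade workaround. Parses an assumed
# "ltm virtual-address <name> { ... }" stanza layout from tmsh output.
import re
import shlex
import sys

# Values this release note says fail to load after the upgrade.
AFFECTED_VALUES = {"selective", "any", "all"}

STANZA_RE = re.compile(r"ltm virtual-address (?P<name>\S+) \{(?P<body>.*?)\n\}", re.S)
RA_RE = re.compile(r"route-advertisement\s+(\S+)")


def find_affected(tmsh_output):
    """Step 1: map each virtual address to its value when that value is one the note flags."""
    affected = {}
    for stanza in STANZA_RE.finditer(tmsh_output):
        ra = RA_RE.search(stanza.group("body"))
        if ra and ra.group(1) in AFFECTED_VALUES:
            affected[stanza.group("name")] = ra.group(1)
    return affected


def pre_upgrade_commands(affected, temporary="enabled"):
    """Step 2: commands that move each flagged address to 'enabled' or 'disabled'."""
    if temporary not in ("enabled", "disabled"):
        raise ValueError("temporary value must be 'enabled' or 'disabled'")
    return [f"tmsh modify ltm virtual-address {shlex.quote(name)} route-advertisement {temporary}"
            for name in sorted(affected)]


def post_upgrade_commands(affected):
    """Step 4: commands that restore the recorded original values."""
    return [f"tmsh modify ltm virtual-address {shlex.quote(name)} route-advertisement {value}"
            for name, value in sorted(affected.items())]


# Constructed sample output (not captured from a real device).
SAMPLE_OUTPUT = """\
ltm virtual-address /Common/10.1.1.10 {
    route-advertisement selective
}
ltm virtual-address /Common/10.1.1.11 {
    route-advertisement disabled
}
ltm virtual-address /Common/10.1.1.12 {
    route-advertisement any
}
"""


def plan(tmsh_output, temporary="enabled"):
    """Return the before/after command lists for one partition's tmsh output."""
    affected = find_affected(tmsh_output)
    return {
        "affected": affected,
        "before_upgrade": pre_upgrade_commands(affected, temporary),
        "after_upgrade": post_upgrade_commands(affected),
    }


if __name__ == "__main__":
    # Usage: tmsh list ltm virtual-address route-advertisement | python3 ra_plan.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    result = plan(text)
    print("# before upgrade"); print("\n".join(result["before_upgrade"]))
    print("# after upgrade");  print("\n".join(result["after_upgrade"]))
```

The address set to 'disabled' is ignored, since the note only flags the three values that the 13.1 schema rejects; 'enabled' is used as the temporary value so that the addresses keep being advertised during the upgrade window, at the cost of the behavior change the note warns about in step 2.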
Fix:
Upgrades from 13.0.0 hotfix rollups involving certain virtual address route-advertisement settings no longer fail.
Fixed Versions:
13.1.1.5, 14.0.0
701889-1 : Setting log.ivs.level or log-config filter level to informational causes crash
Links to More Info: BT701889
Component: Service Provider
Symptoms:
Certain log messages for internal virtual servers (IVS) at the 'informational' log level cause TMM to crash when they are logged. The messages are logged at the end of an HTTP transaction to or from an IVS.
Conditions:
Informational-level logging is enabled:
- sys db log.ivs.level informational or
- log-config filter level set to info
A transaction that passes HTTP to/from an internal virtual server.
Impact:
TMM crashes and restarts, causing loss of connections.
Workaround:
Avoid setting log.ivs.level to 'informational' or a more verbose level, and avoid setting the log-config filter level to 'info' or more verbose. The default level is 'error', which does not trigger the bug.
Fix:
Informational messages for internal virtual server (IVS) are logged as expected and TMM does not crash.
Fixed Versions:
13.1.0.6
701856-1 : Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart
Links to More Info: BT701856
Component: Application Security Manager
Symptoms:
In rare circumstances, when Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm), ASM-config Event Dispatcher memory usage grows uncontrollably.
Conditions:
In rare circumstances, Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm).
Impact:
ASM-config Event Dispatcher memory usage grows continuously until the device eventually fails over.
Workaround:
Restart asm_config_server on all devices using the following command:
killall asm_config_server.pl
Fix:
ASM-config Event Dispatcher memory usage remains stable even upon multiple Policy Builder restarts.
Fixed Versions:
12.1.3.7, 13.1.1.2
701841-2 : Unnecessary file recovery_db/conf.tar.gz consumes /var disk space
Links to More Info: BT701841
Component: Application Security Manager
Symptoms:
A file, /ts/var/install/recovery_db/conf.tar.gz, is saved unnecessarily during a UCS file save and consumes /var disk space.
Conditions:
UCS file is saved.
Impact:
The /var filesystem can become full; this may degrade system performance over time, and can eventually lead to traffic disruptions.
Workaround:
Manually delete /ts/var/install/recovery_db/conf.tar.gz.
Fix:
Unnecessary file recovery_db/conf.tar.gz is no longer written.
Fixed Versions:
12.1.3.2, 13.1.0.4
701826 : qkview upload to ihealth fails or unable to untar qkview file
Links to More Info: BT701826
Component: TMOS
Symptoms:
A qkview upload to iHealth fails because the qkview file cannot be untarred.
Conditions:
When the qkview file is untarred, it creates the same directory name in a loop, as shown below, and fails to untar successfully.
.../dir1/
.../dir1/dir1/
.../dir1/dir1/dir1/
...
This happens due to a dangling symlink, dir1, that points to nothing (its target is empty):
[root@localhost:Active:Standalone] config # ls -l /config/bigip/auth/pam.d/dir1
lrwxrwxrwx. 1 root root 64 2018-01-30 08:56 /config/bigip/auth/pam.d/dir1 ->
[root@localhost:Active:Standalone] config # stat /config/bigip/auth/pam.d/dir1
File: `/config/bigip/auth/pam.d/dir1' -> `'
Size: 64 Blocks: 8 IO Block: 4096 symbolic link
Device: fd16h/64790d Inode: 112045 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-01-30 08:56:20.000000000 -0800
Modify: 2018-01-30 08:56:20.000000000 -0800
Change: 2018-01-31 08:39:35.000000000 -0800
[root@localhost:Active:Standalone] config #
Impact:
Unable to untar qkview or qkview upload to ihealth fails.
Workaround:
Identify the dangling symlink and delete it. Then generate the qkview again, or use iHealth to generate the qkview and upload it to iHealth.
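As an added example of the identification step (not F5 code and not part of this release note), the following scans a directory tree for symlinks whose target does not resolve, including one with an empty target like the dir1 link shown above, and optionally removes them. It builds a constructed demo tree under a temporary directory rather than touching /config; on a real unit you would point it at /config (or use `find /config -xtype l`, which GNU find provides for the same purpose) and review the list before deleting anything.

```python
# Added example, not F5 code: find (and optionally remove) dangling symlinks
# of the kind that makes qkview's tar loop on dir1/dir1/dir1/...
import os
import tempfile


def find_dangling_symlinks(root):
    """Return sorted (relative path, link target) pairs for unresolvable symlinks.

    os.path.islink() is true for the link itself; os.path.exists() follows it
    and is false when the target is missing. A link with an empty target (the
    note's stat output shows `-> ''`) is caught the same way, because the
    kernel cannot resolve an empty path. os.walk() does not follow symlinked
    directories, so a link pointing back at its parent cannot loop this scan.
    """
    dangling = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and not os.path.exists(path):
                dangling.append((os.path.relpath(path, root), os.readlink(path)))
    return sorted(dangling)


def remove_dangling_symlinks(root):
    """Unlink every dangling symlink under root; returns how many were removed."""
    removed = 0
    for rel, _target in find_dangling_symlinks(root):
        os.unlink(os.path.join(root, rel))  # unlink removes the link, never the target
        removed += 1
    return removed


def make_demo_tree():
    """Constructed sample tree: a regular file, a good symlink, and a dangling one."""
    root = tempfile.mkdtemp(prefix="qkview-demo-")
    pamd = os.path.join(root, "pam.d")           # mirrors the note's pam.d location
    os.makedirs(pamd)
    with open(os.path.join(pamd, "login"), "w") as fh:
        fh.write("auth required pam_unix.so\n")
    os.symlink("login", os.path.join(pamd, "good-link"))      # resolves
    os.symlink("does-not-exist", os.path.join(pamd, "dir1"))  # dangling
    return root


if __name__ == "__main__":
    demo_root = make_demo_tree()
    for rel, target in find_dangling_symlinks(demo_root):
        print(f"dangling: {rel} -> {target!r}")
    print("removed:", remove_dangling_symlinks(demo_root))
```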
Fix:
The qkview tool now identifies dangling symlinks and handles them safely to avoid looping.
Fixed Versions:
13.1.1.2
701800-2 : SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x
Links to More Info: K29064506 , BT701800
Component: Access Policy Manager
Symptoms:
Mac RDP client 10.x shows credentials prompt when SSO-enabled native RDP resource is launched from the APM Webtop. If the user enters credentials manually, the RDP client will display an error message.
Conditions:
-- Mac RDP client is of version 10.x (e.g., 10.1.6).
-- Native RDP resource is assigned to the webtop.
-- SSO is enabled on the RDP Resource.
Impact:
RDP resource cannot be launched.
Workaround:
Add the following to 'Custom Parameters' of SSO-enabled RDP resources:
full address:s:%{session.server.network.name}
promptcredentialonce:i:1
Fix:
SSO-enabled native RDP resources now can be launched from APM Webtop with Mac RDP client 10.2.0.
Fixed Versions:
13.1.1.2, 14.0.0.5
701792-2 : JS Injection into cached HTML response causes TCP RST on the fictive URLs
Links to More Info: BT701792
Component: Application Security Manager
Symptoms:
A TCP RST is sent when a browser requests a fictive URL that starts with either of the following strings:
-- /TSPD/xxx...xxx?type=x
-- /TSbd/xxx...xxx?type=x
Conditions:
This occurs in either of the following scenarios:
-- ASM policy is attached to a virtual server, and any of the following is enabled: Cross-Site Request Forgery (CSRF), Web Scraping/Single Page Application/AJAX Blocking internal.
-- DoS profile with Single Page Application enabled is attached to a virtual server.
Impact:
CSRF/Web Scraping/Single Page Application/AJAX Blocking page features might not work. This happens intermittently when the back-end server's HTML page (the one where the fictive URL is injected) is cached in the browser for more than two days.
Workaround:
Use an iRule to disable caching for HTML pages where a fictive URL is injected.
Fix:
The system now includes a new ASM internal parameter, 'disable_cache_upon_injection', which is disabled by default. When it is enabled, ASM sets response headers that disable caching on HTML responses in which a fictive URL is injected.
Fixed Versions:
13.1.1.4
701740-1 : apmd leaks memory when updating Access V2 policy
Links to More Info: BT701740
Component: Access Policy Manager
Symptoms:
A small leak occurs in the apmd process when it processes MCP notifications about configuration updates.
Conditions:
-- An Access Policy configuration is changed.
-- apmd receives a notification about it.
Impact:
apmd grows in size very slowly. The issue does not have any immediate and significant impact on BIG-IP system functionality.
Workaround:
There is no workaround at this time.
Fix:
apmd no longer leaks a small amount when processing MCP notifications.
Fixed Versions:
13.1.0.4
701737-1 : apmd may leak memory on destroying Kerberos cache
Links to More Info: BT701737
Component: Access Policy Manager
Symptoms:
apmd leaks memory in the AD Query agent.
Conditions:
The leak happens in response to any of the following conditions:
-- A Kerberos cache reset is requested (any of the caches - GROUP/PSO/KERBEROS).
-- Changes to the associated AAA AD server were made and a new Access Policy was applied.
-- AD Query was unable to ldap_bind to the KDC and the error is NOT a timeout (e.g., invalid administrator password).
Impact:
apmd leaks memory and might behave unstably.
The apmd process, or some other daemon may be killed by OOM killer when it tries to allocate memory.
Workaround:
There is no workaround at this time.
Fix:
AD Query agent no longer causes apmd memory leak during group cache update.
Fixed Versions:
13.1.0.4
701736-1 : Memory leak in Machine Certificate Check agent of the apmd process
Links to More Info: BT701736
Component: Access Policy Manager
Symptoms:
The apmd process leaks memory in the Machine Certificate Check agent.
Conditions:
Machine Certificate Check agent is configured in an Access Policy.
Impact:
apmd may grow in size. This may lead to the apmd process, or another process, being killed by the OOM killer.
Workaround:
There is no workaround at this time.
Fix:
An apmd memory leak in the Machine Certificate Check agent has been fixed.
Fixed Versions:
13.1.0.4
701690-1 : Fragmented ICMP forwarded with incorrect icmp checksum
Links to More Info: K53819652 , BT701690
Component: Local Traffic Manager
Symptoms:
Large fragmented ICMP packets that traverse the BIG-IP system might have their source or destination IP addresses changed and be transmitted with an incorrectly calculated ICMP checksum.
Conditions:
A FastL4 virtual server that can transmit ICMP (ip-protocol ICMP or any), or a SNAT/NAT, receives a fragmented ICMP packet that is expected to be passed through the virtual server (or SNAT or NAT).
Impact:
Large ICMP echo packets (greater than MTU) will be dropped by the recipient due to the checksum error. No echo response will be seen.
Workaround:
Turn on IP fragment reassembly on the FastL4 profile associated with the virtual server.
Fixed Versions:
13.1.1.2
701680-2 : MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds
Links to More Info: BT701680
Component: Service Provider
Symptoms:
Applying rate-limiting to MBLB SIP or Diameter virtual servers might cause the virtual server to periodically stop sending packets to the pool member server for a few seconds.
Conditions:
-- MBLB SIP or Diameter virtual server.
-- Rate-limited is applied.
Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.
Workaround:
There is no workaround at this time.
Fix:
MBLB rate-limited virtual server now correctly sends packets to the server.
Fixed Versions:
12.1.4.1, 13.1.3
701678-2 : Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded
Links to More Info: BT701678
Component: Local Traffic Manager
Symptoms:
TMM may periodically stop sending packets to the server for a few seconds when the configured virtual server rate-limit value is exceeded.
Conditions:
-- Virtual server configured with a rate limit.
-- Uses a UDP profile (i.e., not using TCP or FastL4).
-- The idle-timeout is set to immediate.
Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.
Workaround:
None.
Fix:
UDP rate-limited virtual server now correctly sends packets to the server.
Fixed Versions:
12.1.4, 13.1.1.4, 14.0.0
701639-1 : Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by BIG-IP as SP.
Links to More Info: BT701639
Component: Access Policy Manager
Symptoms:
Session variables in the Requested Authentication Context Class of an SP are not resolved when the Authentication Request is generated by the BIG-IP system acting as SP; they are sent as is. This is a behavior change from v12.1.2/v12.1.3/v13.0.0, where the value was substituted in the SP's AuthnRequest sent to the IdP.
Conditions:
The Requested Authentication Context Class in the SP is configured with a session variable similar to the following:
%{session.client.type}
Impact:
The generated Authentication Request does not have the session variable resolved. The string is sent as is. The Authentication Request fails and the session cannot be established.
Workaround:
None.
Fix:
The system now resolves the session variable in the configured Authentication Context Class for SP while generating the Authentication Request.
Fixed Versions:
13.1.0.4, 14.0.0
701637 : Crash in bcm56xxd during TMM failover
Links to More Info: BT701637
Component: Advanced Firewall Manager
Symptoms:
During a TMM failover, such as after an upgrade to a later version of software, bcm56xxd might crash.
Conditions:
TMM failover.
Impact:
Restart of bcm56xxd; temporary loss of network connectivity.
Workaround:
There is no workaround at this time.
Fix:
Bcm56xxd no longer crashes and restarts on a TMM failover.
Fixed Versions:
13.1.1
701626-2 : GUI resets custom Certificate Key Chain in child client SSL profile
Links to More Info: K16465222 , BT701626
Component: TMOS
Symptoms:
In the GUI, editing a client SSL profile or selecting a different parent profile changes the Certificate Key Chain to default (i.e., /Common/default.crt and /Common/default.key).
Conditions:
This happens in the following scenario:
1. Using the GUI, create a client SSL profile.
2. Configure the new profile to inherit from a client SSL profile other than the default, clientssl.
3. Click the Custom box for Certificate Key Chain and select a different cert and key from the default.
4. Click Update.
5. In the GUI, change any setting in the newly created profile, or select a different parent profile (but not the clientssl profile).
6. Click Update again.
Impact:
The system resets Certificate Key Chain to default, even though the Custom box is checked.
Workaround:
To work around this issue in the GUI, select the Custom checkbox next to the 'Certificate Key Chain' option in the parent profile. This sets inherit-certkeychain to false on the parent, preventing the issue from occurring.
You can also use tmsh to update parent profile settings to avoid this issue.
Fix:
GUI no longer resets custom Certificate Key Chain in child client SSL profiles.
Fixed Versions:
11.6.3.3, 12.1.3.4, 13.1.0.6
701538-2 : SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured
Links to More Info: BT701538
Component: Local Traffic Manager
Symptoms:
The SSL handshake fails if the client initiates the handshake with TLS False Start, that is, the client sends application data records before the server has sent its ChangeCipherSpec and Finished messages.
Conditions:
1. Client initiates the SSL handshake with False Start.
2. The BIG-IP system has SSL hardware acceleration enabled (which is the default for non-Virtual Edition (VE) platforms).
Impact:
The BIG-IP system sends a RST to tear down the connection when TLS False Start is used.
Workaround:
There is no true workaround. You must remove one of the conditions to work around the issue:
-- Disable TLS False Start. (Note: this might not be feasible because it needs to be done on all clients.)
-- Disable SSL acceleration.
-- Disable AES-GCM ciphers in the client SSL profile. Without AES-GCM, clients do not attempt TLS False Start and can still use (EC)DHE.
Fix:
The system no longer processes application data before verifying that the Finished message has arrived and the handshake is complete.
Fixed Versions:
12.1.3.5, 13.1.1
701529-1 : Configuration may not load or not accept vlan or tunnel names as "default" or "all"
Links to More Info: BT701529
Component: TMOS
Symptoms:
As a result of a known issue, configurations containing VLANs or tunnels named "default" or "all" are no longer accepted.
Conditions:
Attempting to configure this results in an error similar to the following:
root@(f5-ve)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net tunnels tunnel default profile ppp
01070712:3: Cannot create tunnel 'default' in rd1 - ioctl failed: Invalid argument
Impact:
A configuration that contained this in earlier versions and upgraded to the affected version will fail to load.
Workaround:
Change or rename all instances of VLANs and/or tunnels named "default" or "all".
Fixed Versions:
13.1.3.4, 14.1.2.7
701359-4 : BIND vulnerability CVE-2017-3145
Links to More Info: K08613310
701327-2 : failed configuration deletion may cause unwanted bd exit
Links to More Info: BT701327
Component: Application Security Manager
Symptoms:
Immediately after the deletion of a configuration fails, bd exits.
Conditions:
When deleting a configuration fails.
Impact:
Unwanted bd restart.
Workaround:
None.
Fix:
bd now exits upon a failed configuration deletion only when it is configured to exit on failure.
Fixed Versions:
12.1.3.2, 13.1.0.4
701288-1 : Server health significantly increases during DoSL7 TPS prevention
Links to More Info: BT701288
Component: Anomaly Detection Services
Symptoms:
Mitigation of DoSL7 TPS affects server health value.
Conditions:
-- DoSL7 TPS configured together with BADOS.
-- DoSL7 TPS is active.
Impact:
-- Incorrect Server Health reporting.
-- Might activate Behavioral DoS (BADoS) false-attack detection when attacks mitigated by DoSL7 TPS are stopped.
Workaround:
None.
Fix:
Server health now displays the actual backend server state, and does not incorrectly grow.
Fixed Versions:
13.1.0.8, 14.0.0
701249-1 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
Links to More Info: BT701249
Component: TMOS
Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.
The NAS-IP-Address attribute identifies the device that the end-user client is authenticating to. For the BIG-IP system this is typically its management IP address, but the BIG-IP system always sends 127.0.0.1 instead. Depending on how the RADIUS server is configured, authentication might succeed or fail.
Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.
Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.
Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.
Workaround:
There is no workaround.
Fixed Versions:
12.1.3.3, 13.1.0.8, 14.0.0.3
701244-1 : An incorrect data manipulation in cipher encrypt and decrypt could cause TMM crash with SIGABRT
Links to More Info: K81742541 , BT701244
Component: Local Traffic Manager
Symptoms:
TMM receives SIGABRT from the failover daemon, sod, due to a heartbeat failure shortly after TMM starts up.
Conditions:
In some rare scenarios, the TCP Fast Open encrypt/decrypt key may not be properly initialized when traffic arrives at the BIG-IP system.
Impact:
Multiple TMM threads can get into a loop, causing heartbeat failure. TMM restarts; traffic is disrupted while TMM restarts.
Workaround:
None.
Fix:
The incorrect data manipulation in cipher encrypt and decrypt has been fixed.
Fixed Versions:
13.1.0.6
701202-3 : SSL memory corruption
Links to More Info: K35023432 , BT701202
Component: Local Traffic Manager
Symptoms:
In some instances random memory can be corrupted causing TMM core.
Conditions:
SSL is configured (either client-ssl or server-ssl) and SNI is used to select a non-default profile.
Impact:
TMM crash, disrupting traffic.
Workaround:
There is no workaround at this time.
Fix:
The memory corruption issue has been fixed.
Fixed Versions:
12.1.3.4, 13.1.0.6
701147-2 : ProxySSL does not work properly with Extended Master Secret and OCSP
Links to More Info: K36563645 , BT701147
Component: Local Traffic Manager
Symptoms:
SSL handshake fails if the BIG-IP system is operating in ProxySSL mode, while client and server negotiate to use the Extended Master Secret and OCSP features together.
Conditions:
1. Virtual server is configured to work in ProxySSL mode.
2. Client and server negotiate the SSL handshake with the Extended Master Secret.
3. Client and Server negotiate to use the OCSP.
Impact:
ProxySSL does not work properly with Extended Master Secret and OCSP simultaneously.
Workaround:
None.
Fix:
The certificate status (OCSP) message is now included in the Extended Master Secret calculation.
Fixed Versions:
13.1.0.6
701056-1 : User is not able to reset their Active Directory password
Links to More Info: BT701056
Component: Access Policy Manager
Symptoms:
When Active Directory is used for authenticating APM users and the user is required to change password on next APM logon, APM fails to update the password.
Conditions:
- APM is licensed and provisioned
- Active Directory is used for authenticating the users
- When logging on to APM, user is asked to change the password
Impact:
User is not able to change the password.
Workaround:
There is no workaround.
Fix:
APM end users can now successfully reset the password.
Fixed Versions:
13.1.1.2
700895-1 : GUI Network Map objects in subfolders are not being shown
Links to More Info: K34944451 , BT700895
Component: TMOS
Symptoms:
Objects created in subfolders under a partition are not showing up in the GUI Network Map when selecting the partition.
Conditions:
-- Create a virtual server under a subfolder.
-- View Network Map while /Common is the active partition.
For example:
1. Create a subfolder such as /Common/subfolder.
2. In that subfolder, create a virtual server such as /Common/subfolder/virtualserver1.
3. Select /Common as the partition.
4. View the Network Map.
The virtual server /Common/subfolder/virtualserver1 is not shown on the Network Map.
Impact:
Cannot see the objects in the subfolder.
Workaround:
Select the partition 'All[Read Only]' to see all objects in subfolders.
Fixed Versions:
13.1.0.8
700889-3 : Software syncookies without TCP TS improperly include TCP options that are not encoded
Links to More Info: K07330445 , BT700889
Component: Local Traffic Manager
Symptoms:
When sending a software syncookie with no TCP timestamp option present, tmm still sends back TCP options such as window scaling (WS) and SACK-permitted. The values for these options are encoded in the timestamp field, which is not sent. When the final ACK of the three-way handshake arrives (without a timestamp), there is no way to know that the BIG-IP system negotiated SACK, WS, and the other options that were encoded in the timestamp. This leaves the client believing that the options are enabled and the BIG-IP system believing that they are not.
Conditions:
TCP timestamps are disabled by the client, or in the TCP profile.
Impact:
In one known case, the client was Windows 7, which apparently disables timestamps by default. Users might experience poor connection performance because the client believes it is using WS and that the BIG-IP system will scale up the advertised window. However, the BIG-IP system does not use WS in this case; it uses the window size from the TCP header directly, causing it to send small packets (believing it has filled the window) and wait for a response.
Workaround:
Specifically prevent the WS issue by lowering the send_buffer_size and receive_window_size to less than or equal to 65535.
Fix:
Added dependency between the window scale option and the timestamp option in a SYN/ACK response.
Fixed Versions:
11.6.3.3, 12.1.3.6, 13.1.0.8
700862-1 : tmm SIGFPE 'valid node'
Links to More Info: K15130240 , BT700862
Component: Local Traffic Manager
Symptoms:
A rare TMM crash with tmm SIGFPE 'valid node' may occur if the host is unreachable.
Conditions:
The host is unreachable.
Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This fix handles a rare TMM crash when the host is unreachable.
Fixed Versions:
12.1.3.4, 13.1.0.4
700827-4 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.
Links to More Info: BT700827
Component: TMOS
Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic
Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.
For example, some servers always use randomly selected even source port numbers, so the 'stride' of the selected ports is 2: a sorted list of the ports looks like 2, 4, 6, 8, ... 32002, 32004, striding over the odd ports.
Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.
Workaround:
Randomize source ports when connecting via a BIG-IP system.
Fix:
This release introduces a new variable you can use to mitigate the issue:
mhdag.pu.table.size.multiplier
1. Set the variable to 2 or 3 as appropriate on the vCMP host.
2. Restart tmm on all blades.
3. Restart tmm on the host.
4. Restart tmm on all guests.
Note: Restarting tmm on the guests only does nothing; restarting on the host only means that the guests still use old DAG settings and have high inter-TMM forwarding traffic, resulting in a worse condition than originally experienced.
Behavior Change:
This release introduces a new variable to mitigate this issue:
mhdag.pu.table.size.multiplier.
You must set the variable to 2 or 3 on the host, and then restart tmm on all host blades and then all guests to mitigate the issue.
Fixed Versions:
12.1.4, 13.1.1.4, 14.0.0.5
700812-1 : asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview
Links to More Info: BT700812
Component: Application Security Manager
Symptoms:
asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview.
Conditions:
Deploying a qkview on a BIG-IP system using the asmrepro tool while the BIG-IP system has a four-element version, such as 13.1.0.1.
Impact:
Cannot deploy a qkview from a four-element version on a BIG-IP system using the asmrepro tool.
Workaround:
None.
Fix:
asmrepro now handles the version number properly.
Fixed Versions:
12.1.3.6, 13.1.0.4
700757-1 : vcmpd may crash when it is exiting
Links to More Info: BT700757
Component: TMOS
Symptoms:
vcmpd may crash when it is exiting. The system logs an error message similar to the following in /var/log/ltm:
err vcmpd[14604]: 01510000:3: Uncaught exception: basic_string::_S_create
It's possible that vcmpd will then not start up, logging errors similar to the following in /var/log/ltm:
umount(/var/tmstat-vcmp/<guest name>) failed: (16, Device or resource busy
Conditions:
vCMP must be in use.
Impact:
vcmpd cores, but does so when already exiting. It is possible that vcmpd will then be unable to restart itself, and will need to be manually restarted.
Workaround:
If vcmpd cannot restart itself, you can manually restart it by running the following command:
tmsh restart sys service vcmpd
Fix:
Prevented vcmpd from crashing when exiting.
Fixed Versions:
11.6.4, 12.1.4, 13.1.1.2
700726-2 : Search engine list was updated, and fixing case of multiple entries
Links to More Info: BT700726
Component: Application Security Manager
Symptoms:
The default search engine list does not identify current search engines and blocks their traffic unnecessarily. Part of the issue is that when custom search engines are added, multiple search engines may match the User-Agent header, which causes the match to fail.
Conditions:
Site accessed by search engines.
Impact:
Traffic from search engines is blocked unnecessarily.
Workaround:
Manually add search engines.
Fix:
The search engine list has been updated to reflect current common search engine usage. Also, this version removes the check for multiple matching search engines, so that a request matching multiple search engines now bypasses the challenges.
Fixed Versions:
12.1.3.6, 13.1.0.4, 14.0.0
700724-2 : Client connection with large number of HTTP requests may cause tmm to restart
Links to More Info: BT700724
Component: Access Policy Manager
Symptoms:
tmm may restart while processing client request
Conditions:
- PingAccess profile is configured on the virtual server.
- A client connection sends over 64k HTTP requests that each result in a BIG-IP connection to the PingAccess policy server.
Impact:
Traffic will be disrupted while TMM restarts.
Workaround:
Modify the HTTP profile used by the affected virtual server to set the limit of HTTP requests per connection ("maximum requests per connection") to less than 64k, e.g. 63000 or less.
Fix:
Traffic will no longer be disrupted when client sends over 64k uncached requests on the same TCP connection.
Fixed Versions:
13.0.1, 13.1.0.4
700712-1 : MariaDB binary logging takes up disk space
Links to More Info: BT700712
Component: TMOS
Symptoms:
When there is a lot of traffic on the BIG-IP system, the DB grows quickly and reaches the maximum disk partition size.
Most of the disk space is occupied by mysqld-bin.00000X files.
Conditions:
-- A module that uses MariaDB is provisioned (examples: ASM or AVR).
-- Traffic is heavy.
Impact:
-- Disk space: DB grows quite fast and reaches max disk partition size.
-- Performance.
Workaround:
There is no workaround at this time.
Fix:
MariaDB binary logging disabled.
Fixed Versions:
13.1.3.2
700696-1 : SSID does not cache fragmented Client Certificates correctly via iRule
Links to More Info: BT700696
Component: Local Traffic Manager
Symptoms:
The last few bytes of a very large-sized Client Certificate (typically greater than 16,384 bytes) are not cached correctly if the certificate is received fragmented by the SSL Session ID (SSID) parser.
Conditions:
-- Client Authentication is enabled.
-- A very large Client Certificate is supplied (typically greater than 16,384 bytes).
-- SSL Session ID Persistence is enabled.
-- The iRule CLIENTSSL_CLIENTCERT is enabled.
Impact:
The client certificate is not stored on the BIG-IP device correctly. The last few bytes are missing.
Workaround:
Disable the CLIENTSSL_CLIENTCERT iRule when SSL Session ID (SSID) persistence is in use. Even though the Client Certificate does not get cached, that is preferable to caching an incorrect client certificate.
Fix:
This release supports caching of fragmented client certificates in the SSL Session ID (SSID) persistence feature to properly cache very large-size client certificates (typically exceeding 16,384 bytes).
Fixed Versions:
12.1.3.7, 13.1.1.2
700597-1 : Local Traffic Policy on HTTP/2 virtual server no longer matches
Links to More Info: BT700597
Component: Local Traffic Manager
Symptoms:
Local Traffic Policies may not match properly when a virtual server is handling HTTP/2 traffic.
Conditions:
Virtual server with Local Traffic Policy and HTTP/2 profile.
Impact:
Traffic fails to pass through the virtual server, or fails to be processed as expected.
Workaround:
If able, use HTTP rather than HTTP/2. Or disable the policy. Otherwise there is no workaround.
Fix:
Traffic now processed as expected.
Fixed Versions:
13.1.0.8
700576-1 : GUI - Server SSL Profile shows irrelevant options when "Server Certificate" is set to "Ignore"
Links to More Info: BT700576
Component: TMOS
Symptoms:
In the GUI, the ServerSSL Profile options "Expire Certificate Response Control" and "Untrusted Certificate Response Control" are shown as stand alone options, yet those settings are not honored when the "Server Certificate" option is set to "Ignore" (default).
Conditions:
Create a server SSL profile with the "Server Certificate" option set to "Ignore" (default).
The GUI shows the "Expire Certificate Response Control" and "Untrusted Certificate Response Control" options, yet those settings are not honored.
Impact:
No functional impact; it may cause confusion by allowing view/modify of irrelevant options.
Workaround:
No functional impact. The "Expire Certificate Response Control" and "Untrusted Certificate Response Control" options can be ignored when the "Server Certificate" option is set to "Ignore" (default).
Fix:
"Expire Certificate Response Control" and "Untrusted Certificate Response Control" server SSL profile options are hidden when "Server Certificate" option is set to "Ignore" (default).
Fixed Versions:
13.1.1.2, 14.0.0
700571-4 : SIP MR profile, setting incorrect branch param for CANCEL to INVITE
Links to More Info: BT700571
Component: Service Provider
Symptoms:
BIG-IP SIP profile MR does not maintain the Via 'branch parameter' ID when the Via header insertion is enabled for INVITE and CANCEL for the same INVITE.
Conditions:
This happens only when the following conditions are both met:
-- The transport connection that issued INVITE has been terminated.
-- A new transport is used to issue CANCEL
Impact:
The result is different branch IDs for the BIG-IP system-generated Via header. INVITE is only cancelled on the calling side, while on the called side, the line will ring until time out.
Workaround:
None.
Fix:
The branch parameter value calculation now remains consistent throughout the connection.
Fixed Versions:
11.6.3.2, 12.1.3.6, 13.1.0.4
700527-3 : cmp-hash change can cause repeated iRule DNS-lookup hang
Links to More Info: BT700527
Component: Global Traffic Manager (DNS)
Symptoms:
An iRule that uses RESOLV::lookup can hang repeatedly when cmp-hash configuration is changed.
Conditions:
-- iRule is in the middle of a call to RESOLV::lookup.
-- A change is made to VLAN cmp-hash configuration.
Impact:
The iRule call can hang repeatedly.
Workaround:
Restart the TMM. This will interrupt client traffic while TMM restarts.
Fix:
The iRule connection is reestablished when the pending query expires, so subsequent RESOLV::lookup calls do not hang per TMM.
Fixed Versions:
12.1.3.2, 13.1.0.4
700522-1 : APMD may unexpectedly restart when worker threads are stuck
Links to More Info: BT700522
Component: Access Policy Manager
Symptoms:
APMD restarts and logs a message about all threads being stuck.
Conditions:
A race condition allows the busy thread count to remain higher than the actual value. If it reaches the maximum thread count, APMD will restart.
Impact:
APMD can restart unexpectedly.
Workaround:
There is no workaround.
Fix:
A rare APM timing condition leading to an unexpected restart of services has been corrected.
Fixed Versions:
13.1.0.6
700433-1 : Memory leak when attaching an LTM policy to a virtual server
Links to More Info: K10870739 , BT700433
Component: Local Traffic Manager
Symptoms:
BIG-IP LTM policies may cause an mcpd process memory leak.
As a result of this issue, you may encounter one or more of the following symptoms:
-- Latency when configuring the BIG-IP system.
-- Error messages logged in /var/log/ltm similar to the following example:
01140029:4: HA daemon_heartbeat mcpd fails action is restart.
-- The mcpd process may generate a core file in the /var/core directory.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your configuration includes one or more virtual servers with an associated BIG-IP LTM policy.
-- The BIG-IP LTM policy has at least one rule.
Note: Rules with actions or conditions can leak increased amounts of memory.
-- You delete and add BIG-IP LTM policies that are associated with the virtual server.
Note: This modification causes the memory leak to increase over time.
Impact:
The mcpd process might run slower as memory is consumed, and can fail when all system memory is exhausted. Devices in a high availability (HA) configuration may experience a failover event.
Workaround:
None.
Fix:
The system now prevents MCP from leaking memory when attaching an LTM policy to a virtual server.
Fixed Versions:
11.6.4, 12.1.3.6, 13.1.1.2
700426 : Switching partitions while viewing objects in GUI can result in empty list
Links to More Info: K58033284 , BT700426
Component: TMOS
Symptoms:
In LTM Pool List, Node List, and Address Translations pages, switching partitions while viewing objects in the GUI can result in empty list.
Conditions:
This issue is present when all of the following conditions are met:
-- One partition contains multiple pages of objects.
-- The page count in one partition is greater than the page count in another.
-- The active page number is greater than 1.
-- You switch to a partition whose max number of pages is lower than the active page number.
For example, in the GUI:
1. Create two non-Common partitions.
2. In one partition, create enough pools so that they do not fit on one page.
3. In the second partition, create only enough pools for one page.
4. On the Local Traffic :: Pools list page in the first partition, navigate to the second page of objects.
5. Switch to the other partition.
6. Note that the displayed page contains no objects.
Impact:
The list of pools is empty despite the fact that there are pools available.
Workaround:
Return to the first page of objects before switching to any other partition.
Fix:
The system now resets to the first page if the page number is greater than the page count, so the partition's objects display correctly.
Fixed Versions:
13.1.1.2
700393-3 : Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash
Links to More Info: K53464344 , BT700393
Component: Local Traffic Manager
Symptoms:
Tmm might crash due to a stale/stalled HTTP/2 stream.
Conditions:
HTTP/2 profile in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
Stale/stalled HTTP2 streams are handled correctly to prevent a tmm crash.
Fixed Versions:
11.6.3.3, 12.1.3.4, 13.1.0.6, 14.0.0
700386-2 : mcpd may dump core on startup
Links to More Info: BT700386
Component: TMOS
Symptoms:
mcpd may generate a core file upon startup, with a message being logged that overdog restarted it because mcpd failed to send a heartbeat for five minutes.
Conditions:
This can happen only at startup.
Impact:
mcpd restarts, but resumes normal operation.
Workaround:
None.
Fix:
mcpd no longer generates a core on startup.
Fixed Versions:
12.1.4, 13.1.1.2
700322-2 : Upgrade may fail on a multi blade system when there are scheduled reports in configuration
Links to More Info: BT700322
Component: Application Visibility and Reporting
Symptoms:
Unable to upgrade to a newer version or hotfix. The secondary slot always fails the upgrade with the following error in /var/log/liveinstall.log:
error: status 256 returned by command: F5_INSTALL_SESSION_TYPE=install tmsh -f save sys ucs /var/tmp/fbSBcyXrsz.ucs
info: >++++ result:
info: Saving active configuration...
info: Thrift: Tue Dec 19 10:53:45 2017 TSocket::open() connect() <Host: localhost Port: 9090>Connection refused
info: Error during config save.
info: Unexpected Error: UCS saving process failed.
Conditions:
1) System has two or more slots (multi-blade)
2) There are scheduled reports in configuration.
Impact:
Upgrade fails.
Workaround:
1) Save configuration for scheduled reports aside.
2) Remove all scheduled reports from configuration.
3) Perform upgrade.
4) Add scheduled reports back to configuration.
Fix:
On secondary blades monpd listens on the slot-specific local address 127.0.3.X, so tmsh now uses this address (instead of 127.0.0.1) when it establishes a connection to monpd.
Fixed Versions:
13.1.1.5
700320 : tmm core under stress when BADOS configured and attack signatures enabled
Links to More Info: BT700320
Component: Anomaly Detection Services
Symptoms:
Tmm core under stress. Note: This issue has a very low probability of occurring.
Conditions:
-- Out of memory.
-- BADOS configured.
-- Attack signatures enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None, except to not configure attack signatures.
Fix:
Added protection for the case when the context adm_filters allocation fails.
Fixed Versions:
13.1.0.2
700315-2 : Ctrl+C does not terminate TShark
Links to More Info: K26130444 , BT700315
Component: TMOS
Symptoms:
A running TShark process on the BIG-IP system has problems exiting when the user is finished capturing and presses CTRL+C while listening on a tmm VLAN or 0.0.
Conditions:
-- Using TShark on a tmm VLAN or 0.0.
-- Pressing Ctrl+C to exit.
Impact:
TShark does not exit as expected when pressing CTRL+C.
Workaround:
To recover, you can move the process to the background (CTRL+Z) and then halt the process by running a command similar to the following: kill -9 $(pidof tshark)
Fix:
Ctrl+C now terminates TShark as expected.
Fixed Versions:
12.1.3.6, 13.1.0.4
700250-3 : qkviews for secondary blade appear to be corrupt
Links to More Info: K59327012 , BT700250
Component: TMOS
Symptoms:
Normally, a qkview created on a multi-blade system will include a qkview for every blade on the system. Those qkview files have an error that makes the tar-ball appear corrupt.
Conditions:
Running a qkview on a system with blades.
Attempt to access the tar-ball using the following command: tar -tvzf 127.3.0.2.qkview | tail.
Impact:
The system posts the following messages:
gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
Confuses troubleshooters into thinking that the blade qkview files are corrupt, which they are not.
Workaround:
None.
Fix:
By not always writing an errant newline, the problem is solved.
Fixed Versions:
13.1.1.2
700247 : APM Client Software may be missing after doing fresh install of BIG-IP VE
Links to More Info: K60053504 , BT700247
Component: TMOS
Symptoms:
The APM client software check is broken in a VM created with BIG-IP-13.1.0.1.0.0.8.ALL-scsi.ova.
Conditions:
Any software instance created by deployment of any OVA for the affected software versions.
Impact:
-- APM endpoint inspection feature (for Mac, Windows, and Linux clients). [Users affected]
-- Configuration of the APM client software check in the APM Visual Policy Editor. [Admin UI]
-- APM Client package at Connectivity / VPN : Connectivity : Profiles when you select the "Web Browser Add-ons for BIG-IP Edge Client" option. [Admin UI]
Workaround:
Try the "epsec refresh" command again after removing all environment locks on the shared RPM database, using the following commands:
rm /shared/lib/rpm/__db.*
epsec refresh
Fix:
After deployment of a new OVA for the fixed version(s), the problem no longer occurs.
Fixed Versions:
13.1.0.2
700143-2 : ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages
Links to More Info: BT700143
Component: Application Security Manager
Symptoms:
Attempting to delete request logs by a filter (10,000 at a time), only works once. Subsequent delete by filter actions do not remove additional earlier logs.
Conditions:
System has over 10,000 ASM request logs by a selected filter, and delete all by filter is used multiple times.
Impact:
Only the latest 10,000 events are deleted.
Workaround:
No workaround for deleting by a filter.
Delete all (without filter) works, and deleting selected requests works.
Fix:
Deletion by filter correctly deletes subsequent sets of 10,000 rows per action.
Fixed Versions:
12.1.3.2, 13.1.0.8
700118-1 : rrset statistics unavailable
Links to More Info: BT700118
Component: Global Traffic Manager (DNS)
Symptoms:
When cache entries of any kind are deleted, the rrset statistics for the cache may not be available.
Conditions:
This occurs when DNS cache entries are deleted.
Impact:
Rrset statistics may not be available.
Fix:
The RRset ID is now updated when a cached RRset is deleted.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5
700090-2 : tmm crash during execution of a per-request policy when modified during execution.
Links to More Info: BT700090
Component: Access Policy Manager
Symptoms:
Modify/delete of per-request policy during heavy traffic flow causes tmm to crash.
Conditions:
-- A per-request policy (macro) is being executed.
-- An admin deletes the parent policy item at the same time.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not deleting per-request policies during heavy traffic flow.
Fix:
Per-request access policies edited during execution are now held until not in use, so this issue no longer occurs.
Fixed Versions:
13.1.0.6, 14.0.0
700086-1 : AWS C5/M5 Instances do not support BIG-IP VE
Links to More Info: BT700086
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) does not function on AWS C5/M5 instances.
Conditions:
BIG-IP VE on AWS C5/M5 instances.
Impact:
Cannot use BIG-IP VE on AWS C5/M5 instances.
Workaround:
None.
Fix:
BIG-IP VE now functions on AWS C5/M5 Instances.
Fixed Versions:
13.1.1, 14.0.0.1
700061-4 : Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file
Links to More Info: BT700061
Component: Local Traffic Manager
Symptoms:
Restarting service MCPD or rebooting the BIG-IP device adds Unix 'other' read file permissions for key files.
Key file Unix permissions change from '-rw-r-----' to '-rw-r--r--'.
Conditions:
1. Restarting the service MCPD
2. Rebooting BIG-IP device.
Impact:
Key file Unix read permissions change from '-rw-r-----' to '-rw-r--r--'.
Workaround:
There is no workaround at this time.
Fix:
Restarting the MCPD service or rebooting the device no longer changes key file Unix read permissions from '-rw-r-----' to '-rw-r--r--'.
Fixed Versions:
12.1.3.6, 13.1.0.8
700057-4 : LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved
Links to More Info: BT700057
Component: Local Traffic Manager
Symptoms:
After upgrading to an affected build, the default key will have incorrect group ownership.
Conditions:
Upgrade or load a .ucs with SSL keys configured.
Impact:
File permissions are not preserved in the .ucs file. The httpd process will not be able to use the default key, so anything using it will fail.
Workaround:
Run the following two commands:
tmsh save /sys config
tmsh load /sys config
Fix:
The system now preserves correct permissions for default.key across upgrade and ucs load.
Fixed Versions:
11.6.4, 12.1.3.6, 13.1.0.6
700056-1 : MCPD process may lock up and restart when applying Local Traffic Policy to virtual server
Links to More Info: BT700056
Component: Local Traffic Manager
Symptoms:
The mcpd process becomes unresponsive while attempting to load the configuration, or attempting to apply a configuration change that associates a particular local traffic policy to a virtual server. The mcpd process may also periodically restart every 5 minutes.
Conditions:
- Virtual servers configured.
- Specific policies configured and attached to virtual servers.
Only policies configured in a specific way will trigger this situation. The specifics are not well understood, however, the vast majority of Local Traffic Policies are unaffected by this issue.
Impact:
Traffic disrupted while mcpd restarts.
Workaround:
There is no workaround.
Fix:
mcpd is responsive when an LTM Policy is attached to a virtual server, or when an already-attached policy is updated.
Fixed Versions:
13.1.0.8, 14.0.0.3
700035-5 : /var/log/avr/monpd.disk.provision does not rotate
Links to More Info: BT700035
Component: Application Visibility and Reporting
Symptoms:
The log file may fill up the /var partition.
Conditions:
There is no special condition for this issue; if the log is big, it does not rotate.
Impact:
The log file may fill up the /var partition.
Workaround:
1. gzip /var/log/avr/monpd.disk.provision
2. touch /var/log/avr/monpd.disk.provision
Fix:
Added /var/log/avr/monpd.disk.provision to the log rotation mechanism.
Fixed Versions:
13.1.3.4
699979-2 : Support for Safenet Client Software v7.x
Links to More Info: BT699979
Component: Local Traffic Manager
Symptoms:
The BIG-IP system is not compatible with SafeNet v7.x.
Conditions:
Attempting to use a BIG-IP system with the Safenet v7.x client software.
Impact:
No support provided for the SafeNet network HSMs.
Workaround:
There is no workaround other than using an HSM with the supported SafeNet client software.
Fix:
The BIG-IP system now supports SafeNet v7.x in the following configuration:
-- Client software: 7.1.
-- HSM software: 7.1.
-- HSM firmware 7.0.2.
Fixed Versions:
13.1.1.5
699720-1 : ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
Links to More Info: BT699720
Component: Application Security Manager
Symptoms:
ASM may crash when configuring remote logger for WebSocket traffic virtual server.
Conditions:
-- Virtual server handling WebSocket traffic.
-- ASM remote logger on the same virtual server.
Impact:
ASM crash; system goes offline.
Workaround:
Use either of the following workarounds:
-- Remove remote logger.
-- Have response logging for illegal requests only.
Fix:
The system now handles memory correctly and avoids crashing in this specific scenario.
Fixed Versions:
12.1.3.2, 13.1.0.2
699686-1 : localdbmgr can occasionally crash during shutdown
Links to More Info: BT699686
Component: Access Policy Manager
Symptoms:
When localdbmgr process is restarted, occasionally, the process crashes and a core file will be generated.
Conditions:
-- APM is provisioned.
-- localdbmgr process is restarted.
Impact:
Although the process restarts, there is no impact to the APM functionality.
Workaround:
None.
Fix:
localdbmgr no longer crashes during shutdown.
Fixed Versions:
13.1.0.6, 14.0.0
699624-1 : Config with custom 'SIP' or 'Firepass' monitor fails to load after upgrade
Links to More Info: BT699624
Component: Local Traffic Manager
Symptoms:
A configuration that contains custom 'SIP' or 'FirePass' monitors that is upgraded from a version earlier than v13.1.0 may either fail to load, or may result in a configuration that loads the first time after the upgrade, but cannot be re-loaded from the text config files.
If the BIG-IP system has partitions other than 'Common', the initial configuration load may fail with an error such as:
01070726:3: monitor /Common/sip-monitor in partition Common cannot reference SSL profile monitor parameter /Common/sip-monitor 1 SSL_PROFILE_NAME= in partition name-of-other-partition
If the BIG-IP system only has a 'Common' partition, the initial configuration load will succeed, but subsequent attempts to load the configuration (e.g., 'tmsh load sys config') may fail with this error:
Syntax Error:(/config/bigip.conf at line: 63) "user-defined" unknown property
Which corresponds to a SIP or FirePass monitor in the configuration such as:
ltm monitor sip /Common/test_sip_monitor {
cipherlist DEFAULT:+SHA:+3DES:+kEDH
compatibility enabled
debug no
defaults-from /Common/sip
destination *:*
filter 488
interval 5
mode tcp
time-until-up 0
timeout 16
user-defined SSL_PROFILE_NAME /Common/test_sip_monitor_ssl_profile
}
Conditions:
Custom 'SIP' or 'FirePass' monitor is configured, and the config is upgraded from a version earlier than v13.1.0 to version v13.1.0.
Impact:
After upgrade, the configuration fails to load with an error such as:
01070726:3: monitor /Common/sip-monitor in partition /Common cannot reference SSL profile monitor parameter /Common/sip-monitor 1 SSL_PROFILE_NAME= in partition name-of-other-partition.
Alternatively, the configuration loads after upgrade, but the config file is corrupted, and will fail to load (such as after a system restart, or upon explicit 'tmsh load sys config'), with an error such as:
Syntax Error:(/config/bigip.conf at line: 63) "user-defined" unknown property
Workaround:
Remove custom 'SIP' and 'FirePass' monitors from the configuration, and re-create them manually after upgrade is complete.
Fix:
In this release, a configuration that contains a custom 'SIP' or 'FirePass' monitor from a version earlier than v13.1.0 now loads correctly and continues to load as expected.
Fixed Versions:
13.1.0.2
699598-2 : HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR or TCP RST
Links to More Info: BT699598
Component: Local Traffic Manager
Symptoms:
HTTP/2 requests with a large body may result in the BIG-IP system sending RST_STREAM with FRAME_SIZE_ERROR or TCP RST (Internal Error).
Conditions:
-- HTTP/2 profile is configured on the virtual server.
-- HTTP/2 request has body size greater than 16 KB.
Impact:
-- HTTP/2 stream is reset with FRAME_SIZE_ERROR, or the TCP connection is reset. Transfer does not complete.
-- Client unable to send POST request with large body.
Workaround:
None
Fix:
Large HTTP/2 requests are now processed as expected.
Fixed Versions:
12.1.5, 13.1.0.8, 14.0.0.3
699531-1 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command
Links to More Info: BT699531
Component: Policy Enforcement Manager
Symptoms:
TMM crash.
Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.
Impact:
Loss of service. Traffic disrupted while tmm restarts.
Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.
For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.
Fix:
The system now provides the correct number of attributes, preventing a NULL pointer dereference.
Fixed Versions:
12.1.3.6, 13.1.0.6, 14.0.0.3
699515-1 : nsm cores during update of nexthop for ECMP recursive route
Component: TMOS
Symptoms:
The Network Services Module daemon (nsm) cores while processing updates for ECMP recursive route nexthop.
Conditions:
Dynamic routing enabled.
BGP peers provide ECMP routes with recursive nexthops.
Impact:
Failures passing traffic using the dynamic routes.
Workaround:
There is no workaround.
Fix:
nsm is able to process ECMP route updates without problem.
Fixed Versions:
13.1.1.5, 14.1.2.5
699512-1 : UDP packet may be dropped when queued in parallel with another packet
Links to More Info: BT699512
Component: Global Traffic Manager (DNS)
Symptoms:
UDP packets may be dropped.
Conditions:
-- UDP packets are received in quick succession with matching IP/Port pairs.
-- The UDP virtual server does not use datagram LB mode.
-- One of the following:
+ A DNS profile is attached to a virtual server.
+ Rate limit is applied.
Impact:
UDP packets may be dropped.
Workaround:
Configure the virtual server with a UDP profile with datagram LB mode enabled.
Fix:
Added a new queue mechanism in IP proxy to handle datagram packets received in quick succession from same source/port.
Fixed Versions:
13.1.3.2
699454-4 : Web UI does not follow current best coding practices
Component: Advanced Firewall Manager
Symptoms:
The web UI does not follow current best coding practices while processing URL DB updates.
Conditions:
Authenticated web UI user.
Impact:
UI does not respond as intended.
Workaround:
None.
Fix:
The web UI now follows current best coding practices while processing URL DB updates.
Fixed Versions:
12.1.4, 13.1.1.2, 14.0.0.3
699452-4 : Web UI does not follow current best coding practices
Links to More Info: K29280193
699431-3 : Possible memory leak in MRF under low memory
Links to More Info: BT699431
Component: Service Provider
Symptoms:
MRF may leak a session db record when a memory allocation failure occurs while adding a connection to an internal table. In this case the table entry is not cleaned up when the connection closes.
Conditions:
A memory allocation failure occurs while MRF is adding a connection to an internal table.
Impact:
The table entry will remain until the box resets.
Workaround:
There is no workaround at this time.
Fix:
The code has been fixed to remove the table entry when a memory allocation failure occurs while adding the record.
Fixed Versions:
12.1.3.2, 13.1.1.4
699339-3 : Geolocation upgrade files fail to replicate to secondary blades
Links to More Info: K24634702 , BT699339
Component: Global Traffic Manager (DNS)
Symptoms:
Geolocation upgrade files fail to replicate to secondary blades.
Conditions:
-- Multiblade VIPRION platforms/vCMP guests.
-- Upgrading geolocation files on the primary blade.
-- Viewing the geolocation files on the secondary blades.
Impact:
Geoip database is not updated to match primary blade.
Workaround:
Use either of the following workarounds:
-- Use the root account to manually create the /shared/GeoIP/v2 directory on secondary blades, and then run geoip_update_data on primary blade.
-- On primary blade:
1. Edit /etc/csyncd.conf as shown below.
2. Restart csyncd.
3. Run geoip_update_data.
To edit /etc/csyncd.conf:
Merge the following two terms:
monitor dir /shared/GeoIP {...}
monitor dir /shared/GeoIP/v2 {...}
into one term, as follows:
monitor dir /shared/GeoIP {
queue geoip
pull pri2sec
recurse yes
defer no
lnksync yes
md5 no
post "/usr/local/bin/geoip_reload_data"
}
Fix:
Geolocation upgrade files now correctly replicate to secondary blades.
Fixed Versions:
12.1.3.4, 13.1.0.4
699298-2 : 13.0.0 Hotfix HF3 3.0.1679 TMM CORED due to SIGSEGV.
Links to More Info: BT699298
Component: Local Traffic Manager
Symptoms:
TMM may crash when woodside congestion-control is in use.
Conditions:
When woodside congestion-control is in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Other congestion control algorithms can be used as a workaround.
Fix:
This fix handles a rare TMM crash when woodside congestion-control is in use.
Fixed Versions:
13.0.1, 13.1.0.4
699281-1 : Version format of hypervisor bundle matches Version format of ISO
Links to More Info: BT699281
Component: TMOS
Symptoms:
F5 recently incorporated a 4th element into its versioning scheme. In the ISO name, the 4th and 5th elements are separated by a dash instead of a dot. This change ensures that the names of hypervisor bundles also use a dash between the 4th and 5th elements.
Conditions:
Applies to hypervisor bundles (for example ova files for vmware).
Impact:
Version format in names of hypervisor bundles matches version format of ISO file
Workaround:
Version format in names of hypervisor bundles matches version format of ISO file
Fix:
Version format in names of hypervisor bundles matches version format of ISO file (usage of dash between 4th and 5th elements).
Fixed Versions:
12.1.3.2, 13.1.0.4
699273-1 : TMM Core During FTP Monitor Use
Links to More Info: BT699273
Component: Local Traffic Manager
Symptoms:
TMM Cores.
Conditions:
When the FTP monitor is used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Turn off FTP monitoring.
Fix:
The tmm no longer cores when using an FTP monitor.
Fixed Versions:
13.1.1.2
699267-2 : LDAP Query may fail to resolve nested groups
Links to More Info: BT699267
Component: Access Policy Manager
Symptoms:
LDAP Query agent may fail to resolve nested groups for a user.
/var/log/apm logfile contains the following error messages when 'debug' log level is enabled for Access Profile:
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while getting group membership down with error (No such object.).
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while querying LDAP with error (No such object.).
Conditions:
LDAP Query agent is configured in an Access Policy.
The 'Fetch groups to which the user or group belong' option is enabled.
Impact:
LDAP Query agent fails:
-- Unable to get user identity.
-- Unable to finalize the Access Policy.
Fix:
LDAP Query now resolves all nested groups as expected, and the session.ldap.last.attr.memberOf attribute contains the user's groups.
Fixed Versions:
11.6.3.3, 12.1.3.4, 13.1.0.8
699135-1 : tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip
Links to More Info: BT699135
Component: Global Traffic Manager (DNS)
Symptoms:
tmm cores with SIGSEGV in dns_rebuild_response.
Conditions:
1. Create a wideip of type other than A/AAAA.
2. Create an iRule with a host command for the previously created wideip.
3. Create a related zonerunner record with the same name and type.
4. Dig against the wideip with type any.
5. Observe that tmm cores.
Impact:
tmm cores.
Workaround:
Do not use the host command for wideips of types other than A/AAAA.
Fixed Versions:
12.1.3.4, 13.1.0.4
699103-1 : tmm continuously restarts after provisioning AFM
Links to More Info: BT699103
Component: Traffic Classification Engine
Symptoms:
tmm continuously restarts when the Webroot database is getting downloaded to a BIG-IP system with less than 16 GB RAM and AFM provisioned.
Conditions:
-- Webroot URL categorization configured for Traffic Classification.
-- BIG-IP system with less than 16 GB RAM.
-- AFM is provisioned.
Impact:
tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than to ensure that more than 16 GB RAM is available when AFM is provisioned.
Fix:
The BIG-IP system with less than 16 GB RAM and AFM provisioned now prevents downloading the Webroot database or any updates if it is not already downloaded.
Note: If the Webroot database already exists before upgrade to this release, Webroot lookup will continue to work.
Fixed Versions:
13.1.0.7, 14.0.0
699091-2 : SELinux denies console access for remote users.
Links to More Info: BT699091
Component: TMOS
Symptoms:
SELinux denies console access for remote users if they are attempting to log in for the first time. This occurs because the user has not logged in before, so no entries exist for them in the userrolepartitions file.
Conditions:
-- Remote authentication is enabled.
-- BIG-IP system user attempts to log in to the console as their first login.
Impact:
Certain remote users may not be able to log in to the console.
Workaround:
Log in as a remote user using SSH or the GUI.
Fix:
Allow login to connect to MCP to announce remote user login and set user role partition access.
Fixed Versions:
12.1.5.3, 13.1.3.5
698992-1 : Performance degraded
Links to More Info: BT698992
Component: Performance
Symptoms:
Portal Access showed a slight performance degradation. This was traced to a new queuing strategy introduced in the 13.0 release to improve per-request policy authentication performance on higher-end platforms. The nature of the problem is such that overall system degradation may be observed if APM is provisioned and per-request policy is not used.
Conditions:
APM is provisioned, but functionality is not related to per-request policy.
Impact:
Performance will be slightly lower under load.
Workaround:
None.
Fix:
The queuing strategy was altered to take minimal CPU resources when idle.
Fixed Versions:
13.1.0.8
698984-1 : Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned
Links to More Info: BT698984
Component: Access Policy Manager
Symptoms:
The db variable Tmm.HTTP.TCL.Validation is enabled by default. It should be disabled when APM is provisioned/enabled, ACCESS::restrict_irule_events is disabled, and HTTP_RESPONSE_RELEASE events are detected in the assigned iRules.
Conditions:
Steps to Reproduce:
1. Define the following iRule in the virtual server.
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    set u [ HTTP::uri ]
    log local0. "XXX: [ HTTP::uri ]"
}
when HTTP_RESPONSE_RELEASE {
    log local0. "XXX: [ HTTP::status ] [ HTTP::header Location ]"
    set l [ HTTP::header Location ]
    if { $l starts_with {/my.policy} } {
        append l {?modified_by_irule=1}
        HTTP::header replace Location $l
    } elseif { $l starts_with {/renderer/agent_logon_page_form.eui} } {
        # Next response will be the real response to the client.
        ACCESS::log "XXX: lp_seen"
        set lp_seen 1
    }
    if { [ HTTP::status ] == 200 && [ info exists lp_seen ] && $lp_seen == 1 } {
        unset lp_seen
        HTTP::header insert X-MyAppSpecialHeader 1
    }
}
2. Configure START :: LOGON PAGE :: ALLOW policy.
3. Access the virtual server.
Impact:
A TCP reset is triggered when it should not be. Under the specific condition described, the system should present the logon page.
Workaround:
Manually disable Tmm.HTTP.TCL.Validation.
Fix:
Tmm.HTTP.TCL.Validation is now disabled automatically when APM is provisioned during an upgrade. This is the correct behavior.
Fixed Versions:
13.1.1.2
698947-2 : BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.
Links to More Info: BT698947
Component: TMOS
Symptoms:
The BIG-IP system may incorrectly drop packets from a GRE point-to-point tunnel with auto-lasthop disabled.
Conditions:
The auto-lasthop of a GRE point-to-point tunnel is disabled.
Impact:
The decapsulated packets may be dropped in the BIG-IP system.
Fix:
The BIG-IP system correctly processes decapsulated packets from a GRE point-to-point tunnel.
Fixed Versions:
12.1.3.6, 13.1.1.4
698940-1 : Add new security policy template for API driven systems - "API Security"
Links to More Info: BT698940
Component: Application Security Manager
Symptoms:
No security policy template for API Security for API driven systems.
Conditions:
-- Using API.
-- Attempting to define REST API protection, Web Socket protection.
Impact:
No policy template.
Workaround:
None.
Fix:
Added new security policy template for API driven systems - 'API Security'.
Fixed Versions:
13.1.0.2
698919-3 : Anti virus false positive detection on long XML uploads
Links to More Info: BT698919
Component: Application Security Manager
Symptoms:
A false positive virus-detected violation. The description of the violation explains that the ICAP server was not contacted.
Conditions:
-- A long XML upload or payload.
-- The assigned XML profile is configured to be inspected by the ICAP server.
Impact:
Violation is detected where no violation has occurred (false positive violation).
Workaround:
Increase the internal parameter max_raw_request_len to the required length of the XML.
Note: This workaround will affect the amount of logged data from ASM.
Fix:
Fixed a false positive virus-detected violation related to long XML uploads.
Fixed Versions:
12.1.3.2, 13.1.0.4
698916-1 : TMM crash with HTTP/2 under specific condition
Links to More Info: BT698916
Component: Local Traffic Manager
Symptoms:
TMM may crash when upgrading an HTTP/1.1 connection to an HTTP/2 connection.
Conditions:
-- HTTP/2 gateway enabled.
-- Pool member supports protocol switching.
Impact:
TMM crash, leading to a failover event.
Workaround:
There is no workaround other than removing the HTTP/2 profile from the virtual server.
Fix:
TMM properly handles protocol upgrade requests from pool members when HTTP/2 is enabled, so no crash occurs.
Fixed Versions:
12.1.3.6, 13.1.0.4
698875-1 : Qkview Security Hardening
Component: TMOS
Symptoms:
Qkview does not follow best practices for sanitizing and anonymizing collected data.
Conditions:
A Qkview is created.
Impact:
Under certain conditions, Qkviews may include sensitive information, which may in turn be uploaded to iHealth.
Workaround:
None.
Fix:
Qkview now follows best practices for sanitizing and anonymizing collected data.
Fixed Versions:
13.1.1.2
698619-2 : Disable port bridging on HSB ports for non-vCMP systems
Links to More Info: BT698619
Component: TMOS
Symptoms:
Internal packets flooded on internal switch interfaces by the HSB can be bridged back to the HSB on BIG-IP 5000/7000 and VIPRION B2100 blades configured to enable port bridging by the switch.
Conditions:
-- Packets being flooded from the HSB to VLAN members when adding/deleting VLANs.
-- Non-vCMP systems.
-- Virtual server configured for Direct Server Return (DSR or nPath Routing).
Impact:
This can result in packet flooding back to the HSB and potential network saturation.
Workaround:
None.
Fix:
Port bridging on HSB interfaces in the switch for non-vCMP systems is now disabled on BIG-IP 5000/7000. However, this issue still occurs on B2100 blades, as port bridging is required on that platform for chassis data plane support.
Fixed Versions:
12.1.4, 13.1.1.5
698461-1 : Tmm may crash in fastl4 TCP
Links to More Info: BT698461
Component: Local Traffic Manager
Symptoms:
Tmm crashes and the BIG-IP system fails over.
Conditions:
-- A virtual server with FastL4 and TCP profiles configured and in use.
-- LRO is used.
Impact:
Traffic disrupted while tmm restarts.
Fix:
The crash is fixed.
Fixed Versions:
13.1.0.4, 14.0.0
698437-1 : Internal capacity increase
Links to More Info: BT698437
Component: Local Traffic Manager
Symptoms:
tmm restarts unexpectedly.
Conditions:
Internal to the tmm, a capacity limit is exceeded.
Impact:
Traffic is disrupted while tmm restarts.
Workaround:
N/A
Fix:
Tmm does not experience unexpected restart due to insufficient internal capacity.
Fixed Versions:
13.1.1.5
698429-1 : Misleading log error message: Store Read invalid store addr 0x3800, len 10
Links to More Info: BT698429
Component: TMOS
Symptoms:
On rare occasions, messages like these can appear in /var/log/ltm:
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash computed from read key:9d:e6:90:...
Oct 20 14:21:04 localhost err mcpd[4139]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Symmmetric Unit Key decrypt
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071027:5: Master key OpenSSL error: 1506270960:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:587:
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Attempting Master Key migration to new unit key.
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning mcpd[4139]: 012a0004:4: halStorageRead: unable to read storage on this platform.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Cannot open unit key store
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Reloading the RSA unit to support config roll forward.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...
These messages are due to a transient failure reading the system's unit key from the virtual EEPROM on a vCMP guest. The error handling from this failure causes misleading messages, but it does successfully read the unit key during this error recovery.
Conditions:
These messages can only happen on a vCMP guest with SecureVault, and are very rare.
Impact:
None. These messages do not indicate an actual problem with the system.
Fixed Versions:
12.1.5.3, 13.1.0.6
698424-1 : Traffic over a QinQ VLAN (double tagged) will not pass
Links to More Info: K11906514 , BT698424
Component: Local Traffic Manager
Symptoms:
Traffic on a QinQ VLAN will not pass.
Conditions:
This issue exists when a VLAN is configured as a QinQ VLAN (i.e., a double-tagged VLAN).
Impact:
Traffic on a QinQ VLAN will not pass.
Workaround:
Disabling LRO may work around this issue.
Fix:
Traffic on a QinQ VLAN now passes successfully.
Fixed Versions:
13.1.0.4
698396-1 : Config load failed after upgrade from 12.1.2 to 13.x or 14.x
Links to More Info: BT698396
Component: Traffic Classification Engine
Symptoms:
Sys load fails with the following errors:
....
Loading schema version: 14.0.0
0107153e:3: Application id out of the valid range of [8192-16384).
Unexpected Error: Loading configuration process failed.
Conditions:
When a CEC IM is applied to 12.1.2 and the system is then upgraded to 13.x or 14.x, sys load fails.
Impact:
System will fail to come to Active state after upgrade.
Workaround:
It can be fixed by manually deleting /var/libdata/dpi/conf/classification_update.conf.
Fixed Versions:
13.1.0.2
698379-2 : HTTP2 upload is intermittently aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR
Links to More Info: K61238215 , BT698379
Component: Local Traffic Manager
Symptoms:
Uploads for the HTTP2 virtual server fail intermittently with HTTP2 error error_code=FLOW_CONTROL_ERROR.
Conditions:
HTTP2 virtual server configured.
Impact:
Uploads for the HTTP2 virtual server might fail intermittently.
Workaround:
None.
Fix:
Uploads for the HTTP2 virtual server no longer fail intermittently.
Fixed Versions:
12.1.3.6, 13.1.0.4
698338-1 : Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
Links to More Info: BT698338
Component: Service Provider
Symptoms:
The system may core.
Conditions:
-- Egress messages are queued waiting for MR_EGRESS event to be raised.
-- Current MR event exits with an error, thus aborting the connection.
Impact:
The system cores and will restart.
Workaround:
None.
Fix:
The system now returns pending messages back to the originator if the connection aborts due to an iRule error.
Fixed Versions:
11.6.5.2, 12.1.3.6, 13.1.0.4
698333-1 : TMM core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families)
Links to More Info: K43392052 , BT698333
Component: Advanced Firewall Manager
Symptoms:
TMM would core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families).
Conditions:
This occurs in the following scenario:
-- Enable Network and DNS BDOS simultaneously (on DoS Device config).
-- Generate dynamic signature that has both network and DNS metrics.
-- Wait for signature to be moved to 'past' (persist) state.
-- Disable either network or DNS BDOS (but not both).
-- TMM cores if the traffic matches this signature.
Impact:
Traffic interruption due to TMM restart. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
In this release, if the dynamic signature is disabled for a specific family on a parent context (but not for the other family on that context), any past attack signature for the context is now deleted from the system.
Fixed Versions:
13.1.1.2, 14.0.0
698226-1 : Filters under Security :: Reports :: DoS :: URL Latencies work incorrectly
Links to More Info: BT698226
Component: Application Visibility and Reporting
Symptoms:
When filtering data by a field in the 'Security :: Reports :: DoS :: URL Latencies' form, the filtering fails and the monpd process crashes.
Conditions:
There is some statistical data for DoS.
Impact:
Reports based on GUI filters are not complete.
Workaround:
No workaround.
Fix:
The system now creates the correct query for this filter, so the issue no longer occurs.
Fixed Versions:
13.1.0.8
698182 : Upgrading from 13.1.1 to newer release might cause config to not be copied over
Links to More Info: BT698182
Component: Advanced Firewall Manager
Symptoms:
Upgrading from 13.1.1 to a newer release might cause the config to not be copied over. This is because the UUID is available on the older release but not on the newer one.
Conditions:
Upgrading, or loading a UCS, from 13.1.1 to a newer release.
Impact:
Config cannot be loaded or fails.
Workaround:
Copy config and remove UUID-specific schema before loading the config.
Fix:
When upgrading to a version in which UUID is not supported, the system now automatically copies the config and removes UUID-specific schema before loading it.
Fixed Versions:
13.1.1
698084-3 : IPsec log messages in /var/log/ltm missing module ID to reach bigiq logs
Links to More Info: K03776801 , BT698084
Component: TMOS
Symptoms:
Some groups of messages logged by tmipsecd are missing the errdefs annotation that identifies IPsec as the module. Messages reported when tunnels go up and down, or problems with listeners, go only to ltm logs, with no visibility to bigiq logs.
Conditions:
Missing the IPsec module subset ID.
Impact:
Missing IPsec messages in the bigiq logs.
Workaround:
No workaround at this time.
Fix:
The IPsec module subset ID has been added to tmipsecd log messages, so those messages will reach bigiq logs. Some log messages previously appearing only in /var/log/ltm now also appear in ipsec.log and also reach bigiq logs.
Fixed Versions:
13.1.1.2
698000-3 : Connections may stop passing traffic after a route update
Links to More Info: K04473510 , BT698000
Component: Local Traffic Manager
Symptoms:
When a pool is used with a non-translating virtual server, routing updates may lead to an incorrect lookup of the nexthop for the connection.
Conditions:
-- Pool on a non-translating virtual server.
-- Routing update occurs.
Impact:
Connections may fail after routing updates. New connections will not be affected.
Workaround:
Use a route to direct traffic to the ultimate destination rather than using a pool to indicate the nexthop.
Fix:
Routing updates no longer interrupt traffic to connections using a pool member to reach the nexthop.
Fixed Versions:
11.6.3, 12.1.3.2, 13.1.0.4
697988-3 : During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100%
Links to More Info: K34554754 , BT697988
Component: Local Traffic Manager
Symptoms:
During config sync, if many (hundreds of) client-ssl profiles are attached to a virtual server, the CPU may spike to 100%.
Conditions:
-- Many (hundreds of) client-ssl profiles are attached to a virtual server.
-- Config sync is executed.
Impact:
If enough client-ssl profiles are attached, the watchdog could fire, crashing tmm and causing service disruption. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not attaching hundreds of client-ssl profiles to a virtual server, or disabling config sync.
Fix:
Issue no longer occurs when there are 2000+ client-ssl profiles attached to a virtual server and config sync is executed.
Fixed Versions:
13.1.1.2
697766-1 : Cisco IOS XR ISIS routers may report 'Authentication TLV not found'
Links to More Info: BT697766
Component: TMOS
Symptoms:
When peering with ISIS to Cisco IOS XR routers, messages similar to the following may be seen:
isis[1003]: %ROUTING-ISIS-5-AUTH_FAILURE_DROP : Dropped L2 LSP from TenGigE0/0/0/1 SNPA 0001.47fd.a801 due to authentication TLV not found.
Conditions:
The BIG-IP system is configured for dynamic routing using the ISIS protocol, and is peered with an IOS XR router, or with another BIG-IP system running software older than version 11.6.1.
In addition, authentication needs to be configured, and a value needs to be set for lsp-refresh-interval or for max-lsp-lifetime. For example:
router isis isisrouter
  is-type level-2-only
  authentication mode md5
  authentication key-chain keychain-isis
  lsp-refresh-interval 5
  max-lsp-lifetime 65535
  net 49.8002.00c1.0000.0000.f523.00
Impact:
This is a cosmetic issue. Routing is not impacted. LSPs containing actual routing information do contain the Auth TLV, as expected.
Workaround:
None.
Fix:
This issue no longer occurs.
Fixed Versions:
13.1.1.5
697756-1 : Policy with CSRF URL parameter cannot be imported as binary policy file
Links to More Info: BT697756
Component: Application Security Manager
Symptoms:
A policy with at least 1 CSRF URL parameter defined cannot be imported as a binary policy file.
Conditions:
A policy has at least 1 CSRF URL parameter defined.
Impact:
The policy cannot be imported as a binary policy file.
Workaround:
There is no workaround at this time.
Fix:
A policy with CSRF URL parameters defined can now be imported as a binary policy file.
Fixed Versions:
13.1.0.4
697718-1 : Increase PEM HSL reporting buffer size to 4K.
Links to More Info: BT697718
Component: Policy Enforcement Manager
Symptoms:
Before this fix, the PEM HSL reporting buffer size was limited to 512 bytes.
Conditions:
If any PEM HSL flow reporting stream exceeds 512 bytes, it is truncated.
Impact:
Part of PEM HSL flow reporting information will be lost.
Fix:
The PEM HSL reporting buffer size is increased to 4K, which should be enough for the use cases currently known.
Fixed Versions:
12.1.3.6, 13.1.0.6
697636-3 : ACCESS is not replacing headers while replacing POST body
Links to More Info: BT697636
Component: Access Policy Manager
Symptoms:
If the first request for a session is a POST, APM will save the POST to replay after the policy completes. When the POST is restored after policy completion and released to the backend, the headers are the same as the most recent client request, not the original POST. In particular, the Content-Length header will not match the original POST.
Conditions:
First request for the session is a POST.
Impact:
Backend servers may complain of an incomplete HTTP POST due to a mismatching Content-Length header.
Workaround:
None.
Fix:
Now, the system takes all headers from the original POST, except the Authorization header that Kerberos RBA needs, which is taken from the most recent client request.
Fixed Versions:
13.0.1, 13.1.0.4
697616-2 : Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests
Links to More Info: BT697616
Component: TMOS
Symptoms:
Failure in SSL traffic in vCMP configurations. The system logs the following device error:
-- crit tmm[17083]: 01010025:2: Device error: crypto codec qat-crypto0-0 queue is stuck.
-- warning sod[7759]: 01140029:4: high availability (HA) crypto_failsafe_t qat-crypto0-0 fails action is failover.
Conditions:
-- vCMP guests when performing crypto operations.
-- i5600, i5800, i7600, i7800, i10600, i10800, i12600, i12800, i15600, i15800 platforms.
Impact:
The 'crypto queue stuck' message is reported, and failover will be triggered.
Workaround:
None.
Fix:
The 'crypto queue stuck' issue on vCMP platforms no longer occurs.
Fixed Versions:
12.1.3.5, 13.1.1
697615-1 : Neurond may restart indefinitely after boot, with neurond_i2c_config message
Links to More Info: K65013424 , BT697615
Component: TMOS
Symptoms:
The neurond daemon may continually restart after a reboot. The problem may persist even after a reboot of the BIG-IP system. Manually stopping and starting neurond will not resolve the problem.
Conditions:
- This occurs only on BIG-IP platforms that contain a specific hardware part running v13.1.0.
- The issue happens only after a reboot of the BIG-IP system.
Impact:
The BIG-IP system constantly logs messages similar to the following:
emerg logger: Re-starting neurond
The /var/log/neurond logfile contains messages similar to the following:
-- neurond_i2c_config_steps: STEP 20 Checking for Lane Alignment
-- neurond_i2c_config_steps: Timeout waiting for good rx_align for ILK1 of NSP
-- neurond_i2c_config: neurond_i2c_config_steps failed.
Workaround:
If you are not using FIX features, disabling the neurond service is a safe option.
If your configuration relies on the FIX feature, a cold reboot by removing the BIG-IP system from the power may resolve the problem. However, multiple retries are sometimes necessary to get the part to initialize.
Fix:
This release increases the number of initialization retries to handle this condition, so continual restarts no longer occur.
Fixed Versions:
13.1.1
697590-4 : APM iRule ACCESS::session remove fails outside of Access events
Links to More Info: BT697590
Component: Access Policy Manager
Symptoms:
ACCESS::session remove fails.
Conditions:
iRule calling ACCESS::session remove outside of Access events.
Impact:
APM iRule ACCESS::session remove fails to remove the session.
Workaround:
Use "ACCESS::session modify" and set the timeout/lifetime to something small, like 1 second. This should cause the session to be deleted due to timeout almost immediately, but note that it will show up in logs as timeout.
Fixed Versions:
13.1.3.2, 14.1.2.1, 15.0.1.1
697516 : Upgrading using a ucs or scf file does not autogenerate uuids when current config has the uuid-default-autogenerate flag enabled
Links to More Info: BT697516
Component: Advanced Firewall Manager
Symptoms:
Upgrading using a UCS or SCF file does not autogenerate uuids when the current config has the uuid-default-autogenerate flag enabled. This might cause issues when upgrading from older versions where uuids need to be quickly generated for existing firewall policies, rule lists, and management rules.
Conditions:
Upgrading from an older version with an existing security policy which has no uuids configured.
Impact:
Requires manual configuration of uuids for rules that come in from the older config.
Workaround:
Generate uuids for all policies, rule-lists, and management rules using the following three tmsh commands:
-- tmsh modify sec fire policy all rules modify { all { uuid auto-generate}}
-- tmsh modify sec fire rule-list all rules modify { all { uuid auto-generate}}
-- tmsh modify sec fire management-ip-rules rules modify { all { uuid auto-generate}}
Optionally, to ensure rules created in the future have uuids autogenerated issue the following tmsh command:
-- tmsh modify sec firewall uuid-default-autogenerate mode enabled
Fix:
No fix provided. The current behavior causes the uuid-default-autogenerate flag to be overwritten to disabled by the UCS load process. The workaround above mitigates this behavior.
Fixed Versions:
13.1.1
697452-1 : Websso crashes because of bad argument in logging
Links to More Info: BT697452
Component: Access Policy Manager
Symptoms:
Websso would crash because of a bad argument in logging.
Conditions:
Only when Kerberos SSO is configured.
Impact:
Websso would crash and so single sign on may fail.
Workaround:
The workaround is to not configure Kerberos SSO.
Fix:
This issue has been fixed.
Fixed Versions:
13.0.1, 13.1.0.6
697424-1 : iControl-REST crashes on /example for firewall address-lists
Links to More Info: BT697424
Component: TMOS
Symptoms:
Making a call to /example on firewall address-list crashes iControl-REST.
Conditions:
Making a call to /example on firewall address-list.
Impact:
The icrd_child process crashes.
Workaround:
There is no workaround other than not calling /example on firewall address-lists.
Fixed Versions:
12.1.4, 13.1.1.4
697421 : Monpd core when trying to restart
Links to More Info: BT697421
Component: Application Visibility and Reporting
Symptoms:
Monpd tries to restart and accesses an uninitialized variable.
Conditions:
Monpd tries to restart due to a change of primary blade.
Impact:
Monpd cores.
Workaround:
N/A
Fix:
A sanity check is added for the uninitialized variable before accessing it.
Fixed Versions:
13.1.0.2
697363-1 : FPS should forward all XFF header values
Links to More Info: BT697363
Component: Fraud Protection Services
Symptoms:
For BIG-IP alerts, FPS inserts a single XFF header with the client IP and discards all XFF values/headers in the original request (the request which triggered the alert).
Conditions:
Alert generated on BIG-IP side.
Impact:
Original XFF information will be lost: only a single XFF header (containing client IP) will be present.
Workaround:
None.
Fix:
FPS now copies all original XFF headers to the generated alert.
Fixed Versions:
13.1.0.4
697303-1 : BD crash
Links to More Info: BT697303
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.
Impact:
BD crash, failover, and traffic disturbance.
Workaround:
Turn off the internal parameter relax_unicode_in_json.
Fix:
BD no longer crashes under these conditions.
Fixed Versions:
11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4
697269-1 : Request logging is briefly suspended after policy creation
Links to More Info: BT697269
Component: Application Security Manager
Symptoms:
Local request log is not showing some requests.
Conditions:
This can occur under either of these conditions:
-- Making changes to a policy and/or assigning it to a virtual server can cause the issue.
-- A failover event moves the virtual server and policy to the other slot.
Impact:
Request logging is briefly suspended. Some log messages are not logged.
Workaround:
None.
Fix:
All expected requests are present in the local log after policy creation.
Fixed Versions:
13.1.3.4
697259-2 : Different versioned vCMP guests on the same chassis may crash.
Links to More Info: K14023450 , BT697259
Component: Local Traffic Manager
Symptoms:
The vCMP guest TMM crashes soon after startup.
Conditions:
-- You are using BIG-IP software versions 12.1.0-12.1.2.
-- vCMP guests are deployed in a chassis.
-- You configure a new guest running unaffected software alongside an existing or new guest running affected software. In other words, the issue occurs if you mix guests running affected and non-affected versions in a single vCMP host.
Impact:
vCMP guests running older versions of the software might crash. Blades continuously crash and restart. Traffic cannot pass. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Different versioned vCMP guests on the same chassis no longer crash.
Fixed Versions:
12.1.3.7, 13.1.0.6
696908-1 : Updating iRule causes TMM to crash
Links to More Info: BT696908
Component: Local Traffic Manager
Symptoms:
A tmm core occurs when reloading an iRulesLX (iLX) Plugin. You might see error messages:
notice ** SIGFPE **
pgo_use x86_64 vadc TMM Version 13.1.3.2.0.0.4
panic: Tcl Object 5600092578f8 is currently on free list
Conditions:
iRulesLXPlugin was reloaded into Workspace.
Impact:
Crash in TMM caused by updating an iLX instance. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
13.1.3.4
696835-1 : Secondary Authentication or SSO fail after changing AD or LDAP password
Links to More Info: BT696835
Component: Access Policy Manager
Symptoms:
APM end users cannot log in, or single sign-on (SSO) can fail, after changing the AD or LDAP password.
Conditions:
-- APM is licensed and provisioned.
-- Active Directory or LDAP Auth agent is used in the policy for authenticating the users.
-- When logging on to APM, user is asked to change the password.
Impact:
Authentication and SSO actions that rely on session.logon.last.password fail.
Workaround:
There is no workaround.
Fix:
APM SSO works fine after changing AD or LDAP password.
Fixed Versions:
13.1.1.5
696808-1 : Disabling a single pool member removes all GTM persistence records
Links to More Info: BT696808
Component: Global Traffic Manager (DNS)
Symptoms:
Disabling a single pool member removes all GTM persistence records.
Conditions:
1. WideIP with persistence enabled.
2. drain-persistent-requests no.
3. GTM pool member toggled from enabled to disabled.
Impact:
All GTM persistence records are accidentally cleared.
Workaround:
Set drain-persistent-requests yes.
Fix:
When drain-persistent-requests is set to no, only the persistence records associated with the affected pool members are cleared when a resource is disabled.
Fixed Versions:
12.1.3.4, 13.1.0.4
696789-1 : PEM Diameter incomplete flow crashes when TCL resumed
Links to More Info: BT696789
Component: Policy Enforcement Manager
Symptoms:
If a PEM Diameter flow is not fully created (for example, it is suspended by an iRule) and the iRule is resumed because of a timeout, tmm crashes.
Conditions:
PEM Diameter flow not fully created, suspended by iRule, and the iRule is resumed by timeout.
Impact:
The tmm will restart and all flows will reset.
Fix:
The PEM Diameter flow is now created in a way that prevents any crash when an iRule is resumed by timeout.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.4
696755 : HTTP/2 may truncate a response body when served from cache
Links to More Info: BT696755
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide a client-side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached on the BIG-IP system with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag, causing the client to ignore the rest of the response body.
Conditions:
BIG-IP system has a virtual server for which HTTP/2 and Web Acceleration profiles are configured.
Impact:
Some clients' browsers do not retry a resource, causing incorrect rendering of an HTML page.
Workaround:
Adding the following iRule causes the body to be displayed:
when HTTP_RESPONSE_RELEASE {
    set con_len [string trim [HTTP::header value Content-Length]]
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length "$con_len"
}
Fix:
With the provided fix, HTTP/2 end users no longer experience incorrect page rendering due to this issue.
Fixed Versions:
13.1.0.8, 14.1.0.6, 15.1.3, 16.0.1.2
696732-3 : tmm may crash in a compression provider
Links to More Info: K54431534, BT696732
Component: TMOS
Symptoms:
TMM may crash with the following panic message in the log files:
panic: ../codec/compress/compress.c:1161: Assertion "context active" failed.
Conditions:
-- Running on the following platforms: BIG-IP i-series or VIPRION 4400 blades.
-- Virtual servers are performing compression.
Impact:
TMM crashes. Traffic is disrupted while tmm restarts.
Workaround:
Do not use compression, or use software compression instead of hardware compression. To configure for software compression, run the following command:
tmsh modify sys db compression.strategy value softwareonly
Fixed Versions:
12.1.3.5, 13.1.1
696731-3 : The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
Links to More Info: K94062594, BT696731
Component: TMOS
Symptoms:
The standard LinkUp/LinkDown traps are issued when a port's status changes; that is, the link goes up or down. Additionally, the network manager can administratively enable and disable ports. For some platforms, there is no reliably issued standard LinkUp/LinkDown trap when a port is administratively enabled/disabled.
Conditions:
Administratively disabling an interface on the BIG-IP system.
Impact:
The system may issue only the F5 link change trap and not the additional standard MIB trap; that is, the standard LinkUp/LinkDown traps may not be issued.
Workaround:
Use the F5-proprietary MIB: 1.3.6.1.4.1.3375.2.4.0.37 F5-BIG-IP-COMMON-MIB::BIG-IPExternalLinkChange trap to track administrative changes to links.
Fixed Versions:
13.1.1.2
696669-1 : Users cannot change or reset RSA PIN
Links to More Info: BT696669
Component: Access Policy Manager
Symptoms:
Users are not able to reset the PIN when the RSA SecurID or RADIUS Auth agent is included in an access policy.
Conditions:
- APM is licensed and provisioned.
- RSA SecurID or RADIUS Auth agent is included in an access policy.
- APM end user is challenged to reset the PIN or reenter the PIN/token.
Impact:
APM end users cannot reset the PIN or do not get authenticated.
Workaround:
There is no workaround.
Fix:
APM users can now successfully reset the PIN or reenter the token.
Fixed Versions:
13.1.1.2
696642-1 : monpd core is sometimes created when the system is under heavy load.
Links to More Info: BT696642
Component: Application Visibility and Reporting
Symptoms:
When the system is under heavy load, aggregation of statistics tables in the database sometimes takes too long and the watchdog is triggered. When that happens, the watchdog aborts the application and produces a core file.
Conditions:
-- System under heavy load.
-- Setting and resetting DoS profile on virtual servers.
-- Using AVR.
-- Displaying aggregated statistics.
Impact:
The system produces a monpd core file even though no real crash occurs.
Workaround:
None.
Fix:
The watchdog trigger no longer creates a core file by default under these conditions.
Fixed Versions:
13.1.0.8
696544-1 : APM end users cannot change/reset password when auth agents are included in per-req policy
Links to More Info: BT696544
Component: Access Policy Manager
Symptoms:
Users cannot change their password when AD, RADIUS, or LocalDB auth agents are included in a per-req policy.
Conditions:
- Per-req policy is attached to Virtual Server.
- AD Auth, RADIUS Auth, or LocalDB auth agents are included in the per-req policy.
- End user is challenged to change/reset the password.
Impact:
Users cannot change their password.
Fix:
Users can now successfully change or reset their password.
Fixed Versions:
13.1.1.2
696525-1 : B2250 blades experience degraded performance.
Links to More Info: BT696525
Component: Performance
Symptoms:
B2250 blades have degraded performance by up to 17%. This is caused by connections not being offloaded to hardware as often as expected.
Conditions:
This occurs when the FastL4 profile is configured to offload to hardware and the service provider DAG is configured and in use on B2250 blades.
Impact:
Performance will be degraded due to more connections being handled in software.
Workaround:
None.
Fix:
The performance issue for the B2250 blades has been fixed.
Fixed Versions:
13.1.0.1
696383-1 : PEM Diameter incomplete flow crashes when swept
Links to More Info: BT696383
Component: Policy Enforcement Manager
Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, the sweeper may encounter a tmm crash.
Conditions:
-- PEM Diameter flow not fully created.
-- The flow is suspended by an iRule.
-- There is a CMP state change (likely) or a manual cluster-mirror change (less likely) while the flow is suspended.
Impact:
The tmm restarts and all flows reset. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The PEM Diameter flow is now created in such a way as to prevent any crash by the sweeper.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.4
696348-2 : "GTP::ie insert" and "GTP::ie append" do not work without "-message" option
Links to More Info: BT696348
Component: Service Provider
Symptoms:
When "GTP::ie insert" or "GTP::ie append" is added to an iRule without the "-message" option, the following warning message is reported:
[The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:VALUE"1290 38]
Conditions:
Using the "GTP::ie insert" or "GTP::ie append" command without the "-message" option.
Impact:
The commands are still executed at runtime, but the warning message may confuse users.
Fix:
There is no warning message when using "GTP::ie insert" and "GTP::ie append" without "-message" option.
Fixed Versions:
13.1.3.4, 14.1.2.7, 15.1.0.5
696333-1 : Threat campaign filter does not return campaign if filter contains quotation marks
Links to More Info: BT696333
Component: Application Security Manager
Symptoms:
A threat campaign is not displayed in the GUI on the Security :: Application Security : Threat Campaigns page.
Conditions:
Filtering for a campaign name that contains a quotation mark.
Impact:
Threat campaign filter by name does not work.
Workaround:
There is no workaround other than not using quotation marks.
Fix:
REST escaping now supports this configuration.
Fixed Versions:
13.1.1.4
696294-1 : TMM core may be seen when using Application reporting with flow filter in PEM
Links to More Info: BT696294
Component: Policy Enforcement Manager
Symptoms:
TMM core with a flow filter when the Application reporting action is enabled.
Conditions:
Application reporting is enabled along with a flow filter.
Impact:
TMM restarts, causing a service interruption.
Fix:
The application start buffer is now initialized, which prevents the TMM core.
Fixed Versions:
12.1.3.6, 13.1.0.6
696265-5 : BD crash
Links to More Info: K60985582, BT696265
Component: Application Security Manager
Symptoms:
BD crash.
Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.
Impact:
Potential traffic disturbance and failover.
Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.
Fix:
Fixed a BD crash scenario.
Fixed Versions:
11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4
696260-1 : GUI Network Map as Start Screen presents database error
Links to More Info: K53103420, BT696260
Component: TMOS
Symptoms:
If the Network Map is set as the Preferences Start Screen, the GUI will display a database error page.
Conditions:
Set System :: Preferences : Start Screen to Network Map.
Impact:
Error page is displayed.
Workaround:
Navigate to the Network Map via the left navigation menu: Local Traffic :: Network Map.
Fix:
The Start Screen now launches successfully into the Network Map page.
Fixed Versions:
13.1.0.8
696212-1 : monpd does not return data for multi-dimension query
Links to More Info: BT696212
Component: Application Visibility and Reporting
Symptoms:
When querying 'time-series' data for multiple-dimensions, most multi-dimension queries receive an empty response.
Conditions:
This occurs because the order of entities in the query is not sorted by priority.
Impact:
The corresponding dashboard displays incorrect statistics.
Workaround:
There is no workaround at this time.
Fix:
The monpd process now performs two queries in order to get the 'time-series' data for multi-dimensions:
-- The first query gets the top entities.
-- The second query gets data that is 'drilled down' by the top entities, the ones received from the first query.
Fixed Versions:
13.1.0.8
696201-1 : Anomaly threshold floor calculation (for bins with very low learnt threshold) during signature generation
Links to More Info: BT696201
Component: Advanced Firewall Manager
Symptoms:
AFM might generate a dynamic signature for bins that have a very low learnt threshold from the learning phase if the current traffic rate spikes above the anomaly threshold floor, as specified by the db variable l4bdos.anomaly.threshold.floor.
Conditions:
AFM dynamic signature feature is enabled.
Impact:
This might cause AFM to generate signatures with higher false positives.
This is specifically due to incorrect application of the db variable 'l4bdos.anomaly.threshold.floor', which should be interpreted as the 'floor' value of the learnt threshold for any bin. That is, if the learnt threshold of a bin is lower than this db variable, the baseline threshold of the bin should be set to the db variable's value for the anomaly detection phase.
Workaround:
There is no workaround at this time.
Fix:
This issue is fixed by making sure that db variable 'l4bdos.anomaly.threshold.floor' is used as the 'floor' value of baseline thresholds for those bins that have a learnt threshold lower than this db variable.
Fixed Versions:
13.1.1.2
696191-1 : AVR-related disk partitions can get full during upgrade
Links to More Info: BT696191
Component: Application Visibility and Reporting
Symptoms:
The disk fills up during upgrade preparation when Application Visibility and Reporting (AVR) data is exported from the MySQL DB to the disk.
Conditions:
-- Upgrading from 13.1.x to a newer version.
-- AVR is provisioned.
Impact:
If /shared/avr and /shared/avr_afm are full, the upgrade could fail.
Workaround:
Delete all data from AVR DB before upgrade:
touch /var/avr/init_avrdb
bigstart restart monpd
As the upgrade can cause the disk to fill, here is an alternative workaround:
1. Save UCS file for backup purposes.
2. Manually move the contents from /shared/avr to /shared/tmp/avr:
--------
# mkdir /shared/tmp/avr
# mv /shared/avr/* /shared/tmp/avr
--------
3. Delete /shared/tmp/avr and files under this directory and check whether disk usage for /shared/avr has come down.
Fix:
AVR data compression has been introduced, and a single partition (/shared/avr) is now used instead of two partitions (/shared/avr_afm, /shared/avr).
As a result, the need for disk space is considerably reduced.
Fixed Versions:
13.1.3.2
696113-3 : Extra IPsec reference added per crypto operation overflows connflow refcount
Links to More Info: BT696113
Component: TMOS
Symptoms:
The size of the refcount field in connflow became smaller, making the length of some crypto queues in IPsec able to reach and exceed the maximum refcount value.
Conditions:
When a large data transfer under an IPsec SA creates a queue of crypto operations longer than the connflow's refcount can handle, the refcount can overflow.
Impact:
Unexpected tmm failover after refcount overflow.
Workaround:
There is no workaround at this time.
Fix:
An object tracking crypto operations now adds a single reference to the connflow for as long as the count of pending crypto operations is nonzero.
Fixed Versions:
12.1.3.6, 13.1.0.6
696073-2 : BD core on a specific scenario
Links to More Info: BT696073
Component: Application Security Manager
Symptoms:
The bd process crashes, and a core file is created in the /shared/core/ directory.
Conditions:
Specific request and response characteristics that relate to CSP headers sent by the server.
Impact:
Failover in high availability units.
Workaround:
Disable CSP headers handling in ASM by running the following commands:
/usr/share/ts/bin/add_del_internal add csp_enabled 0
bigstart restart asm
Fix:
The system now reinitializes the CSP headers before each response headers event, so this issue no longer occurs.
Fixed Versions:
13.1.0.4
696049-1 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
Links to More Info: BT696049
Component: Service Provider
Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.
Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.
Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.
Workaround:
None.
Fix:
Request_sequence_numbers are not assigned to response messages until the Tcl event is executed for that message. This avoids assigning the same number to multiple events.
Fixed Versions:
11.5.6, 11.6.3.2, 12.1.3.6, 13.1.0.4
695985-2 : Access HUD filter has URL length limit (4096 bytes)
Links to More Info: BT695985
Component: Access Policy Manager
Symptoms:
Access HUD filter cannot process a URL if it is longer than 4096 bytes.
Conditions:
Any request whose URL is longer than 4096 bytes.
Impact:
The URL cannot be processed, and client gets a RST.
Workaround:
None.
Fix:
In this release, the URL length limit increased to 8192 bytes.
Fixed Versions:
13.1.1.5, 14.0.0.5, 14.1.0.6
695968-1 : Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.
Links to More Info: BT695968
Component: Policy Enforcement Manager
Symptoms:
Memory leak resulting in a potential OOM scenario.
Conditions:
1. PEM configured with Gx
2. Flaky Diameter connection
3. Subscriber creation via PEM
Impact:
Potential loss of service.
Workaround:
There is no workaround at this time.
Fix:
Diameter messages are now freed appropriately.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.4
695953-1 : Custom URL Filter object is missing after load sys config TMSH command
Links to More Info: BT695953
Component: Access Policy Manager
Symptoms:
The custom URL Filter object created through TMSH or the GUI is not visible. If the filter object is referenced in an Access Policy, the policy fails to load when running the command: load sys config. The system logs errors similar to the following:
01070712:3: Values (/Common/custurlfilter) specified for URL Filter Lookup Agent (/Common/prp_act_url_filter_lookup_ag): foreign key index (name_FK) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.
Conditions:
-- A custom URL Filter object is configured.
-- SWG is not provisioned.
Impact:
The access policy fails to load if it references the URL Filter object. Running the 'load sys config' command in TMSH removes the filter.
Workaround:
You can use either of the following workarounds:
-- Provision SWG, and recreate the URL Filter.
-- Edit bigip.conf to include the URL Filter object.
Fix:
During 'load sys config', custom URL filters are now saved properly.
Fixed Versions:
13.0.1, 13.1.0.4
695925-1 : Tmm crash when showing connections for a CMP disabled virtual server
Links to More Info: BT695925
Component: Local Traffic Manager
Symptoms:
Tmm crashes when performing 'tmsh show sys connection' and there is a connection from a secondary blade to a CMP-disabled virtual server.
Conditions:
This occurs when all of the following conditions are met:
-- There is a CMP-disabled virtual server, or a floating self-IP address defined.
-- There is a connection to that server from the control plane of a secondary blade (this can include monitoring traffic).
-- Connections are displayed that include the connection from the secondary blade ('tmsh show sys connection').
Impact:
Tmm crashes and restarts impacting traffic.
Workaround:
Do not use 'cmp-enabled no' virtual servers when there will be connections from the BIG-IP control plane to the virtual server.
Avoid using tmsh show sys connection.
Fixed Versions:
11.6.4, 12.1.4, 13.1.1.2
695878-4 : Signature enforcement issue on specific requests
Links to More Info: BT695878
Component: Application Security Manager
Symptoms:
Request payload does not get enforced by attack signatures on a certain policy configuration with specific traffic.
Conditions:
-- The violation 'Request exceeds max buffer size' is turned off.
-- The request is longer than the max buffer size (i.e., a request is larger than the internal long_request_buffer_size).
Impact:
Attack signatures are not enforced on the payload of this request at all.
Workaround:
Turn on the 'Request exceeds max buffer size' violation in blocking mode.
Fix:
The system now inspects part of the payload for attack signature enforcement.
Fixed Versions:
11.5.6, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1
695707-5 : BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection
Links to More Info: BT695707
Component: Local Traffic Manager
Symptoms:
BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection.
Conditions:
Close an MPTCP connection.
Impact:
If a DATA_ACK is not received for the DATA_FIN, the connection will stall until it times out.
Workaround:
There is no workaround at this time.
Fix:
Keep the retransmission timer running if an MPTCP connection can retransmit a DATA_FIN.
Fixed Versions:
13.1.0.4
695563-1 : Improve speed of ASM initialization on first startup
Component: Application Security Manager
Symptoms:
ASM initialization on first startup takes a long time.
Conditions:
Provision ASM.
Impact:
ASM initialization takes a long time.
Workaround:
There is no workaround at this time.
Fix:
ASM initialization on first startup is faster.
Fixed Versions:
13.1.0.4
695072-2 : CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558
694922-5 : ASM Auto-Sync Device Group Does Not Sync
Links to More Info: BT694922
Component: Application Security Manager
Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.
Conditions:
1) ASM sync is enabled on an autosync device group
2) A new ASM entity is created on a device
Impact:
ASM configuration is not correctly synchronized between devices
Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic
Fix:
Devices no longer spuriously enter an untrusted state.
Fixed Versions:
11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4
694897-2 : Unsupported Copper SFP can trigger a crash on i4x00 platforms.
Links to More Info: BT694897
Component: TMOS
Symptoms:
PFMAND can crash when an unsupported Proline Copper SFP is inserted in the 1G interfaces.
Conditions:
-- Using Proline CuSFP, Part number FCLF8521P2BTLTAA.
-- Inserted into 1G interfaces.
-- On i4x00 platforms.
Impact:
PFMAND cores.
Workaround:
Use only F5-branded Copper SFPs.
Fix:
This release updates SFP string parsing in PFMAND to account for NULL-terminated vendor information.
Fixed Versions:
13.1.0.6
694849-1 : TMM crash when packet sampling is turned on for DNS BDOS signatures.
Links to More Info: BT694849
Component: Advanced Firewall Manager
Symptoms:
TMM crashes upon traffic matching a DNS BDOS signature if packet sampling is turned on by enabling db variable (l4bdos.signature.sample.packet.frequency).
Conditions:
DB variable l4bdos.signature.sample.packet.frequency is modified to a non-zero value (to collect DNS packet info upon matching a DNS dynamic signature).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable the packet sampling feature for BDOS signatures by setting the db variable l4bdos.signature.sample.packet.frequency to default value (0).
Fix:
TMM no longer crashes when packet sampling is turned on and traffic matches DNS BDOS signature.
Fixed Versions:
13.1.1.2
694778-1 : Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size
Links to More Info: BT694778
Component: Local Traffic Manager
Symptoms:
SSO-enabled Native RDP resources cannot be accessed via hardware (HW) BIG-IP systems with 'Intel Cave Creek' coprocessor (i.e., SSL connection cannot be established with the db variable 'crypto.hwacceleration' enabled, and RSA key used).
Conditions:
The failure might occur in the following scenario:
-- Running on Intel Cave Creek Engine (e.g., BIG-IP 2000 (C112) or 4000 (C113)).
-- Client OS is Mac, iOS, or Android.
-- HW crypto is enabled.
-- Using a virtual server with a client SSL profile and a 2048-bit RSA key.
-- Native RDP resource with enabled SSO is used on hardware BIG-IP with 'Intel Cave Creek' coprocessor.
-- Output buffer size differs from RSA private key size.
Impact:
-- SSL connection fails.
-- RDP client cannot launch the requested resource (desktop/application).
Workaround:
There is no workaround other than to disable crypto HW acceleration with the following command:
tmsh modify sys db crypto.hwacceleration value disable
Fix:
The SSL connection can now be established as expected. SSO-enabled Native RDP resources can now be accessed via hardware BIG-IP systems with the 'Intel Cave Creek' coprocessor (e.g., BIG-IP 2000 (C112) or 4000 (C113) platforms) from Mac, iOS, and Android clients.
Fixed Versions:
12.1.3.5, 13.1.1
694740-3 : BIG-IP reboot during a TMM core results in an incomplete core dump
Links to More Info: BT694740
Component: TMOS
Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then HSB panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On this platform, the reboot occurs before the core file is fully written, resulting in a truncated core.
Conditions:
An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.
Impact:
The reboot happens before the core dump completes, resulting in an incomplete core dump which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.
Workaround:
No workaround; does not hinder device operation, but does prevent post-crash analysis.
Fix:
Reboot is delayed until TMM core file is completed.
Fixed Versions:
12.1.3.6, 13.1.0.4
694717-1 : Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
Links to More Info: BT694717
Component: Policy Enforcement Manager
Symptoms:
TMM crashes.
Conditions:
A PEM iRule command that results in an inter-TMM lookup on a long-lived flow, where the command is hit several times. For example, a long-lived flow with multiple HTTP transactions.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Always release the connFlow reference associated with the TCL command to avoid a memory leak and potential crash.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.4
694696-5 : On multiblade Viprion, creating a new traffic-group causes the device to go Offline
Links to More Info: BT694696
Component: TMOS
Symptoms:
All devices in the failover device group will go offline, resulting in traffic disruption and possible failovers.
Conditions:
When a new traffic-group is created on a multiblade Viprion system that is a member of a sync-failover device group.
Impact:
Traffic to all other traffic-groups is disrupted for several seconds.
Workaround:
There is no workaround at this time.
Fix:
Creating a new traffic-group does not disrupt existing traffic-groups.
Fixed Versions:
12.1.3.2, 13.1.0.8
694656-1 : Routing changes may cause TMM to restart
Links to More Info: K05186205, BT694656
Component: Local Traffic Manager
Symptoms:
When routing changes are made while traffic is passing through the BIG-IP system, TMM might restart. This isn't a general issue, but can occur when other functionality is in use (such as Firewall NAT).
Conditions:
-- Routing changes occurring while BIG-IP is active and passing traffic.
-- Dynamic routing, due to its nature, is likely to increase the potential for the issue to occur.
-- Usage of Firewall NAT functionality is one specific case known to contribute to the issue (there may be others).
Impact:
TMM restarts, resulting in a failover and/or traffic outage.
Workaround:
If dynamic routing is not in use, avoiding static route changes may avoid the issue.
If dynamic routing is in use, there is no workaround.
Fix:
TMM now properly manages routing information for active connections.
Fixed Versions:
12.1.3.7, 13.1.0.6
694624-1 : SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor
Links to More Info: BT694624
Component: Access Policy Manager
Symptoms:
APM Webtop's SSO-enabled Native RDP resources can't be accessed via hardware BIG-IP systems with the "Intel Cave Creek" coprocessor (e.g., BIG-IP 2000 (C112) or 4000 (C113)) from Mac, iOS, and Android clients. Each launch attempt generates the following errors in /var/log/apm:
... err vdi[123] ... {45.C} RsaDecryptData error: AsyncError:5: InvalidData
... err vdi[123] ... {45.C} An exception is thrown: handshake: decryption failed or bad record mac
Conditions:
Native RDP resource with enabled SSO is used on hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113)).
The client OS is Mac, iOS or Android.
Impact:
RDP client can't launch requested resource (desktop/application).
Workaround:
Disable crypto HW acceleration with the following command:
tmsh modify sys db crypto.hwacceleration value disable
Fix:
SSO enabled Native RDP resources now can be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113) platforms) from Mac, iOS and Android clients.
Fixed Versions:
13.0.1, 13.1.0.4
694547-2 : TMSH save sys config creates unneeded generate_config processes.
Links to More Info: K74203532, BT694547
Component: TMOS
Symptoms:
When saving a configuration through TMSH or iControl REST, the system creates an unneeded process named generate_config.
Conditions:
Run tmsh save sys config, or the same command through iControl REST.
Impact:
One generate_config process is generated per save operation. If config save occurs often, these extraneous processes can slowly fill up the process table.
Workaround:
There is no real workaround except to avoid saving the config often enough to fill up the process table with these extraneous processes.
If this issue has already occurred, you can recover by locating the parent process that has an associated zombie process, and restart the parent process to purge the zombie processes. icrd_child and/or scriptd are the parent processes known to cause this issue. To find out which daemon to restart and how to restart it, perform the following procedure:
Impact of workaround: Restarting any daemon on the BIG-IP system may cause service disruption, and F5 recommends performing this procedure only during a scheduled maintenance period. For more information about daemons' functions, refer to K05645522: BIG-IP daemons (13.x) (https://support.f5.com/csp/article/K05645522).
1. If you are still logged on to the tmsh command-line utility that was performing the configuration-save operation, exit from it first.
2. Login to the BIG-IP system's advanced shell using an account with Administrator credentials.
3. Locate the zombie process and its parent process using the following command:
ps --forest | grep -B1 generate_config.*defunct
4. With the parent process name discovered in the previous step, restart the associated daemon using the following commands that apply:
-- For the icrd_child process: tmsh restart /sys service restjavad
-- For the scriptd process: tmsh restart /sys service scriptd
Fix:
tmsh save sys config no longer generates generate_config processes.
Fixed Versions:
13.1.0.8
694319-1 : CCA without a request type AVP cannot be tracked in PEM.
Links to More Info: BT694319
Component: Policy Enforcement Manager
Symptoms:
May cause diagnostic issues, as not all CCA messages can be tracked.
Conditions:
1. PEM with Gx/Gy configured
2. PCRF sends CCAs without a request type AVP.
Impact:
May hamper effective diagnostics.
Workaround:
Mitigation:
Configure the PCRF to always include a request type in its CCAs.
Fix:
A statistics counter has been added to track CCAs that do not include a request type AVP.
Name of the new counter: cca_unknown_type
Fixed Versions:
12.1.3.2, 13.1.0.4
694318-1 : PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.
Links to More Info: BT694318
Component: Policy Enforcement Manager
Symptoms:
Subscriber sessions in PEM will be stuck in a "Marked for Delete" state.
Conditions:
1. PEM provisioned with Gx.
2. PCRF responds to a CCR-t with a DIAMETER_TOO_BUSY return code and no Request type AVP.
Impact:
Subscriber sessions are stuck in the delete-pending state, resulting in a potential increase in memory consumption over a period of time.
Workaround:
Mitigation:
PCRF (remote Diameter end point) must send a CCA-t with a request type AVP in case a DIAMETER_TOO_BUSY return code is present.
Fix:
Handle the DIAMETER_TOO_BUSY return code on a CCA-t regardless of the request type AVP.
Fixed Versions:
12.1.3.2, 13.1.0.4
694078-1 : In rare cases, TMM may crash with high APM traffic
Links to More Info: BT694078
Component: Access Policy Manager
Symptoms:
Intermittent tmm core under load.
Conditions:
-- Provision APM (at least).
-- Additional required conditions are not well understood.
-- Seems more likely to occur when APM is provisioned with other modules, especially ASM or AVR.
Impact:
The BIG-IP system stops processing traffic while the TMM restarts.
Workaround:
None.
Fix:
Tmm core no longer occurs with high APM traffic.
Fixed Versions:
13.1.0.8
694073-3 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup
Links to More Info: BT694073
Component: Application Security Manager
Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.
Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).
Impact:
Low and incorrect visibility of signature update details.
Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.
Fix:
Signature updates are now shown correctly for all versions.
Fixed Versions:
11.6.3, 12.1.3.2, 13.1.0.2
693996-5 : MCPD sync errors and restart after multiple modifications to file object in chassis
Links to More Info: K42285625, BT693996
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Conditions:
Making multiple changes to the same file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.
Fixed Versions:
11.5.9, 11.6.5.1, 12.1.5, 13.1.1.2
693979 : Autoscale is not functional because of the change in file permission of the /shared/vadc/aws/iid-document document
Links to More Info: BT693979
Component: TMOS
Symptoms:
The file permissions of /shared/vadc/aws/iid-document changed, and as a result the autoscale feature fails.
Conditions:
Whenever autoscale is triggered.
Impact:
The autoscale feature does not work.
Workaround:
The permissions of /shared/vadc/aws/iid-document were never set explicitly; the file inherited its permission flags from /shared/vadc/. We now set the file permissions explicitly.
Fix:
The autoscale feature is functional after the change to the file permissions of /shared/vadc/aws/iid-document.
Fixed Versions:
13.1.0.2
693966-1 : TCP sndpack not reset along with other tcp profile stats
Links to More Info: BT693966
Component: Local Traffic Manager
Symptoms:
The TCP sndpack statistic is not reset when a tmsh reset-stats command is issued.
Conditions:
When tmsh reset-stats command is issued.
-- tmsh reset-stats /ltm profile tcp <profile-name>
Impact:
The TCP sndpack statistic does not reset when the tmsh reset-stats command is issued.
Workaround:
There is no workaround.
Fix:
With this fix, the TCP sndpack statistic resets when the tmsh reset-stats command is issued.
Fixed Versions:
13.1.1.2
693964-1 : Qkview utility may generate invalid XML in files contained in Qkview
Links to More Info: BT693964
Component: TMOS
Symptoms:
When Qkview runs, it may gather XML files that are not well-formed, and contain ASCII control characters. This is most commonly seen with mcp_module.xml.
An XML validator may report an error such as:
mcp_module.xml:536081: parser error : PCDATA invalid Char value 29
<msgs></msgs>
^
Conditions:
-- Running Qkview.
-- An ASCII control character exists within a certain string field.
Impact:
The control character will be written verbatim into XML without encoding. Automated tools (e.g., iHealth) that attempt to process these files may fail.
Workaround:
iHealth automatically detects and corrects this issue in uploaded Qkviews.
You can also correct the XML files with another tool: the Qkview file is a tar.gz archive, so it can be unpacked, the XML files edited to correct the formatting, and then repacked. The xmllint command-line tool (present on the BIG-IP system) can also recover valid XML by removing the invalid characters.
To do so, you can run a command similar to the following:
xmllint --recover mcp_module.xml --output mcp_module.xml
Fix:
Qkview no longer writes control characters in XML text, but instead processes them as expected.
Fixed Versions:
13.1.0.6
693910-4 : Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
Links to More Info: BT693910
Component: Local Traffic Manager
Symptoms:
Some MAC addresses might experience delayed forwarding after the interface on which they were learned transitions to an STP blocked state. This is because the FDB entries are not flushed on these interfaces after they change to the blocked state. Traffic destined to these MAC addresses is dropped until their associated entries in the FDB age out.
Conditions:
MAC addresses are learned on an STP forwarding interface that transitions to the blocked state following a topology change.
Impact:
Traffic interruption for up to a few minutes for MAC addresses learned on the affected interface.
Workaround:
None.
Fix:
FDB entries are now flushed per interface whenever an interface transitions to an STP blocked state.
Fixed Versions:
12.1.4, 13.1.0.6
693901-4 : Active FTP data connection may change source port on client-side
Links to More Info: BT693901
Component: Local Traffic Manager
Symptoms:
The active FTP data connection on the client side may use a source port other than the one configured in the 'Data Port' parameter of the FTP profile.
Conditions:
An FTP profile is attached to a virtual server, and the 'Data Port' parameter is either left at its default (20) or defined as a specific value.
Impact:
Active FTP data connection may be blocked by firewalls that expect a pre-defined source port.
Workaround:
None.
Fix:
Strict preserve-source-port mode is now applied to the active FTP data connection when the 'Data Port' parameter is defined. When the 'Data Port' parameter is set to 0, the source port mode of the control plane FTP virtual server is used.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4
693884-1 : ospfd core on secondary blade during network instability
Links to More Info: BT693884
Component: TMOS
Symptoms:
ospfd cores on a secondary blade while the network is unstable.
Conditions:
-- Dynamic routing configured with OSPF on a chassis.
-- During a period of network instability.
Impact:
The dynamic routing process ospfd cores on a secondary blade.
Workaround:
None.
Fixed Versions:
12.1.4, 13.1.1.4
693844-1 : APMD may restart continuously and cannot come up
Links to More Info: K58335157 , BT693844
Component: Access Policy Manager
Symptoms:
The apmd process cannot start correctly and restarts in an infinite loop. When apmd initializes the Allow Ending agent, the process tries to load all resources (including ACLs, the webtop, and all resources for every webtop, app tunnels, RDP, etc.). The configuration most likely to encounter this issue is one with many ACLs. For example, if you have thousands of ACL records, the Allow agent pulls them all at once. If the mcpd process is consumed with other operations, apmd might not be able to initialize the Allow agent within 30 seconds, so it restarts, at which point the process again tries to load all resources, cannot complete within the 30 seconds, and restarts in a loop.
Conditions:
Too many resources are assigned in an Access Policy profile, for example thousands of ACLs.
apmd cannot initialize the Allow Ending agent within 30 seconds and decides that it has stopped responding. It then restarts on its own, but the problem is not solved, so it restarts in a loop.
Impact:
APM end users cannot authenticate.
Workaround:
Reduce the number of resources so that every agent can initialize within the 30-second timeframe.
Fixed Versions:
13.1.0.4
693780-1 : Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices
Links to More Info: BT693780
Component: Application Security Manager
Symptoms:
When a request arrives from UC Browser running on iOS without the TSPD_101 cookie (the Proactive Bot Defense cookie), the BIG-IP system responds with a CAPTCHA challenge.
Conditions:
A DoS profile is attached to a virtual server.
The DoS profile has application security enabled.
The DoS profile has Proactive Bot Defense enabled.
Impact:
UC Browser end users are presented with a CAPTCHA challenge.
Workaround:
Increase the Proactive Bot Defense score threshold. The current value can be listed with:
list sys db dosl7.browser_legit_min_score_captcha
sys db dosl7.browser_legit_min_score_captcha {
value "60"
}
Fix:
The user agent parser has been adjusted for UC Browser. UC Browser is now detected as Safari on iOS.
Fixed Versions:
13.1.0.4
693694-1 : tmsh::load within iApp template results in unpredictable behavior
Links to More Info: BT693694
Component: iApp Technology
Symptoms:
The tmsh::load command within an iApp template triggers a transaction within a transaction, which is not supported by MCP. One unexpected behavior is seen with a template that has both an ASM policy and an LTM policy: the iApp framework does not let the user reconfigure the application service without turning off strict updates, and rerunning the template breaks the association between the LTM policy and the ASM policy.
Conditions:
The tmsh::load command is used in the template to create an ASM policy. The issue is not seen with tmsh::create.
Impact:
The association between the LTM policy and the ASM policy is broken.
Workaround:
Use tmsh::create or tmsh::modify to create or update the ASM policy from the iApp template.
Fixed Versions:
13.1.0.8
693663-1 : Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode
Links to More Info: BT693663
Component: Application Security Manager
Symptoms:
When a request arrives from Firefox running on iOS in desktop mode without the TSPD_101 cookie (the Proactive Bot Defense cookie), the BIG-IP system responds with a CAPTCHA challenge.
Conditions:
A DoS profile is attached to a virtual server.
The DoS profile has application security enabled.
The DoS profile has Proactive Bot Defense enabled.
Impact:
Firefox (iOS desktop mode only) end users are presented with a CAPTCHA challenge.
Workaround:
Increase the Proactive Bot Defense score threshold. The current value can be listed with:
list sys db dosl7.browser_legit_min_score_captcha
sys db dosl7.browser_legit_min_score_captcha {
value "60"
}
Fix:
The user agent parser has been adjusted for Firefox running in desktop mode. The browser is detected as Safari on a PC, and the browser version is taken from the Mac version number.
Fixed Versions:
13.1.0.4
693611-3 : IKEv2 ike-peer might crash on stats object during peer modification update
Links to More Info: K76313256 , BT693611
Component: TMOS
Symptoms:
A crash occurs upon passing traffic through the IPsec interface.
Conditions:
When an ike-peer is updated, or first defined at startup.
Impact:
TMM restarts after the crash. Traffic is disrupted while TMM restarts.
Workaround:
No workaround is known at this time.
Fix:
IKEv2 ike-peer no longer crashes on stats object during peer modification update.
Fixed Versions:
13.1.1.2
693582-1 : Monitor node log not rotated for certain monitor types
Links to More Info: BT693582
Component: Local Traffic Manager
Symptoms:
When Monitor Logging is enabled for an LTM node or pool member using certain monitor types, the monitor node log under /var/log/monitors/ is not rotated or compressed when log rotation occurs.
Conditions:
-- This occurs if Monitor Logging is enabled for an LTM node or pool member, and the LTM node or pool member uses any of the following monitor types:
- icmp
- gateway-icmp
- external
-- This also can happen with tcp-half-open if the monitor is down.
Impact:
Depending on the affected BIG-IP software version in use, effects may include the following symptoms:
1. The active monitor node log is not rotated (not renamed from *.log to *.log.1).
2. The active monitor node log is rotated (renamed from *.log to *.log.1), but subsequent messages are logged to the rotated log file (*.log.1) instead of to the 'current' log file name (*.log).
3. The active monitor node log is not compressed (*.log.2.gz) when log rotation occurs.
Workaround:
To allow logging to the correct monitor node log file to occur, and for rotated monitor node log files to be compressed, disable Monitor Logging for the affected node or pool members.
-- If symptom #1 occurs, Monitor Logging can be re-enabled after log rotation has occurred.
-- To address symptoms #2 or #3, Monitor Logging can be re-enabled immediately.
For more information on Monitor Logging, see:
K12531: Troubleshooting health monitors :: https://support.f5.com/csp/article/K12531.
Fix:
Monitor node logs are now rotated/compressed as expected.
Fixed Versions:
12.1.4, 13.1.3.2
693578-2 : switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0
Links to More Info: BT693578
Component: TMOS
Symptoms:
switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0
Conditions:
None
Impact:
switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0
Workaround:
None
Fix:
No fix.
Fixed Versions:
13.1.1.2
693491-1 : ASM with Web Acceleration Profile can rarely cause TMM to core
Links to More Info: BT693491
Component: Local Traffic Manager
Symptoms:
TMM cores while passing web traffic. TMM stays down following the crash, even after traffic has stopped.
Conditions:
ASM is provisioned together with a web acceleration profile.
Impact:
Data forwarding causes TMM to core. Traffic is disrupted while TMM restarts.
Workaround:
None.
Fix:
Tmm no longer cores under these conditions.
Fixed Versions:
13.1.3.2
693388-2 : Log additional HSB registers when device becomes unresponsive
Links to More Info: BT693388
Component: TMOS
Symptoms:
HSB becomes unresponsive, and logs no registers to indicate the state of the device. There is no logging of additional registers to assist in diagnosing the failure.
Conditions:
It is unknown under what conditions the HSB becomes unresponsive.
Impact:
Limited visibility into the HSB state when it becomes unresponsive.
Workaround:
None.
Fix:
There is now logging of additional registers to assist in diagnosing the failure.
The registers can be seen in the TMM log files when there is either an HSB transmit or receive failure.
Fixed Versions:
12.1.4.1, 13.1.3
693359-1 : AWS M5 and C5 instance families are supported
Links to More Info: BT693359
Component: TMOS
Symptoms:
AWS has announced support for M5 and C5 instance families. No previous BIG-IP Virtual Edition (VE) software supports these new AWS instance families.
Conditions:
Attempting to install pre-v14.0.0.1 VE software on M5 and C5 instance families.
Impact:
The system experiences a kernel panic and might crash.
Workaround:
None.
Fix:
All necessary components are added to support AWS M5 and C5 instance families.
Behavior Change:
No previous BIG-IP Virtual Edition (VE) software supports the newly announced AWS M5 and C5 instance families. Version 14.0.0.1 officially supports the AWS M5 and C5 instance families.
Fixed Versions:
13.1.1, 14.0.0.1
693308-1 : SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain
Links to More Info: BT693308
Component: Local Traffic Manager
Symptoms:
When a very large Client Certificate Chain, typically exceeding 16,384 bytes, is received by BIG-IP on a virtual service, and Session Persistence is enabled, the handshake hangs.
Conditions:
[1] SSL client authentication is enabled on the backend server
[2] No SSL profile is specified on the BIG-IP device for the virtual service, on both the client and server sides.
[3] An SSL connection is initiated from the front-end client, via the BIG-IP's virtual service, to the backend server.
[4] The client certificate chain is passed to the BIG-IP device as part of initiating the connection.
Impact:
The backend server is not securely accessible via SSL because the connection hangs.
Workaround:
Disable SSL Session Persistence.
Fix:
Whenever a fragmented message is received by a BIG-IP virtual service, each subsequent message carries a 5-byte header, which must be accounted for. With this taken into account, the Session Persistence parser no longer finds multiples of 5 bytes missing while parsing the message, and no longer hangs.
Fixed Versions:
12.1.3.7, 13.1.0.8
693244-2 : BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned
Links to More Info: BT693244
Component: Local Traffic Manager
Symptoms:
BIG-IP silently drops the server-side TCP flow when it receives a client-side reset and the server-side flow is still in the SYN-SENT state.
Conditions:
BIG-IP receives a client-side reset when the client-side TCP flow is in the ESTABLISHED state and the server-side TCP flow is in the SYN-SENT state; the server-side flow is silently dropped.
Impact:
Since the server-side pool member does not receive the RST, it remains in the SYN-RECEIVED state until it runs out of SYN retransmissions and eventually, due to timeout, returns to the LISTEN state.
Fix:
BIG-IP now resets the server-side TCP flow with an RST when it receives a client-side reset and the server-side flow is still in the SYN-SENT state.
Fixed Versions:
13.1.0.6, 14.0.0.3
693106-1 : IKEv1 newest established phase-one SAs should be found first in a search
Links to More Info: BT693106
Component: TMOS
Symptoms:
Some IKEv1 implementations might delete "duplicate" phase one IKE SAs, even though not yet expired, keeping only the most recently negotiated IKE-SA. If this happens, and BIG-IP uses an older SA to negotiate, then phase two negotiation can fail.
If at all possible, we want BIG-IP to prefer the newest SA for a given remote peer. If a peer deletes a second SA without notifying BIG-IP, preferring the newest SA may mitigate the problem.
Conditions:
The situation arises most easily when two peers initiate a new IKE-SA at the same time, so that both are negotiated concurrently, since neither has yet been established. Afterward, there are two IKE-SAs for one remote peer, of nearly the same age.
If the other end deletes a duplicate without sending a DELETE message to BIG-IP, we might accidentally use the older SA of the pair.
Impact:
If BIG-IP picks a mature IKE-SA for phase two negotiation that has been deleted by a peer, then BIG-IP's attempt to negotiate a new phase two SA will fail.
Workaround:
Try to configure other IPsec implementations to avoid deleting duplicate IKE-SAs.
Fix:
At the moment a new IKE-SA is established, we now move that SA to the head of the hashmap bucket that is searched for that remote peer in the future. This makes us more likely to use the newest SA, from the perspective of the remote peer, the next time we initiate another phase two negotiation ourselves.
Fixed Versions:
12.1.3.6, 13.1.1.4
693007-1 : Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC
Links to More Info: BT693007
Component: Global Traffic Manager (DNS)
Symptoms:
The current IPv4 address for b.root-servers.net is 192.228.79.201. The IPv4 address for b.root-servers.net will be renumbered to 199.9.14.201, effective 2017-10-24. The older number will be invalid after that date.
Conditions:
Several profiles contain the b.root-servers.net IPv4 address as 192.228.79.201.
Impact:
The impact is likely minimal, at most a single timeout for pending TLD queries when they happen to round-robin onto an old IP address, probably not more often than the hint's TTL, which is more than a month, and even this should cause a timeout only when the old IP actually stops responding.
Workaround:
Update the root hints for all affected profiles manually, except the hardwired ones.
Fix:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24.
Behavior Change:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24, according to InterNIC. The old IPv4 address (192.228.79.201) will continue to answer queries for at least 6 months.
Fixed Versions:
12.1.3.6, 13.1.0.4
692970-2 : Using UDP port 67 for purposes other than DHCP might cause TMM to crash
Links to More Info: BT692970
Component: Local Traffic Manager
Symptoms:
DHCP relay presumes that a flow found via lookup is always a server-side flow of type DHCP relay. Hence TMM can crash when DHCP relay makes a server connection if UDP port 67 is used for another purpose, in which case a wrong DHCP server flow could be selected.
Conditions:
UDP port 67 is configured for a purpose other than DHCP relay.
Impact:
TMM restart causes traffic interruption or failover.
Workaround:
Do not use UDP port 67 for other virtual servers, or configure a drop listener on certain VLANs that cannot avoid using UDP port 67.
Fix:
TMM now validates the DHCP flow and no longer crashes.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.4
692941-1 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
Links to More Info: BT692941
Component: Global Traffic Manager (DNS)
Symptoms:
Changing a wide IP causes gtmd and tmm to core under certain conditions.
Conditions:
-- A GTM pool is removed while it is referenced by a persist record.
-- That record is accessed before it is purged.
Impact:
gtmd and/or tmm core. Traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
Changing a wide IP no longer causes gtmd and tmm to core when a GTM pool is removed while it is referenced by a persist record and that record is accessed before it is purged.
Fixed Versions:
11.5.9, 12.1.3.2, 13.1.0.4
692890-3 : Adding support for BIG-IP 800 in 13.1.x
Links to More Info: BT692890
Component: TMOS
Symptoms:
Installing software version 13.1.0 fails on BIG-IP 800.
# tmsh show sys soft
---------------------------------------------------------
Sys::Software Status
Volume Product Version Build Active Status
---------------------------------------------------------
HD1.1 BIG-IP 13.1.0 0.0.1868 no failed (Failed to install.)
HD1.2 BIG-IP 13.0.0 0.0.1645 yes complete
HD1.3 BIG-IP 11.6.0 0.0.401 no complete
---------------------------
Sys::Software Update Check
---------------------------
Check Enabled true
Phonehome Enabled true
Frequency weekly
Status none
Errors 0
The system logs the following messages in /var/log/liveinstall.log:
info: Hardware is lm capable
info: System is lm capable
info: Adding application-package ltm7-application/noarch to transaction.
info: Adding application-package ros7-application/noarch to transaction.
info: Adding application-package sam-main/noarch to transaction.
info: Adding application-package sum-application/noarch to transaction.
info: Adding application-package ts-application/noarch to transaction.
info: Adding application-package wa-master/noarch to transaction.
info: Adding application-package (lm) woc-application-lm/noarch to transaction.
error: Product has no root package for Mercury
error: couldn't get package list file for LTM.ROS.SAM.SUM.TS.WA.WOC group
Terminal error: Failed to install.
*** Live install end at 2018/01/02 13:29:45: failed (return code 255) ***
Conditions:
-- Installing or upgrading to v13.1.x.
-- Using the BIG-IP 800 platform.
Impact:
The installation or upgrade fails.
Workaround:
None.
Fix:
Installation now completes successfully on the BIG-IP 800 platform.
Fixed Versions:
13.1.0.4
692753-1 : shutting down trap not sent when shutdown -r or shutdown -h issued from shell
Links to More Info: BT692753
Component: TMOS
Symptoms:
The shutting down trap is not sent when shutdown -r or shutdown -h is issued from the shell.
Conditions:
When a user accesses the Linux shell and issues "shutdown -h" or "shutdown -r", the BIG-IP system does not send the shutting down trap.
Impact:
None.
Since this is a user-triggered command, the user is aware of the shutdown event, so the lack of a trap is not critical.
Workaround:
None
Fix:
The shutdown trap is now sent when a user issues "shutdown -r" or "shutdown -h" from the Linux shell.
Fixed Versions:
13.1.0.4
692683-1 : Core with /usr/bin/tmm.debug at qa_device_mgr_uninit
Links to More Info: BT692683
Component: TMOS
Symptoms:
Running a debug version of tmm (/usr/bin/tmm.debug) on BIG-IP 2xxx and 4xxx platforms crashes at qa_device_mgr_uninit when issuing either of the following commands:
-- bigstart stop tmm
-- bigstart restart tmm
Conditions:
-- Running a debug version of tmm.
-- BIG-IP 2xxx and 4xxx platforms.
-- Running either of the following commands:
+ bigstart stop tmm
+ bigstart restart tmm
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not using a debug version of tmm on BIG-IP 2xxx and 4xxx platforms.
Fix:
tmm no longer halts and restarts under these conditions.
Fixed Versions:
13.1.0.6
692557-1 : When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted.
Links to More Info: BT692557
Component: Access Policy Manager
Symptoms:
After processing signed authentication requests from external SAML SP, SAML IdP may corrupt a block of tmm memory.
Conditions:
- BIG-IP system is configured as SAML IdP.
- IdP is configured with external SP's signing certificate.
- External SP sends signed authentication request.
Impact:
Various negative effects are possible, including a TMM core. Traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
BIG-IP as SAML IdP no longer causes memory corruption when handling certain traffic.
Fixed Versions:
13.0.1, 13.1.0.4
692328-1 : Tmm core due to incorrect memory allocation
Links to More Info: BT692328
Component: Advanced Firewall Manager
Symptoms:
In a rare condition after provisioning AFM, tmm cores.
The following line appears in avrd.log:
/usr/bin/avrinstall -c20 -t10 -s2401000 --provisionAVR=0 --provisionASM=0 --provisionAFM=0 --provisionPBD=0 --provisionAPM=0 --provisionFPS=0 --provisionPEM=0 --provisionVCMP=0
Conditions:
AFM provisioned.
An attack has started.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
The fix checks that the shared memory was allocated correctly before reporting on an attack.
Fixed Versions:
13.1.0.4
692310-2 : ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body
Links to More Info: K69250459 , BT692310
Component: Service Provider
Symptoms:
When a modified HTTP v1.1 request or response is returned from an ICAP server and has no body (and also no content-length), a 'Transfer-Encoding: chunked' header is added and a zero-length chunk is appended.
Conditions:
-- HTTP profile.
-- Either request-adapt or response-adapt profile.
-- Modified HTTP v1.1 request/response has no body (and no content-length header).
Impact:
The HTTP server or client to which the modified request or response is destined receives invalid HTTP and might behave in an unexpected manner.
Workaround:
Use an iRule to detect the lack of a Content-Length header in the modified request or response, and insert 'Content-Length: 0'.
For example, with a modified request (in Tcl, the header name must be double-quoted; single quotes would make the check look for a header literally named 'Content-Length' including the quote characters):
when ADAPT_REQUEST_HEADERS {
    if { ([HTTP::method] eq "GET") and (not [HTTP::header exists "Content-Length"]) } {
        HTTP::header insert Content-Length 0
    }
}
Similarly, use ADAPT_RESPONSE_HEADERS {} for a response.
Fix:
A modified HTTP v1.1 request or response with no body is never 'chunked'.
Fixed Versions:
13.1.0.8
692307-3 : User with 'operator' role may not be able to view some session variables
Links to More Info: BT692307
Component: Access Policy Manager
Symptoms:
When a user with the 'operator' role tries to view the session variables, the GUI may show the following error: An error has occurred while trying to process you request.
Conditions:
This occurs when a huge blob of data is associated with the user whose session variables are being viewed, for example Active Directory (AD) user accounts with thumbnailphoto and userCertificate attributes containing binary data.
Impact:
The user cannot view the session variables for those particular sessions. The data is available, however, by clicking on the Session ID.
Workaround:
Find this data by clicking on the Session ID.
Fix:
A user with the 'operator' role can now view all expected session variables.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.4
692279-1 : Request logging is briefly suspended after policy re-assignment
Links to More Info: BT692279
Component: Application Security Manager
Symptoms:
Requests are not logged locally.
Conditions:
This can occur under either of the following conditions:
-- Changes are made to a policy and/or the policy is assigned to a virtual server.
-- A failover event moves the virtual server and policy to the other slot.
Impact:
Request logging is briefly suspended. Some log messages are not logged.
Workaround:
None.
Fix:
Requests are logged to the local logger immediately after policy assignment.
Fixed Versions:
13.1.3.5
692189-1 : errdefsd fails to generate a core file on request.
Links to More Info: BT692189
Component: TMOS
Symptoms:
Should errdefsd crash or be manually cored for the purpose of gathering diagnostic information, no core file will be generated.
Conditions:
Forcing errdefsd to core for diagnostic purposes.
Impact:
Increased communication required with F5 Support when attempting to diagnose problems with errdefsd.
Workaround:
1. Add the following lines to the errdefsd startup script, /etc/bigstart/scripts/errdefsd (shown in diff format: the lines marked '>' are inserted after line 16):
16a17,19
> # set resource limits, affinity, etc
> setproperties ${service}
>
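Review bot: the inserted `setproperties ${service}` call relies on `${service}` already being assigned and on the `setproperties` function being defined or sourced above line 16 of /etc/bigstart/scripts/errdefsd; neither is visible in this hunk, so confirm both before the `bigstart restart errdefsd` step, since a shell script that calls an undefined function fails at that point instead of applying the resource limits the comment describes.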
2. Run the following command: bigstart restart errdefsd
Fix:
errdefsd now generates a core file when forced to core.
Fixed Versions:
12.1.4, 13.1.1.2
692179-1 : Potential high memory usage from errdefsd.
Links to More Info: BT692179
Component: TMOS
Symptoms:
errdefsd memory usage grows with each config-sync or config update.
Conditions:
Ever increasing errdefsd memory usage is visible when the following conditions are met:
-- Config updates are frequent.
-- management-port logging is not being used.
Impact:
In extreme cases, errdefsd memory usage might increase userland memory-pressure. Note, however, that it isn't actually using the extra memory, so while Virtual Memory Size (VSZ) might be high, Resident Set Size (RSS) need not be.
Workaround:
A workaround for this problem is to periodically send logs to a management-port destination. The destination may be as simple as a dummy UDP port on 127.0.0.1. Adding such a destination to the publisher for an existing, active log source will work. errdefsd just needs a reason to process and flush accumulating configurations.
Fix:
With this fix, errdefsd checks for config changes once every second, in addition to checking whenever management-port destination logs come in.
Fixed Versions:
12.1.3.6, 13.1.1.2
692165-1 : A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token
Links to More Info: BT692165
Component: TMOS
Symptoms:
For some HTTP requests, a request-log profile can log nothing for the $VIRTUAL_POOL_NAME token (which expands to an empty string in the resulting logs).
Conditions:
- The virtual server where the request-log profile is used also uses OneConnect.
- The client uses HTTP Keep-Alive and sends multiple HTTP requests over the same TCP connection.
Impact:
For all HTTP requests the client sends except the first one, the $VIRTUAL_POOL_NAME token logs nothing. As a result, a BIG-IP Administrator may struggle to determine which pool serviced which request.
Workaround:
The $SERVER_IP and $SERVER_PORT tokens work for all requests, and so if those are also being logged it may be possible to deduce the pool name from that information.
However, there is no workaround to make the $VIRTUAL_POOL_NAME token work all of the time.
Fixed Versions:
12.1.5, 13.1.3.5
692158-1 : iCall and CLI script memory leak when saving configuration
Links to More Info: BT692158
Component: TMOS
Symptoms:
Whenever an iCall script or CLI script saves the configuration, the scriptd process on the device leaks memory.
Conditions:
Use of iCall or CLI scripts to save the configuration.
Impact:
Repeated invocation might cause the system to run out of memory eventually, causing tmm to restart and disrupting traffic.
Workaround:
There is no workaround other than not saving the configuration from iCall or CLI scripts.
Fix:
scriptd process on the device no longer leaks memory when iCall and CLI scripts are used to save the configuration.
Fixed Versions:
12.1.3.6, 13.1.1.2, 14.0.0
692123 : GET parameter is grayed out if MobileSafe is not licensed
Links to More Info: BT692123
Component: Fraud Protection Services
Symptoms:
GET parameter is grayed out if MobileSafe is not licensed.
Conditions:
-- Provision FPS on a system whose license has at least one active feature.
-- Do not license MobileSafe.
Impact:
In FPS Parameter's list, the GET method is always grayed out.
Workaround:
Use either of the following workarounds:
-- License MobileSafe.
-- Use TMSH or REST.
Fix:
The GET method is no longer grayed out if MobileSafe is not licensed.
Fixed Versions:
12.1.3.2, 13.1.0.2
692095-1 : bigd logs monitor status unknown for FQDN Node/Pool Member
Links to More Info: K65311501 , BT692095
Component: Local Traffic Manager
Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]
Conditions:
This may occur if the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.
Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.
Workaround:
None.
Fix:
An FQDN-configured node or pool member logs each internal monitor status, including for scenarios of 'checking' and 'no address' for FQDN template nodes which were previously logged as 'unknown'.
Fixed Versions:
11.6.3.3, 12.1.3.2, 13.1.0.8
691945-1 : Security Policy Configuration Changes When Disabling Learning
Links to More Info: BT691945
Component: Application Security Manager
Symptoms:
When Learning is enabled in either manual or automatic mode and is then disabled, this was considered to be the end of the learning process, so changes are automatically made to the default wildcard entities ("*" URL, Parameter, Filetype), such as removing the element from staging.
The user is not notified of these changes, and they may not be expected, leading to undesired security enforcement.
Conditions:
-- Learning is enabled in Manual or Automatic mode.
-- Learning is then disabled.
Impact:
Unexpected changes to the default wildcard elements in the policy can lead to undesired security enforcement.
Workaround:
The audit log shows all changes that were made to the policy, and undesired changes can be remedied before the policy changes are applied.
Fix:
No changes are made to the default wildcard entities upon disabling of learning.
Fixed Versions:
12.1.4.1, 13.1.1.5
691897-3 : Names of the modified cookies do not appear in the event log
Links to More Info: BT691897
Component: Application Security Manager
Symptoms:
A modified domain cookies violation happened. When trying to see additional details by clicking the violation link, the name and value of the modified cookie are empty.
Conditions:
A modified domain cookies violation happens.
Note: This can happen only if there are also non-modified or staged cookies.
Impact:
Expected violation details are not displayed.
Workaround:
There is no workaround at this time.
Fix:
Issue with modified domain cookie violation details is now fixed.
Fixed Versions:
12.1.3.6, 13.1.0.8
691806-1 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
Links to More Info: K61815412 , BT691806
Component: Local Traffic Manager
Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.
Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.
Impact:
The BIG-IP system resets connection with RST.
Workaround:
None.
Fix:
The BIG-IP system now responds with FIN/ACK to early FIN/ACK.
Fixed Versions:
11.5.7, 11.6.3.3, 12.1.3.6, 13.1.0.4
691785-1 : The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes
Links to More Info: BT691785
Component: Local Traffic Manager
Symptoms:
The bcm570x driver will cause TMM to core with the log message:
panic: ifoutput: packet_data_compact failed to reduce pkt size below 4.
Conditions:
-- Running on a platform that uses the bcm570x driver (BIG-IP 800, 1600, 3600).
-- A packet larger than 6144 bytes is transmitted from the BIG-IP system.
Impact:
TMM core. Failover or outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Removed the panic statement that caused TMM to core. TMM will now log an error and drop the packet instead.
Fixed Versions:
13.1.1.2
691670-5 : Rare BD crash in a specific scenario
Links to More Info: BT691670
Component: Application Security Manager
Symptoms:
BD crash or False reporting of signature ID 200023003.
Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).
Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.
Workaround:
Removing attack signature 200023003 from the security policy stops the issue.
Fix:
Fixed a bug in the signatures engine that caused false positive reporting of a signature. In some rare cases, this false reporting could cause a crash.
A newly released attack signature update changes the signature in a way that it no longer causes the issue to happen.
Fixed Versions:
11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.2
691609-1 : 1NIC: Configuration error: Clearing IP on interface mgmt failed - Cannot assign requested address
Links to More Info: BT691609
Component: TMOS
Symptoms:
The error:
Configuration error: Clearing IP on interface mgmt failed - Cannot assign requested add
Conditions:
Starting VE in 1NIC mode without a DHCP server and configuring the management interface.
Impact:
No management IP or Self IP.
Workaround:
There is no workaround at this time.
Fix:
Configuring the management IP in 1NIC mode now works.
Fixed Versions:
13.1.1.2
691589-4 : When using LDAP client auth, tamd may become stuck
Links to More Info: BT691589
Component: TMOS
Symptoms:
When a virtual server uses an LDAP auth profile for client authentication, the system can get into a state where all authentications time out. This condition persists until tamd restarts. Traffic analysis between the BIG-IP system and the LDAP server shows that the BIG-IP system makes a TCP handshake with the server, then immediately sends FIN. Tamd cores may be seen.
Conditions:
-- Virtual server using LDAP auth profile.
-- BIG-IP system makes a TCP handshake with the server, then immediately sends FIN.
Impact:
Authentication to the virtual server fails until tamd is restarted.
Workaround:
To recover, restart tamd by running the following command: bigstart restart tamd
Fix:
tamd no longer becomes stuck when using LDAP client auth.
Fixed Versions:
12.1.4, 13.1.1.2
691499-1 : GTP::ie primitives in iRule to be certified
Links to More Info: BT691499
Component: Service Provider
Symptoms:
The following commands in iRules are created and available but not officially tested and approved:
GTP::ie set instance/value
GTP::ie insert
GTP::ie append
GTP::ie remove
Conditions:
Using the following iRule commands:
GTP::ie set instance/value
GTP::ie insert
GTP::ie append
GTP::ie remove
Impact:
Although you can use these iRule commands, their functionality has not been tested and approved.
Workaround:
None.
Fix:
GTP::ie primitives in iRule are now certified.
Behavior Change:
Certified pre-existing iRules:
-- GTP::ie set instance <ie-path> <instance>
Assigns <instance> to the information element (IE) instance at <ie-path>.
-- GTP::ie set value <ie-path> <value>
Assigns <value> to the IE value at <ie-path>.
-- GTP::ie insert <ie-path> <type> <instance> <value>
Inserts a new IE of type <type> and instance <instance> with value <value> at <ie-path>
-- GTP::ie append [<ie-path>] <type> <instance> <value>
Appends a new IE of type <type> and instance <instance> with value <value> to the end of the embedded IEs of the grouped IE specified by <ie-path>, or to the end of the message if the grouped-IE <ie-path> is absent.
-- GTP::ie remove <ie-path>
Removes IE specified by <ie-path>.
Fixed Versions:
13.1.3.4, 14.1.2.7, 15.1.0.5
691498-3 : Connection failure during iRule DNS lookup can crash TMM
Links to More Info: BT691498
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes in the DNS response cache periodic sweep.
Conditions:
The DNS resolver connection fails after a successful lookup response is cached. This has been reproduced with a failure due to a lost route. Other failures such as down ports do not cause a crash.
Impact:
The TMM cores and automatically restarts. Traffic is disrupted while tmm restarts.
Workaround:
No known workaround.
Fix:
The reference counting of the resolver connection was fixed.
Fixed Versions:
12.1.3.2, 13.1.0.4
691497-2 : tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions
Links to More Info: BT691497
Component: TMOS
Symptoms:
The .diffVersions directory has config change-diffs saved into patch files every time tmsh saves the configs. This is used for diagnostic purposes only.
Conditions:
When doing a 'tmsh save sys ucs <file>', it is possible that a background 'tmsh save sys config' gets run at the same time, causing a patch file to be deleted that the ucs-save feature now expected to exist.
Impact:
The ucs-save feature complains about the missing patch file and exits.
Workaround:
Re-run the 'tmsh save sys ucs <file>' ignoring the missing patch file message. That missing file doesn't need to be restored.
Fix:
With this defect fixed, patch files that end up missing once 'tmsh load sys ucs <file>' is started will not be reported as an error, and the tmsh command will complete normally.
Fixed Versions:
13.1.0.6
691491-5 : 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
Links to More Info: K13841403 , BT691491
Component: TMOS
Symptoms:
2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
Conditions:
-- 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms.
-- SNMP query of network interfaces via OID sysIfxStatHighSpeed.
Impact:
Value returned for 10G/40G/100G interfaces may be incorrect.
Workaround:
Use OID sysInterfaceMediaActiveSpeed.
Fix:
The BIG-IP system now correctly returns SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces.
Fixed Versions:
13.1.1.2
691477-2 : ASM standby unit showing future date and high version count for ASM Device Group
Links to More Info: BT691477
Component: Application Security Manager
Symptoms:
Policy builder is changing configuration of standby unit.
Conditions:
The system state changes from active to standby (also when blade is changed from master to non-master).
Impact:
Unexpected changes are made to the policy on standby device (CID increment).
Workaround:
Restart pabnagd when switching the device from active to standby (also when a blade is changed from master to non-master):
killall -s SIGHUP pabnagd
Fix:
Policy builder now updates its state correctly and doesn't make changes to a policy on a standby device.
Fixed Versions:
12.1.3.2, 13.1.0.4
691462-1 : Bad actors detection might not work when signature mitigation blocks bad traffic
Links to More Info: BT691462
Component: Anomaly Detection Services
Symptoms:
When signatures are detected and mitigating, no bad actors are detected.
Conditions:
1. Signatures are detected and mitigating.
2. Attack traffic is not significantly higher than the good traffic.
Impact:
No bad actors detected.
Only signatures provide DoS protection.
BIG-IP CPU utilization is higher than necessary.
Workaround:
No workaround at this time.
Fix:
The fix also takes signature drops into account when deciding whether bad actors detection should be more aggressive.
Fixed Versions:
13.1.0.2
691287-1 : tmm crashes on iRule with GTM pool command
Links to More Info: BT691287
Component: Global Traffic Manager (DNS)
Symptoms:
tmm crashes with a SIGSEGV when a GTM iRule executes a 'pool' command against Tcl variables that have internal string representations, which can occur when a value is a result of (some) string commands (e.g., 'string tolower') or if the value comes from a built-in iRules command (such as 'class').
For example:
when DNS_REQUEST {
pool [string tolower "Test.com"]
}
or:
when DNS_REQUEST {
pool [class lookup pool-dg key-value]
}
Conditions:
GTM iRule executes a 'pool' command against Tcl variables that have internal string representations.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Pass the 'pool' argument through 'string trim'. For instance:
when DNS_REQUEST {
pool [string trim [class lookup pool-dg key-value]]
}
Fix:
tmm no longer crashes on GTM iRules that use the 'pool' command.
Fixed Versions:
12.1.3.4, 13.1.0.4
691224-3 : Fragmented SSL Client Hello messages do not get properly reassembled when SSL Persistence is enabled
Links to More Info: K59327001 , BT691224
Component: Local Traffic Manager
Symptoms:
Node Server rejects received-and-incomplete ClientHello message and connection terminates.
Conditions:
This occurs when the following conditions are met:
-- SSL Persistence is enabled.
-- There is no ClientSSL and ServerSSL profile.
-- The BIG-IP device receives fragments of a ClientHello message (typically, 11 bytes each) from an SSL front-end client.
Impact:
With Session Persistence enabled:
-- The parser fails to reassemble fragmented ClientHello messages prior to passing it on to the backend server.
-- As a result, the backend server responds as if it has received an incomplete ClientHello message, rejects the handshake, and terminates the connection.
Workaround:
The issue disappears when SSL Persistence is disabled.
Fixed Versions:
12.1.3.7, 13.1.1.2
691210-1 : Traffic stops on tmm restart when guest VLAN tagging is used for BIG-IP VE.
Links to More Info: BT691210
Component: TMOS
Symptoms:
Traffic stops after tmm restart. BIG-IP Virtual Edition (VE) becomes unresponsive and requires power cycle.
Conditions:
This occurs when the following conditions are met:
-- Using VE.
-- Data plane interfaces are SR-IOV VF.
-- Guest VLAN tagging is used.
-- tmm restart.
Impact:
BIG-IP system stops working, and management connection may be lost, requiring power cycle.
Workaround:
Use VLAN tagging from host.
Fix:
The BIG-IP system now continues to work after tmm restart when guest VLAN tagging is used with SR-IOV interfaces for BIG-IP VE.
Fixed Versions:
13.1.0.6
691171-1 : static and dynamically learned blackhole route from ZebOS cannot be deleted
Links to More Info: BT691171
Component: TMOS
Symptoms:
-- Static route added via IMISH cannot be deleted.
-- Dynamically learned blackhole route cannot be unlearned.
Conditions:
- Dynamic routing enabled.
- Added static route via IMISH or learning blackhole route via dynamic routing.
Impact:
Unintended route remains.
Workaround:
Restart tmrouted.
Fix:
Static route from IMISH and dynamic blackhole route are now cleaned up correctly.
Fixed Versions:
13.1.3, 14.0.0
691095-1 : CA bundle manager loses certificates in the CA bundle if the serial number is longer than 4 bytes
Links to More Info: BT691095
Component: Local Traffic Manager
Symptoms:
CA certificates with long but different serial numbers are treated as identical duplicates and are thus lost in the CA certificate merge operation. Only one of them is left.
Conditions:
- The CA bundle file is managed by the CA bundle manager.
- The file contains certificates with large serial numbers.
Impact:
Certificates with large serial numbers are treated as duplicate, and removed.
Workaround:
There is no workaround at this time.
Fix:
Large serial numbers are treated correctly.
Fixed Versions:
13.1.0.4
691048-1 : Support DIAMETER Experimental-Result AVP response
Links to More Info: K34553736 , BT691048
Component: Service Provider
Symptoms:
When the Diameter server returns an answer message with an Experimental-Result AVP, but doesn't have Result-Code AVP inside, then the server side flow is aborted.
Conditions:
The Diameter answer message has an Experimental-Result AVP but no Result-Code AVP.
Impact:
The server side flow is aborted.
Workaround:
Use iRule to insert Result-Code AVP in all Diameter answer messages.
Fix:
This release supports DIAMETER Experimental-Result AVP response.
Fixed Versions:
13.1.1.2
690890-1 : Running sod manually can cause issues/failover
Links to More Info: BT690890
Component: TMOS
Symptoms:
If multiple instances of the system failover daemon are executed, improper behavior results. The system failover daemon is run internally by the system service manager (bigstart). When accidentally or intentionally executing the command 'sod', the second running instance will disrupt the failover system.
Conditions:
Accidentally or intentionally executing the command 'sod'.
Impact:
System might failover, reboot, or perform other undesirable actions that result in traffic interruption.
Workaround:
Do not attempt to invoke the 'sod' daemon directly. There is no use case for executing 'sod' directly; it is managed by 'bigstart'.
Fix:
The failover daemon detects that an instance is already running, and exits without disrupting the system.
Fixed Versions:
13.1.1.2
690883-1 : BIG-IQ: Changing learning mode for elements does not always take effect
Links to More Info: BT690883
Component: Application Security Manager
Symptoms:
When changing learning mode for an element type (e.g., WebSocket URLs), if no other changes are made to the default '*' entity, then suggestions are not created correctly.
Conditions:
Changes are deployed from a BIG-IQ device, where the learning mode for an element type (e.g., WebSocket URLs) is changed (e.g., from Never to Always), and no other changes are made to the default '*' entity.
Impact:
Suggestions are not created correctly.
Workaround:
Modify the '*' entity as well (change description).
Fix:
Learning mode changes are correctly handled from BIG-IQ.
Fixed Versions:
13.1.0.2
690819-1 : Using an iRule module after a 'session lookup' may result in crash
Links to More Info: BT690819
Component: TMOS
Symptoms:
'session lookup' does not clean up an internal structure after the call finishes. If another iRule module uses the values in this internal structure after a 'session lookup', it may result in a core or other undesired behavior.
Conditions:
Calling 'session lookup' in an iRule where a result is successfully retrieved, and then calling another module.
Impact:
The system may core, or result in undefined and/or undesired behavior.
Workaround:
Check the return value of 'session lookup' before using another iRule module.
If 'session lookup' says that the entry exists, call 'session lookup' again for a key that is known to not exist.
Fixed Versions:
11.6.3.3, 12.1.3.6, 13.1.1.2
690793-1 : TMM may crash and dump core due to improper connflow tracking
Links to More Info: K25263287 , BT690793
Component: TMOS
Symptoms:
In rare circumstances, it is possible for the embedded Packet Velocity Acceleration (ePVA) chip to try to process non-ePVA connflows. Due to this improper internal connflow tracking, TMM can crash and dump core.
Conditions:
This issue can occur on any system equipped with an ePVA and configured with virtual servers that make use of it to accelerate flows.
While no other conditions are required, it is known that modifying a FastL4 virtual server to Standard while the virtual server is processing traffic is very likely to cause the issue.
Impact:
TMM crashes and dumps core. A redundant unit will fail over. Traffic may be impacted while TMM restarts.
Workaround:
It is not recommended to switch virtual server profiles while running traffic. To change virtual server profiles, it is recommended to halt traffic to the system first.
However, this does not eliminate entirely the chances of running into this issue.
Fix:
The system now checks for HSB flow status update data and prevents false positive matches to virtual servers with non-FastL4 profiles.
Fixed Versions:
12.1.3.7, 13.1.0.6
690778-1 : Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule
Links to More Info: K53531153 , BT690778
Component: Local Traffic Manager
Symptoms:
Memory leak; the memory_usage_stat cur_allocs will increase each time the iRule is invoked.
Conditions:
This occurs when using an iRule that calls the STREAM::replace command more than once in the iRule's STREAM_MATCHED event.
Impact:
Memory leak; eventually the system will run out of memory and TMM will restart (causing a failover or outage). Traffic disrupted while tmm restarts.
Workaround:
Change the way the iRule is written so that the STREAM::replace command is not called more than once in the iRule's STREAM_MATCHED event.
Fix:
Prevented memory leak in stream code.
Fixed Versions:
13.1.1.2
690756-1 : APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated
Links to More Info: BT690756
Component: Local Traffic Manager
Symptoms:
Using the ACCESS::restrict_irule_events disable command to allow iRule events triggered by APM-generated responses to be visible to the iRule no longer works.
Conditions:
-- ACCESS::restrict_irule_events disable.
-- HTTP iRules commands used in HTTP_RESPONSE_RELEASE after a retry has been triggered by APM.
Impact:
iRule execution is aborted.
Workaround:
The only possible workaround is to abandon the iRule, and implement the functionality using a VIP-targeting-VIP configuration.
Note: This might not be acceptable in many cases either because of functionality loss (e.g., client certificate auth), or because there are complicated issues specifically solved by iRules.
Fix:
APM triggers a new iRule event when it retries a request. This new event allows iRules to be notified when this occurs.
The HTTP_RESPONSE_RELEASE event is no longer triggered on an internal retry as no response will be sent.
A BigDB variable has been added to disable run-time validation of HTTP iRule commands. This is intended to ease the roll-forward of old APM iRules.
Fixed Versions:
13.1.0.8
690291-1 : tmm crash
Links to More Info: BT690291
Component: Local Traffic Manager
Symptoms:
TMM crashes while trying to access already freed memory.
Conditions:
This issue is observed when the system is under a load/stress test.
Impact:
TMM crashes while trying to access already freed memory. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer tries to access already freed memory, so this crash does not occur.
Fixed Versions:
13.1.3.4
690215-2 : Missing requests in request log
Links to More Info: BT690215
Component: Application Security Manager
Symptoms:
Requests are missing from the request log.
Conditions:
Either of:
- pabnagd restart
- asm restart
- failover
Impact:
- Requests are not logged for up to an hour (affected by the amount of policies)
Workaround:
No workaround.
Fix:
All requests are now logged always.
Fixed Versions:
12.1.4.1, 13.1.1.4
690166-1 : ZoneRunner create new stub zone when creating a SRV WIP with more subdomains
Links to More Info: BT690166
Component: Global Traffic Manager (DNS)
Symptoms:
Creating an SRV wideip results in stub zone creation even if there are already matching zones.
Conditions:
Creating an SRV wideip with three more layers than the existing zone.
Impact:
Unnecessary stub zones created.
Fixed Versions:
12.1.3.2, 13.1.0.4
690116-1 : websso daemon might crash when logging set to debug
Links to More Info: BT690116
Component: Access Policy Manager
Symptoms:
If the authentication type is HTTP headers and the log level is set to debug, an incorrect parameter gets printed, and if it happens to be NULL the websso daemon crashes.
Conditions:
-- Authentication type is HTTP headers.
-- Log level is debug for WebSSO (the single-sign-on (SSO) functionality for Web access through the BIG-IP APM system).
Impact:
websso daemon might crash.
Workaround:
Set log level to Informational.
Note: The data logged specifically for debug level is targeted toward developers, and is rarely useful in a production environment.
Fix:
The websso daemon no longer crashes when running in debug logging mode and handling certain traffic.
Fixed Versions:
13.1.0.4
690042-1 : Potential Tcl leak during iRule suspend operation
Links to More Info: K43412307 , BT690042
Component: Local Traffic Manager
Symptoms:
TMM's Tcl memory usage increases over time, and does not decrease. Memory leak of Tcl objects might cause TMM to core.
Conditions:
-- iRules are in use.
-- Some combination of nested proc calls and/or loops must go at least five levels deep.
-- Inside the nested calls, an iRule executes a suspend operation.
Impact:
Degraded performance. TMM out-of-memory crash. A failover or temporary outage might occur. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer leaks memory.
Fixed Versions:
11.6.4, 12.1.3.4, 13.1.0.6
689987-3 : Requests are not logged on new virtual servers after UCS load while ASM is running
Links to More Info: BT689987
Component: Application Security Manager
Symptoms:
Requests are not logged on new virtual servers after UCS load while ASM is running.
Conditions:
UCS file is loaded with different virtual servers while ASM is running.
Impact:
Requests are not logged on newly added Virtual Servers.
Workaround:
You can use either of the following workarounds:
-- Restart ASM.
-- Disassociate the logging profile and re-associate it with all affected virtual servers.
Note: As a best practice, it is recommended that you always perform a full restart after UCS load. To do so, run the following command: bigstart restart.
Fix:
Now logging profiles are associated with virtual servers after load is complete.
Fixed Versions:
13.1.3.4
689730-3 : Software installations from v13.1.0 might fail
Links to More Info: BT689730
Component: TMOS
Symptoms:
Installation terminates with the following final log messages:
info: updating shared filesystem directories...
progress: 10/100
error: mkdir /mnt/tm_install/3543.JENFeQ/core failed - File exists
Terminal error: Failed to install.
Conditions:
-- BIG-IP Virtual Editions, or the following appliances:
+ i2600
+ i2800
+ i4600
+ i4800
+ i5600
+ i5800
+ i5820
+ i7600
+ i7800
+ i7820
+ i10600
+ i10800
+ i11600
+ i11800
-- Running BIG-IP software v13.1.0 or earlier.
-- Installing BIG-IP software with --instslot option.
Impact:
Installation of new software cannot proceed.
Workaround:
Remove the '/shared/core' symlink, then restart the installation.
Fix:
The installer now properly detects the symlink and proceeds without error.
Fixed Versions:
12.1.3.5, 13.1.0.8
689691-2 : iStats line length greater than 4032 bytes results in corrupted statistics or merge errors
Links to More Info: BT689691
Component: TMOS
Symptoms:
You can create dynamic statistics using the istats command and iStats directive in iRules. The maximum length of the line (the sum of all columns) is 4032 bytes. If the user attempts to create an iStat whose column sizes when summed exceed this value then there will be errors in the ltm and logs, and the statistic will not be incremented or merged. Log messages appear similar to the following:
-- notice 4: tmstat_row_alloc(1520): tmstat segment blade/tmm0 appears to be damaged at 0x42e2d50.
-- err tmm[21822]: 01220001:3: TCL error: /Common/istat_it <HTTP_REQUEST> - Error: tmstat_row_alloc(1520): tmstat segment blade/tmm0 appears to be damaged (line 1) invoked from within "ISTATS::incr "ltm.virtual [virtual name] counter $host-$path" 1".
Conditions:
An iStat is created or modified such that the sum of the column widths is greater than 4032 bytes.
Impact:
Statistics corruption or merge errors occur. The statistic is not maintained. This is a system limit. An iStat should not be created such that its record length exceeds the 4032-byte limit.
Workaround:
This is a system limit. An iStat should not be created such that its record length exceeds the limit.
Fix:
Line length enforcement was added and an error log is output when the length is exceeded. Now, when the limit is reached, there are no corruption or merge errors. The system posts messages similar to the following in the tmm log file:
-- notice iStat for table 'ltm_virtual' column 'www_qqwabc3584' cannot be added as row size '4040' is too long at 0x46dcd90
To avoid errors like this, do not add columns to iStats in iRule directives.
Fixed Versions:
13.0.1, 13.1.0.4
689614-1 : If DNS is not configured and management proxy is set up correctly, Webroot database fails to download
Links to More Info: BT689614
Component: Traffic Classification Engine
Symptoms:
If DNS is not configured and the management proxy is set up correctly, the Webroot database fails to download and cloud lookup fails as well.
Conditions:
DNS is not configured and the management proxy is set up.
Impact:
Webroot database download and cloud lookup fail.
Workaround:
There is no workaround at this time.
Fix:
Code change is in place to download Webroot database & lookup cloud category via configured proxy.
Fixed Versions:
13.1.3.5
689591-2 : When pingaccess SDK processes certain POST requests from the client, the TMM may restart
Links to More Info: BT689591
Component: Access Policy Manager
Symptoms:
BIG-IP's tmm may restart when processing the body of certain client POST requests that need to be inspected by the PingAccess policy server.
Conditions:
- BIG-IP virtual server is configured as policy decision point with PingAccess policy server.
- User sends a POST request to BIG-IP.
- Policy configured on PingAccess server requires inspection of the body of the POST request sent by the user.
Impact:
Traffic will be temporarily disrupted while tmm restarts.
Fix:
TMM will no longer restart when processing client's POST requests that need to be inspected by the PingAccess policy server.
Fixed Versions:
13.0.1, 13.1.0.4
689577-3 : ospf6d may crash when processing specific LSAs
Links to More Info: K45800333 , BT689577
Component: TMOS
Symptoms:
When OSPFv3 is configured and another router in the network performs a graceful restart, ospf6d may crash.
Conditions:
-- OSPFv3 in use.
-- Graceful restart initiated by another system.
Impact:
OSPFv3 routing will be interrupted while the daemon restarts and the protocol re-converges.
Workaround:
Disabling graceful restart on other network systems will prevent ospf6d from crashing on the BIG-IP system. However, it will cause a routing interruption on a system that restarts.
Fix:
The ospf6d daemon no longer crashes when a graceful restart occurs in the network.
Fixed Versions:
12.1.3.2, 13.1.0.6
689561-1 : HTTPS request hangs when multiple virtual https servers shares the same ip address
Links to More Info: BT689561
Component: Local Traffic Manager
Symptoms:
SSL forward proxy reuses the server SSL session when the client IP, server IP, and server port match the SSL session. When multiple HTTPS virtual servers share the same IP address, the server SSL side can reuse a session previously established by another virtual server. In that situation the client-side certificate cannot be forged, and the SSL handshake hangs.
Conditions:
Multiple HTTPS virtual servers share the same IP address and internally share the SSL sessions. This was observed with several Google domains.
Impact:
The client cannot access some HTTPS web servers.
Workaround:
A workaround is to disable "Session Ticket" in the server SSL profile. Because session ID resumption is not supported on the server SSL side, this forces a full handshake to the web server every time, so server_certchain will not be NULL.
Fix:
The server SSL session cache is now matched on the client IP, server IP, and port as well as the server name in the SNI. After the fix, sessions that do not match the virtual server name are not reused.
Fixed Versions:
13.1.0.6
689540-1 : The same DOS attack generates new signatures even if there are signatures generated during previous attacks.
Links to More Info: BT689540
Component: Anomaly Detection Services
Symptoms:
The same DOS attack generates new signatures even if there are signatures generated during previous attacks.
Conditions:
Repeated DOS attack with the same attacking traffic.
Impact:
Generated redundant useless signatures.
Workaround:
There is no workaround at this time.
Fix:
The system no longer generates new signatures for requests that are already covered by existing signatures.
Fixed Versions:
13.1.1.2
689491 : CPU usage reported as 'stolen' on vCMP guests with 1 core or htsplit disabled
Links to More Info: BT689491
Component: TMOS
Symptoms:
CPU usage stats are incorrect, and the system looks idle when it is actually busy.
Conditions:
vCMP guests with 1 core or htsplit disabled.
Impact:
CPU stats are incorrect, which may make it difficult to troubleshoot problems.
Fixed Versions:
13.1.1.4
689449-1 : Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
Links to More Info: BT689449
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, in some circumstances the system may experience an unconstrained TMM memory growth when a virtual server is configured for spdy/http2 and http with fallback-host.
Conditions:
- VIP configured with spdy/http2 and http with fallback-host.
Impact:
TMM may eventually enter aggressive sweeper mode, where this memory will be released. In the process it is possible that some legitimate connections will be killed.
Workaround:
No workaround at this time.
Fix:
BIG-IP no longer attempts to send a response with the fallback host configured in the HTTP profile when a connection is aborted by the client or due to an internal error. This prevents the internal flow from staying in memory after the connection has died.
Fixed Versions:
11.6.4, 12.1.3.4, 13.1.0.4, 14.0.0
689437-1 : icrd_child cores due to infinite recursion caused by incorrect group name handling
Links to More Info: K49554067 , BT689437
Component: TMOS
Symptoms:
Every time the virtual server stats are requested via REST, icrd_child consumes high CPU, grows rapidly toward the 4 GB max process size (32-bit process), and might eventually core.
Conditions:
Virtual server stats are requested via iControl REST with a special string that includes the dotted group names.
Impact:
icrd_child consumes high CPU, grows rapidly, and might eventually core.
Workaround:
Clear the virtual server stats via reset-stats and icrd_child no longer cores.
Fix:
The icrd_child parsing logic has been updated so that it does not enter recursion.
Fixed Versions:
11.5.9, 11.6.4, 12.1.4, 13.1.1.2
689375-1 : Unable to configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled
Links to More Info: K01512833 , BT689375
Component: TMOS
Symptoms:
TMUI hides several SSL client/server settings when 'Proxy SSL' is enabled, including the 'Generic Alert' setting, so you cannot set it.
Conditions:
Enable 'Proxy SSL' on SSL client/server profile in TMUI.
Impact:
TMUI hides many config settings, including 'Generic Alert'. You cannot modify 'Generic Alert' setting on SSL client/server profile using the GUI when 'Proxy SSL' is enabled.
Workaround:
Modify the same setting through TMSH modify client/server SSL profile command, as follows:
tmsh modify ltm profile client-ssl <profile_name> generic-alert disabled
tmsh modify ltm profile server-ssl <profile_name> generic-alert disabled
Fix:
You can now modify 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled.
Fixed Versions:
13.1.1.2
689361-1 : Configsync can change the status of a monitored pool member
Links to More Info: BT689361
Component: Local Traffic Manager
Symptoms:
It is possible for a configsync operation to incorrectly change a monitor's state. For example, it can change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device. Other state changes are possible.
Conditions:
Pool members are monitored and a configsync is initiated from a paired device.
Impact:
The configsync causes the monitor on the standby system to transition to an incorrect state, out of sync with the active system.
Workaround:
There is a workaround for the case described in 'Symptoms':
Ensure the network configuration is such that a monitored node responds to ICMP requests from both (or neither) of the paired devices. Alternatively, initiate configuration changes only from the device to which the node does not respond to ICMP requests.
Fix:
A configsync no longer causes an unexpected monitor transition on the standby system.
Fixed Versions:
12.1.5.2, 13.1.3.2, 14.1.2.1
689343-2 : Diameter persistence entries with bi-directional flag created with 10 sec timeout
Links to More Info: BT689343
Component: Service Provider
Symptoms:
Diameter persistence entries have a timeout value of less than 10 seconds, although the configured persistence timeout is 120 seconds.
Conditions:
When Diameter custom persistence "DIAMETER::persist key 1" bi-directional iRule is used.
Impact:
The persist timeout is less than 10 seconds, so subsequent requests will be dispatched to other pool members.
Workaround:
Do not use the bi-directional persistence iRule. Use the AVP persistence type with session-id as the persist key.
Fix:
When the Diameter custom persistence iRule "DIAMETER::persist key 1" is used, the persist timeout value will be set correctly as configured.
Fixed Versions:
13.1.0.4
689211-3 : IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }
Links to More Info: BT689211
Component: TMOS
Symptoms:
If you accidentally change an ike-peer version to { v1 v2 } for both IKEv1 and IKEv2 support then IKEv1 does not work when version is changed to { v1 }. Note: This is not a recommended action.
Packets from a remote peer after this appear to arrive via IPv6 and will not match the IPv4 config of the actual peer, so tunnels cannot be established.
Conditions:
Transiently changing an ike-peer version to { v1 v2 } before fixing it with 'version replace-all-with { v1 }' to target IKEv1 alone.
Impact:
IKEv1 tunnels cannot be established when the remote peer initiates. (If the local peer initiates, negotiation may succeed anyway, until the SA is expired or deleted.) After this, tmm forwards packets to racoon improperly.
Workaround:
After changing version to v1 alone, issue the following command to have the config work correctly:
bigstart restart
Fix:
Added a check for the IPv6 flag in the packet, in addition to testing for a v4-in-v6 address; this corrects the corner case of an address containing all zeros when forwarded.
Fixed Versions:
12.1.3.7, 13.1.1.4
689089-1 : VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
Links to More Info: BT689089
Component: Local Traffic Manager
Symptoms:
The cluster configuration file can be lost or corrupted, resulting in the out-of-band cluster management IP reverting to the default value.
Conditions:
Unexpected system restart while the configuration file is being updated may cause the file to become corrupted. If this occurs, the following error will be logged during blade startup:
"err clusterd[8171]: 013a0027:3: Chassis has N slots, config file has 0, ignoring config file"
Where "N" is the number of physical slots in the chassis (2, 4, or 8).
Impact:
Management IP reverts to 192.168.1.246, resulting in loss of access to the chassis through the out-of-band management network.
Workaround:
If this occurs, the management IP can be restored using TMSH or the UI through an in-band self IP, or with TMSH through the management console port.
Fix:
The configuration file update logic has been changed to prevent file corruption during update.
Fixed Versions:
12.1.3.2, 13.1.0.8
689002-3 : Stackoverflow when JSON is deeply nested
Links to More Info: BT689002
Component: TMOS
Symptoms:
When the JSON payload returned from iControl REST is very large and deeply nested, destroying the JSON object can trigger a stack overflow due to deep recursion. This crashes icrd_child.
Conditions:
Deeply nested JSON returned from iControl-REST.
Impact:
icrd_child process coredumps.
Workaround:
None.
Fix:
The fix changes the destruction mechanism into an iterative solution, to completely avoid the stack overflow.
Fixed Versions:
12.1.4, 13.1.1.2
688942-5 : ICAP: Chunk parser performs poorly with very large chunk
Links to More Info: BT688942
Component: Service Provider
Symptoms:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system buffers the entire chunk and reevaluates the amount of data received as each new packet arrives.
Conditions:
ICAP server returns large payload entirely in a single chunk, or otherwise generates very large chunks (MB to GB range).
Impact:
The BIG-IP system uses memory to buffer the entire chunk. In extreme cases the parser can peg the CPU utilization at 100% as long as packets are arriving.
Workaround:
If possible, configure the ICAP server to chunk the response payload into multiple normal-sized chunks (up to a few tens of KB).
Fix:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system streams content back to the HTTP client or server as it arrives, without undue memory use or performance impact.
Fixed Versions:
12.1.3.6, 13.1.1.2
688911-1 : LTM Policy GUI incorrectly shows conditions with datagroups
Links to More Info: K94296004 , BT688911
Component: TMOS
Symptoms:
When editing an LTM policy rule, the GUI defaults to using the datagroup value, overriding previous rule values, because the policy rule introduced the datagroups.
Conditions:
Editing a policy rule.
Impact:
The previous rule values are overridden by the datagroup's values.
Workaround:
Use TMSH to modify the rule.
Fix:
The GUI was updated to default to using the policy rule's values and not the datagroup values.
Fixed Versions:
13.1.0.6
688813-2 : Some ASM tables can massively grow in size.
Links to More Info: K23345645 , BT688813
Component: Application Visibility and Reporting
Symptoms:
/var/lib/mysql mount point gets full.
Conditions:
Many combinations of IP addresses, Device IDs (and other ASM dimensions) in traffic over very long period of time (potentially weeks/months).
Impact:
While other dimensions are being collapsed correctly, the Device ID field is not being collapsed, causing the growth in size.
-- High disk usage.
-- Frequent need to clear AVR data.
Workaround:
Manually delete AVR mysql partitions located in /var/lib/mysql/AVR.
Fix:
Over time, none of the AVR_STAT_ASM_HTTP_CLIENT_IP_X#...MYD files exceeds 300 MB, so this problem no longer occurs.
Fixed Versions:
13.1.0.2
688744-1 : LTM Policy does not correctly handle multiple datagroups
Links to More Info: K11793920 , BT688744
Component: Local Traffic Manager
Symptoms:
A policy is in use where the conditions reference two or more datagroups, but only the conditions that refer to the first datagroup have any effect.
Conditions:
LTM Policy where the conditions reference two or more datagroups.
Impact:
LTM Policy conditions do not check against second and subsequent datagroups, resulting in policy not working as intended.
Workaround:
The only mitigation is to refactor the policy so that it does not refer to more than one datagroup-based condition.
Fix:
LTM Policy correctly handles policies referencing multiple datagroups.
Fixed Versions:
13.1.0.8
688629-1 : Deleting data-group in use by iRule does not trigger validation error
Links to More Info: K52334096 , BT688629
Component: Local Traffic Manager
Symptoms:
iRule aborts due to failed commands, causing connflow aborts.
Conditions:
-- Delete a data group.
-- An iRule on a virtual server uses that data-group.
Impact:
An in-use data-group can be deleted without error. The iRule aborts, leading to connflow aborts.
Workaround:
Don't delete data-groups in use by an iRule.
Fix:
An attempt to delete a data-group in use by an iRule now triggers a validation error.
Fixed Versions:
12.1.5, 13.1.1.2
688627-1 : OPT-0043 40G optical transceiver cannot be unbundled into 4x10G
Links to More Info: BT688627
Component: TMOS
Symptoms:
OPT-0043 is a Bi-Directional optical transceiver made up of 2 20G channels. It must not be allowed to unbundle into 4x10G channels.
Conditions:
OPT-0043 transceiver inserted into a 40G interface
Impact:
Unbundling of OPT-0043 will be rejected. The OPT-0043 can only be used as a 40G interface, not as 4x10G.
tmsh error when bundling requested:
The requested bundle state of disabled for interface X.0 is invalid. Unbundling not allowed for this optic.
When OPT-0043 is inserted into an interface X already configured as unbundled into 4x10G, the interface will display as "disable". The following messages will be in /var/log/ltm:
err bcm56xxd[21440]: 012c0010:3: Unbundled interfaces found. Bundle state 'disabled' for optic OPT-0043 is invalid.
err bcm56xxd[21440]: 012c0024:3: Invalid Bundle Config for optic OPT-0043
err bcm56xxd[21440]: 012c0010:3: Unsupported module in use on interface X.1
info bcm56xxd[21440]: 012c0015:6: Link: X.1 is DISABLED
err bcm56xxd[21440]: 012c0010:3: Unsupported module in use on interface X.2
info bcm56xxd[21440]: 012c0015:6: Link: X.2 is DISABLED
err bcm56xxd[21440]: 012c0010:3: Unsupported module in use on interface X.3
info bcm56xxd[21440]: 012c0015:6: Link: X.3 is DISABLED
err bcm56xxd[21440]: 012c0010:3: Unsupported module in use on interface X.4
info bcm56xxd[21440]: 012c0015:6: Link: X.4 is DISABLED
Workaround:
Do not unbundle OPT-0043, as that is an unsupported configuration.
Fix:
Unbundling of OPT-0043 will be rejected.
Fixed Versions:
13.1.3.1
688571-2 : Untrusted cert might be accepted by the server-ssl even when 'untrusted-cert-response-control drop' is configured in the server-ssl profile.
Links to More Info: K40332712 , BT688571
Component: Local Traffic Manager
Symptoms:
If the server-ssl profile is configured with 'untrusted-cert-response-control drop', and the system receives a certificate from the backend server that is not trusted by the BIG-IP system, the expected behavior is that the system ends the connection.
However, the current server-side behavior is that the system still accepts the untrusted certificate and establishes the SSL connection with the backend server.
Conditions:
-- The BIG-IP system receives a certificate from the backend server that is not trusted by the BIG-IP system.
-- Configure the 'untrusted-cert-response-control drop' in the server-ssl profile.
-- The corresponding server-ssl is configured at the virtual server.
Impact:
Virtual server might communicate with the backend server that sends the untrusted certificate to the BIG-IP system. Untrusted cert could still be accepted by the server-ssl virtual server even though 'untrusted-cert-response-control drop' is configured in the server-ssl profile.
Workaround:
None.
Fix:
When the system receives an untrusted certificate from the backend server and the server-ssl profile is configured with 'untrusted-cert-response-control drop', the system now ends the SSL handshake instead of completing it.
Fixed Versions:
13.1.0.4
688570-5 : BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes
Links to More Info: BT688570
Component: Local Traffic Manager
Symptoms:
After an MPTCP connection closes properly, the BIG-IP will occasionally start sending MP_FASTCLOSE.
Conditions:
An MPTCP connection is closed.
Impact:
The MPTCP connection on the remote device is closed, but the connection on the BIG-IP remains open until the fastclose retransmission times out.
Workaround:
There is no workaround at this time.
Fix:
Fixed event processing at the end of a connection.
Fixed Versions:
13.1.0.4
688557-1 : Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'
Links to More Info: K50462482 , BT688557
Component: Local Traffic Manager
Symptoms:
The description of the 'mode' parameter shown by tmsh help for the ltm sasp monitor indicates that the default value for the 'mode' parameter is 'pull' (where the load balancer sends Get Weight Requests to the GWM).
As of BIG-IP v13.0.0 and v12.1.2-hf1, the default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
This is a change from prior versions of BIG-IP, where the default value for the 'mode' parameter was 'pull'.
Conditions:
The incorrect description appears when issuing the 'tmsh help ltm monitor sasp' command on BIG-IP v13.0.0, v12.1.2-hf1, and later.
Impact:
Incorrect information about the default value for the 'mode' parameter for the ltm sasp monitor.
Workaround:
The default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
Fix:
The 'tmsh help ltm monitor sasp' command now lists the correct default value for the 'mode' parameter.
Fixed Versions:
13.1.1.2
688553-3 : SASP GWM monitor may not mark member UP as expected
Links to More Info: BT688553
Component: Local Traffic Manager
Symptoms:
Pool members monitored by the SASP monitor may be incorrectly marked DOWN when they should be marked UP.
Conditions:
This may occur on affected BIG-IP versions when using the SASP monitor targeting a Load Balancing Advisor GWM (Global Workload Manager).
This is more likely to occur if pool members monitored by the SASP monitor are also monitored by an additional monitor which has marked the members DOWN, or if one or more pool members monitored by the SASP monitor have been manually marked down (state user-down via tmsh, or Disabled in the GUI).
This is not expected to occur with non-affected BIG-IP versions or when using the SASP monitor targeting a Lifeline GWM (Global Workload Manager).
Impact:
Traffic handled by pool members monitored by the SASP monitor may be disrupted.
Workaround:
Removing the SASP monitor from the pool or pool member configuration then re-adding the SASP monitor may reset the pool member status to the correct state.
Fixed Versions:
12.1.3.6, 13.1.1.5, 14.0.0.5
688544-1 : SWG reports on BIG-IQ show same series as 'Allowed' and 'Blocked' at the same time
Links to More Info: BT688544
Component: Application Visibility and Reporting
Symptoms:
SWG reports on BIG-IQ show incorrect data: the response for BIG-IP devices shows duplicate data for the same series such as 'Allowed' and 'Blocked'. There should be only one response either for 'Allowed' or for 'Blocked'.
Conditions:
-- SWG is provisioned.
-- BIG-IP device is added to BIG-IQ for management.
Impact:
Incorrect statistics data displayed
Workaround:
None.
Fix:
SWG reports on BIG-IQ now show 'Allowed' or 'Blocked' (as applicable) on BIG-IP devices.
Fixed Versions:
13.1.3
688406-1 : HA-Group Score showing 0
Links to More Info: K14513346 , BT688406
Component: TMOS
Symptoms:
The 'show sys ha-group' command incorrectly displays a "0" for the total score even if the pools/trunks/clusters components have non-zero scores.
Conditions:
If the sys ha-group object is not currently assigned to any traffic-group.
Impact:
The total score is not calculated. An incorrect score value is displayed.
Workaround:
Refer to the component Score Contributions displayed using the following command: show sys ha-group detail.
Fix:
The total HA-Group Score is now displayed correctly.
Fixed Versions:
13.1.1.2
688399-4 : HSB failure results in continuous TMM restarts
Links to More Info: BT688399
Component: TMOS
Symptoms:
The TMM is continually restarted due to lack of the HSB PDE device. When this issue occurs, HSB errors may be present in the TMM log files, prior to a TMM core (SIGSEGV).
Conditions:
The conditions under which this occurs are unknown.
Impact:
TMM continually restarts until the unit is rebooted. Traffic disrupted while tmm restarts. The reboot appears to clear the condition.
Workaround:
Manually reboot the unit.
Fix:
The TMM restarts no longer occur.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4
688246-1 : An invalid mode in the LSN::persistence command causes TMM crash
Links to More Info: BT688246
Component: Carrier-Grade NAT
Symptoms:
When an iRule is triggered and the LSN::persistence command is passed an invalid persistence mode, TMM will crash.
Conditions:
An iRule using the LSN::persistence command with an invalid persistence mode that is attached to a Virtual Server and is triggered by traffic.
Impact:
TMM restarts. Traffic is interrupted. It is likely that the iRule will be triggered again causing repeated crashes.
Workaround:
The persistence mode must be set to one of "none", "address", "address-port" or "strict-address-port".
Fix:
TMM no longer crashes when an invalid persistence mode is used. Instead the LSN::persistence command returns an error.
Fixed Versions:
13.1.1.2
688148-3 : IKEv1 racoon daemon SEGV during phase-two SA list iteration
Links to More Info: BT688148
Component: TMOS
Symptoms:
The wrong list linkage is iterated when phase-two SAs are deleted.
Conditions:
Deleting phase-two SAs, either manually or in response to notifications.
Impact:
IKEv1 tunnel outage until the racoon daemon restarts.
Workaround:
None.
Fix:
Fixed list iteration to use the correct list linkage, so that iterating one phase-one SA's list does not instead visit the global list of phase-two SAs.
Fixed Versions:
12.1.3.7, 13.1.1.4
687987 : Presentation of signatures in human-readable format
Links to More Info: BT687987
Component: Anomaly Detection Services
Symptoms:
When publishing signature with predicates such as http.referer and http.uri, the system presents the result of the hash operation as follows: http.uri_file_hashes-to 42
Conditions:
Always when publishing signature with predicates such as http.referer and http.uri.
Impact:
It is not clear what '42' means.
Workaround:
None.
Fix:
When publishing signatures, the system now presents the hashes as follows:
http.referer_hashes-like '/zzz'
http.uri_file_hashes-like '/123'
Fixed Versions:
13.1.0.2
687986 : High CPU consumption during signature generation; number of signatures per virtual server is not limited
Links to More Info: BT687986
Component: Anomaly Detection Services
Symptoms:
The number of the signatures per virtual server is not limited. This can result in a very large number of generated signatures during sophisticated attacks that use changing patterns. After a time, when a system experiences a number of attacks, the list of generated signatures can be too long.
Conditions:
-- Sophisticated attacks that use changing patterns.
-- System experiences a large number of attacks.
Impact:
High CPU utilization when mitigating. Overloaded GUI signatures screen.
Workaround:
Manually remove old / not-often-used signatures.
Fix:
The system now limits the number of signatures per virtual server, and optimizes per-signature operations.
Fixed Versions:
13.1.0.2
687984 : Attacks with randomization of HTTP header parameters generate too many signatures
Links to More Info: BT687984
Component: Anomaly Detection Services
Symptoms:
When attackers randomize HTTP header parameters, Behavioral DoS (BADoS) might generate too many signatures.
Conditions:
Attacks with randomization of HTTP header parameters.
Impact:
The list of generated signatures is too long. It produces unnecessary CPU utilization for attack mitigation.
Workaround:
None.
Fix:
The algorithm that detects randomization has been improved.
Fixed Versions:
13.1.0.2
687937-1 : RDP URIs generated by APM Webtop are not properly encoded
Links to More Info: BT687937
Component: Access Policy Manager
Symptoms:
RDP URIs used to launch Native RDP resources from APM Webtop on Android/iOS/Mac are not properly encoded. As a result, the RDP client might misinterpret the URI when an RDP parameter contains the ampersand ( & ) symbol.
Conditions:
Native RDP resource is launched via RDP URI from APM Webtop.
One of the RDP parameters contains a symbol that should be URI-encoded, e.g., '&'.
Impact:
The RDP client misinterprets the URI, which may result in failure to open the RDP resource.
Workaround:
None.
Fix:
RDP URIs used to launch Native RDP resources from APM Webtop on Android/iOS/Mac are now properly encoded.
Fixed Versions:
13.1.0.4
687905-2 : OneConnect profile causes CMP redirected connections on the HA standby
Links to More Info: K72040312 , BT687905
Component: TMOS
Symptoms:
When a virtual server uses a OneConnect profile in an HA setup, it can cause Clustered Multiprocessing (CMP) redirected connections and a memory leak on high availability (HA) standby systems, including high memory usage on standby units.
Conditions:
-- A virtual server uses a OneConnect profile in an HA configuration.
-- Mirroring is enabled.
-- BIG-IP platform supports CMP.
Impact:
Redirected connections and memory leak on a standby device.
Workaround:
Remove the OneConnect profile from the virtual server.
Fixed Versions:
12.1.3.6, 13.1.1.2
687887-1 : Unexpected result from multiple changes to a monitor-related object in a single transaction
Links to More Info: BT687887
Component: Local Traffic Manager
Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction attempts the 'delete key', and then the 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.
Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object, such as (delete, create, modify).
Impact:
The monitor-related object may be unchanged; or monitoring may stop for that object.
Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').
Fix:
Behavior is as-expected when a transaction executes multiple commands (such as 'delete', 'create', 'modify') upon the same monitor-related object (pool, pool_member, node_address, monitor).
Fixed Versions:
12.1.5.3, 13.1.3.2, 14.1.2.3
687759-1 : bd crash
Links to More Info: BT687759
Component: Application Security Manager
Symptoms:
A bd crash.
Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, a form-data parsing is applied on a non-form-data payload (such as XML or JSON).
Impact:
bd crashes; system fails over; traffic disturbance occurs.
Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0.5, 14.1.0.6
687658 : Monitor operations in transaction will cause it to stay unchecked
Links to More Info: BT687658
Component: TMOS
Symptoms:
If a monitored object is deleted and created or modified in the same transaction, and any of its monitor configuration is changed (either the monitor, or the state user-down), the monitor state will become unchecked.
Conditions:
This only happens within transactions.
Note: Using the command 'modify ltm pool <name> members replace-all-with' is considered a transaction containing a delete and create of pool members.
Impact:
Monitor state never returns to its correct value.
Workaround:
Do not do these operations in transactions. For pool members, use 'modify ltm pool <name> members modify' instead of replace-all-with.
Fixed Versions:
11.6.3.3, 12.1.3.2, 13.1.0.8
687635-1 : Tmm becomes unresponsive and might restart
Links to More Info: K58002142 , BT687635
Component: Local Traffic Manager
Symptoms:
Under certain conditions, the tmm process can become unresponsive, and eventually be restarted by the watchdog process.
Conditions:
Problem occurs when there is an unexpected interaction between HTTP and SSL handlers during an abnormal connection shutdown.
Impact:
Tmm becomes unresponsive and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Tmm correctly shuts down HTTPS connection.
Fixed Versions:
13.0.1, 13.1.0.4
687603-2 : tmsh query for dns records may cause tmm to crash
Links to More Info: K36243347 , BT687603
Component: Local Traffic Manager
Symptoms:
tmm experiences segmentation fault.
Conditions:
Run 'tmsh show ltm dns cache records key cache <cache>' query when dns cache contains malformed records.
Impact:
Core file / system outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm experiences segmentation fault when running the 'tmsh show ltm dns cache records key cache <cache>' query when dns cache contains malformed records.
Fixed Versions:
11.6.5.3, 12.1.3.2, 13.1.3.5
687534-1 : If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
Links to More Info: BT687534
Component: TMOS
Symptoms:
- Create a pool with name containing two dots (that is, the string '..')
- Go to the GUI Local Traffic :: Pools : Member List page and click the Add button to add a member.
- There is a No Access error preventing you from adding a member to the pool
Conditions:
This issue occurs when a pool name contains .. in the name.
Impact:
Cannot add a Member to the pool using the GUI.
Workaround:
Use tmsh to add pool members to an existing pool with a command similar to the following:
tmsh modify ltm pool <pool name> members add { <member info> }
Fix:
For pools with '..' in the name, it is now possible to add members after pool creation using the GUI Local Traffic :: Pools : Member List page.
Fixed Versions:
12.1.3.6, 13.1.1.2
687368-1 : The Configuration utility may calculate and display an incorrect HA Group Score
Links to More Info: BT687368
Component: TMOS
Symptoms:
The Configuration utility may calculate and display a high availability (HA) Group Score of 0, while in reality the correct HA Group Score is greater than 0.
Conditions:
This issue occurs when a particular HA Group object (for example, a Pool) has no available members, and the 'Minimum Member Count' option is not used (this is the default).
Impact:
This issue is cosmetic, as it is limited to what the Configuration utility calculates and displays to the user. Internally, the system uses the correct HA Group Score to determine the role of the unit. However, it is possible for a BIG-IP Administrator to be misled by this issue and take a wrong or unnecessary corrective action because of it.
Workaround:
You can use the TMSH utility from the command line to display the correct HA Group Score.
Fix:
The Configuration utility no longer calculates and displays an incorrect HA Group Score.
Fixed Versions:
13.1.1.5
687353-1 : Qkview truncates tmstat snapshot files
Links to More Info: K35595105 , BT687353
Component: TMOS
Symptoms:
Qkview truncates the snapshot files it collects in /shared/tmstat/snapshots/.
Conditions:
Files are larger than 5 MiB, or the 'max file size' limit specified when running Qkview (the -s argument).
Note: 5 MiB is the qkview utility's default maximum file size value.
Impact:
Snapshot data may not be collected in qkview. This may result in data being lost if the issue is only identified once important data has rotated out of history.
Workaround:
To specify no file size limit when collecting qkviews, use the following tmsh command:
qkview -s0
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.6
687205-2 : Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
Links to More Info: BT687205
Component: Local Traffic Manager
Symptoms:
During flow shutdown, SSL may deliver HUDEVT_SENT messages, causing additional messages to be queued by higher filters, which may result in a tmm crash and restart.
Conditions:
This happens in response to a relatively rare condition that occurs during shutdown, such as HUDEVT_SENT queued after HUDCTL_SHUTDOWN.
Impact:
Possible tmm restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
12.1.3.4, 13.1.0.4
687128-1 : gtm::host iRule validation for ipv4 and ipv6 addresses
Links to More Info: BT687128
Component: Global Traffic Manager (DNS)
Symptoms:
The gtm::host iRule command does not validate that the given host matches the type of WideIP it is attached to.
Conditions:
An AAAA-type WideIP with an IPv4 gtm::host iRule, or an A-type WideIP with an IPv6 gtm::host iRule.
Impact:
Incorrect host information was being returned.
Workaround:
Only attach gtm::host of IPv4 type to A-type WideIPs, and gtm::host rules of IPv6 to AAAA-type WideIPs.
Fix:
Fixed an issue that allowed incorrect gtm::host iRule commands to trigger on the wrong WideIP types.
Fixed Versions:
12.1.3.4, 13.1.0.4
687115-2 : SNMP performance can be impacted by a long list of allowed-addresses
Links to More Info: BT687115
Component: TMOS
Symptoms:
If the SNMP configuration includes a long list of allowed-addresses, SNMP performance can be impacted.
Conditions:
-- The SNMP daemon consults a system file to determine whether a request can be serviced.
-- There is a long list of allowed addresses in the configuration.
Impact:
Potentially slow SNMP response.
Workaround:
Make the list of allowed addresses be the minimum set of your clients.
Fix:
The daemon code is now more efficient.
Fixed Versions:
12.1.5.3, 13.1.3.2
686996-1 : TMM core under heavy load with PEM
Links to More Info: BT686996
Component: TMOS
Symptoms:
An internal race condition when deleting stale PEM data may cause a TMM core due to a use after free.
Conditions:
PEM policies configured. The crash is more likely with CGNAT / FWNAT configured and after a CMP state change such as after a blade failure.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The race condition is eliminated. TMM does not core under heavy load with PEM.
Fixed Versions:
13.1.3.2
686972-4 : The change of APM log settings will reset the SSL session cache.
Links to More Info: BT686972
Component: Local Traffic Manager
Symptoms:
If you change the configuration of APM log settings, the SSL session cache might be reset. Subsequent resumption of SSL sessions may then fail, so full SSL handshakes occur more frequently.
Conditions:
-- Change the configuration of APM log settings.
-- SSL session cache is not empty.
Impact:
The change of APM log settings resets the SSL session cache, which causes the SSL session to initiate full-handshake instead of abbreviated re-negotiation.
Workaround:
Follow this procedure:
1. Change access policy.
2. The status of that access policy changes to 'Apply Access Policy'.
3. Re-apply that.
Fix:
The change of APM log settings now limits its effect on APM module instead of affecting other (SSL) module's data.
Fixed Versions:
12.1.3.4, 13.1.0.6
686926-2 : IPsec: responder N(cookie) in SA_INIT response handled incorrectly
Links to More Info: BT686926
Component: TMOS
Symptoms:
IKEv2 negotiation fails when a responder uses N(cookie) in the SA_INIT response, because the BIG-IP system does not expect a second response with the same zero message_id always used by SA_INIT.
Conditions:
Any time a responder sends N(cookie) in the first response to SA_INIT from a BIG-IP initiator.
Impact:
The SA negotiation fails when a responder includes N(cookie) in a SA_INIT response, because the second response appears to have an out-of-order message ID when BIG-IP believes the first message_id of zero was already handled earlier.
Workaround:
None.
Fix:
The BIG-IP system now correctly tracks a need to receive a SECOND response with message_id zero, to finish the SA_INIT exchange, whenever the first SA_INIT response caused the BIG-IP system to resend the first request with the cookie included.
Fixed Versions:
12.1.3.6, 13.1.1.4
686906-2 : Fragmented IPv6 packets not handled correctly on Virtual Edition
Links to More Info: BT686906
Component: TMOS
Symptoms:
Use of IP fragmentation with IPv6 packets might not be handled correctly by BIG-IP Virtual Edition (VE) platforms. The initial fragment is received, but subsequent fragments are discarded.
Conditions:
VE with IPv6 packets and IP fragmentation.
Impact:
Traffic which depends upon fragmented IPv6 packets will not be successfully processed.
Workaround:
There is no workaround at this time.
Fix:
These fragments are now handled correctly in the same manner as IPv4.
Fixed Versions:
13.1.0.8
686890-1 : X509_EXTENSION memory blocks leak when C3D forges the certificate.
Links to More Info: BT686890
Component: Local Traffic Manager
Symptoms:
One X509_EXTENSION memory block leaks when C3D forges the certificate.
Conditions:
When C3D forges the certificate.
Impact:
X509_EXTENSION memory blocks leak each time C3D forges a certificate successfully.
Workaround:
None.
Fix:
The system now frees the leaked X509_EXTENSION when C3D forges the certificate.
Fixed Versions:
13.1.0.8
686783-4 : UrlCat custom database feed list does not work when the URL contains a www prefix or capital letters.
Links to More Info: BT686783
Component: Traffic Classification Engine
Symptoms:
If a UrlCat custom database feed list has URLs containing a www prefix or capital letters, the URLs are not categorized when queried.
Conditions:
The UrlCat custom database feed list contains a URL with a www prefix or capital letters.
Impact:
Improper classification.
Workaround:
Using an iRule can help classify the URL.
Fix:
The URL is now normalized before it is stored in the custom database.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
686765-2 : Database cleaning failure may allow MySQL space to fill the disk entirely
Links to More Info: BT686765
Component: Application Security Manager
Symptoms:
Database cleaning failure may allow MySQL space to fill the disk entirely, which prevents any modification of ASM policy configuration.
In /var/log/ts/asm_config_server.log you might see these errors repeatedly:
Jun 9 09:38:45 10gal-f5-5000-2 crit g_server_rpc_handler.pl[16654]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::handle_error): Code: 999, Error message = DBD::mysql::db do failed: The table 'NEGSIG_SIGNATURES' is full
Conditions:
This occurs if database cleaning failures occur.
Impact:
Disk will fill up, and you will be unable to modify ASM policies.
Fixed Versions:
12.1.3.6, 13.1.0.8
686763-1 : asm_start is consuming too much memory
Links to More Info: BT686763
Component: Application Security Manager
Symptoms:
asm_start is consuming too much memory.
Conditions:
Roll forward a device with a large ASM configuration.
Impact:
Increased memory pressure on the device.
Workaround:
Run the following command: restart asm
Fix:
asm_start no longer increases its memory footprint during upgrade.
Fixed Versions:
12.1.5.3, 13.1.3
686631-2 : Deselect a compression provider at the end of a job and reselect a provider for a new job
Links to More Info: BT686631
Component: Local Traffic Manager
Symptoms:
The system might potentially retain a compression context, even though there is no data to be compressed or decompressed. This can affect the calculation of the load of the compression provider.
Conditions:
-- A connection is up.
-- Compression context is active.
-- There is no data for the compression provider.
Impact:
It affects the compression provider selection.
Workaround:
None.
Fix:
The system now deselects a provider at the end of a compression/decompression operation, and reselects a provider at the beginning of another compression/decompression operation.
Fixed Versions:
12.1.3.5, 13.1.1
686517-2 : Changes to a parent policy that has no active children are not synced to the secondary chassis slots.
Links to More Info: BT686517
Component: Application Security Manager
Symptoms:
Changes to a parent policy that has no active children are not synced to the secondary chassis slots.
Conditions:
-- ASM provisioned.
-- Having a parent policy that has no active children.
Impact:
On a chassis failover, the new Primary slot will have an outdated version of the parent policy.
Workaround:
None.
Fix:
Changes to a parent policy that has no active children are now synced to the secondary chassis slots.
Fixed Versions:
13.1.0.2
686510-1 : If tmm was restarted during an attack, the attack might appear ongoing in GUI
Links to More Info: BT686510
Component: Application Visibility and Reporting
Symptoms:
Attack appears ongoing, even though it ended.
Conditions:
Rare condition of tmm restart during an attack.
Impact:
The GUI falsely shows the attack as ongoing, even though it ended.
Workaround:
No workaround.
Fix:
Now, when tmm is restarted during an attack, that attack is shown as ended on the DoS Overview page after 15 minutes.
Fixed Versions:
13.1.0.2
686500-1 : Adding user defined signature on device with many policies is very slow
Links to More Info: BT686500
Component: Application Security Manager
Symptoms:
Adding or modifying a user-defined signature on a device with many policies is very slow.
Conditions:
The user adds or modifies a user-defined signature.
Impact:
The process takes a long time.
Fix:
Adding or modifying a user-defined signature now takes a reasonable amount of time.
Fixed Versions:
13.1.3, 14.0.0
686470-1 : Enabling AJAX Response Page or Single Page Application support causes part of the web page to fail to load.
Links to More Info: BT686470
Component: Application Security Manager
Symptoms:
AJAX requests are not sent, JavaScript errors, AJAX-based web-app malfunctions.
Conditions:
1a. Single page application enabled either via a DoS application profile or in an ASM policy.
1b. AJAX Response Page enabled via ASM policy.
2. Web application client-side code uses jQuery or any other AJAX client-side framework.
Impact:
AJAX requests might not be sent, and the website's client-side functionality that depends on those AJAX requests might not work as expected.
Workaround:
Disable Single Page Application support.
Fix:
Fixed Single Page Application AJAX hook to support the AJAX response onload callback re-assignment.
Fixed Versions:
13.1.0.2
686452-1 : File Content Detection Formats are not exported in Policy XML
Links to More Info: BT686452
Component: Application Security Manager
Symptoms:
If a policy is configured with Data Guard enabled with File Content Detection, the selected File Content Detection Formats are not correctly exported in the Policy XML.
When the policy is then imported, the Data Guard settings will be invalid and cannot be changed until the File Content Detection Formats are configured again.
Conditions:
A policy is configured with Data Guard enabled with File Content Detection, and then exported in XML format.
Impact:
When the policy is then imported, the Data Guard settings will be invalid and cannot be changed until the File Content Detection Formats are configured again.
The formerly selected file content formats will not be correctly identified.
Workaround:
Use Binary Policy import/export.
Fix:
File Content Detection Formats are correctly exported.
Fixed Versions:
13.1.0.2
686389-1 : APM does not honor per-farm HTML5 client disabling at the View Connection Server
Links to More Info: BT686389
Component: Access Policy Manager
Symptoms:
Current logic for determining whether to offer HTML5 client option works for Horizon 6.x (and earlier) but it does not work for Horizon 7.x.
With Horizon 7.x, VMware has enhanced the XML so that each resource includes a flag to indicate whether the HTML5 client is enabled (absence of the <html-access-disabled/> tag). APM does not honor this flag; it should show the HTML5 client option to the APM end user only if HTML5 access has been enabled for that resource.
Conditions:
-- APM webtop with a VMware View resource assigned.
-- HTML5 Access disabled for some of the RDS farms managed by the broker.
Impact:
APM offers HTML5 client launch option and actually runs it if requested, although it is disabled at the backend.
Workaround:
There is no workaround at this time.
Fix:
For Horizon 7.x, the system now honors the <html5-access-disabled> flag in broker responses to disable HTML5 client for those RDS desktops and apps that have this flag set.
Behavior Change:
Before this fix, all the RDS desktops and apps were available for HTML5 client if it was installed on VCS.
Now, for those desktops and apps where HTML5 access has been deliberately disabled at the broker, only the native client option will be available.
Fixed Versions:
11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4
686376-2 : Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon
Links to More Info: BT686376
Component: Advanced Firewall Manager
Symptoms:
When there are scheduled firewall rules, and the BIG-IP system is restarted or PCCD daemon is restarted, new blob compilation succeeds, but TMM fails to activate the new blob. Both GUI and TMSH show error status: Firewall rules deployment failed. After the system gets in this state it cannot be fixed except by removing or disabling all scheduled firewall rules.
Conditions:
-- There are scheduled firewall rules.
-- The BIG-IP system is restarted or the PCCD daemon is restarted.
Impact:
After this failure, firewall rules are not applied on data traffic.
Workaround:
Remove or disable all scheduled firewall rules.
Fix:
The new blob is now deployed and the new firewall rules are applied successfully.
Fixed Versions:
12.1.4.1, 13.1.1.2
686307-3 : Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
Links to More Info: K10665315 , BT686307
Component: Local Traffic Manager
Symptoms:
When upgrading, monitor attributes such as receive string and send string might contain escape sequences that must be processed after the upgrade. However, due to a problem introduced by the LTM policy upgrade script, this processing is not performed, resulting in monitors not functioning correctly after the upgrade.
Note: Without LTM policies in the configuration, monitors upgrade without problem.
Conditions:
-- Upgrading and rolling forward monitor configuration data.
-- LTM policy data present.
Impact:
Monitors may not work after upgrade.
Workaround:
No workaround at this time.
Fix:
This release addresses the underlying problem so the issue no longer occurs.
Fixed Versions:
12.1.3.2, 13.1.0.4
686282-2 : APMD intermittently crashes when processing access policies
Links to More Info: BT686282
Component: Access Policy Manager
Symptoms:
APMD process may crash intermittently (rare) when processing access policies.
Conditions:
This rarely encountered issue occurs when any one of the following conditions exists:
-- iRule is configured with 'ACCESS::policy evaluate'.
-- NTLM authentication configured and ECA plugin is involved (for example VDI RDG).
-- Kerberos authentication is configured with RBA enabled.
Impact:
APM end users cannot pass access policy, cannot login.
Workaround:
None.
Fix:
APMD no longer intermittently crashes when processing access policies.
Fixed Versions:
12.1.3.2, 13.1.3
686228-1 : TMM may crash in some circumstances with VLAN failsafe
Links to More Info: K23243525 , BT686228
Component: Local Traffic Manager
Symptoms:
TMM may crash when managing traffic in response to the VLAN failsafe traffic generating mechanisms.
Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered and multiple responses are received for traffic generating in fast succession.
Impact:
A TMM core file may be produced. Traffic disrupted while tmm restarts.
Workaround:
Relax the timer to the default VLAN failsafe timer setting.
Fix:
TMM no longer crashes in some circumstances with VLAN failsafe.
Fixed Versions:
11.5.9, 11.6.4, 12.1.3.2, 13.1.0.6
686190-1 : LRO performance impact with BWC and FastL4 virtual server
Links to More Info: BT686190
Component: TMOS
Symptoms:
Using Bandwidth controller (BWC) might result in a very large drop in performance of up to 75%. In this release, Large receive offload (LRO) is enabled by default.
Conditions:
-- BWC is configured.
-- Virtual server has a FastL4 profile assigned.
-- LRO is enabled (enabled by default in 13.1.0).
Impact:
Very large performance impact to the BWC policy (up to 75%). For example, if the BWC policy rate limit is set to 100Mb, the actual rate limit could be 25Mb.
Workaround:
Disabling LRO recaptures most of the performance degradation related to using FastL4. To disable LRO (this is a system-wide setting), run the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
Important note: Although you can disable LRO to recapture much of the 13.0.0-level performance, you will likely still experience some impact: 2-5% for small files, 17-22% degradation for the '10 requests per connection' benchmark. The only guaranteed way to avoid performance degradation is to remain on version 13.0.0.
Fixed Versions:
13.1.0.1
686124-1 : IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
Links to More Info: K83576240 , BT686124
Component: TMOS
Symptoms:
Deleting SAs on a remote peer can cause improper handling in the IKEv1 racoon daemon when invalid SPI notifications are processed.
Conditions:
Events causing deletion of phase one IKE SAs.
Impact:
IPsec IKEv1 tunnels will halt or restart. Connectivity between remote private networks will be interrupted.
Workaround:
None.
Fix:
Phase one and phase two SA relationships are now more robust, tolerating operations that occur in any order, so tearing down old data structures will be done safely.
Fixed Versions:
12.1.3.7, 13.1.1.4
686111-1 : Searching and Resetting Audit Logs not working as expected
Links to More Info: K89363245 , BT686111
Component: TMOS
Symptoms:
Clicking the Search and Reset buttons on Audit Logs might post the following error message: An error has occurred while trying to process your request.
Conditions:
Clicking the 'Search' or 'Reset' button on Audit Logs.
Impact:
Cannot search Audit Logs.
Workaround:
Use tmsh or bash.
Fix:
Searching and Resetting Audit Logs now works as expected.
Fixed Versions:
13.1.1.5
686108-1 : User gets blocking page instead of captcha during brute force attack
Links to More Info: BT686108
Component: Application Security Manager
Symptoms:
Unexpected blocking page while captcha is configured.
Conditions:
-- Brute force configured with alarm and captcha mitigation.
-- The only source configured is username.
-- These are the first failed login requests after a system start up or after a login page configuration change.
Impact:
Unexpected blocking page mitigation where captcha mitigation was expected.
Workaround:
There are two workarounds:
-- Access the login page at least 10 times within 5 minutes.
-- Run the following command: tmsh modify sys db asm.cs_qualified_urls value <YOUR_LOGIN_URL>
Fix:
Fixed an issue with unexpected blocking page while captcha is configured.
Fixed Versions:
13.1.0.2
686065-2 : RESOLV::lookup iRule command can trigger crash with slow resolver
Links to More Info: BT686065
Component: Local Traffic Manager
Symptoms:
If thousands of connections are serviced by an iRule that performs a lookup for the same FQDN before the FQDN can be resolved, tmm may crash.
Conditions:
-- iRule with RESOLV::lookup.
-- Slow DNS resolver.
-- Thousands of connections triggering resolution of the same name.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove RESOLV::lookup from the workflow if it is not required.
Fix:
The scenario now works as expected and no longer results in a crash.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.4
686062-1 : The dynconfd daemon uses UDP ports inefficiently
Links to More Info: BT686062
Component: Local Traffic Manager
Symptoms:
When performing DNS queries to resolve FQDN node names to IP addresses, the dynconfd daemon may open UDP ports in excess of what is actually needed.
Conditions:
This occurs when using FQDN node names, with multiple system DNS name servers configured.
Impact:
The dynconfd daemon uses more UDP ports than is strictly necessary.
Fix:
The dynconfd daemon makes more efficient use of UDP ports when performing DNS queries to resolve FQDN node names to IP addresses.
Fixed Versions:
13.1.3.6
686059-2 : FDB entries for existing VLANs may be flushed when creating a new VLAN.
Links to More Info: BT686059
Component: Local Traffic Manager
Symptoms:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN.
Conditions:
- Creating a new VLAN with existing VLANs using trunk members.
- STP is enabled on its trunk member.
Impact:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN. This will result in potential network saturation.
Workaround:
To avoid the FDB flushing on trunk member interfaces of existing, unrelated VLANs, ensure that STP is disabled on its trunk member.
Fixed Versions:
12.1.5.3, 13.1.3.4, 14.1.2.7
686029-2 : A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
Links to More Info: BT686029
Component: TMOS
Symptoms:
FDB flushing on VLAN deletes is performed by VLAN member interface reference only, without regard to VLAN tags. This can result in unrelated VLAN FDB entries also being flushed on shared VLAN member interfaces.
Conditions:
Issuing a VLAN delete with other VLANs using shared tagged member interfaces with the VLAN being deleted.
Impact:
FDB entries for unrelated VLANs will be flushed if they share the same tagged VLAN member interfaces as the VLAN being deleted.
Workaround:
None.
Fix:
Correct FDB flushing on VLAN deletes, by limiting the scope to be VLAN specific.
Fixed Versions:
12.1.3.4, 13.1.0.4
685964-1 : cs_qualified_urls bigdb does not cause configured URLs to be qualified.
Links to More Info: BT685964
Component: Application Security Manager
Symptoms:
cs_qualified_urls is configured but is not functional.
Conditions:
-- cs_qualified_urls is configured.
-- A request to the URL listed in the bigdb arrives.
-- The URL is seen as non-qualified although configured.
Impact:
URLs that are not supposed to get through the configuration are let through.
Workaround:
None.
Fix:
Fixed a bigdb issue with cs_qualified_urls variable.
Fixed Versions:
13.1.0.2
685888-1 : OAuth client stores incorrectly escaped JSON values in session variables
Links to More Info: BT685888
Component: Access Policy Manager
Symptoms:
1) The slash (/) is double escaped (\\/). The slash is common in URLs.
2) Unicode escaped characters (\uXXXX) are not correctly un-escaped into UTF-8 characters, so they end up unrecognizable.
Conditions:
Occurs in 13.1 and earlier releases when OAuth servers respond in JSON, such as the OIDC User Info response.
Impact:
APM applications that read JSON node session variables may not get the correct values.
Workaround:
1) For the double escaped slash, the workaround is similar to the following:
session.oauth.client.last.UserInfo.picture = return [string map {{\\/} /} [ mcget {session.oauth.client.last.UserInfo.picture} ]]
2) For incorrect UTF-8 characters, there is no workaround.
Fix:
Unicode escaped characters are now correctly handled.
Fixed Versions:
13.1.4.1
685862-1 : BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message
Links to More Info: BT685862
Component: Access Policy Manager
Symptoms:
When BIG-IP is used as SAML IdP and signing is configured, BIG-IP signs the message with the configured signing key and includes the last certificate from the configured signing certificate chain in the SAML protocol message. The expected behavior is to include the first certificate from the configured signing certificate chain.
The same applies to SAML SP generating SLO request/response messages.
Conditions:
All of the following:
- BIG-IP is used as SAML IdP, or as SAML SP with SLO configured.
- BIG-IP generates a signed SAML response containing an assertion, or an SLO request/response.
- The signing certificate configured on BIG-IP is a certificate chain and not a single certificate.
Impact:
Impact is based on the SAML implementation on the receiving end of message sent by BIG-IP.
Some implementations may drop the signed SAML message if the last certificate from the bundle is included in the message. Other implementations will accept such signed messages. Note that the signing operation itself is performed correctly by BIG-IP using the configured signing certificate, and the digital signature contains the correct value.
Workaround:
Instead of using signing certificate chain, change BIG-IP SAML IdP/SP configured signing certificate to refer to a standalone signing certificate (single X509 object) by extracting first certificate from the chain.
Fix:
BIG-IP now includes the first certificate found within the configured signing certificate (chain).
Fixed Versions:
12.1.5.1, 13.1.0.4
685771-1 : Policies cannot be created with SAP, OWA, or SharePoint templates
Links to More Info: BT685771
Component: Application Security Manager
Symptoms:
Attempting to create a security policy using "OWA Exchange", "SAP NetWeaver", or "SharePoint" Policy Template fails.
Conditions:
Attempt to create a security policy using "OWA Exchange", "SAP NetWeaver", or "SharePoint" Policy Templates
Impact:
Policy creation fails.
Workaround:
None.
Fix:
Policies can be created using these factory templates.
Fixed Versions:
13.1.0.2
685743-5 : When the internal parameter 'request_buffer_size' is changed, violations in large requests might not be reported
Links to More Info: BT685743
Component: Application Security Manager
Symptoms:
When the internal 'request_buffer_size' is set to a large value, long requests might be blocked, and no violation is reported.
Conditions:
-- Internal parameter 'request_buffer_size' is set to a large value (~50 KB or larger).
-- Request is long (~50 KB or longer).
-- Violations found.
Impact:
Requests might be blocked, and no reason is reported.
Workaround:
Reset internal 'request_buffer_size' to default.
Fix:
The system now handles the case in which the internal 'request_buffer_size' is set to a large value, so long requests are no longer blocked, and the violation is reported.
Fixed Versions:
12.1.3.2, 13.1.1.4
685708-4 : Routing via iRule to a host without providing a transport from a transport-config created connection cores
Links to More Info: BT685708
Component: Service Provider
Symptoms:
Using the MR::message route command without specifying a transport to use (virtual or config) causes tmm to core if the connection receiving the request was created using a transport-config.
Conditions:
-- The MR::message route command is used without specifying a transport (virtual or config).
-- The connection receiving the request was created using a transport-config.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Specify a transport to use for creating a new outgoing connection in the MR::message route command.
Fix:
The system will no longer core.
Fixed Versions:
11.6.3.2, 12.1.3.6, 13.1.0.4
685628-1 : Performance regression on B4450 blade
Links to More Info: BT685628
Component: Performance
Symptoms:
Performance degradation may occur for certain types of traffic when the system is under heavy traffic load. L4 and L7 performance may be degraded by up to 5% compared to previous BIG-IP releases.
Conditions:
- L4 and L7 traffic when system is under heavy traffic load.
- VIPRION B4450 blades.
Impact:
You may encounter a performance degradation for certain types of traffic upon upgrading.
Workaround:
None.
Fix:
Performance regression on B4450 blade has been eliminated.
Fixed Versions:
13.1.0.1
685615-4 : Incorrect source mac for TCP Reset with vlangroup for host traffic
Links to More Info: K24447043 , BT685615
Component: Local Traffic Manager
Symptoms:
BIG-IP outbound host TCP RST packets have incorrect source-mac-address.
Conditions:
BIG-IP host traffic is exiting via VLANs in a VLAN group.
Impact:
TCP Reset for traffic exiting the BIG-IP system with incorrect source-mac-address, which could include monitor traffic.
Workaround:
Use transparent mode on the VLAN group.
Fix:
source-mac-address for host traffic is correctly set.
Fixed Versions:
11.5.6, 11.6.5.1, 12.1.3.6, 13.1.0.6
685582-7 : Incorrect output of b64 unit key hash by command f5mku -f
Links to More Info: BT685582
Component: TMOS
Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.
Conditions:
Viewing output of 'f5mku -f' command.
Impact:
Inconsistent output of the b64 unit key.
Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:
f5mku -vf
For example:
# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...
Fix:
The unit key hash is now the correct length and is consistent upon each 'f5mku -f' command.
Fixed Versions:
12.1.5.3, 13.1.1.2
685519-1 : Mirrored connections ignore the handshake timeout
Links to More Info: BT685519
Component: Local Traffic Manager
Symptoms:
Mirrored connections that do not complete the TCP 3-way-handshake do not honor the configured TCP handshake timeout on active and standby systems.
Conditions:
High availability mirroring enabled on virtual server with attached FastL4 profile.
Impact:
Unestablished TCP sessions in the connection table stay open for the duration of the TCP idle-timeout.
Workaround:
None.
Fix:
Mirrored connections now honor the TCP handshake timeout.
Fixed Versions:
11.6.4, 12.1.4.1, 13.1.1.4
685475-1 : Unexpected error when applying hotfix
Links to More Info: K93145012 , BT685475
Component: TMOS
Symptoms:
Software 'install hotfix' commands fail with a message similar to the following: Image (BIG-IP-11.6.1.0.0.317.iso) has a software image entry in MCP database but does not exist on the filesystem.
Conditions:
Before installing the hotfix, the necessary full (base) software image prerequisite was added to the images directory, but then was removed before issuing the hotfix command.
For example, to apply 'Hotfix-BIG-IP-11.6.1.2.0.338-HF2.iso', the system must have access to the base image; 'BIG-IP-11.6.1.0.0.317.iso'.
Here is another example, on multi-bladed VIPRION systems (where the issue is resolved by running 12.1.3.6):
1) Install and boot into 12.0.0 on the VIPRION system:
-- install /sys software image 12.0.0.iso create-volume volume HD1.test
-- reboot volume HD1.test
2) Install and boot into 12.1.2.0.402.249:
-- install /sys software hotfix Hotfix-BIG-IP-12.1.2.0.402.249-ENG.iso create-volume volume HD1.test2
-- reboot volume HD1.test2
3) Delete 12.0.0.iso and volume HD1.test:
-- delete sys software image 12.0.0.iso
-- delete sys software volume HD1.test
4) Copy over Hotfix-BIG-IP-13.1.0.7.0.17.1-ENG.iso without the 13.1.0.7 base image.
5) Check the /var/log/ltm logs for the following message:
-- lind[6288]: 013c0006:5: Image (BIG-IP-12.0.0.0.0.606.iso) has a software image entry in MCP database but does not exist on the filesystem.
Impact:
Cannot apply hotfix until the full base image is present.
Workaround:
Perform the following procedure:
1. Copy the base image to the images directory on the BIG-IP system.
2. Restart the 'lind' daemon.
3. Try the hotfix installation operation again.
Fix:
Issuing an 'install hotfix' command when the base image is not available now puts the system into a 'wait' state. The process status is 'waiting for base image', which should make clear what needs to be done. When the base image becomes available (in the images directory), the hotfix installation proceeds.
Fixed Versions:
12.1.3.6, 13.1.0.4
685467-1 : Certain header manipulations in HTTP profile may result in losing connection.
Links to More Info: K12933087 , BT685467
Component: Local Traffic Manager
Symptoms:
The HTTP profile has an option 'Insert X-Forwarded-For' which adds a header when a request is forwarded to a pool member. When a virtual server has an iRule with a collect command such as SSL::collect, it is affected by the HTTP profile processing. The same issue occurs with the 'Request Header Erase' option in the HTTP profile.
Conditions:
A virtual server meets the following conditions:
-- ClientSSL profile.
-- HTTP profile with option 'Insert X-Forwarded-For' enabled and/or configured option 'Request Header Erase'.
-- iRule that has an 'SSL::collect' command in at least two events (e.g., CLIENTSSL_HANDSHAKE and CLIENTSSL_DATA).
Impact:
TCP connection is reset, and no response is provided to a client.
Workaround:
Use iRule to insert X-Forwarded-For with an appropriate IP address and/or remove headers configured in 'Request Header Erase' option of HTTP profile.
Fix:
Connections are no longer reset due to the 'Insert X-Forwarded-For' and 'Request Header Erase' options in the HTTP profile.
Fixed Versions:
12.1.3.6, 13.1.0.4
685458-7 : merged fails merging a table when a table row has incomplete keys defined.
Links to More Info: K44738140 , BT685458
Component: TMOS
Symptoms:
There is a timing issue in merged that causes it to fail while processing a table row with incomplete keys defined.
Conditions:
No specific conditions are required beyond merged running (which is true on every BIG-IP system) and the BIG-IP system processing a table row with incomplete keys defined.
Although this issue is not dependent on configuration or traffic, it appears that it is more prevalent on vCMP hosts.
Impact:
There will be a few second gap in available statistics during the time when a core is being created and merged restarts.
Workaround:
None.
Fix:
merged now detects this scenario (a table row with incomplete keys defined) and does not fail.
Fixed Versions:
12.1.5, 13.1.0.4
685254-2 : RAM Cache Exceeding Watchdog Timeout in Header Field Search
Links to More Info: K14013100 , BT685254
Component: Local Traffic Manager
Symptoms:
SOD halts TMM while RAM cache is processing a header.
Conditions:
When RAM cache is attempting to match an ETag and fails to find it in the header field.
Impact:
The search continues until a match is found in memory, or a NUL byte is encountered. If the search takes too long, sod kills RAM cache on a watchdog timeout violation.
Workaround:
No workaround at this time.
Fix:
SOD no longer halts TMM while RAM cache is processing a header.
Fixed Versions:
12.1.3.4, 13.1.1.4
685230-3 : memory leak on a specific server scenario
Links to More Info: BT685230
Component: Application Security Manager
Symptoms:
The bd process memory increases.
Conditions:
A specific server scenario of handling the traffic.
Impact:
Swap may be used. The kernel OOM killer may be invoked. Possible traffic disturbance.
Workaround:
There is no workaround at this time.
Fix:
A memory leak related to a specific server scenario was fixed.
Fixed Versions:
12.1.3.7, 13.1.0.8
685207-1 : DoS client side challenge does not encode the Referer header.
Component: Application Security Manager
Symptoms:
XSS reflection when DoS client side is enabled as a mitigation, or a proactive bot defense is enabled.
Conditions:
1. Log in to the client machine and start the load (for example, an 'ab' request) against the virtual server so that DoS mitigation engages.
2. Once the DoS attack is detected, send a request (for example, with curl) whose Referer header carries the following query string:
hl=en&q=drpdrp'-alert(1)-'drpdrp"
3. The unencoded Referer header value is visible in the challenge response.
Impact:
The XSS reflection occurs after triggering the DoS attack.
Workaround:
None.
Fix:
DoS client side challenge now encodes the Referer header.
Fixed Versions:
11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.2
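The fix for 685207-1 is an output-encoding fix. The following Python example, added here and not F5 code, models the failure and the fix: a minimal challenge page that embeds the Referer inside a JavaScript string literal, once verbatim (vulnerable) and once percent-encoded. The template, function names and sample Referer URL are assumptions; the payload is the one quoted in the Conditions above.

```python
"""Reflected XSS through an unencoded Referer, and the encoding fix.

Constructed example, not F5 code: a minimal challenge-page renderer that
embeds the client's Referer so the browser can return to the original URL
once the JavaScript challenge completes. The template, the function names
and the sample request are assumptions for illustration.
"""
from urllib.parse import quote

# Constructed attacker Referer carrying the payload from the Conditions above.
ATTACK_REFERER = "http://app.example/search?hl=en&q=drpdrp'-alert(1)-'drpdrp\""

# The Referer lands inside a JavaScript string literal in the challenge page.
TEMPLATE = "<script>var back='{referer}';window.location=back;</script>"


def encode_referer(referer: str) -> str:
    """Percent-encode everything except the characters a URL legitimately
    needs, so quotes, parentheses, angle brackets and whitespace can no
    longer terminate the string literal or the script element."""
    return quote(referer, safe="/:?=&%")


def render_challenge_vulnerable(referer: str) -> str:
    """Before the fix: the header value is interpolated verbatim."""
    return TEMPLATE.format(referer=referer)


def render_challenge_fixed(referer: str) -> str:
    """After the fix: the header value is encoded before interpolation."""
    return TEMPLATE.format(referer=encode_referer(referer))


def js_string_broken_out(page: str) -> bool:
    """Rough detector for the reflection: a quote in the value closes the
    literal and the arithmetic '-alert(1)-' becomes executable code."""
    return "'-alert(1)-'" in page


if __name__ == "__main__":
    print(render_challenge_vulnerable(ATTACK_REFERER))
    print(render_challenge_fixed(ATTACK_REFERER))
```

Percent-encoding is shown because the value is a URL that the browser will navigate to; JSON-encoding the value would be the other defensible choice for a JavaScript string context. Either way the rule is the same: encode for the context the value lands in, never copy a request header into a response verbatim.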
685193-1 : If Inheritance is None in the Parent Policy and there is at least one child policy, the number of Comments shown in Inheritance Settings equals the number of child policies
Links to More Info: BT685193
Component: Application Security Manager
Symptoms:
If Inheritance is None in the Parent Policy and there is at least one child policy, the number of Comments shown in Inheritance Settings is equal to number of child policies.
Conditions:
1) Create Parent policy and set some section's Inheritance to None.
2) Create child policy and assign it to the parent created above.
3) Go to the parent policy's Inheritance Settings tab. The number of comments for sections set to None equals the number of child policies.
Impact:
There is an incorrect number of Comments shown in Inheritance Settings.
Workaround:
None.
Fix:
The correct number of comments is now shown for each section in the Inheritance Settings tab for the parent policy. In the case of None inheritance, nothing is shown.
Fixed Versions:
13.1.0.2
685164-1 : In partitions with default route domain != 0 request log is not showing requests
Links to More Info: K34646484 , BT685164
Component: Application Security Manager
Symptoms:
No requests in request log when partition selected, while they can be seen when 'All [Read Only]' is selected.
Conditions:
Select a partition whose default route domain is not 0 (zero).
Impact:
No requests in request log.
Workaround:
As a partial workaround, you can use [All], but it's read only.
Fix:
Fixed filter by Source IP, which worked incorrectly in partitions whose default route domain was not 0 (zero).
Fixed Versions:
12.1.5, 13.1.0.2
685110-1 : With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
Links to More Info: K05430133 , BT685110
Component: Local Traffic Manager
Symptoms:
1. FQDN nodes/pools fail to populate with members.
2. An error similar to the following is logged in /var/log/ltm when an FQDN node or pool member is created:
err mcpd[####]: 01070356:3: Ratio load balancing feature not licensed.
Conditions:
1. License a BIG-IP system with non-LTM license lacking the ltm_lb_ratio feature.
Such licenses include APM and/or ASM licenses for certain newer platforms which do not support the AAM module.
Affected platforms include certain iSeries and Virtual Edition (VE) releases.
2. Configure an FQDN node/pool member. Do not specify a 'ratio' value.
Impact:
Unable to use FQDN nodes/pool members with a non-LTM license.
Workaround:
None.
Fix:
With a non-LTM license (ASM, APM, etc.), ephemeral nodes are now created for FQDN nodes/pool members.
Fixed Versions:
12.1.3.2, 13.1.1.2
685056 : VE OVAs are not a supported platform for VMware guest OS customization
Links to More Info: BT685056
Component: TMOS
Symptoms:
VMware vCenter fails to create customization specification wizard because the BIG-IP Virtual Edition (VE) OVA's OSType is set to 'Other 64-bit'.
Conditions:
When applying VMware guest OS customization on VMware BIG-IP VE.
Impact:
VMware guest OS customization fails (cannot create customization specification wizard).
Workaround:
You can use either of the following workarounds:
- Apply VMware guest OS customization with 'ovftool'.
- Manually set OSType to 'Other 3.x Linux 64-bit'.
Fix:
OS type embedded in .ovf file in VE OVAs has been changed from 'Other 64-bit' to 'Other 3.x Linux 64-bit' to enable VMware guest OS customization.
Behavior Change:
In this release, the OS type set in the .ovf file in the BIG-IP VE SCSI OVA images for VMware has been changed from 'Other 64-bit' to 'Other 3.x Linux 64-bit'. This enables 'VMware Guest Customization' via VMware vCenter.
Fixed Versions:
13.1.0.2
685020-3 : Enhancement to SessionDB provides timeout
Links to More Info: BT685020
Component: TMOS
Symptoms:
In some cases, calls made to SessionDB never return from the remote TMM.
Conditions:
-- Using add, update, delete, and lookup commands to remote TMM.
-- SessionDB request is not returned.
Impact:
Calls made to SessionDB never return from the remote TMM.
Workaround:
None.
Fix:
The system initiates a timeout after 2 seconds. If a timeout occurs, the calling command receives a result of err==ERR_TIMEOUT.
A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Below is the new definition. To enable the override, run:
tmsh modify sys db tmm.sessiondb.table_cmd_timeout_override value true
# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|
Behavior Change:
A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Below is the new definition. To enable the override, run:
tmsh modify sys db tmm.sessiondb.table_cmd_timeout_override value true
# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|
Fixed Versions:
12.1.3.2, 13.1.0.8
684937-3 : [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
Links to More Info: K26451305 , BT684937
Component: Access Policy Manager
Symptoms:
APM HTTP request handling performance degrades gradually when Kerberos SSO is used over a period of time.
The websso process CPU usage is very high during this time. The latency can vary between APM end users.
Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.
Impact:
Increased latency of HTTP request processing.
Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.
Fix:
LRU cache performance no longer degrades linearly with the number of cached Kerberos tickets, and the latency of HTTP request processing is significantly improved.
Fixed Versions:
11.5.6, 11.6.3.2, 12.1.3.6, 13.0.1, 13.1.0.6
684852-1 : Obfuscator not producing deterministic output
Links to More Info: BT684852
Component: Fraud Protection Services
Symptoms:
Proactive defense challenge is not passed.
Conditions:
The obfuscator does not produce the same output for the same key and seed pair. On multi-blade devices, or in active-active deployments, the request for the page (url=/) and the request for the JavaScript (/TSPD/*?type=10) can each be served by a different blade or a different device.
More commonly, the page and the JavaScript are loaded from the same blade, but the JavaScript is then served from cache.
On the next refresh the page request goes to the second blade; because the cached JavaScript came from the first blade, it does not match the page.
Impact:
Proactive defense challenge is not passed; challenge remains on blank page on chassis.
Workaround:
None.
Fix:
Obfuscator now uses common Random object.
Fixed Versions:
13.1.0.2
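Why the obfuscator's output has to be a pure function of (key, seed): the following Python example, added here and not Fraud Protection Services code, derives its PRNG from those two inputs only, so two 'blades' (two separate calls) produce identical output and a cached script still matches the page built elsewhere. Identifier renaming stands in for the real obfuscator's transformations; the function names and the sample script are assumptions.

```python
"""Deterministic obfuscation keyed on (key, seed).

Constructed example, not the Fraud Protection Services code. It shows the
property the fix restores: for the same key and seed, every blade or device
must derive the same obfuscated JavaScript, so a page served by one blade
still matches a script served (or cached) from another. Identifier renaming
is a stand-in for the real obfuscator's transformations; names and the
sample script are assumptions.
"""
import hashlib
import random
import re

IDENT = re.compile(r"\b([A-Za-z_]\w*)\b")
KEYWORDS = {"function", "return", "var", "if", "else"}
LETTERS = "abcdefghijklmnopqrstuvwxyz"


def rng_for(key: bytes, seed: bytes) -> random.Random:
    """PRNG whose state depends only on (key, seed), never on the process,
    host or time, so two blades produce the same stream of choices."""
    digest = hashlib.sha256(b"obf:" + key + b":" + seed).digest()
    return random.Random(int.from_bytes(digest, "big"))


def obfuscate(js: str, key: bytes, seed: bytes) -> str:
    """Rename every non-keyword identifier with a name drawn from the keyed PRNG."""
    rng = rng_for(key, seed)
    mapping = {}

    def rename(match):
        name = match.group(1)
        if name in KEYWORDS:
            return name
        if name not in mapping:
            candidate = "_" + "".join(rng.choice(LETTERS) for _ in range(6))
            while candidate in mapping.values():  # avoid a (very unlikely) collision
                candidate = "_" + "".join(rng.choice(LETTERS) for _ in range(6))
            mapping[name] = candidate
        return mapping[name]

    return IDENT.sub(rename, js)


# Constructed challenge script.
SCRIPT = "function solve(token) { var answer = token + 1; return answer; }"


def served_consistently(page_key: bytes, page_seed: bytes,
                        script_key: bytes, script_seed: bytes) -> bool:
    """Does a script obfuscated by one blade match the page built by another?
    The two calls model two independent processes."""
    return obfuscate(SCRIPT, page_key, page_seed) == obfuscate(SCRIPT, script_key, script_seed)
```

The seed material is hashed before it reaches the PRNG so that any per-blade state (a process-local Random object, the clock, a hostname) cannot leak into the output; that is the defect the fix removed.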
684583-1 : Built-in Okta Scopes Request object uses client-id and client-secret
Links to More Info: BT684583
Component: Access Policy Manager
Symptoms:
Built-in Okta Scopes Request object uses client credentials instead of resource server credentials.
Conditions:
Built-in Okta Scopes Request object.
Impact:
Scope request with the built-in Okta Scopes Request object fails.
Workaround:
Use modified Request object.
Fix:
The built-in Okta Scopes Request object is fixed to use resource server credentials.
Fixed Versions:
13.1.0.4
684414-2 : Retrieving too many groups is causing out of memory errors in TMUI and VPE
Links to More Info: BT684414
Component: Access Policy Manager
Symptoms:
Retrieving too many groups might cause out-of-memory errors in TMUI and VPE. TMUI might end up with HTTP 502, and VPE fails with HTTP 500.
Conditions:
LDAP/AD server with over 20,000 groups.
Impact:
It's hard to perform LDAP/AD group mapping because there are no group names in the dialog box, which complicates work on such a large number of groups.
Workaround:
Remove the /shared/tmp/gmcache folder and use manual group mapping.
Fix:
Retrieving too many groups no longer results in memory errors in TMUI and VPE, even on LDAP/AD servers with over 20,000 groups.
Fixed Versions:
12.1.3.2, 13.1.3.2
684391-3 : Existing IPsec tunnels reload. tmipsecd creates a core file.
Links to More Info: BT684391
Component: TMOS
Symptoms:
Existing IPsec tunnels reload. tmipsecd creates a core file.
Conditions:
The issue has not been reliably reproduced; the one observed instance occurred under the following conditions:
-- Remote peer repeatedly tries to establish a tunnel.
-- The IPsec IKEv1 daemon 'racoon' is dead.
Impact:
Existing IPsec tunnels reload when tmipsecd aborts. tmipsecd creates a core file.
Workaround:
None.
Fix:
Exception handling in tmipsecd has been improved so that tmipsecd will not reload when encountering some unusual conditions.
Fixed Versions:
12.1.3.6, 13.1.1.2
684370-1 : APM now supports VMware Workspace ONE integration with VIDM as ID Provider
Links to More Info: BT684370
Component: Access Policy Manager
Symptoms:
When VMware Horizon resources are behind APM, you can see available desktops and applications on the VMware Workspace ONE (WS1) portal, but you cannot launch them.
Conditions:
-- VMware virtual desktops and applications are hosted on VMware Horizon behind APM.
-- Authenticate with VMware Identity Manager (VIDM) and see available virtual desktops and applications on WS1 portal.
-- Attempt to launch a virtual desktop or application with VMware HTML5 client.
Impact:
BIG-IP users get authenticated with VIDM and can see available desktops and applications on the WS1 portal, but cannot launch a desktop or application with View HTML5 client.
Workaround:
Not applicable.
Fix:
APM now supports VMware Workspace One (WS1) with VMware Identity Manager (VIDM) as the Identity Provider and APM as a service provider, protecting VMware Horizon desktops and applications.
Fixed Versions:
13.1.1.3, 14.0.0
684333-1 : PEM session created by Gx may get deleted across HA multiple switchover with CLI command
Links to More Info: BT684333
Component: Policy Enforcement Manager
Symptoms:
PEM sessions may be cleaned up with a terminate cause of FATAL GRACE TIMEOUT if multiple high availability (HA) failovers are performed using the following command: tmsh run sys failover standby.
Conditions:
Multiple HA failovers performed using the following command: tmsh run sys failover standby.
Impact:
PEM session created using Gx may get deleted.
Workaround:
Initiate failover by other means, for example by restarting tmm on the active unit:
bigstart restart tmm
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.4
684325-1 : APMD Memory leak when applying a specific access profile
Links to More Info: BT684325
Component: Access Policy Manager
Symptoms:
When an access profile contains the CheckMachineCert agent, each update of the profile using 'Apply access policy' leaks 12096 bytes of memory.
Conditions:
-- Access profile configured with agent 'CheckMachineCert'.
-- Repeatedly update the profile using 'Apply access policy'.
Impact:
The apmd process eventually stops after repeated applications of the policy.
Workaround:
None.
Fix:
APMD no longer leaks memory when applying Access profile configured with agent 'CheckMachineCert'.
Fixed Versions:
11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4
684312-1 : During Apply Policy action, bd agent crashes, causing the machine to go Offline
Links to More Info: K54140729 , BT684312
Component: Application Security Manager
Symptoms:
During an Apply Policy action, bd_agent crashes with this error:
--------------------
crit perl[21745]: 01310027:2: ASM subsystem error (bd_agent,): bd_agent exiting, error:[Bit::Vector::new_Dec(): input string syntax error at /usr/local/share/perl5/F5/CfgConvert.pm line 66, <$inf> line 1. ]
--------------------
The bd and bd_agent processes restart, and the machine goes Offline.
Conditions:
-- ASM provisioned.
-- Applying policy.
-- Corrupted data was attempted to be loaded during an Apply Policy action.
Impact:
The bd and bd_agent processes restart, causing the machine to go Offline while the processes restart.
Workaround:
None.
Fix:
During Apply Policy action, bd agent no longer crashes when attempting to load corrupted data.
Fixed Versions:
11.6.3.2, 12.1.3.2, 13.1.0.2
684218-1 : vADC 'live-install' Downgrade from v13.1.0 is not possible
Links to More Info: BT684218
Component: TMOS
Symptoms:
vADC v13.1.0 has a new storage format that is incompatible with earlier versions. It should be possible to use the '--format' option of 'image2disk' to downgrade a v13.1.0 vADC system, but it is not.
Conditions:
Running v13.1.0, attempt software downgrade to 11.5.4, for example:
image2disk --format=volumes --nosaveconfig 11.5.4
Impact:
The request is not allowed; no changes are made.
Workaround:
Deploy a new 11.5.4 software image via the hypervisor environment.
Fixed Versions:
13.1.1.2
683741-1 : APM now supports VMware Workspace ONE integration with vIDM as ID Provider
Links to More Info: BT683741
Component: Access Policy Manager
Symptoms:
When VMware Horizon resources are behind APM, the APM end user can see available desktops and applications on the VMware Workspace ONE portal but cannot launch them.
Conditions:
-- VMware virtual desktops and applications are hosted on VMware Horizon behind APM.
-- APM end user authenticates with VMware Identity Manager (IDM) and sees available virtual desktops and applications on Workspace ONE portal.
-- APM end user attempts to launch a virtual desktop or application with VMware native client.
Impact:
Users authenticate but cannot launch a desktop or application with the View native client.
Workaround:
None.
Fix:
APM now supports VMware Workspace ONE with VMware IDM as Identity Provider and APM as service provider, protecting VMware Horizon desktops and applications.
Fixed Versions:
13.1.1.3, 14.0.0
683697-1 : SASP monitor may use the same UID for multiple HA device group members
Links to More Info: K00647240 , BT683697
Component: Local Traffic Manager
Symptoms:
Under rare timing conditions, the SASP monitor running on one member of an HA group (failover device group) may use the same LB UID as another member of the device group.
The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.
As a result, only the first HA group member using the duplicated UID is able to successfully use the SASP monitor.
The SASP monitor instance running on the HA group member using the duplicated UID will fail to connect to the SASP GWM.
Conditions:
This occurs under rare timing conditions when using the SASP monitor on a BIG-IP system that belongs to an HA group.
It is possible that the necessary timing conditions may occur if the external SASP monitor daemon is forcibly restarted (such as for troubleshooting purposes).
Impact:
The SASP monitor is unable to monitor pool member availability on all members of the HA group.
Workaround:
Forcing the mcpd process to reload the configuration (as described in article K13030: Forcing the mcpd process to reload the BIG-IP configuration, https://support.f5.com/csp/article/K13030) allows recovery from this condition.
It is possible that less-intrusive measures such as restarting the external SASP monitor daemon (such as by sending a SIGTERM to the SASPD_monitor process) may also allow recovery. Due to the rare occurrence of this symptom, this solution has not been confirmed.
Fix:
The SASP monitor reliably uses a unique UID across HA group members, allowing all HA group members to successfully connect to the SASP GWM.
Fixed Versions:
12.1.3.4, 13.1.1.4
683508-1 : WebSockets: umu memory leak of binary frames when remote logger is configured
Links to More Info: K00152663 , BT683508
Component: Application Security Manager
Symptoms:
ASM out of memory error messages in /var/log/asm.
Conditions:
-- Virtual server configured with WebSocket profile.
-- ASM remote logger configured and assigned to the virtual server.
Impact:
ASM out of memory, memory leak.
Workaround:
Remove ASM remote logging profile from a virtual server.
Fix:
This release correctly releases unused memory after WebSocket message is sent to the logging destination.
Fixed Versions:
12.1.3.2, 13.1.0.2
683474 : Case-sensitivity problem when comparing two virtual servers
Component: Application Visibility and Reporting
Symptoms:
The 'incident types volume graph' fails to load when incidents are filtered by virtual server and two virtual server names differ only in letter case.
Impact:
Chart of incident data will not be displayed.
Workaround:
Avoid creating virtual servers whose names differ only in letter case.
Fix:
The monpd process now uses a case-sensitive comparison of virtual server names.
Fixed Versions:
13.1.0.2
683389-3 : Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
Links to More Info: BT683389
Component: Access Policy Manager
Symptoms:
Flash ActionScript3 application shows Error #2134 when trying to call flash.net::SharedObject.getLocal with localPath specified.
Conditions:
Attempt to create local SharedObject.
Impact:
Affected Flash applications are not working when accessed through Portal Access.
Workaround:
None.
Fix:
Addressed an issue in Portal Access which caused rewritten Flash files to show Error #2134 on attempt to create local SharedObject.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.4
683297-2 : Portal Access may use incorrect back-end for resources referenced by CSS
Links to More Info: BT683297
Component: Access Policy Manager
Symptoms:
If HTML page contains reference to external CSS file with URL beginning with '//', then host-less references in this CSS file are handled incorrectly by Portal Access.
Conditions:
- HTML page at http://example.host/page.html:
<link rel=stylesheet href=//another.host/some/path/my.css>
- and this CSS contains reference with absolute path like this:
html { background-image: url(/misc/image/some.png); }
Portal Access uses 'http://example.host' as back-end for this image instead of correct 'http://another.host'.
Impact:
Web application may not work correctly.
Workaround:
Use iRule to correct back-end host.
Fix:
Portal Access uses correct back-end host for references in CSS files included with scheme-less URL.
Fixed Versions:
13.0.1, 13.1.0.4
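The correct base for url() references inside a stylesheet is the stylesheet's own absolute URL, not the page that linked it. The following Python example, added here and not Portal Access code, resolves the references from the Conditions above both ways (against the page, as before the fix, and against the stylesheet, as after it) and shows which back-end host each choice selects. The regex, function names and the extra relative reference are assumptions.

```python
"""Resolving url(...) references inside a stylesheet fetched via a
scheme-relative link.

Constructed example, not Portal Access code. A rewriting proxy has to resolve
references inside a CSS file against the stylesheet's own absolute URL, not
against the HTML page that linked it; the two differ whenever the <link>
href starts with '//'. The page, host names and first CSS rule below are the
ones from the Conditions; the second rule is an added assumption.
"""
import re
from urllib.parse import urljoin, urlsplit

PAGE_URL = "http://example.host/page.html"
LINK_HREF = "//another.host/some/path/my.css"
CSS_TEXT = ("html { background-image: url(/misc/image/some.png); }"
            " .logo { background: url(../img/logo.png); }")

URL_REF = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)")


def stylesheet_url(page_url: str, href: str) -> str:
    """Absolute URL of the stylesheet; a '//host/path' href takes only the
    scheme from the page."""
    return urljoin(page_url, href)


def resolve_refs_buggy(page_url: str, href: str, css: str) -> list:
    """Behaviour before the fix: every reference resolved against the page URL."""
    return [urljoin(page_url, ref) for ref in URL_REF.findall(css)]


def resolve_refs(page_url: str, href: str, css: str) -> list:
    """Behaviour after the fix: references resolved against the stylesheet URL."""
    base = stylesheet_url(page_url, href)
    return [urljoin(base, ref) for ref in URL_REF.findall(css)]


def backend_hosts(urls: list) -> set:
    """Which back-end host(s) a proxy would contact for these references."""
    return {urlsplit(u).hostname for u in urls}


if __name__ == "__main__":
    print("before fix:", resolve_refs_buggy(PAGE_URL, LINK_HREF, CSS_TEXT))
    print("after fix: ", resolve_refs(PAGE_URL, LINK_HREF, CSS_TEXT))
```

Note that urljoin already handles the scheme-relative href correctly; the defect is purely a matter of which base URL is carried into the CSS rewrite.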
683241-1 : Improve CSRF token handling
Links to More Info: K70517410 , BT683241
Component: Application Security Manager
Symptoms:
Under certain conditions, CSRF token handling does not follow current best practices.
Conditions:
CSRF is configured.
Impact:
CSRF token handling does not follow current best practices.
Workaround:
None.
Fix:
CSRF token handling now follows current best practices.
Fixed Versions:
11.5.6, 11.6.3.2, 12.1.3.6, 13.1.0.6
683135-2 : Hardware syncookies number for virtual server stats is unrealistically high
Links to More Info: BT683135
Component: TMOS
Symptoms:
In some situations 'tmsh show ltm virtual' shows unrealistically high hardware (HW) syncookie numbers.
These unrealistically high HW syncookie stats cause the AFM DoS TCP SYN flood vector to report high numbers, which can cause that vector to drop packets in hardware based on its configured rate limit.
Conditions:
Virtual server with hardware syncookie protection enabled.
Impact:
Stats issue. Can have impact to traffic if AFM TCP Synflood vector is enabled in mitigation mode.
Workaround:
Disable the TCP Synflood vector in mitigate mode.
Since Syncookie is already providing protection, the TCP Synflood option should be enabled only in detect-only mode, if at all.
Fixed Versions:
13.1.3.2, 14.1.2.7
683131-1 : Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present
Links to More Info: BT683131
Component: TMOS
Symptoms:
BIG-IP software installations will fail and report a status of:
waiting for cleanup; multiple base builds found (BIG-IP 13.0.0)
Conditions:
- Perform software installation in a vCMP guest when guest is running v13.0.0 or newer.
- Ask the guest to install a hotfix (e.g. "tmsh install /sys software hotfix 13.0.0-hf2.iso volume HD1.2 create-volume") to a boot location that does not have a base software version installed.
- Hypervisor has a valid copy of the correct base image (e.g. v13.0.0 build 0.0.1645)
- Guest has a valid copy of the correct base image (e.g. v13.0.0 build 0.0.1645)
Impact:
Software installation fails, and will not complete/continue.
Workaround:
Delete the base software image from either the hypervisor or guest's file system
Fix:
The condition no longer causes an error; the installation request successfully runs to completion.
Fixed Versions:
13.1.0.2
683114-2 : Need support for 4th element version in Update Check
Links to More Info: BT683114
Component: TMOS
Symptoms:
Previously, there was no 4th element version Update Check functionality.
Conditions:
Using Update Check.
Impact:
No 4th element version support provided.
Workaround:
None.
Fix:
There is now 4th element version support in Update Check.
Fixed Versions:
12.1.3.1, 13.1.0.1
683113-3 : [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
Links to More Info: K22904904 , BT683113
Component: Access Policy Manager
Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over a period of time.
Websso CPU usage is very high.
The BIG-IP system's response rate can drop to the point that clients disconnect after waiting for a response. The system logs error messages similar to the following: Failure occurred when processing the work item.
Conditions:
-- Running APM.
-- A large number of APM end users (approximately 20,000) have logged on and are using Kerberos SSO.
Impact:
Increased latency of HTTP request processing.
Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.
Fix:
Improvements to the krb5 library have been implemented for better scalability, so the latency of HTTP request processing has been significantly improved.
Fixed Versions:
11.5.6, 11.6.3.2, 12.1.3.6, 13.0.1, 13.1.0.6
683029-1 : Sync of virtual address and self IP traffic groups only happens in one direction
Links to More Info: BT683029
Component: TMOS
Symptoms:
If you have a virtual address and a self IP that both listen on the same IP address, changing the traffic group of the self IP will make an equivalent change to the traffic group of the virtual address. However, this does not work in reverse. Changing the traffic group of the virtual address will not cause a change of the traffic group of the self IP.
Conditions:
You have a virtual address and a self IP that both listen on the same IP address. (The subnet mask need not be the same.)
Impact:
This is by design, but is counterintuitive, and there is no warning message that this is the case. Setting the traffic group on both objects will always work properly.
Workaround:
Care should be taken to ensure that the desired traffic group is set on both objects.
Fixed Versions:
13.1.1.2
682944-1 : key-id missing for installed netHSM key for standby BIG-IP system in high availability (HA) setup
Links to More Info: BT682944
Component: Local Traffic Manager
Symptoms:
In a BIG-IP high availability (HA) configuration, the nethsm key installed has empty key-id string for the standby BIG-IP system. That is, the BIG-IP system that actually gets the key installed has the key-id string properly displayed. But its peer BIG-IP system does not display a key-id string associated with the installed key.
Conditions:
-- nethsm key installed.
-- Standby BIG-IP system in an high availability (HA) configuration.
Impact:
The peer BIG-IP system has no key-id string properly displayed.
Workaround:
Even though key-id does not display, the key is present on the peer BIG-IP system and can be used there.
Fix:
The netHSM key for standby BIG-IP system in high availability (HA) configurations now shows up after a successful configsync.
Fixed Versions:
13.1.0.8
682837-2 : Compression watchdog period too brief.
Links to More Info: BT682837
Component: TMOS
Symptoms:
Compression TPS can be reduced on certain platforms when sustained, very high compression request traffic is present.
Conditions:
Very high sustained system-wide compression request traffic.
Impact:
Accelerated compression throughput can drop significantly; some flows dropped.
Workaround:
Switch to software compression.
Fix:
Compression request monitor tuned to account for systems with smaller bandwidth.
Fixed Versions:
12.1.3.1, 13.1.1.4
682500-2 : VDI Profile and Storefront Portal Access resource do not work together
Links to More Info: BT682500
Component: Access Policy Manager
Symptoms:
Accessing a Citrix Storefront portal access resource and clicking on the application does not work since VDI returns HTTP status 404.
Conditions:
-- VDI profile is attached to the Virtual server.
-- Access policy has Citrix Storefront portal access resource.
-- Citrix remote-desktop resource is attached.
Impact:
Citrix Storefront portal access resource cannot be used to launch applications.
Workaround:
None.
Fix:
Citrix Storefront portal access resources can now be used with Citrix Remote desktop resources.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.4
682352-2 : OpenSSL vulnerability CVE-2017-3735
Links to More Info: K21462542
682335-1 : TMM can establish multiple connections to the same gtmd
Links to More Info: BT682335
Component: Global Traffic Manager (DNS)
Symptoms:
TMM can establish multiple connections to the same gtmd, and tmm may core.
Conditions:
This timing-related issue involves coordination between license blob arrival, gtmd connection teardown/establishment, and gtmd restart.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
If a connection flow to gtmd already exists, tmm no longer starts another connection.
Fixed Versions:
12.1.3.4, 13.1.0.4
682283-2 : Malformed HTTP/2 request with invalid Content-Length value is served against RFC
Links to More Info: BT682283
Component: Local Traffic Manager
Symptoms:
An HTTP/2 request can include a Content-Length header. When its value does not match the sum of the lengths of all DATA frames on the stream, the RFC requires that the stream be reset.
Conditions:
-- A virtual server is configured with HTTP/2 profile.
-- The value of Content-Length header does not match the sum of lengths of all DATA frames from the stream.
Impact:
The BIG-IP system forwards the request to the server and serves the response it receives, which does not conform to the RFC.
Workaround:
None.
Fix:
Now, when a client sends a request over an HTTP/2 connection with a malformed HEADERS frame in which Content-Length does not match the payload size in DATA frames, the BIG-IP system correctly resets the stream with RST_STREAM frame.
Fixed Versions:
13.1.0.8, 14.0.0.3
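The check the fix implements, as an added Python example that is not BIG-IP code: parse the HTTP/2 frames of one stream, sum the DATA payload bytes (excluding padding) and compare the total with the declared Content-Length; on a mismatch the stream must be reset. HPACK decoding is out of scope, so the decoded Content-Length value is passed in; the frame builder and the sample stream are assumptions.

```python
"""HTTP/2 Content-Length versus DATA-frame length (RFC 7540, section 8.1.2.6).

Constructed example, not BIG-IP code. It parses raw HTTP/2 frames, sums the
body bytes carried by DATA frames on one stream (excluding padding) and
decides whether the declared Content-Length matches; a mismatch must be
answered with RST_STREAM(PROTOCOL_ERROR) rather than forwarded. HPACK
decoding is out of scope, so the decoded Content-Length value is passed in;
the frame builder and sample request are assumptions for illustration.
"""
import struct

FRAME_DATA, FRAME_HEADERS = 0x0, 0x1
FLAG_END_STREAM, FLAG_END_HEADERS, FLAG_PADDED = 0x1, 0x4, 0x8


def parse_frames(buf: bytes):
    """Yield (type, flags, stream_id, payload) for each 9-byte-header frame in buf."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = struct.unpack(">I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += 9 + length


def data_bytes(flags: int, payload: bytes) -> int:
    """Body bytes in a DATA frame: drop the Pad Length octet and the padding."""
    if flags & FLAG_PADDED:
        pad = payload[0]
        if pad >= len(payload):
            raise ValueError("padding exceeds frame payload")
        return len(payload) - 1 - pad
    return len(payload)


def check_stream(frames: bytes, stream_id: int, content_length: int) -> str:
    """'forward' when the body matches Content-Length, 'RST_STREAM' when it
    does not (including END_STREAM on HEADERS with a non-zero length),
    'incomplete' if END_STREAM has not arrived yet."""
    received = 0
    for ftype, flags, sid, payload in parse_frames(frames):
        if sid != stream_id:
            continue
        if ftype == FRAME_DATA:
            received += data_bytes(flags, payload)
        if flags & FLAG_END_STREAM:
            return "forward" if received == content_length else "RST_STREAM"
    return "incomplete"


def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Encode one frame; used only to build the constructed sample below."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id) + payload)


# Constructed request on stream 1: a HEADERS frame (its HPACK block replaced
# by a one-byte placeholder) and two DATA frames carrying "hel" and "lo",
# the second one padded with two bytes.
SAMPLE = (frame(FRAME_HEADERS, FLAG_END_HEADERS, 1, b"\x00")
          + frame(FRAME_DATA, 0, 1, b"hel")
          + frame(FRAME_DATA, FLAG_END_STREAM | FLAG_PADDED, 1, b"\x02lo\x00\x00"))

if __name__ == "__main__":
    print(check_stream(SAMPLE, 1, 5), check_stream(SAMPLE, 1, 6))
```

The decision is made only once END_STREAM is seen, because the RFC compares Content-Length against the complete body; forwarding before that point is what let the malformed request reach the server.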
682213-1 : TLS v1.2 support in IP reputation daemon
Links to More Info: K31623549 , BT682213
Component: TMOS
Symptoms:
The IP reputation daemon opens SSL connections to the Webroot BrightCloud server using TLS 1.0 protocol.
Conditions:
This occurs when using IP reputation.
Impact:
Because IP reputation services are used to accept/deny connections to critical business applications, there might be concerns about the service. Also some configurations might require that all transactions exfiltrating a PCI-controlled environment leverage secure protocols and ciphers, which won't be the case for IP reputation services.
Workaround:
None.
Fix:
Webroot updated BrightCloud servers to support TLS 1.2. This is additional support: to preserve backward compatibility, the servers continue to accept TLS 1.0, TLS 1.1, TLS 1.2, SSL 2.0 and SSL 3.0.
In addition, this software version supports TLS 1.2 on the client side by customizing the SDK used by the IP reputation daemon.
Fixed Versions:
12.1.3.2, 13.1.0.2
682104-3 : HTTP PSM leaks memory when looking up evasion descriptions
Links to More Info: BT682104
Component: Local Traffic Manager
Symptoms:
http_psm_description_lookup leaks xfrags containing PSM evasion descriptions.
Conditions:
When PSM looks up evasion descriptions.
Impact:
Memory leaked on each lookup might eventually exhaust TMM memory.
Workaround:
None.
Fix:
The memory leak has been fixed.
Fixed Versions:
12.1.3.2, 13.1.0.4
681814-1 : Changes to a cipher group are not propagated to SSL profiles until the configuration is reloaded
Links to More Info: BT681814
Component: Local Traffic Manager
Symptoms:
Changes to a cipher group, even indirect changes such as changing an underlying cipher rule, will not be propagated to the SSL profiles until the configuration is reloaded.
Conditions:
-- An SSL profile is using cipher groups (instead of the cipher string).
-- Some changes are made to that group.
Impact:
The available ciphers on an SSL profile might not be as expected.
Workaround:
You can use either of the following workarounds:
-- Always reload the configuration after changing a cipher group.
-- Use the existing cipher string mechanism instead.
Fix:
With this change, changes to a cipher group are correctly propagated to the SSL profiles, so no configuration reload is required.
Fixed Versions:
13.1.3.5
681782-6 : Unicast IP address can be configured in a failover multicast configuration
Links to More Info: BT681782
Component: TMOS
Symptoms:
Failover multicast configuration does not work when configured with a unicast IP address. Although this is an invalid configuration, the system does not prevent it.
Conditions:
Specify a unicast IP address under 'Failover Multicast Configuration' for network failover in high availability configurations.
Impact:
Failover multicast configuration does not work.
Workaround:
Specify a multicast IP address under 'Failover Multicast Configuration' for network failover.
Fix:
The system now prevents specifying a unicast IP address when configuring multicast failover.
Fixed Versions:
13.1.1.2
681757-3 : Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
Links to More Info: K32521651 , BT681757
Component: Local Traffic Manager
Symptoms:
In response to this issue, you might see the following symptoms:
-- System remains inoperative
-- Screen alerts similar to the following are posted: 'Configuration has not yet loaded'.
-- Configuration fails to load after upgrade to v12.1.0 or higher.
The system records an error message similar to the following in the ltm log file:
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 010716de:3: Policy '/Common/Policy', rule 'Policy-Rule'; target 'forward' action 'select' does not support parameter of type 'member'. Unexpected Error: Loading configuration process failed.
Conditions:
Local Traffic Policy with a forward action that selects a target of type 'member'.
Impact:
Configuration fails to load on upgrade.
Workaround:
Modify the local traffic policies to use a target type of 'node' before upgrading, or, after upgrading, edit the config file and modify 'member' to 'node' in the local traffic policy, and then reload the configuration.
Fix:
Upon upgrade to v12.1.0 or later, policies that perform the action 'forward - select - member' will be automatically changed to 'forward - select - node', and configuration will load successfully.
Fixed Versions:
12.1.3.6, 13.1.1.2
681673-4 : tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results
Links to More Info: BT681673
Component: Local Traffic Manager
Symptoms:
TMSH does not block modify FDB commands that add a multicast MAC address.
Conditions:
This occurs when the following tmsh command is run with a multicast mac-address:
fdb vlan <vlan> records add {<mac-address> {interface <slot>/<port>}}
Impact:
There is not enough information to map the outgoing MAC address to a multicast group, and therefore a default entry with no ports mapped is added. The result is that the frame does not go out the interface indicated in the tmsh command, yet no warning is provided.
Workaround:
None.
Fix:
TMSH modify FDB command is no longer permitted to add multicast MAC addresses, so this issue no longer occurs.
Fixed Versions:
13.1.1.2
681415-3 : Copying of profile with advanced customization or images might fail
Links to More Info: BT681415
Component: Access Policy Manager
Symptoms:
Copying a profile with advanced customization or images produces an error message similar to the following: 'Please specify language code'.
Conditions:
The Access Profile has an advanced customization group or a customization image assigned to any object connected to the profile.
Impact:
Unable to copy policy.
Workaround:
None.
Fix:
Copying of profile with advanced customization or images now succeeds as expected.
Fixed Versions:
12.1.3.4, 13.1.0.6
681385-2 : Forward proxy forged cert lifespan can be configured from days into hours.
Component: Local Traffic Manager
Symptoms:
Once OCSP support is in place, you may need to forge certificates with a lifespan shorter than one day. Previously, there was no way to configure that.
Conditions:
Configure forward proxy forged cert lifespan shorter than a day.
Impact:
None. This is a request for enhancement.
Workaround:
None.
Fix:
A new DB variable (tmm.ssl.certlifespaninhours) is added to support specifying hours instead of days:
[root@localhost:Active:Standalone] config # tmsh list sys db tmm.ssl.certlifespaninhours
sys db tmm.ssl.certlifespaninhours {
value "disable"
}
[root@localhost:Active:Standalone] config # tmsh modify sys db tmm.ssl.certlifespaninhours value enable
[root@localhost:Active:Standalone] config # tmsh list sys db tmm.ssl.certlifespaninhours
sys db tmm.ssl.certlifespaninhours {
value "enable"
}
When this variable is enabled, the configured lifespan is treated as hours. When this variable is disabled, the configured lifespan is treated as days.
Behavior Change:
The configured forward proxy forged cert lifespan can now be changed from days to hours using a new DB variable: tmm.ssl.certlifespaninhours.
Fixed Versions:
13.1.0.2
681175-3 : TMM may crash during routing updates
Links to More Info: K32153360 , BT681175
Component: Local Traffic Manager
Symptoms:
When dynamic routing is configured and ECMP routes are received, certain routing updates may lead to a TMM crash.
Conditions:
-- Dynamic routing.
-- ECMP routes.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable ECMP routes by configuring "max-paths 1" in ZebOS.
Fix:
TMM no longer crashes on routing updates when ECMP is in use.
Fixed Versions:
12.1.3.2, 13.1.0.4
681010-2 : 'Referer' is not masked when 'Query String' contains sensitive parameter
Links to More Info: K33572148 , BT681010
Component: Application Security Manager
Symptoms:
While the sensitive parameter value in 'Query String' is masked, the same sensitive parameter value in the 'Referer' header is exposed.
Conditions:
-- Sensitive parameter is defined in: 'Security :: Application Security : Parameters : Sensitive Parameters'.
-- 'Query String' contains the defined sensitive parameter.
Impact:
"Referer" header contains unmasked value of the sensitive parameter.
Workaround:
Enable 'Mask Value in Logs' in: 'Security :: Application Security : Headers : HTTP Headers :: referer'.
Fix:
The 'Referer' header value is masked in case of sensitive parameter in 'Query String'.
Fixed Versions:
11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
681009-1 : Large configurations can cause memory exhaustion during live-install
Links to More Info: BT681009
Component: TMOS
Symptoms:
System memory can be exhausted, and the kernel kills processes as a result.
Conditions:
During live-install, if configuration roll-forward is enabled, and the compressed configuration size is of a similar order of magnitude as total system memory.
Impact:
The kernel will kill any number of processes; any/all critical applications could become non-functional.
Workaround:
Make sure there are no un-intended large files included in the configuration. Any file stored under /config is considered part of the configuration.
If the configuration is, as intended, on the same order of magnitude as total system memory, do not roll it forward as part of live install. Instead, save it manually and restore it after rebooting to the new software.
To turn off config roll-forward: setdb liveinstall.saveconfig disable
To save/restore the configuration manually, see:
https://support.f5.com/csp/article/K13132
Fixed Versions:
13.1.1.5
680917-1 : Invalid monitor rule instance identifier
Links to More Info: BT680917
Component: TMOS
Symptoms:
iApp triggers an error while attempting to change server properties for pool members. The error reads "Invalid monitor rule instance identifier".
Conditions:
While changing the server properties associated with the pool members through iApp.
Impact:
Server properties cannot be changed using iApp.
Fixed Versions:
12.1.5.3, 13.1.3.2, 14.1.2.1
680856-2 : IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
Links to More Info: BT680856
Component: TMOS
Symptoms:
A new IPsec tunnel may not work after being configured over REST. While the configuration is correct, a log message similar to the following may appear in ipsec.log (IKEv2 example):
info tmm[24203]: 017c0000 [0.0] [IKE] [INTERNAL_ERR]: selector index (/Common/Peer_172.16.4.1) does not have corresponding policy
Conditions:
A new IPsec tunnel is configured over REST.
Impact:
The newly configured IPsec tunnel does not start.
Workaround:
The following methods cause the traffic-selector and ipsec-policy to be correctly related to one another:
-- Restart tmm.
-- Change the configuration, for example the Description field, of both the policy and the traffic selector. This may also be done using REST.
Fix:
A traffic selector can no longer use a deleted policy by name, and if recreated after deletion, the policy is correctly constructed.
Fixed Versions:
12.1.3.6, 13.1.1.4
680850-2 : Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.
Links to More Info: K48342409 , BT680850
Component: Global Traffic Manager (DNS)
Symptoms:
Enabling debug logging on zxfrd (DNSX) can result in excessive CPU and disk usage, as well as errors during DNS AXFR or IXFR processing.
Conditions:
log.zxfrd.level is set to debug by running the following command: tmsh modify sys db log.zxfrd.level value debug
Impact:
IXFRs or AXFRs may fail and be rescheduled due to high CPU usage by zxfrd, which causes it to fail to process data packets during a transfer.
Workaround:
To avoid this issue, do not set log.zxfrd.level to debug.
Fix:
With this change, the dump to /var/tmp/zxfrd.out occurs only when a new db variable, dnsexpress.dumpastext, is set to true. This enables turning on logging for debug without consuming all the CPU and disk necessary to dump packets and zone contents.
Note: Setting this value to true will cause the information to be dumped to stderr, which reveals the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.
Behavior Change:
Previously, setting the zxfrd log level to debug caused all AXFR and IXFR requests and responses to be logged to /var/tmp/zxfrd.out. Doing so also caused the contents of all zones to be dumped, as text, to /var/tmp/zxfrd.out when the database was saved.
This was extremely CPU-, memory-, and disk-intensive. The CPU load could cause zxfrd to fail to process transfer data packets in a timely fashion, which could cause the master DNS server to close the connection.
With this fix, setting log.zxfrd.level debug no longer outputs this information.
Although it is not generally useful to output the contents of the transfer packets or the contents of the database, if this information is required for troubleshooting or information-verification purposes, you can set the new db variable: dnsexpress.dumpastext.
Fixed Versions:
12.1.3.4, 13.1.0.6
680838-2 : IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
Links to More Info: BT680838
Component: TMOS
Symptoms:
A tmm restart and corefile can occur in rare cases while negotiating an IKEv2 IPsec tunnel.
A child_sa managed to process GETSPI_DONE once in the IDLING state, where the ike_sa was expected to be the initiator, but it appeared not to be -- failing an assert.
Conditions:
The BIG-IP is negotiating an IPsec tunnel as the Initiator, but an unexpected state change associated with being the Responder occurs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM will no longer restart due to assertion failure.
Fixed Versions:
12.1.3.6, 13.1.1.4
680729-1 : DHCP Trace log incorrectly marked as an Error log.
Links to More Info: K64307999 , BT680729
Component: Policy Enforcement Manager
Symptoms:
The following sample DHCP debug log may be found repeatedly in the TMM logs.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>
Conditions:
Send a DHCP request through a DHCP virtual and wait for 30 seconds for the DHCP callback to trigger.
Impact:
Possible clutter in the TMM logs.
Workaround:
Set the db variable to critical. To do so, run the following command: setdb tmm.dhcp.log.level critical
Fix:
The following log can be seen only when DHCP debug logs are set to enabled.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>
Fixed Versions:
11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4
680564-1 : "MCP Message:" seen on boot up with Best License
Links to More Info: BT680564
Component: Local Traffic Manager
Symptoms:
This message can be seen in /var/log/tmm:
notice MCP message handling failed in 0x7aa640 (16973843): Aug 28 12:41:02 - MCP Message:
Conditions:
This occurs when booting BIG-IP that has a Best license applied.
Impact:
This message can be ignored.
Workaround:
Ignore the message.
Fix:
With the fix, the message no longer appears.
Fixed Versions:
13.1.1.5
680556-1 : Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
Links to More Info: BT680556
Component: TMOS
Symptoms:
TMM crashes with a subkey that has master_record field set to true.
Conditions:
The specific conditions under which this occurs are not known.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Although the root cause is not known, the system now handles the situation without necessarily restarting tmm.
Fixed Versions:
13.1.1.4
680388-1 : f5optics should not show function name in non-debug log messages
Links to More Info: BT680388
Component: TMOS
Symptoms:
For logging thresholds other than debug, the function name appears in log messages created by f5optics.
Conditions:
-- BIG-IP is running.
-- The logging threshold is set to a value other than debug.
Impact:
Log files contain unexpected data.
Workaround:
There is no workaround at this time.
Fix:
With the fix, f5optics no longer displays function names in non-debug log messages.
Fixed Versions:
12.1.3.5, 13.1.1
680353-1 : Brute force source-based mitigation is not working as expected
Links to More Info: BT680353
Component: Application Security Manager
Symptoms:
Under some conditions, brute force mitigations are not applied in the configured order; for example, a CAPTCHA is served instead of a drop.
Conditions:
-- Brute force is configured.
-- There is more than one source (for example, User and IP address).
Impact:
The incorrect mitigation is received.
Workaround:
None.
Fix:
Fixed an issue with brute force mitigations.
Fixed Versions:
13.1.0.2
680264-2 : HTTP2 headers frame decoding may fail when the frame is delivered in multiple xfrags
Links to More Info: BT680264
Component: Local Traffic Manager
Symptoms:
Intermittently, HTTP2 experiences protocol resets.
Conditions:
-- xfrag is 2 bytes in length.
-- The header length is greater than 128.
-- xfrag starts.
For example, the following returns the incorrect header length:
(0xFF BYTE1) next byte, http2_arbint_read.
Impact:
Unexpected loss of HTTP2 frames due to protocol resets.
Workaround:
No effective workaround.
Fix:
HTTP2 now parses the request, regardless of its xfrags distribution.
Fixed Versions:
12.1.4, 13.0.1, 13.1.0.4
680086 : BMC firmware fails md5sum check
Links to More Info: BT680086
Component: TMOS
Symptoms:
Checking the md5sum of BMC firmware fails when issuing the command:
md5sum -c /usr/firmware/shuttle_x.x.xx.ima_enc.md5
The command fails with the following message:
(...) listed file could not be read
Conditions:
iSeries appliances:
- i2000
- i4000
- i5000
- i7000
- i10000
- i15000
Impact:
'md5sum -c' does not work for BMC firmware checksums.
Workaround:
1. Indirectly check the md5sum by calculating it with the command:
md5sum /usr/firmware/shuttle*.ima_enc
2. Compare that to
cat /usr/firmware/shuttle*.ima_enc.md5
As an alternative, you can use the following command:
diff -sy <(md5sum < /usr/firmware/shuttle*.ima_enc | awk '{ print $1 }') <(cat /usr/firmware/shuttle*.ima_enc.md5 | awk '{ print $1 }')
Fix:
The 'md5sum -c' check now works for BMC firmware checksums.
Fixed Versions:
13.1.1
680074-2 : TMM crashes when serverssl cannot provide certificate to backend server.
Links to More Info: BT680074
Component: Local Traffic Manager
Symptoms:
TMM halts and restarts when server SSL cannot provide a certificate to the backend server.
Conditions:
-- The backend server is configured to require a client certificate to complete the SSL handshake.
-- The server SSL profile is not configured with a client certificate.
Impact:
TMM halts and restarts. Traffic disrupted while tmm restarts.
Workaround:
No workaround at this time.
Fix:
TMM no longer halts and restarts when server SSL cannot provide a certificate to the backend server.
Fixed Versions:
13.1.0.6
680069-1 : zxfrd cores during a transfer when the network fails and the DNS server is removed from the DNS zone config
Links to More Info: K81834254 , BT680069
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd cores and restarts.
Conditions:
While zone transfer is in progress, the network fails and the DNS server is removed from the DNS zone configuration.
Impact:
zxfrd cores.
Workaround:
None.
Fix:
zxfrd no longer cores when the network fails and the DNS server is removed from the DNS zone configuration during a transfer.
Fixed Versions:
12.1.3.6, 13.1.0.4
679751-3 : Authorization header can cause a connection reset
Links to More Info: BT679751
Component: Access Policy Manager
Symptoms:
APM resets connections and reports an ERR_ARG from a simple web request.
Conditions:
-- APM profile with User Identification Method as HTTP.
-- APM profile with User Identification Method as OauthToken.
-- HTTP traffic arrives with certain types of Authorization headers.
Impact:
Connections are reset and APM logs ERR_ARG, which is not helpful for understanding the cause.
Workaround:
iRule workaround:
when HTTP_REQUEST {
if { [HTTP::header "Authorization"] contains "Bearer" && [string tolower [HTTP::header "User-Agent"]] contains "onenote" } {
HTTP::header replace Authorization [string map {"Bearer" ""} [HTTP::header Authorization]]
}
}
Fix:
APM no longer resets connections and reports an ERR_ARG from a simple web request.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1
679722-1 : Configuration sync failure involving self IP references
Links to More Info: BT679722
Component: Advanced Firewall Manager
Symptoms:
Configuration sync fails, generating an error similar to the following:
Caught configuration exception (0), Values (self-IP) specified for self IP (<name>): foreign key index (fw_enforced_policy_FK) do not point at an item that exists in the database..
Conditions:
-- There is another object, such as a firewall policy, that references a self IP address.
-- The self IP address is non-syncable; that is, its traffic group is set to 'traffic-group-local-only'.
Impact:
Sync operation fails.
Workaround:
Set the self IP address' traffic group to a value other than 'traffic-group-local-only', and then force a full load push from the first device.
Fix:
If a self IP address is non-syncable, modifying its traffic group to a syncable value (anything other than 'traffic-group-local-only') now causes the system to suggest synchronization.
Fixed Versions:
13.1.3.2
679613-1 : i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'
Links to More Info: K23531420 , BT679613
Component: Local Traffic Manager
Symptoms:
When an interface is associated with a VLAN whose tag value is '1', traffic is incorrectly sent out as untagged.
Conditions:
1. Create a VLAN with a tag value of '1'.
2. Associate an interface with the VLAN whose value is '1'.
3. Send traffic out that interface.
Impact:
Incorrect routing/switching of traffic.
Workaround:
Use VLANs with a tag value different from '1'.
Fixed Versions:
13.1.1.2
679496-2 : Add 'comp_req' to the output of 'tmctl compress'
Links to More Info: BT679496
Component: Local Traffic Manager
Symptoms:
The output of 'tmctl compress' displays the total numbers of requests (tot_req), but does not distinguish between deflate (compression) requests and inflate (decompression) requests.
Conditions:
Viewing the output of the 'tmctl compress' command.
Impact:
Cannot determine the different types of requests.
Workaround:
There is no workaround at this time.
Fix:
This release now distinguishes between deflate (compression) requests and inflate (decompression) requests, as follows: there is an indicator, 'comp_req', for compression requests. The number of decompression requests is tot_req - comp_req.
Fixed Versions:
12.1.3.5, 13.1.1
679494-1 : Change the default compression strategy to speed
Links to More Info: BT679494
Component: Local Traffic Manager
Symptoms:
The current default compression.strategy is 'latency', which does not perform well: the provider selection algorithm does not react to load changes fast enough.
Conditions:
Using compression.strategy to distribute workload among hardware and software compression providers.
Impact:
The work load may not be distributed evenly among hardware and software compression providers when compression.strategy is 'latency'.
Workaround:
Modify the tmsh sys db variable compression.strategy to 'speed'.
Fix:
The default compression strategy is now set to 'speed'.
Fixed Versions:
12.1.3.5, 13.1.1
679384-3 : The policy builder is not getting updates about the newly added signatures.
Links to More Info: K85153939 , BT679384
Component: Application Security Manager
Symptoms:
The policy builder is not getting updates about the newly added signatures.
Conditions:
When ASU is installed or user-defined signatures are added/updated.
Impact:
No learning suggestions for some of the newly added signatures.
Workaround:
Use either of the following workarounds:
-- One workaround is restarting the policy builder. This will revert the learning progress made in the last 24 hours:
killall -s SIGHUP pabnagd
-- Manually change some Policy Attack Signature Set in Learning and Blocking Settings (e.g., disabling and re-enabling Learn checkbox).
Fix:
After the fix, Policy Builder will be aware of all newly added signatures.
Fixed Versions:
12.1.3.2, 13.1.0.4
679347-2 : ECP does not work for PFS in IKEv2 child SAs
Links to More Info: K44117473 , BT679347
Component: TMOS
Symptoms:
The original racoon2 code has no support for DH generate or compute using elliptic curve algorithms for perfect forward secrecy (PFS).
Additionally, the original interfaces are synchronous, but the only ECP support present uses API with async organization and callbacks, so adding ECP does not work.
Conditions:
Changing an ike-peer definition from the default phase1-perfect-forward-secrecy value of modp1024 to something using ECP: ecp256, ecp384, or ecp512.
Note: The first child SA is negotiated successfully.
Impact:
Once the first child SA expires (or is deleted), the IKEv2 tunnel goes down when another SA cannot be negotiated.
Workaround:
Use MODP for perfect-forward-secrecy instead of ECP.
Fix:
Full support for ECP as PFS has now been added, so a new child SA negotiated in an IKEV2EXCH_CREATE_CHILD_SA exchange works as expected for ecp256, ecp384, and ecp512.
Fixed Versions:
12.1.3.6, 13.1.1.2, 14.0.0
679221-2 : APMD may generate a core file or appear locked up after the APM configuration is changed
Links to More Info: BT679221
Component: Access Policy Manager
Symptoms:
Right after clicking the 'Apply Access Policy' link, APMD may generate a core file and restart; or appears to be locked up.
Conditions:
-- Changing APM configuration, especially Per-Session and Per-Request Policy.
-- Configured for AD or LDAP Auth Agent.
Impact:
If APMD restarts, then AAA service will be interrupted for a brief period of time. If APMD appears to be locked up, then AAA service will be stopped until manually restarted.
Workaround:
None.
Fix:
APMD now processes the configuration changes correctly during 'modify apm profile access <profile name> generation-action increment' (TMSH) or 'Apply Access Policy' (GUI), and no service interruption occurs.
Fixed Versions:
12.1.3.4, 13.1.0.6
679149-1 : TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
Links to More Info: BT679149
Component: Global Traffic Manager (DNS)
Symptoms:
TMM may crash or LB::server returns unexpected result.
Conditions:
GTM rule command LB::server is executed before a load balance decision is made or the decision is not to a real pool member.
Impact:
GTM rule command LB::server returns unexpected result. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
GTM rule command LB::server is now executed at the correct time, so TMM does not crash and LB::server returns expected results.
Fixed Versions:
12.1.3.4, 13.1.0.4
679135-2 : IKEv1 and IKEv2 cannot share common local address in tunnels
Links to More Info: BT679135
Component: TMOS
Symptoms:
When IKEv1 and IKEv2 IPsec tunnels are configured to use the same local IP address, either all the IKEv1 or all the IKEv2 tunnels will not establish.
Note: This is as designed: the system does not support using the same local self IP to establish both IKEv1 and IKEv2 tunnels. However, the system does not prevent it, and there is no indication of the reason for the failure.
Conditions:
-- Use the same self IP as the local address of an IPsec tunnel for IKEv1, as well as the local address of a tunnel for IKEv2.
-- Try to create competing listeners.
Impact:
Either the IKEv1 or IKEv2 tunnel will not work, because the listener for that tunnel fails to establish. Usually the IKEv1 tunnel will not work after tmm restart or BIG-IP reboot.
Workaround:
Use another self IP for the tunnel local address to keep IKEv1 and IKEv2 local tunnel addresses separate.
Note: If IKEv1 tunnels use one local address, while IKEv2 tunnels use another, everything works as expected.
Fix:
Logging in /var/log/ltm now reveals failure to establish listener, along with a suggestion to avoid sharing one local address across IKEv1 and IKEv2 tunnels.
Fixed Versions:
12.1.3.6, 13.1.1.2
679114-4 : Persistence record expires early if an error is returned for a BYE command
Links to More Info: BT679114
Component: Service Provider
Symptoms:
When an error is returned for a SIP command, the persistence timeout is set to the transaction timeout.
Conditions:
An error is returned for any SIP command.
Impact:
The persistence record will expire early when the call has not been ended.
Workaround:
None.
Fix:
For BYE commands, the timeout is not set to transaction timeout on failure.
Fixed Versions:
11.6.3, 12.1.3.6, 13.1.0.6
679088-1 : Avr reporting and analytics does not display statistics of many source regions
Links to More Info: BT679088
Component: Application Visibility and Reporting
Symptoms:
1. The network reporting does not show the statistics related to some Source Regions.
2. In the Security=>Reporting=>Network=>Enforced Rules dashboard, some Source Regions cannot be selected or found using filtering.
For example, the following Source Regions are missing:
France, Ile-de-France; Ukraine, Kyyiv; Russian Federation, Tambovskaya oblast; South Africa, Western Cape; Spain, Madrid
Conditions:
This occurs when attempting to filter on the affected source regions.
Impact:
The network reporting does not show the statistics related to some Source Regions.
Fixed Versions:
13.1.0.2
678925-1 : Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
Links to More Info: BT678925
Component: TMOS
Symptoms:
Using a multicast VXLAN tunnel without a proper route associated with the tunnel's local-address may cause a TMM crash.
Conditions:
When the following conditions are met:
- No route is associated with the tunnel's local-address.
- A selfip address is assigned to the tunnel.
Then, a connection using the tunnel may cause a TMM crash.
Note: You can use the TMSH command "show net route lookup <address>" to check whether there is a route associated with the tunnel's local-address.
Impact:
The TMM crashes and traffic is disrupted.
Workaround:
Make sure that there is a route associated with the tunnel's local-address, before using the tunnel.
Fix:
The TMM no longer crashes.
Fixed Versions:
12.1.3.6, 13.1.1.4
678872-3 : Inconsistent behavior for virtual-address and selfip on the same ip-address
Links to More Info: BT678872
Component: Local Traffic Manager
Symptoms:
Inconsistent ICMP/ARP behavior for self IP address or virtual-address when virtual-address and self IP address have the same IP address.
Conditions:
-- Virtual-address and self IP address have the same IP address.
-- Virtual-address ICMP and ARP are disabled.
Impact:
ICMP echo reply and ARP for the IP address might be inconsistent. Self IP address might override the ARP setting of a virtual address.
Workaround:
No workaround.
Fix:
This fix implements an initialization-order-independent set of rules for deciding whether a particular IP address should have ARP/ICMP enabled when multiple virtual addresses (vaddrs) match it. The lookup proceeds from the finest netmask to the coarsest. If no vaddr matches at a particular netmask, the next coarser netmask is looked up. Otherwise, if any matching vaddr at that netmask has ARP/ICMP enabled, the IP address has ARP/ICMP enabled; if none of the matching vaddrs at that netmask have ARP/ICMP enabled, the IP address has ARP/ICMP disabled.
The rule above has one exception, due to performance optimizations: if a vaddr has both ARP and ICMP disabled, the vaddr is considered deleted.
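The lookup described in the fix above, implemented as an added example (this is not F5's code). The VAddr model, its field names, the constructed sample vaddrs, and the result when no vaddr matches at any netmask are assumptions made for the example:

```python
"""Added example (not F5's code): initialization-order-independent ARP/ICMP
decision for an IP address covered by several virtual addresses (vaddrs),
following the rule stated in the fix for bug 678872."""
import ipaddress
import random
from typing import NamedTuple, Sequence


class VAddr(NamedTuple):
    """A virtual address with its netmask and ARP/ICMP settings (assumed model)."""
    network: str   # e.g. "10.1.1.10/32" (host vaddr) or "10.1.1.0/24" (wildcard vaddr)
    arp: bool
    icmp: bool


class Flags(NamedTuple):
    arp: bool
    icmp: bool


def effective_flags(ip: str, vaddrs: Sequence[VAddr]) -> Flags:
    """Decide ARP/ICMP for `ip` from the vaddrs that cover it.

    Only the finest netmask that has at least one matching vaddr decides; a
    flag is enabled if any vaddr at that netmask enables it, otherwise disabled.
    """
    addr = ipaddress.ip_address(ip)
    # Exception from the fix: a vaddr with both ARP and ICMP disabled is
    # considered deleted, so it never counts as a match.
    live = [(ipaddress.ip_network(v.network, strict=False), v)
            for v in vaddrs if v.arp or v.icmp]
    matching = [(net, v) for net, v in live if addr in net]
    if not matching:
        # Assumption: with no covering vaddr there is nothing to answer for.
        return Flags(arp=False, icmp=False)
    finest = max(net.prefixlen for net, _ in matching)   # /32 before /24 before /0
    group = [v for net, v in matching if net.prefixlen == finest]
    return Flags(arp=any(v.arp for v in group), icmp=any(v.icmp for v in group))


def is_order_independent(ip: str, vaddrs: Sequence[VAddr],
                         trials: int = 20, seed: int = 1234) -> bool:
    """Check the property the fix promises: the answer must not depend on the
    order in which the vaddrs were configured/initialized."""
    rng = random.Random(seed)
    expected = effective_flags(ip, vaddrs)
    for _ in range(trials):
        shuffled = list(vaddrs)
        rng.shuffle(shuffled)
        if effective_flags(ip, shuffled) != expected:
            return False
    return True


# Constructed sample configuration (not from the page).
SAMPLE_VADDRS = [
    VAddr("10.1.1.10/32", arp=False, icmp=True),   # host vaddr, ARP off, ICMP on
    VAddr("10.1.1.20/32", arp=False, icmp=False),  # both off: considered deleted
    VAddr("10.1.1.0/24",  arp=True,  icmp=True),   # wildcard vaddr covering the subnet
    VAddr("10.1.1.30/32", arp=True,  icmp=False),  # two host vaddrs for the same IP:
    VAddr("10.1.1.30/32", arp=False, icmp=True),   #   any-enabled wins per flag
]


def demo() -> dict:
    """Resolve a few addresses against the sample configuration."""
    return {ip: effective_flags(ip, SAMPLE_VADDRS)
            for ip in ("10.1.1.10", "10.1.1.20", "10.1.1.30", "10.1.1.40", "10.1.2.5")}


if __name__ == "__main__":
    for ip, flags in demo().items():
        print(f"{ip:<10} arp={flags.arp!s:<5} icmp={flags.icmp}")
```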
Fixed Versions:
12.1.3.6, 13.1.0.8
678861-1 : DNS:: namespace commands in procs cause upgrade failure when changing from a Link Controller license to another license
Links to More Info: BT678861
Component: Global Traffic Manager (DNS)
Symptoms:
Upgrade fails with a message similar to the following.
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 01070356:3: Link Controller feature not licensed. Unexpected Error: Loading configuration process failed.
Conditions:
The system previously had a Link Controller license, and DNS:: commands are used in an iRule proc.
Impact:
Upgrade fails.
Workaround:
Remove DNS:: commands from procs before upgrade.
Or use AFM instead of iRules.
Fixed Versions:
12.1.3.2, 13.1.0.6
678851-3 : Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()
Links to More Info: BT678851
Component: Access Policy Manager
Symptoms:
Java applets that call getDocumentBase() through a reference to java.applet.AppletStub are incorrectly rewritten.
An attempt to call the incorrectly patched method causes the following exception:
java.lang.VerifyError: (...) Illegal type in constant pool
Conditions:
This occurs when using rewrite on Java applets that call getDocumentBase().
Impact:
Affected Java applets cannot be started through Portal Access.
Workaround:
None.
Fix:
Rewritten applets that call java.applet.AppletStub interface methods no longer cause a java.lang.VerifyError exception during execution.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.4
678820-1 : Potential memory leak if PEM Diameter sessions are not created successfully.
Links to More Info: BT678820
Component: Policy Enforcement Manager
Symptoms:
Memory leak resulting in reduction in available memory.
Conditions:
1. PEM configured with Gx.
2. The PCRF Gx endpoint is operationally DOWN.
3. Subscriber creation attempt.
Impact:
Loss of service.
Workaround:
There is no workaround at this time.
Fix:
Diameter context is freed in case of a failed Diameter session creation.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.4
678801-4 : WS::enabled returned empty string
Links to More Info: BT678801
Component: Local Traffic Manager
Symptoms:
WS::enabled command returned empty string instead of 0 or 1 for status.
Conditions:
-- WS::enabled command is used to query the status of WebSocket processing.
-- WebSocket and HTTP profiles are configured on the virtual server.
Impact:
Unable to determine the status of WebSocket processing using iRule commands.
Workaround:
There is no workaround at this time.
Fix:
WS::enabled now invokes the appropriate method in the WebSocket Tcl code and returns 0 or 1.
Fixed Versions:
12.1.3.6, 13.1.0.8
678524-1 : Join FF02::2 multicast group when router-advertisement is configured
Links to More Info: BT678524
Component: Local Traffic Manager
Symptoms:
MLD snooping switches may not deliver router solicitation packets to BIG-IP, which breaks BIG-IP's router advertisement functionality. MLD snooping switches may not deliver the packets because BIG-IP has not joined the FF02::2 multicast group.
Conditions:
router-advertisement configured, MLD snooping switches.
Impact:
IPv6 hosts never receive router advertisements from BIG-IP in response to their router solicitations.
Workaround:
Disable MLD snooping on switches.
Fix:
BIG-IP now joins the FF02::2 multicast group when router-advertisements are configured.
Behavior Change:
BIG-IP now joins the FF02::2 multicast group when router-advertisement is configured.
Fixed Versions:
13.1.0.4
678488-1 : BGP default-originate not announced to peers if several are peering over different VLANs
Links to More Info: K59332320 , BT678488
Component: TMOS
Symptoms:
BGP default-originate is not announced to peers if several are configured as peers over different VLANs.
Conditions:
-- default-originate is configured on four similar neighbors.
-- The neighbors are reachable over different interfaces/subnets.
Impact:
Only some of the peered neighbors get the default route.
Workaround:
Add the following to the BGP configuration:
network 0.0.0.0/0
Fix:
All peered neighbors now get the default route.
Fixed Versions:
12.1.4.1, 13.1.1.2
678427-1 : Safari 11 displays F5 EPI and F5 VPN launch confirmation dialogs twice
Links to More Info: K03138339 , BT678427
Component: Access Policy Manager
Symptoms:
Safari 11 displays confirmation dialogs to launch F5 EPI or F5 VPN app twice. Although functionality is not affected, the user experience might be confusing.
Conditions:
-- Safari 11, F5 EPI, or F5 VPN app installed.
-- Endpoint check or VPN configured in access policy.
Impact:
None. The extra dialog box does not affect system functionality.
Workaround:
None.
Fix:
Confirmation dialog is now displayed only once during VPN establishment with Safari browser.
Fixed Versions:
13.1.0.6
678388-1 : IKEv1 racoon daemon is not restarted when killed multiple times
Links to More Info: K00050055 , BT678388
Component: TMOS
Symptoms:
IPsec IKEv1 tunnels will fail and stay down indefinitely if the IKEv1 racoon daemon crashes. racoon does not get restarted by tmipsecd. This can occur if racoon has crashed more than once beforehand.
Conditions:
The IPsec IKEv1 racoon daemon crashes, or is killed manually, multiple times.
Impact:
IPsec IKEv1 tunnels cannot be established because the racoon daemon is dead. The user will receive no CLI or web UI clues to indicate that racoon is dead. Attempts to reconfigure IPsec while racoon is dead will not resolve the problem.
Workaround:
Run the following command to restart the IPsec IKEv1 racoon and tmipsecd daemons at the same time:
tmsh restart sys service tmipsecd
Fix:
Fixed tmipsecd so it correctly tracks whether the IKEv1 racoon daemon is still running or needs a restart. This also covers odd timing, such as killing racoon right after it starts.
Fixed Versions:
12.1.3.6, 13.1.1.2
678380-2 : Deleting an IKEv1 peer in current use could SEGV on race conditions.
Links to More Info: K26023811 , BT678380
Component: TMOS
Symptoms:
When either deleting a peer in IKEv1 or updating it, this problem causes the v1 racoon daemon to crash with a SIGSEGV under some race conditions, intermittently.
Conditions:
This requires a peer using IKEv1, which gets updated or deleted while the IKEv1 racoon daemon is performing operations related to this peer.
Impact:
If the problem occurs, the IKEv1 racoon daemon restarts and interrupts IPsec traffic.
Workaround:
None.
Fix:
The system now checks whether the old peer definition is valid when navigating from phase-one SAs to the IKEv1 peer definition.
Fixed Versions:
12.1.3.7, 13.1.1.4
678293-2 : Uncleaned policy history files cause /var disk exhaustion
Links to More Info: K25066531 , BT678293
Component: Application Security Manager
Symptoms:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions, which might cause /var disk exhaustion.
Conditions:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions.
Two possible causes might explain what caused the history files to be copied:
-- The device was synchronized from itself.
-- There was a UCS loaded on the device.
Impact:
/var disk usage is high.
Workaround:
Use the following one-liner to find unreferenced policy history files that can be deleted:
----------------------------------------------------------------------
perl -MData::Dumper -MF5::DbUtils -MFile::Find -e '$dbh = F5::DbUtils::get_dbh(); $sql = ($dbh->selectrow_array(q{show tables in PLC like ?}, undef, q{PL_POLICY_VERSIONS})) ? q{select policy_version, policy_id from PLC.PL_POLICY_VERSIONS} : q{select revision, policy_id from PLC.PL_POLICY_HISTORY}; %known_history_files = map { (qq{$_->[1]/$_->[0].plc} => 1) } @{$dbh->selectall_arrayref($sql)}; find({ wanted => sub { return unless -f $_; if ($_ =~ m|/policy_versions/(.*)$| && ! $known_history_files{$1}) { print qq{$_\n} } }, no_chdir => 1, }, q{/ts/dms/policy/policy_versions});'
----------------------------------------------------------------------
Manually verify the file list output. If it looks correct, you can delete the files by piping the output into 'xargs rm'.
In addition, you can delete the following file: /var/ts/var/install/recovery_db/conf.tar.gz.
Fixed Versions:
12.1.3.2, 13.1.0.4
678254-1 : Error logged when restarting Tomcat
Links to More Info: BT678254
Component: TMOS
Symptoms:
An error is logged after restarting Tomcat and using the web UI.
Conditions:
Using the web UI to restart tomcat.
Impact:
An error is logged after restarting Tomcat and using the web UI.
Workaround:
There is no workaround.
Fix:
When restarting Tomcat and using the web UI, an error is now logged only if the debug flag is enabled.
Fixed Versions:
12.1.3.7, 13.1.0.8
677958-4 : WS::frame prepend and WS::frame append do not insert string in the right place.
Links to More Info: BT677958
Component: Local Traffic Manager
Symptoms:
When WS::frame prepend and WS::frame append are used together in the same event, the strings are not inserted in the right place.
Conditions:
-- Both WS::frame prepend and WS::frame append commands are present in the same iRule event.
-- WebSocket and HTTP profile are configured on the virtual.
-- Client/server send and receive WebSocket frames.
Impact:
The user-supplied string is not inserted in the right place when sent to the end-point.
Workaround:
None.
Fix:
Separate buffers are now used for append and prepend, instead of reusing the same buffer.
Fixed Versions:
12.1.3.6, 13.1.0.8
677937-3 : APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
Links to More Info: K41517253 , BT677937
Component: TMOS
Symptoms:
APM client cannot connect to server when the APM tunnel is encapsulated in an IPsec tunnel.
Conditions:
This requires a relatively complicated network setup of configuring an APM tunnel over an IPsec tunnel (and iSession is in use).
Impact:
No connectivity between the client and the server.
Workaround:
Do not encapsulate APM tunnel in an IPsec tunnel. (The APM tunnel has its own TLS.)
Fix:
APM tunnel and IPsec over IPsec tunnel now correctly accepts isession-SYN connect packets.
Fixed Versions:
12.1.3.4, 13.1.1.4
677919-4 : Enhanced Data Manipulation AJAX Support
Links to More Info: BT677919
Component: Fraud Protection Services
Symptoms:
Need enhanced data manipulation detection to protect against modifying parameters in real-time (malware script in the browser) that are sent by JSON.
Conditions:
There is a malware script in the browser performing real-time modification of parameters that are sent by JSON.
Impact:
End-users already under attack could send manipulated JSON data to backend servers.
Workaround:
None.
Fix:
The Enhanced Data Manipulation Check has been improved so that it can now detect JSON data manipulation in the browser.
Fixed Versions:
13.1.0.3
677666-2 : /var/tmstat/blades/scripts segment grows in size.
Links to More Info: BT677666
Component: Local Traffic Manager
Symptoms:
Over time the /var/tmstat/blades/scripts file size grows. This can eventually lead to the system no longer providing up-to-date statistics.
Conditions:
-- Using istats.
-- Deleting configurations.
-- Using ASM.
Impact:
Virtual size of merged process grows linearly with /var/tmstat/blades/scripts segment. This could lead to out-of-memory condition as well as out-of-date statistics.
Workaround:
No known workarounds.
Fix:
Condition corrected.
Fixed Versions:
13.0.1, 13.1.0.4
677525-2 : Translucent VLAN group may use unexpected source MAC address
Links to More Info: BT677525
Component: Local Traffic Manager
Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally unique bit flipped in the source MAC address.
Conditions:
VLAN group in translucent mode.
Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.
Workaround:
No workaround at this time.
Fix:
A translucent VLAN group no longer sends neighbor discovery packets whose source MAC has the locally unique bit flipped.
Fixed Versions:
11.5.6, 11.6.3.2, 12.1.3.6, 13.1.0.6
677494-1 : Flow filter with Periodic content insertion action could leak insert content record
Links to More Info: BT677494
Component: Policy Enforcement Manager
Symptoms:
A subscriber using a flow filter with periodic insert content could create multiple records for the same insert content action.
Conditions:
Two flows belonging to the same subscriber alternately match two different rules of the same policy, and meanwhile the policy rule action is updated.
Impact:
More than one record being created for the same insert content action.
Workaround:
There is no workaround at this time.
Fix:
The insert content array is now updated as soon as the pemdb record is updated.
Fixed Versions:
13.1.0.6
677485-1 : Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error
Links to More Info: BT677485
Component: TMOS
Symptoms:
After initially configuring a DSC cluster, iControl-REST on BIG-IP systems might fail to decrypt the secure values due to a stale BIG-IP master key in its cache, and returns the secure values encrypted by the BIG-IP master key. BIG-IQ is unable to decrypt these secure values and fails to discover the BIG-IP system.
Conditions:
-- DSC cluster.
-- iControl REST.
-- BIG-IP system with stale BIG-IP master key in its cache.
-- BIG-IQ attempts to decrypt the secure values.
Impact:
Discovery fails due to secure value decryption error.
Workaround:
Restart iControl-REST server on the BIG-IP system.
On BIG-IP v12.0.0 and later:
-- In TMSH, run the following command:
restart sys service restjavad
-- On the console, run the following command:
bigstart restart restjavad
On BIG-IP v11.x.x:
-- In TMSH, run the following command:
restart sys service icrd
-- On the console, run the following command:
bigstart restart icrd
Fix:
The system now enforces obtaining the BIG-IP master key if the first decryption fails to proceed properly.
Fixed Versions:
13.1.1.2
677473-3 : MCPD core is generated on multiple add/remove of Mgmt-Rules
Links to More Info: BT677473
Component: Advanced Firewall Manager
Symptoms:
MCP crashes with core. MCP automatically restarts causing other dependent daemons, including tmm, to restart. Corresponding messages (restarting mcp, restarting tmm, and so on) are broadcast in all command line connections (terminals). Core files are written into /shared/core directory. The BIG-IP system might become unusable while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped until all daemons restart.
Conditions:
-- AFM is licensed and provisioned.
-- There are firewall policies/rules defined in configuration.
-- Remove firewall rules/policies, especially rules attached to management-IP (might have to repeat this).
Impact:
The BIG-IP system might become unusable for a few minutes while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped. Traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
MCP no longer crashes, and other dependent daemons no longer restart. The BIG-IP system remains operational in both control-plane (tmsh/GUI) and data traffic processing.
Fixed Versions:
12.1.3.6, 13.1.0.8
677368-2 : Websso crash due to uninitialized member in websso context object while processing a log message
Links to More Info: BT677368
Component: Access Policy Manager
Symptoms:
Websso crashes occasionally on processing a log message on TMEVT_CLOSE event. This happens when a TMEVT_CLOSE event is received without receiving a request.
Conditions:
TMEVT_CLOSE event is received without receiving a request.
Impact:
Websso process crash.
Workaround:
None.
Fix:
A rare condition that caused the websso module to core is fixed by removing the webssocontext object from the logging function.
Fixed Versions:
13.0.1, 13.1.0.4
677148-1 : Periodic content insertion creates duplicate records if same policy is added to Global high and subscriber specific
Links to More Info: BT677148
Component: Policy Enforcement Manager
Symptoms:
If the same PEM policy with insert content is added to both Global High and subscriber-specific, insert content could add duplicate records. As a result, if the periodic content tag is absent, the periodic content insertion is not scheduled immediately, but is added only after the current interval expires.
Conditions:
The same PEM policy with insert content is added to both Global High and subscriber-specific.
Impact:
If the periodic content tag is absent, the periodic content insertion is not scheduled immediately.
Workaround:
This is a misconfiguration: a PEM policy should be included either in Global High or subscriber-specific, not both.
Fix:
The already created record is re-used when the same policy is attached to both Global High and subscriber-specific.
Fixed Versions:
13.1.0.6
676990-2 : No way to enable SNAT of host traffic
Links to More Info: BT676990
Component: Local Traffic Manager
Symptoms:
IPv6 traffic generated from the host, either from a host daemon, monitors, or from the command line, may use a MAC and IPv6 source address from a different VLAN.
Conditions:
- Multiple VLANs with IPv6 configured addresses.
- Multiple routes to the same destination, either the same or more specific, default routes, etc., that cover the traffic destination.
- Changes in routes that cause the traffic to the destination to shift from one VLAN and gateway to another. This can be typically observed with dynamic routing updates.
Impact:
Traffic to the destination may fail due to using incorrect source IPv6/MAC address, which might cause monitor traffic to fail. There is no way to enable SNAT of host traffic, so no way to control this behavior.
Workaround:
Continuous traffic to the IPv6 link-local nexthops can avoid this issue.
This may be achieved by a script or an external monitor pinging the nexthop link-local address using the specific VLAN.
Fix:
There is now a sys db variable, snat.hosttraffic, that controls this behavior by enabling SNAT of host traffic. When snat.hosttraffic is enabled, TMM picks the correct source IP and uses its own rt_entry, which can be different from the host's.
Fixed Versions:
13.1.3.2
676897-3 : IPsec keeps failing to reconnect
Links to More Info: K25082113 , BT676897
Component: TMOS
Symptoms:
When an IPsec Security Association (SA) no longer exists on the remote IPsec peer, the BIG-IP system might receive an INVALID-SPI notification but not delete its own copy of the SA. The IPsec tunnel might not be renegotiated until the stale SAs on the BIG-IP system are removed manually or age out.
Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.
Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.
Workaround:
Manually delete the SA.
Fix:
This release corrects this issue.
Fixed Versions:
12.1.3.6, 13.1.1.4
676709-3 : Diameter virtual server has different behavior of connection-prime when persistence is on/off
Links to More Info: K37604585 , BT676709
Component: Service Provider
Symptoms:
When using an Diameter MBLB profile with per-AVP persistence enabled and connection priming enabled, not all pool members may have a connection established as part of priming.
Conditions:
-- Diameter MBLB profile.
-- Per-AVP persistence enabled.
-- Connection priming enabled.
Impact:
It is possible that not all pool members will have a connection established as part of priming.
Workaround:
None.
Fix:
Connection priming now works as expected on a Diameter MBLB profile with per-AVP persistence enabled.
Fixed Versions:
11.6.5.2, 13.1.3.4
676557-1 : Binary data marshalled to TCL may be converted to UTF8
Links to More Info: BT676557
Component: Local Traffic Manager
Symptoms:
Binary data marshalled out of some iRule commands may be mistakenly converted to UTF8.
Conditions:
Certain iRule commands (not individually enumerated) return raw binary data instead of strings. Their output may be incorrectly converted to UTF8, which corrupts the binary data.
Impact:
Data corruption in some iRule commands
Workaround:
None.
Fix:
Binary output from certain iRule commands will not be corrupted into UTF8 strings.
Fixed Versions:
13.1.3.2
676416-4 : BD restart when switching FTP profiles
Links to More Info: BT676416
Component: Application Security Manager
Symptoms:
Switching a Virtual Server from an FTP profile with Protocol Security enabled to an FTP profile with Protocol Security disabled, causes the BIG-IP system to go offline, generates errors in the bd log, and causes BD to restart.
Conditions:
-- Running FTP traffic with FTP profile with Protocol Security enabled.
-- On FTP service, change to FTP profile with Protocol Security disabled.
Impact:
BD restart, traffic disrupted, and failover in high availability (HA) configuration.
Workaround:
There is no workaround at this time.
Fix:
This version provides an improved mechanism for switching FTP profiles, so that now there is no BD restart.
Fixed Versions:
11.6.3.2, 12.1.3.2, 13.1.1.4
676346-2 : PEM displays incorrect policy action counters when the gate status is disabled.
Links to More Info: BT676346
Component: Policy Enforcement Manager
Symptoms:
Action counters are incorrect.
Conditions:
PEM policy actions enabled with gate status of disabled.
Impact:
May provide an inconsistent view of PEM actions.
Workaround:
There is no workaround.
Fix:
Counters are managed correctly regardless of the gate status.
Fixed Versions:
13.1.0.6, 14.0.0.3
676223-4 : Internal parameter in order not to sign allowed cookies
Links to More Info: BT676223
Component: Application Security Manager
Symptoms:
ASM TS cookies may get big (up to 4k).
Conditions:
policy building is turned on (manual or automatic). There are allowed cookies.
Impact:
Large TS cookies add overhead to every request sent to the web site.
Workaround:
N/A
Fix:
An internal parameter has been added that stops ASM from signing allowed cookies.
Fixed Versions:
12.1.3.7, 13.1.1.4
676203-3 : Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.
Links to More Info: BT676203
Component: TMOS
Symptoms:
TMM memory usage suddenly increases rapidly.
Conditions:
The inter-blade mpi connection fails and does not recover.
Impact:
Inter-blade mpi requests do not complete and the system eventually exhausts memory.
Workaround:
None.
Fix:
Inter-blade mpi connection now continues as expected, without memory issues.
Fixed Versions:
12.1.3.2, 13.1.0.8
676092-3 : IPsec keeps failing to reconnect
Links to More Info: BT676092
Component: TMOS
Symptoms:
When an IPsec Security Association (SA) no longer exists on the remote IPsec peer, the BIG-IP system might receive an INVALID-SPI notification but not delete its own copy of the SA. The IPsec tunnel might not be renegotiated until the stale SAs on the BIG-IP system are removed manually or age out.
Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.
Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.
Workaround:
Manually delete the SA.
Fix:
The system now correctly handles these conditions so the issue no longer occurs.
Fixed Versions:
12.1.3.6, 13.1.1.4
675921-2 : Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running
Links to More Info: BT675921
Component: TMOS
Symptoms:
Creating 'ssl-mode dedicated' guests on the BIG-IP i5800, the 5th guest and beyond get an error, however they do become deployed with Status of 'running'.
Conditions:
-- Creating 5 (or more) 'ssl-mode dedicated' vCMP guests.
-- Running on the BIG-IP i5800 platform.
Impact:
5th guest and beyond result in an error.
Workaround:
There is no workaround other than not creating more than 4 'ssl-mode dedicated' vCMP guests when provisioning vCMP guests on the i5800 platform.
Fix:
The system now limits the maximum number of 'ssl-mode dedicated' vCMP guests to the number that the BIG-IP i5800 can physically support.
Fixed Versions:
12.1.3.1, 13.1.1
675866-4 : WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
Links to More Info: BT675866
Component: Access Policy Manager
Symptoms:
Kerberos rejects tickets with 2 minutes left in their ticket lifetime. This causes tickets to be rejected by KDC, causing APM to disable SSO.
Conditions:
This occurs with Kerberos-protected resources using Windows Server 2012-based DC due to issue described in the Microsoft KB: Kerberos authentication fails when the computer tries to request a service ticket from a Windows Server 2012-based DC, https://support.microsoft.com/en-us/help/2877460/kerberos-authentication-fails-when-the-computer-tries-to-request-a-ser.
Impact:
Cannot access the Kerberos-protected resources.
Workaround:
None.
Fix:
Kerberos SSO (S4U) tickets are not used when the remaining lifetime is less than 5 minutes. Existing tickets with more than half the configured lifetime or at least 1 hour of lifetime remaining are used. If there are no such tickets, then new tickets are acquired and used.
Fixed Versions:
11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4
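The fix text above is a small selection rule over cached tickets. As an added illustration (not APM's implementation), the Python below encodes that rule with constructed tickets: the five-minute floor, the "more than half the configured lifetime or at least one hour left" test for reuse, and acquisition of a new ticket when nothing in the cache qualifies. The Ticket class, its epoch-second fields, and the acquire callback that stands in for the KDC round trip are assumptions made for the example.

```python
"""Ticket-reuse rule for Kerberos S4U SSO tickets (added example, not APM code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

MIN_USABLE_SECONDS = 5 * 60   # below this the DC in the entry already rejects the ticket
ONE_HOUR = 60 * 60


@dataclass(frozen=True)
class Ticket:
    """Assumed shape of a cached service ticket (epoch-second timestamps)."""
    principal: str
    issued_at: int
    expires_at: int


def is_reusable(ticket: Ticket, now: int, configured_lifetime: int) -> bool:
    """Apply the rule from the fix text to one cached ticket.

    A ticket with under five minutes left is never reused. Otherwise it is
    reused only if it still has more than half the configured lifetime, or
    at least one hour, remaining.
    """
    left = ticket.expires_at - now
    if left < MIN_USABLE_SECONDS:
        return False
    return left > configured_lifetime / 2 or left >= ONE_HOUR


def select_ticket(cache: list[Ticket], principal: str, now: int,
                  configured_lifetime: int,
                  acquire: Callable[[str, int], Ticket]) -> tuple[Ticket, bool]:
    """Return (ticket, freshly_acquired) for `principal`.

    Reuses the cached ticket with the most remaining lifetime when one passes
    is_reusable(). Otherwise every cached ticket for that principal is dropped
    (none of them qualified, so retrying them later only repeats the failure),
    `acquire` (assumed to talk to the KDC) is called, and its result is cached.
    """
    candidates = [t for t in cache if t.principal == principal]
    usable = [t for t in candidates if is_reusable(t, now, configured_lifetime)]
    if usable:
        return max(usable, key=lambda t: t.expires_at), False
    for stale in candidates:
        cache.remove(stale)
    fresh = acquire(principal, now)
    cache.append(fresh)
    return fresh, True


if __name__ == "__main__":
    # Constructed sample: one cached ticket with two minutes left, 10h lifetime.
    now = 1_700_000_000
    lifetime = 10 * 3600
    cache = [Ticket("HTTP/app.example.test", now - lifetime + 120, now + 120)]
    ticket, fresh = select_ticket(cache, "HTTP/app.example.test", now, lifetime,
                                  lambda p, n: Ticket(p, n, n + lifetime))
    print("acquired new ticket" if fresh else "reused cached ticket", ticket)
```

The floor matters on its own: with a very short configured lifetime, a ticket can pass the half-lifetime test and still be inside the window the DC rejects, so the five-minute check runs first.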
675775-4 : TMM crashes inside dynamic ACL building session db callback
Links to More Info: BT675775
Component: Access Policy Manager
Symptoms:
Race condition between PPP tunnel close and Session expired happening on different TMM almost at the same time may cause TMM restart in dynamic ACL building session db callback.
Conditions:
Race condition between PPP tunnel close and Session expired happening on different TMM almost at the same time.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Guard against NULL pointer dereference for dynamic ACL build.
Fixed Versions:
12.1.3.4, 13.1.0.6
675673-1 : Policy history files should be limited by settings in a configuration file.
Links to More Info: BT675673
Component: Application Security Manager
Symptoms:
The /var directory is filling up with many policy history files.
Conditions:
This can occur during normal ASM operation under high load.
Impact:
/var out of space.
Workaround:
Increase the size of /var disk partition.
Alternatively, older files under /ts/dms/policy/policy_versions can be manually deleted (or offloaded to another device/storage).
Note: When deleting older files, make sure that the most recent versions for each policy are preserved.
Fix:
Automatic cleanup of history files has been added, governed by the configured maxSizeOfSavedVersions and minRetainedFilesInDir settings.
Fixed Versions:
13.1.3
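The two ASM entries above (678293, the orphaned history files found by the Perl one-liner, and 675673, the size and count limits the fix enforces) describe the same decision: which files under /ts/dms/policy/policy_versions can go. The following Python is an added example, not F5 code, that makes that decision as a dry run. It assumes the '<policy_id>/<version>.plc' layout the one-liner builds its lookup key from, takes the (policy_id, version) pairs from the PLC database as an input instead of querying it, and treats maxSizeOfSavedVersions as a per-policy byte budget and minRetainedFilesInDir as a per-policy floor on the newest versions kept; those semantics are assumptions. It never selects a policy's newest version (the Note above) and leaves anything it cannot parse alone, which are the checks to have in place before piping a list into 'xargs rm'. The listing in __main__ is constructed.

```python
"""Dry-run audit of ASM policy history files (added example, not F5 code)."""
from __future__ import annotations

import os
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class CleanupPlan:
    orphans: list[str] = field(default_factory=list)   # no PLC row references them
    prunable: list[str] = field(default_factory=list)  # referenced, but over the retention limits
    skipped: list[str] = field(default_factory=list)   # unparseable names: never touched


def parse_relpath(relpath: str) -> tuple[str, int] | None:
    """Split '<policy_id>/<version>.plc' into (policy_id, version).

    This is the layout the Perl one-liner keys its lookup on. Anything else
    returns None so an unexpected name can never turn into a deletion.
    """
    head, sep, tail = relpath.partition("/")
    if not sep or "/" in tail or not tail.endswith(".plc"):
        return None
    stem = tail[: -len(".plc")]
    if not head or not stem.isdigit():
        return None
    return head, int(stem)


def scan(root: str) -> dict[str, int]:
    """Read-only walk of a policy_versions tree: relative path -> size in bytes."""
    out: dict[str, int] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = os.path.getsize(full)
    return out


def plan_cleanup(files: dict[str, int], known: set[tuple[str, int]],
                 min_retained: int, max_size: int) -> CleanupPlan:
    """Decide what could be deleted without touching anything on disk.

    files         relative path under policy_versions -> size in bytes
    known         (policy_id, version) pairs present in the PLC database
    min_retained  newest versions per policy that are always kept
                  (assumed meaning of minRetainedFilesInDir)
    max_size      byte budget per policy directory
                  (assumed meaning of maxSizeOfSavedVersions)
    """
    plan = CleanupPlan()
    min_retained = max(1, min_retained)          # never drop a policy's newest version
    per_policy: dict[str, list[tuple[int, str, int]]] = defaultdict(list)
    for relpath, size in sorted(files.items()):
        parsed = parse_relpath(relpath)
        if parsed is None:
            plan.skipped.append(relpath)
        elif parsed not in known:
            plan.orphans.append(relpath)          # same test the Perl one-liner applies
        else:
            per_policy[parsed[0]].append((parsed[1], relpath, size))
    for entries in per_policy.values():
        entries.sort(reverse=True)                # newest version first
        total = sum(size for _, _, size in entries)
        # Release the oldest versions first, but never the min_retained newest.
        for _, relpath, size in reversed(entries[min_retained:]):
            if total <= max_size:
                break
            plan.prunable.append(relpath)
            total -= size
    return plan


if __name__ == "__main__":
    # Constructed listing: policy 100 has four known versions, policy 200 was deleted.
    sample = {"100/1.plc": 10, "100/2.plc": 10, "100/3.plc": 10, "100/4.plc": 10,
              "100/README": 1, "200/7.plc": 5}
    db_rows = {("100", 1), ("100", 2), ("100", 3), ("100", 4)}
    print(plan_cleanup(sample, db_rows, min_retained=2, max_size=25))
```

On a real system, build the mapping with scan('/ts/dms/policy/policy_versions') and the known set from the same PLC query the one-liner runs, then review plan.orphans and plan.prunable before deleting anything; prunable entries come out oldest version first, so an interrupted cleanup still leaves the newest files in place.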
675367-2 : The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication
Links to More Info: K95393925 , BT675367
Component: Local Traffic Manager
Symptoms:
The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication.
Conditions:
An IMAP or POP3 monitor is configured and the server advertises GSSAPI as an available authentication mechanism.
Impact:
The monitor fails and marks the server down, even when it might be available.
Workaround:
If possible, use one of the following workarounds:
-- Turn off GSSAPI authentication on the mail server.
-- Use an alternate monitor type.
Fixed Versions:
13.1.3
675232-6 : Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
Links to More Info: BT675232
Component: Application Security Manager
Symptoms:
Errors encountered -
In TMSH CLI transaction:
----------------
transaction failed: 01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------
In iApp template implementation:
----------------
script did not successfully complete: (01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------
Conditions:
In an iApp template implementation or TMSH CLI transaction, create a new ASM policy and then try to modify its active state.
Impact:
The policy is created but the modify action cannot find the policy.
Workaround:
iApps are built to work with ASM Policy Templates.
A new ASM Policy Template can be created from the desired ASM Policy.
That can be done via the GUI and, starting from v13.0, via REST as well.
Then, the newly created ASM Policy Template can be referenced in the iApp template implementation or TMSH CLI transaction as follows:
-----------------
tmsh::create asm policy <some_policy> active policy-template NEWLY_CREATED_POLICY_TEMPLATE
-----------------
Fix:
iApp template implementation and TMSH CLI transaction can now modify a newly created ASM policy.
Fixed Versions:
11.6.3.2, 12.1.3.2, 13.1.0.8
674795-2 : tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds, when it should be hours.
Links to More Info: BT674795
Component: Traffic Classification Engine
Symptoms:
tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds. In fact, it is in hours.
Conditions:
-- Viewing tmsh help/man page.
-- Searching for urldb feedlist polling interval.
Impact:
Note that the interval described is in hours instead of seconds.
Workaround:
None.
Fix:
tmsh help/man page now correctly states that the urldb feedlist polling interval is in hours.
Fixed Versions:
12.1.5.3, 13.1.3.2
674747-4 : sipdb cannot delete custom bidirectional persistence entries.
Links to More Info: K30837366 , BT674747
Component: Service Provider
Symptoms:
Custom bidirectional SIP persistence entries cannot be deleted using the sipdb tool.
Conditions:
Rules and SIP messages created custom bidirectional SIP persistence entries.
Impact:
Custom bidirectional SIP persistence entries exist and can be viewed with the sipdb utility. They cannot be deleted, however.
Workaround:
None.
Fix:
The sipdb tool now supports deletion of bidirectional SIP persistence entries.
Fixed Versions:
11.6.3, 12.1.3.6, 13.1.0.4
674591-3 : Packets with payload smaller than MSS are being marked to be TSOed
Links to More Info: K37975308 , BT674591
Component: Local Traffic Manager
Symptoms:
Packets with length less than the specified MSS are sent as TSO packets, and the Broadcom NIC drops them, degrading performance.
Conditions:
When TM.TcpSegmentationOffload is enabled, packets with length less than the MSS are sent as TSO packets.
Impact:
TCP Packets are dropped.
Workaround:
Disable TSO option by setting the following SYS DB variable to disable: TM.TcpSegmentationOffload.
Fix:
Packets less than MSS are not sent as TSO packets, so there is no performance degradation.
Fixed Versions:
11.6.5.2, 12.1.4, 13.1.1.4
674576-3 : Outage may occur with VIP-VIP configurations
Links to More Info: BT674576
Component: Local Traffic Manager
Symptoms:
In some VIP-VIP configurations, TMM may produce a core with a 'no trailing data' assert.
Conditions:
VIP-VIP configuration.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround at this time.
Fix:
TMM no longer produces a core with a 'no trailing data' assert.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.4
674494-4 : BD memory leak on specific configuration and specific traffic
Links to More Info: K77993010 , BT674494
Component: Application Security Manager
Symptoms:
RSS memory of the bd grows.
Conditions:
-- Remote logger is configured.
-- IP has ignore logging configured.
-- Traffic is coming from the ignored logging IP.
Impact:
Potential memory exhaustion. The kernel might run out of memory and may kill bd, causing traffic disruption.
Workaround:
None.
Fix:
The remote logger data is now freed when the system decides not to log remotely.
Fixed Versions:
12.1.3.2, 13.1.0.2
674455-5 : Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS
Links to More Info: BT674455
Component: TMOS
Symptoms:
When booted into the Maintenance OS image from the grub boot menu, running tmidiag -r drops the serial console from the grub kernel line, which causes a loss of communication on the serial console after rebooting.
Conditions:
-- Booted into Maintenance OS.
-- Running the command: tmidiag -r
Impact:
Serial console baud rate settings are incorrect. Uses the bios baud rate on the console.
Workaround:
When booting, edit the grub kernel line to include console=ttyS0.
Note: The value is "tty", an uppercase "S" character, and zero, so ttyS0.
Fix:
tmidiag has been fixed to not strip out console=ttyS0.
Fixed Versions:
12.1.3.5, 13.1.0.8
674256-2 : False positive cookie hijacking violation
Links to More Info: K60745057 , BT674256
Component: Application Security Manager
Symptoms:
A false positive cookie hijacking violation.
Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with a higher domain level than the configured one.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.
Impact:
False positive violation / blocking.
Workaround:
When the Device ID feature is turned off, the cookie hijacking violation is almost never relevant, because it can only detect cases where some of the TS cookies were taken. The suggestion is to turn off this violation.
Fixed Versions:
13.1.0.8, 13.1.1.4, 14.0.0
674145-1 : chmand error log message missing data
Links to More Info: BT674145
Component: TMOS
Symptoms:
When there is an error with communication between chmand and lopd, a message is logged giving information about the problem. That message is missing data useful to F5 for determining the cause of the communications error.
Messages similar to:
Jul 11 11:10:19 localhost warning chmand[7815]: 012a0004:4: getLopReg: lop response data does not match request, u16DataLen=0xb expected=0xb, u8Length=0x8 expected=0x, u8Page=0x28 expected=0x$, u8Register=0x50 expected=0xP
The expected data values are missing in this message, making it more difficult for F5 engineers to determine what caused the original communications problem.
Conditions:
This issue only occurs when there is some problem with the communication channel between chmand and lopd.
Impact:
Added difficulty for F5 to determine what problem caused the error message to be logged.
Fix:
The expected data values are properly printed in the log message.
Fixed Versions:
11.5.9, 11.6.3.3, 12.1.4, 13.1.1.4
673996-2 : Unable to set 'media-fixed' on management port on BIG-IP i15000 platforms
Links to More Info: BT673996
Component: TMOS
Symptoms:
Changing 'media-fixed' on management port on BIG-IP i15000 platforms using tmsh command 'tmsh modify net interface mgmt media-fixed <speed>' does not take effect.
Conditions:
-- Connecting two BIG-IP i15000 units via management port.
-- Changing the 'media-fixed' value.
Impact:
Changing the 'media-fixed' value does not work.
Workaround:
Pull the management cable out and plug it back in to get the link up at the respective speeds.
Fix:
Users can now change the 'media-fixed' value using tmsh commands.
Fixed Versions:
13.1.1, 14.0.0
673832-1 : Performance impact for certain platforms after upgrading to 13.1.0.
Links to More Info: BT673832
Component: Performance
Symptoms:
Performance impact for certain platforms after upgrading to 13.1.0.
Conditions:
The following platforms, with Fast HTTP/OneConnect/Full Proxy configured.
-- i2800
-- i4800
-- i5800
-- i7800
-- i10800
-- i11800
-- B2250
-- B4450
Impact:
The performance impacts occur on the following platforms under the associated conditions:
-- i2800 2%-3% Full Proxy traffic.
-- i4800 2%-3% Full Proxy traffic.
-- i5800 3%-8% Fast HTTP/Full Proxy traffic.
-- i7800 3%-7% Fast HTTP/Full Proxy traffic.
-- i10800 3%-7% Fast HTTP/Full Proxy traffic.
-- i11800 2%-3% Fast HTTP traffic.
-- B2250 3%-6% OneConnect/Full Proxy traffic.
-- B4450 4%-10% Fast HTTP/OneConnect/Full Proxy traffic.
Workaround:
None.
Fix:
Performance impact for certain platforms has been eliminated.
Fixed Versions:
13.1.0.1, 14.0.0
673748-2 : ng_export, ng_import might leave security.configpassword in invalid state
Links to More Info: K19534801 , BT673748
Component: Access Policy Manager
Symptoms:
If import or export of an Access Profile or Access Policy results in an error, security.configpassword may retain a temporary value instead of being reset to <null>, which can cause problems when the config is saved or loaded using the tmsh 'save sys config' or 'load sys config' commands.
Conditions:
Import or export of Access Profile or Access Policy fails with an error.
Impact:
Passwords in .conf might get mangled.
Workaround:
Set the security.configpassword db variable using the following command:
modify sys db security.configpassword value "<null>"
Fix:
Error handling for access policy import failures has been improved.
Fixed Versions:
12.1.3.2, 13.1.4.1
673717-3 : VPE loading times can be very long
Links to More Info: BT673717
Component: Access Policy Manager
Symptoms:
When a configuration contains 2000-3000 Access Policy objects, the Visual Policy Editor (VPE) loading operations can take tens of seconds to load.
Conditions:
-- Access Policy configured with 2000-3000 Access Policy objects.
-- Open in VPE.
Impact:
Policies with thousands of entries can take tens of seconds or more to load.
Workaround:
None.
Fix:
Configuration load has been optimized, so VPE loading time is significantly shorter for these types of configurations.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.6
673664-1 : TMM crashes when sys db Crypto.HwAcceleration is disabled.
Links to More Info: BT673664
Component: Local Traffic Manager
Symptoms:
TMM crashes when sys db Crypto.HwAcceleration is disabled.
Conditions:
This occurs when sys db Crypto.HwAcceleration is disabled.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
Enable crypto hardware acceleration using the following command:
tmsh modify sys db crypto.hwacceleration value enable
Fixed Versions:
13.1.1.2
673607-9 : Apache CVE-2017-3169
Links to More Info: K83043359
673595-9 : Apache CVE-2017-3167
Links to More Info: K34125394
673522-1 : RST when using Bot Defense profile and surfing to a long URL on related domain
Links to More Info: BT673522
Component: Application Security Manager
Symptoms:
When surfing to a long URL in a related domain with the 'Cross Domain Requests: Validate Upon Request' option set in the Bot Defense profile, the connection aborts.
Conditions:
-- Bot Defense Profile is attached to virtual server with 'Cross Domain Requests' option configured to 'Validate Upon Request'.
-- Surfing to a non-HTML, long URL in a related domain.
Impact:
Connection Aborts.
Workaround:
Use another option of 'Cross Domain Requests': 'Validate in a Bulk' or 'Allow All'.
Fix:
Fixed an issue with connection resets when using a bot defense profile.
Fixed Versions:
13.1.3.4
673399-3 : HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.
Links to More Info: BT673399
Component: Local Traffic Manager
Symptoms:
The client sends a GET request with switching protocols and the server responds with a 401. Subsequent GET request from client is dropped.
Conditions:
HTTP and Websocket profiles are attached to the virtual server. The client sends a GET request with switching protocols indicating upgrade to Websockets, and the server responds with a 401. Subsequent GET request from client is dropped.
Impact:
Connection is reset.
Workaround:
Disable Websockets profile on the virtual server.
Fix:
We now check whether the Websockets filter is on the virtual server before attempting an insert.
Fixed Versions:
12.1.3.4, 13.1.0.8
673272-5 : Search by "Signature ID is" does not return results for some signature IDs
Links to More Info: BT673272
Component: Application Security Manager
Symptoms:
Search by "Signature ID is" does not return results for some signature IDs.
Conditions:
Request associated with signature that was previously enforced and is now in staging after the attack signature update.
Impact:
You are unable to filter requests by some signature IDs.
Fix:
Fixed an issue with searching by signature ID.
Fixed Versions:
13.1.4, 14.1.4.2, 15.1.4, 16.0.1.2
672963-4 : MSSQL monitor fails against databases using non-native charset
Links to More Info: BT672963
Component: Local Traffic Manager
Symptoms:
MSSQL monitor fails against databases using a non-native charset.
Conditions:
MSSQL monitor configured to monitor a database that is using non-native charset (ISO-8859-1).
Impact:
MSSQL monitoring always marks node / member down.
Workaround:
On BIG-IP v13.x and v14.0.x, you can work around this issue using the following steps:
1. Log in to the BIG-IP console and open a bash prompt.
2. Run the following command:
mount -o remount,rw /usr; ln -s /usr/java-64/openjdk/lib/charsets.jar /usr/java/openjdk/lib/charsets.jar; mount -o remount,ro /usr
3. Restart bigd:
bigstart restart bigd
Fix:
MSSQL monitor can be used effectively against a database using a non-native charset.
Fixed Versions:
13.1.5
672514-1 : Local Traffic/Virtual Server/Security page crashed
Links to More Info: BT672514
Component: Advanced Firewall Manager
Symptoms:
Local Traffic/Virtual Server/Security page crashes when AFM policy with 20k rules is attached to a virtual.
Conditions:
1. AFM provisioned.
2. AFM policy attached to Virtual with 20k rules with UUID.
3. Traffic hitting Virtual.
Impact:
Unable to manage the AFM policy using the management utility.
Workaround:
Use tmsh to attach AFM policy and other security items
Fix:
The issue is fixed. Policy Rules are displayed on Virtual security page only for Management context.
Fixed Versions:
13.1.1.2
672504-2 : Deleting zones from large databases can take excessive amounts of time.
Links to More Info: K52325625 , BT672504
Component: Global Traffic Manager (DNS)
Symptoms:
When deleting a zone or large number of Resource Records, zxfrd can reach 100% CPU for large amounts of time.
Conditions:
With a significantly sized database, deletes might be very time-intensive.
Impact:
Because zxfrd takes an excessive amount of time deleting records, it can delay transfer requests.
Workaround:
None.
Fix:
The deletion algorithm has been dramatically improved, removing the significant delay in deletions.
Fixed Versions:
12.1.3.1, 13.1.0.2
672491-5 : net resolver uses internal IP as source if matching wildcard forwarding virtual server
Links to More Info: K10990182 , BT672491
Component: Global Traffic Manager (DNS)
Symptoms:
If a net resolver is created and contains a forwarding zone that matches an existing wildcard forwarding virtual server, an incorrect internal IP address will be used as the source.
Upon listener lookup for the net resolver, the wildcard virtual server will be matched to the forwarding zone resulting in a loopback IP address being used as the source IP address.
Conditions:
When creating an AFM policy that restricts FQDNs, a net resolver is needed to resolve the FQDNs. If the forwarding zone of this net resolver matches a wildcard server, DNS queries from the net resolver will use a loopback IP address as the source IP address.
Impact:
Failed DNS queries as a result of incorrect source IP address.
Workaround:
None.
Fix:
This issue was resolved by ensuring listener lookup only matches the exact IP addresses, no-wildcards.
Fixed Versions:
11.6.5.3, 12.1.3.6, 13.1.3.2
672312-3 : IP ToS may not be forwarded to serverside with syncookie activated
Links to More Info: BT672312
Component: Local Traffic Manager
Symptoms:
IP ToS field may not be preserved on forwarding in a FastL4 virtual server when syncookie is activated.
Conditions:
-- FastL4 ip-forwarding virtual server.
-- ToS in passthrough mode.
-- Syncookie is activated in hardware mode.
-- On a hardware platform with ePVA.
Impact:
IP ToS header is not forwarded to the serverside.
Workaround:
None.
Fix:
The BIG-IP system now forwards IP ToS in syncookie mode.
Fixed Versions:
12.1.4, 13.1.1.2, 14.0.0.5
671741-3 : LCD on iSeries devices can lock at red 'loading' screen.
Links to More Info: BT671741
Component: TMOS
Symptoms:
There are cases when TMOS is under stress conditions that the LCD on iSeries devices can lock at red 'loading' screen.
Conditions:
-- iSeries platforms.
-- Device under stress.
Impact:
LCD on iSeries devices can lock at red 'loading' screen. Appliance power cycle is required to correct the error.
Workaround:
None. You must power cycle the device to correct the condition.
Fix:
This issue is resolved.
Fixed Versions:
12.1.5, 13.1.3
671716-1 : UCS version check was too strict for IPS hitless upgrade
Links to More Info: BT671716
Component: Protocol Inspection
Symptoms:
When upgrading from one minor release to another, e.g., from 13.1 to 13.2, the UCS upgrade of IPS IM packages fails.
Conditions:
During upgrade from one minor release to another.
Impact:
The default library is used instead of the most recently updated IM/IPS library from the previous build.
Workaround:
Install the IM package available for that new release.
Fixed Versions:
13.1.0.4
671712-2 : The values returned for the ltmUserStatProfileStat table are incorrect.
Links to More Info: BT671712
Component: TMOS
Symptoms:
An SNMP table entry that intermittently comes back incorrectly. Specifically, an LTM profile user statistic value is returned with an OID that is off by one in the table.
Conditions:
A statistics profile is attached to a virtual server with an iRule that increments statistics on the profile. The SNMP walk of the table created by the statistics profile intermittently returns the values shifted up one OID such that the last row is zero and the first row is lost. A subsequent request is correct.
Impact:
Incorrect data returned in SNMP walk of LTM profile table.
Workaround:
The statistics themselves are kept correctly and can be accessed without using SNMP.
Fix:
The values in the ltmUserStatProfileStat table are always correct.
Fixed Versions:
12.1.3.7, 13.1.1.2, 14.0.0.3
671627-3 : HTTP responses without body may contain chunked body with empty payload being processed by Portal Access.
Links to More Info: K06424790 , BT671627
Component: Access Policy Manager
Symptoms:
Some HTTP responses do not contain any body. For instance, responses with status codes 1xx, 204, or 304 must not include body. Portal Access adds 'Transfer-Encoding: chunked' header and may add chunked body with empty payload to such responses.
Conditions:
HTTP response without body processed by Portal Access
Impact:
Most browsers ignore an invalid 'Transfer-Encoding' header and/or body on responses that must not include a body at all. However, some traffic validators may refuse to pass such invalid responses.
Workaround:
Use an iRule to remove 'Transfer-Encoding' header and/or body from HTTP responses with status codes 1xx, 204, and 304.
Fix:
Now Portal Access does not add invalid 'Transfer-Encoding' header and/or body to responses which have no body.
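As an added example (not F5 code and not the iRule workaround above), here is the same sanitizing rule written in Python against raw response bytes: a response whose status forbids a body (1xx, 204, 304) has its Transfer-Encoding header and any trailing chunked body removed; every other response passes through untouched. The sample responses are constructed. The reason validators care is that two parsers disagreeing about whether such a response carries a body is the classic setup for response desynchronization.

```python
import re

# Status codes that must not carry a message body (RFC 7230 section 3.3):
# all 1xx, 204 No Content and 304 Not Modified.
BODILESS_STATUS = re.compile(r'^HTTP/1\.[01] (1\d\d|204|304)(?: |$)')


def strip_invalid_chunked_body(raw_response: bytes) -> bytes:
    """Return the response unchanged unless its status forbids a body; in that
    case drop any Transfer-Encoding header and everything after the blank line.
    This is what the iRule workaround does for 1xx/204/304 responses."""
    head, sep, _body = raw_response.partition(b'\r\n\r\n')
    if not sep:
        # Headers not terminated: malformed or truncated, do not touch it.
        return raw_response
    lines = head.split(b'\r\n')
    status_line = lines[0].decode('ascii', 'replace')
    if not BODILESS_STATUS.match(status_line):
        return raw_response
    kept = [lines[0]] + [h for h in lines[1:]
                         if not h.lower().startswith(b'transfer-encoding:')]
    return b'\r\n'.join(kept) + b'\r\n\r\n'


# Constructed sample: a 304 the way the bug would emit it, with a chunked
# header and an empty chunked body ("0\r\n\r\n") appended.
BUGGY_304 = (b'HTTP/1.1 304 Not Modified\r\n'
             b'ETag: "abc"\r\n'
             b'Transfer-Encoding: chunked\r\n'
             b'\r\n'
             b'0\r\n\r\n')

# Constructed sample: a normal chunked 200, which must pass through unchanged.
CLEAN_200 = (b'HTTP/1.1 200 OK\r\n'
             b'Transfer-Encoding: chunked\r\n'
             b'\r\n'
             b'5\r\nhello\r\n0\r\n\r\n')
```

The check runs on the status line only, so it is safe to apply to every response; a 200 with a legitimate chunked body is never modified.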
Fixed Versions:
12.1.3.2, 13.1.0.4
671597-3 : Import, export, copy and delete is taking too long on 1000 entries policy
Links to More Info: BT671597
Component: Access Policy Manager
Symptoms:
Large policies with on the order of 1000 items cannot be imported, exported, or copied.
Conditions:
When an access policy has 1000+ entries.
Impact:
Import, export and copy are abandoned or fail due to out of memory condition.
Workaround:
Use ng_export, ng_import and ng_profile rather than UI to import/export.
Fix:
ng_export is now five times faster.
ng_import and ng_profile are now about 50 times faster because they avoid denormalisation and have been optimised.
ng_export should still be run from the console.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.6
671323-1 : Reset PIN Fail if Token input field is not 'password' field
Links to More Info: BT671323
Component: Access Policy Manager
Symptoms:
User is not able to reset the PIN when the password source field in RSA SecurID or RADIUS Auth agent is not set to default value(%{session.logon.last.password})
Conditions:
- APM is licensed and provisioned.
- RSA SecurID or RADIUS Auth agent is included in an access policy.
- Password source field in this agent is changed to a custom value.
- APM end user is challenged to reset the PIN or reenter the PIN/token.
Impact:
APM end users cannot reset the PIN or do not get authenticated.
Workaround:
There is no workaround other than leaving the default value in the password source field of the RADIUS or RSA SecurID auth agent unchanged.
Fix:
APM end users can now successfully reset the PIN or reenter the token. They can also use custom password session variables for authentication.
Fixed Versions:
13.1.1.2
670528-4 : Warnings during vCMP host upgrade.
Links to More Info: K20251354 , BT670528
Component: TMOS
Symptoms:
- Log message repeats every 5 seconds in /var/log/ltm
slot<#>/<host> warning vcmpd[<pid>]: 01510005:4: Failed to find value for enum::cli_id (ha_feature_t::provisioning-failed).
Conditions:
- Configure vCMP host in 12.1.x or 11.6.x.
- Deploy 13.x guest.
- Monitor /var/log/ltm.
Impact:
Warning message displayed every 5 seconds.
Workaround:
Run the following command:
tmsh create sys log-config filter stop_vcmpd_log message-id 01510005 publisher none
Fixed Versions:
11.6.5.2, 12.1.3.7, 13.1.1.2
670197-1 : IPsec: ASSERT 'BIG-IP_conn tag' failed
Links to More Info: BT670197
Component: TMOS
Symptoms:
When using IPsec, tmm assert with 'BIG-IP_conn tag' failed.
Conditions:
The conditions under which this assert occurs when using IPsec are unknown.
Impact:
The tmm restarts and all connections are reset. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
When using IPsec, tmm no longer asserts with 'BIG-IP_conn tag' failed.
Fixed Versions:
13.1.1.4
670103-1 : No way to query logins to BIG-IP in TMUI
Links to More Info: BT670103
Component: TMOS
Symptoms:
Cannot use the GUI to query logins to the BIG-IP system based on a time range or a specific user.
Conditions:
-- Using the GUI.
-- Gather login information.
Impact:
No support for queries.
Workaround:
None.
Fix:
Added support for using the GUI to query logins to the BIG-IP system.
Behavior Change:
The ability to query logins on the BIG-IP, using the GUI, was added at System >> Logins : History. Users can query all available login data that is present on the BIG-IP. This information can be filtered by time, username, status, access method, and host.
Fixed Versions:
13.1.0.2
669585-1 : The tmsh sys log filter is unable to display information in uncompressed log files.
Links to More Info: BT669585
Component: TMOS
Symptoms:
You notice missing log information when reviewing system logs using the tmsh show sys log command.
Conditions:
One or more of the BIG-IP system backup log files, designated with .1, .2, and so on, are not compressed.
Note: Backup log files should end with the .gz extension. For example, ltm.1.gz.
You use the tmsh show sys log command to view log information for one or more days in the past.
Impact:
Unable to view the full range of backup log information.
Workaround:
Log in to the Advanced shell (bash).
To ensure all backup logs for a particular log type are compressed, use the following command syntax:
gzip /var/log/<log>.*
For example, to compress the full set of backup logs for the ltm log type, type the following command:
gzip /var/log/ltm.*
Note: The following message is expected if a log file is already compressed: gzip: /var/log/<log>.gz already has .gz suffix -- unchanged
Fix:
Increased flexibility of log reading mechanism, to look for both compressed (ending in .gz) and uncompressed (ending in .#) log files.
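The following added example (not F5 code) shows the reading behaviour the fix describes: a log reader that walks every rotation of one log type, oldest first, and opens each file with gzip or plain open depending on whether that rotation was compressed, so an uncompressed ltm.1 sitting next to ltm.2.gz is no longer skipped. The sample log directory and its lines are constructed for the example.

```python
import gzip
import os
import re
import tempfile


def rotated_log_names(log_dir, log_name):
    """Names of all rotations of one log type, oldest first, accepting both
    compressed (ltm.2.gz) and uncompressed (ltm.1) backups plus the live file."""
    pattern = re.compile(r'^%s(?:\.(\d+))?(?:\.gz)?$' % re.escape(log_name))
    found = []
    for name in os.listdir(log_dir):
        m = pattern.match(name)
        if m:
            index = int(m.group(1)) if m.group(1) else 0
            found.append((index, name))
    # A higher rotation index holds older data, so sort descending by index.
    found.sort(key=lambda item: (-item[0], item[1]))
    return [name for _, name in found]


def read_all_log_lines(log_dir, log_name):
    """Yield every line across all rotations, decompressing .gz files on the fly."""
    for name in rotated_log_names(log_dir, log_name):
        path = os.path.join(log_dir, name)
        opener = gzip.open if name.endswith('.gz') else open
        with opener(path, 'rt') as fh:
            for line in fh:
                yield line.rstrip('\n')


def build_sample_log_dir():
    """Create a temp dir holding one compressed and one uncompressed rotation
    plus the live log. The log lines are constructed for this example."""
    d = tempfile.mkdtemp()
    with gzip.open(os.path.join(d, 'ltm.2.gz'), 'wt') as fh:
        fh.write('Jan 01 00:00:01 bigip notice mcpd[1234]: constructed line, two days ago\n')
    with open(os.path.join(d, 'ltm.1'), 'w') as fh:     # rotated but never gzipped
        fh.write('Jan 02 00:00:01 bigip notice mcpd[1234]: constructed line, yesterday\n')
    with open(os.path.join(d, 'ltm'), 'w') as fh:
        fh.write('Jan 03 00:00:01 bigip notice mcpd[1234]: constructed line, today\n')
    return d
```

Point it at /var/log with log_name 'ltm' (or 'secure', 'audit') to get the full history regardless of which rotations logrotate managed to compress.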
Fixed Versions:
13.1.0.2
669462-2 : Error adding /Common/WideIPs as members to GTM Pool in non-Common partition
Links to More Info: BT669462
Component: TMOS
Symptoms:
Unable to use Pool Members from /Common/ when outside of /Common/
Conditions:
Adding /Common/WideIPs as members in non-Common GTM Pool
Impact:
Unable to use pool-members from /Common/ when outside of /Common/
Workaround:
No workaround at this time.
Fix:
Fixed issue preventing users from using GTM pool-members within /Common/ on GTM Pools outside of /Common/
Fixed Versions:
12.1.3.2, 13.1.0.4
668826-1 : File named /root/.ssh/bigip.a.k.bak is present but should not be
Links to More Info: BT668826
Component: TMOS
Symptoms:
In AWS instances, a file /root/.ssh/bigip.a.k.bak is present which should not be. It is harmless to users other than that it is confusing.
Conditions:
After the first boot, this file should be deleted, but it is not.
Impact:
No real impact other than possibly confusion as this file isn't used in this environment. The file does not contain any sensitive data as it's a dangling symlink.
Workaround:
No need to workaround as the presence of the file is harmless. Users could manually remove this file if desired.
Fix:
This file is no longer present which is the correct state.
Fixed Versions:
13.1.0.2
668276-1 : BIG-IP does not display failed login attempts since last login in GUI
Links to More Info: BT668276
Component: TMOS
Symptoms:
The BIG-IP does not have a mechanism in the GUI to display information about login attempts.
Conditions:
n/a
Impact:
Administrators cannot use the GUI to evaluate login attempts to the BIG-IP.
Workaround:
Administrators can view the logs at /var/log/secure.
Fix:
New GUI pages were created to allow administrators, resource admins, and auditors to view information about login attempts to the BIG-IP. These pages are available at System >> Logins in the GUI.
The user logins summary, available at System >> Logins : Summary can be set as the default start screen for BIG-IP users. However, this process is not as straightforward as other pages, as these pages are available only to users with a role of admin, resource admin, or auditor. Because of these restrictions, setting this page as default is accomplished by setting a DB variable, UI.Users.RedirectSuperUsersToAuthSummary, to true.
When this DB variable is set to true, users with roles of admin, resource admin, or auditor will be redirected to the System >> Logins : Summary page. Users with other roles will be redirected to the Start Screen that is set in System >> Preferences.
Fixed Versions:
13.1.0.2
668273-1 : Logout button not available in Configuration Utility when using Client Cert LDAP
Links to More Info: K12541531 , BT668273
Component: TMOS
Symptoms:
When the BIG-IP system is configured to use the Client Cert LDAP for Remote Authorization, the Logout button is not available.
Conditions:
A BIG-IP system is configured to use Client Cert LDAP for Remote Authorization.
Impact:
BIG-IP system users cannot end the session on the BIG-IP system.
Workaround:
Close all windows to end the session.
Fix:
Now, when the BIG-IP system is configured to use Client Cert LDAP as the Remote Auth method, there is a Logout button in the window, and when the Logout button is clicked, the system displays a modal window to instruct the user on how to end the session.
Fixed Versions:
13.1.0.2
668184-2 : Huge values are shown in the AVR statistics for ASM violations
Links to More Info: BT668184
Component: Application Security Manager
Symptoms:
Huge values are shown in the AVR statistics for ASM violations.
Conditions:
Out-of memory-condition in the ASM. Some other extreme conditions might also cause this behavior.
Impact:
ASM violation numbers are incorrectly reported.
Workaround:
None.
Fix:
An issue with bd sending wrong numbers to AVR was fixed.
Fixed Versions:
12.1.3.2, 13.1.0.2
668041-2 : Config load fails when an iRule comment ends with backslash in a config where there is also a policy.
Links to More Info: K27535157 , BT668041
Component: TMOS
Symptoms:
Config load fails when an iRule contains a commented line that ends with an escape character (backslash), and the config also contains an LTM policy. Depending on the iRule, you might also see the following error: Syntax Error:(/config/bigip.conf at line: 42078) double quotes are not balanced.
Conditions:
-- iRule contains commented line that ends with a backslash.
-- The config also contains a policy.
For example, an iRule similar to the first example, and a policy similar to the second:
ltm rule /Common/log_info {
when HTTP_RESPONSE {
#log local0. "Original Location header value: [HTTP::header value Location],\
updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
}
}
...
ltm policy /Common/Test_Policy {
controls { forwarding }
requires { http tcp }
rules {
TestPol_Rule1 {
actions {
0 {
forward
select
node 10.2.10.20
}
}
conditions {
0 {
tcp
address
matches
values { 10.1.10.20 }
}
}
}
}
strategy /Common/first-match
}
Impact:
Config load fails.
Workaround:
You can use any of the following workarounds:
-- Delete the line of code with the comment.
-- Put the entire comment on one line of code.
-- Divide lengthy comments into a series of smaller ones, so that each comment fits within one line of code.
-- Move the iRule so that it is sequentially before the LTM policy in the config file.
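Before loading a config on an affected version, it is worth scanning bigip.conf for exactly this pattern. The following added example (not F5 code) does that: it walks each 'ltm rule' stanza, flags comment lines that end in a backslash (which in Tcl joins the next physical line onto the comment), and reports them only when the config also carries an 'ltm policy', since the load succeeds otherwise. The config fragment is constructed from the example above; brace counting is a heuristic that ignores braces inside quoted strings.

```python
import re

# Constructed bigip.conf fragment (not from a real system): the first iRule's
# comment ends with a backslash, the second is clean, and an LTM policy follows.
SAMPLE_CONF = '''\
ltm rule /Common/log_info {
    when HTTP_RESPONSE {
        #log local0. "Original Location header value: [HTTP::header value Location],\\
        updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
    }
}
ltm rule /Common/clean_rule {
    when HTTP_REQUEST {
        # a comment that fits on one line is fine
        HTTP::header remove X-Debug
    }
}
ltm policy /Common/Test_Policy {
    strategy /Common/first-match
}
'''

RULE_START = re.compile(r'^ltm rule (\S+) \{')


def find_continued_comments(conf_text):
    """Return (rule_name, line_number) for every comment line inside an
    'ltm rule' stanza that ends with a backslash. Brace counting is a
    heuristic: braces inside quoted strings are not handled."""
    findings = []
    rule = None
    depth = 0
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if rule is None:
            m = RULE_START.match(line)
            if not m:
                continue          # not inside an iRule stanza
            rule, depth = m.group(1), 0
        depth += line.count('{') - line.count('}')
        if line.startswith('#') and line.endswith('\\'):
            findings.append((rule, lineno))
        if depth <= 0:
            rule = None           # stanza closed
    return findings


def at_risk(conf_text):
    """The load only fails when the config also carries an LTM policy, so
    report nothing for a policy-free config."""
    if re.search(r'^ltm policy ', conf_text, re.M) is None:
        return []
    return find_continued_comments(conf_text)
```

Run at_risk over the text of /config/bigip.conf; each hit is a line to fix with one of the workarounds listed above.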
Fix:
Config load no longer fails when an iRule comment ends with backslash in a config where there is also a policy.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.2
667779-1 : iRule commands may cause the TMM to crash in very rare situations.
Links to More Info: BT667779
Component: Local Traffic Manager
Symptoms:
A TMM crash may occur in very rare situations.
Conditions:
A Tcl iRule command is used.
Impact:
A TMM Core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Tcl iRule commands are more robust to extreme scenarios within the TMM.
Fixed Versions:
11.6.5.2, 12.1.5, 13.1.3
667770-1 : SIGSEGV to tmm when performing multiple, repeated SSL profile updates, or during UCS restore
Links to More Info: K12472293 , BT667770
Component: Local Traffic Manager
Symptoms:
The BIG-IP system sends a SIGSEGV to the TMM process when performing multiple change operations on configurations that contain a combination of SSL profiles and AVR (analytics).
Conditions:
-- Configuration contains a combination of SSL profiles and AVR.
-- Performing multiple, repeated SSL profile updates, or during UCS restore.
Impact:
The BIG-IP system sends a SIGSEGV to the TMM process. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
Fix:
TMM no longer halts and restarts when performing multiple change operations on configurations that contain a combination of SSL profiles and AVR (analytics).
Fixed Versions:
13.1.0.6
667618-1 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
Links to More Info: BT667618
Component: TMOS
Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The TCP options that are not supported under SYN Cookie protection remain unsupported until the system exits hardware SYN cookies.
Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.
Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.
Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options will not be taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.
Note that if no good traffic hits the virtual server, syncookies will also fail to deactivate, but will do so once both good traffic has been seen, and the attack has ended.
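To make concrete why only a few MSS sizes survive SYN cookie protection, here is an added example (not F5 code, and not how the ePVA implements it) of the generic software SYN cookie technique: the server keeps no per-connection state, so the client's MSS has to be squeezed into a few bits of the server's initial sequence number alongside a time slot and a keyed MAC. A client that advertises MSS 1380 gets the nearest supported size, 1300, when the cookie is validated on the final ACK. The MSS table, key and addresses are assumptions for the example.

```python
import hashlib
import hmac
import struct

# The handful of MSS values a cookie can encode (3 bits of index). These are the
# classic values used by software SYN cookie implementations; the sizes the
# BIG-IP ePVA supports are not stated on this page, so this table is an assumption.
MSS_TABLE = (536, 1300, 1440, 1460)


def quantize_mss(mss):
    """Index of the largest supported MSS that does not exceed the client's."""
    idx = 0
    for i, supported in enumerate(MSS_TABLE):
        if mss >= supported:
            idx = i
    return idx


def _mac(key, saddr, daddr, sport, dport, client_isn, slot, mss_idx):
    """Keyed MAC over the 4-tuple, client ISN, time slot and MSS index,
    truncated to the 24 low bits of the cookie."""
    msg = struct.pack('>IIHHIBB', saddr, daddr, sport, dport, client_isn, slot, mss_idx)
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], 'big')


def make_cookie(key, saddr, daddr, sport, dport, client_isn, count, mss):
    """Server ISN for the SYN-ACK: 5 bits of time slot, 3 bits of MSS index,
    24 bits of MAC. Nothing is stored per half-open connection."""
    slot = count & 0x1F
    idx = quantize_mss(mss)
    return (slot << 27) | (idx << 24) | _mac(key, saddr, daddr, sport, dport, client_isn, slot, idx)


def check_cookie(key, saddr, daddr, sport, dport, client_isn, cookie, now, window=4):
    """Validate the cookie echoed back in the final ACK (ack_seq - 1).
    Returns the MSS the connection will use, or None if the cookie is stale or forged."""
    slot = (cookie >> 27) & 0x1F
    idx = (cookie >> 24) & 0x7
    if (now - slot) % 32 > window or idx >= len(MSS_TABLE):
        return None
    expected = _mac(key, saddr, daddr, sport, dport, client_isn, slot, idx)
    if not hmac.compare_digest(expected.to_bytes(3, 'big'),
                               (cookie & 0xFFFFFF).to_bytes(3, 'big')):
        return None
    return MSS_TABLE[idx]


def handshake_demo():
    """Client advertises MSS 1380; under cookie protection it gets 1300."""
    key = b'per-boot-secret'                                  # constructed key
    args = (0x0A000001, 0x0A000002, 40000, 443, 123456789)    # constructed 4-tuple + client ISN
    cookie = make_cookie(key, *args, count=7, mss=1380)       # SYN-ACK seq
    ack = (cookie + 1) & 0xFFFFFFFF                           # what the client echoes
    return check_cookie(key, *args, (ack - 1) & 0xFFFFFFFF, now=8)
```

The window check is what lets cookies expire; the bug described above is the inverse problem, where the protection itself fails to switch off, so the quantized MSS keeps applying to legitimate traffic long after the flood has stopped.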
Workaround:
Restarting TMM or rebooting the device clears the HSB condition.
Fix:
Hardware SYN Cookies now immediately deactivate after the SYN attack ends and valid TCP traffic starts.
Fixed Versions:
13.1.3
667542-6 : DNS Express does not correctly process multi-message DNS IXFR updates.
Links to More Info: BT667542
Component: Global Traffic Manager (DNS)
Symptoms:
If DNS Express sends an IXFR query to a DNS server, and that server responds with an IXFR update that is larger than one DNS message, DNS Express processes only the first message.
DNS Express then updates the SOA serial number to match that of the IXFR, marks the IXFR as successful and the Zone as 'Green'.
There is no indication that the IXFR was incomplete.
DNS Express might then have, and might serve, incorrect data for that Zone.
Conditions:
An IXFR response from a DNS server spans multiple DNS messages.
Note: This is not a common condition, but it is possible.
Impact:
This might result in incomplete or otherwise inaccurate Zone data, which DNS Express will serve.
Workaround:
Note: Although there is a workaround, there is no way to determine that the Zone is complete other than to query the entire zone and compare it to the zone on the master DNS server.
To work around this issue:
1. Stop zxfrd.
2. Remove the database /var/db/zxfrd.bin.
3. Restart zxfrd.
This triggers a full transfer (AXFR) of the zone, as well as all the other zones.
Fix:
The system now continues the processing of DNS messages until the closing SOA RR is encountered.
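The following added example (not F5 code) is a simplified model of an RFC 1995 incremental transfer with constructed records rather than DNS wire format. It shows the check the fix describes: the IXFR stream is only finished when the closing SOA arrives, which may be in a later message, so a consumer that stops after the first message must not update the serial or mark the zone healthy. Each RR is a (name, type, rdata) tuple and an SOA's rdata is just its serial.

```python
SOA_NAME = 'example.com.'

# Constructed zone at serial 1.
ZONE_V1 = {
    (SOA_NAME, 'SOA', 1),
    ('www.example.com.', 'A', '10.0.0.1'),
    ('mail.example.com.', 'A', '10.0.0.2'),
}

# Constructed IXFR response for 1 -> 2 split across two DNS messages:
# replace www's address and add ftp. The closing SOA is in the second message.
IXFR_MSG1 = [
    (SOA_NAME, 'SOA', 2),                    # new serial
    (SOA_NAME, 'SOA', 1),                    # deletions from serial 1 ...
    ('www.example.com.', 'A', '10.0.0.1'),
    (SOA_NAME, 'SOA', 2),                    # ... additions for serial 2
    ('www.example.com.', 'A', '10.0.0.9'),
]
IXFR_MSG2 = [
    ('ftp.example.com.', 'A', '10.0.0.3'),
    (SOA_NAME, 'SOA', 2),                    # closing SOA ends the transfer
]


def apply_ixfr(zone, messages):
    """Apply an IXFR response (a sequence of messages, each a list of RRs)
    to `zone` and return (new_zone, new_serial, complete).

    `complete` is False when the closing SOA was never seen; the caller must
    not bump the serial or mark the zone healthy in that case."""
    rrs = [rr for msg in messages for rr in msg]
    if not rrs or rrs[0][1] != 'SOA':
        raise ValueError('IXFR response must start with an SOA')
    new_serial = rrs[0][2]
    zone = set(zone)
    if len(rrs) == 1:
        return zone, new_serial, True        # single SOA: already up to date
    mode = 'start'                           # start -> del -> add -> (del ...) -> done
    for name, rtype, rdata in rrs[1:]:
        if rtype == 'SOA':
            if mode in ('start', 'add') and rdata != new_serial:
                mode = 'del'                 # SOA with an older serial opens a deletion section
            elif mode == 'add' and rdata == new_serial:
                mode = 'done'                # closing SOA: the stream is complete
                break
            elif mode == 'del':
                mode = 'add'                 # SOA with the newer serial opens an addition section
            else:
                raise ValueError('unexpected SOA in mode %s' % mode)
        elif mode == 'del':
            zone.discard((name, rtype, rdata))
        elif mode == 'add':
            zone.add((name, rtype, rdata))
        else:
            raise ValueError('record outside a diff section')
    if mode == 'done':
        zone = {rr for rr in zone if rr[1] != 'SOA'} | {(SOA_NAME, 'SOA', new_serial)}
    return zone, new_serial, mode == 'done'
```

Feeding only the first message reproduces the pre-fix behaviour: www is already updated but ftp is missing and the zone's SOA is still at serial 1, with complete == False telling the caller not to trust the result.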
Fixed Versions:
13.1.0.2
667469-3 : Higher than expected CPU usage when using DNS Cache
Links to More Info: K35324588 , BT667469
Component: Global Traffic Manager (DNS)
Symptoms:
CPU usage shows higher than expected usage when using the DNS Cache.
Conditions:
Usage of any of the 3 DNS Cache types, particularly on chassis with multiple blades.
Impact:
Higher than expected CPU usage.
Workaround:
No workaround at this time.
Fix:
Improvements have been made to the efficiency of the DNS Cache inter-tmm mirroring. These efficiencies may result in better CPU utilization and/or higher responses per second.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.4
667353 : Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table
Links to More Info: BT667353
Component: Advanced Firewall Manager
Symptoms:
Intermittent TMM crash when the AFM dynamic (behavioral) signature feature is enabled and past attack signatures incorrectly exist in the correlation stats table. TMM aborts itself after detecting memory corruption in one of the TMSTAT tables AFM uses to correlate dynamic signatures.
Conditions:
The following sequence triggers the TMM self-abort in one of the TMSTAT tables:
a) A set of N dynamic signatures is generated (for a few contexts).
b) When the attack stops, the current set of signatures is moved to the 'past' attack state.
c) If TMM restarts in between (or receives the MCP config again, e.g., via a config load), these past attack signatures are incorrectly created in the tmstat table that is used only for current attack signatures. This is the cause of the issue.
d) A new attack appears that partly overlaps with the 'past' signatures, and the TMSTAT table becomes corrupted over time.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
This issue is fixed: past attack signatures are never created in the correlation stats table, even under the conditions described above.
Fixed Versions:
13.1.0.6, 14.0.0
667257-4 : CPU Usage Reaches 100% With High FastL4 Traffic
Links to More Info: BT667257
Component: TMOS
Symptoms:
CPU usage reaches 100% with high FastL4 traffic. Issue with re-offloading evicted FastL4 traffic to ePVA.
Typically observed on systems handling a lot of FastL4 traffic that have been upgraded to a version that has re-offload behavior implemented by Bug ID 563475: ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.
Conditions:
-- Most traffic is FastL4 forwarding deterministic LDNS.
-- ePVA hardware is in use.
Impact:
Default configurations may suddenly show higher CPU performance profile usage after upgrade.
Workaround:
None.
Fix:
The following db variables have been added to control re-offload behavior:
sys db pva.reoffload.delay {
value "5"
}
sys db pva.reoffload.exponential {
value "true"
}
pva.reoffload.delay is in seconds. This is the amount of time that needs to expire before TMM attempts to re-offload the flow to the ePVA.
If pva.reoffload.exponential is 'true', then on a collision there is an exponential backoff (5 seconds, 10 seconds, 20 seconds, and so on) before the flow is re-offloaded.
If pva.reoffload.exponential is 'false', then there is no backoff, and the flow is re-offloaded after the pva.reoffload.delay expires.
Behavior Change:
The following db variables have been added to control re-offload behavior:
sys db pva.reoffload.delay {
value "5"
}
sys db pva.reoffload.exponential {
value "true"
}
pva.reoffload.delay is in seconds. This is the amount of time that needs to expire before TMM attempts to re-offload the flow to the ePVA.
If pva.reoffload.exponential is 'true', then on a collision there is an exponential backoff (5 seconds, 10 seconds, 20 seconds, and so on) before the flow is re-offloaded.
If pva.reoffload.exponential is 'false', then there is no backoff, and the flow is re-offloaded after the pva.reoffload.delay expires.
Fixed Versions:
11.6.4, 12.1.4.1, 13.1.1.4
667173-1 : 13.1.0 cannot join a device group with 13.1.0.1
Links to More Info: BT667173
Component: TMOS
Symptoms:
13.1.0.1 cannot form device trust with a 13.1.0 device.
Conditions:
A device running 13.1.0 wanting to establish device trust with a device running 13.1.0.1 or vice versa.
Impact:
Cannot form Device Trust.
Workaround:
13.1.0 cannot initially form device trust with a 13.1.0.1 device. However, if you establish trust from the 13.1.0.1 device and then bring in the 13.1.0 device from 13.1.0.1, you can mitigate this issue. Once trust is formed, there should be no issue.
Fix:
13.1.0.1 now can form device trust with a 13.1.0 device.
Fixed Versions:
11.6.3, 12.1.3.1, 13.1.0.1
667148-3 : Config load or upgrade can fail when loading GTM objects from a non-/Common partition
Links to More Info: K02500042 , BT667148
Component: TMOS
Symptoms:
GTM configuration fails to load.
Conditions:
GTM config referencing non-/Common partition objects from /Common.
Impact:
GTM configuration fails to load, which may keep a system from becoming active.
Workaround:
No workaround.
Fix:
Fixed issue preventing GTM configurations from loading when non-Common partitioned items present.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.4
665992-2 : Live Update via Proxy No Longer Works
Links to More Info: K40510140 , BT665992
Component: Application Security Manager
Symptoms:
BIG-IP devices that need to use a proxy server to communicate with callhome.f5.com, no longer receive, or check for, automatic updates.
Conditions:
The BIG-IP device is behind a network firewall and outbound communication must be through a proxy.
Impact:
The BIG-IP will not be able to contact the callhome server to check for, or receive, updates.
Workaround:
Updates can be downloaded manually from the F5 Downloads server and installed directly on the BIG-IP.
Fix:
Proxy settings are correctly used when contacting the F5 callhome server.
Fixed Versions:
13.1.0.4
665470-3 : Failed to load sample requests on the Traffic Learning page when the VIOL_MALICIOUS_IP violation is raised
Links to More Info: BT665470
Component: Application Security Manager
Symptoms:
The Traffic Learning page fails to load sample requests for malicious IP addresses in a specific case.
Conditions:
-- IP intelligence is turned on.
-- Logging is turned off.
Impact:
Requests that should be learned are not.
Workaround:
Turn on logging.
Fix:
The Traffic Learning page now loads sample requests for malicious IP addresses when IP intelligence is turned on and logging is turned off.
Fixed Versions:
12.1.3.6, 13.1.1.4
665362-2 : MCPD might crash if the AOM restarts
Links to More Info: BT665362
Component: TMOS
Symptoms:
In very rare circumstances, mcpd might crash when the AOM restarts.
Conditions:
This can occur while AOM is restarting.
Impact:
System goes offline for a few minutes.
Workaround:
None.
Fix:
Added error handling to prevent the crash. If this error occurs in the future, mcpd will not crash, but a restart of mcpd is required.
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0
665354-1 : Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
Links to More Info: K31190471 , BT665354
Component: TMOS
Symptoms:
The most common symptom is a reboot of the unit without much detail in the normal tmm or ltm logs. From there, inspect the SEL logs. In the SEL logs, you will see a message about a bad_tlp_status, followed shortly by a message about completion_time_out_status.
Those two messages together indicate this known issue.
Conditions:
-- There are empty 10 GB ports or 10 GB ports that have optics but are not connected to a proper link.
-- Running on one of the following platforms: i2600, i2800, i4600, i4800.
Impact:
The unit intermittently reboots.
Workaround:
To prevent the issue from occurring, you must populate all 10 Gb ports with optic cables and ensure they are connecting to a working peer link. A single 10 Gb empty or improperly connected port can cause a system reboot.
If that is not possible, however, there is no workaround, and you must contact F5 Technical Support to request a software update or engineering hotfix.
Important: A device Return Materials Authorization (RMA) will not prevent this issue.
Fix:
There is a BIG-IP system software update to disable the 10 Gb FPGA mac receiver until a valid link is detected. This eliminates the issue and prevents the ultra jumbo packet from being sent to the FPGA datapath.
Fixed Versions:
12.1.3, 13.0.1, 13.1.0.4
664618-1 : Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'
Links to More Info: BT664618
Component: Local Traffic Manager
Symptoms:
When using Protocol Security profiles for HTTP, the HTTP Protocol Checks 'Alarm' vs. 'Block' setting will not be honored for the 'Check maximum number of headers' check. If an HTTP response contains more than the configured maximum number of headers, the connection will be reset.
Client traffic with more than the maximum allowed headers will be allowed through to the server, and an alert will be generated, as expected. The server response will also have too many headers, but the connection will be reset.
Conditions:
-- PSM HTTP Protocol Checks configured in 'Alarm' mode ('Block' disabled).
-- The maximum number of headers is exceeded for server responses.
Impact:
Connections are reset, when only alerting is expected.
Workaround:
None.
Fix:
Two threshold values are now available for monitoring the number of HTTP headers:
-- Use the HTTP security profile and select 'alarm' (as opposed to 'block').
-- Use the HTTP service protocol profile. When the 'alarm' threshold is hit, the HTTP traffic remains intact, and logging can be seen in the PSM event logs. When the HTTP service protocol profile's threshold is hit, the HTTP traffic is blocked, and logging can be seen in both the LTM log and the PSM event logs.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.0.0.5
664528-2 : SSL record can be larger than maximum fragment size (16384 bytes)
Links to More Info: K53282793 , BT664528
Component: Local Traffic Manager
Symptoms:
SSL record containing handshake data can exceed maximum fragment size of 16384 bytes because handshake data is not fragmented.
Conditions:
This usually happens when a large certificate or certificate chain is configured for server or client authentication.
Impact:
SSL handshake will fail with client or server that properly checks the record size.
Workaround:
Use a certificate that is smaller in size.
Fix:
Properly fragment handshake data.
Fixed Versions:
12.1.3.4, 13.1.0.4
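The record-size problem in this entry, as an added example that is not F5's code: a minimal TLS 1.2 record framer (record and handshake header layout per RFC 5246; all function names are assumptions) that contrasts the unfragmented behaviour the entry describes with correct fragmentation at the 16384-byte limit, alongside the check a strict peer performs and the receiver-side reassembly. The 20000-byte certificate body is constructed sample data, not a real certificate chain.

```python
import struct

TLS_MAX_FRAGMENT = 16384            # 2^14 record-layer limit (RFC 5246, section 6.2.1)
CONTENT_TYPE_HANDSHAKE = 22
RECORD_VERSION = b"\x03\x03"        # TLS 1.2 record-layer version bytes
HANDSHAKE_TYPE_CERTIFICATE = 11


def build_handshake_message(handshake_type, body):
    """Handshake layer: 1-byte type, 3-byte body length, then the body."""
    return bytes([handshake_type]) + len(body).to_bytes(3, "big") + body


def _record(fragment):
    """Record layer: content type, version, 2-byte fragment length, fragment."""
    return (bytes([CONTENT_TYPE_HANDSHAKE]) + RECORD_VERSION
            + struct.pack("!H", len(fragment)) + fragment)


def wrap_unfragmented(handshake_msg):
    """Behaviour the bug describes: the whole handshake message goes into one
    record, even when that record exceeds the maximum fragment size."""
    return [_record(handshake_msg)]


def wrap_fragmented(handshake_msg, max_fragment=TLS_MAX_FRAGMENT):
    """Fixed behaviour: split the handshake message across records of at most
    max_fragment bytes. The handshake header appears once; the peer joins
    consecutive handshake-type fragments before parsing it."""
    return [_record(handshake_msg[i:i + max_fragment])
            for i in range(0, len(handshake_msg), max_fragment)]


def oversized_records(records):
    """What a strict peer checks: indexes of records whose fragment length
    exceeds TLS_MAX_FRAGMENT (or whose length field disagrees with the bytes
    present). Any hit makes the handshake fail."""
    bad = []
    for index, rec in enumerate(records):
        (length,) = struct.unpack("!H", rec[3:5])
        if length > TLS_MAX_FRAGMENT or len(rec) != 5 + length:
            bad.append(index)
    return bad


def reassemble_handshake(records):
    """Receiver side: join the fragments and validate the handshake length field."""
    data = b"".join(rec[5:] for rec in records)
    body_len = int.from_bytes(data[1:4], "big")
    if len(data) != 4 + body_len:
        raise ValueError("incomplete handshake message")
    return data


def demo_fragmentation():
    # Constructed stand-in for a large certificate chain (not a real certificate).
    cert_msg = build_handshake_message(HANDSHAKE_TYPE_CERTIFICATE, b"\x00" * 20000)
    fragmented = wrap_fragmented(cert_msg)
    return {
        "unfragmented_oversized": oversized_records(wrap_unfragmented(cert_msg)),
        "fragmented_count": len(fragmented),
        "fragmented_oversized": oversized_records(fragmented),
        "roundtrip_ok": reassemble_handshake(fragmented) == cert_msg,
    }


if __name__ == "__main__":
    print(demo_fragmentation())
```

The 20004-byte Certificate message becomes a single oversized record under the old behaviour and two compliant records (16384 and 3620 bytes) after fragmentation; the workaround in the entry (a smaller certificate) simply keeps the message under the limit so that no split is needed.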
663874-2 : Off-box HSL logging does not work with PEM in SPAN mode.
Links to More Info: K77173309 , BT663874
Component: Policy Enforcement Manager
Symptoms:
While on-box HSL logging works, off-box HSL logging does not work with PEM in SPAN mode.
Conditions:
-- PEM in SPAN mode.
-- Off-box HSL logging is configured.
Impact:
Cannot use off-box HSL logging with PEM in SPAN mode; must use on-box HSL logging instead.
Workaround:
There is no workaround at this time.
Fix:
Off-box HSL logging now works with PEM in SPAN mode.
Fixed Versions:
13.1.0.8
663821-1 : SNAT Stats may not include port FTP traffic
Links to More Info: K41344010 , BT663821
Component: Local Traffic Manager
Symptoms:
Using 'tmsh show ltm snat' command or the GUI, SNAT stats are not updated for port 21 traffic (FTP).
Conditions:
-- SNAT is configured.
-- FTP connections traverse the SNAT.
Impact:
Stats are not incremented in tmsh or the GUI.
Workaround:
None.
Fix:
SNAT Stats now include port FTP traffic, and values are incremented as expected.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.6
663535-2 : Sending ASM cookies with "secure" attribute even without client-ssl profile
Links to More Info: BT663535
Component: Application Security Manager
Symptoms:
ASM cookies are set with the "secure" attribute only when the BIG-IP virtual server uses an SSL profile.
Conditions:
ASM is enabled on a virtual server that has no client-ssl profile.
Impact:
When the client-side network is encrypted but the ASM virtual server receives cleartext traffic, cookies cannot be set with the "secure" attribute.
Workaround:
There is no workaround at this time.
Fix:
Added an internal parameter, "assume_https", which forces the "secure" attribute to always be set, even when the traffic reaching the BIG-IP is cleartext.
Fixed Versions:
12.1.3.2, 13.1.1.4
662311-1 : CS alerts should contain actual client IP address in XFF header
Links to More Info: BT662311
Component: Fraud Protection Services
Symptoms:
When no XFF header exists, the alert server will use the sender IP address as the client IP address. Doing so is incorrect behavior because the sender IP address is always the BIG-IP system's IP address. Even if XFF headers exist, the client IP address as known to the BIG-IP system may be missing in the XFF header.
Conditions:
This occurs under either of the following conditions:
-- There is no XFF header in the original request.
-- An XFF header exists, but it does not contain the actual client IP address (as seen by the BIG-IP system).
Impact:
Alert server/BIG-IQ does not show the actual client IP address.
Workaround:
None.
Fix:
FPS now always appends the client IP address to the end of the last XFF header in the alert request. If there is no XFF header, FPS inserts one.
Fixed Versions:
13.1.0.4
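The header handling this fix describes, as an added example that is not F5's code: the emitter side appends the client address the BIG-IP observed to the last X-Forwarded-For header (inserting one when none exists), and the consumer side shows why that matters, since only the right-most address was added by the trusted proxy and everything to its left is client-supplied. Function names are assumptions; the addresses are constructed documentation values.

```python
XFF = "x-forwarded-for"


def append_client_ip(headers, client_ip):
    """Emitter side (the fixed behaviour): append client_ip to the last
    X-Forwarded-For header, or insert one when the request carries none.
    headers is a list of (name, value) tuples; a new list is returned."""
    out = list(headers)
    last = None
    for i, (name, _) in enumerate(out):
        if name.lower() == XFF:
            last = i
    if last is None:
        out.append(("X-Forwarded-For", client_ip))
    else:
        name, value = out[last]
        value = value.strip()
        out[last] = (name, f"{value}, {client_ip}" if value else client_ip)
    return out


def observed_client_ip(headers):
    """Consumer side (the alert server): take the right-most address of the last
    X-Forwarded-For header, which is the one appended by the trusted proxy.
    Addresses further left came from the client and must not drive attribution
    or blocking decisions."""
    value = None
    for name, v in headers:
        if name.lower() == XFF:
            value = v
    if not value:
        return None
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return parts[-1] if parts else None


def demo_xff():
    client = "198.51.100.7"   # constructed: address seen by the BIG-IP on the connection
    no_xff = [("Host", "app.example.test")]
    # Constructed: a client-supplied XFF value that the old behaviour would have trusted.
    spoofed = [("Host", "app.example.test"), ("X-Forwarded-For", "203.0.113.5")]
    two = [("X-Forwarded-For", "203.0.113.5"), ("Host", "app.example.test"),
           ("X-Forwarded-For", "192.0.2.9")]
    return {
        "inserted": append_client_ip(no_xff, client),
        "appended": append_client_ip(spoofed, client),
        "last_only": append_client_ip(two, client),
        "before_fix_trusts": observed_client_ip(spoofed),
        "after_fix_trusts": observed_client_ip(append_client_ip(spoofed, client)),
    }


if __name__ == "__main__":
    print(demo_xff())
```

With the request left unmodified, the alert server attributes the event to whatever the client wrote into X-Forwarded-For; after the append it attributes it to the address the BIG-IP actually saw.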
660913-4 : For ActiveSync client type, browscap info provided is incorrect.
Links to More Info: BT660913
Component: Access Policy Manager
Symptoms:
Clients using Microsoft ActiveSync are failing access policy evaluation.
Conditions:
-- This occurs with clients using Microsoft ActiveSync.
-- It can be encountered on upgrade if you are upgrading to version 12.1.2 - 14.1.0 from an earlier version.
Impact:
The ActiveSync "Client UI" expression fails and a wrong branch is selected. As a result, clients using ActiveSync may not be authenticated.
Workaround:
In the VPE change the ActiveSync "Client UI" expression to:
expr { [mcget {session.server.landinguri}] starts_with "/Microsoft-Server-ActiveSync" || [mcget {session.ui.mode}] == 8 }
Fix:
Session variable session.client.browscap_info is now set correctly.
Fixed Versions:
12.1.4.1, 13.1.3.4, 14.1.4.3
660826-3 : BIG-IQ Deployment fails with customization-templates
Links to More Info: BT660826
Component: Access Policy Manager
Symptoms:
A BIG-IQ deployment that uses multiple commands in one transaction to modify a customization group fails.
Conditions:
Simulation in tmsh of what BIG-IQ does:
1) Add a log-on agent in your policy.
2) Edit the log-on agent customization (Advanced Customization: both logon.inc and view.inc).
This should create two customization templates.
3) Make a backup of the customization template files in some folder (for example, /tmp). For example, to copy logon.inc and view.inc for the logon agent in the sjc-access policy (sjc-access_act_logon_page_ag), the following cp commands worked:
cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:logon.inc_74991_2 /tmp/logon.inc
cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:view.inc_74991_2 /tmp/view.inc
4) tmsh
5) create /cli transaction
6) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { logon.inc { local-path /tmp/logon.inc } }
7) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { view.inc { local-path /tmp/view.inc } }
8) submit /cli transaction
Impact:
BIG-IQ operations that change a customization group fail.
Workaround:
There is no workaround.
Fix:
BIG-IQ can now operate on customization groups successfully.
Fixed Versions:
13.1.1.5, 14.0.0
660239-6 : When accessing the dashboard, invalid HTTP headers may be present
Links to More Info: BT660239
Component: TMOS
Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.
Conditions:
Access the dashboard via Statistics :: Dashboard.
Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.
You may see errors such as the following in the httpd error logs:
Feb 20 08:47:58 myBIG-IP err httpd[13777]: [error] [client 10.20.30.40] Response header name '<PostData><![CDATA[table=log%5Fstat]]></PostData>Cache-Control' contains invalid characters, aborting request, referer: https://mybigip.com/tmui/dashboard/MonitorDashboardModule.swf
Workaround:
There is no workaround at this time.
Fix:
Eliminated invalid header data.
Fixed Versions:
11.5.7, 11.6.3.3, 12.1.3.2, 13.0.1, 13.1.0.3
658716-1 : Failure of mcpd when closing out CMI connection
Links to More Info: BT658716
Component: TMOS
Symptoms:
The mcpd daemon fails with a segment fault (SIGSEGV) during teardown of connections with a high availability (HA) peer. The system logs messages similar to the following to /var/log/ltm:
warning mcpd[4822]: 01071aea:4: CMI heartbeat timer expired, status: 192.168.254.253.
Conditions:
-- Connection with HA peer node is discontinued.
-- Heartbeat timer expires.
Impact:
The mcpd daemon restarts, possibly resulting in other daemons restarting as well, with momentary disruption of control-plane operations.
Workaround:
There is no workaround at this time.
Fix:
The system now handles this condition, so the issue no longer occurs.
Fixed Versions:
13.1.3.5
658715-1 : Mcpd crash
Links to More Info: BT658715
Component: TMOS
Symptoms:
Mcpd crashes and generates a core file.
Conditions:
This can occur while making configuration changes to high availability (HA) configurations. This occurs rarely.
Impact:
The mcpd crashes and restarts. System operation paused while mcpd restarts.
Workaround:
None.
Fixed Versions:
13.1.3.5
658410-2 : icrd_child generates a core when calling PUT on ltm/data-group/internal/
Links to More Info: BT658410
Component: TMOS
Symptoms:
icrd_child generates a core file when calling PUT on ltm/data-group/internal/.
Conditions:
Calling PUT on ltm/data-group/internal/.
Impact:
The iControl REST API is temporarily not available for configuration queries or modifications.
Workaround:
There is no workaround at this time.
Fix:
icrd_child no longer cores when calling PUT on ltm/data-group/internal/.
Fixed Versions:
13.1.1.2
658382-2 : Large numbers of ERR_UNKNOWN appearing in the logs
Links to More Info: BT658382
Component: Local Traffic Manager
Symptoms:
There are times when the LTM Policy subsystem attempts to execute particular actions, which fail and result in LTM Policy writing an error to the logs with an error type of ERR_UNKNOWN.
Conditions:
This has been observed when plugins are active and experiencing high traffic volumes. The logging of ERR_UNKNOWN occurs when filters and plug-ins experience failures (such as out of memory) and react by initiating a reset of the connection. When these filters and plug-ins return an error to LTM Policy, LTM Policy logs ERR_UNKNOWN.
Impact:
This is a case of unnecessary logging, and there is no adverse effect other than a higher-than-normal amount of logging.
Workaround:
None.
Fixed Versions:
12.1.4.1, 13.1.1.5
658278-1 : Network Access configuration with Layered-VS does not work with Edge Client
Links to More Info: BT658278
Component: Access Policy Manager
Symptoms:
When Network Access is configured in virtual server-to-virtual server targeting, the Edge client cannot connect.
Conditions:
Network Access is configured as follows:
-- The external-client-facing virtual server has the SSL profile attached.
-- The internal virtual server has the Access profile and connectivity profile attached.
-- The external-client-facing virtual server has an iRule that forwards the HTTP requests to the internal virtual server.
Impact:
When Edge client connects, the external-client-facing virtual server issues a request for '/pre/config.php?version=2.0', and the Edge client hangs.
Workaround:
None.
Fix:
Network Access configuration with Layered-VS now works with Edge Client.
Fixed Versions:
11.6.4, 13.1.0.8, 14.0.0
657912-3 : PIM can be configured to use a floating self IP address
Links to More Info: BT657912
Component: TMOS
Symptoms:
Using PIM-Sparse Mode for multicast traffic with BGP for unicast routing/reverse path filtering may prevent PIM neighbor routers from switching from the RPT to the SPT.
Conditions:
-- PIM-Sparse Mode.
-- BGP.
-- Floating self IP address.
Impact:
Routers upstream and including BIG-IP will never receive PIM JOIN messages from the rendezvous point, which is required for traffic to switch from the RPT to the SPT. The sender's DR may continue to send traffic to the RP in register messages indefinitely.
Workaround:
Remove the floating self IP address from the traffic group or select a routing protocol that does not use it, such as OSPF.
Fix:
PIM can now send hello messages from a floating self IP address.
Behavior Change:
PIM can now send hello messages using a floating self IP address. Configure it in imish under the interface along with the PIM mode:
#imish
imish> enable
imish# configure terminal
imish(config)# interface external
imish(config-if)# ip pim use-floating-address
Upon failover, the previously active unit will send hellos from a non-floating self IP address, and the new active unit will begin sending hellos from the floating self IP address. No state is shared between the units; both will generate a new PIM generation ID, and the state of all multicast routes will be reset and need to reconverge.
Fixed Versions:
12.1.5.3, 13.1.3.5
656901-3 : MRF add 'existing_connection_only' and 'outgoing_connection_instance_seed' two iRule commands
Links to More Info: BT656901
Component: Service Provider
Symptoms:
Without the MRF 'existing_connection_only' iRule command, MRF forwards a new message either over an existing connection or by creating a new connection.
Without the MRF 'outgoing_connection_instance_seed' iRule command, the connection's instance number is generated from an internal originating connection ID, so requests from the same client IP with different source ports may end up on different outgoing connections.
Conditions:
These two iRule commands are not available.
Impact:
1. The existing connection is not always reused.
2. Requests from the same client IP with different source ports may use different outgoing connections.
Workaround:
There is no workaround at this time.
Fix:
MR::message existing_connections_only <boolean>: Gets or sets a flag that instructs MRF to forward the message only over existing connections; if no connection to the selected host exists, the route fails.
MR::message outgoing_connection_instance_seed <integer>: Gets or sets the seed used to generate the connection instance number, instead of deriving it from an internal originating connection ID (see the MR::connection_instance iRule command).
If the value supplied is larger than 32 bits, the 64-bit number is hashed down to a 32-bit number.
Fixed Versions:
13.1.0.4
656784-1 : Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM
Links to More Info: K98510679 , BT656784
Component: Access Policy Manager
Symptoms:
After upgrading to Windows 10 Creators Update (version 1703), when attempting to connect to a remote desktop through APM with the Remote Desktop Gateway (RDG) feature, the remote desktop client is not able to authenticate and connect.
The Windows 10 version 1703 RDP client uses the Negotiate HTTP authentication scheme, while APM requires the NTLM scheme for RD Gateway.
Conditions:
-- You are accessing Microsoft Remote Desktop through BIG-IP APM using the Remote Desktop Gateway (RDG) feature.
-- You upgrade to Windows 10 Creators Update (version 1703).
Impact:
Remote desktop client is not able to authenticate and connect to the desktop.
Workaround:
Use either of the following workarounds:
-- Force the Windows RDP client to use NTLM authentication scheme (instead of Negotiate) by setting Group Policy 'User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\RD Gateway\Set RD Gateway authentication method' to 'Ask for credentials, use NTLM protocol'.
-- Use the following iRule to convert Negotiate to NTLM:
when HTTP_REQUEST {
    # RD Gateway tunnel requests use HTTP methods prefixed with "RDG_"; leave all other traffic untouched.
    set is_rdg_request [expr { [HTTP::method] starts_with "RDG_" }]
    if {!$is_rdg_request} { return; }
    # The version 1703 client sends a Negotiate token; present it to APM as NTLM.
    set auth [HTTP::header Authorization]
    set is_nego_auth [expr { $auth contains "Negotiate" }]
    if { $is_nego_auth } {
        set auth [string map {"Negotiate" "NTLM"} $auth]
        HTTP::header replace Authorization $auth
    }
}
when HTTP_RESPONSE_RELEASE {
    # Only touch responses for requests that were converted above.
    if {!$is_rdg_request || !$is_nego_auth} { return; }
    # Map the NTLM challenge back to Negotiate so the client recognizes it.
    catch {
        set auth [HTTP::header WWW-Authenticate]
        if { $auth contains "NTLM" } {
            set auth [string map {"NTLM" "Negotiate"} $auth]
            HTTP::header replace WWW-Authenticate $auth
        }
    }
}
Fix:
After upgrading to Windows 10 Creators Update (version 1703), the RDP client can still authenticate and connect via APM used as RD Gateway.
Fixed Versions:
12.1.4.1, 13.1.1.5, 14.0.0
655233-2 : DNS Express using wrong TTL for SOA RRSIG record in NoData response
Links to More Info: K93338593 , BT655233
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express returns an incorrect TTL for the SOA RRSIG record in a NoData response.
Conditions:
-- DNS Express configured.
-- A query that results in a NoData response and DNSSEC signing requested.
Impact:
This brings the behavior in line with RFC2308. There is no known functional impact.
Workaround:
There is no workaround.
Fix:
The TTL of the RRSIG record now matches the TTL of the covered SOA record.
Fixed Versions:
12.1.3.1, 13.1.0.2
653976-4 : SSL handshake fails if server certificate contains multiple CommonNames
Links to More Info: K00610259 , BT653976
Component: Local Traffic Manager
Symptoms:
SSL server side handshake fails when the external server certificate's Subject field contains multiple CommonNames.
Conditions:
This issue occurs when both of the following conditions are met:
-- The external server certificate's Subject field contains multiple CommonNames.
-- The certificate does not contain subjAltName extension (or if it does, the same names are not included in the subjAltName's dNSName list).
Impact:
Connection with external server cannot be established. In case of forward proxy, bypass or intercept will fail.
Workaround:
In case of forward proxy bypass, configure IP address bypass instead of hostname bypass since IP address bypass check happens before SSL handshake.
The second option is to update the external server's certificate to include the list of CommonNames in subjAltName extension as dNSName.
Fix:
The system now checks all CommonNames in a certificate's Subject field instead of checking only the longest one in length.
Fixed Versions:
12.1.3.4, 13.1.0.6
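The name-matching behaviour this entry describes, as an added example that is not F5's code: a small server-identity check (names and function signatures are assumptions) that contrasts the pre-fix path, which compares only the longest CommonName, with the fixed path that considers every CN, and also applies the usual rule that dNSName SAN entries take precedence over the Subject when present (RFC 6125), which is what the second workaround in the entry relies on. The certificate identities are constructed sample values.

```python
def dns_name_matches(reference, hostname):
    """RFC 6125-style comparison: case-insensitive, trailing dots ignored, and a
    wildcard only as the complete left-most label (never matching across dots)."""
    reference = reference.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if reference == hostname:
        return True
    if not reference.startswith("*."):
        return False
    ref_labels = reference.split(".")
    host_labels = hostname.split(".")
    # "*.example.test" must not match "example.test" or "a.b.example.test",
    # and a wildcard directly under a top-level label ("*.com") is refused.
    if len(ref_labels) < 3 or len(host_labels) != len(ref_labels):
        return False
    return ref_labels[1:] == host_labels[1:]


def candidate_names(subject_cns, san_dns_names):
    """Names allowed to identify the server: dNSName SAN entries when the
    certificate carries any; otherwise fall back to the Subject CommonNames."""
    return list(san_dns_names) if san_dns_names else list(subject_cns)


def verify_longest_cn_only(hostname, subject_cns, san_dns_names):
    """Pre-fix behaviour this entry describes: on the CN fallback path only the
    longest CommonName is compared, so a Subject with several CNs can fail."""
    if san_dns_names:
        candidates = list(san_dns_names)
    else:
        candidates = [max(subject_cns, key=len)] if subject_cns else []
    return any(dns_name_matches(c, hostname) for c in candidates)


def verify_all_cns(hostname, subject_cns, san_dns_names):
    """Fixed behaviour: every CommonName in the Subject is a candidate."""
    return any(dns_name_matches(c, hostname)
               for c in candidate_names(subject_cns, san_dns_names))


def demo_hostname_check():
    # Constructed sample certificate identity (not a real certificate).
    cns = ["portal.example.test", "app.example.test"]
    no_san = []
    san = ["portal.example.test", "*.internal.example.test"]
    return {
        # Multiple CNs, no SAN: the bug misses the shorter CN, the fix finds it.
        "buggy_app": verify_longest_cn_only("app.example.test", cns, no_san),
        "fixed_app": verify_all_cns("app.example.test", cns, no_san),
        # With SANs present the CNs are ignored, so the SAN list must be complete.
        "san_app": verify_all_cns("app.example.test", cns, san),
        "san_wildcard": verify_all_cns("db.internal.example.test", cns, san),
        "san_wildcard_too_deep": verify_all_cns("x.db.internal.example.test", cns, san),
    }


if __name__ == "__main__":
    print(demo_hostname_check())
```

The "san_app" case shows why the second workaround has to list every name as a dNSName: once a SAN extension is present, a CN that is missing from it no longer counts.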
653759-1 : Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update
Links to More Info: BT653759
Component: TMOS
Symptoms:
Chassis Variant number is not specified when checking the log file /var/log/ltm, for example:
#grep queryFDD /var/log/ltm
...debug chmand[12982]: 012a0007:7: queryFDD returned 1 items for: update|F100|||NONE|NONE|NONE|0x0
This should contain the Variant number 400-0028-04, as follows:
...debug chmand[32663]: 012a0007:7: queryFDD returned 1 items for: update|F100|400-0028-04||NONE|NONE|NONE|0x0
Conditions:
-- B2100/B2150/B2200 blade in C2200/C2400 chassis.
-- Checking for the Chassis Variant number.
Impact:
This has no impact, since there are no Variants currently defined for the C2200/C2400 chassis.
Workaround:
There is no workaround at this time.
Fix:
Chassis Variant number is printed out as expected in the log file.
Fixed Versions:
12.1.3.5, 13.1.1
653573-4 : ADMd not cleaning up child rsync processes
Links to More Info: BT653573
Component: Anomaly Detection Services
Symptoms:
ADMd daemon on the device is spinning up rsync processes and not cleaning them up properly, which can result in zombie processes.
Conditions:
The rsync process ends via exit (which might occur if there is an issue with the process).
Impact:
Although there is no technical impact, there are many zombie processes left behind.
Workaround:
Restart admd to remove all existing rsync zombies:
bigstart restart admd
Fix:
admd now handles the SIGCHLD signal from rsync, so the issue no longer occurs.
Fixed Versions:
13.1.1.4, 14.0.0.5, 14.1.0.6, 14.1.2.3
653210-1 : Rare resets during the login process
Links to More Info: BT653210
Component: Access Policy Manager
Symptoms:
On rare occasions, the login process resets and a NULL result message is logged in /var/log/apm:
-- notice tmm[18397]: 01490505:5: /Common/ltm-apm_main_irules:Common:448568c9: Get license - Unexpected NULL session reply. Resetting connection.
Conditions:
A race condition allows license information to be processed out of order.
Impact:
The system resets the client connection attempt. The APM end user client must retry the login process.
Workaround:
Have the APM end user client retry the login operation.
Fixed Versions:
13.1.3.2, 14.1.2.4
653201-2 : Update the default CA certificate bundle file to the latest version and remove expiring certificates from it
Links to More Info: BT653201
Component: Local Traffic Manager
Symptoms:
The default CA certificate bundle file used by the system contains some older certificates, e.g., expired or soon-to-expire ones.
Conditions:
If the default CA certificate bundle file is configured in SSL profiles, it is used as a set of built-in trusted certificates when verifying peer's certificate during SSL handshake.
Impact:
When the built-in trusted certificates are obsolete, i.e., the bundle contains a certain number of expired certificates, the system might fail to verify the peer's certificate correctly.
Workaround:
You can either directly update the default CA certificate bundle file /config/ssl/ssl.crt/ca-bundle.crt with proper certificates and then run 'bigstart restart tmm', or install a separate certificate bundle and reference it from the SSL profile, for example:
tmsh install sys crypto cert better_ca_bundle from-local-file /shared/better_ca_bundle.pem
tmsh modify ltm profile client-ssl cssl ca-file better_ca_bundle.crt
Fix:
This release updates the default CA certificate bundle file by adding the latest certificates and removing the expired certificates.
Fixed Versions:
13.1.0.8
652877-5 : Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
Links to More Info: BT652877
Component: TMOS
Symptoms:
All services on one or all secondary blades in a VIPRION chassis restart, and MCPD logs errors similar to the following:
-- err mcpd[9063]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)
-- err mcpd[9063]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3:Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)... failed validation with error 17237812.
In versions prior to v11.6.0, the error is: 'Can't save/checkpoint DB object,' rather than 'Can't update_indexes/checkpoint DB object'.
Conditions:
Multi-bladed VIPRION system, where the 'if-index' value for VLANs differs between blades.
You can check the 'if-index' value by running the following command on each blade: tmsh list net vlan all if-index.
Impact:
MCPD restart on all secondary blades results in partial service outage.
Workaround:
Reactivate the license only on a system that is standby/offline.
Fix:
Reactivating the license on a VIPRION system no longer causes MCPD process restart on one or all secondary blades.
Fixed Versions:
11.5.9, 11.6.4, 12.1.4, 13.1.1.2
652502-2 : SNMP queries return 'No Such Object available' error for LTM OIDs
Links to More Info: BT652502
Component: TMOS
Symptoms:
When the BIG-IP system starts with an expired license, SNMP queries for LTM-related OIDs fail with an error:
No Such Object available on this agent at this OID.
If you re-activate the license or install a new one, the snmpd process is not notified of the change to the license, so it still fails and reports that error message.
The failures recur until the snmpd process is restarted.
Conditions:
The BIG-IP system starts with an expired license.
A new/updated license is activated/reactivated.
Impact:
SNMP queries to LTM OIDs (e.g., ltmRst and ltmVirtual) do not return any data.
Workaround:
After the license is reactivated or a new one installed, restart the snmpd process:
# bigstart restart snmpd
Fixed Versions:
13.1.1.4, 14.1.3.1
651413-4 : tmsh list ltm node does not return an error when node does not exist
Links to More Info: K34042229 , BT651413
Component: TMOS
Symptoms:
TMSH does not post an error message in response to the tmsh command to list a specific, non-existent LTM node, or when listing a set of non-existent nodes using regular expressions.
Conditions:
-- Running the command: tmsh list ltm node.
-- Running a regular expression to list a set of nodes.
-- The specified node does not exist.
Impact:
The command produces no output or error message. No indication of why there is no output, nor is there a description of the possible error condition.
Workaround:
None.
Fix:
TMSH now posts the appropriate node-not-found error message when the command tmsh list ltm node is run for LTM nodes that do not exist.
Fixed Versions:
12.1.3.4, 13.1.1.2
649205-1 : Failure of mcpd during setup of HA communication
Links to More Info: BT649205
Component: TMOS
Symptoms:
-- The mcpd daemon exits and generates a core file.
-- Communication fails between high availability (HA) peers.
Conditions:
This can occur while making configuration changes to HA configurations.
Impact:
The mcpd crashes and restarts. System operation pauses while mcpd restarts. HA (CMI) communication is not established.
Workaround:
None.
Fixed Versions:
13.1.3.5
649161-2 : AVR caching mechanism not working properly
Links to More Info: K42340304 , BT649161
Component: Application Visibility and Reporting
Symptoms:
The AVR caching mechanism fails to store dimension-based queries properly, which leads to incorrect reports.
Conditions:
Using AVR caching mechanism (turned-on by default).
Impact:
Reports will be incorrect.
Workaround:
Using the following TMSH command should solve the problem:
tmsh modify sys db avr.requestcache value disable
Note: disabling the request cache might cause AVR to perform slightly slower.
Fix:
The system no longer stores the dimension-based queries in the AVR cache.
Fixed Versions:
12.1.3.2, 13.1.0.8
648802-1 : Required custom AVPs are not included in an RAA when reporting an error.
Links to More Info: BT648802
Component: Policy Enforcement Manager
Symptoms:
Custom Attribute-Value-Pairs (AVPs) defined on the system will not be visible in a Re-Auth-Answer (RAA).
Conditions:
This occurs when the following conditions are met:
-- PEM enabled with Gx.
-- Custom AVPs configured.
-- PEM responds with an error code in an RAA against a Policy and Charging Rules Function (PCRF) triggered action.
Impact:
Lack of custom AVPs in such an RAA may result in loss of AVP dependent service.
Workaround:
There is no workaround at this time.
Fix:
Custom AVPs are now included in an RAA regardless of the error code.
Fixed Versions:
12.1.3.6, 13.1.0.6, 14.0.0.3
648766-2 : DNS Express responses missing SOA record in NoData responses if CNAMEs present
Links to More Info: K57853542 , BT648766
Component: Global Traffic Manager (DNS)
Symptoms:
A valid NoData response can contain CNAMEs if a partial chase occurred without final resolution. DNS Express is not including the expected SOA record in this scenario.
Conditions:
-- DNS Express configured.
-- Partial CNAME chase resulting in incomplete resolution.
Impact:
A valid DNS response with a partial chase but missing the SOA record may not be considered authoritative due to the missing record.
Workaround:
None.
Fix:
The SOA record is now included as appropriate.
Fixed Versions:
12.1.3.1, 13.1.0.2
648621-5 : SCTP: Multihome connections may not expire
Links to More Info: BT648621
Component: TMOS
Symptoms:
SCTP: Multihomed connections may not expire after they are forcibly deleted.
Conditions:
Multihomed SCTP connections are forcibly deleted using a tmsh command.
Impact:
The multihomed connections do not expire.
Workaround:
Do not manually delete multihomed SCTP connections.
Fixed Versions:
11.6.5.3, 12.1.5.2, 13.1.3.4, 14.1.2.1, 15.0.1.4
648320-5 : Downloading via APM tunnels could experience performance degradation.
Links to More Info: K38159538 , BT648320
Component: Local Traffic Manager
Symptoms:
Multiple DTLS records can be packed into one UDP packet. When the packet size is too large, the packet may be fragmented at the IP layer. This causes a high number of packet drops and therefore performance degradation.
Conditions:
When downloading using APM tunnels.
Impact:
High number of packet drops and inferior performance.
Workaround:
None.
Fix:
One DTLS record is now contained in each UDP packet to avoid packet fragmentation.
Fixed Versions:
11.6.3.2, 12.1.3.4, 13.0.1, 13.1.0.6
648270-3 : mcpd can crash if viewing a fast-growing log file through the GUI
Links to More Info: BT648270
Component: TMOS
Symptoms:
If the GUI tries to display a log file that is actively growing by thousands of log entries per second, the GUI might hang, and mcpd could run out of memory and crash.
Conditions:
The GUI tries to display a log file that is actively growing by thousands of log entries per second.
Impact:
mcpd crashes, and it and tmm restart. Traffic disrupted while tmm restarts.
Workaround:
Do not use the GUI to view a log file that is growing by thousands of log entries per second.
Fixed Versions:
11.6.5.2, 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.0.6
648242-2 : Administrator users unable to access all partitions via TMSH for AVR reports
Links to More Info: K73521040 , BT648242
Component: Application Visibility and Reporting
Symptoms:
Querying AVR reports through tmsh can fail when the query contains partition-based entities, even for an administrator user (who should have permissions to all partitions).
Conditions:
Querying partition-based statistics through tmsh as an administrator user.
Impact:
AVR reports via tmsh fail when they use partition-based entities.
Workaround:
None.
Fix:
Administrator users can now access all partitions when querying.
Fixed Versions:
12.1.3.2, 13.1.0.8, 14.0.0.5, 14.1.4, 15.1.2.1, 16.0.1.1
646615-2 : Improved default storage size for DNS Express database
Links to More Info: BT646615
Component: Global Traffic Manager (DNS)
Symptoms:
A tweak has been made to the DNS Express database to improve the initial database size.
Conditions:
DNS Express with configured zones.
Impact:
Possibly reduced database size.
Workaround:
N/A as this is an improvement.
Fix:
A tweak has been made to the DNS Express database to improve the initial database size.
Fixed Versions:
12.1.3.1, 13.1.0.2
645615-6 : zxfrd may fail and restart after multiple failovers between blades in a chassis.
Links to More Info: K70543226 , BT645615
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.
Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.
Impact:
zxfrd will create a core file and restart, picking up where it left off.
Workaround:
None.
Fix:
The cause of the failure is now addressed.
Fixed Versions:
11.5.7, 11.6.3, 12.1.3.1, 13.1.0.2
644192-6 : Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN
Links to More Info: K23022557 , BT644192
Component: Global Traffic Manager (DNS)
Symptoms:
Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN.
Conditions:
A CNAME wide IP and a DNS Express (dnx) zone for the parent domain.
For example, a CNAME wide IP for www.siterequest.com and a dnx zone for siterequest.com.
Impact:
Caching resolvers will remember NXDOMAIN for the entire name, so clients talking to those caches and asking for A/AAAA records may actually get NXDOMAIN responses until the negative cache expires.
Workaround:
Option 1: Create a related "www.siterequest.com" TXT record in ZoneRunner.
Option 2: Attach an iRule similar to the following to the LTM virtual server:
when DNS_RESPONSE {
    # Only touch responses for the CNAME wide IP name.
    if { [DNS::question name] eq "www.siterequest.com" } {
        # Turn the spurious NXDOMAIN into NOERROR (NODATA) so that caching
        # resolvers do not negatively cache the whole name, and drop the
        # authority section that carried the negative answer.
        if { [DNS::header rcode] eq "NXDOMAIN" } {
            DNS::header rcode NOERROR
            DNS::authority clear
            return
        }
    }
}
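To confirm on a given listener whether an MX query for the CNAME wide IP comes back NXDOMAIN (the symptom) or NOERROR with an empty or CNAME-only answer (the expected behavior, and what the iRule above produces), the following Python script is an added example; it is not part of the F5 release note and not BIG-IP code. It builds a minimal DNS query with the standard library and parses the reply header and answer section. build_reply only constructs sample replies for offline testing; the listener address 192.0.2.53 and the CNAME target gslb.siterequest.com are assumptions.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPE = {"A": 1, "CNAME": 5, "SOA": 6, "MX": 15, "AAAA": 28, "ANY": 255}


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """One-question query with RD set, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def build_reply(name, qtype, rcode, answers=(), txid=0x1234):
    """Constructed reply for offline testing only (not captured from a BIG-IP).
    answers is a list of (rtype_name, rdata_bytes) records owned by the query name."""
    flags = 0x8180 | rcode                    # QR, RD, RA plus the rcode
    pkt = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    pkt += encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    for rtype, rdata in answers:
        pkt += encode_name(name) + struct.pack("!HHIH", QTYPE[rtype], 1, 30, len(rdata)) + rdata
    return pkt


def skip_name(buf, off):
    """Offset just past a wire-format name, which may end in a 2-byte compression pointer."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_reply(buf):
    """Return the rcode name, the answer-section record types and the authority count."""
    _txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4         # skip QTYPE and QCLASS
    types = []
    for _ in range(an):
        off = skip_name(buf, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    code = flags & 0xF
    return {"rcode": RCODES.get(code, str(code)), "answer_types": types, "authority": ns}


def diagnose(buf):
    """Verdict for a reply about a name that is known to exist (a CNAME wide IP)."""
    r = parse_reply(buf)
    if r["rcode"] == "NXDOMAIN":
        return "bug: NXDOMAIN for an existing name; caches will negatively cache it (644192-6)"
    if r["rcode"] != "NOERROR":
        return "other: " + r["rcode"]
    if not r["answer_types"]:
        return "ok: NOERROR with an empty answer section (NODATA)"
    if all(t == QTYPE["CNAME"] for t in r["answer_types"]):
        return "ok: NOERROR, only the CNAME is returned (NODATA for the queried type)"
    return "ok: NOERROR with %d answer record(s)" % len(r["answer_types"])


def probe(server, name, qtype="MX", port=53, timeout=3.0):
    """Send one UDP query to a DNS listener and return diagnose() of the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, port))
        data, _ = s.recvfrom(4096)
    return diagnose(data)


if __name__ == "__main__":
    # 192.0.2.53 stands in for your BIG-IP DNS listener (assumption).
    print(probe("192.0.2.53", "www.siterequest.com", "MX"))
```

Run it once before and once after applying the workaround (or setting the gtm.allownxdomainoverride DB key on a fixed version); the verdict should change from "bug" to "ok". The parser stops after the answer section on purpose: the rcode and whether the answer is empty or CNAME-only are what decide whether a caching resolver will poison itself for the whole name.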
Fix:
A new DB key, 'gtm.allownxdomainoverride', has been added to allow configuring the BIG-IP DNS system to respond with a NOERROR response.
Fixed Versions:
11.6.5.3, 13.1.5, 14.1.3.1, 15.1.2, 16.0.1.1
643935-2 : Rewriting may cause an infinite loop while processing some objects
Links to More Info: BT643935
Component: Access Policy Manager
Symptoms:
Browser might become unresponsive when the end user client attempts to access a page containing specific script constructions through Portal Access.
Conditions:
The client application code contains an object that includes a toString() method and property names similar to ones from the JavaScript builtin Location interface.
Impact:
Browser becomes unresponsive when accessing the page through Portal Access.
Workaround:
None.
Fix:
None.
Fixed Versions:
13.1.3.2, 14.0.1.1, 14.1.2.3
643455-1 : Update TTL for equally trusted records only
Links to More Info: BT643455
Component: Global Traffic Manager (DNS)
Symptoms:
A domain name in a child server's zone may continue to be resolved via the child server even after the parent server revokes the NS record for the child server.
Conditions:
* Steady series of DNS queries for a domain name in the child server.
* The TTL of the domain name's A record is shorter than the TTL of the NS record for the child name server.
* The NS record is removed from the parent server.
Impact:
The resolver continues to use the child server after its NS record has been revoked.
Workaround:
Restart the TMM to clear out the cache.
Fix:
The TTL is updated for equally trusted records only.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5
642923-6 : MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system
Links to More Info: BT642923
Component: TMOS
Symptoms:
mcpd may time out and be killed by the sod watchdog, causing mcpd to restart.
Conditions:
Certain operations, under certain conditions, on certain platforms, may take longer to complete than the mcpd heartbeat timeout (300 seconds). When that happens, the system considers mcpd unresponsive, and will kill mcpd before it has finished its task, resulting in this issue.
There are a number of ways that this issue may manifest.
For example, the default mcpd heartbeat timeout might be reached when loading a configuration file with a large number* of file objects configured (e.g., SSL certificates and keys, data-groups, APM customizations, EPSEC file updates, external monitors, or other data present in the filestore (/config/filestore)).
*Note: Depending on the operations mcpd is performing, the performance of the hardware, the speed of disk access, and other potential factors, 3,000 is a rough estimate of the number of filestore objects that might cause this issue to occur.
Impact:
mcpd restarts, which causes a system to go offline and restart services.
Workaround:
To prevent the issue from occurring, you can temporarily disable the heartbeat timeout using the following command:
modify sys daemon-ha mcpd heartbeat disable
Important: Disabling the heartbeat timer means that, should the mcpd process legitimately become unresponsive, the system will not automatically restart mcpd to recover.
Note: If you have a large number of objects (more than 3,000) in the filestore, and are able to reduce this by deleting their related configuration objects, you may be able to work around the issue.
To determine the specific cause of the issue, you can open a support case with F5, to inspect the resulting mcpd core file.
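Because the 3,000-object figure is only an estimate, it helps to know how many filestore objects a unit actually carries, and which object types dominate, before a planned configuration load. The following Python script is an added example, not F5 code: it counts files under /config/filestore by their containing directory and prints the workaround commands from this entry when the count is at or above the threshold. The filestore layout (files_d/<partition>_d/<type>_d/<object>) and the re-enable command are assumptions; SAMPLE_PATHS is a constructed list used only for the offline check.

```python
import os

# Figures quoted in the release note.
FILESTORE_ROOT = "/config/filestore"
HEARTBEAT_SECONDS = 300
OBJECT_THRESHOLD = 3000

# Constructed sample paths in the usual filestore layout (an assumption about the
# layout, not copied from a real system): files_d/<partition>_d/<type>_d/<object>.
SAMPLE_PATHS = [
    "/config/filestore/files_d/Common_d/certificate_d/:Common:app1.crt_1001_1",
    "/config/filestore/files_d/Common_d/certificate_d/:Common:app2.crt_1002_1",
    "/config/filestore/files_d/Common_d/certificate_d/:Common:ca.crt_1003_1",
    "/config/filestore/files_d/Common_d/certificate_key_d/:Common:app1.key_1004_1",
    "/config/filestore/files_d/Common_d/certificate_key_d/:Common:app2.key_1005_1",
    "/config/filestore/files_d/Common_d/data_group_d/:Common:blocklist_1006_1",
]


def filestore_paths(root=FILESTORE_ROOT):
    """Every regular file below root, as a full path."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def bucket_paths(paths):
    """Count files by the directory holding them (certificate_d, certificate_key_d, ...)."""
    counts = {}
    for path in paths:
        bucket = os.path.basename(os.path.dirname(path)) or "."
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


def assess(counts, threshold=OBJECT_THRESHOLD):
    """Is the object count in the range where mcpd can outrun its heartbeat?"""
    total = sum(counts.values())
    largest = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:5]
    advice = []
    if total >= threshold:
        advice.append("%d objects is at or above the ~%d estimate; mcpd may exceed its %d s heartbeat on load"
                      % (total, threshold, HEARTBEAT_SECONDS))
        advice.append("Largest buckets: " + ", ".join("%s=%d" % kv for kv in largest))
        advice.append("Before loading, run: tmsh modify sys daemon-ha mcpd heartbeat disable")
        advice.append("Afterwards run the inverse (assumed): tmsh modify sys daemon-ha mcpd heartbeat enable")
    return {"total": total, "at_risk": total >= threshold, "largest": largest, "advice": advice}


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else FILESTORE_ROOT
    result = assess(bucket_paths(filestore_paths(root)))
    print("%d filestore objects under %s" % (result["total"], root))
    for line in result["advice"]:
        print(" - " + line)
```

Run it as root on the unit (or point it at a copied filestore tree with the first argument). The per-directory breakdown is what makes the "delete related configuration objects" advice actionable: it tells you whether the bulk is stale certificates, data groups or something else.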
Fix:
A possible case where mcpd goes too long without updating the heartbeat has been fixed by replacing one algorithm with a more efficient one.
Fixed Versions:
12.1.4, 13.1.1.2
642068-4 : PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
Links to More Info: BT642068
Component: Policy Enforcement Manager
Symptoms:
PEM sessions stay in the marked-for-delete state if CCR-T times out.
Conditions:
This occurs if PCRF does not respond to CCR-T packets from the BIG-IP system during session termination.
Impact:
PEM sessions remain in the marked-for-delete state.
Workaround:
Configure the required timeout value in the sys db variable tmm.pem.session.timeout.endpointdeleteresponse.
Note: The value must be greater than 0 (zero).
Fix:
PEM sessions no longer stay in the marked-for-delete state if CCR-T times out.
Fixed Versions:
11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4
641450-5 : A transaction that deletes and recreates a virtual may result in an invalid configuration
Links to More Info: K30053855 , BT641450
Component: TMOS
Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.
Config load error:
01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.
Configuration-change-time error in /var/log/ltm:
err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>
Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).
Impact:
The configuration fails to load on a subsequent load.
Traffic fails to pass, because TMM rejects the configuration.
Workaround:
Within tmsh, use 'profiles replace-all-with' to change the virtual server's profile list.
Within iControl REST, use three separate calls:
1. Delete virtual server.
2. Create virtual server (with an empty profile list).
3. Modify the virtual server's profile list.
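The iControl REST variant of the workaround, as an added Python example (not F5 code): plan_recreate() returns the three calls in the prescribed order, and apply_plan() issues them one at a time over HTTPS with Basic authentication. The calls are deliberately not wrapped in an iControl REST transaction, since a transaction is what triggers the invalid in-memory configuration. The host, credentials, virtual server name, destination and profile names are placeholders; the request field names follow the usual iControl REST camel-casing of tmsh properties.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request

VIRTUAL_COLLECTION = "/mgmt/tm/ltm/virtual"


def plan_recreate(name, destination, profiles, partition="Common", ip_protocol="tcp"):
    """The three separate calls from the workaround, in order: delete, create with an
    empty profile list, then set the profile list. They are deliberately not wrapped
    in an iControl REST transaction (no X-F5-REST-Coordination-Id header), because
    doing it inside one transaction is what yields the invalid in-memory config."""
    item = "%s/~%s~%s" % (VIRTUAL_COLLECTION, partition, name)
    return [
        ("DELETE", item, None),
        ("POST", VIRTUAL_COLLECTION, {
            "name": name,
            "partition": partition,
            "destination": destination,
            "ipProtocol": ip_protocol,
            "profiles": [],
        }),
        ("PATCH", item, {"profiles": [{"name": p} for p in profiles]}),
    ]


def apply_plan(host, user, password, plan, verify_tls=True):
    """Run the plan over HTTPS with Basic auth and return (status, body) per call.
    A 404 on the DELETE (virtual already absent) is tolerated; any other error stops
    the sequence so a half-applied change is visible rather than silently skipped."""
    ctx = ssl.create_default_context()
    if not verify_tls:                       # only for lab units with self-signed certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    results = []
    for method, path, body in plan:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request("https://%s%s" % (host, path), data=data, method=method)
        req.add_header("Authorization", "Basic " + token)
        req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                results.append((resp.status, resp.read().decode()))
        except urllib.error.HTTPError as err:
            if method == "DELETE" and err.code == 404:
                results.append((404, "virtual server did not exist"))
                continue
            raise
    return results


if __name__ == "__main__":
    # Object names, host and credentials below are placeholders (assumptions).
    steps = plan_recreate("vs_icr_test", "/Common/10.0.0.1:80", ["/Common/tcp", "/Common/http"])
    for method, path, body in steps:
        print(method, path, json.dumps(body))
    # apply_plan("bigip.example.net", "admin", "password", steps)
```

Keeping the plan separate from its execution lets you review exactly what will be sent, and makes the ordering (delete, create with no profiles, then patch the profiles) explicit in code rather than buried in a transaction body.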
Fixed Versions:
12.1.5.1, 13.1.3.4, 14.1.2.5
641101-7 : httpd security and bug fix update CVE-2016-8743
Links to More Info: K00373024
639619-5 : UCS may fail to load due to Master key decryption failure on EEPROM-less systems
Links to More Info: BT639619
Component: TMOS
Symptoms:
The following error:
'Symmetric Unit Key decrypt failure - decrypt failure'
is logged to /var/log/ltm when attempting to load a UCS.
The configuration then fails to load because of the secure-attribute decryption failure.
Conditions:
1. UCS contains secure attributes.
2. UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS.
4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)
Impact:
The configuration fails to load.
Workaround:
Perform the following procedure:
1. Stop the system:
# bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS
4. Remove the mcp db to forcibly reload the keys:
# rm -f /var/db/mcpd.bin
# rm -f /var/db/mcpd.info
5. Restart the system and reload the configuration:
# bigstart start
# tmsh load sys config
or
# reboot
Fix:
The system now always reloads the .unitkey from storage when loading other keys, so the UCS loads as expected.
Fixed Versions:
11.6.4, 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
638091-6 : Config sync after changing named pool members can cause mcpd on secondary blades to restart
Links to More Info: BT638091
Component: TMOS
Symptoms:
After performing a ConfigSync, mcpd restarts and the following error is seen in /var/log/ltm:
01070734:3: Configuration error: Invalid mcpd context, folder not found <foldername>
Conditions:
- Chassis cluster with at least two blades
- sync-failover device group set to full-sync and auto-sync disabled
- Changing a named pool-member in non-default partition without syncing between delete and create
Impact:
Secondary blades do not process traffic while they restart.
Workaround:
To prevent blade restart, follow the workaround in K16592: ConfigSync may fail when deleting and recreating a pool member with a node name set (https://support.f5.com/csp/article/K16592).
To work around this issue, you can synchronize the configuration just after deleting the pool member and node, before re-creating the pool member. To do so, perform the following procedure:
Impact of workaround: Performing the following procedure may impact client connectivity to the node. You should perform this procedure only during a maintenance window.
1. Log in to the BIG-IP system Configuration utility.
2. Navigate to Local Traffic :: Pools, and select the Pool with the member you want to delete.
3. From the top of the menu, click Members.
4. Select the checkbox next to the pool member you want to delete, and click Remove.
5. Navigate to Local Traffic :: Nodes.
6. Select the checkbox next to the node with the same name, and click Delete.
7. Navigate to Device Management :: Overview.
8. Select the local device by hostname (self).
9. Click the Sync option.
10. If the ConfigSync was successful, you may now re-create the pool member.
Fix:
Config sync after changing named pool members no longer causes mcpd on secondary blades to restart.
Fixed Versions:
12.1.4, 13.1.1.2
636997-1 : big3d may crash
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data
Conditions:
GTM enabled
Impact:
iQuery connection may be reset
Workaround:
None
Fix:
big3d processes GTM data as expected
Fixed Versions:
13.1.0.4
636994-1 : big3d may crash
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data
Conditions:
GTM enabled
Impact:
iQuery connection may be reset
Workaround:
None
Fix:
big3d processes GTM data as expected
Fixed Versions:
13.1.0.4
636992-1 : big3d may crash
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data
Conditions:
GTM enabled
Impact:
iQuery connection may be reset
Workaround:
None
Fix:
big3d processes GTM data as expected
Fixed Versions:
13.1.0.4
636982-1 : big3d may crash
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data
Conditions:
GTM enabled
Impact:
iQuery connection may be reset
Workaround:
None
Fix:
big3d processes GTM data as expected
Fixed Versions:
13.1.0.4
636842-3 : A FastL4 virtual server may drop a FIN packet when mirroring is enabled
Links to More Info: K51472519 , BT636842
Component: Local Traffic Manager
Symptoms:
A FastL4 virtual server may drop a FIN packet when mirroring is enabled.
Conditions:
- The virtual server uses the FastL4 profile.
- The virtual server performs mirroring.
- The tm.fastl4_ack_mirror db key is enabled (default).
- The client or the server sends a FIN packet, immediately followed by a RST packet.
Impact:
The BIG-IP system forwards the RST packet but not the FIN packet.
Because the RST sent by one of the TCP endpoints has its sequence number advanced by 1 to account for the FIN, the other TCP endpoint may not accept the RST, as it never saw the FIN.
This issue is exacerbated if the FIN packet also carries application data (for example, if it is actually a FIN,PSH,ACK packet). In this case, the other TCP endpoint never sees the application data contained within the packet, and the sequence number in the RST will be off by more than just 1.
Ultimately this can cause application failures and also the two connection flows to stall for some time.
Workaround:
To work around this issue, do one of the following:
1) Disable mirroring for the virtual server (but this comes with a loss of functionality, which may not be acceptable).
or
2) Disable the tm.fastl4_ack_mirror db key (but this would affect all FastL4 virtual servers performing mirroring on the box).
Fix:
A FastL4 virtual server no longer drops a FIN packet when mirroring is enabled.
Fixed Versions:
12.1.5.1, 13.1.3.2, 14.1.2.5
636453-9 : OpenSSH vulnerability CVE-2016-10009
Links to More Info: K31440025
635509-1 : APM does not support VMware's Blast UDP
Links to More Info: BT635509
Component: Access Policy Manager
Symptoms:
APM does not support the Blast Extreme Adaptive Transport (BEAT) protocol, which is required for Blast UDP.
Conditions:
1. VMware View Connection Server is configured for Blast UDP.
2. The client attempts Blast UDP.
Impact:
Because APM does not support Blast UDP, the VMware Horizon Client always uses TCP transport, even when network conditions would make UDP transport more efficient.
Workaround:
None
Fix:
APM now adds support for Blast Extreme Adaptive Transport protocol, which in turn enables Blast UDP.
Fixed Versions:
13.1.1.3
635191-2 : Under rare circumstances TMM may crash
Links to More Info: BT635191
Component: Local Traffic Manager
Symptoms:
tmm crash and BIG-IP failover.
Conditions:
There are no known, reproducible conditions under which this occurs. However, the tmm restart happens once, and then does not recur. The only way to determine that the issue exists is through a review of the core stack, which must be completed by F5 Support.
Impact:
tmm restart and failover. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The tmm restart and failover no longer occur.
Fixed Versions:
12.1.3.7, 13.1.1.2, 14.0.0
633441-1 : Datasync Background Tasks running even without features requiring it
Links to More Info: BT633441
Component: TMOS
Symptoms:
The Datasync Background Tasks run daily for several hours and consume CPU. This is expected and required to generate dynamic versions of obfuscated JavaScript. However, the tasks run even if no features that require JavaScript are enabled.
Conditions:
ASM is provisioned.
Impact:
Daily CPU-usage spikes lasting several hours, even if no features requiring JavaScript are enabled.
Workaround:
If no features requiring JavaScript are enabled, the following command limits generation to a single version of obfuscated JavaScript, so that the CPU spike is short and occurs only once a day:
tmsh modify security datasync local-profile cs-asm-dosl7 max-gen-rows 1
Important: It is not recommended to keep this configuration if any of the JavaScript features are enabled in either ASM Policy or DoS profile, because it will significantly reduce the JavaScript security.
To re-enable full JavaScript obfuscation, run this command:
tmsh modify security datasync local-profile cs-asm-dosl7 max-gen-rows infinite
The log /var/log/datasync/datasyncd.log can be used to monitor the Background Tasks.
Fix:
The Datasync Background Tasks are now running only if there are features requiring JavaScript.
Fixed Versions:
13.1.0.5
632646-1 : APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.
Links to More Info: BT632646
Component: Access Policy Manager
Symptoms:
APM - OAM login with invalid ObSSOCookie results in error page instead of redirecting to login page.
Conditions:
This happens occasionally if a session cookie (ObSSOCookie) is deleted from OAM server, or an OAM session is deleted from server.
Impact:
OAM login with an invalid ObSSOCookie results in an error page. The expected behavior is that the user is redirected to the login page if login with the ObSSOCookie fails.
Workaround:
No workaround.
Fix:
On authentication with an ObSSOCookie, APM now calls getStatus() to check the cookie's status and redirects to the IdP if the status is not 1 (LOGGEDIN, AWAITINGLOGIN). With this fix, the user is redirected to the IdP when logging in with a cookie that was deleted manually from the OAM server.
Fixed Versions:
11.6.3.2, 12.1.3.2, 13.0.1, 13.1.0.4
631418-1 : Packets dropped by HW grey list may not be counted toward AVR.
Links to More Info: BT631418
Component: Advanced Firewall Manager
Symptoms:
If the system supports hardware grey list, packets dropped by HW grey list may not be counted toward AVR.
Conditions:
AFM license, HW grey list support.
Impact:
User visibility.
Workaround:
There is no workaround at this time.
Fix:
The issue is fixed.
Fixed Versions:
13.1.0.4, 14.0.0
631316-2 : Unable to load config with client-SSL profile error
Links to More Info: K62532020 , BT631316
Component: TMOS
Symptoms:
Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'
Conditions:
This occurs when both of the following conditions are met:
-- The system is loading config.
-- The config contains a client SSL profile which has an RSA cert-key-chain whose key is default (/Common/default.key), but whose chain is non-empty, or the cert is different from /Common/default.crt. For example:
cert-key-chain {
    cert /Common/default.crt <==== default cert
    chain /Common/chainCA.crt <==== non-empty
    key /Common/default.key <==== default key
    rsa {
        cert /Common/default.crt <==== default cert
        chain /Common/chainCA.crt <==== non-empty
        key /Common/default.key <==== default key
    }
}
Impact:
Configuration can not be loaded.
Workaround:
Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again.
Steps:
1. Open /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition) in a text editor.
2. Update the client SSL profile by setting the .crt and .key to non-default files, as shown in the following example:
cert-key-chain {
    cert /Common/kc.crt <==== changed to non-default
    chain /Common/chainCA.crt
    key /Common/kc.key <==== changed to non-default
    rsa {
        cert /Common/kc.crt <==== changed to non-default
        chain /Common/chainCA.crt
        key /Common/kc.key <==== changed to non-default
    }
}
3. Save your changes, and then run the following command:
tmsh load sys config
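Finding such profiles before a load fails, rather than after, is easier with a script than by reading bigip.conf by hand. The following Python script is an added example, not F5 code: it parses the tmsh brace syntax of a bigip.conf into nested dicts and reports every client SSL profile whose cert-key-chain entry uses /Common/default.key together with a non-empty chain or a non-default cert, which is the condition described above. SAMPLE_CONF is a constructed fragment; it assumes the nested form in which a saved bigip.conf stores the chain under a named entry such as default, and the checker also accepts the flat form shown in this entry.

```python
import sys

# Constructed sample (not from a real system): three client SSL profiles in the
# nested cert-key-chain form that a saved bigip.conf uses.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/bad_profile {
    cert-key-chain {
        default {
            cert /Common/default.crt
            chain /Common/chainCA.crt
            key /Common/default.key
        }
    }
}
ltm profile client-ssl /Common/good_profile {
    cert-key-chain {
        default {
            cert /Common/kc.crt
            chain /Common/chainCA.crt
            key /Common/kc.key
        }
    }
}
ltm profile client-ssl /Common/stock_profile {
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
}
"""

DEFAULT_CERT = "/Common/default.crt"
DEFAULT_KEY = "/Common/default.key"


def parse_tmsh(text):
    """Parse tmsh brace syntax into nested dicts. A line ending in '{' opens a block,
    a lone '}' closes it, 'name { }' is an empty block, anything else is 'key value'."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{ }"):
            stack[-1][line[:-3].strip()] = {}
        elif line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def chain_entries(ckc):
    """Yield (entry, fields) for each cert/chain/key set, whether the fields sit
    directly in cert-key-chain (the flat form shown in this entry) or in a sub-block."""
    if "key" in ckc:
        yield "(inline)", ckc
        return
    for name, sub in ckc.items():
        if isinstance(sub, dict) and "key" in sub:
            yield name, sub


def find_affected_profiles(conf):
    """Client SSL profiles that match 631316-2: default.key with a non-empty chain
    or a cert other than default.crt."""
    hits = []
    for obj, body in conf.items():
        if not isinstance(body, dict) or not obj.startswith("ltm profile client-ssl "):
            continue
        ckc = body.get("cert-key-chain")
        if not isinstance(ckc, dict):
            continue
        for entry, fields in chain_entries(ckc):
            if fields.get("key") != DEFAULT_KEY:
                continue
            cert, chain = fields.get("cert"), fields.get("chain", "none")
            if chain != "none" or cert != DEFAULT_CERT:
                hits.append((obj.split()[-1], entry, "cert=%s chain=%s" % (cert, chain)))
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for profile, entry, detail in find_affected_profiles(parse_tmsh(text)):
        print("%s (%s): %s" % (profile, entry, detail))
```

Point it at each bigip.conf (the /Common one and every partition's) before an upgrade or UCS restore; each reported profile is one you will otherwise have to hand-edit after the load has already failed.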
Fixed Versions:
11.6.3.2, 12.1.3.2, 13.1.0.6
631286-3 : TMM Memory leak caused by APM URI cache entries
Links to More Info: BT631286
Component: Access Policy Manager
Symptoms:
The tmctl table "access_uri_info" grows gradually, which can lead to TMM memory exhaustion.
Conditions:
APM or SWG in use.
Impact:
TMM memory exhaustion.
Workaround:
Restart tmm.
Fix:
This release implements a limit on how many entries the system stores in the URI cache. The default is 2048 entries; the DB variable accepts a range of 2048 - 8192. You can use the following DB variable to control the maximum:
access.max.euie_uri.cache.entries
Fixed Versions:
12.1.3.7, 13.0.1, 13.1.0.4
630137-2 : Dynamic Signatures feature can fill up /config partition impacting system stability
Links to More Info: BT630137
Component: Advanced Firewall Manager
Symptoms:
When the AFM DoS Dynamic Signatures feature is enabled, inadequate file housekeeping results in the /config/filestore partition filling up. mcpd halts the other running daemons and the system becomes unresponsive.
Conditions:
AFM DoS Dynamic Signatures feature enabled
Configuration changes made but not saved
Device receives traffic.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Make all configuration changes via the Configuration utility (GUI), or issue a 'save sys config partitions all' command after making changes.
If rolling back the configuration is a requirement, before making changes to the configuration, save a configuration snapshot to a file with the 'save sys config file <filename>' command. You can then load the previous configuration with a 'load sys config file <filename>' command.
Fix:
AFM DoS Dynamic Signatures file housekeeping improved, /config filestore no longer fills up.
Fixed Versions:
13.1.1.2, 14.0.0
629628-1 : Request Events Missing Due to Policy Builder Restart
Links to More Info: BT629628
Component: Application Security Manager
Symptoms:
Policy builder process restarts when it gets a UCS load event.
As a result, request events are missing from the request log while policy builder is catching up on the policies.
Conditions:
-- In a high availability environment when devices require a full ASM sync from their peer.
-- Learning is enabled for ASM policies.
Impact:
Any requests that needed to be logged due to a logging profile (e.g., Log All) will be lost during this time. This occurs because policy builder is responsible for logging these requests. These restarts are not particularly harmful.
Workaround:
None.
Fix:
Policy builder now handles requests while catching up on the policies assuring no requests are lost due to the restart.
Fixed Versions:
13.1.3.4
629334-1 : Portal Access: JavaScript expressions in parentheses may be rewritten incorrectly
Links to More Info: BT629334
Component: Access Policy Manager
Symptoms:
In some cases Portal Access incorrectly rewrites JavaScript expressions enclosed in parentheses.
Conditions:
JavaScript code with the following constructions:
- (a.b) (...)
- (a[b]) (...)
- (b) = ...
Assuming 'b' is an element to be rewritten.
Some examples:
- (window.open) ("", "_blank");
- (form["submit"])();
- (location) = "http://some.org/";
Impact:
JavaScript code may not work correctly. In some cases, JavaScript code becomes syntactically incorrect.
Workaround:
Use an iRule to remove the parentheses around the affected JavaScript expressions where necessary.
Fix:
Now JavaScript expressions in parentheses are rewritten correctly.
Fixed Versions:
13.1.0.4
628645 : Classification signatures fails to update and there are no errors in the GUI
Links to More Info: BT628645
Component: Traffic Classification Engine
Symptoms:
The libcec.so library fails to update, and errors are no longer displayed in the GUI.
/var/log/hitless_upgrade.log provides a hint that the upgrade is failing:
update_dpi_sigfile.pl|DEBUG|Nov 01 20:39:33.305|19694|F5::DPI::Sigfile::AutoDownload::call_soap_server,,Timestamp: 2016-10-19 11:25:00, BigIP: 12.1.0
update_dpi_sigfile.pl|INFO|Nov 01 20:39:34.562|19694|F5::Sigfile::Update::update,,The most recent DPI Signatures file is already installed.
Conditions:
-- A BIG-IP system has been updated to the latest libcec.so, for example, using 'hitless upgrade' (Traffic Intelligence :: Classification :: Check for updates).
-- The software is then upgraded by using 'Check for updates'.
Impact:
Classification signatures fail to update. There are no errors displayed in the GUI. Running the 'tmsh list ltm classification' command shows that the new version has not been installed.
Additionally, in /var/log/hitless_upgrade.log:
update_dpi_sigfile.pl|DEBUG|Nov 01 20:39:33.305|19694|F5::DPI::Sigfile::AutoDownload::call_soap_server,,Timestamp: 2016-10-19 11:25:00, BigIP: 12.1.0
update_dpi_sigfile.pl|INFO|Nov 01 20:39:34.562|19694|F5::Sigfile::Update::update,,The most recent DPI Signatures file is already installed.
Workaround:
Check /var/log/hitless_upgrade.log for the failure.
Fix:
The system now displays the error message in the GUI correctly.
Fixed Versions:
13.1.4
625901-2 : SNAT pools allow members in different partitions to be assigned, but this causes a load failure
Links to More Info: BT625901
Component: TMOS
Symptoms:
SNAT pools allow members in different partitions to be assigned, but this is prohibited at load time.
Conditions:
The SNAT pool is in a partition different from that of the member you are trying to add to it.
Impact:
Load will fail with an error like the following:
01070726:3: SNAT pool translation address /p1/mysnatpool /p2/1.2.3.4%5 in partition PARE cannot reference SNAT Translation /p2/1.2.3.4%5 in partition p2
Workaround:
Use a SNAT pool member in the same partition.
Fixed Versions:
12.1.5.1, 13.1.3.4
624231-4 : No flow control when using content-insertion with compression
Links to More Info: BT624231
Component: Policy Enforcement Manager
Symptoms:
Packets can get queued in PEM and degrade performance.
In some cases this can cause memory corruption.
Conditions:
This issue can occur when there are many connections with compression enabled, hardware offload is not enabled, and content insertion is enabled.
Impact:
Performance impact to flows and possible system crash.
Workaround:
Enable hardware offload and use the PEM throttle feature for content insertion.
Fixed Versions:
12.1.3.2, 13.1.0.4
621260-4 : mcpd core on iControl REST reference to non-existing pool
Links to More Info: BT621260
Component: TMOS
Symptoms:
mcpd cores when attempting to create a pool and a monitor reference by using a REST call such as:
curl -u admin:admin -H "Content-Type: application/json" -X POST http://localhost:8100/tm/ltm/pool -d'{"name":"test_pool","monitor":" "}'
Conditions:
The monitor reference in the REST call consists of a single space character.
Impact:
mcpd restarts, causing many of the system daemons to restart as well.
Workaround:
Do not pass a monitor reference that consists only of spaces.
Fixed Versions:
11.6.5.1, 12.1.5.1, 13.1.1.5, 14.0.1.1, 14.1.0.2
620954-5 : Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
Links to More Info: BT620954
Component: TMOS
Symptoms:
Contention for /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:
PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.
Conditions:
A high rate of concurrent authentication attempts may trigger this issue. For example, opening a connection using basic authentication, performing a query (for example, get node list, get virtual address list, or set pool min active members), and then closing the connection. If this is done frequently enough, there is an occasional authentication failure.
Impact:
This intermittent authentication failure results in users not being able to log in.
Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then attempt to log in again.
Fixed Versions:
12.1.5.1, 13.1.3
618884-6 : Behavior when using VLAN-Group and STP
Links to More Info: BT618884
Component: Local Traffic Manager
Symptoms:
May not see ICMP response traffic when using Ping within the same VLAN when STP mode is configured.
Conditions:
-- STP mode is configured.
-- Ping is issued in the same VLAN.
Note: This issue is limited to soft-switched platforms.
Impact:
May not see ICMP response traffic.
Workaround:
None.
Fixed Versions:
12.1.4, 13.1.1.4
618641-1 : In rare cases VDI plugin might leak memory or crash while processing client connections
Links to More Info: BT618641
Component: Access Policy Manager
Symptoms:
In rare cases VDI plugin might leak memory or crash while processing client connections.
Conditions:
APM is used for proxying VDI connections (e.g. Citrix Virtual Apps, VMware Horizon, MS RDP).
Impact:
Rarely, VDI plugin might leak memory or crash.
Workaround:
None.
Fix:
Fixed rare VDI plugin memory leaks and crashes.
Fixed Versions:
13.1.3.2
617929-4 : Support non-default route domains
Links to More Info: BT617929
Component: Local Traffic Manager
Symptoms:
Some connections are reset.
Conditions:
This occurs when the device is configured with non-default route domains when connecting to other tmms over the backplane.
Impact:
Traffic processing failure.
Workaround:
None.
Fix:
The system now supports non-default route domains when connecting to other tmms over the backplane.
Note: As a result of this fix, there is a behavior change: the iRule 'node' command now requires that you specify a route_domain in order for the traffic to be sent to a node assigned to a route domain.
Behavior Change:
The iRule 'node' method now requires a route_domain to be specified in order for the traffic to be sent to a node that is assigned to a route domain.
Fixed Versions:
13.1.3.4, 14.1.2.8, 15.0.1.3
617643-2 : iControl.ForceSessions enabled results in GUI error on certain pages
Links to More Info: BT617643
Component: TMOS
Symptoms:
GUI pages display 'An error has occurred while trying to process your request.'
Conditions:
Visiting pages related to PKI (cert/key), SNMP, AFM or licensing tasks when iControl.ForceSessions is enabled.
Impact:
Unable to use GUI for certain tasks when iControl.ForceSessions is enabled.
Workaround:
Use the command line (tmsh) for the related administrative tasks, or, if the feature is not used, disable it with the following command:
tmsh# modify sys db icontrol.forcesessions value disable
Fix:
The GUI now works correctly when iControl.ForceSessions is set to 'enable'.
Fixed Versions:
13.1.1.2
616008-1 : TMM core may be seen when using an HSL format script for HSL reporting in PEM
Links to More Info: K23164003 , BT616008
Component: Policy Enforcement Manager
Symptoms:
TMM core resulting in potential loss of service.
Conditions:
Requires a PEM HSL reporting action with an HSL format script against a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
In an iRule against the virtual server, set a Tcl variable in the first line after an iRule event. Unset the same Tcl variable in the last line of the iRule event.
Fix:
TMM core no longer occurs when using an HSL format script for HSL reporting in PEM.
Fixed Versions:
11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4
615934-3 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
Links to More Info: BT615934
Component: TMOS
Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.
Conditions:
If there is an existing key/certificate, and the key/certificate management iControl/SOAP functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.
Impact:
Key/certificate overwrite using iControl operations might fail.
Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.
Fixed Versions:
13.1.3.5, 14.1.4, 15.1.3
613728-2 : Import/Activate Security policy with 'Replace policy associated with virtual server' option fails
Links to More Info: BT613728
Component: Application Security Manager
Symptoms:
Visible errors in the BIG-IP Configuration utility:
-- MCP Validation error - 01071abb:3: Cannot create/modify published policy '/Common/<ltm_policy_name>' directly, try specifying a draft folder like '/Common/Drafts/<ltm_policy_name>'.
-- MCP Validation error - 01071726:3: Cannot deactivate policy action '/Common/<asm_policy_name>'. It is in use by ltm policy '/Common/<asm_policy_name>'.
Conditions:
-- ASM provisioned.
-- Having an active Security policy 'A' assigned to an LTM L7 Policy 'L'.
-- Import/Activate Security policy 'B' with the option 'Replace policy associated with virtual server' enabled, to replace security policy 'A'.
Impact:
Security Policy is activated but not assigned to the LTM policy.
Workaround:
Run the following command prior to the Import/Activate of a Security policy action:
---------
# tmsh modify ltm policy L legacy
---------
Fix:
The process of importing/activating a Security policy now correctly replaces an existing policy, when the option 'Replace policy associated with virtual server' is enabled.
Fixed Versions:
12.1.4, 13.1.3
612792-1 : Support RDP redirection for connections launched from APM Webtop on iOS
Links to More Info: BT612792
Component: Access Policy Manager
Symptoms:
Launching Native RDP resource from APM Webtop might fail on iOS.
Conditions:
1. Native RDP resource is launched from APM Webtop on iOS.
2. The RDP connection is redirected from one RDP server to another. This typically happens in RDP farm (multiple RDP servers) deployments.
Impact:
Native RDP resource can't be launched.
Workaround:
iOS RDP client version 8.1.35 allows a workaround using the following 'Variable Assign' agent in the Access Policy:
Custom Variable:
session.client.platform
Custom Expression:
set client_os [mcget {session.client.platform}];
return [expr {$client_os == "iOS" ? "Android" : $client_os}];
Fix:
RDP redirection is now supported for connections launched from APM Webtop on iOS. Launching RDP resources from APM Webtop now requires at least version 8.1.35 of iOS RDP client.
Fixed Versions:
13.0.1, 13.1.0.4
612118-2 : Nexthop explicit proxy is not used for the very first connection to communicate with the backend.
Links to More Info: BT612118
Component: Access Policy Manager
Symptoms:
In SWG / forward proxy, nexthop explicit proxy is not used for the very first connection to communicate with the backend.
Conditions:
SWG per-request policy with proxy select agent.
Impact:
The BIG-IP system directly communicates with the backend to fetch server certificates.
Workaround:
None.
Fix:
The next-hop proxy is now used for all connections that use the proxy-select agent, including fetching the backend certificate. In earlier versions, the default route was used to fetch the certificate.
In transparent mode for HTTPS traffic, the proxy select agent can use the host and port information gathered from the backend certificate, since the per-request policy can run before the certificate-fetching process. Therefore, the per-request policy no longer requires a category lookup agent before the proxy select agent.
Fixed Versions:
13.0.1, 13.1.0.4
608988-1 : Error when deleting multiple ASM Policies
Links to More Info: BT608988
Component: Application Security Manager
Symptoms:
Error when attempting to delete multiple ASM policies at once.
Conditions:
Multiple ASM policies are selected for deletion that have multiple XML profiles configured on their URLs.
Impact:
Operation fails with ASM subsystem error messages in asm log.
Workaround:
Delete policies one at a time.
Fix:
Multiple ASM policy delete finishes successfully.
Fixed Versions:
13.1.0.4
608952-4 : MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2
Links to More Info: BT608952
Component: Local Traffic Manager
Symptoms:
MSSQL health monitor always shows down.
Conditions:
The Microsoft SQL server that is being monitored has disabled support for legacy security protocols, and supports only versions TLSv1.1 and TLSv1.2.
Impact:
MSSQL monitor is unable to perform health checking when SQL Server is configured to require TLSv1.1 or TLSv1.2.
Workaround:
None.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.5
606983-2 : ASM errors during policy import
Links to More Info: BT606983
Component: Application Security Manager
Symptoms:
Import failure when importing ASM policy with many Session Awareness Data Points.
ASM logs errors similar to the following:
-- crit g_server_rpc_handler_async.pl[10933]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Could not update the Export Policy Task 'Export Policy Task (1469519765.114479)'. DBD::mysql::db do failed: Got a packet bigger than 'max_allowed_packet' bytes.
Conditions:
-- ASM provisioned.
-- Session Awareness enabled.
-- Many (more than 1000) active Session Awareness 'Block All' data points are present.
-- Export a policy.
-- Import the same policy.
Impact:
asm_config_server crash occurs. asm_config_server recovers automatically, within ~15-30 seconds.
Workaround:
Either release all Session Awareness Data Points before export, or remove them from the exported policy before importing it back.
Fix:
Import failure no longer occurs when importing ASM policy with more than 1000 Session Awareness Data Points. Now, there is a maximum of 1000 Session Awareness Data Points exported into an XML policy export.
Fixed Versions:
12.1.3.6, 13.1.0.8, 14.0.0.5
605675-2 : Sync requests can be generated faster than they can be handled
Links to More Info: BT605675
Component: TMOS
Symptoms:
Configuration changes in quick succession might generate sync change messages faster than the receiving BIG-IP system can parse them. The sending BIG-IP system's queue for its peer connection fills up, mcp fails to allocate memory, and then the system generates a core file.
Conditions:
Configuration changes in quick succession that might generate sync-change messages.
Impact:
Core file and sync operation does not complete as expected. The possibility for this occurring depends on the size and complexity of the configuration, which impacts the time required to sync, and the traffic load occurring at the time of the sync operation.
Workaround:
None.
Fixed Versions:
11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.2
605649-2 : The cbrd daemon runs at 100% CPU utilization
Links to More Info: K28782793 , BT605649
Component: Application Security Manager
Symptoms:
The cbrd daemon runs at 100% CPU utilization.
You may notice this issue while inspecting:
- The performance graphs for the BIG-IP device.
- SNMP reports from the BIG-IP device.
- The output of utilities such as top or ps.
Note: The cbrd daemon performs XML Content-Based Routing on the BIG-IP system. However, the daemon runs regardless of provisioning and whether the feature is actually being utilized or not.
Conditions:
This is a rarely occurring event whose cause is not known.
Impact:
The cbrd daemon may run inefficiently. Additionally, other control-plane processes running on the BIG-IP device may also be detrimentally affected (depending on the size of the BIG-IP device and its configuration).
Workaround:
You can try to work around this issue by restarting the cbrd daemon using the following command:
bigstart restart cbrd
As the issue occurs rarely, you may not experience this issue again for a long time. This is, however, only a temporary workaround, and will have to be repeated as needed.
Fixed Versions:
12.1.5, 13.1.1.4
604811-2 : Under certain conditions TMM may crash while processing OneConnect traffic
Links to More Info: BT604811
Component: Local Traffic Manager
Symptoms:
TMM may crash while processing OneConnect traffic.
Conditions:
Removing the OneConnect profile from a virtual server while passing traffic.
Impact:
TMM crash leading to a failover event.
Fix:
TMM now processes profile removals as expected.
Fixed Versions:
11.6.3.2, 12.1.5.3, 13.1.3
602708-4 : Traffic may not pass through CoS by default
Links to More Info: K84837413 , BT602708
Component: Local Traffic Manager
Symptoms:
The BIG-IP system may set the packet Quality of Service (QoS) priority to 3 when traffic is processed by an IP forwarding virtual server.
Conditions:
-- IP forwarding virtual server.
-- Traffic received with priority other than 3.
Impact:
Traffic is set to L2 QoS priority 3 and may cause issues on other networking devices.
Workaround:
Create a default CoS configuration or apply L2 QoS settings in the FastL4 profile.
Fix:
TMM now correctly passes through CoS by default.
Fixed Versions:
12.1.3.7, 13.1.1.2, 14.0.0.3
601189-3 : The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
Links to More Info: BT601189
Component: Local Traffic Manager
Symptoms:
The BIG-IP system might send TCP packets out of order in Fastl4 in syncookie mode.
Conditions:
-- Fastl4 VS.
-- syncookie mode.
Impact:
TCP packets are sent out of order.
Workaround:
None.
Fix:
The BIG-IP system no longer sends TCP packets out of order in Fastl4 in syncookie mode.
Fixed Versions:
12.1.5.1, 13.1.3.2, 14.1.2.5
600985-3 : Network access tunnel data stalls
Links to More Info: BT600985
Component: Access Policy Manager
Symptoms:
In certain scenarios, the network access tunnel stays up; however, no data transfer occurs on the tunnel. This issue occurs intermittently.
Conditions:
The cause of this issue is not yet known.
Impact:
Data stalls on the tunnel, so applications cannot be accessed. However, Edge Client shows the VPN tunnel as 'Connected'.
Workaround:
Manually re-establish the tunnel.
Fixed Versions:
13.1.3, 14.1.2.7
599567-3 : APM assumes SNAT automap, does not use SNAT pool
Links to More Info: BT599567
Component: Local Traffic Manager
Symptoms:
When a virtual server configured to use a SNAT pool is also associated with APM (for example, when configured as a RDP gateway), the SNAT pool setting is not honored.
A SNAT configuration of 'None' also does not work; the system always behaves as if it is configured with Automap.
Conditions:
-- SNAT pool configured.
-- APM configured (one example is deploying the Horizon View iApp for APM).
Impact:
The VLAN Self IP address is used instead of the SNAT pool addresses.
Workaround:
First, follow the configuration details in K03113285: Overview of BIG-IP APM layered virtual servers :: https://support.f5.com/csp/article/K03113285, to ensure everything is configured properly.
Then ensure that the appropriate SNAT pool is set on the new layered forwarding virtual server.
Note: This workaround does not work when using a pool of VMware vCenter Server (VCS) as configured by default with the iApp.
Fix:
The system now honors the virtual server SNAT configuration.
Fixed Versions:
12.1.5, 13.1.1.5, 14.0.1.1, 14.1.2.5
598085-1 : Expected telemetry is not transmitted by sFlow on the standby-mode unit.
Links to More Info: BT598085
Component: TMOS
Symptoms:
The expected telemetry is not transmitted by sFlow on the standby-mode unit. In a high-availability (HA)/redundant BIG-IP configuration, standby BIG-IP units are failing to generate sFlow telemetry packets containing unit-specific data.
Conditions:
In a high-availability/redundant BIG-IP configuration with sFlow configured.
Impact:
The sFlow data being transmitted by the standby unit consists of packet samples of the HA Heartbeat traffic, and no other telemetry information.
Workaround:
None.
Fixed Versions:
12.1.4, 13.1.1.4
594751-1 : LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN
Links to More Info: K90535529 , BT594751
Component: Local Traffic Manager
Symptoms:
Vlan Name and Vlan Tag values are not seen by the LLDP neighbors of the BIG-IP system.
Conditions:
1. LLDP is enabled globally and per interface.
2. Interfaces are added to a trunk after it has already been assigned to a VLAN.
For instance, assume the following procedure was followed for creating an LLDP trunk:
tmsh modify net lldp-globals enabled
tmsh modify net interface 1.1 lldp-admin txrx lldp-tlvmap 114680
tmsh modify net interface 1.2 lldp-admin txrx lldp-tlvmap 114680
tmsh create net trunk myTrunk
tmsh create net vlan myVlan
tmsh modify net trunk myTrunk interfaces add { 1.1 1.2 }
tmsh modify net vlan myVlan interfaces add { myTrunk }
The neighbor to this BIG-IP unit would not see the Vlan Name and Vlan Tag information of this trunk because the interfaces were added after the trunk was already assigned to a VLAN.
Impact:
LLDP Neighbors are unable to see VLAN information for the LLDP interfaces of the BIG-IP.
Workaround:
If the configuration has not yet been performed, the issue can be prevented by assigning all the desired interfaces to a trunk before assigning the trunk to a VLAN.
If the problem already exists, it can be remedied by performing a restart of the LLDP service. This should not impact dataplane services outside of LLDP. To do so, run the following command:
bigstart restart lldpd
Fix:
VLANs are now properly applied to any interfaces added to a trunk if the trunk already belongs to any VLANs.
Fixed Versions:
12.1.5.1, 13.1.0.6
594064-5 : tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.
Links to More Info: K57004151 , BT594064
Component: Local Traffic Manager
Symptoms:
When the tcpdump utility is used with the ':p' modifier, it appears that the first few serverside packets are not captured.
Conditions:
-- Using the ':p' modifier with the tcpdump utility to capture serverside flows associated with clientside flows that match a tcpdump filter.
-- FastL4 or standard virtual server UDP flows are being captured.
Impact:
Typically, the peer flow will not be captured until the second packet is processed on the original flow that is captured by the tcpdump filter. Although there is no operational impact, it might cause confusion when looking for serverside traffic when capturing using a command similar to the following: tcpdump -i <vlan>:p host <client-ip>
Typical examples of missing packets include:
-- Serverside syn and syn-ack from FastL4 TCP traffic.
-- All serverside packets for single packet request/reply traffic, e.g., dns request/reply.
Workaround:
Specify a filter that includes serverside traffic (e.g., include pool member addresses as 'host <addr>').
Fix:
tcpdump now successfully captures the first serverside packets.
Fixed Versions:
11.6.5.3, 12.1.5.2, 13.1.3.4
591732-3 : Local password policy not enforced when auth source is set to a remote type.
Links to More Info: BT591732
Component: TMOS
Symptoms:
Local password policy not enforced when auth source is set to a remote type. Any non-default password policy change is not enforced for local users.
Conditions:
1) Some part of the local password policy has been changed from the default values, for example, changing the password minimum-length to 15 where the default is 6.
2) The auth source is set to a remote source, such as LDAP, AD, TACACS.
Impact:
The system does not enforce any of the non-default local password policy options.
For example:
-- Even if the minimum-length is set to 15, a local user's password can be set to something less than 15.
Another example:
-- Even if max-duration is set to 90 days, the password does not expire for 99999 days (the default).
Note: Impact may vary among versions:
-- minimum-length policy works in v11.x and v12.x, but fails in v13.x and later.
-- max-duration policy fails in all affected versions.
Workaround:
None.
Fix:
The BIG-IP system now honors the password policy settings for local accounts. However, this does not address complexity issues, which are tracked under ID 928161. For more information, see https://cdn.f5.com/product/bugtracker/ID928161.html
Fixed Versions:
12.1.5.1, 13.1.3.5, 14.1.3.1, 15.0.1.4
589233-2 : vCMPd may crash when processing bridged network traffic
Links to More Info: K03165684
589083-6 : TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
Links to More Info: BT589083
Component: TMOS
Symptoms:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation fails because of permission errors.
Using iControl, the system posts an error similar to the following: Error processing request for URI:http://localhost:8110/mgmt/tm/sys/config
{code:400,message: Can't create tmsh temp directory \"/config/.config.backup\" Permission denied, errorStack:[]}.
Using TMSH (e.g., running the command: tmsh save sys config), the system posts an error similar to the following:
Can't create tmsh temp directory "/config/.config.backup" Permission denied
Conditions:
This occurs when the following conditions are met:
-- Remote Authentication is configured.
-- User is logged in as a remote user who has the admin role.
-- Using TMSH or iControl for remotely authenticated user operations.
Impact:
Cannot save the configuration.
Workaround:
Use one of the following workarounds:
-- Use the GUI to save the configuration.
-- Have a locally authenticated user with admin role save the configuration.
Fix:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation now completes as expected, without permission errors.
Fixed Versions:
12.1.2, 13.1.0.4, 14.0.0
583084-10 : iControl produces 404 error while creating records successfully
Links to More Info: K15101680 , BT583084
Component: TMOS
Symptoms:
iControl produces an HTTP 404 - Not Found error message while creating the BIG-IP DNS topology record successfully.
Conditions:
Creating GTM topology record without using full path via iControl.
Impact:
The returned status code/information does not match the actual result.
For a post request, the create command and the list command are formed and executed, and the name in the curl request and the name in the list response are compared to verify whether or not it is the actual object. When a create command is executed with properties that are not fullPath (e.g., in iControl), it still creates the object with fullPath. So list returns the name with fullPath and compares it with the name that does not contain the fullPath, and the comparison fails because the names do not match.
Workaround:
Use the full path when creating BIG-IP DNS topology records using iControl.
Fix:
The system now compares both names, ignoring the partition '/Common' if the exact comparison fails.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2
581921-3 : Required files under /etc/ssh are not moved during a UCS restore
Links to More Info: K22327083 , BT581921
Component: TMOS
Symptoms:
The SSH files required for SSH sign-on are not transferred when performing a UCS restore operation. Further, the files are not transferred even during an upgrade.
Conditions:
This can happen when performing a UCS restore operation, or when upgrading from one version to the next.
Impact:
This might impact SSH operations.
Workaround:
Add the /etc/ssh directory to the UCS backup configuration. This causes all subsequent UCS backup and restore operations to include the /etc/ssh/ directory.
To complete this procedure, refer to K4422: Viewing and modifying the files that are configured for inclusion in a UCS archive :: https://support.f5.com/csp/article/K4422.
Fix:
The correct folder is now present when performing a UCS restore operation, so that all of the files required for the operation of SSH are transferred.
Fixed Versions:
11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.1.1, 14.1.0.6
581851-6 : mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands
Links to More Info: K16234725 , BT581851
Component: TMOS
Symptoms:
The Master Control Program Daemon (MCPD) on secondary blades may unexpectedly restart when the BIG-IP system processes multiple, concurrent TMOS Shell (tmsh) commands.
Under these circumstances, a race condition may occur and cause the mcpd process on the secondary blades to fail to correctly process concurrent updates from the primary blade.
As a result of this issue, you may encounter one or more of the following symptoms:
-- The mcpd process on secondary blades unexpectedly restarts.
-- You notice error messages in the /var/log/ltm file on the BIG-IP system that appear similar to the following example:
+ err mcpd[<PID>]: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset
+ err mcpd[<PID>]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset
-- Depending on your high availability (HA) configuration, the device may unexpectedly fail over to another system in the device group.
Conditions:
This issue occurs when all of the following conditions are met:
-- You have a VIPRION platform or Virtual Clustered Multiprocessing (vCMP) guest configuration that uses two or more blades.
-- You attempt to run multiple, concurrent tmsh commands on the BIG-IP system. For example, you run a tmsh command to continually reset persistence records and at the same time run another tmsh command to continually reset the TCP statistics.
Impact:
The BIG-IP system may experience performance degradation when the secondary blades become unavailable while the mcpd process restarts. Depending on your HA configuration, the device may fail over.
Workaround:
None.
Fix:
This issue no longer occurs.
Fixed Versions:
11.5.9, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0
580537-3 : The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
Links to More Info: BT580537
Component: Global Traffic Manager (DNS)
Symptoms:
The geoip_update_data script will not install City2 GeoIP data.
Conditions:
Attempting to install the City2 GeoIP data.
Impact:
The City2 GeoIP data must be installed manually.
Workaround:
The City2 GeoIP data can be installed manually by extracting the contents of the RPM and updating the associated files. The commands are:
rpm -U <full path to the City2 GeoIP RPM file>
rm /shared/GeoIP/F5GeoIP.dat
ln -s /shared/GeoIP/F5GeoIPCity2.dat /shared/GeoIP/F5GeoIP.dat
rm /shared/GeoIP/v2/F5GeoIP.dat
Fix:
The geoip_update_data script was updated to support installing City2 GeoIP data.
Fixed Versions:
12.1.3.2, 13.0.1, 13.1.0.4
579219-1 : Access keys missing from SessionDB after multi-blade reboot.
Links to More Info: BT579219
Component: Access Policy Manager
Symptoms:
After a reboot of a 4-blade vCMP guest, only the master key for the catalog remains; all subkeys are missing.
Conditions:
This can occur intermittently during a reboot in a multi-blade vCMP guest configured with APM.
Impact:
Some Access subkeys may be missing after the reboot.
Workaround:
Reboot the primary blade.
Fixed Versions:
13.1.5, 14.1.2.8, 15.1.1
576123-4 : ASM policies are created as inactive policies on the peer device
Links to More Info: K23221623 , BT576123
Component: Application Security Manager
Symptoms:
ASM policies are created as inactive policies on the peer device.
Conditions:
This occurs when the following conditions are met:
-- ASM Sync is enabled on a Sync-Only auto-sync Device Group.
-- There is either no failover group, or the failover group is a manual sync group.
Impact:
ASM policies are created as inactive policies on the peer device, resulting in an inconsistency between peers.
Workaround:
You can use either of the following workarounds:
-- Set the device group with ASM sync enabled to manual sync.
-- Enable auto-sync for the failover group.
Fix:
This release fixes the ASM Synchronization mechanism so that ASM policies are correctly created on the peer device.
Fixed Versions:
11.5.9, 11.6.3.2, 12.1.3.2, 13.1.1.4
571651-4 : Reset Nitrox3 crypto accelerator queue if it becomes stuck.
Links to More Info: BT571651
Component: Local Traffic Manager
Symptoms:
Certain configuration parameters used during an SSL handshake can elicit a 'queue stuck' message from the accelerator. When this happens, the /var/log/ltm log file will contain a message similar to the following:
'n3-cryptoX request queue stuck'.
Conditions:
The BIG-IP system uses Nitrox 3 encryption hardware to perform SSL encryption.
An SSL handshake sent to the BIG-IP system is incorrectly configured or contains bad information.
Impact:
In-flight and queued contexts for the specific accelerator are dropped. After device recovery, new requests will be accelerated.
Workaround:
Disable crypto acceleration.
Fix:
The crypto accelerator is gracefully reset when the accelerator stalls due to a misconfigured request.
Note: This issue resolution is limited to SSL handshake issues, and is not a resolution for all possible causes of a 'queue stuck' event.
Fixed Versions:
11.5.9, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0.5
563661-1 : Datastor may crash
Links to More Info: BT563661
Component: TMOS
Symptoms:
In rare cases, datastor may crash to protect the system from corruption. After datastor restarts, tmm may crash when attempting to communicate with datastor.
Conditions:
WAM provisioned and enabled.
Impact:
Datastor and TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This issue has been fixed.
Fixed Versions:
11.6.3.3, 12.1.3.2, 13.1.0.6
562921-5 : Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
Links to More Info: BT562921
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP systems use the iQuery protocol to securely communicate with other BIG-IP systems. The BIG-IP system supports the AES/3DES ciphers for encrypting iQuery traffic. Some of these ciphers are now considered insecure.
Conditions:
The value is hardcoded into the product.
Note: This is completely independent of the TMM profiles or the httpd cipher values.
Impact:
There is no way to configure this; the value is hardcoded. Scanner operations performed on your configuration will report this as an insecure cipher.
Workaround:
If you do not need iQuery at all, you can block port 4353 completely. For those who do need it, there is no workaround.
Fix:
The cipher list in use is now
"AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA"
Fixed Versions:
11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4
554228-7 : OneConnect does not work when WEBSSO is enabled/configured.
Links to More Info: BT554228
Component: Access Policy Manager
Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and doesn't reuse pooled connections.
Conditions:
WEBSSO and OneConnect.
Impact:
Idle serverside connections that should be eligible for reuse by the virtual server are not used. This might lead to build-up of idle serverside connections, and may result in unexpected 'Inet port exhaustion' errors.
Workaround:
None.
Fix:
OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server side connections.
Fixed Versions:
11.6.1, 13.1.3.6
551925-4 : Misdirected UDP traffic with hardware acceleration
Links to More Info: BT551925
Component: TMOS
Symptoms:
UDP traffic might be forwarded to the wrong destination when using hardware acceleration.
Conditions:
If the UDP timeout is lower than the embedded Packet Velocity Acceleration (ePVA) aging timeout.
This occurs because UDP connections are accelerated until the ePVA aging timeout expires for the connection. If the ePVA aging timeout is greater than the UDP timeout, then TMM removes the connection from software, but the connection is still accelerated in the ePVA. Subsequent traffic then matches to the original connection, causing it to be sent to the wrong destination.
Impact:
Traffic can be sent to the wrong destination.
Workaround:
You can use either or both of the following workarounds:
-- Increase the UDP timeout (60s or more).
-- Disable UDP hardware acceleration.
Fixed Versions:
11.6.4, 12.1.3.7, 13.1.1.2
550526-2 : Some time zones prevent configuring trust with a peer device using the GUI.
Links to More Info: K84370515 , BT550526
Component: TMOS
Symptoms:
AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, and AWDT time zones prevent configuring trust with a peer device using the GUI.
Conditions:
-- Setting a BIG-IP system timezone to AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.
-- Using the GUI to add a peer device to a trust configuration.
Impact:
Adding a peer device using the GUI fails.
Workaround:
You can use either of the following workarounds (you might find the first one easier):
-- Temporarily set the device timezone to a non-affected timezone (e.g., UTC), establish trust, and set it back:
1. Navigate to System :: Platform.
2. Under 'Time Zone', select 'UTC', and click 'Update'.
3. Repeat steps one and two to change all devices that are to be part of the trust domain.
4. Establish device trust by navigating to Device Management :: Device Trust :: Add all peers to be part of the trust domain.
5. Once trust is established, navigate to System :: Platform, and change Time Zone back to preferred time zone.
-- Use tmsh to add a peer device in these timezones: AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.
Fix:
You can now use the GUI to add a peer device when the time zone is set to AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.
Fixed Versions:
12.1.3.7, 13.1.1.2
536831-1 : APM PAM module does not handle local-only users list correctly
Links to More Info: BT536831
Component: Access Policy Manager
Symptoms:
The following log messages are shown in /var/log/secure, when remote-auth (APM based) is configured and when trying to authenticate local users:
-- notice httpd[8281]: pam_apm: module returning Failure, ClientHandler auth failed!(admin)
-- notice httpd[8281]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=X.X.X.X attempts=1 start="Wed Jan 17 14:49:21 2018"
This failure log shows that the system first attempts to authenticate local users (like admin, root, etc.) remotely.
Conditions:
This occurs when the following conditions are met:
- APM is provisioned on a BIG-IP system.
- APM-based remote-auth is configured.
- Local users (like admin, root, etc.) attempt to log into the management interface of that BIG-IP system.
Impact:
Local users' credentials are sent to remote authentication servers, which return an auth failure. However, on the second attempt, the system authenticates the user locally, and it succeeds as expected. See the following logs:
-- notice httpd[8281]: pam_apm: module returning Failure, ClientHandler auth failed!(admin)
-- notice httpd[8281]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=X.X.X.X attempts=1 start="Wed Jan 17 14:49:21 2018"
Workaround:
None.
Fix:
Local users are authenticated locally. The system no longer sends requests to remote servers for local users.
Fixed Versions:
13.1.0.4
530775-3 : Login page may generate unexpected HTML output
Links to More Info: K23734425
529896-1 : DNS Cache can use cached data from ADDITIONAL sections in answers after RRset cache cleared
Links to More Info: BT529896
Component: Global Traffic Manager (DNS)
Symptoms:
On deleting the RRset cache, an incorrect answer could be served out of the message cache.
Conditions:
The RRset cache is cleared but the message cache is not.
Impact:
A deleted or cleared answer may be served.
Fix:
RRset cache entries are now marked as deleted using the ID instead of the TTL.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5
528894-8 : Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition
Links to More Info: BT528894
Component: TMOS
Symptoms:
Configuration stanzas that do not belong in the files of a non-Common partition appear there. These stanzas could include, for example, 'net trunk' or 'sys ha-group' objects.
Conditions:
-- The system includes partitions other than Common.
-- Configuration in a partition other than Common is modified.
-- A Config-Sync operation not involving an overwrite takes place (it is also possible to reproduce this issue on a standalone BIG-IP system by doing a save operation like the following: "tmsh save sys config partitions { Common other }").
Impact:
/config/partitions/<partition_name>/bigip_base.conf will contain extraneous config stanzas (such as the ones mentioned in Symptoms).
/config/bigip_base.conf will no longer contain config stanzas that belong there.
Note that the impact is mostly cosmetic. An affected device will still be able to correctly load its configuration even if some config stanzas appear in the wrong flat config file.
However, Administrators performing audits of the flat config files will be perplexed as to why some stanzas are moving back and forth between partitions.
Workaround:
If you wish to restore your flat config files to their proper state after the issue has already occurred, simply run "tmsh save sys config" on the affected device.
Alternatively, to prevent the issue in the first place, you can Config-Sync using the following command "tmsh run cm config-sync force-full-load-push to-group <device-group>".
Note that neither workaround is permanent and the issue will reoccur.
Fixed Versions:
13.1.5, 15.1.5
522241-2 : Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete
Links to More Info: BT522241
Component: Local Traffic Manager
Symptoms:
After running the tmsh command "show ltm dns cache records <key|msg|nameserver|rrset> cache <name> count-only" you may experience the following symptoms:
- One of the TMM instances on the system climbs to 100% CPU utilization for a prolonged amount of time.
- The odd-numbered hyperthread (i.e. 1) corresponding to the even-numbered hyperthread (i.e. 0) where the busy TMM instance is running is partially halted by the HT-Split feature (this will be observable in utilities such as "top" and by the presence of "Idle enforce starting" log messages in the /var/log/kern.log file).
- After waiting for a very long time, the tmsh command may not actually return and display a record count.
- The tmsh command does not respond to CTRL+C and continues running.
Conditions:
A DNS cache contains a large number of records and the BIG-IP Administrator runs the following tmsh command to determine the exact record count:
"show ltm dns cache records <key|msg|nameserver|rrset> cache <name> count-only"
Impact:
Due to the high CPU utilization, traffic handling is impaired. Control-plane processes can also become affected, leading to different issues (this depends on the size and load of the BIG-IP system). For example, the lacpd process can become descheduled causing trunks to flap.
Workaround:
Do not run the specified tmsh command.
If you have run the specified tmsh command, it has not returned after a very long time, and you want to restore normal system operation, perform the following steps:
1) Press CTRL+Z to send the command to the background.
2) Enter the "killall -9 tmsh" command (if you have multiple tmsh commands running and only want to kill the affected one, you will have to identify the correct tmsh process using utilities such as ps and top).
If your login shell is tmsh and not bash, simply close your SSH session to the BIG-IP system (as you won't be able to perform the aforementioned steps).
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7
514703-3 : gtm listener cannot be listed across partitions
Links to More Info: BT514703
Component: TMOS
Symptoms:
Unable to reference (perform operations: list, create, modify ...) gtm listeners across partitions.
Conditions:
-- In one partition.
-- Listener in another partition.
-- Attempt to perform operations on the listener in the other partition.
For example, the current partition is /Common, and a listener exists in /DifferentPartition, and you try to perform operations on the listener under /DifferentPartition.
Impact:
Cannot perform any operations on that listener. The listener will be listed as non-existent.
Workaround:
Change to the partition where the listener exists before performing any operations on it.
Fix:
The system can now reference GTM listeners across partitions.
Fixed Versions:
13.0.1, 13.1.0.6
513310-5 : TMM might core when a profile is changed.
Links to More Info: BT513310
Component: Local Traffic Manager
Symptoms:
TMM might core when a profile is changed.
Conditions:
A "standard" type virtual server configured with the TCP or SCTP protocol profile, and a Persistence, Access or Auth profile. This issue might occur in either of the following scenarios:
-- Change profile on the active device.
-- Change profile on the standby device and perform a config sync to the active device.
Impact:
TMM might core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now reinitializes the TCP proxy filter chain on profile change, so that tmm no longer cores.
Fixed Versions:
11.5.9, 11.6.4, 12.1.3.7, 13.1.1.4, 14.0.0.5
504522-1 : Trailing space present after 'tmsh ltm pool members monitor' attribute value
Links to More Info: BT504522
Component: Local Traffic Manager
Symptoms:
Values returned from the tmsh command 'ltm pool pool members monitor' have a trailing space, such as returning '/Common/myhttps ' (note the trailing-space). This trailing-space is also observed for the value returned from a REST call.
Conditions:
'tmsh' or a REST call is used to return the 'monitor' for pool members.
Impact:
Scripts or custom applications processing this returned output may wish to 'trim' whitespace on the value (as a trailing space is present); or should not assume the trailing space will be present in the future (as this behavior is not guaranteed).
Workaround:
Use a script or custom applications to 'trim' trailing whitespace for returned values.
Fix:
Values returned from the tmsh command 'ltm pool pool members monitor' no longer have a trailing space.
Fixed Versions:
12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.6
495443-9 : ECDH negotiation failures logged as critical errors.
Links to More Info: K16621 , BT495443
Component: Local Traffic Manager
Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.
Conditions:
An SSL negotiation failure involving ECDH key agreement.
Impact:
Spurious critical error logs.
Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.
Fix:
These ECDH failures are now logged as non-critical errors.
Fixed Versions:
11.5.3, 12.1.3.5, 13.1.1
495242-4 : mcpd log messages: Failed to unpublish LOIPC object
Links to More Info: BT495242
Component: Local Traffic Manager
Symptoms:
The system posts the following error: err mcpd[7143]: 010716d6:3: Failed to unpublish LOIPC object for (loipc_name.1417443578.297505208). Call to (shm_unlink) failed with errno (2) errstr (No such file or directory).
Conditions:
This is an intermittent issue that occurs on standby systems in High Availability (HA) configurations. In this case, the system is attempting to remove a file/directory that does not exist. Either the file has already been removed or it was not created.
Impact:
This is a benign error that can be safely ignored.
Workaround:
None.
Fix:
The system now suppresses logging when attempting to delete a non-existent file.
Fixed Versions:
11.5.6, 11.6.4, 12.1.3.6, 13.1.1.2
491560-2 : Using proxy for IP intelligence updates
Links to More Info: BT491560
Component: TMOS
Symptoms:
When connecting to the proxy server, the iprepd daemon does not send the value of the DB variable iprep.server in the CONNECT request, but instead sends its locally resolved IP address.
Conditions:
The following DB variables are configured to use proxy:
proxy.host
proxy.port
This presents a problem when the proxy server is configured to allow only IPs that have a reverse lookup.
Impact:
When the proxy sees the traffic it denies it, because the reverse lookup for that server IP is not present.
Workaround:
Use one of the workarounds:
-- Do not use proxy.
-- Check the server IP address regularly and maintain the proxy whitelist manually.
Fix:
The iprepd daemon now sends the CONNECT request with the value of the DB variable iprep.server and lets the proxy server do the DNS lookup.
Fixed Versions:
12.1.4, 13.1.1.4
489572-3 : Sync fails if file object is created and deleted before sync to peer BIG-IP
Links to More Info: K60934489 , BT489572
Component: TMOS
Symptoms:
Sync fails if you create/import a file object and delete it before triggering manual sync; ltm logs contain messages similar to the following:
Standby:
-- err mcpd[7339]: 01070712:3: Caught configuration exception (0), Failed to sync files..
-- err mcpd[7339]: 01071488:3: Remote transaction for device group /Common/test to commit id 42 6079477704784246664 /Common/test failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...
Active:
-- err mcpd[6319]: 0107134a:3: File object by name (/Common/filename) is missing.
Conditions:
This occurs when the following conditions are met:
-- BIG-IP systems configured for high availability (HA) are not configured to sync automatically, and incremental synchronization is enabled (these are the default settings).
-- One or more file objects are created and deleted before performing a sync from Active to Standby.
Impact:
Sync fails.
Workaround:
When you create/add a file object, make sure to sync before deleting it.
If a system is already in this state, perform a full sync and overwrite the configuration, as described in K13887: Forcing a BIG-IP device group member to initiate a ConfigSync operation :: https://support.f5.com/csp/#/article/K13887.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
484683-3 : Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer.
Links to More Info: BT484683
Component: TMOS
Symptoms:
-- After a configuration synchronization (ConfigSync) operation, the peer of a high-availability (HA) pair cannot show the summary of cert-chain using the command:
tmsh run sys crypto check-cert verbose enabled
-- After a ConfigSync operation, Certificate Subjects may be missing or empty when viewed in the Configuration Utility/GUI under System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: <certificate>.
Conditions:
Conditions leading to this issue include:
1. On the command line or in the GUI, set up a high availability (HA) configuration.
2. Import Certificate chain to one BIG-IP system.
3. Perform a ConfigSync operation to sync the certificate chain to the high availability (HA) peer.
Impact:
After a ConfigSync operation, the certificate chain summary is not created on other high availability (HA) peers.
Workaround:
1. Copy the cert-chain file to a location on the system (e.g., /shared/tmp/).
2. Update the cert-chain using a command similar to the following:
modify sys file ssl-cert Cert-Chain_Browser_Serv.crt source-path file:/shared/tmp/Cert-Chain_Browser_Serv.crt_5361_1.
Note: The step above causes the units to be out of sync, so an additional config-sync operation is required to bring the units 'In Sync' again.
Fixed Versions:
13.1.3.2, 14.1.2.7
471237-4 : BIG-IP VE instances do not work with an encrypted disk in AWS.
Links to More Info: K12155235 , BT471237
Component: TMOS
Symptoms:
BIG-IP VE instances cannot use encrypted disks in AWS as encryption-decryption introduces some data corruption in the disk that causes failure in some of the TMOS daemons at run-time.
Conditions:
Deploy a BIG-IP VE guest in AWS with an encrypted disk.
Impact:
TMM cores at startup, and does not start.
Workaround:
Do not use encrypted disks in AWS for BIG-IP VE instances.
Fix:
BIG-IP VE instances can now work with an encrypted disk in AWS.
Fixed Versions:
12.1.3.2, 13.1.0.2
470346-4 : Some IPv6 client connections get RST when connecting to APM virtual
Links to More Info: BT470346
Component: Access Policy Manager
Symptoms:
IPv6 clients connecting to an APM virtual server that renders a page (e.g., logon page, webtop, or message box) might get connection resets.
Conditions:
The IPv6 client's address has its last 4 bytes set to a special-purpose IPv4 address, e.g., a multicast address.
Impact:
Client connection is reset.
Workaround:
Change the last 4 bytes of the client IPv6 address to avoid the IPv4 special-address range.
Fix:
All IPv6 clients can now connect through APM virtual server, regardless of the values of the last 4 bytes of the address.
Fixed Versions:
13.1.5, 14.1.4.3, 15.1.4
464650-6 : Failure of mcpd with invalid authentication context.
Links to More Info: BT464650
Component: TMOS
Symptoms:
MCPd cores.
Conditions:
It is not known what triggers this core.
Impact:
Mcpd restarts.
Workaround:
None.
Fix:
Failure of mcpd with invalid authentication context no longer occurs.
Fixed Versions:
11.5.7, 11.6.3.3, 12.1.3.7, 13.1.1.2
463097-5 : Clock advanced messages with large amount of data maintained in DNS Express zones
Links to More Info: BT463097
Component: Local Traffic Manager
Symptoms:
With a large amount of data maintained in DNS Express (DNSX) zones, TMM can suffer from clock advances (logged as "Clock advanced" messages) when performing the DB reload.
Conditions:
Sufficiently large zones loaded into DNSX (several hundred thousand to several million records, depending on hardware).
Impact:
Clock advance messages in log. No traffic can be passed for this duration. When DNS Express zones are updated, you may see messages similar to the following in the /var/log/ltm log: notice tmm[25454]: 01010029:5: Clock advanced by 121 ticks.
Workaround:
Prevent all updates to DNSX zones.
Fix:
AXFR and IXFR to DNS Express (DNSX) with large zones have been significantly improved. The DNSX DB now resides in /shared to resolve DB size issues.
Fixed Versions:
12.1.3.1, 13.1.0.2
452283-5 : An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
Links to More Info: BT452283
Component: Local Traffic Manager
Symptoms:
An MPTCP connection that never expires can be seen using the command "tmsh show sys conn". Its idle time periodically resets to 0.
Conditions:
A virtual server is configured with a TCP profile with "Multipath TCP" enabled.
BIG-IP receives an MP_FASTCLOSE while the BIG-IP is advertising a zero window.
Impact:
A connection remains that never expires; its idle time periodically resets to 0.
Workaround:
There is no workaround at this time.
Fix:
Fixed MP_FASTCLOSE handling.
Fixed Versions:
11.6.3.3, 12.1.3.4, 13.1.0.4
440620-1 : New connections may be reset when a client reuses the same port as it used for a recently closed connection
Links to More Info: BT440620
Component: Local Traffic Manager
Symptoms:
If a client reuses the same port that it used for a recently closed connection, the new connection may receive a RST in response to the client's SYN.
Conditions:
A client reuses the same port that it used for a recently closed connection. The 4-tuple of local address, local port, remote address, and remote port must be the same to trigger this issue.
Impact:
New connections reusing a 4-tuple may be reset for a brief period following a connection close.
Workaround:
Lowering the "Close Wait" and "Fin Wait 1" timeouts in the TCP profile will shorten the amount of time that a particular 4-tuple remains unusable.
Fix:
Improved abort handling to better clean up hanging connections.
Fixed Versions:
11.6.5.1, 12.1.3.6, 13.1.0.4
431503-6 : TMSH crashes in rare initial tunnel configurations
Links to More Info: K14838 , BT431503
Component: TMOS
Symptoms:
In rare BIG-IP configuration scenarios, TMM may crash during its startup process when the tunnel configurations are loaded.
Conditions:
During TMM startup, a tunnel is created and then immediately removed during the configuration load period, while TMM neighbor messages may be in flight via the tunnel. When the race condition occurs, the neighbor message may land on an invalid tunnel.
Impact:
TMM crash in rare race conditions.
Workaround:
None.
Fix:
TMM no longer crashes on neighbor messages during the initial tunnel config load process.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1
424588-1 : iRule command [DOSL7::profile] returns empty value
Links to More Info: BT424588
Component: Application Security Manager
Symptoms:
iRule command [DOSL7::profile] returns an empty value.
Conditions:
iRule with the [DOSL7::profile] command attached to a virtual server.
Impact:
The iRule returns an empty value.
Workaround:
None.
Fix:
The [DOSL7::profile] command now returns the DoS profile name attached to virtual server, as expected.
Fixed Versions:
13.1.3.5
423519-1 : Bypass disabling the redirection controls configuration of APM RDP Resource.
Component: Access Policy Manager
Symptoms:
User can bypass RDP resource redirection restrictions between RDP remote machine and local machine.
Conditions:
1. Create RDP resource. Disable redirection parameter.
2. Launch the resource.
3. Launch RDP Client, enable redirection parameter.
Impact:
User can bypass RDP resource restrictions.
Workaround:
NA
Fix:
Users are no longer able to override the redirection controls configured on the RDP resource.
Fixed Versions:
13.1.5
273104-1 : Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps
Component: Local Traffic Manager
Symptoms:
Nmap can be used to determine the uptime of a BIG-IP by sampling timestamps and their update frequency.
Conditions:
Always.
Impact:
Nmap can be used to determine the uptime of a BIG-IP by sampling timestamps and their update frequency.
Fix:
Each TCP connection can now start with a random timestamp. This behavior is disabled by default; the sys db variable tm.tcpsendrandomtimestamp can be used to enable or disable random TCP timestamps.
Fixed Versions:
12.1.4.1, 13.1.3
251162-1 : The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name
Links to More Info: K11564
Component: Local Traffic Manager
Symptoms:
If you apply a custom HTTP profile to a virtual server, and the maximum header size defined in the profile is exceeded, the BIG-IP system lists the wrong profile name in the corresponding log message. Instead of logging the profile name associated with the virtual server, the BIG-IP system logs the profile name as http.
For example:
tmm1[5133]: 011f0005:3: HTTP header (34083) exceeded maximum allowed size of 32768 (Client side: vip=http_10.1.0.30 profile=http pool=apache2)
Conditions:
-- You apply a custom HTTP profile to a virtual server.
-- The maximum header size defined in the profile is exceeded.
Impact:
The BIG-IP system lists the wrong profile name in the corresponding log message. This is a cosmetic error, as the correct profile is affected. Only its name is incorrectly reported.
Workaround:
None.
Fixed Versions:
12.1.3.6, 13.1.0.4
1089373-3 : OpenSSL Vulnerability: CVE-2022-0778
Links to More Info: K31323265
1089237-2 : OpenSSL Vulnerability: CVE-2022-0778
Links to More Info: K31323265
1087201-3 : OpenSSL Vulnerability: CVE-2022-0778
Links to More Info: K31323265
1078721-3 : TMM may consume excessive resources while processing ICAP traffic
Component: Service Provider
Symptoms:
Undisclosed ICAP traffic may cause an increase in TMM resource utilization.
Conditions:
ICAP profile enabled
Impact:
Undisclosed ICAP traffic may cause an increase in TMM resource utilization.
Workaround:
N/A
Fix:
TMM does not consume excessive resources while processing ICAP traffic.
Fixed Versions:
13.1.5
1072197-4 : Issue with input normalization in WebSocket.
Component: Application Security Manager
Symptoms:
Under certain conditions, attack signature violations might not be triggered in a WebSocket scenario.
Conditions:
- ASM handles WebSocket flow.
- Malicious WebSocket message contains specific characters.
Impact:
Attack detection is not triggered as expected.
Workaround:
N/A
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
13.1.5
1071365-2 : iControl SOAP WSDL hardening
Component: TMOS
Symptoms:
Under certain conditions iControl SOAP does not follow best practices for WSDL processing.
Conditions:
- Authenticated administrative user
- WSDL processing
Impact:
iControl SOAP does not follow current best practices.
Workaround:
N/A
Fix:
iControl SOAP now processes WSDL files according to current best practices.
Fixed Versions:
13.1.5
1069449-4 : ASM attack signatures may not match cookies as expected
Component: Application Security Manager
Symptoms:
Under certain conditions ASM attack signatures may not match cookies as expected.
Conditions:
- Specially crafted cookies
Impact:
Attack signatures are not detected as expected.
Workaround:
N/A
Fix:
ASM attack signatures now match cookies as expected.
Fixed Versions:
13.1.5
1067285-4 : Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.'
Component: Application Security Manager
Symptoms:
'F5 Networks, Inc.', 'F5 Networks Inc.', and 'F5 Networks' appear as 'F5, Inc.'
Conditions:
NA
Impact:
'F5 Networks, Inc', 'F5 Networks', and 'F5 Networks Inc' will appear as 'F5, Inc' to the end user, be it in online help or any ASM related screens.
Workaround:
NA
Fix:
'F5 Networks, Inc', 'F5 Networks', and 'F5 Networks Inc' will appear as 'F5, Inc' to the end user, be it in online help or any ASM related screens.
Fixed Versions:
13.1.5
1066285-2 : Master Key decrypt failure - decrypt failure.
Links to More Info: BT1066285
Component: TMOS
Symptoms:
After MCPD restarts or the system reboots:
-- the system is inoperative and MCPD may be restarting
-- the logs report this error:
err mcpd[12444]: 01071769:3: Decryption of the field (value) for object (config.auditing.forward.sharedsecret) failed while loading configuration that is encrypted with a different master key.
-- the system may be reporting this error:
load_config_files[5635]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.
This may occur during a system upgrade.
Conditions:
When config.auditing.forward.sharedsecret is encrypted and the master key value is changed.
Impact:
MCPD will continuously restart, and the system will remain inoperative.
Workaround:
If a system is affected by this issue, set the DB key back to its default value. Once the configuration is loaded, set the DB key back to the correct value:
- tmsh modify /sys db config.auditing.forward.sharedsecret value '<null>'
After changing the SecureValue master key but before encountering the issue, run the following command to update the value of the DB key on-disk:
setdb config.auditing.forward.sharedsecret "$(getdb config.auditing.forward.sharedsecret)"
Fix:
N/A
Fixed Versions:
13.1.5
1064961-5 : big3d may consume excessive resources when processing route domains
Component: Global Traffic Manager (DNS)
Symptoms:
Excessive CPU utilization by big3d daemon.
Conditions:
- 2 or more route domains in use
Impact:
Excessive resource consumption, potentially leading to reduced performance or a failover event.
Workaround:
N/A
Fix:
big3d now processes route domains as expected.
Fixed Versions:
13.1.5
1064617-4 : DBDaemon process may write to monitor log file indefinitely
Links to More Info: BT1064617
Component: Local Traffic Manager
Symptoms:
If debug logging is enabled for a database monitor (mssql, mysql, postgresql or oracle), the DBDaemon process may write to a monitor log file indefinitely, including after the monitor log file is rotated and/or deleted.
Conditions:
This problem may occur when:
- using a database monitor (mssql, mysql, postgresql or oracle) which is configured with the "debug" value set to "yes"
- using a database monitor (mssql, mysql, postgresql or oracle) for a pool member which is configured with the "logging" set to "enabled"
Impact:
The DBDaemon process may write debug logging messages to the affected monitor log file indefinitely, including after the monitor log file has been rotated and/or deleted.
As a result, storage in the /var/log volume may be consumed to the point that other logging cannot be performed, and the BIG-IP instance may be restarted/rebooted.
Workaround:
To work around this issue, restart the DBDaemon process.
To find the PID of the DBDaemon process, observe the output of the following command:
ps -ef |grep -v grep | grep DB_monitor.jar | awk '{print($2)}'
To confirm whether the DBDaemon process is writing to a monitor log file, and if so, which file:
lsof -p $(ps -ef | grep -v grep | grep DB_monitor.jar | awk '{print($2)}') | grep -e COMMAND -e '/var/log/monitors'
To kill the DBDaemon process:
kill $(ps -ef | grep -v grep | grep DB_monitor.jar | awk '{print($2)}')
NOTE:
Killing the DBDaemon process will cause a short-term loss of database monitoring functionality, until DBDaemon is restarted by the next database monitor probe.
Fixed Versions:
13.1.5
1062513-1 : GUI returns 'no access' error message when modifying a GTM pool property.
Links to More Info: BT1062513
Component: Global Traffic Manager (DNS)
Symptoms:
When you modify a GTM pool property and then click "Update," the next page displays the error message "No access."
When you modify GTM pool properties using the GUI, the properties do not update or display.
Conditions:
This occurs when you modify a GTM pool property using the GUI.
Impact:
You cannot change a GTM pool property using the GUI.
Workaround:
Use TMSH to change the GTM pool property.
OR
Click on "Update" a second time in the GUI.
Fix:
N/A
Fixed Versions:
13.1.5
1060933-4 : Issue with input normalization.
Component: Application Security Manager
Symptoms:
Under certain conditions, attack signature violations may not be triggered.
Conditions:
- ASM provisioned with XML content profile
- Request contains XML body
Impact:
Attack detection is not triggered as expected.
Workaround:
None
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
13.1.5
1060409-1 : Behavioral DoS enable checkbox is wrong.
Component: Anomaly Detection Services
Symptoms:
The Behavioral DoS Enabled indicator is reported incorrectly after a configuration change when no traffic is sent to the virtual server.
Conditions:
Behavioral DoS is enabled and then disabled when no traffic is injected to the virtual server.
Impact:
After server health is stabilized and constant, the BIG-IP system doesn't report the configuration changes.
Workaround:
Send 1-2 requests to the server and the configuration will be updated.
Fix:
Behavioral DoS enabled/disabled flag is now reported correctly.
Fixed Versions:
13.1.5
1059185-4 : iControl REST Hardening
Component: TMOS
Symptoms:
Under certain conditions iControl REST does not follow current best practices.
Conditions:
- Authenticated administrative user
- iControl REST request
Impact:
iControl REST does not follow current best practices.
Workaround:
N/A
Fix:
iControl REST now follows current best practices.
Fixed Versions:
13.1.5
1055453-1 : Blocking page trims the last digit of the Support ID.
Links to More Info: BT1055453
Component: Application Security Manager
Symptoms:
The Support ID in a blocking page has the last digit trimmed.
Conditions:
The Support ID is 20 digits long.
Impact:
Support ID shown in a response page does not match what is shown in event log screen in GUI and in remote logging.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
13.1.5
1052929-1 : MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized.
Links to More Info: BT1052929
Component: Local Traffic Manager
Symptoms:
When MCPD starts, it may log an error message reporting an issue communicating with the onboard FIPS HSM. If the HSM is uninitialized, this message is erroneous and can be ignored.
Depending on the hardware platform, the message may be one of the following:
err mcpd[12345]: 01b50049:3: FIPSUserMgr Error: An internal login failure is being experienced on the FIPS card. Please issue 'FIPSutil loginreset -r' followed by 'bigstart restart' for a password reset. You will need your FIPS Security Officer password to reset the password..
err mcpd[12345]: 01b50049:3: FIPSUserMgr Error: An internal login failure is being experienced on the FIPS card. The FIPS card must be reinitialized, which will erase its contents..
Conditions:
-- BIG-IP system with an onboard FIPS HSM, or a vCMP guest running on a BIG-IP system with an onboard FIPS HSM
-- the FIPS HSM is not initialized, i.e. "fipsutil info" reports "FIPS state: -1".
Impact:
This message can be ignored when the FIPS HSM is not in-use, and is uninitialized.
Workaround:
Initialize the FIPS HSM following the instructions in the F5 Platforms : FIPS Administration manual.
Fixed Versions:
13.1.5
1051797-4 : Linux kernel vulnerability: CVE-2018-18281
Component: TMOS
Symptoms:
Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks.
Conditions:
A syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap().
Impact:
A stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused.
Workaround:
N/A
Fix:
Kernel updated to address CVE-2018-18281
Fixed Versions:
13.1.5
1051561-4 : iControl REST request hardening
Component: TMOS
Symptoms:
iControl REST does not follow current best practices.
Conditions:
- iControl REST request
Impact:
iControl REST does not follow current best practices.
Workaround:
N/A
Fix:
iControl REST now follows current best practices.
Fixed Versions:
13.1.5
1051213-4 : Increase default value for violation 'Check maximum number of headers'.
Links to More Info: BT1051213
Component: Application Security Manager
Symptoms:
Due to a recent change in browsers, up to 7 additional headers are inserted in the request.
ASM has a default limit of 20 headers, so when legitimate requests have more than 20 headers, they are blocked with the violation "Maximum Number of Headers exceeded".
Conditions:
When the number of headers passed in request is greater than the value of maximum number of headers set, then this violation is raised.
Impact:
Legitimate requests are blocked with the violation "Maximum Number of Headers exceeded" when the number of headers is greater than the value set for the policy (default 20).
Workaround:
Increase "Check maximum number of headers" to 30 under Learning and Blocking settings screen for a policy.
Fix:
Increased default value of maximum number of headers to 30.
Fixed Versions:
13.1.5
1051209-4 : BD may not process certain HTTP payloads as expected
Component: Application Security Manager
Symptoms:
Under certain conditions BD may not process HTTP payloads as expected.
Conditions:
- HTTP request
Impact:
Payloads are not processed as expected, potentially leading to missed signature matches.
Workaround:
N/A
Fix:
BD now processes HTTP payloads as expected.
Fixed Versions:
13.1.5
1050697-1 : Traffic learning page counts Disabled signatures when they are ready to be enforced
Component: Application Security Manager
Symptoms:
The traffic learning page counts Disabled signatures when they are ready to be enforced.
Conditions:
Policy has a disabled signature.
Impact:
Traffic learning page shows different counts of "ready to be enforced" signatures compared to Security ›› Application Security : Security Policies : Policies List ›› <policy name>
Workaround:
None
Fixed Versions:
13.1.5
1050537-4 : GTM pool member with none monitor will be part of load balancing decisions.
Links to More Info: BT1050537
Component: Global Traffic Manager (DNS)
Symptoms:
A GTM pool member containing no monitor (status=BLUE) is not included in load balancing decisions.
Conditions:
A GTM pool member has its monitor value set to none.
Impact:
GTM does not load balance to this pool member.
Workaround:
N/A
Fix:
GTM pools with a "none" monitor are now handled.
Behavior Change:
GTM pool members with a "none" monitor are now part of load balancing decisions.
Fixed Versions:
13.1.5
1049229-4 : When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays.
Links to More Info: BT1049229
Component: Advanced Firewall Manager
Symptoms:
An authenticated administrative user tries to create a sub-rule under the Network Firewall rule list from the GUI and is redirected to a 'No Access' error page.
Conditions:
This error can occur when you create a sub-rule under the Network Firewall rule list in the TMOS GUI on a version of BIG-IP (including engineering hotfixes) that includes the fixes for BIG-IP bugs ID1032405 and ID941649.
Impact:
The user cannot create a sub-rule under the Network Firewall rule list in the TMOS GUI.
Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.
Fix:
After the fixes for ID1032405 and ID941649 are installed, the "No Access" errors no longer occur when you create a sub-rule under the Network Firewall rule list in the TMOS GUI.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1047169-4 : GTM AAAA pool can be deleted from the configuration despite being in use by an iRule.
Links to More Info: BT1047169
Component: TMOS
Symptoms:
A BIG-IP Administrator is incorrectly able to delete a GTM AAAA pool from the configuration, despite this object being referenced in an iRule in use by an AAAA wideip.
An error similar to the following example will be visible in the /var/log/gtm file should the iRule referencing the pool run after the pool has been deleted:
err tmm[11410]: 011a7001:3: TCL error: Rule /Common/my_rule <DNS_REQUEST> - GTM Pool 'my_pool' of type 'A' not found (line 1)GTM Pool 'my_pool' of type 'A' not found (line 1) invoked from within "pool my_pool"
Note the error message incorrectly reports the pool as type A (it should report type AAAA).
Conditions:
-- Two GTM pools of type A and AAAA share the same exact name (which is legal).
-- The pool name is referenced in an iRule by the 'pool' command.
-- The iRule is in use by an AAAA wideip.
-- A BIG-IP Administrator attempts to delete the AAAA pool.
Impact:
The system incorrectly allows the deletion of the AAAA pool from the configuration.
Consequently, the next time the GTM configuration is reloaded from file, the operation will fail.
Additionally, traffic which relied on the pool being present in the configuration will fail.
Fixed Versions:
13.1.5
1047053-4 : TMM may consume excessive resources while processing RTSP traffic
Component: Service Provider
Symptoms:
Under certain conditions, TMM may consume excessive resources while processing RTSP traffic.
Conditions:
- RTSP profile enabled
- Undisclosed traffic
Impact:
An increase in TMM resource utilization, potentially leading to a crash and failover event.
Workaround:
N/A
Fix:
TMM now processes RTSP traffic as expected.
Fixed Versions:
13.1.5, 15.1.5
1046785-5 : Missing GTM probes when max synchronous probes are exceeded.
Links to More Info: BT1046785
Component: Global Traffic Manager (DNS)
Symptoms:
GTM probes are missing, resources are marked down.
When instances fail and BIG-IP is not aware of the failure, some virtual servers/pool members are marked as available, and some objects are marked down on some of the sync group members.
Conditions:
Max synchronous probes are exceeded. This value is controlled by the GTM global variable max-synchronous-monitor-requests.
Impact:
-- Resources are marked down.
-- Inconsistent monitor statuses across BIG-IP DNS systems in a single sync group.
-- Because some monitor instances don't have monitor traffic, if an instance fails, the BIG-IP DNS systems may not be aware of the failure.
Workaround:
Increase the value of Max Synchronous Monitor Requests:
tmsh modify gtm global-settings metrics max-synchronous-monitor-requests value <value - default is 20>
Fix:
All monitors are now allowed to probe without triggering a failure.
Fixed Versions:
13.1.5
1046693-1 : TMM with BFD configured might crash under significant memory pressure
Links to More Info: BT1046693
Component: TMOS
Symptoms:
TMM might crash when processing BFD traffic under high memory pressure.
Conditions:
- BFD in use.
- TMM under high memory pressure.
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
13.1.5
1046669-4 : The audit forwarders may prematurely time out waiting for TACACS responses
Links to More Info: BT1046669
Component: TMOS
Symptoms:
If a TACACS server takes longer than five seconds to respond, the audit forwarder will reset the connection.
Conditions:
-- Using remote TACACS logging.
-- TACACS server takes longer than 5 seconds to respond to logging requests.
Impact:
Misleading log messages.
Fix:
The time that a BIG-IP system will wait for a response from a TACACS server is now configurable using the DB variable config.auditing.forward.tacacs.timeout.response.
Behavior Change:
The time that a BIG-IP system will wait for a response from a TACACS server is now configurable using the DB variable config.auditing.forward.tacacs.timeout.response.
Fixed Versions:
13.1.5
1045549-1 : BFD sessions remain DOWN after graceful TMM restart
Links to More Info: BT1045549
Component: TMOS
Symptoms:
BFD sessions remain DOWN after graceful TMM restart
Conditions:
TMM is gracefully restarted, for example with the 'bigstart restart tmm' command.
Impact:
BFD sessions remain DOWN after graceful TMM restart
Workaround:
After restarting TMM, restart tmrouted.
Fixed Versions:
13.1.5
1045421-4 : No Access error when performing various actions in the TMOS GUI
Links to More Info: K16107301 , BT1045421
Component: TMOS
Symptoms:
An authenticated administrative user is redirected to a 'No Access' error page while performing various actions in the TMOS GUI, including when trying to:
-- Apply a policy to a virtual server
-- Import images (TMOS images / hotfixes / apmclients)
-- Export/apply an APM policy
-- Run the high availability (HA) setup wizard
-- Export a certificate/key through one of the following paths:
---- System / Certificate Management : Traffic Certificate Management : SSL Certificate List / test-renew-self-sign / Renew
---- DNS / GSLB : Pools : Pool List / Click Testpool / Click Members / Click Manage
---- System / Software Management : APM Clients / Import
---- System / Certificate Management : Traffic Certificate Management : SSL Certificate List / NewSSLCert / Certificate / Export / Click Download
Conditions:
This may occur when performing various actions in the TMOS GUI on a version of BIG-IP software (including Engineering Hotfixes) that includes fixes for ID1032405 :: https://cdn.f5.com/product/bugtracker/ID1032405.html and ID941649 :: https://cdn.f5.com/product/bugtracker/ID941649.html .
Impact:
Cannot perform various actions in the TMOS GUI.
Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.
Fix:
'No Access' errors no longer occur when performing various actions in the TMOS GUI under these conditions.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1045101-1 : Bd may crash while processing ASM traffic
Component: Application Security Manager
Symptoms:
Bd may crash when handling HTTP requests with APM and ASM.
Conditions:
- ASM and APM are provisioned
- Session awareness is enabled and "Use APM Username and Session ID" is selected in "Application Username" configuration
- Specially crafted HTTP request
Impact:
Bd crash leading to a traffic disruption and failover event.
Workaround:
N/A
Fix:
Bd now processes ASM and APM traffic as expected.
Fixed Versions:
13.1.5, 15.1.5, 16.1.2.1
1044425-5 : NSEC3 record improvements for NXDOMAIN
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses can be improved to support current best practices.
Conditions:
- DNSSEC zone configured
Impact:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses do not follow current best practices.
Workaround:
N/A
Fix:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses now follow current best practices.
Fixed Versions:
13.1.5
1043385-1 : No Signature detected If Authorization header is missing padding.
Component: Application Security Manager
Symptoms:
If the authentication scheme value in the Authorization header contains base64 with extra or missing padding, ASM does not detect any attack signatures.
Conditions:
An HTTP request whose Authorization header contains a base64 value with extra or missing padding.
Impact:
Attack signature not detected.
Workaround:
N/A
Fix:
Base64 values with extra or missing padding are now handled so that attack signatures are detected.
Fixed Versions:
13.1.5
1043277-1 : 'No access' error page displays for APM policy export and apply options.
Links to More Info: K06520200 , BT1043277
Component: TMOS
Symptoms:
An authenticated administrative user is redirected to a 'NO ACCESS' error page while exporting/applying an APM policy in the TMOS GUI.
Conditions:
This issue can occur when exporting/applying an APM policy in the TMOS GUI on a version of BIG-IP software (including Engineering Hotfixes) that includes fixes for ID1032405 :: https://cdn.f5.com/product/bugtracker/ID1032405.html and ID941649 :: https://cdn.f5.com/product/bugtracker/ID941649.html.
Impact:
Cannot export/apply an APM policy in the TMOS GUI.
Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.
Fix:
'No Access' errors no longer occur when exporting/applying an APM policy in the TMOS GUI under these conditions.
Fixes introduced for ID1045421 and ID1049229 (i.e., both fixes) resolve this issue.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1
1042993-4 : Provisioning high availability (HA) setup wizard fails to load, reports 'No Access'
Links to More Info: K19272127 , BT1042993
Component: TMOS
Symptoms:
An authenticated administrative user is redirected to a 'NO ACCESS' error page while running the high availability (HA) setup wizard.
Conditions:
This may occur when running the high availability (HA) setup wizard in the TMOS GUI on a version of BIG-IP software (including Engineering Hotfixes) that includes fixes for ID1032405 :: https://cdn.f5.com/product/bugtracker/ID1032405.html and ID941649 :: https://cdn.f5.com/product/bugtracker/ID941649.html .
Impact:
You are unable to run the Config Sync/HA setup wizard to completion.
Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.
Fix:
'NO ACCESS' error pages no longer appear while running the high availability (HA) setup wizard in the TMOS GUI under these conditions.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1
1042069-4 : Some signatures are not matched under specific conditions.
Component: Application Security Manager
Symptoms:
Some signatures are not matched and attack traffic can pass through.
Conditions:
More than 20 signatures share a common keyword with the signature that fails to match (a signature containing both the common keyword and a new keyword).
Impact:
Attacking traffic can bypass the WAF.
Workaround:
N/A
Fix:
Attack signatures that share words with other attack signatures are now matched correctly.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2.1
1042009-4 : Mcpd fails to reply if a request is proxied to another daemon and the connection to that daemon closes
Links to More Info: BT1042009
Component: TMOS
Symptoms:
Mcpd does not reply to the request if the publisher's connection closes or fails, in this case when bcm56xxd is restarted. The perceivable signs of the failure are snmpwalk failing with a timeout and "MCPD query response exceeding" log messages.
Conditions:
1) Configure SNMP on the BIG-IP so you can run snmpwalk locally on the BIG-IP.
2) From one session on the BIG-IP, run snmpwalk in a while loop:
while true;do date; snmpwalk -v2c -c public 127.0.0.1 sysDot1dbaseStat;sleep 2;done
Sample output:
Sat Aug 21 00:57:23 PDT 2021
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatResetStats.0 = INTEGER: 0
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatMacAddr.0 = STRING: 0:23:e9:e3:8b:41
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatNumPorts.0 = INTEGER: 12
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatType.0 = INTEGER: transparentonly(2)
3) From a second session on the BIG-IP, restart bcm56xxd:
bigstart restart bcm56xxd
4) The snmpwalk continually reports the following:
Timeout: No Response from 127.0.0.1
and snmpd continually logs "MCPD query response exceeding" every 30 seconds in /var/log/ltm.
Impact:
SNMP stops responding to queries after an upgrade.
Workaround:
Restart snmpd.
Fixed Versions:
13.1.5
1040821-1 : Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes
Links to More Info: BT1040821
Component: TMOS
Symptoms:
Address Translation and Port Translation checkboxes are automatically checked under the virtual server's advanced configuration.
Conditions:
The virtual server's Advanced configuration option is selected, followed by adding an iRule or a pool.
Impact:
The Address and Port translation options are automatically checked when the default is to have them unchecked.
Workaround:
Manually uncheck the Address Translation and Port Translation checkboxes under the virtual server's advanced configuration.
Fixed Versions:
13.1.5
1038913-1 : The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category
Component: Application Visibility and Reporting
Symptoms:
In the GUI under "Security ›› Reporting : Application : Charts", when filtering "View By" as IP Intelligence, the "Last Week", "Last Month" and "Last Year" reports show the "Safe" category instead of "Aggregated".
Conditions:
-- ASM is provisioned
-- The system is under heavy traffic
-- The number of stats records per report period (5 min) is higher than 10,000
Impact:
Inaccurate Last Week IPI reporting
Fixed Versions:
13.1.5
1038741-1 : NTLM type-1 message triggers "Unparsable request content" violation.
Links to More Info: BT1038741
Component: Application Security Manager
Symptoms:
When the internal parameter for "authorization header decode failure" is disabled, a valid NTLM type-1 message is blocked with the "Unparsable request content" violation.
Conditions:
The internal parameter ignore_authorization_header_decode_failure is disabled.
Impact:
Valid NTLM type-1 messages are blocked by ASM.
Workaround:
Enable the internal parameter ignore_authorization_header_decode_failure; ASM then does not block the NTLM type-1 message request.
Fixed Versions:
13.1.5
1038733-1 : Attack signature not detected for unsupported authorization types.
Component: Application Security Manager
Symptoms:
ASM does not detect attack signatures when an unsupported Bearer authorization type carries a header value in base64 format.
Conditions:
An HTTP request containing a Bearer Authorization header whose base64-encoded value contains a matching signature.
Impact:
ASM does not raise a violation and does not block the request.
Workaround:
N/A
Fix:
ASM now decodes the base64 value in the Bearer Authorization header, performs attack signature matching, and raises a violation and blocks the request if it contains an attack.
Fixed Versions:
13.1.5
1038629-2 : DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client
Links to More Info: BT1038629
Component: Local Traffic Manager
Symptoms:
With a DTLS virtual server, when the client sends a CLOSE_NOTIFY alert, BIG-IP simply closes the connection without sending CLOSE_NOTIFY back to the client or to the backend server. This causes the backend server not to close/shut down the connection completely.
Conditions:
This issue occurs with all DTLS virtual servers that have associated client-ssl and server-ssl profiles.
Impact:
The backend server and client have a dangling connection for a certain period of time (based on the timeout implementation at the respective ends).
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
1037457-4 : High CPU during specific DoS mitigation
Component: Application Security Manager
Symptoms:
CPU usage is high.
Conditions:
A DoS attack with specific characteristics is active, and the policy is configured in a specific way.
Impact:
While the attack is mitigated on the BIG-IP system and does not reach the server, the CPU of the BIG-IP increases and this may impact other services on the BIG-IP device.
Workaround:
N/A
Fix:
A specific high-CPU scenario during DoS attacks was fixed.
Fixed Versions:
13.1.5
1036521-5 : TMM crash in certain cases
Links to More Info: BT1036521
Component: Application Security Manager
Symptoms:
TMM crashes in certain cases when dosl7 is attached.
Conditions:
TMM is configured with dosl7
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
N/A
Fixed Versions:
13.1.5
1035853-5 : Transparent DNS Cache can consume excessive resources.
Links to More Info: K41415626 , BT1035853
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, the Transparent DNS Cache can consume excessive resources.
Conditions:
- GTM/DNS is provisioned
- Transparent DNS Cache is configured on a virtual server
Impact:
Excessive resource consumption, which can lead to increased server-side load.
Workaround:
N/A
Fix:
The Transparent DNS Cache now consumes resources as expected.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2
1035133-1 : Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab
Links to More Info: BT1035133
Component: Application Visibility and Reporting
Symptoms:
In various BIG-IQ GUI forms under the "Monitoring" tab (for example Monitoring -> Local Traffic -> HTTP), data for some time periods are missing.
Multiple "Unexpected end of ZLIB input stream" errors appear in the BIG-IQ DCD logs under /var/log/appiq/gc_agent-manager.log.
Conditions:
BIG-IP is attached to BIG-IQ, and traffic volume is high.
Impact:
Data in BIG-IQ are missing; therefore some graphs show incorrect information.
Workaround:
None
Fix:
Fixed an issue with missing statistics.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1034941-4 : Exporting and then re-importing "some" XML policy does not load the XML content-profile properly
Links to More Info: BT1034941
Component: Application Security Manager
Symptoms:
Exporting and then re-importing an existing ASM policy in XML format does not load its XML content-profile properly. An XML content-profile containing a firewall configuration shows the 'Import URL' as N/A for most .xsd files.
Conditions:
Corner case: the second import_url value is null.
Impact:
The import_url field is set to N/A for all files except the first one.
Workaround:
None
Fix:
Fixed incorrect XML export when the content-profile has multiple import_url values.
Fixed Versions:
13.1.5
1034589-4 : No warning is given when a pool or trunk that was in use by a high availability (HA) Group is deleted from the configuration.
Links to More Info: BT1034589
Component: TMOS
Symptoms:
It is possible to delete a Pool or Trunk from the configuration while one or more high availability (HA) Groups still reference it.
As a result, the configuration of affected high availability (HA) Groups is automatically and silently adjusted (i.e. the deleted object is no longer referenced by any high availability (HA) Group).
The lack of warning about this automatic change could lead to confusion.
Conditions:
A pool or trunk is deleted from the configuration while still being referenced from a high availability (HA) Group.
Impact:
The automatic and silent removal of the deleted object from all high availability (HA) Groups may go unnoticed by BIG-IP Administrators, with potential consequences on the failover behavior of the devices.
Fix:
A warning message is logged to /var/log/ltm, and is also presented in tmsh.
Fixed Versions:
13.1.5
1034365 : DTLS handshake fails with DTLS1.2 client version
Links to More Info: BT1034365
Component: Local Traffic Manager
Symptoms:
The DTLS handshake fails when a client initiates a handshake with BIG-IP using DTLS 1.2.
Conditions:
This problem can occur when a DTLS client supports both DTLS 1.0 and DTLS 1.2.
Impact:
DTLS handshakes can fail.
Workaround:
If possible, force the client to use only DTLS 1.0 in the client hello negotiation.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5
1033837-4 : REST authentication tokens persist on reboot
Component: TMOS
Symptoms:
REST authentication tokens persist across reboots. Current best practices require that they be invalidated at boot.
Conditions:
- REST authentication token in use
- BIG-IP restarts
Impact:
REST authentication tokens are not invalidated at boot.
Workaround:
N/A
Fix:
REST authentication tokens are now invalidated at boot.
Behavior Change:
Existing REST tokens are now invalidated on boot; new tokens will need to be generated after a reboot.
Fixed Versions:
13.1.5
1032077 : TACACS authentication fails with tac_author_read: short author body
Links to More Info: BT1032077
Component: TMOS
Symptoms:
If a TACACS user is part of a group with tens of attribute-value pairs (AVPs), where the combined length of all the AVPs is such that the authorization reply message from the TACACS server is segmented, the login fails.
The error message logged when the login fails is:
"tac_author_read: short author body, 4468 of 6920: Operation now in progress"
The numbers 4468 and 6920 will vary.
Conditions:
- TACACS authentication
- TACACS user that is part of a group where the combined length of the AVPs is greater than the largest TCP segment the TACACS server is able to send.
Impact:
The user is unable to log in.
Workaround:
If possible, reduce the number of attributes of the TACACS group or user.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1031445 : Intermittent false positive unparseable request violations with unknown authorization
Component: Application Security Manager
Symptoms:
False positive unparseable request violations with an authorization header error in the violation description.
Conditions:
Specific authorization headers. The issue is intermittent and does not always reproduce.
Impact:
False positive violations, resulting in incorrect blocking.
Workaround:
N/A
Fix:
Fixed the false positive unparseable request violation.
Fixed Versions:
13.1.5
1030853-4 : Route domain IP exception is being treated as trusted (for learning) after being deleted
Links to More Info: BT1030853
Component: Application Security Manager
Symptoms:
Traffic is considered trusted for learning even though a trusted IP exception was deleted.
Conditions:
Creating and then deleting a route domain-specific IP exception.
Impact:
Traffic learning suggestions scores are miscounted.
In automatic policy builder mode the policy can be updated by the policy builder based on the wrong score counting.
Workaround:
Stop and restart learning for the relevant policy.
Fix:
When a route domain IP Exception configured for trusted learning is deleted, subsequent suggestion scores are calculated correctly, without treating the deleted IP as trusted.
Fixed Versions:
13.1.5
1029897-4 : Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members.
Links to More Info: K63312282 , BT1029897
Component: Local Traffic Manager
Symptoms:
The BIG-IP system may pass malicious requests to server-side pool members.
Conditions:
1. The BIG-IP LTM has one or more virtual servers configured to proxy HTTP/2 requests from the client-side to HTTP/1 requests on the server-side.
2. An HTTP/2 client sends a request with one of the following issues and the BIG-IP passes it to the server-side pool members:
a. H2.TE request line injection
I. An HTTP/1 request embedded within an HTTP/2 pseudo-header value
II. Individual carriage return (CR) or line feed (LF) allowed within an HTTP/2 pseudo-header
b. Request line injection (folder traps)
c. Request line injection (rule bypass)
Impact:
Malicious HTTP/2 requests can be translated to HTTP/1 requests and sent to the pool member web server. Depending on the behavior of the pool member web server, this can lead to an HTTP request smuggling attack. When the affected virtual server is configured with the OneConnect profile, an attacker might be able to impact the responses sent to a different client.
Workaround:
You can configure the BIG-IP ASM system or Advanced WAF to block an HTTP/1 request that is embedded within an HTTP/2 pseudo header value from being sent to the backend server.
Fix:
This has been fixed so that client requests are appropriately rejected by BIG-IP.
Fixed Versions:
13.1.5
1026605-1 : When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes
Links to More Info: BT1026605
Component: Local Traffic Manager
Symptoms:
When bigd.mgmtroutecheck is enabled and monitors are configured in a non-default route domain, bigd may calculate the interface index incorrectly. This can result in monitor probes being improperly denied when they egress a non-mgmt VLAN, or in monitor probes being allowed to egress the management interface.
Conditions:
-- Bigd.mgmtroutecheck is enabled.
-- Monitor probes in a non-default route domain
-- More than one VLAN configured in the route-domain
Impact:
Monitor probes may be denied even though they egress a non-mgmt VLAN.
Monitor probes may be improperly allowed out a mgmt interface.
/var/log/ltm:
err bigd.0[19431]: 01060126:3: Health check would route via mgmt port, node fc02:0:0:b::1%1. Check routing table.
bigd debug log:
:(_do_ping): probe denied; restricted egress device and route check [ tmm?=false td=true tr=false addr=fc02:0:0:b::1%1:0 srcaddr=none ]
Workaround:
Disable bigd.mgmtroutecheck, or reduce the number of VLANs inside the route domain.
Fix:
The bigd interface index is now calculated properly.
Fixed Versions:
13.1.5
1024621-1 : Re-establishing BFD session might take longer than expected.
Links to More Info: BT1024621
Component: TMOS
Symptoms:
It might take a few minutes for a BFD session to come up. During this time the session state transitions multiple times between 'Admin Down' and 'Down'.
Conditions:
A BFD peer tries to re-establish a session with BIG-IP, choosing ephemeral ports that disaggregate to different TMMs.
Impact:
It might take a few minutes for a BFD session to come up.
Workaround:
Increasing the Tx/Rx timers (for example, to 1000 Tx/Rx) minimizes the chance of hitting the problem.
Fixed Versions:
13.1.5
1024553-4 : GTM Pool member set to monitor type "none" results in big3d: timed out
Links to More Info: BT1024553
Component: Global Traffic Manager (DNS)
Symptoms:
A pool member is marked down with a 'none' type monitor attached.
Conditions:
-- GTM pool member with a 'none' monitor configured
Impact:
Setting a pool member to have "none" monitor should result in a blue "checking" status but it may mark the pool member as down/unavailable.
Workaround:
N/A
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5
1024325-1 : EHF installation is not updating the Linux Kernel
Links to More Info: BT1024325
Component: TMOS
Symptoms:
After EHF installation, the Linux kernel contains the base installation version only.
Conditions:
The BIG-IP hotfix ISO contains a kernel RPM.
Impact:
Any new patches/changes in the new Linux kernel that is part of the hotfix image do not take effect (the new kernel does not run).
Workaround:
When the fix requires changes to the Linux kernel, install the regular full ISO instead of the hotfix.
Fix:
Updated the install post scripts to handle new Linux kernel files properly.
Fixed Versions:
13.1.5
1023993-1 : Brute Force is not blocking requests, even when auth failure happens multiple times
Component: Application Security Manager
Symptoms:
After brute force protection is configured, requests that carry multiple Authorization headers are not blocked when they should be.
Conditions:
More than one Authorization header is present in the request.
Impact:
Specially crafted requests with multiple Authorization headers bypass the brute force checks, so brute force attacks are possible.
Workaround:
Enable the "Illegal repeated header" violation and configure the Authorization header's repeated occurrence setting to disallow.
Fix:
ASM now detects the brute force attempt when multiple Authorization headers are present in the request.
Fixed Versions:
13.1.5
1023437-5 : Buffer overflow during attack with large HTTP Headers
Component: Anomaly Detection Services
Symptoms:
When the HTTP headers are larger than 1024 characters and one of the anomalous textual headers is located after the first 1024 characters, a buffer overflow might occur.
Conditions:
HTTP or TLS signature protection is activated, and an anomalous request arrives during an attack.
Impact:
Most of the time this results in bad characters in the signature name; more rarely it results in a memory access violation, which could be exploited as a buffer overflow attack.
Fix:
The HTTP metadata size limit is now enforced so that metadata lies within the first 1024 characters of the HTTP headers payload.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
1023341-4 : HSM hardening
Component: Local Traffic Manager
Symptoms:
Under certain conditions, HSM interactions do not follow current best practices.
Conditions:
- HSM in use
Impact:
Certain HSM interactions do not follow current best practices.
Workaround:
N/A
Fix:
HSM interactions now follow current best practices.
Fixed Versions:
13.1.5, 16.1.1
1022637-4 : A partition other than /Common may fail to save the configuration to disk
Links to More Info: BT1022637
Component: TMOS
Symptoms:
There is a mismatch between the running configuration (i.e. what is returned by "tmsh list ...") and the saved configuration (i.e. what is stored in the flat configuration files) for a partition other than /Common, even though a "tmsh save config" operation was just performed (either by the user or as a result of a config-sync).
Conditions:
- One or more partitions other than /Common exist on the system.
- One or more of said partitions have no more configuration objects defined in them (i.e. are empty).
- A config save operation similar to "tmsh save sys config partitions { Common part1 [...] }" occurs, either manually initiated by an Administrator or as a result of a config-sync operation (in which case the device-group must be configured for manual synchronization).
Impact:
Should a BIG-IP Administrator notice the mismatch, the only immediate impact is confusion as to why the config save operation was not effective.
However, as the flat config files are now out-of-date, performing a config load operation on a unit in this state will resurrect old configuration objects that had been previously deleted.
On an Active unit, this may affect traffic handling. On a redundant pair, there is the risk that the resurrected objects may make it to the Active unit after a future config-sync operation.
Workaround:
If you notice the mismatch, you can resolve it by performing a config save operation for all partitions (i.e. "tmsh save sys config").
Fix:
Non /Common partitions now get saved to disk as intended.
Fixed Versions:
13.1.5, 15.1.5
1022269-4 : False positive RFC compliance violation
Links to More Info: BT1022269
Component: Application Security Manager
Symptoms:
False positive RFC compliance violation.
Conditions:
An Authorization header of specific types.
Impact:
False positive violations.
Workaround:
Turn on an internal parameter:
/usr/share/ts/bin/add_del_internal add ignore_authorization_header_decode_failure 1
Fix:
Added tolerance to the authorization headers parser.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.2
1021417-5 : Modifying GTM pool members with replace-all-with results in pool members with order 0
Links to More Info: BT1021417
Component: Global Traffic Manager (DNS)
Symptoms:
A GTM pool has multiple members with order 0.
Conditions:
The pool members given to the replace-all-with command overlap with the existing pool members being replaced.
Impact:
Multiple pool members have the same order.
Workaround:
Perform this procedure:
1. Delete all pool members from the GTM pool.
2. Use replace-all-with.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1021061-1 : Config fails to load for large config on platform with Platform FIPS license enabled
Links to More Info: BT1021061
Component: Global Traffic Manager (DNS)
Symptoms:
Config fails to load.
Conditions:
-- Platforms with Platform FIPS license enabled.
-- There are several ways to encounter this. One is with a large GTM (DNS) configuration that requires extending the gtmd stats file.
Impact:
Config file fails to load. For the gtmd configuration, gtmd repeatedly logs error messages similar to:
err gtmd[14954]: 011af002:3: TMSTAT error 'Invalid argument' creating row '/Common/vs_45_53' in table 'gtm_vs_stat'
For merged daemon, reports messages similar to:
err merged[9166]: 011b0900:3: TMSTAT error tmstat_row_create: Invalid argument.
Workaround:
None
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
1020789-1 : Cannot deploy a four-core vCMP guest if the remaining cores are in use.
Links to More Info: BT1020789
Component: TMOS
Symptoms:
When trying to deploy a vCMP guest on an i11800 vCMP host using four or more cores while all of the other cores are in use, the following error message may be seen:
err mcpd[<pid>]: 0107131f:3: Could not allocate vCMP guest (<guest_name>) because fragmented resources
A similar allocation failure occurs with eight-core guests. When trying to deploy an eight-core guest on an i11800 vCMP host where four 2-core guests are in use, the following error message may be seen:
0107131f:3: Could not allocate vCMP guest (guest-8cores-A) because fragmented resources
Conditions:
-- vCMP provisioned and all or most cores are in use.
-- Attempt to deploy a guest.
This is more likely to occur with vCMP guests that use four or more cores.
Impact:
All of the available cores cannot be used.
Workaround:
You may be able to work around this by deploying the largest guests first, then any remaining 2-core guests.
There is currently no other fix.
Fix:
N/A
Fixed Versions:
13.1.5
1020717-1 : Policy versions cleanup process sometimes removes newer versions
Component: Application Security Manager
Symptoms:
The policy versions cleanup process sometimes removes versions in incorrect order. Newer versions are removed while older versions are preserved.
Conditions:
"maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg" has very low value.
Impact:
Newer versions are removed.
Workaround:
Increase the value of the "maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg".
Fixed Versions:
13.1.5
1019853-4 : Some signatures are not matched under specific conditions
Links to More Info: K30911244 , BT1019853
Component: Application Security Manager
Symptoms:
Some signatures are not matched, attacking traffic may pass through.
Conditions:
- Undisclosed signature conditions
Impact:
Attacking traffic can bypass the WAF.
Workaround:
N/A
Fix:
Signatures are now matched as expected.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1019085-3 : Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file. ★
Links to More Info: BT1019085
Component: TMOS
Symptoms:
Network virtual-addresses default to "arp disabled" and "icmp-echo disabled". However, a BIG-IP Administrator can change these settings to "enabled", if required.
Either following a software upgrade or a reload of the configuration from file, network virtual-addresses that had previously been set to "icmp-echo enabled" revert to the default of "icmp-echo disabled".
Conditions:
- One or more network virtual-addresses configured with "icmp-echo enabled".
- A software upgrade or reload of the configuration from file occurs (for example, taking and restoring a UCS archive, removing the mcpd binary database and reloading the config, etc.).
Impact:
Traffic failures can occur as a result of the affected network virtual-addresses not being presented to the surrounding network as originally intended by the BIG-IP Administrator.
Workaround:
Manually configure the affected virtual-addresses to "icmp-echo enabled" again. This workaround is not permanent, and the issue will occur again in the future given the right conditions.
Fix:
Network virtual-addresses no longer lose the "icmp-echo enabled" property.
Fixed Versions:
13.1.5
1019081-1 : HTTP/2 hardening
Links to More Info: K97045220 , BT1019081
Component: Local Traffic Manager
Symptoms:
Under certain conditions, the HTTP/2 profile does not follow current best practices.
Conditions:
- HTTP/2 profile enabled
Impact:
The HTTP/2 profile does not follow current best practices.
Workaround:
N/A
Fix:
TMM now processes HTTP/2 traffic as expected.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.3.1
1018613-5 : Modifying wide IP pools with replace-all-with results in pools with the same order 0
Links to More Info: BT1018613
Component: Global Traffic Manager (DNS)
Symptoms:
Multiple pools on a wide IP have order 0.
Conditions:
The pools given to the replace-all-with command overlap with the existing pools being replaced.
Impact:
iQuery flapping between GTMs.
Workaround:
First delete all pools from the wide IP, then use replace-all-with.
Fixed Versions:
13.1.5
1018577-1 : SASP monitor does not mark pool member with same IP Address but different Port from another pool member
Links to More Info: BT1018577
Component: Local Traffic Manager
Symptoms:
When the LTM SASP monitor is applied to a pool with multiple members having the same IP Address but different Ports, only one of the pool members with the duplicated IP Address will be monitored (marked UP or DOWN as appropriate). Other pool members sharing the same IP Address will remain in a 'checking' state.
Conditions:
This occurs when using the SASP monitor in a pool with multiple members having the same IP Address but different Ports.
For example:
ltm pool sasp_test_pool {
    members {
        sasp_1:80 {
            address 10.10.10.1
        }
        sasp_1:8080 {
            address 10.10.10.1
        }
        sasp_2:80 {
            address 10.10.10.2
        }
        sasp_2:8080 {
            address 10.10.10.2
        }
    }
    monitor sasp_test
}
In this case, only one pool member with a given IP Address will be correctly monitored by the sasp monitor.
Any additional pool members with the same IP Address but different port will not be monitored by the SASP monitor and will remain in a 'checking' state.
Impact:
Not all pool members may be effectively/accurately monitored by the SASP monitor.
Fix:
The ltm sasp monitor correctly monitors members of a pool which share the same IP Address but different Ports.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1018493-4 : Response code 304 from TMM Cache always closes TCP connection.
Links to More Info: BT1018493
Component: Local Traffic Manager
Symptoms:
When a virtual server is configured to accelerate HTTP traffic, it caches responses with 200 and 304 response codes. When serving a cached "304 Not Modified" response, TMM may close the connection to the client.
Conditions:
-- A virtual server has a web-acceleration profile (without a web application, for versions prior to 16.0.0).
-- A response with code 304, stored in TMM cache, is served to a request.
Impact:
A client needs to open a new TCP connection every time a response with the "304 Not Modified" code is served.
Fix:
TMM correctly serves a response with the "304 Not Modified" code and handles the TCP connection state correctly.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4, 16.1.2
1017645-4 : False positive HTTP compliance violation
Links to More Info: BT1017645
Component: Application Security Manager
Symptoms:
False-positive HTTP compliance violation.
Conditions:
Authorization header with bearer token and/or some other authorization headers types.
Impact:
False-positive traffic blocking.
Workaround:
Turn on an internal parameter by entering the following command from the BIG-IP CLI:
/usr/share/ts/bin/add_del_internal add ignore_authorization_header_decode_failure 1
Then restart ASM for this to take effect:
bigstart restart asm
Fix:
The RFC compliance violation is no longer issued for unknown types of authorization headers.
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
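The two Authorization-header entries above (1022269-4 and 1017645-4) describe the same class of false positive: a compliance check that tries to decode every Authorization credential as if it were base64 "user:password" trips on Bearer, Digest and other schemes. The following is an added illustration of that failure mode and of what scheme-aware tolerance looks like; it is example code written for this page, not ASM's parser, and the function names and sample headers are constructed for the example.

```python
import base64
import binascii
from typing import Tuple

# Added example (not F5/ASM code). Shows why decoding every Authorization
# credential as Basic produces false positives on other schemes, and the
# tolerant alternative: only decode when the scheme promises base64.


def parse_authorization(header_value: str) -> Tuple[str, str]:
    """Split an Authorization value into (scheme, credentials).

    Per RFC 7235 the scheme token is case-insensitive and is separated from
    the credentials by whitespace; everything after the first run of
    whitespace is the credential, which may itself contain spaces (Digest).
    """
    parts = header_value.strip().split(None, 1)
    if not parts:
        raise ValueError("empty Authorization header")
    scheme = parts[0].lower()
    credentials = parts[1].strip() if len(parts) > 1 else ""
    return scheme, credentials


def _basic_credentials_malformed(credentials: str) -> bool:
    """True if *credentials* is not base64 of 'user:password'."""
    try:
        decoded = base64.b64decode(credentials, validate=True)
    except (binascii.Error, ValueError):
        return True
    return b":" not in decoded


def strict_violation(header_value: str) -> bool:
    """Naive check: decode every credential as if it were Basic.

    Bearer tokens (JWTs carry '.' separators), Digest parameter lists and
    similar credentials are not valid base64, so every such request is
    reported as a violation: the false positive in the bug reports.
    """
    _, credentials = parse_authorization(header_value)
    return _basic_credentials_malformed(credentials)


def tolerant_violation(header_value: str) -> bool:
    """Tolerant check: Basic credentials are still validated, every other
    scheme passes through without raising a compliance violation."""
    scheme, credentials = parse_authorization(header_value)
    if scheme != "basic":
        return False
    return _basic_credentials_malformed(credentials)


# Constructed sample headers (not captured traffic).
SAMPLE_HEADERS = {
    "basic_ok": "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii"),
    "basic_bad": "Basic not*valid*base64",
    "bearer": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl",
    "digest": 'Digest username="alice", realm="app", nonce="abc123", uri="/", response="0123456789abcdef"',
}


def compare(headers=SAMPLE_HEADERS) -> dict:
    """Return {label: (strict_flags_it, tolerant_flags_it)} for each header."""
    return {label: (strict_violation(v), tolerant_violation(v)) for label, v in headers.items()}


if __name__ == "__main__":
    for label, (strict, tolerant) in compare().items():
        print(f"{label:10s} strict={strict!s:5s} tolerant={tolerant}")
```

Only the Basic header with a genuinely broken credential is flagged by both checks; the Bearer and Digest headers are flagged by the strict check alone, which is the blocking the workaround's internal parameter suppressed until the parser itself was fixed.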
1017513-1 : Config sync fails with error Invalid monitor rule instance identifier
Links to More Info: BT1017513
Component: Local Traffic Manager
Symptoms:
If you remove or attach a different monitor to an fqdn pool, then perform a full config-sync, an error occurs:
Load failed from /Common/bigip1 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 58.
Conditions:
-- BIG-IP device is configured with fqdn nodes/pools with monitors.
-- Modify an fqdn pool to remove or attach a different monitor.
-- Run the command: run cm config-sync to-group Failover
-- Perform a full config-sync.
Impact:
Sync to the peer device(s) fails.
Workaround:
Use incremental-sync.
Fixed Versions:
13.1.5, 14.1.4.5, 16.1.2.1
1016657-5 : TMM may crash while processing LSN traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing LSN traffic
Conditions:
- LSN listener enabled
- Packet filtering enabled
Impact:
TMM crash leading to a failover event
Workaround:
N/A
Fix:
TMM now processes LSN traffic as expected
Fixed Versions:
13.1.5
1015161-4 : Ephemeral pool member may not be created when FQDN resolves to address that matches static node
Links to More Info: BT1015161
Component: Local Traffic Manager
Symptoms:
An ephemeral pool member may not be created if the FQDN name resolves to a new IP address that matches an existing statically-configured node.
When this occurs, a message like the following appears in the LTM log:
err mcpd[4498]: 01070734:3: Configuration error: node (/Common/_auto_10.10.120.12) not found.
Note that the node name in the message is the expected name of an ephemeral node created for this address, not the actual name of the statically-configured node with that IP address.
Conditions:
This may occur if:
-- The FQDN node and pool member are created with the "autopopulate enabled" option.
-- The FQDN name resolves to more than one IP address.
-- One of these IP addresses was not included in the previous DNS query result.
-- There is a statically-configured node with the same IP address.
Impact:
An ephemeral pool member is not created for the IP address newly included in the DNS query result. This results in traffic not being load-balanced to all of the expected pool members.
Workaround:
Use one of the following methods to prevent this issue from occurring:
-- Avoid creating statically-configured nodes using the same IP addresses returned by resolution of configured node/pool member FQDN names.
-- Configure the FQDN pool member with "autopopulate disabled" (default), which creates only a single ephemeral pool member.
Perform this sequence of actions to recover from an occurrence of this issue:
1. Remove any pool members referencing the conflicting IP address(es) from their respective pool(s).
2. Delete the statically-configured node(s) using the conflicting IP address(es).
3. Add any pool members referencing the conflicting IP address(es) back to their respective pool(s).
Fix:
Ephemeral pool members are successfully created when the corresponding FQDN name resolves to one or more new IP addresses that conflict with statically-configured nodes.
Fixed Versions:
13.1.5, 14.1.4.5
1015133-1 : Tail loss can cause TCP TLP to retransmit slowly.
Links to More Info: BT1015133
Component: Local Traffic Manager
Symptoms:
If a long tail loss occurs during transmission, TCP might be slow to recover.
Conditions:
-- A virtual server is configured with the TCP profile attached.
-- SACK and TLP are enabled.
-- A tail loss of multiple packets sent by the BIG-IP occurs.
Impact:
BIG-IP retransmits one packet per RTT, causing a long recovery. The impact is more pronounced if an entire window is lost.
Workaround:
Disabling TLP may improve performance in this particular case, but may degrade performance in other situations.
Fix:
A new sys db key was added: tm.tcpaggressivepartialack (disabled by default). When enabled, more data is retransmitted every RTT, similar to slow-start.
Behavior Change:
A new sys db key was added: tm.tcpaggressivepartialack (disabled by default). When enabled, more data is retransmitted every RTT, similar to slow-start.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
1013145-4 : APM Hardening
Links to More Info: K32734107
1012721-3 : Tmm may crash with SIP-ALG deployment in a particular race condition
Links to More Info: BT1012721
Component: Service Provider
Symptoms:
Tmm crashes in SIP-ALG deployment
Conditions:
--- SIP-ALG is deployed
--- While processing the first SIP REGISTER on the server side
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Tmm no longer crashes in this race condition
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1, 16.1.1
1011285-5 : The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects.
Links to More Info: BT1011285
Component: Global Traffic Manager (DNS)
Symptoms:
If you attempt a POST or PATCH iControl REST request against a wide IP, and you include an empty 'lastResortPool' property in the JSON body, the system rejects the request as invalid and returns the following validation error:
{
"code": 400,
"message": "\"last-resort-pool\" requires a value",
"errorStack": [],
"apiError": 26214401
}
Conditions:
A POST or PATCH command against a wide IP object includes an empty lastResortPool property.
Impact:
Inability to create or modify the wide IP object.
Workaround:
You can use either of the following, depending on what you want to do:
-- To create a new wide IP object, remove the empty 'lastResortPool' property from the JSON body.
-- To remove the last-resort-pool from an already existing wide IP, define the property as follows instead:
"lastResortPool":"none"
Fixed Versions:
13.1.5, 15.1.5
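The workaround above is mechanical enough to build into an automation client: drop an empty lastResortPool on create, rewrite it to "none" on modify. The following added example does that and recognises the 400 response quoted in the report so a caller can retry; it is example code written for this page, not F5's iControl REST client or API code. normalize_wideip_body() and is_empty_last_resort_error() are hypothetical helper names, and the request and error bodies are constructed from the text above.

```python
import json
from typing import Any, Dict

# Added example (not F5 code): client-side handling of the iControl REST
# validation error described in ID 1011285. Helper names are hypothetical;
# the sample error body is a constructed copy of the one in the report.

EMPTY_LAST_RESORT_API_ERROR = 26214401  # apiError value quoted in the report


def normalize_wideip_body(body: Dict[str, Any], method: str) -> Dict[str, Any]:
    """Return a copy of *body* that affected BIG-IP versions will accept.

    POST (create):  an empty lastResortPool is dropped; omitting the property
                    leaves the wide IP without a last-resort pool.
    PATCH (modify): an empty lastResortPool is taken to mean "clear it" and is
                    rewritten to the string "none", the value the API accepts
                    for that purpose.
    A non-empty value (an actual pool reference) passes through unchanged.
    Treating None the same as "" is this example's choice, not API behaviour.
    """
    method = method.upper()
    if method not in ("POST", "PATCH"):
        raise ValueError("only POST and PATCH are handled here, got %r" % method)
    out = dict(body)
    if "lastResortPool" in out and out["lastResortPool"] in ("", None):
        if method == "POST":
            del out["lastResortPool"]
        else:
            out["lastResortPool"] = "none"
    return out


def is_empty_last_resort_error(response_text: str) -> bool:
    """Recognise the 400 validation error from a raw response body, so a
    client can retry once with a normalized payload instead of failing."""
    try:
        err = json.loads(response_text)
    except ValueError:
        return False
    return (
        isinstance(err, dict)
        and err.get("code") == 400
        and err.get("apiError") == EMPTY_LAST_RESORT_API_ERROR
        and "last-resort-pool" in str(err.get("message", ""))
    )


# Constructed copy of the error body shown in the report.
SAMPLE_ERROR_RESPONSE = json.dumps({
    "code": 400,
    "message": '"last-resort-pool" requires a value',
    "errorStack": [],
    "apiError": 26214401,
})


if __name__ == "__main__":
    create = {"name": "www.example.com", "lastResortPool": ""}
    print(json.dumps(normalize_wideip_body(create, "POST")))
    print(json.dumps(normalize_wideip_body({"lastResortPool": ""}, "PATCH")))
    print(is_empty_last_resort_error(SAMPLE_ERROR_RESPONSE))
```

Run the normalizer on every wide IP body before sending it rather than only after a 400, since the rejected request is not applied at all and a partially applied PATCH is not a concern here.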
1011069-5 : Group/User R/W permissions should be changed for .pid and .cfg files.
Component: Application Security Manager
Symptoms:
The following files are world-writable and should be set to more restrictive permissions:
/etc/ts/dcc/dcc.cfg (-rw-rw--w-)
/run/asmcsd.pid (-rw-rw--w-)
/run/bd.pid (-rw-rw--w-)
/run/dcc.pid (-rw-rw--w-)
/run/pabnagd.pid (-rw-rw--w-)
Conditions:
Always
Impact:
Incorrect file permissions.
Workaround:
chmod 664 <files_list>
Fix:
The corrected permissions 664 are applied to the given list of files.
Fixed Versions:
13.1.5
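The permissions quoted above (-rw-rw--w-, i.e. 0662) grant write access to every local user, and the fix only needs to clear that one bit. The following added example audits the listed paths for the world-writable bit and applies the 0664 fix only where it is actually needed, leaving already-correct files untouched and reporting absent .pid files rather than failing on them. It is example code written for this page, not F5's fix; demo() recreates the file layout under a temporary directory so the check can be exercised off-box.

```python
import os
import stat
import tempfile
from typing import Dict, Iterable, List

# Added example (not F5 code): audit the ASM files named in ID 1011069 for the
# world-writable bit carried by -rw-rw--w- (0662) and apply the 0664 fix only
# where needed. On a BIG-IP you would pass ASM_FILES directly; demo() builds a
# scratch copy of the layout so the logic can be run anywhere.

ASM_FILES = [
    "/etc/ts/dcc/dcc.cfg",
    "/run/asmcsd.pid",
    "/run/bd.pid",
    "/run/dcc.pid",
    "/run/pabnagd.pid",
]
REPORTED_MODE = 0o662  # -rw-rw--w-
TARGET_MODE = 0o664    # -rw-rw-r--


def audit(paths: Iterable[str], fix: bool = False) -> Dict[str, List[str]]:
    """Classify each path; with fix=True chmod world-writable files to 0664.

    Only files that are actually world-writable are modified, so a file that
    already has the correct mode is never touched. Missing files are reported
    rather than treated as errors (.pid files exist only while the daemon runs).
    os.stat follows symlinks, which is what chmod does as well.
    """
    report: Dict[str, List[str]] = {"world_writable": [], "fixed": [], "missing": [], "ok": []}
    for path in paths:
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            report["missing"].append(path)
            continue
        if mode & stat.S_IWOTH:
            report["world_writable"].append(path)
            if fix:
                os.chmod(path, TARGET_MODE)
                report["fixed"].append(path)
        else:
            report["ok"].append(path)
    return report


def demo() -> Dict[str, object]:
    """Recreate the reported files with mode 0662 in a scratch directory, add
    one already-correct file and one missing path, run the audit with and
    without fix, and summarise the outcome."""
    with tempfile.TemporaryDirectory() as root:
        bad = []
        for rel in ASM_FILES:
            path = os.path.join(root, rel.lstrip("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, REPORTED_MODE)
            bad.append(path)
        good = os.path.join(root, "run", "already_fine.pid")
        open(good, "w").close()
        os.chmod(good, TARGET_MODE)
        missing = os.path.join(root, "run", "not_running.pid")
        everything = bad + [good, missing]

        before = audit(everything)
        fixed = audit(everything, fix=True)
        after = audit(everything)
        return {
            "bad_before": len(before["world_writable"]),
            "fixed": len(fixed["fixed"]),
            "bad_after": len(after["world_writable"]),
            "missing": len(after["missing"]),
            "modes_after": sorted({oct(stat.S_IMODE(os.stat(p).st_mode)) for p in bad + [good]}),
        }


if __name__ == "__main__":
    print(demo())
```

Run audit(ASM_FILES) first without fix=True to see what would change; the report's "ok" list confirms which files the fix will leave alone.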
1011061-5 : Certain attack signatures may not match in multipart content
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM may not correctly detect attack signatures.
Conditions:
- ASM provisioned
- Request contains a specially-crafted multipart body
Impact:
Attack detection is not triggered as expected.
Workaround:
None
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1010393-2 : Unable to relax AS-path attribute in multi-path selection
Links to More Info: BT1010393
Component: TMOS
Symptoms:
In BIG-IP versions where ID933461 (https://cdn.f5.com/product/bugtracker/ID933461.html) is fixed, you are unable to relax AS-path attribute in multi-path selections.
Conditions:
BGP multi-path routes with different AS_PATH attributes.
Impact:
Some routes might not be considered as multipath. ECMP routes are not installed properly.
Workaround:
Consider using 'bgp bestpath as-path ignore' or alter the AS_PATH attribute upstream.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
1008269-5 : Error: out of stack space
Links to More Info: BT1008269
Component: TMOS
Symptoms:
When polling for profile statistics via iControl REST, the BIG-IP system returns an error:
Error: out of stack space
Conditions:
Polling stats via iControl REST.
Impact:
You are intermittently unable to get stats via iControl REST.
Workaround:
None
Fixed Versions:
13.1.5
1008017-3 : Validation failure on Enforce TLS Requirements and TLS Renegotiation
Links to More Info: BT1008017
Component: Local Traffic Manager
Symptoms:
The configuration load fails with an error:
err mcpd[4182]: 0107186b:3: Invalid "enforce-tls-requirements" value for profile /prod/my_profile. In Virtual Server (/common/my_virtual_server) an http2 profile with enforce-tls-requirements enabled is incompatible with client-ssl/server-ssl profile with renegotiation enabled. Value must be disabled.
Conditions:
The BIG-IP system allows this configuration to be created, but the load fails later:
-- Virtual server with HTTP/2, HTTP, and client SSL profiles (with renegotiation disabled).
1. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile (by default it is enabled).
2. Add server SSL profile with 'TLS Renegotiation' enabled.
3. Save the configuration.
4. Load the configuration.
Impact:
The configuration will not load if saved.
Workaround:
If enabling 'Enforce TLS Requirements' in a HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in the Server SSL profiles on that virtual server.
Fix:
There is now a validation check to prevent this configuration, which is the correct functionality.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1007629-3 : APM policy configured with many ACL policies can create APM memory pressure
Links to More Info: BT1007629
Component: Access Policy Manager
Symptoms:
High APM memory usage even in idle state when no traffic is flowing.
Conditions:
APM policies configured with resource assignment agents that have ACL policies configured. The idle-state memory usage is proportional to the number of resource assignment agents and ACL policies configured.
Impact:
If the idle-state memory usage of APM is high, less memory is available during traffic flow, which can lead to OOM crashes and failover.
Workaround:
None
Fix:
APM policy configured with many ACL policies no longer creates APM memory pressure.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1
1005433-1 : LTM Pool Members may not be updated accurately when multiple identical database monitors are configured
Links to More Info: BT1005433
Component: Local Traffic Manager
Symptoms:
When two or more database monitors (MSSQL, MySQL, PostgreSQL, Oracle) with identical 'send' and 'recv' strings are configured and applied to different LTM pools (with at least one pool member in each), the monitor status of some LTM pool members may not be correct.
Other parameters of the affected monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause LTM pool members using one of the affected monitors to connect to the same database to be marked UP, while LTM pool members using another affected monitor may be marked DOWN.
As a result of this issue, LTM pool members that should be marked UP or DOWN by the configured monitor may instead be marked according to another affected monitor's configuration, resulting in the affected LTM pool members being intermittently marked with an incorrect state.
After the next monitor ping interval, affected LTM pool members may be marked with the correct state.
Conditions:
This may occur when multiple database monitors (MSSQL, MySQL, PostgreSQL, Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different LTM pools/members.
For example:
ltm monitor mysql mysql_monitor1 {
    ...
    recv none
    send "select version();"
    ...
}
ltm monitor mysql mysql_monitor2 {
    ...
    recv none
    send "select version();"
    ...
}
Impact:
Monitored LTM pool members using a database monitor (MSSQL, MySQL, PostgreSQL, Oracle) randomly go offline/online.
Workaround:
To avoid this issue, configure each database monitor with values that make the combined parameters unique by changing either the 'send' or the 'recv' parameters, or both.
For example:
ltm monitor mysql mysql_monitor1 {
    ...
    recv none
    send "select version();"
    ...
}
ltm monitor mysql mysql_monitor2 {
    ...
    recv 5.7
    send "select version();"
    ...
}
Fix:
The system now correctly updates LTM pool members when multiple identical database monitors are configured.
Fixed Versions:
13.1.5, 14.1.4.5
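Before upgrading, the colliding configuration above can be found in a saved or exported tmsh configuration rather than discovered from flapping pool members. The following added example scans tmsh-style text for database monitors that share a send/recv pair and reports each group, so the workaround (make one of the pair distinct) can be applied ahead of time. It is example code written for this page, not an F5 tool; the parser assumes monitor blocks contain no nested braces, as in the report's own example, and the sample configuration is constructed rather than taken from a live system.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Added example (not F5 code): find database monitors whose send/recv pair
# collide, the condition behind ID 1005433. Assumes monitor blocks have no
# nested braces; SAMPLE_CONFIG below is constructed for this example.

DB_MONITOR_TYPES = ("mssql", "mysql", "postgresql", "oracle")

_BLOCK_RE = re.compile(
    r"^ltm monitor (?P<type>%s) (?P<name>\S+) \{\n(?P<body>.*?)^\}" % "|".join(DB_MONITOR_TYPES),
    re.S | re.M,
)
# Matches 'send "select version();"' or 'recv none'; values may be quoted or bare.
# 'recv-row' / 'recv-column' do not match because a hyphen follows the keyword.
_ATTR_RE = re.compile(r'^\s*(?P<key>send|recv)\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))\s*$', re.M)


def parse_db_monitors(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {monitor_name: {"type", "send", "recv"}}; absent send/recv means 'none'."""
    monitors = {}
    for block in _BLOCK_RE.finditer(config_text):
        attrs = {"type": block.group("type"), "send": "none", "recv": "none"}
        for attr in _ATTR_RE.finditer(block.group("body")):
            value = attr.group("quoted")
            attrs[attr.group("key")] = value if value is not None else attr.group("bare")
        monitors[block.group("name")] = attrs
    return monitors


def find_colliding_monitors(config_text: str) -> List[List[str]]:
    """Group database monitors by (send, recv) and return every group of two
    or more names. Monitor type is deliberately ignored so the check errs on
    the side of reporting; a reported pair is then reviewed by hand."""
    groups = defaultdict(list)
    for name, attrs in parse_db_monitors(config_text).items():
        groups[(attrs["send"], attrs["recv"])].append(name)
    return sorted(names for names in groups.values() if len(names) > 1)


# Constructed sample: monitor1 and monitor2 collide; monitor3 applies the
# documented workaround (a distinct recv string) and is not reported.
SAMPLE_CONFIG = """\
ltm monitor mysql mysql_monitor1 {
    database appdb
    interval 10
    recv none
    send "select version();"
    timeout 31
    username app_ro
}
ltm monitor mysql mysql_monitor2 {
    database appdb
    interval 10
    recv none
    send "select version();"
    timeout 31
    username app_ro
}
ltm monitor mysql mysql_monitor3 {
    database appdb
    recv 5.7
    send "select version();"
    username app_ro
}
ltm pool app_pool {
    members {
        db1:3306 {
            address 10.10.20.1
        }
    }
    monitor mysql_monitor1
}
"""


if __name__ == "__main__":
    for group in find_colliding_monitors(SAMPLE_CONFIG):
        print("identical send/recv:", ", ".join(group))
```

Feed it the output of "tmsh list ltm monitor" saved to a file; monitors that inherit send or recv from a parent via defaults-from are not expanded by this parser, so resolve those by hand.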
1004929-3 : During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid.
Links to More Info: BT1004929
Component: TMOS
Symptoms:
While receiving a config sync operation, mcpd on a secondary blade may restart, logging:
err mcpd[6383]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020012:3: A unsigned four-byte integer message item is invalid.... failed validation with error 16908306
Conditions:
-- A VIPRION system (or cluster-based vCMP guest) with more than one blade processes a full configuration load, e.g., as a result of running "tmsh load sys config" or receiving a full-load config sync from a peer BIG-IP.
-- The system generates a large number of warning messages during a configuration load, whose total length is larger than 65,535 bytes.
These warnings can be seen in the output of "tmsh load sys config" or "tmsh load sys config verify", or are logged under message ID 01071859.
An example of such a warning is:
SSLv2 is no longer supported and has been removed. The 'sslv2' keyword in the cipher string of the ssl profile (/Common/ssl-profile-1) has been ignored.
Impact:
MCPD on secondary blades restart. Those blades are inoperative while services restart.
Workaround:
Address the warnings reported by the system.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5
1004417-2 : Provisioning error message during boot up ★
Links to More Info: BT1004417
Component: TMOS
Symptoms:
Error message in /var/log/ltm:
Could not retrieve DB variable for (provision.datastor)
Conditions:
Upgrade BIG-IP software from version 12.x to version 13.x or higher.
Impact:
The error message is logged after the first boot after the upgrade. There is no impact on functionality and the error message can be ignored.
Workaround:
None
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
1004069-3 : Brute force attack is detected too soon
Links to More Info: BT1004069
Component: Application Security Manager
Symptoms:
A Brute force attack is detected too soon.
Conditions:
The login page has the expected header validation criteria.
Impact:
The attack is detected earlier than the setpoint.
Workaround:
N/A
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2
1003257-2 : ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected
Links to More Info: BT1003257
Component: TMOS
Symptoms:
ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' commands are not working properly. The address is always set to interface-configured global/local addresses respectively.
Conditions:
Using BGPv4 with IPv6 capability extension and a route-map with 'set ipv6 next-hop' and/or 'set ipv6 next-hop local' configuration.
Impact:
Wrong next-hop is advertised.
Workaround:
None.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1002809-5 : OSPF vertex-threshold should be at least 100
Links to More Info: BT1002809
Component: TMOS
Symptoms:
OSPF vertex-threshold should be at least 100, but you are able to set it to any number between 0 and 10000000.
Conditions:
-- Using OSPFv2/OSPFv3
-- Configuring the vertex-threshold setting
Impact:
When the setting is less than the default of 100, routes may not be installed properly.
Workaround:
Ensure that vertex-threshold is set to 100 (default) or above.
Fixed Versions:
13.1.5
1002557-4 : Tcl free object list growth
Links to More Info: BT1002557
Component: Access Policy Manager
Symptoms:
Apmd memory usage grows over time when a single agent with a Tcl object is shared across multiple threads.
Conditions:
This is encountered in APM environments when passing traffic.
Impact:
Tcl free object list grows and apmd memory usage increases over time.
Workaround:
None
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1
1002109-5 : Xen binaries do not follow security best practices
Links to More Info: BT1002109
Component: TMOS
Symptoms:
The following xen* binaries have multiple violations of security best practices:
/usr/bin/xenstore
/usr/bin/xenstore-exists
/usr/bin/xenstore-ls
/usr/bin/xenstore-read
/usr/bin/xenstore-rm
/usr/bin/xenstore-watch
/usr/bin/xenstore-chmod
/usr/bin/xenstore-list
/usr/bin/xenstore-write
Conditions:
The violations can be seen on BIG-IP by running the following script:
https://github.com/slimm609/checksec.sh
Impact:
The issue leads to violations of security best practices.
Fix:
Fixed an issue with certain xen* binaries.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4
1000973-1 : Unanticipated restart of TMM due to heartbeat failure
Links to More Info: BT1000973
Component: TMOS
Symptoms:
A tmm thread might stall while yielding the CPU, and trigger a failsafe restart of the tmm process. A core file might be generated without any message logged in /var/log/*.
High resolution timers (hrtimer) may be lost.
Conditions:
This occurs when data in kernel hrtimer module is corrupted by a kernel bug, so a tmm thread may fail to wake at the appropriate time after having entered a planned short sleep.
The precise details in this particular case are not knowable.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Very rarely, the restart might take a long time, in which case there is no mitigation except to wait for the operation to complete.
Alternatively, the unit might remain offline, in which case rebooting the system is the better option.
Fix:
Fixed kernel issue that led to an unanticipated restart of tmm due to heartbeat failure.
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
Known Issues in BIG-IP v13.1.x
TMOS Issues
| ID Number | Severity | Links to More Info | Description |
| 970269 | 1-Blocking | BT970269 | Install fails as lind keeps failing due to "Fatal error: block id new probe failed - device file:/dev/cdrom" ★ |
| 809553-3 | 1-Blocking | BT809553 | ONAP Licensing - Cipher negotiation fails |
| 778317-3 | 1-Blocking | BT778317 | IKEv2 HA after Standby restart has race condition with config startup |
| 698085 | 1-Blocking | BT698085 | Transparent mode VLAN group may not work on vCMP guests |
| 1050969-3 | 1-Blocking | BT1050969 | After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid |
| 990853-5 | 2-Critical | BT990853 | Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway. |
| 976669-4 | 2-Critical | BT976669 | FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade |
| 957337-5 | 2-Critical | BT957337 | Tab complete in 'mgmt' tree is broken |
| 950673-1 | 2-Critical | BT950673 | Hardware Syncookie mode not cleared when deleting/changing virtual server config. |
| 944513-5 | 2-Critical | BT944513 | Apache configuration file hardening |
| 943109-5 | 2-Critical | BT943109 | Mcpd crash when bulk deleting Bot Defense profiles |
| 942549-4 | 2-Critical | BT942549 | Dataplane INOPERABLE - Only 7 HSBs found. Expected 8 |
| 941893-1 | 2-Critical | BT941893 | VE performance tests in Azure causes loss of connectivity to objects in configuration |
| 929133-4 | 2-Critical | BT929133 | TMM continually restarts with errors 'invalid index from net device' and 'device_init failed' |
| 871561-1 | 2-Critical | BT871561 | Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)' ★ |
| 860349-4 | 2-Critical | BT860349 | Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication |
| 854493-2 | 2-Critical | BT854493 | Kernel page allocation failures messages in kern.log |
| 841953-3 | 2-Critical | BT841953 | A tunnel can be expired when going offline, causing tmm crash |
| 837637-4 | 2-Critical | K02038650 , BT837637 | Orphaned bigip_gtm.conf can cause config load failure after upgrading ★ |
| 831821-5 | 2-Critical | BT831821 | Corrupted DAG packets causes bcm56xxd core on VCMP host |
| 819009-1 | 2-Critical | BT819009 | Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in high availability (HA) config with Floating Self IP configured for PIM protocol. |
| 817085-2 | 2-Critical | BT817085 | Multicast Flood Can Cause the Host TMM to Restart |
| 809089-3 | 2-Critical | BT809089 | TMM crash after sessiondb ref_cnt overflow |
| 808129-3 | 2-Critical | BT808129 | Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS. |
| 780437-4 | 2-Critical | BT780437 | Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration. |
| 777993-3 | 2-Critical | BT777993 | Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same |
| 777389-4 | 2-Critical | BT777389 | In rare occurrences related to PostgreSQL monitor, the mcpd process restarts |
| 777229-2 | 2-Critical | BT777229 | IPsec improvements to internal pfkey messaging between TMMs on multi-blade |
| 776393-5 | 2-Critical | BT776393 | Restjavad restarts frequently due to insufficient memory with relatively large configurations |
| 776117-4 | 2-Critical | BT776117 | BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type |
| 774361-3 | 2-Critical | BT774361 | IPsec High Availability sync during multiple failover via RFC6311 messages |
| 770953-4 | 2-Critical | BT770953 | 'smbclient' executable does not work |
| 769341-3 | 2-Critical | BT769341 | HA failover deletes outstanding IKEv2 SAs along with IKEv1 SAs |
| 767877-1 | 2-Critical | BT767877 | TMM core with Bandwidth Control on flows egressing on a VLAN group |
| 758929-4 | 2-Critical | BT758929 | Bcm56xxd MIIM bus access failure |
| 758604-3 | 2-Critical | BT758604 | Deleting a port from a single-port trunk does not work. |
| 756830-4 | 2-Critical | BT756830 | BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict' |
| 755716-3 | 2-Critical | BT755716 | IPsec connection can fail if connflow expiration happens before IKE encryption |
| 749249-2 | 2-Critical | BT749249 | IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP |
| 746464-3 | 2-Critical | BT746464 | MCPD sync errors and restart after multiple modifications to file object in chassis |
| 746122-2 | 2-Critical | BT746122 | 'load sys config verify' resets the active master key to the on-disk master key value |
| 743271-3 | 2-Critical | BT743271 | Querying vCMP Health Status May Show Stale Statistics |
| 742764-4 | 2-Critical | BT742764 | If two racoon daemons are spawned on startup, one fails and cores. |
| 742419-1 | 2-Critical | BT742419 | BIG-IP NIC teaming of SR-IOV interfaces does not work under VMware ESXi |
| 740994-1 | 2-Critical | BT740994 | AWS pool member discovery (f5-iAppLX-aws-autoscale) does not work |
| 737692-1 | 2-Critical | BT737692 | Handle x520 PF DOWN/UP sequence automatically by VE |
| 737055-2 | 2-Critical | BT737055 | Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy |
| 715511-1 | 2-Critical | BT715511 | Span-port IFP rule shouldn't be created if no span port is configured |
| 714281-2 | 2-Critical | BT714281 | NSH tunnel reject inner packet from other vendor |
| 705730-1 | 2-Critical | K31992159 , BT705730 | Config fails to load due to invalid SSL cipher after upgrade from v13.1.0 &start; |
| 704681-2 | 2-Critical | BT704681 | Kernel panic with mcpd or system shutdown |
| 698931-2 | 2-Critical | BT698931 | Corrupted SessionDB messages causes TMM to crash |
| 693206 | 2-Critical | BT693206 | iSeries LCD screen is frozen on a red spinning 'please wait' indicator |
| 671545 | 2-Critical | BT671545 | MCPD core while booting up device with error "Unexpected exception caught" |
| 593536-6 | 2-Critical | K64445052 , BT593536 | Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations |
| 382363-6 | 2-Critical | K30588577 | min-up-members and using gateway-failsafe-device on the same pool. |
| 1077789-1 | 2-Critical | BT1077789 | System might become unresponsive after upgrading. &start; |
| 1076921-4 | 2-Critical | BT1076921 | Log hostname should be consistent when it contains ' . ' |
| 1065041-1 | 2-Critical | BT1065041 | Web Application shows 'Not Found' in GUI. |
| 1048853-3 | 2-Critical | BT1048853 | "IKE VBUF" memory leak debug. |
| 1041865-1 | 2-Critical | BT1041865 | Correctable machine check errors [mce] should be suppressed |
| 1035121-2 | 2-Critical | BT1035121 | Configsync syncs the node's monitor status |
| 1012493-2 | 2-Critical | BT1012493 | Systemauth.primaryadminuser set to anything but 'admin' causes internal error for mcp-state check |
| 998957-5 | 3-Major | BT998957 | Mcpd consumes excessive CPU while collecting stats. |
| 997561-1 | 3-Major | BT997561 | TMM CPU imbalance with GRE/TB and GRE/MPLS traffic |
| 997541-1 | 3-Major | BT997541 | Round-robin GRE Disaggregator for hardware and software |
| 995605-4 | 3-Major | BT995605 | PVA accelerated traffic does not update route domain stats |
| 994365-5 | 3-Major | BT994365 | Inconsistency in tmsh 'object mode' for some configurations |
| 994361 | 3-Major | BT994361 | Updatecheck script hangs/Multiple updatecheck processes |
| 992813-4 | 3-Major | BT992813 | The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations. |
| 992053-5 | 3-Major | BT992053 | Pva_stats for server side connections do not update for redirected flows |
| 988745-1 | 3-Major | BT988745 | On reboot, 'could not find platform object' errors may be seen in /var/log/ltm |
| 987081-5 | 3-Major | BT987081 | Alarm LED remains active on Secondary blades even after LCD alerts are cleared |
| 981485-2 | 3-Major | BT981485 | Neurond enters a restart loop after FPGA update. |
| 977953-4 | 3-Major | BT977953 | Show running config interface CLI could not fetch the interface info and crashes the imi |
| 976013-2 | 3-Major | BT976013 | If bcm56xxd starts while an interface is disabled, the interface cannot be enabled afterwards |
| 972785-3 | 3-Major | BT972785 | Unable to create virtual server with a non-zero Route Domain for custom partition via iControl SOAP |
| 967557-4 | 3-Major | BT967557 | Improve apm logging when loading sys config fails due to corruption of epsec rpm database |
| 966949-4 | 3-Major | BT966949 | Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node |
| 965941-4 | 3-Major | BT965941 | Creating a net packet filter in the GUI does not work for ICMP for IPv6 |
| 964125-4 | 3-Major | BT964125 | Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members. |
| 960029-4 | 3-Major | BT960029 | Viewing properties for IPv6 pool members in the Statistics page in the GUI returns an error |
| 959057-1 | 3-Major | BT959057 | Unable to create additional login tokens for the default admin user account |
| 958465-4 | 3-Major | BT958465 | In BIG-IP Virtual Edition, TMM may prematurely shut down during initialization |
| 953477-5 | 3-Major | BT953477 | Syncookie HW mode not cleared when modifying VLAN config. |
| 950849-1 | 3-Major | BT950849 | B4450N blades report page allocation failure. &start; |
| 948601-5 | 3-Major | | File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GU |
| 945265-2 | 3-Major | BT945265 | BGP may advertise default route with incorrect parameters |
| 943669-3 | 3-Major | BT943669 | B4450 blade reboot |
| 943653-4 | 3-Major | BT943653 | Allow 32-bit processes to use larger area of virtual address space |
| 939541-4 | 3-Major | BT939541 | TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE |
| 936093-4 | 3-Major | BT936093 | Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline |
| 935801-2 | 3-Major | BT935801 | HSB diagnostics are not provided under certain types of failures |
| 933329-4 | 3-Major | BT933329 | The process plane statistics do not accurately label some processes |
| 931629-3 | 3-Major | BT931629 | External trunk fdb entries might end up with internal MAC addresses. |
| 930825-2 | 3-Major | BT930825 | System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors |
| 928697-4 | 3-Major | BT928697 | Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT |
| 928389-5 | 3-Major | BT928389 | GUI becomes inaccessible after importing certificate under import type 'certificate' |
| 925797-4 | 3-Major | BT925797 | Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pools members |
| 922613-4 | 3-Major | BT922613 | Tunnels using autolasthop might drop traffic with ICMP route unreachable |
| 922153-6 | 3-Major | BT922153 | Tcpdump is failing on tmm 0.x interfaces |
| 921149-3 | 3-Major | BT921149 | After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy |
| 921121-2 | 3-Major | BT921121 | Tmm crash with iRule and a PEM Policy with BWC Enabled |
| 920761-4 | 3-Major | BT920761 | Changing a virtual server type in the GUI may change some options; changing back to the original type does not restore original values |
| 920517-4 | 3-Major | BT920517 | Rate Shaping Rate Class 'Queue Method' and 'Drop Policy' defaults are incorrect in the GUI |
| 919401-4 | 3-Major | BT919401 | Disallow adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in TMSH when ICAP is not licensed |
| 919185-5 | 3-Major | BT919185 | Request adapt and response adapt profile options should not be available in the GUI when ICAP is not licensed |
| 915557-5 | 3-Major | BT915557 | The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status. |
| 915493-2 | 3-Major | BT915493 | imish command hangs when ospfd is enabled |
| 914081-4 | 3-Major | BT914081 | Engineering Hotfixes missing bug titles |
| 909197-1 | 3-Major | BT909197 | The mcpd process may become unresponsive |
| 908453-1 | 3-Major | BT908453 | Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly |
| 907549-4 | 3-Major | BT907549 | Memory leak in BWC::Measure |
| 906505-5 | 3-Major | BT906505 | Display of LCD System Menu cannot be configured via GUI on iSeries platforms |
| 905749-3 | 3-Major | BT905749 | imish crash while checking for CLI help string in BGP mode |
| 904401-3 | 3-Major | BT904401 | Guestagentd core |
| 901989-5 | 3-Major | BT901989 | Boot_marker writes to /var/log/btmp |
| 901669-1 | 3-Major | BT901669 | Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. |
| 900933-5 | 3-Major | BT900933 | IPsec interoperability problem with ECP PFS |
| 900485-5 | 3-Major | BT900485 | Syslog-ng 'program' filter does not work |
| 899933-5 | 3-Major | BT899933 | Listing property groups in TMSH without specifying properties lists the entire object |
| 899085-3 | 3-Major | BT899085 | Configuration changes made by Certificate Manager role do not trigger saving config |
| 898461-5 | 3-Major | BT898461 | Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context' |
| 898389-4 | 3-Major | BT898389 | Traffic is not classified when adding port-list to virtual server from GUI |
| 895845-2 | 3-Major | BT895845 | Implement automatic conflict resolution for gossip-conflicts in REST |
| 895781-4 | 3-Major | BT895781 | Round Robin disaggregation does not disaggregate globally |
| 892445-5 | 3-Major | BT892445 | BWC policy names are limited to 128 characters |
| 891337-4 | 3-Major | BT891337 | 'save_master_key(master): Not ready to save yet' errors in the logs |
| 891221-5 | 3-Major | BT891221 | Router bgp neighbor password CLI help string is not helpful |
| 888525 | 3-Major | BT888525 | MAC filter setting failure in ixvf driver leaves the vaddr hash empty |
| 888081-2 | 3-Major | BT888081 | BIG-IP VE Migration feature fails for 1NIC |
| 886689-3 | 3-Major | BT886689 | Generic Message profile cannot be used in SCTP virtual |
| 886649-4 | 3-Major | BT886649 | Connections stall when dynamic BWC policy is changed via GUI and TMSH |
| 884729-5 | 3-Major | BT884729 | The vCMP CPU usage stats are incorrect |
| 883149-5 | 3-Major | BT883149 | The fix for ID 439539 can cause mcpd to core. |
| 882609-6 | 3-Major | BT882609 | ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back |
| 880689-4 | 3-Major | BT880689 | Update oprofile tools for compatibility with current architecture |
| 880473-4 | 3-Major | BT880473 | Under certain conditions, the virtio driver may core during shutdown |
| 880133 | 3-Major | BT880133 | During BIG-IP boot, hyper-v driver installation throws error messages on console |
| 880013-4 | 3-Major | BT880013 | Config load fails after changing the BIG-IP Master key which has an encrypted key in its configuration |
| 879969-2 | 3-Major | BT879969 | FQDN node resolution fails if DNS response latency >5 seconds |
| 879001-4 | 3-Major | BT879001 | LDAP data is not updated consistently which might affect authentication. |
| 877145-5 | 3-Major | BT877145 | Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException |
| 874857 | 3-Major | BT874857 | Hardware-accelerated connections might not be removed from ePVA on transition to standby |
| 871705-3 | 3-Major | BT871705 | Restarting bigstart shuts down the system |
| 867793-4 | 3-Major | BT867793 | BIG-IP sending the wrong trap code for BGP peer state |
| 867249-4 | 3-Major | BT867249 | New SNMP authentication type and privacy protocol algorithms not available in UI |
| 865177 | 3-Major | BT865177 | Cert-LDAP returning only first entry in the sequence that matches san-other oid |
| 862693-4 | 3-Major | BT862693 | PAM_RHOST not set when authenticating BIG-IP using iControl REST |
| 862525-6 | 3-Major | | GUI Browser Cache Timeout option is not available via tmsh |
| 858769-2 | 3-Major | K82498430 , BT858769 | Net-snmp library must be upgraded to 5.8 in order to support SHA-2 |
| 853617-4 | 3-Major | BT853617 | Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles |
| 852565-1 | 3-Major | BT852565 | On Device Management::Overview GUI page, device order changes |
| 851837-4 | 3-Major | BT851837 | Mcpd fails to start for single NIC VE devices configured in a trust domain |
| 850193-1 | 3-Major | BT850193 | Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues |
| 847157 | 3-Major | BT847157 | TCP connection is not established for ICAP server |
| 844925-1 | 3-Major | BT844925 | Command 'tmsh save /sys config' fails to save the configuration and hangs |
| 843661-4 | 3-Major | BT843661 | TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command |
| 842901-5 | 3-Major | BT842901 | Improve fast failover of PIM-DM-based multicast traffic when BIG-IP is deployed as an Active/Standby HA pair. |
| 841721-5 | 3-Major | BT841721 | BWC::policy detach appears to run, but BWC control is still enabled |
| 841649-1 | 3-Major | BT841649 | Hardware accelerated connection mismatch resulting in tmm core |
| 841277-3 | 3-Major | BT841277 | C4800 LCD fails to load after annunciator hot-swap |
| 838425-1 | 3-Major | BT838425 | Tmrouted on a multi-blade system might generate a core during system shutdown |
| 838337-5 | 3-Major | BT838337 | The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST. |
| 838297-5 | 3-Major | BT838297 | Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication |
| 827293-1 | 3-Major | BT827293 | TMM may crash running remote tcpdump |
| 827209-1 | 3-Major | BT827209 | HSB transmit lockup on i4600 |
| 827021-4 | 3-Major | BT827021 | MCP update message may be lost when primary blade changes in chassis |
| 826313-2 | 3-Major | BT826313 | Error: Media type is incompatible with other trunk members &start; |
| 826265-2 | 3-Major | BT826265 | The SNMPv3 engineBoots value restarts at 1 after an upgrade |
| 825445 | 3-Major | BT825445 | Using broadcast or subnet address as self IP may cause interruption during config sync |
| 824809-2 | 3-Major | BT824809 | bcm56xxd watchdog restart |
| 824681 | 3-Major | BT824681 | Invalid volume name, clusterd error at boot time &start; |
| 819457-5 | 3-Major | BT819457 | LTM high availability (HA) sync should not sync GTM zone configuration |
| 819261-2 | 3-Major | BT819261 | Log HSB registers when parts of the device becomes unresponsive |
| 818505-5 | 3-Major | BT818505 | Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
| 814353-2 | 3-Major | BT814353 | Pool member silently changed to user-disabled from monitor-disabled |
| 814273-4 | 3-Major | BT814273 | Multicast route entries are not populating to tmm after failover |
| 814053-5 | 3-Major | BT814053 | Under heavy load, bcm56xxd can be killed by the watchdog |
| 812929-4 | 3-Major | BT812929 | mcpd may core when resetting a DSC connection |
| 812493-5 | 3-Major | BT812493 | When engineID is reconfigured, snmp and alert daemons must be restarted &start; |
| 811053-4 | 3-Major | BT811053 | REBOOT REQUIRED prompt appears after failover and clsh reboot |
| 811041-3 | 3-Major | BT811041 | Out of shmem, increment amount in /etc/ha_table/ha_table.conf |
| 810957-4 | 3-Major | BT810957 | Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core |
| 810613-4 | 3-Major | BT810613 | GUI Login History hides informative message about max number of lines exceeded |
| 809509-2 | 3-Major | BT809509 | Resource Admin User unable to download UCS using Rest API. |
| 808277-2 | 3-Major | BT808277 | Root's crontab file may become empty |
| 807337-1 | 3-Major | BT807337 | Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed. |
| 806881-3 | 3-Major | BT806881 | Loading the configuration may not set the virtual server enabled status correctly |
| 806073-5 | 3-Major | BT806073 | MySQL monitor fails to connect to MySQL Server v8.0 |
| 803237-5 | 3-Major | BT803237 | PVA does not validate interface MTU when setting MSS |
| 802493 | 3-Major | BT802493 | Hardware syncookies on some hardware platforms may retrieve the wrong mss |
| 799001-5 | 3-Major | BT799001 | Sflow agent does not handle disconnect from SNMPD manager correctly |
| 798949-4 | 3-Major | BT798949 | Config-Sync fails when Config-Sync IP configured to management IP |
| 798885-1 | 3-Major | BT798885 | SNMP response times may be long when processing requests |
| 797609-3 | 3-Major | BT797609 | Creating or modifying some virtual servers to use an address or port list may result in a warning message |
| 797221-3 | 3-Major | BT797221 | BCM daemon can be killed by watchdog timeout during blade-to-blade failover |
| 796121 | 3-Major | BT796121 | Make direct task call to save UCS config results in timeout error |
| 795685-3 | 3-Major | BT795685 | Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer |
| 791061-3 | 3-Major | BT791061 | Config load in /Common removes routing protocols from other partitions |
| 790081 | 3-Major | BT790081 | Igbvf PF reset might lead to a crash |
| 789181-1 | 3-Major | BT789181 | Link Status traps are not issued on VE based BIG-IP systems |
| 788645-3 | 3-Major | BT788645 | BGP does not function on static interfaces with vlan names longer than 16 characters. |
| 787881-4 | 3-Major | BT787881 | TMSH displays TSIG keys |
| 784733 | 3-Major | BT784733 | GUI LTM Stats page freezes for large number of pools |
| 783985-1 | 3-Major | BT783985 | Grub boot entries not updated on i2600 from iControl SOAP set_boot_location call &start; |
| 782613-3 | 3-Major | BT782613 | Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp |
| 782157 | 3-Major | BT782157 | Cannot save UCS with a passphrase when unused EPSEC files are available |
| 781733-4 | 3-Major | BT781733 | SNMPv3 user name configuration allows illegal names to be entered |
| 780745-1 | 3-Major | BT780745 | TMSH allows creation of duplicate community strings for SNMP v1/v2 access |
| 776489-4 | 3-Major | BT776489 | Remote authentication attempts to resolve only LDAP host against the first three name servers configured. |
| 775845-3 | 3-Major | BT775845 | Httpd fails to start after restarting the service using the iControl REST API |
| 775797-1 | 3-Major | BT775797 | Previously deleted user account might get authenticated |
| 775733-2 | 3-Major | BT775733 | /etc/qkview_obfuscate.conf not synced across blades |
| 773577-3 | 3-Major | BT773577 | SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted |
| 773333-3 | 3-Major | BT773333 | IPsec CLI help missing encryption algorithm descriptions |
| 772497-3 | 3-Major | BT772497 | When BIG-IP is configured to use a proxy server, updatecheck fails |
| 772117-1 | 3-Major | BT772117 | Overwriting FIPS keys from the high availability (HA) peer with older config leads to abandoned key on FIPS card |
| 769029-2 | 3-Major | BT769029 | Non-admin users fail to create tmp dir under /var/system/tmp/tmsh |
| 767305-3 | 3-Major | BT767305 | If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried |
| 765969-3 | 3-Major | BT765969 | HSB register dump missing from hsb_snapshot |
| 761933-2 | 3-Major | BT761933 | Reboot with 'tmsh reboot' does not log message in /var/log/audit |
| 761753-4 | 3-Major | BT761753 | BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs |
| 761321-4 | 3-Major | BT761321 | 'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not |
| 760982-2 | 3-Major | BT760982 | An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios |
| 760932-4 | 3-Major | BT760932 | Part of audit log messages are also in other logs when strings are long |
| 760739-4 | 3-Major | BT760739 | The Nokia alert configuration is not correct for all clearing events |
| 760354-1 | 3-Major | BT760354 | Continual mcpd process restarts after removing big logs when /var/log is full |
| 760259-2 | 3-Major | BT760259 | Qkview silently fails to capture qkviews from other blades |
| 759737-1 | 3-Major | BT759737 | Control and Analysis Plane CPU usage statistics are inaccurate for single core vCMP guests |
| 759564-5 | 3-Major | BT759564 | GUI not available after upgrade |
| 759258-4 | 3-Major | BT759258 | Instances shows incorrect pools if the same members are used in other pools |
| 758516-2 | 3-Major | BT758516 | IKEv2 auth encryption is missing defensive coding that checks object validity |
| 758387-4 | 3-Major | BT758387 | BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it |
| 757787-1 | 3-Major | BT757787 | Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI. |
| 756139-4 | 3-Major | BT756139 | Inconsistent logging of hostname files when hostname contains periods |
| 754691-3 | 3-Major | BT754691 | During failover, an OSPF routing daemon may crash. |
| 753423-4 | 3-Major | BT753423 | Disabling and immediately re-enabling a slot results in that slot's interfaces being permanently removed from aggregation |
| 753001-3 | 3-Major | | mcpd can be killed if the configuration contains a very high number of nested references |
| 752994-3 | 3-Major | BT752994 | Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod |
| 751581-1 | 3-Major | BT751581 | REST API Timeout while querying large number of persistence profiles |
| 751573-2 | 3-Major | BT751573 | Updates to HSL pool members may not take effect |
| 751409-3 | 3-Major | BT751409 | MCP Validation does not detect when virtual servers differ only by overlapping VLANs |
| 751024-2 | 3-Major | BT751024 | i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd |
| 749011-5 | 3-Major | BT749011 | Datasync may start background tasks during high disk IO utilization |
| 748443-2 | 3-Major | BT748443 | HiGig MAC recovery mechanism may fail continuously at runtime |
| 747799-2 | 3-Major | BT747799 | 'Unable to load the certificate file' error and configuration-load failure upgrading from 11.5.4-HF2 to a later version, due to empty cert/key in client SSL profile |
| 747676-1 | 3-Major | BT747676 | Remote logging needs 'localip' to set source IP properly |
| 746873-2 | 3-Major | BT746873 | Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing |
| 746861-4 | 3-Major | BT746861 | SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated &start; |
| 746758-4 | 3-Major | BT746758 | Qkview produces core file if interrupted while exiting |
| 746657-3 | 3-Major | BT746657 | tmsh help for FQDN node or pool member shows incorrect default for fqdn interval |
| 746650 | 3-Major | BT746650 | Stale packets in HSB transmit queue causes HSB DMA lockup |
| 746333 | 3-Major | BT746333 | Setting the hostname to non-FQDN value prevents upgrade &start; |
| 744956 | 3-Major | BT744956 | High disk utilization when unused files or file objects grow in the file store folder |
| 744936 | 3-Major | BT744936 | Adding a default tmm gateway in AWS breaks failover between two instances if the default tmm gateway can't provide route to the ec2 metadata service at 169.254.169.254. |
| 744740-2 | 3-Major | BT744740 | After upgrade, dhclient overwrites configured hostname, even when 'sys management-dhcp' does not contain the 'host-name' in the request-options. &start; |
| 744520-3 | 3-Major | BT744520 | virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface |
| 743234-2 | 3-Major | BT743234 | Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons |
| 743132-4 | 3-Major | BT743132 | mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile |
| 742753-2 | 3-Major | BT742753 | Accessing the BIG-IP system's WebUI via special proxy solutions may fail |
| 741621 | 3-Major | BT741621 | CLI preference 'suppress-warnings' setting may show incorrectly |
| 740517-3 | 3-Major | BT740517 | Application Editor users are unable to edit HTTPS Monitors via the Web UI |
| 740280-1 | 3-Major | BT740280 | Configuration Utility and tmsh may not validate Certificate Authority profile names |
| 740135-3 | 3-Major | BT740135 | Traffic Group ha-order list does not load correctly after reset to default configuration |
| 739820-3 | 3-Major | BT739820 | Validation does not reject IPv6 address for TACACS auth configuration |
| 739533-4 | 3-Major | BT739533 | In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config |
| 739400 | 3-Major | BT739400 | iControl REST fails to list virtual servers |
| 739118-3 | 3-Major | BT739118 | Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration |
| 737901-2 | 3-Major | BT737901 | Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode |
| 737346-3 | 3-Major | BT737346 | After entering username and before password, the logging on user's failure count is incremented. |
| 730852-4 | 3-Major | BT730852 | The tmrouted repeatedly crashes and produces core when new peer device is added |
| 727191-5 | 3-Major | BT727191 | Invalid arguments to run sys failover do not return an error |
| 726416-2 | 3-Major | BT726416 | Physical disk HD1 not found for logical disk create |
| 725792-1 | 3-Major | BT725792 | BWC: Measure log-publisher if used might result in memory leak |
| 725668 | 3-Major | BT725668 | Licensing fails on a single-NIC device if a VLAN name other than 'internal' is used for the dataplane. |
| 725646-5 | 3-Major | BT725646 | The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly |
| 724889 | 3-Major | BT724889 | BIG-IP Virtual Edition in AWS does not failover NATs in same availability zone |
| 724706-1 | 3-Major | BT724706 | iControl REST statistics request causes CPU spike |
| 724653-4 | 3-Major | BT724653 | In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync. |
| 721806 | 3-Major | BT721806 | Traffic Policy edit to datagroup errors on adding ASM disable action |
| 721585-2 | 3-Major | BT721585 | mcpd core processing ltm monitors with deep level of inheritance |
| 721020-3 | 3-Major | BT721020 | Changes to the master key are reverted after full sync |
| 718800-2 | 3-Major | BT718800 | Cannot set a password to the current value of its encrypted password |
| 718291 | 3-Major | BT718291 | iHealth upload error does not clear |
| 718108-1 | 3-Major | BT718108 | It is not possible to core the icrd_child process if iControl REST requests were sent to the BIG-IP system using non-admin accounts |
| 716140-1 | 3-Major | BT716140 | Information in snmpd.conf files may be overwritten causing SNMP v3 queries to receive 'Unsupported security level' errors |
| 715379-1 | 3-Major | BT715379 | IKEv2 accepts asn1dn for peers-id only as file path of certificate file |
| 715115 | 3-Major | BT715115 | Application Security roles are not showing all accessible objects in GUI |
| 715061-2 | 3-Major | BT715061 | TMM may crash and produce a core file on a vCMP guest when the guest is being shut down from the host. |
| 714986-3 | 3-Major | BT714986 | Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot |
| 714216-2 | 3-Major | BT714216 | Folder in a partition may result in load sys config error |
| 712033-2 | 3-Major | BT712033 | When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name |
| 711747-4 | 3-Major | BT711747 | Vcmp_pde_state_memcpy core during http traffic and pfmand resets. |
| 710173 | 3-Major | BT710173 | TMSH dns-resolver allows route-domain from another partition |
| 709559-2 | 3-Major | BT709559 | LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name |
| 706703-1 | 3-Major | BT706703 | TMM crashes when changing virtual server's profile to FastL4 profiles while traffic flows |
| 705651-1 | 3-Major | BT705651 | Async transaction may ignore polling requests |
| 704546 | 3-Major | BT704546 | Symlinks may be corrupted by upgrade |
| 703090-4 | 3-Major | BT703090 | With many iApps configured, scriptd may fail to start |
| 701722-1 | 3-Major | BT701722 | Potential mcpd memory leak for signed iRules |
| 701341-1 | 3-Major | K52941103 , BT701341 | If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts |
| 701289-1 | 3-Major | BT701289 | Static BFD with BIG-IP floating IP address |
| 700897-1 | 3-Major | BT700897 | sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG |
| 700794-1 | 3-Major | BT700794 | Cannot replace a FIPS key with another FIPS key via tmsh |
| 698933-1 | 3-Major | BT698933 | Setting metric-type via ospf redistribute command may not work correctly |
| 698432-2 | 3-Major | BT698432 | Invalid error messages: warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10 |
| 698222-1 | 3-Major | BT698222 | Added RX latency with ixlv devices on VE after host reboot |
| 698171-2 | 3-Major | BT698171 | STP interfaces remain in block state on 40G bundled interfaces after enabling STP |
| 698038-3 | 3-Major | K05730807 , BT698038 | TACACS+ system auth file descriptor leaks when servers are unreachable |
| 698034-1 | 3-Major | BT698034 | PKCS12 file imported via Configuration utility into folder is placed at partition root |
| 698013-1 | 3-Major | K27216452 , BT698013 | TACACS+ system auth and file descriptors leak |
| 693563-1 | 3-Major | K22942093 , BT693563 | No warning when LDAP is configured with SSL but with a client certificate with no matching key &start; |
| 692371 | 3-Major | BT692371 | Unexpected Octeon, Nitrox, and/or Super IO recovery warnings in LTM log |
| 692218-4 | 3-Major | BT692218 | Audit log messages sent from the primary blade to the secondaries should not be logged. |
| 691749-1 | 3-Major | BT691749 | Delete sys connection operations cannot be part of TMSH transactions |
| 690928 | 3-Major | BT690928 | System posts error message: 01010054:3: tmrouted connection closed |
| 690259 | 3-Major | BT690259 | Benign message 'keymgmtd started' is reported at log-level alert. |
| 689567-1 | 3-Major | BT689567 | Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned |
| 688231 | 3-Major | BT688231 | Unable to set VET, AZOT, and AZOST timezones |
| 687617-1 | 3-Major | BT687617 | DHCP request-options when set to "none" are reset to defaults when loading the config. |
| 686816-1 | 3-Major | BT686816 | Link from iApps Components page to Policy Rules invalid |
| 684096-2 | 3-Major | BT684096 | stats self-link might include the oid twice |
| 683767-1 | 3-Major | BT683767 | Users are not able to complete the sync using GUI |
| 683706-3 | 3-Major | BT683706 | Pool member status remains 'checking' when manually forced down at creation |
| 681935-1 | 3-Major | BT681935 | B2000-Series Blades Low Throughput With Two-Member Trunk |
| 679061-1 | 3-Major | BT679061 | LCD stuck at the loading spinner |
| 673952-3 | 3-Major | BT673952 | 1NIC VE in high availability (HA) device-group shows 'Changes Pending' after reboot |
| 671372-4 | 3-Major | K01930721 , BT671372 | When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified. |
| 669046-3 | 3-Major | BT669046 | Handling large replies to MCP audit_request messages |
| 664017-9 | 3-Major | BT664017 | OCSP may reject valid responses |
| 662301-5 | 3-Major | BT662301 | 'Unlicensed objects' error message appears despite there being no unlicensed config |
| 661640-2 | 3-Major | BT661640 | Improve fast failover of PIM-based multicast traffic when BIG-IP is deployed as an Active/Standby high availability (HA) pair. |
| 658850-5 | 3-Major | BT658850 | Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP |
| 657834-6 | 3-Major | K45005512 , BT657834 | Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent |
| 649682-1 | 3-Major | BT649682 | 'list cm device build' data is not synchronized correctly across a device trust group |
| 648917 | 3-Major | BT648917 | Need to re-provision vCMP after upgrading to 13.1.x or later on the BIG-IP 10350F platform &start; |
| 633745 | 3-Major | BT633745 | Tmipsecd restarts on HA state transitions |
| 624016 | 3-Major | BT624016 | Traffic data stats get lost on hardware-accelerated flows when the flows are terminated earlier |
| 606032-3 | 3-Major | BT606032 | Network Failover-based high availability (HA) in AWS may fail |
| 605966-8 | 3-Major | BT605966 | BGP route-map changes may not immediately trigger route updates |
| 601220-1 | 3-Major | BT601220 | Multi-blade trunks seem to leak packets ingressed via one blade to a different blade |
| 596020-5 | 3-Major | BT596020 | Devices in a device-group may report out-of-sync after one of the devices is rebooted |
| 593361-2 | 3-Major | | The malformed MAC for inner pkt with dummy MAC for NSH with VXLAN-GPE. |
| 591305-1 | 3-Major | BT591305 | Audit log messages with "user unknown" appear on install |
| 587821-6 | 3-Major | BT587821 | vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor. |
| 584696-1 | 3-Major | BT584696 | MCP debug (/service/mcpd/debug), "Rule checker library has not been initialized" |
| 569859-1 | 3-Major | BT569859 | Password policy enforcement for root user when mcpd is not available |
| 566995-4 | 3-Major | BT566995 | bgpd might crash in rare circumstances. |
| 560429-1 | 3-Major | BT560429 | LTM iRule table set command cannot always set value of record with extremely short timeout |
| 538283-4 | 3-Major | BT538283 | iControl REST asynchronous tasks may block other tasks from running |
| 508302-1 | 3-Major | BT508302 | Auto-sync groups may revert to full sync |
| 499348-7 | 3-Major | BT499348 | System statistics may fail to update, or report negative deltas due to delayed stats merging. |
| 493740-1 | 3-Major | BT493740 | tmsh allows cipher group creation with non-existent "require" or "exclude" cipher rule. |
| 469724-1 | 3-Major | BT469724 | When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire |
| 410549 | 3-Major | | Changing the provision.tmmcount db variable value results in continuous tmm restarts |
| 409062-2 | 3-Major | K20008325 | ArcSight HSL is not supported for most system daemons |
| 405329-4 | 3-Major | | The imish utility cores while checking help strings for OSPF6 vertex-threshold |
| 402691-1 | 3-Major | | The fields displayed in the 'tmsh show net ipsec' should be visible through SNMP |
| 398683-2 | 3-Major | K12304 | Use of a # in a TACACS secret causes remote auth to fail |
| 385013-5 | 3-Major | | Certain user roles do not trigger a sync for a 'modify auth password' command |
| 291256-4 | 3-Major | | Changing 'Minimum Length' and 'Required Characters' might result in an error |
| 1093973-3 | 3-Major | BT1093973 | Tmm may core when BFD peers select a new active device. |
| 1093553-1 | 3-Major | BT1093553 | OSPF "default-information originate" injects a new link-state advertisement |
| 1091725-1 | 3-Major | BT1091725 | Memory leak in IPsec |
| 1091345-5 | 3-Major | BT1091345 | The /root/.bash_history file is not carried forward by default during installations. |
| 1080297-4 | 3-Major | BT1080297 | ZebOS does not show "log syslog" in the running configuration |
| 1077533-3 | 3-Major | BT1077533 | BIG-IP fails to restart services after mprov runs during boot. |
| 1077405-5 | 3-Major | BT1077405 | Ephemeral pool members may not be created with autopopulate enabled. |
| 1074841-4 | 3-Major | BT1074841 | Invalid syslog configuration kills syslog-ng after restarting syslog-ng. |
| 1073429-4 | 3-Major | BT1073429 | Auth partition definition is incorrectly synchronized to peer and then altered. |
| 1072401 | 3-Major | | Modification of certificate associated with a parent ssl profile will fail if a child profile is part of an iApp with strict updates enabled |
| 1072081-4 | 3-Major | BT1072081 | Imish segmentation fault when running 'ip pim sparse-mode ?' on interface config. |
| 1067797-4 | 3-Major | BT1067797 | Trunked interfaces that share a MAC address may be assigned in the incorrect order. |
| 1065549-1 | 3-Major | BT1065549 | BIG-IP does not fail gracefully when a TX error is detected in the kernel ixgbevf driver. |
| 1064461-1 | 3-Major | BT1064461 | PIM-SM will not complete RP registration over tunnel interface when floating IP address is used. |
| 1063657 | 3-Major | | GUI does not display policy rules when httpd.basic_auth db variable is disabled. |
| 1063237-1 | 3-Major | BT1063237 | Stats are incorrect when the management interface is not eth0 |
| 1062901-4 | 3-Major | BT1062901 | The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface. |
| 1060181-1 | 3-Major | BT1060181 | SSL handshakes fail when using CRL certificate validator. |
| 1057709-1 | 3-Major | BT1057709 | Invalid Certificate for all BIG-IP VE OVA images on vCenter 7.0U2. |
| 1057501-1 | 3-Major | BT1057501 | Expired DST Root CA X3 resulting in http agent request failing. |
| 1054041-1 | 3-Major | BT1054041 | Neuron-based platforms may activate SYN Cookies for the wrong virtual server |
| 1052893-2 | 3-Major | | Configuration option to delay reboot if dataplane becomes inoperable |
| 1049713 | 3-Major | BT1049713 | GUI does not display a traffic group's failover order correctly when httpd.basic_auth is disabled |
| 1045277-5 | 3-Major | BT1045277 | The /var partition may become 100% full requiring manual intervention to clear space |
| 1044281-4 | 3-Major | BT1044281 | In some cases, cpcfg does not trigger selinux relabel, leaving files unlabeled |
| 1044089-4 | 3-Major | BT1044089 | ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI. |
| 1042737-1 | 3-Major | BT1042737 | BGP sending malformed update missing Tot-attr-len of '0'. |
| 1042589-4 | 3-Major | BT1042589 | Wrong trunk_id is associated in bcm56xxd. |
| 1041317-4 | 3-Major | BT1041317 | MCPD delay in processing a query_all message if the update_status bit is set |
| 1040277-2 | 3-Major | BT1040277 | Syslog-ng issue may cause logging to stop and possible reboot of a system |
| 1036613-5 | 3-Major | BT1036613 | Client flow might not get offloaded to PVA in embryonic state |
| 1036557-5 | 3-Major | BT1036557 | Monitor information not seen in GUI |
| 1036541-1 | 3-Major | BT1036541 | Inherited-traffic-group setting of floating IP does not sync on incremental sync |
| 1036461-1 | 3-Major | BT1036461 | icrd_child may core with high numbers of open file descriptors. |
| 1036097-1 | 3-Major | BT1036097 | VLAN failsafe does not trigger on guest |
| 1033689-4 | 3-Major | BT1033689 | BGP route map community value cannot be set to the required range when using AA::NN notation |
| 1033333-1 | 3-Major | BT1033333 | FIPS: importing a stub SSL key file results in 2 keys that share the same FIPS device |
| 1032821-3 | 3-Major | BT1032821 | Syslog: invalid level/facility from /usr/libexec/smart_parse.pl |
| 1032257-4 | 3-Major | BT1032257 | Forwarded PVA offload requests fail on platforms with multiple PDE/TMM |
| 1031117-4 | 3-Major | BT1031117 | The mcpd error for virtual server profiles incompatible needs to have more details |
| 1026581-2 | 3-Major | BT1026581 | NETFLOW/IPFIX observationTimeMilliseconds Information Element value is not populated correctly. |
| 1026549-5 | 3-Major | BT1026549 | Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd |
| 1026273-2 | 3-Major | BT1026273 | HA failover connectivity using the cluster management address does not work on VIPRION platforms &start; |
| 1021925-1 | 3-Major | BT1021925 | During bootup AWS BIG-IP endpoint was not licensed when custom gateway configured over management interface |
| 1021873-4 | 3-Major | BT1021873 | TMM crash in IPIP tunnel creation with a pool route |
| 1021109-1 | 3-Major | BT1021109 | The cmp-hash VLAN setting does not apply to trunked interfaces. |
| 1020377-3 | 3-Major | BT1020377 | Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon |
| 1020089-4 | 3-Major | BT1020089 | MCP validation should prevent defining multiple virtual servers with the same virtual address but with different subnet masks |
| 1019129-1 | 3-Major | BT1019129 | Changing syslog remote port requires syslog-ng restart to take effect |
| 1018309-1 | 3-Major | BT1018309 | Loading config file with imish removes the last character |
| 1017897-4 | 3-Major | BT1017897 | Self IP address creation fails with 'ioctl failed: No such device' |
| 1017857-5 | 3-Major | BT1017857 | Restore of UCS leads to incorrect UID on authorized_keys &start; |
| 1014285-1 | 3-Major | BT1014285 | Set auto-failback-enabled moved to false after upgrade &start; |
| 1013649-2 | 3-Major | BT1013649 | Leftover files in /var/run/key_mgmt after key export |
| 1012601-7 | 3-Major | BT1012601 | Alarm LED and LCD alert cleared prematurely on startup for missing PSU input |
| 1012449-5 | 3-Major | BT1012449 | Unable to edit custom inband monitor in the GUI |
| 1012049-5 | 3-Major | BT1012049 | Incorrect virtual server list returned in response to status request |
| 1007909-5 | 3-Major | BT1007909 | Tcpdump with :p (peer flow) flag does not capture traffic forwarded between TMMs |
| 1006345-3 | 3-Major | BT1006345 | Static mac entry on trunk is not programmed on CPU-only blades |
| 1004469-4 | 3-Major | BT1004469 | SNMP OID ltmSipsessionProfileStatVsName and ltmSiprouterProfileStatVsName returns empty string |
| 964533-5 | 4-Minor | BT964533 | Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs. |
| 962605-1 | 4-Minor | | BIG-IP may go offline after installing ASU file with insufficient disk space |
| 955593-4 | 4-Minor | BT955593 | "none" missing from the error string when snmp trap is configured with an invalid network type |
| 955057-4 | 4-Minor | BT955057 | UCS archives containing a large number of DNS zone files may fail to restore. &start; |
| 947865-4 | 4-Minor | BT947865 | Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read |
| 944485-3 | 4-Minor | BT944485 | License activation through proxy server uses IP address in proxy CONNECT, not nameserver |
| 939757-2 | 4-Minor | BT939757 | Deleting a virtual server might not trigger route injection update. |
| 939517-2 | 4-Minor | BT939517 | DB variable scheduler.minsleepduration.ltm changes to default value after reboot |
| 929173-4 | 4-Minor | BT929173 | Watchdog reset due to CPU stall detected by rcu_sched |
| 927441-1 | 4-Minor | BT927441 | Guest user not able to see virtual server details when ASM policy attached |
| 924429-4 | 4-Minor | BT924429 | Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values |
| 921001-2 | 4-Minor | BT921001 | After provisioning change, pfmand might keep interfaces down on particular platforms |
| 918013-4 | 4-Minor | BT918013 | Log message with large wchan value |
| 911713 | 4-Minor | BT911713 | Delay in Network Convergence with RSTP enabled |
| 908005-1 | 4-Minor | | Limit on log framework configuration size |
| 906889-3 | 4-Minor | BT906889 | Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows. |
| 906449-5 | 4-Minor | BT906449 | Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load |
| 901985-1 | 4-Minor | BT901985 | Extend logging for incomplete HTTP requests |
| 896693-1 | 4-Minor | BT896693 | Patch installation is failing for iControl REST endpoint. |
| 896689-1 | 4-Minor | BT896689 | Asynchronous tasks can be managed via unintended endpoints |
| 893093-5 | 4-Minor | BT893093 | An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing. |
| 889813-4 | 4-Minor | BT889813 | Show net bwc policy prints bytes-per-second instead of bits-per-second |
| 884953-1 | 4-Minor | BT884953 | IKEv1 IPsec daemon racoon goes into an endless restart loop |
| 878365-1 | 4-Minor | BT878365 | Logrotate may fail after downgrading to an older version |
| 876249-1 | 4-Minor | BT876249 | Top command shows tmm 0.0% CPU usage under load |
| 869237-1 | 4-Minor | | Management interface might become unreachable when alternating between DHCP/static address assignment. |
| 860573-1 | 4-Minor | BT860573 | LTM iRule validation performance improvement by tracking procedure/event that have been validated |
| 858549-3 | 4-Minor | BT858549 | GUI does not allow IPv4-Mapped IPv6 Address to be assigned to self IPs |
| 851393-4 | 4-Minor | BT851393 | Tmipsecd leaves a zombie rm process running after starting up |
| 848681-3 | 4-Minor | BT848681 | Disabling the LCD on a VIPRION causes blade status lights to turn amber |
| 846521-3 | 4-Minor | BT846521 | Config script does not refresh management address entry properly when alternating between dynamic and static |
| 838925-3 | 4-Minor | BT838925 | Rewrite URI translation profile can cause connection reset while processing malformed CSS content |
| 828625-4 | 4-Minor | BT828625 | User shouldn't be able to configure two identical traffic selectors |
| 819429-1 | 4-Minor | BT819429 | Unable to scp to device after upgrade: path not allowed |
| 819421-1 | 4-Minor | BT819421 | Unable to scp/sftp to device after upgrade &start; |
| 808481-3 | 4-Minor | BT808481 | Hertfordshire county missing from GTM Region list |
| 807309-1 | 4-Minor | BT807309 | Incorrect Active/Standby status in CLI Prompt after failover test |
| 805325-1 | 4-Minor | BT805325 | tmsh help text contains a reference to bigpipe, which is no longer supported |
| 803773 | 4-Minor | BT803773 | BGP Peer-group route-maps are not applied to newly configured peers |
| 795429-1 | 4-Minor | BT795429 | Unrelated iControl REST transaction error message is returned when committing a transaction without any tasks. |
| 790161-1 | 4-Minor | BT790161 | BGP bestpath does not set multipath correctly with as-ignore |
| 784981 | 4-Minor | BT784981 | Modifying 'local-ip' for a remote syslog requires restarting syslog-ng |
| 781657 | 4-Minor | BT781657 | BSD HSL remote logging does not log FQDN from BIG-IP 12.0.0 and later |
| 774617-4 | 4-Minor | BT774617 | SNMP daemon reports integer truncation error for values greater than 32 bits |
| 766321 | 4-Minor | BT766321 | boot slots created on pre-14.x systems lack ACLs |
| 761981-1 | 4-Minor | BT761981 | Information in snmpd.conf files may be overwritten causing SNMP v3 queries to receive 'Unsupported security level' errors |
| 761084 | 4-Minor | BT761084 | Custom monitor fields appear editable for Auditor, Operator, or Guest |
| 760234-2 | 4-Minor | BT760234 | Configuring Advanced shell for Resource Administrator User has no effect |
| 759852-2 | 4-Minor | BT759852 | SNMP configuration for trap destinations can cause a warning in the log |
| 759606-4 | 4-Minor | BT759606 | REST error message is logged every five minutes on vCMP Guest |
| 759590-3 | 4-Minor | BT759590 | Creation of RADIUS authentication fails with service types other than 'authenticate only' |
| 758348 | 4-Minor | BT758348 | Cannot access GUI via hostname when it contains _ (underscore character) |
| 758105-1 | 4-Minor | BT758105 | Drive model WDC WD1005FBYZ-01YCBB2 must be added to pendsect drives.xml |
| 756714-3 | 4-Minor | BT756714 | UIDs on /home directory are scrambled after upgrade &start; |
| 756401-1 | 4-Minor | BT756401 | IKEv2 debug logging often omits SPI values that would identify the SAs involved |
| 755450-3 | 4-Minor | BT755450 | Memory leak when using lots of iApps |
| 755343-1 | 4-Minor | BT755343 | Phonehome_upload crashes when Automatic Phone Home is disabled |
| 754500-4 | 4-Minor | BT754500 | GUI LTM Policy options disappearing |
| 751103-5 | 4-Minor | BT751103 | TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop |
| 749469 | 4-Minor | BT749469 | Unable to issue iControl rest API to perform 'tmsh show running-config' command |
| 746152-3 | 4-Minor | BT746152 | Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column |
| 742105-1 | 4-Minor | BT742105 | Displaying network map with virtual servers is slow |
| 741299-1 | 4-Minor | BT741299 | An icr_eventd error: Receive MCP msg failed |
| 734269 | 4-Minor | BT734269 | Difficulty in selection from large numbers of iRules for Virtual Server configuration |
| 724994-2 | 4-Minor | | API requests with 'expandSubcollections=true' are very slow |
| 723833-1 | 4-Minor | BT723833 | IPsec related routing changes can misfire, like changing tunnel mode to interface mode |
| 722647-2 | 4-Minor | BT722647 | The configuration of some of the Nokia alerts is incorrect |
| 715331-1 | 4-Minor | BT715331 | IKEv2 logs peers_id comparisons and cert verification failures |
| 714705-2 | 4-Minor | BT714705 | Excessive "The Service Check Date check was skipped" log messages. |
| 713183-2 | 4-Minor | BT713183 | Malformed JSON files may be present on vCMP host |
| 713169 | 4-Minor | BT713169 | License String 'ASM-VE' was not recognized by the UI in the policy rule page |
| 713138-2 | 4-Minor | BT713138 | TMUI ILX Editor inserts an unnecessary linefeed |
| 713134-2 | 4-Minor | BT713134 | Small tmctl memory leak when viewing stats for snapshot files |
| 712241-5 | 4-Minor | BT712241 | A vCMP guest may not provide guest health stats to the vCMP host |
| 708415-2 | 4-Minor | BT708415 | Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled |
| 703509-2 | 4-Minor | BT703509 | Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled |
| 699209-1 | 4-Minor | BT699209 | API errors can prevent access to login history in Configuration Utility |
| 698991-1 | 4-Minor | K64258832 , BT698991 | CPU utilization on i850 is not a reliable indicator of system capacity |
| 697329-2 | 4-Minor | BT697329 | Warning message: get_db failed for is_provisioned wam - returning not-provisioned. |
| 696363-1 | 4-Minor | BT696363 | Unable to create SNMP trap in the GUI |
| 694765-1 | 4-Minor | BT694765 | Changing the system's admin user causes vCMP host guest health info to be unavailable |
| 692172-1 | 4-Minor | BT692172 | rewrite profile causes "No available pool member" failures when connection limit reached |
| 691571 | 4-Minor | BT691571 | tmsh show sys software doesn't show the correct HF version |
| 689147-5 | 4-Minor | BT689147 | Confusing log messages on certain user/role/partition misconfiguration when using remote role groups |
| 685233-1 | 4-Minor | K13125441 , BT685233 | tmctl -d blade command does not work in an SNMP custom MIB |
| 675911-4 | 4-Minor | K13272442 , BT675911 | Different sections of the GUI can report incorrect CPU utilization |
| 674026-2 | 4-Minor | BT674026 | iSeries AOM web UI update fails to complete. &start; |
| 673811-1 | 4-Minor | BT673811 | After an upgrade, IPsec tunnels may fail to start &start; |
| 673573-5 | 4-Minor | BT673573 | tmsh logs boost assertion when running child process and reaches idle-timeout |
| 671025-2 | 4-Minor | BT671025 | File descriptor exhaustion can occur when state-mirroring peer-address is misconfigured |
| 663911-5 | 4-Minor | BT663911 | When running out of memory, MCP can report an incorrect allocation size |
| 659579-2 | 4-Minor | BT659579 | Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time |
| 658943-1 | 4-Minor | BT658943 | Errors when platform-migrate loading UCS using trunks on vCMP guest |
| 646768-3 | 4-Minor | K71255118 , BT646768 | VCMP Guest CM device name not set to hostname when deployed |
| 631083-3 | 4-Minor | BT631083 | Some files in home directory are overwritten on password change |
| 627506-1 | 4-Minor | BT627506 | Unable to change management-ip address |
| 617636-1 | 4-Minor | K15009669 , BT617636 | LTM v11.6.x Errors in F5-BIGIP-LOCAL-MIB.txt prevent its compilation in NMS (Network Management System) |
| 611724 | 4-Minor | BT611724 | LTM v11.5.4 HF1 iApp folders removed on partition load |
| 603693-4 | 4-Minor | K52239932 , BT603693 | Brace matching in switch statement of iRules can fail if literal strings use braces |
| 539648-1 | 4-Minor | K45138318 , BT539648 | Disabled db var Watchdog.State prevents vCMP guest activation. |
| 447522-4 | 4-Minor | BT447522 | GUI: SNMPV3 Incorrectly requires "OID" when creating an SNMP user. |
| 1096461-2 | 4-Minor | | TACACS system-auth Accounting setting has no effect when set to send-to-all-servers/send-to-first-server |
| 1095205-1 | 4-Minor | | Config.auditing.forward.multiple db Variable with value "none" is not working as expected with multiple destination addresses in audit_forwarder. |
| 1089005-1 | 4-Minor | BT1089005 | Dynamic routes might be missing in the kernel on secondary blades. |
| 1076253-2 | 4-Minor | BT1076253 | IKE library memory leak |
| 1072237-4 | 4-Minor | BT1072237 | Retrieval of policy action stats causes memory leak |
| 1067617-1 | 4-Minor | BT1067617 | BGP default route not advertised after mid-session OPEN. |
| 1065821-1 | 4-Minor | BT1065821 | Cannot create an iRule with a newline between event and opening brace. |
| 1064753-1 | 4-Minor | BT1064753 | OSPF LSAs are dropped/rate limited incorrectly. |
| 1062385-1 | 4-Minor | BT1062385 | BIG-IP has an incorrect limit on the number of monitored HA-group entries. |
| 1060769-4 | 4-Minor | BT1060769 | The /mgmt/tm/sys/performance/all-stats and /mgmt/tm/sys/performance/throughput iControl REST endpoints cannot be successfully parsed by common JSON libraries. |
| 1059441-1 | 4-Minor | BT1059441 | Upgrading with a configuration that contains objects with properties that override the TCP profile can result in incorrect property values being used. &start; |
| 1057925-1 | 4-Minor | BT1057925 | GTP iRule generates a warning. |
| 1055053-1 | 4-Minor | BT1055053 | "tmsh load sys config default" does not clear Zebos config files. |
| 1053037-3 | 4-Minor | BT1053037 | MCP error on loading a UCS archive with a global flow eviction policy |
| 1050413-1 | 4-Minor | BT1050413 | Drive model HGST HUS722T1TALA604 must be added to pendsect drives.xml. |
| 1044893-1 | 4-Minor | BT1044893 | Kernel warnings from NIC driver Realtek 8139 |
| 1036265-1 | 4-Minor | BT1036265 | Overlapping summary routes might not be advertised after ospf process restart. |
| 1035017-4 | 4-Minor | | Remove unused CA-bundles |
| 1034509-2 | 4-Minor | BT1034509 | Sensor read errors on VIPRION C2200 chassis |
| 1033969-2 | 4-Minor | BT1033969 | MPLS label stripping needs next protocol indicator |
| 1032921-1 | 4-Minor | BT1032921 | VCMP Guest CPU usage shows abnormal values at the Host |
| 1030645-1 | 4-Minor | BT1030645 | BGP session resets during traffic-group failover |
| 1029173-1 | 4-Minor | BT1029173 | MCP daemon does not log an error message upon connection failure to PostgreSQL server. |
| 1025965-5 | 4-Minor | BT1025965 | Audit role users cannot see folder properties under sys-folder |
| 1024301-4 | 4-Minor | BT1024301 | Missing required logs for "tmsh modify disk directory" command |
| 1022297-1 | 4-Minor | BT1022297 | In BIG-IP GUI using "Select All" with filters is not working appropriately for policies |
| 1020109-4 | 4-Minor | BT1020109 | Subnet mask property of virtual addresses not displayed in management GUI |
| 1011217-1 | 4-Minor | BT1011217 | TurboFlex Profile setting reverts to turboflex-base after upgrade &start; |
| 1003469-4 | 4-Minor | BT1003469 | The BIG-IP GUI fails to reset the statistics for an IPv6 pool member and returns an error. |
| 1003081-4 | 4-Minor | BT1003081 | GRE/TB-encapsulated fragments are not forwarded. |
| 965457-2 | 5-Cosmetic | BT965457 | OSPF duplicate router detection might report false positives |
| 964421-4 | 5-Cosmetic | BT964421 | Error '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously' |
| 796045 | 5-Cosmetic | BT796045 | Tmsh reports Bay2 as Bay1 |
| 769145-3 | 5-Cosmetic | BT769145 | Syncookie threshold warning is logged when the threshold is disabled |
| 761621-4 | 5-Cosmetic | BT761621 | Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members" |
| 720669-2 | 5-Cosmetic | BT720669 | Within the GUI, the 'MQTT-TLS' service port is incorrectly reported as 'common.all.MQTT-TLS'. |
| 713519-2 | 5-Cosmetic | BT713519 | Enabling MCP Audit logging does not produce log entry for audit logging change |
| 679431-1 | 5-Cosmetic | BT679431 | In routing module the 'sh ipv6 interface <interface> brief' command may not show header |
| 1022421-1 | 5-Cosmetic | BT1022421 | Pendsec utility incorrectly starts on i2x00/i4x00 platform with NON WD disk |
Local Traffic Manager Issues
| ID Number | Severity | Links to More Info | Description |
| 752766-2 | 1-Blocking | BT752766 | The BIG-IP system might fail to read SFPs after a reboot |
| 989749 | 2-Critical | BT989749 | Tcpdump command does not show F5 ethtrailer info |
| 967249-4 | 2-Critical | BT967249 | TMM may leak memory early during its startup process, and may continue to do so indefinitely. |
| 949137-5 | 2-Critical | BT949137 | Clusterd crash and vCMP guest failover |
| 938545-5 | 2-Critical | BT938545 | Oversize plugin Tcl object results can result in 0-length messages and plugin crash |
| 914309 | 2-Critical | BT914309 | TMM crash seen with FTP and Classification profiles |
| 911041-1 | 2-Critical | BT911041 | Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash |
| 910653-2 | 2-Critical | BT910653 | iRule parking in clientside/serverside command may cause tmm restart |
| 889209-3 | 2-Critical | BT889209 | Sflow receiver configuration may lead to egress traffic dropped after TMM starts. |
| 879409-1 | 2-Critical | BT879409 | TMM core with mirroring traffic due to unexpected interface name length |
| 851581-4 | 2-Critical | BT851581 | Server-side detach may crash TMM |
| 851385-5 | 2-Critical | BT851385 | Failover takes too long when traffic blade failure occurs |
| 842937-2 | 2-Critical | BT842937 | TMM crash due to failed assertion 'valid node' |
| 835505-3 | 2-Critical | BT835505 | Tmsh crash potentially related to NGFIPS SDK |
| 824437-4 | 2-Critical | BT824437 | Chaining a standard virtual server and an ipother virtual server together can crash TMM. |
| 816961-1 | 2-Critical | BT816961 | LB::detach iRule command may trigger TMM crash |
| 766509-3 | 2-Critical | BT766509 | Strict internal checking might cause tmm crash |
| 763197-2 | 2-Critical | BT763197 | Flows not mirrored on wildcard Virtual Server with opaque VLAN group |
| 751589-2 | 2-Critical | BT751589 | In BIG-IP VE, some IP rules may not be created during the first boot up. |
| 745774-3 | 2-Critical | BT745774 | Creating EC-only client SSL profile for forward-proxy without RSA key certs defined results in invalid profile |
| 745589-4 | 2-Critical | BT745589 | In very rare situations, some filters may cause data-corruption. |
| 743950-2 | 2-Critical | BT743950 | TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled |
| 738964-1 | 2-Critical | | Instruction logger debugging enhancement |
| 737985 | 2-Critical | BT737985 | BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode. |
| 734551 | 2-Critical | BT734551 | L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server |
| 726900-3 | 2-Critical | BT726900 | Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters |
| 715088 | 2-Critical | BT715088 | Changing WebSocket payload protocol profile from mqtt back to none causes TMM restart |
| 711907 | 2-Critical | BT711907 | TMM may consume excessive resources when processing UDP traffic |
| 706501 | 2-Critical | BT706501 | VCMP guest, tmm continues to restart on Cavium Nitrox PX platform |
| 691196-1 | 2-Critical | BT691196 | One Cisco NEXUS switch and 2 BIG-IP WCCP web caches do not work together |
| 682273-1 | 2-Critical | BT682273 | Connection rate limit on a pool member can be exceeded |
| 663925-1 | 2-Critical | BT663925 | Virtual server state not updated with pool- or node-based connection limiting |
| 625807-5 | 2-Critical | BT625807 | Tmm cores in bigproto_cookie_buffer_to_server |
| 474797-6 | 2-Critical | BT474797 | Nitrox crypto hardware may attempt soft reset while currently resetting |
| 431480-5 | 2-Critical | K17297 , BT431480 | Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message |
| 1091021-5 | 2-Critical | BT1091021 | The BIG-IP system may take no fail-safe action when the bigd daemon becomes unresponsive. |
| 1086677-1 | 2-Critical | | TMM Crashes in xvprintf() because of NULL Flow Key |
| 1074517-5 | 2-Critical | BT1074517 | Tmm may core while adding/modifying traffic-class attached to a virtual server |
| 1073609-3 | 2-Critical | BT1073609 | Tmm may core while using reject iRule command in LB_SELECTED event. |
| 1071449-1 | 2-Critical | BT1071449 | Statsd memory leak on platforms with license disabled processors. |
| 1067669-4 | 2-Critical | BT1067669 | TCP/UDP virtual servers drop all incoming traffic. |
| 1048097-2 | 2-Critical | BT1048097 | Under certain conditions, using the HTTP::retry iRule command causes TMM to crash. |
| 1041225 | 2-Critical | BT1041225 | Missing SHA-384 cipher suites in outgoing LDAP TLS ClientHello |
| 1039145-4 | 2-Critical | BT1039145 | Tenant mirroring channel disconnects with peer and never reconnects after failover. |
| 1030185-1 | 2-Critical | BT1030185 | TMM may crash when looking up a persistence record using "persist lookup" iRule commands |
| 1020645-2 | 2-Critical | BT1020645 | When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered |
| 999881-2 | 3-Major | BT999881 | Tcl command 'string first' not working if payload contains Unicode characters. |
| 996649-2 | 3-Major | BT996649 | Improper handling of DHCP flows leading to orphaned server-side connections |
| 995201-1 | 3-Major | BT995201 | IP fragments for the same flow are dropped if they are received on different VLANs and route domains. |
| 994081-6 | 3-Major | BT994081 | Traffic may be dropped with an Immediate idle timeout setting. |
| 993517-5 | 3-Major | BT993517 | Loading an upgraded config can result in a file object error in some cases |
| 991501-1 | 3-Major | BT991501 | Pool members with HTTPS monitor may be incorrectly marked down. |
| 985749-5 | 3-Major | BT985749 | TCP exponential backoff algorithm does not comply with RFC 6298 |
| 984897-5 | 3-Major | BT984897 | Some connections performing SSL mirroring are not handled correctly by the Standby unit. |
| 976525-1 | 3-Major | BT976525 | Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled |
| 975725-1 | 3-Major | BT975725 | Wildcard virtual servers do not forward L3 unicast traffic sent to L2 broadcast |
| 971217-4 | 3-Major | BT971217 | AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations. |
| 969637-6 | 3-Major | BT969637 | Config may fail to load with "FIPS 140 operations not available on this system" after upgrade &start; |
| 968949-3 | 3-Major | BT968949 | Keepalives aren't sent in FIN_WAIT_2 when using a TCP profile |
| 968509-1 | 3-Major | | Response headers are not parsed correctly, causing subsequent requests to stall at BIG-IP |
| 967353-5 | 3-Major | BT967353 | HTTP proxy should trim spaces between a header field-name and colon in its downstream responses. |
| 965129 | 3-Major | BT965129 | Classification of ftp data-channel traffic is "tcp" |
| 962913-2 | 3-Major | BT962913 | The number of native open connections in the SSL profile is higher than expected |
| 961001-4 | 3-Major | BT961001 | ARP requests not resolved for SNAT pool members when primary blade goes offline |
| 958785-3 | 3-Major | BT958785 | FTP data transfer does not complete after QUIT signal |
| 956133-5 | 3-Major | BT956133 | MAC address might be displayed as 'none' after upgrading. ★ |
| 953601-5 | 3-Major | BT953601 | HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions |
| 950197 | 3-Major | BT950197 | On BIG-IP C124 platform, drops seen on HSB-TMM 0.x interfaces |
| 950005-4 | 3-Major | BT950005 | TCP connection is not closed when necessary after HTTP::respond iRule |
| 948985-1 | 3-Major | BT948985 | Workaround to address Nitrox 3 compression engine hang |
| 947125-4 | 3-Major | BT947125 | Unable to delete monitors after certain operations |
| 945601-2 | 3-Major | BT945601 | An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions. |
| 942217-1 | 3-Major | BT942217 | Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available' |
| 941481-4 | 3-Major | BT941481 | iRules LX - nodejs processes consuming excessive memory |
| 938309-4 | 3-Major | BT938309 | In-TMM Monitors time out unexpectedly |
| 936593 | 3-Major | BT936593 | Invalid server-side SSL profile options can be configured in tmsh |
| 936441-4 | 3-Major | BT936441 | Nitrox5 SDK driver logging messages |
| 934697-1 | 3-Major | BT934697 | Route domain not reachable (strict mode) |
| 934017-1 | 3-Major | BT934017 | Problems may occur after creating a node named '_auto_<IP address>' |
| 932857-4 | 3-Major | BT932857 | Delays marking Nodes or Pool Members DOWN with in-TMM monitoring |
| 932461-1 | 3-Major | BT932461 | Cert update on server SSL profile on HTTPS monitor: BIG-IP not using the updated certificate. |
| 928857-4 | 3-Major | BT928857 | Use of OCSP responder may leak X509 store instances |
| 928805-4 | 3-Major | BT928805 | Use of OCSP responder may cause memory leakage |
| 928789-4 | 3-Major | BT928789 | Use of OCSP responder may leak SSL handshake instances |
| 928445-1 | 3-Major | BT928445 | HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2 |
| 927713-4 | 3-Major | BT927713 | Clsh reboot hangs when executed from the primary blade. |
| 927589-5 | 3-Major | BT927589 | ILX::call command response gets truncated |
| 926513-4 | 3-Major | BT926513 | HTTP/2 clone pool fails to receive traffic with the clone pool (server) option selected. |
| 922641-1 | 3-Major | BT922641 | Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow |
| 922637 | 3-Major | BT922637 | iRules utilize information from incorrect peer flow for connection within a clientside/serverside command. |
| 922413-5 | 3-Major | BT922413 | Excessive memory consumption with ntlmconnpool configured |
| 921881-5 | 3-Major | BT921881 | Use of IPFIX log destination can result in increased CPU utilization |
| 921541-5 | 3-Major | BT921541 | When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker. |
| 920789-5 | 3-Major | BT920789 | UDP commands in iRules executed during FLOW_INIT event fail |
| 920285-3 | 3-Major | BT920285 | WS::disconnect may result in TMM crash under certain conditions |
| 920205-5 | 3-Major | BT920205 | Rate shaping might suppress TCP RST |
| 918277-5 | 3-Major | BT918277 | Slow Ramp does not take into account pool members' ratio weights |
| 914061-4 | 3-Major | BT914061 | BIG-IP may reject a POST request if it comes first and exceeds the initial window size |
| 910905-3 | 3-Major | BT910905 | TMM crash when processing virtual server traffic with TLS/SSL session cache enabled |
| 910673-5 | 3-Major | BT910673 | Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM' |
| 906653-5 | 3-Major | BT906653 | Server side UDP immediate idle-timeout drops datagrams |
| 905477-5 | 3-Major | BT905477 | The sdmd daemon cores during config sync when multiple devices configured for iRules LX |
| 904625-5 | 3-Major | BT904625 | Changes to SSL.CertRequest.* DB variables cause high availability (HA) devices to go out of sync |
| 898685-1 | 3-Major | BT898685 | Order of ciphers changes after updating cipher group |
| 897185-5 | 3-Major | BT897185 | Resolver cache not using random port distribution |
| 895649-1 | 3-Major | BT895649 | Improve TCP analytics goodput reports |
| 895205-5 | 3-Major | BT895205 | A circular reference in rewrite profiles causes MCP to crash |
| 891145-2 | 3-Major | BT891145 | TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal |
| 889165-5 | 3-Major | BT889165 | "http_process_state_cx_wait" errors in log and connection reset |
| 887265-6 | 3-Major | BT887265 | BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration ★ |
| 887045-5 | 3-Major | BT887045 | The session key does not get mirrored to standby. |
| 886049-1 | 3-Major | | Mcpd validation for proxy ssl and don't-insert-empty-fragments |
| 885325-5 | 3-Major | BT885325 | Stats might be incorrect for iRules that get executed a large number of times |
| 883049-6 | 3-Major | BT883049 | Statsd can deadlock with rrdshim if an rrd file is invalid |
| 882725-1 | 3-Major | BT882725 | Mirroring not working properly when default route VLAN names do not match. |
| 881937-4 | 3-Major | BT881937 | TMM and the kernel choose different VLANs as source IPs when using IPv6. |
| 881041-5 | 3-Major | BT881041 | BIG-IP system may forward IP broadcast packets back to the incoming VLAN interface via a forwarding virtual server. |
| 878925-4 | 3-Major | BT878925 | SSL connection mirroring failover at end of TLS handshake |
| 878253-4 | 3-Major | BT878253 | LB::down no longer sends an immediate monitor probe |
| 876569-5 | 3-Major | BT876569 | QAT compression codec produces gzip stream with CRC error |
| 876145-1 | 3-Major | BT876145 | Nitrox5 failure on vCMP guest results in all crypto requests failing. |
| 874317-4 | 3-Major | BT874317 | Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN |
| 873677-3 | 3-Major | BT873677 | LTM policy matching does not work as expected |
| 871045-5 | 3-Major | BT871045 | IP fragments are disaggregated to separate TMMs with hardware syncookies enabled |
| 867985-1 | 3-Major | BT867985 | LTM policy with a 'shutdown' action incorrectly allows iRule execution |
| 864649-5 | 3-Major | BT864649 | The client-side connection of a dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server never expires from the connection table |
| 862069-4 | 3-Major | BT862069 | Using non-standard HTTPS and SSH ports fails under certain conditions |
| 862001-4 | 3-Major | BT862001 | Improperly configured NTP server can result in an undisciplined clock stanza |
| 853613-5 | 3-Major | BT853613 | Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp |
| 852873-4 | 3-Major | BT852873 | Proprietary Multicast PVST+ packets are forwarded instead of dropped |
| 852325-4 | 3-Major | BT852325 | HTTP2 does not support Global SNAT |
| 851789-4 | 3-Major | BT851789 | SSL monitors flap with client certs with private key stored in FIPS |
| 851121-4 | 3-Major | BT851121 | Database monitor DBDaemon debug logging not enabled consistently |
| 851101-1 | 3-Major | BT851101 | Unable to establish active FTP connection with custom FTP filter |
| 848777-4 | 3-Major | BT848777 | Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node. |
| 846977-4 | 3-Major | BT846977 | TCP:collect validation changed in 12.0.0: the first argument can no longer be zero ★ |
| 846873-2 | 3-Major | BT846873 | Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure |
| 845333-2 | 3-Major | BT845333 | An iRule with a proc referencing a datagroup cannot be assigned to Transport Config |
| 842425-4 | 3-Major | BT842425 | Mirrored connections on standby are never removed in certain configurations |
| 841369-5 | 3-Major | BT841369 | HTTP monitor GUI displays incorrect green status information |
| 841341-2 | 3-Major | BT841341 | IP forwarding virtual server does not pick up any traffic if destination address is shared. |
| 840785-4 | 3-Major | BT840785 | Update documented examples for REST::send to use valid REST endpoints |
| 834373-1 | 3-Major | BT834373 | Possible handshake failure with TLS 1.3 early data |
| 832133-5 | 3-Major | BT832133 | In-TMM monitors fail to match certain binary data in the response from the server. |
| 827441-3 | 3-Major | BT827441 | Changing a UDP virtual server with an immediate timeout to a TCP virtual server can cause connections to fail |
| 826349-3 | 3-Major | BT826349 | VXLAN tunnel might fail due to misbehaving NIC checksum offload |
| 825245-1 | 3-Major | BT825245 | SSL::enable does not work for server side ssl |
| 823825-3 | 3-Major | BT823825 | Renaming high availability (HA) VLAN can disrupt state-mirror connection |
| 820333-5 | 3-Major | BT820333 | LACP working member state may be inconsistent when blade is forced offline |
| 818833-4 | 3-Major | BT818833 | TCP re-transmission during SYN Cookie activation results in high latency |
| 818789-3 | 3-Major | BT818789 | Setting the SSL profile to none in an HTTPS monitor does not set Ciphers to DEFAULT as in the serverssl profile |
| 818097-2 | 3-Major | BT818097 | Plane CPU stats too high after primary blade failover in multi-blade chassis |
| 816205-2 | 3-Major | BT816205 | IPsec passthrough scenario may not forward ICMP unreachable messages from the server-side |
| 815825-1 | 3-Major | BT815825 | BIG-IP may not create a listener object after TMM restarts or the system reboots |
| 815405-3 | 3-Major | BT815405 | GUI update of Child FastL4 profile overwrites CLI-only customized settings (options that are not available in GUI) |
| 815089-5 | 3-Major | BT815089 | On a system with no VLANs, you can create virtual servers or SNATs that have identical address/port combinations |
| 812693-1 | 3-Major | BT812693 | Connection in FIN_WAIT_2 state may fail to be removed |
| 812497-2 | 3-Major | BT812497 | VE rate limit should not count packet that does not have a matched vlan or matched MAC address |
| 810533-5 | 3-Major | BT810533 | SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile |
| 808017-4 | 3-Major | BT808017 | When using a variable as the only parameter to the iRule persist command, the iRule validation fails |
| 806085-3 | 3-Major | BT806085 | In-TMM MQTT monitor is not working as expected |
| 801549-4 | 3-Major | BT801549 | Persist records do not expire properly if mirroring is configured incorrectly |
| 801541-3 | 3-Major | BT801541 | Persist records do not expire properly if HA peer is unavailable |
| 795933-4 | 3-Major | BT795933 | A pool member's cur_sessions stat may incorrectly not decrease for certain configurations |
| 795501-1 | 3-Major | BT795501 | Possible SSL crash during config sync |
| 795261-4 | 3-Major | BT795261 | LTM policy does not properly evaluate condition when an operand is missing |
| 794505-2 | 3-Major | BT794505 | OSPFv3 IPv4 address family route-map filtering does not work |
| 794385-1 | 3-Major | BT794385 | BGP sessions may be reset after CMP state change |
| 787973-4 | 3-Major | BT787973 | Potential memory leak when software crypto request is canceled. |
| 787853-4 | 3-Major | BT787853 | BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps. |
| 787433-2 | 3-Major | BT787433 | SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed |
| 785877-1 | 3-Major | BT785877 | VLAN groups do not bridge non-link-local multicast traffic. |
| 785481-4 | 3-Major | BT785481 | A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached |
| 785361-4 | 3-Major | BT785361 | In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped |
| 784713-2 | 3-Major | BT784713 | When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct |
| 783145-2 | 3-Major | BT783145 | Pool gets disabled when one of its pool members with a monitor session is disabled |
| 783077 | 3-Major | BT783077 | IPv6 host defined via static route unreachable after BIG-IP reboot |
| 781041-4 | 3-Major | BT781041 | SIP monitor in non default route domain is not working. |
| 777269-2 | 3-Major | BT777269 | Gratuitous ARP may be sent for self IPs from incorrect MAC address at startup |
| 767341-5 | 3-Major | BT767341 | If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file. |
| 767217-3 | 3-Major | BT767217 | Under certain conditions when deleting an iRule, an incorrect dependency error is seen |
| 766593-4 | 3-Major | BT766593 | RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20 |
| 764969-4 | 3-Major | BT764969 | ILX no longer supports symlinks in workspaces as of v14.1.0 |
| 761869-1 | 3-Major | BT761869 | WMI monitor may return negative values |
| 761477-5 | 3-Major | BT761477 | Client authentication performance when large CRL is used |
| 760406-5 | 3-Major | BT760406 | HA connection might stall on Active device when the SSL session cache becomes out-of-sync. |
| 758904 | 3-Major | BT758904 | After full config sync or modifications to SSL profiles, new SSL/TLS handshakes fail for at least 5 seconds |
| 758596-1 | 3-Major | BT758596 | Unable to associate cipher group with long name profile |
| 757505-2 | 3-Major | BT757505 | peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket |
| 757029-4 | 3-Major | BT757029 | Ephemeral pool members may not be created after config load or reboot |
| 756812-1 | 3-Major | BT756812 | Nitrox 3 instruction/request logger may fail due to SELinux permission error |
| 756313-4 | 3-Major | BT756313 | SSL monitor continues to mark pool member down after restoring services |
| 755997-1 | 3-Major | BT755997 | Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address |
| 755791-4 | 3-Major | BT755791 | UDP monitor not behaving properly on different ICMP reject codes. |
| 755631-3 | 3-Major | BT755631 | UDP / DNS monitor marking node down |
| 754604-3 | 3-Major | BT754604 | iRule : [string first] returns incorrect results when string2 contains null |
| 754218-1 | 3-Major | BT754218 | Stateless virtual servers do not work for non-standard load-balancing methods |
| 753526-3 | 3-Major | BT753526 | IP::addr iRule command does not allow single digit mask |
| 753383-3 | 3-Major | BT753383 | Deadlock While Attaching NDAL Devices |
| 753159-3 | 3-Major | BT753159 | Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections |
| 752858-2 | 3-Major | BT752858 | HTTP commands do not return an error when called from an invalid state |
| 751718 | 3-Major | BT751718 | Connection tear down takes longer when using FastL4 profiles and connection mirroring. |
| 750473-3 | 3-Major | BT750473 | VA status change while 'disabled' are not taken into account after being 'enabled' again |
| 750204-2 | 3-Major | BT750204 | Add support for P-521 curve in the X.509 chain to SSL LTM |
| 749608-1 | 3-Major | BT749608 | HTTP Persistence cookies erroneously sent when cookie persistence turned off |
| 748891-3 | 3-Major | BT748891 | Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system. |
| 748182 | 3-Major | BT748182 | pkcs11d error code not logged in logs |
| 746078-3 | 3-Major | BT746078 | Upgrades break existing iRulesLX workspaces that use node version 6 |
| 743900-3 | 3-Major | BT743900 | Custom DIAMETER monitor requests do not have their 'request' flag set |
| 742838-3 | 3-Major | BT742838 | A draft policy of an existing published policy cannot be modified if it is in /Common and used by a virtual server in a different partition |
| 740959-2 | 3-Major | BT740959 | User with manager rights cannot delete FQDN node on non-Common partition |
| 739475-2 | 3-Major | BT739475 | Site-Local IPv6 Unicast Addresses support. |
| 738450-3 | 3-Major | BT738450 | Parsing pool members as variables with IP tuple syntax |
| 738045-10 | 3-Major | BT738045 | HTTP filter complains about invalid action in the LTM log file. |
| 727469-2 | 3-Major | BT727469 | ProxySSL leaks profile reference |
| 726232-2 | 3-Major | BT726232 | iRule drop/discard may crash tmm |
| 726058 | 3-Major | BT726058 | DHCP in forwarding mode decrements the received DHCP client side IP TTL prior to forwarding the packets towards the DHCP server |
| 723306-3 | 3-Major | BT723306 | Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition |
| 723112-6 | 3-Major | BT723112 | LTM policies do not work if a condition has more than 127 matches |
| 722751-1 | 3-Major | BT722751 | VLAN group does not pass OSPF traffic until the first unicast packet is passed |
| 719300 | 3-Major | BT719300 | ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address |
| 718867-2 | 3-Major | BT718867 | tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades ★ |
| 718790-3 | 3-Major | BT718790 | Virtual server reports unavailable and resets connection erroneously. |
| 718288-3 | 3-Major | BT718288 | MCPD might crash on secondary blades when DNSSEC client-facing SOA zone serial not updated |
| 716492-2 | 3-Major | K59332523 , BT716492 | Rateshaper stalls when TSO packet length exceeds max ceiling. |
| 715596-1 | 3-Major | BT715596 | Connections are reset when TCP timestamp mirroring is enabled |
| 715323 | 3-Major | BT715323 | iControl SOAP attribute ssl_profile not supported for in-tmm https monitor |
| 714503-2 | 3-Major | BT714503 | When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl |
| 714495-2 | 3-Major | BT714495 | When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl" |
| 714372-2 | 3-Major | BT714372 | Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari |
| 714292-1 | 3-Major | BT714292 | Transparent forwarding mode across multiple VLAN groups or virtual-wire |
| 713585-3 | 3-Major | K31544054 , BT713585 | When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long |
| 712489-2 | 3-Major | BT712489 | TMM crashes with message 'bad transition' |
| 709963-2 | 3-Major | BT709963 | Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members. |
| 709837-2 | 3-Major | BT709837 | Cookie persistence profile may be configured with invalid parameter combination. |
| 709381 | 3-Major | BT709381 | iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out. |
| 700639-5 | 3-Major | BT700639 | The default value for the syncookie threshold is not set to the correct value |
| 700080-2 | 3-Major | BT700080 | A db var compression.zlibinflateratio.threshold is added to force stopping inflating |
| 698420-1 | 3-Major | BT698420 | SSL handshake fails for some servers if their root certificates are not in the configured CA bundle |
| 696735-1 | 3-Major | BT696735 | TCP ToS Passthrough mode does not work correctly |
| 695109-1 | 3-Major | K15047377 , BT695109 | Changes to fallback persistence profiles attached to a Virtual server are not effective |
| 694697-1 | 3-Major | K62065305 , BT694697 | clusterd logs heartbeat check messages at log level info |
| 690699-2 | 3-Major | BT690699 | Fragmented SSL handshake messages cause Proxy SSL handshake to fail |
| 688140-2 | 3-Major | BT688140 | Forward Proxy SSL server side may send a wrong SNI extension when the client does not send one |
| 687044-3 | 3-Major | BT687044 | tcp-half-open monitors might mark a node up in error |
| 686563-1 | 3-Major | BT686563 | WMI monitor on invalid node never transitions to DOWN |
| 686547-1 | 3-Major | BT686547 | WMI monitor sends logging data for credentials when no credentials specified |
| 686395-1 | 3-Major | BT686395 | With DTLS version 1, when the client hello uses version 1.2, the handshake shall proceed |
| 686101-1 | 3-Major | K73346501 , BT686101 | Creating a pool with a new node always assigns the partition of the pool to that node. |
| 683061-1 | 3-Major | BT683061 | Rapid creation/update/deletion of the same external datagroup may cause core |
| 679687-1 | 3-Major | | LTM Policy applied to a large number of virtual servers causes mcpd restart |
| 678450-6 | 3-Major | BT678450 | No 'F5RST port in use' sent when new connection arrives to port in use with strict preserve. |
| 671261-5 | 3-Major | K32306231 , BT671261 | MCP does not recognize 'Notify Status to Virtual Address' when using 'Selective' setting of ICMP Echo |
| 668459-2 | 3-Major | BT668459 | Asymmetric transparent nexthop traffic only updates ingress interface |
| 655383-3 | 3-Major | BT655383 | Failure to extend database continues to execute rather than halting because of fragmented state. |
| 649275-1 | 3-Major | BT649275 | RSASSA-PSS client certificates support in Client SSL |
| 646440-3 | 3-Major | BT646440 | TMSH allows mirror for persistence even when no mirroring configuration exists |
| 637613-5 | 3-Major | K24133500 , BT637613 | Cluster blade being disabled immediately returns to enabled/green |
| 620053-2 | 3-Major | BT620053 | Gratuitous ARPs may be transmitted by active unit being forced offline |
| 579252-5 | 3-Major | BT579252 | Traffic can be directed to a less specific virtual during virtual modification |
| 558976-3 | 3-Major | BT558976 | Improvement to cause tmm to core when mcpd exits |
| 512490-13 | 3-Major | BT512490 | Increased latency during connection setup when using FastL4 profile and connection mirroring. |
| 505037-3 | 3-Major | K01993279 , BT505037 | Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop |
| 429124-5 | 3-Major | K15069 , BT429124 | ePVA does not work with lasthop pools with only one member |
| 428864-8 | 3-Major | BT428864 | Lowering virtual server connection limit does not work when traffic is being processed |
| 369640-4 | 3-Major | K17195 | iRules might return incorrect data when multiple partitions and/or folders contain objects with the same name |
| 315765-4 | 3-Major | BT315765 | The BIG-IP system erroneously performs a SNAT translation after the SNAT translation address has been disabled. |
| 1097473-1 | 3-Major | BT1097473 | BIG-IP transmits packets with incorrect content |
| 1091785-5 | 3-Major | BT1091785 | DBDaemon restarts unexpectedly and/or fails to restart under heavy load |
| 1090025 | 3-Major | BT1090025 | TMM may crash when a virtual server with an HTTP profile and analytics enabled handles a specific type of traffic |
| 1088597-5 | 3-Major | BT1088597 | TCP keepalive timer can be immediately re-scheduled in rare circumstances |
| 1087569-1 | 3-Major | BT1087569 | Changing max header table size according to the HTTP2 profile value may cause stream/connection to terminate |
| 1086473-5 | 3-Major | BT1086473 | BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake |
| 1085541 | 3-Major | BT1085541 | Reload of RULE_INIT destroys TMM local data structures |
| 1083989-4 | 3-Major | BT1083989 | TMM may restart if abort arrives during MBLB iRule execution |
| 1083621-2 | 3-Major | BT1083621 | The virtio driver uses an incorrect packet length |
| 1082225-1 | 3-Major | BT1082225 | Tmm may core while Adding/modifying traffic-class attached to a virtual server. |
| 1079769-2 | 3-Major | BT1079769 | Tmm utilizing the virtio driver might crash after modifying several IPv6 virtual servers |
| 1079237-4 | 3-Major | BT1079237 | After certain configuration tasks are performed, TMM may run with stale SNAT translation parameters. |
| 1075045-4 | 3-Major | BT1075045 | Proxy initialization failed, Defaulting to DENY, after applying additional profile to a virtual server |
| 1068445-4 | 3-Major | BT1068445 | TCP duplicate acks are observed in speed tests for larger requests |
| 1067469-1 | 3-Major | BT1067469 | Discrepancy in virtual server stats with LRO enabled. |
| 1065013-1 | 3-Major | BT1065013 | Tmm crash with iRules LX plugin in use |
| 1063865-3 | 3-Major | BT1063865 | Blade remains in an INOPERATIVE state after being moved to new chassis. |
| 1063453-4 | 3-Major | BT1063453 | FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets. |
| 1059573-1 | 3-Major | BT1059573 | Variation in a case insensitive value of an operand in LTM policy may fail in some rules. |
| 1056401-1 | 3-Major | BT1056401 | Valid clients connecting under active syncookie mode might experience latency. |
| 1053869 | 3-Major | BT1053869 | After a Self-IP undergoes a valid address change, its port-lockdown settings are lost. |
| 1053741-1 | 3-Major | BT1053741 | Bigd may exit and restart abnormally without logging a reason |
| 1053149-4 | 3-Major | BT1053149 | A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received. |
| 1051153-1 | 3-Major | BT1051153 | DHCP fails intermittently when the connection is through BIG-IP. |
| 1046717-2 | 3-Major | BT1046717 | Tmm crash when utilizing one-connect with inband monitors and ECMP or pool routes. |
| 1043017-1 | 3-Major | BT1043017 | Virtual-wire with standard-virtual fragmentation |
| 1043009-1 | 3-Major | BT1043009 | TMM dump capture for compression engine hang |
| 1040957-4 | 3-Major | BT1040957 | The ipother profile can be used with incompatible profiles in a virtual server |
| 1040465-1 | 3-Major | BT1040465 | Incorrect SNAT pool is selected |
| 1040017-1 | 3-Major | BT1040017 | Final ACK validation during flow accept might fail with hardware SYN Cookie |
| 1039277-1 | 3-Major | BT1039277 | TMM core |
| 1037645-5 | 3-Major | BT1037645 | TMM may crash under memory pressure when using iRule 'AES::key' command |
| 1036169-1 | 3-Major | BT1036169 | VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500". |
| 1036093-1 | 3-Major | BT1036093 | Tmm sends out neighbor advertisements for the link local addresses even if IPv6 is disabled |
| 1033537-1 | 3-Major | BT1033537 | Cookie persistence profile only examines the first cookie. |
| 1029069-4 | 3-Major | | Non-ASCII characters are not displayed correctly. |
| 1025089-5 | 3-Major | BT1025089 | Pool members marked down by database monitor due to stale cached connection |
| 1018765-4 | 3-Major | BT1018765 | Changing the sshd port breaks some BIG-IP utilities on a multi-bladed system |
| 1017885-2 | 3-Major | BT1017885 | Wildcard server-name does not match multiple labels in FQDN |
| 1017721-1 | 3-Major | BT1017721 | WebSocket does not close cleanly when SSL enabled. |
| 1017421-1 | 3-Major | BT1017421 | SASP Monitor does not log significant error conditions at default logging level |
| 1017029-1 | 3-Major | BT1017029 | SASP monitor does not identify specific cause of failed SASP Registration attempt |
| 1016921-2 | 3-Major | BT1016921 | SSL Connection mirroring - session resumption does not occur on standby when the session ticket is enabled |
| 1016589-5 | 3-Major | BT1016589 | Incorrect expression in STREAM::expression might cause a tmm crash |
| 1015817-5 | 3-Major | BT1015817 | Flows rejected due to no return route do not increment rejection stats |
| 1014633-1 | 3-Major | BT1014633 | Transparent / gateway monitors may fail if there is no route to a node |
| 1013209-4 | 3-Major | BT1013209 | BIG-IP components relying on ca-bundle.crt may stop working after upgrade ★ |
| 1012813-5 | 3-Major | BT1012813 | Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file" |
| 1010209-5 | 3-Major | BT1010209 | BIG-IP configuration allows literal CR and LF characters in LTM monitor send and recv strings |
| 1006845 | 3-Major | BT1006845 | Modifying the default clientssl profile to use a cipher group causes configuration load to fail |
| 1006157-4 | 3-Major | BT1006157 | FQDN nodes not repopulated immediately after 'load sys config' |
| 1004897-2 | 3-Major | BT1004897 | 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason |
| 1004689-1 | 3-Major | BT1004689 | TMM might crash when pool routes with recursive nexthops and reselect option are used. |
| 1004609-2 | 3-Major | | SSL forward proxy virtual server may set empty SSL session_id in server hello. |
| 1004445-2 | 3-Major | BT1004445 | Warning not generated when maximum prefix limit is exceeded. |
| 1000561-1 | 3-Major | BT1000561 | Chunk size incorrectly passed to client-side |
| 999709-2 | 4-Minor | BT999709 | iRule 'pool'/'virtual' commands not triggered in CLIENT_ACCEPTED with HTTP/2. |
| 990173-5 | 4-Minor | BT990173 | Dynconfd repeatedly sends the same mcp message to mcpd |
| 987885-2 | 4-Minor | BT987885 | Half-open unclean SSL termination might not close the connection properly |
| 982993-2 | 4-Minor | BT982993 | Gateway ICMP monitors with IPv6 destination and IPV6 transparent nexthop might fail |
| 962181-4 | 4-Minor | BT962181 | iRule POLICY command fails in server-side events |
| 956025-4 | 4-Minor | BT956025 | HTTP profile response-chunking "unchunk" option does not remove Content-Length from response header |
| 950729-1 | 4-Minor | BT950729 | URI::basename iRule command may include the semicolon and additional characters. |
| 932553-2 | 4-Minor | BT932553 | An HTTP request is not served when a remote logging server is down |
| 931469-4 | 4-Minor | BT931469 | Redundant socket close when half-open monitor pings |
| 929429-5 | 4-Minor | BT929429 | Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed |
| 922005-6 | 4-Minor | BT922005 | Stats on a certain counter for web-acceleration profile may show excessive value |
| 921477-5 | 4-Minor | BT921477 | Health monitors may fail when the HTTP RFC Compliance option is enabled in a dual BIG-IP setup. |
| 915853 | 4-Minor | BT915853 | BIG-IP generates duplicated ACK after SSL Handshake when SSL Session reused |
| 911853-3 | 4-Minor | BT911853 | Stream filter chunk-size limits filter to a single match per ingress buffer |
| 910965-4 | 4-Minor | BT910965 | Overflow of Multicast table filling the tmm log |
| 904537-5 | 4-Minor | BT904537 | The csyncd process may keep trying to sync the GeoIP database to a secondary blade |
| 901485-4 | 4-Minor | BT901485 | HTTP_RESPONSE_RELEASE is not raised for HTTP early response |
| 898753-2 | 4-Minor | BT898753 | Multicast control-plane traffic requires handling with AFM policies |
| 898201-5 | 4-Minor | BT898201 | Fqdn nodes are not getting populated after BIG-IP reboot when DNS server is accessed through a local virtual server. |
| 880697-5 | 4-Minor | BT880697 | URI::query command returning fragment part, instead of query part |
| 844337-1 | 4-Minor | BT844337 | Tcl error log improvement for node command |
| 838305-2 | 4-Minor | BT838305 | BIG-IP may create multiple connections for packets that should belong to a single flow. |
| 834217-3 | 4-Minor | BT834217 | Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window. |
| 832233-4 | 4-Minor | BT832233 | The iRule regexp command issues an incorrect warning |
| 829021-5 | 4-Minor | BT829021 | BIG-IP does not account for the presence of an HTTP/2 profile when response payload is modified |
| 822245-6 | 4-Minor | BT822245 | Large number of in-TMM monitors results in some monitors being marked down |
| 812377 | 4-Minor | BT812377 | The rate class feature does not honor the Burst Size setting. |
| 807397-1 | 4-Minor | BT807397 | iRules ending with a comment cause config verification to fail |
| 804157-2 | 4-Minor | BT804157 | ICMP replies are forwarded with incorrect checksums causing them to be dropped |
| 795345 | 4-Minor | BT795345 | SSL connection terminated is logged for each SSL connection |
| 789225-1 | 4-Minor | BT789225 | TMSTAT CPU usage and output from top do not agree |
| 787905-2 | 4-Minor | BT787905 | Improve initializing TCP analytics for FastL4 |
| 774173-1 | 4-Minor | BT774173 | WebUI - Cipher Group preview causes high availability (HA) sync state to become Changes Pending |
| 772297-3 | 4-Minor | BT772297 | LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade |
| 760590-1 | 4-Minor | BT760590 | TCP Verified-Accept with proxy-mss enabled does not honor the route-metrics cache when sending the SYN to the server |
| 758435-4 | 4-Minor | BT758435 | Ordinal values in LTM policy rules sometimes do not work as expected ★ |
| 756443 | 4-Minor | BT756443 | GUI cannot edit ILX workspace/extension objects with certain non-alphanumeric characters. |
| 748333-1 | 4-Minor | BT748333 | DHCP Relay does not retain client source IP address for chained relay mode |
| 743253-4 | 4-Minor | BT743253 | TSO in software re-segments L3 fragments. |
| 743116-2 | 4-Minor | BT743116 | Chunked responses may be incorrectly handled by HTTP/2 |
| 742603-3 | 4-Minor | BT742603 | WebSocket Statistics are updated to differentiate between client and server sides |
| 722534-3 | 4-Minor | BT722534 | load sys config merge not supported for iRulesLX |
| 702281-1 | 4-Minor | BT702281 | OneConnect header transformations may cause some Websocket connections to reset. |
| 699076-1 | 4-Minor | BT699076 | URI::path iRules command warns end and start values equal |
| 680680-1 | 4-Minor | BT680680 | The POP3 monitor used to send STAT command on v10.x, but now sends LIST command |
| 592503-1 | 4-Minor | BT592503 | TMM 'timer' device does not report 'busy' for non-priority timers. |
| 544958-3 | 4-Minor | BT544958 | Monitors packets are sent even when pool member is 'Forced Offline'. |
| 470807-2 | 4-Minor | BT470807 | iRule data-groups are not checked for existence |
| 463214 | 4-Minor | BT463214 | The COMPAT SSL stack does not support connection mirroring |
| 370573-1 | 4-Minor | | iRule STREAM command internal error causes connection drop |
| 1093545-1 | 4-Minor | BT1093545 | Attempts to create illegal virtual-server may lead to mcpd crash. |
| 1067025-1 | 4-Minor | BT1067025 | Rate-shaping + immediate timeout causing connection to stall. |
| 1064725-1 | 4-Minor | BT1064725 | False-alarm message in the ltm log reporting the CHMAN request for tag:19 as failed. |
| 1064669-4 | 4-Minor | BT1064669 | Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash. |
| 1045913-5 | 4-Minor | BT1045913 | COMPRESS::disable/COMPRESS::enable don't work reliably for selective compression |
| 1037153-5 | 4-Minor | BT1037153 | iRule "log" command to remote destinations may cause TMM to leak memory |
| 1035757-1 | 4-Minor | BT1035757 | iRulesLX restart leaves stale files in /var/tmstat/blade/tmplugin_ilx_* |
| 1034865-5 | 4-Minor | BT1034865 | CACHE::enable failed on private/no-store content |
| 1030533-4 | 4-Minor | BT1030533 | The BIG-IP system may reject valid HTTP responses from OCSP servers. |
| 1027805-1 | 4-Minor | BT1027805 | DHCP flows crossing route-domain boundaries might fail. |
| 1016045-1 | 4-Minor | BT1016045 | OOPS logging may appear during active FTP if the PORT command forces a cmp_redirection and a QUIT follows. |
| 1015793-4 | 4-Minor | BT1015793 | Length value returned by TCP::payload is signed and can appear negative |
| 1015117-1 | 4-Minor | BT1015117 | Headers are corrupted during modification/insertion if a mix of end-of-line markers <CRLF> and <LF> are used |
| 1013937-4 | 4-Minor | BT1013937 | In-TMM HTTP and HTTPS monitors require RFC-compliant send strings to work. |
| 1011889-2 | 4-Minor | BT1011889 | The BIG-IP system does not handle DHCPv6 fragmented traffic properly |
| 1004953-1 | 4-Minor | BT1004953 | HTTP does not fall back to HTTP/1.1 ★ |
| 979213-4 | 5-Cosmetic | BT979213 | Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM. |
| 897437-2 | 5-Cosmetic | BT897437 | First retransmission might happen after syn-rto-base instead of minimum-rto. |
Performance Issues
| ID Number | Severity | Links to More Info | Description |
| 682209 | 2-Critical | BT682209 | Per Request Access Policy subroutine performance down by about 7% |
| 1004633-5 | 2-Critical | BT1004633 | Performance degradation on KVM and VMware platforms. |
| 747960 | 4-Minor | BT747960 | BIG-IP VE with 1nic does not handle fragmented traffic to webui or ssh properly |
Global Traffic Manager (DNS) Issues
| ID Number | Severity | Links to More Info | Description |
| 933405-4 | 1-Blocking | K34257075 , BT933405 | Zonerunner GUI hangs when attempting to list Resource Records |
| 993921-5 | 2-Critical | BT993921 | TMM SIGSEGV |
| 940733-1 | 2-Critical | K29290121 , BT940733 | Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt ★ |
| 913729-3 | 2-Critical | BT913729 | Support for DNSSEC Lookaside Validation (DLV) has been removed. |
| 887681-1 | 2-Critical | BT887681 | Tmm SIGSEGV in rrset_array_lock,services/cache/rrset.c |
| 788465-4 | 2-Critical | BT788465 | DNS cache idx synced across HA group could cause tmm crash |
| 737726-2 | 2-Critical | BT737726 | If named is restarted and zrd is not restarted, ZoneRunner can lose contact with the DNS server daemon |
| 722741-3 | 2-Critical | BT722741 | Damaged tmm dns db file causes zxfrd/tmm core |
| 705869-5 | 2-Critical | BT705869 | TMM crashes as a result of repeated loads of the GEOIP database |
| 698050-1 | 2-Critical | BT698050 | Under certain extreme conditions, big3d may core |
| 675731-1 | 2-Critical | BT675731 | Certain types of GTM Pools not displaying while listing WideIPs |
| 264701-2 | 2-Critical | K10066 | GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608) |
| 1031945-1 | 2-Critical | BT1031945 | DNS cache configured and tmm stuck in 'not ready' state indefinitely after TMM restart or reboot ★ |
| 1027657-1 | 2-Critical | BT1027657 | Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules. |
| 994221-5 | 3-Major | BT994221 | ZoneRunner returns error 'Resolver returned no such record' |
| 990929-5 | 3-Major | BT990929 | Status of GTM monitor instance is constantly flapping |
| 987709-1 | 3-Major | BT987709 | Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition |
| 977113-3 | 3-Major | BT977113 | Unable to configure dependency for GTM virtual server if pool member dependency exists |
| 973341-5 | 3-Major | BT973341 | Customized device certs will break scripts relying on /config/httpd/conf/ssl.crt/server.crt |
| 969553-4 | 3-Major | BT969553 | A DNS Cache (or Network DNS Resolver) returns SERVFAIL to some queries. |
| 967737-5 | 3-Major | BT967737 | DNS Express: SOA stops showing up in statistics from second zone transfer |
| 966461-1 | 3-Major | BT966461 | Tmm leaks memory after each DNSSEC query when netHSM is not connected |
| 965053-5 | 3-Major | BT965053 | [Regression of ID787881 & ID761032] DNSX fails to sign zone transfer using tsig key after failure |
| 958325-4 | 3-Major | BT958325 | Updating DNS pool monitor via transaction leaves dangling monitor_rule in MCP DB |
| 958157-1 | 3-Major | BT958157 | Hash collisions in fastDNS packet processing |
| 940469-3 | 3-Major | BT940469 | Unsupported option in /etc/resolv.conf causes failure to sync DNS Zone configuration |
| 936777-5 | 3-Major | BT936777 | Old local config is synced to other devices in the sync group. |
| 926593-4 | 3-Major | BT926593 | GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout' |
| 920817-3 | 3-Major | BT920817 | Wide IP operations performed in quick succession result in missing resource records and out of sync journals. |
| 918693-2 | 3-Major | BT918693 | Wide IP alias validation error during sync or config load |
| 912761-5 | 3-Major | BT912761 | Link throughput statistics are different |
| 911241-3 | 3-Major | BT911241 | The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug |
| 903521-5 | 3-Major | BT903521 | TMM fails to sign responses from BIND when BIND has 'dnssec-enable no' |
| 899253-3 | 3-Major | BT899253 | [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist |
| 890285-2 | 3-Major | BT890285 | DNS resolver cannot forward DNS query to local IPv6 virtual server |
| 880125-1 | 3-Major | BT880125 | WideIP (A) created together with aliases (CNAME) causes missing A records in ZoneRunner |
| 879301-4 | 3-Major | BT879301 | When importing a BIND zone file, SRV/DNAME/NAPTR RRs do not have correct $ORIGIN appended |
| 879169-4 | 3-Major | BT879169 | RESOLV::lookup @<virtual server name> may not work ★ |
| 851341-1 | 3-Major | BT851341 | DNS cache responds with records exceeding cache-maximum-ttl for multiple TMMs |
| 813221-4 | 3-Major | BT813221 | Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync |
| 795633-4 | 3-Major | BT795633 | GUI and REST API unable to add virtual servers containing a space in the name to a pool |
| 789421-1 | 3-Major | BT789421 | Resource-administrator cannot create GTM server object through GUI |
| 779793-3 | 3-Major | BT779793 | [LC] Error Message "Cannot modify the destination address of monitor" for destination * bigip_link monitor |
| 779185-4 | 3-Major | BT779185 | Forward zone deleted when wideip updated |
| 774225-1 | 3-Major | BT774225 | mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting |
| 760615-4 | 3-Major | BT760615 | Virtual Server discovery may not work after a GTM device is removed from the sync group |
| 756177-1 | 3-Major | BT756177 | GTM marks pool members down across datacenters |
| 751540-1 | 3-Major | BT751540 | GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server |
| 746719-3 | 3-Major | BT746719 | SERVFAIL when attempting to view or edit NS resource records in zonerunner |
| 745035-1 | 3-Major | BT745035 | gtmd crash |
| 744787-2 | 3-Major | K04201069 , BT744787 | Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias |
| 739553-3 | 3-Major | BT739553 | Setting large number for Wide IP Persistence TTL breaks Wide IP persistence |
| 737529-2 | 3-Major | BT737529 | [GTM] load or save configs removes backslash \ from GTM pool member name |
| 723095-2 | 3-Major | BT723095 | tmsh "modify gtm pool <type> all ... " commands fail |
| 722734-1 | 3-Major | BT722734 | 'No Access' error when viewing properties page of a GTM Pool member whose name includes a partition that does not exist on that BIG-IP system. |
| 718230-2 | 3-Major | BT718230 | Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented |
| 716701-1 | 3-Major | BT716701 | In iControl REST: Unable to create Topology when STATE name contains space |
| 714507-2 | 3-Major | BT714507 | [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server |
| 712500-1 | 3-Major | BT712500 | Unhandled Query Action Drops Stat does not increment after transparent cache miss |
| 701232-2 | 3-Major | BT701232 | Two-way iQuery connections fail to get established between GTM devices with the same address on different networks connected through address translation |
| 698211-1 | 3-Major | K35504512 , BT698211 | DNS express response to non-existent record is NOERROR instead of NXDOMAIN. |
| 688335-5 | 3-Major | K00502202 , BT688335 | Big3d may restart in a loop on secondary blades of a chassis system |
| 679316-5 | 3-Major | BT679316 | iQuery connections reset during SSL renegotiation |
| 665117-9 | 3-Major | K33318158 , BT665117 | DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping |
| 627760-5 | 3-Major | BT627760 | Gtm_add operation does not retain same-name DNSSEC keys after synchronizing the FIPS card |
| 222220-2 | 3-Major | K11931 | Distributed application statistics are not passed correctly. |
| 1091249-5 | 3-Major | BT1091249 | BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address. |
| 1083405-4 | 3-Major | BT1083405 | "Error connecting to named socket" from zrd |
| 1082197-4 | 3-Major | BT1082197 | RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response |
| 1076401-1 | 3-Major | BT1076401 | Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec. |
| 1075469-4 | 3-Major | BT1075469 | DNS GUI: Refreshing a DNS Express record sometimes fails to populate the server. |
| 1071301-4 | 3-Major | BT1071301 | GTM server does not get updated even when the virtual server status changes. |
| 1071233-4 | 3-Major | BT1071233 | GTM Pool Members may not be updated accurately when multiple identical database monitors are configured |
| 1070953-1 | 3-Major | BT1070953 | Dnssec zone transfer could cause numerous gtm sync events. |
| 1070357 | 3-Major | BT1070357 | GSLB monitors fail to work if Max Synchronous Monitor Requests Number is hit. |
| 1067309-4 | 3-Major | BT1067309 | GTMD cored followed by TMM core SIGSEGV due to illegal GTM server reference. |
| 1066397-4 | 3-Major | BT1066397 | GTM persists to last resort pool members even when primary pool members become available. |
| 1064205-4 | 3-Major | | GSLB virtual server's status can't be changed from the drop-down selection box on its properties page. |
| 1044873-4 | 3-Major | BT1044873 | Deleted GTM link is not removed from virtual server object and causes load failure. |
| 1041625-1 | 3-Major | BT1041625 | Virtual server flapping when the active and standby devices have different configuration. |
| 1033897-3 | 3-Major | BT1033897 | DNSSEC keys generated independently are still in use after GTM sync |
| 1030237-4 | 3-Major | BT1030237 | Zxfrd core and continual restart when out of configured space |
| 1024905-4 | 3-Major | BT1024905 | GTM monitor times out if monitoring a virtual server with translation address |
| 1003233-4 | 3-Major | BT1003233 | SNMP Polling can cause inconsistencies in gtm link stats. |
| 1001101-5 | 3-Major | BT1001101 | Cannot update/display GTM/DNS listener route advertisement correctly |
| 996261-5 | 4-Minor | BT996261 | Zrd in restart loop with empty named.conf |
| 995369-5 | 4-Minor | BT995369 | DNSSEC manual key created with other algorithms ends up using RSA/SHA1 algorithm |
| 959613-5 | 4-Minor | BT959613 | SIP/HTTPS monitor attached to generic-host virtual server and pool shows 'blank' reason |
| 947217-2 | 4-Minor | BT947217 | Fix of ID722682 prevents GTM config load when the virtual server name contains a colon ★ |
| 889801-4 | 4-Minor | BT889801 | Total Responses in DNS Cache stats does not increment when an iRule suspending command is present under DNS_RESPONSE. |
| 885201-4 | 4-Minor | BT885201 | BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session' messages appearing in gtm log |
| 839361-2 | 4-Minor | BT839361 | iRule 'drop' command does not drop packets when used in DNS_RESPONSE |
| 822393-1 | 4-Minor | BT822393 | Prober pool selected on server or data center not being displayed after selection in Internet Explorer |
| 790113-3 | 4-Minor | BT790113 | Cannot remove all wide IPs from GTM distributed application via iControl REST |
| 775801-4 | 4-Minor | BT775801 | [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener |
| 755282-3 | 4-Minor | BT755282 | [GTM] bigip_add password prompt for IPv4-mapped IPv6 address |
| 752216-4 | 4-Minor | K33587043 , BT752216 | DNS queries without the RD bit set may generate responses with the RD bit set |
| 708680-5 | 4-Minor | BT708680 | TMUI is unable to change the Alias Address of DNS/GTM Monitors |
| 688266-5 | 4-Minor | BT688266 | big3d and big3d_install use different logics to determine which version of big3d is newer |
| 464708-4 | 4-Minor | BT464708 | DNS logging does not support Splunk format log |
| 1026813-3 | 4-Minor | BT1026813 | LCD IP address is missing from /etc/hosts on iSeries |
| 985001-1 | 5-Cosmetic | BT985001 | Taiwan, Hong Kong, and Macau Are Defined As Countries in DNS/GTM Topology Definition |
| 774257-1 | 5-Cosmetic | BT774257 | tmsh show gtm pool and tmsh show gtm wideip print duplicate object types |
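Row 752216-4 above describes a listener answering with the RD (recursion desired) bit set although the query had it clear. RFC 1035 section 4.1.1 says RD is set by the querier and copied into the response, so a mismatch is detectable from the 12-byte header alone. The following Python is an example added here, not code from F5 or from this page; it builds a query with RD clear, parses the header of both messages and reports whether the response echoes RD correctly. The packets are constructed inline rather than captured from a BIG-IP; to check a real listener, replace the constructed response with the bytes a UDP socket returns for `build_query(...)`.

```python
import struct

# Bit masks for the DNS header FLAGS field (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000  # 0 = query, 1 = response
FLAG_RD = 0x0100  # recursion desired; copied from query into response
FLAG_RA = 0x0080  # recursion available; set only by the responder
RCODE_MASK = 0x000F


def _encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, qname: str, rd: bool) -> bytes:
    """Constructed A/IN query with QR=0, OPCODE=0 and RD set or clear as requested."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query: bytes, rd: bool, ra: bool = True) -> bytes:
    """Constructed response to `query`: echoes the question and adds one A record.

    `rd` is passed explicitly so the caller can model a responder that copies the
    query's RD bit (correct) or one that sets it unconditionally (the bug above).
    """
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | (FLAG_RD if rd else 0) | (FLAG_RA if ra else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = query[12:]
    # Answer: compression pointer to the question name at offset 12, type A,
    # class IN, TTL 60, RDLENGTH 4, address 192.0.2.1 (TEST-NET-1, sample only).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def parse_header(pkt: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into the fields this check needs."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd,
        "ancount": an,
    }


def rd_echo_mismatch(query: bytes, response: bytes) -> bool:
    """True when the response's RD bit differs from the query's RD bit.

    Raises if the two messages are not a query/response pair with matching IDs,
    so a stray packet is never silently reported as a clean result.
    """
    q, r = parse_header(query), parse_header(response)
    if q["qr"] or not r["qr"] or q["id"] != r["id"]:
        raise ValueError("not a matching query/response pair")
    return q["rd"] != r["rd"]


if __name__ == "__main__":
    q = build_query(0x1234, "example.com", rd=False)
    print("correct responder mismatch:", rd_echo_mismatch(q, build_response(q, rd=False)))
    print("buggy responder mismatch:  ", rd_echo_mismatch(q, build_response(q, rd=True)))
```

Both the correct and the buggy responder are modelled by `build_response`, which lets the check be exercised offline; the check itself only needs the header bytes, so it works on any packet bytes regardless of how the answer section is encoded.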
Application Security Manager Issues
| ID Number | Severity | Links to More Info | Description |
| 947373-1 | 2-Critical | BT947373 | BD sometimes crashes when handling HTTP traffic |
| 887621-5 | 2-Critical | BT887621 | ASM virtual server names configuration CRC collision is possible |
| 884945-4 | 2-Critical | BT884945 | Latency reduction in case of empty parameters. |
| 865461-4 | 2-Critical | BT865461 | BD crash on specific scenario |
| 790349-1 | 2-Critical | BT790349 | merged crash with a core file |
| 725887-1 | 2-Critical | BT725887 | BD crash on specific scenario |
| 674903-2 | 2-Critical | K32302399 , BT674903 | TMM halts and restarts in response to certain requests. |
| 1068237-4 | 2-Critical | BT1068237 | Some attack signatures added to policies are not used. |
| 1050089-1 | 2-Critical | | TMM crash in certain cases |
| 1015881-2 | 2-Critical | BT1015881 | TMM might crash after configuration failure |
| 1000789 | 2-Critical | BT1000789 | ASM-related iRule keywords may not work as expected |
| 997417 | 3-Major | BT997417 | Live Update via HTTPS Proxy No Longer Works |
| 995889-4 | 3-Major | BT995889 | Username/Password JSON elements of login page detected as case sensitive when the policy is configured as case insensitive |
| 974985-5 | 3-Major | | Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable |
| 974513-4 | 3-Major | BT974513 | Dropped requests are reported as blocked in Reporting/charts |
| 966633-4 | 3-Major | BT966633 | Policy entity search with non-ASCII value filter returns no results in REST/GUI in non-UTF-8 policies |
| 966613-2 | 3-Major | BT966613 | Cannot create XML profile based on WSDL when the WSDL contains an empty soap:address; error "Column 'object_uri' cannot be null" |
| 962493-2 | 3-Major | | Request is not logged |
| 962489-2 | 3-Major | | False positive enforcement of parameters with specific configuration |
| 959965-5 | 3-Major | | Asmlogd stops deleting old protobufs |
| 959957-5 | 3-Major | BT959957 | Asmlogd stops deleting old protobufs |
| 948805-4 | 3-Major | BT948805 | False positive "Null in Request" |
| 923221-5 | 3-Major | BT923221 | BD does not use all the CPU cores |
| 920961-4 | 3-Major | BT920961 | Devices incorrectly report 'In Sync' after an incremental sync |
| 905681-1 | 3-Major | BT905681 | Incorrect enforcement of policy parameters |
| 904133-3 | 3-Major | BT904133 | Creating a user-defined signature via iControl REST occasionally fails with a 400 response code |
| 898825-5 | 3-Major | BT898825 | Attack signatures are enforced on excluded headers under some conditions |
| 886533-6 | 3-Major | BT886533 | Icap server connection adjustments |
| 874185-4 | 3-Major | BT874185 | Incorrect Alarm/Block flags displayed for Signature with previously enforced rule |
| 868721-4 | 3-Major | BT868721 | Transactions are held for a long time on specific server related conditions |
| 867777-1 | 3-Major | BT867777 | Remote syslog server cannot parse violation detail buffers as UTF-8. |
| 867373-1 | 3-Major | BT867373 | Methods Missing From ASM Policy |
| 864677-4 | 3-Major | BT864677 | ASM causes high mcpd CPU usage |
| 863609-1 | 3-Major | BT863609 | Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies |
| 853989-5 | 3-Major | BT853989 | DOSL7 Logs breaks CEF connector by populating strings into numeric fields |
| 850677-1 | 3-Major | BT850677 | Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy |
| 832205-1 | 3-Major | BT832205 | ASU cannot be completed after Signature Systems database corruption following binary Policy import |
| 831661-4 | 3-Major | BT831661 | ASMConfig Handler undergoes frequent restarts |
| 829029-2 | 3-Major | BT829029 | Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error |
| 809125-3 | 3-Major | BT809125 | CSRF false positive |
| 797813 | 3-Major | BT797813 | TMM memory grows on custom bot signature with empty domain |
| 793149-2 | 3-Major | BT793149 | Adding the Strict-transport-Policy header to internal responses |
| 785529-3 | 3-Major | BT785529 | ASM unable to handle ICAP responses whose length is greater than 10K |
| 781021-3 | 3-Major | BT781021 | ASM modifies cookie header causing it to be non-compliant with RFC6265 |
| 772473-1 | 3-Major | BT772473 | Request reconstruct issue after challenge |
| 761565-3 | 3-Major | BT761565 | ASM BD core when a custom CAPTCHA page larger than 45K has the %ASM.captcha.support_id% placeholder at the end |
| 760949 | 3-Major | BT760949 | Empty hostname in remote log after modification |
| 759462-2 | 3-Major | BT759462 | Site names and vulnerabilities cannot be retrieved from WhiteHat server |
| 753711-2 | 3-Major | BT753711 | Copied policy does not retain signature staging |
| 745324-2 | 3-Major | BT745324 | MCP crash or blocked for a long time when loading configuration |
| 739437-1 | 3-Major | BT739437 | null in request causes parameters violation to be skipped |
| 738789-2 | 3-Major | BT738789 | ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog |
| 718232-2 | 3-Major | BT718232 | Some FTP servers may cause false positive for ftp_security |
| 716324-2 | 3-Major | BT716324 | CSRF protection fails when the total size of the configured URL list is more than 2 KB |
| 711818-3 | 3-Major | BT711818 | Connection might get reset when coming to virtual server with offload iRule |
| 703678-1 | 3-Major | BT703678 | Cannot add 'secure' attributes to several ASM cookies |
| 701025-2 | 3-Major | BT701025 | BD restart on a device where 'provision.tmmcountactual' is set to a non-default value |
| 698361-1 | 3-Major | BT698361 | The ASM-FPS fingerprint is not presented in dashboard |
| 694934-1 | 3-Major | BT694934 | bd crashes on a very specific and rare scenario |
| 694657-1 | 3-Major | BT694657 | ASM GUI displaying inconsistent policy sync version information |
| 689982-3 | 3-Major | BT689982 | FTP Protocol Security breaks FTP connection |
| 679819-1 | 3-Major | BT679819 | Some requests or some request details may not be seen in exported request |
| 667414-1 | 3-Major | BT667414 | JSON learning of parameters in WebSocket context is not working |
| 640842-1 | 3-Major | BT640842 | ASM end user using mobile might be blocked when CSRF is enabled |
| 562356-1 | 3-Major | BT562356 | ASM config synchronization stops working |
| 1085661-5 | 3-Major | BT1085661 | Standby system saves config and changes status after sync from peer |
| 1083913-4 | 3-Major | BT1083913 | Missing error check in ICAP handling |
| 1082461-5 | 3-Major | BT1082461 | The enforcer cores during a call to 'ASM::raise' from an active iRule |
| 1078765-4 | 3-Major | BT1078765 | Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer. |
| 1070073-2 | 3-Major | | ASM Signature Set accuracy filter is wrong on GUI. |
| 1069137-5 | 3-Major | BT1069137 | Missing AWAF sync diagnostics |
| 1069133-1 | 3-Major | BT1069133 | ASMConfig memory leak. |
| 1069113-4 | 3-Major | BT1069113 | ASM process watchdog should be less aggressive. |
| 1062493-4 | 3-Major | BT1062493 | BD crash close to its startup |
| 1061617-1 | 3-Major | | Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters". |
| 1058597-1 | 3-Major | BT1058597 | Bd crash on first request after system recovery. |
| 1057557-2 | 3-Major | BT1057557 | Exported policy has greater-than sign '>' not escaped to '&gt;' within the response_html_code tag. |
| 1056957-5 | 3-Major | BT1056957 | An attack signature can be bypassed under some scenarios. |
| 1051589-4 | 3-Major | | Missing configuration after upgrade ★ |
| 1048949-5 | 3-Major | BT1048949 | TMM xdata leak on websocket connection with asm policy without websocket profile |
| 1036969-5 | 3-Major | BT1036969 | Chrome sometimes ignores cross-site bot-defense cookies |
| 1036057-4 | 3-Major | BT1036057 | Add support for line folding in multipart parser. |
| 1033017-6 | 3-Major | BT1033017 | Policy changes learning mode to automatic after upload and sync |
| 1031461-6 | 3-Major | | Session awareness entries aren't mirrored to both sides of an active-active deployment. |
| 1030133-5 | 3-Major | BT1030133 | BD core on XML out of memory |
| 1029989-4 | 3-Major | | CORS: default port of the Origin header is set to 80, even when the protocol in the header is https |
| 1029373-7 | 3-Major | BT1029373 | Firefox 88+ raising Suspicious browser violations with bot defense |
| 1028473-4 | 3-Major | | URL sent with trailing slash might not be matched in ASM policy |
| 1023889-4 | 3-Major | BT1023889 | HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message |
| 1021609-4 | 3-Major | BT1021609 | Improve matching of URLs with specific characters to a policy. |
| 1017261-3 | 3-Major | BT1017261 | Configuration update triggers from MCP to ASM are ignored |
| 1011093-1 | 3-Major | BT1011093 | Remote log messages are separated into 2 lines if max_request_size limit falls exactly on \n char. |
| 945821-4 | 4-Minor | BT945821 | Remote logging conditions adjustments |
| 896285-5 | 4-Minor | BT896285 | No parent entity in suggestion to add predefined-filetype as allowed filetype |
| 864617 | 4-Minor | BT864617 | Violation Occurrences section of event logs missing info |
| 853049-1 | 4-Minor | BT853049 | Facility of Event Log profile is getting reset |
| 841985-1 | 4-Minor | BT841985 | TSUI GUI stuck for the same session during long actions |
| 795769-1 | 4-Minor | BT795769 | Incorrect value of Systems in system-supplied signature sets |
| 757486-4 | 4-Minor | BT757486 | Errors in IE11 console appearing with Bot Defense profile |
| 746984-3 | 4-Minor | BT746984 | False positive evasion violation |
| 737476 | 4-Minor | BT737476 | End users using virtual keyboard might be blocked during clientside features |
| 720581-2 | 4-Minor | BT720581 | Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files |
| 708576-2 | 4-Minor | BT708576 | Errors related to dosl7d_tcpdumps_cleaner appearing in email every hour |
| 699898-2 | 4-Minor | BT699898 | Wrong policy version time in policy created after synchronization between active and standby machines. |
| 688833-3 | 4-Minor | BT688833 | Inconsistent XFF field in ASM log depending on violation category |
| 652793-1 | 4-Minor | BT652793 | "Signature Update Available" message is not cleared by UCS load/sync |
| 620301-3 | 4-Minor | BT620301 | Policy import fails due to missing signature System in associated Signature Set |
| 618503-2 | 4-Minor | BT618503 | Irrelevant fields visible in Logging profile |
| 547428-2 | 4-Minor | BT547428 | Unexpected storage-format string causes asm restart |
| 1084857-5 | 4-Minor | BT1084857 | ASM::support_id iRule command does not display the 20th digit |
| 1073625-5 | 4-Minor | | Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled. |
| 1057713-1 | 4-Minor | | "South Sudan" is missing from the ASM Geolocation Enforcement list. |
| 1035361-6 | 4-Minor | | Illegal cross-origin after successful CAPTCHA |
| 1026457-2 | 4-Minor | | "Security ›› Event Logs : Protocol : FTP, SMTP" page returns a "500 Internal Server" error |
| 1026277-4 | 4-Minor | | Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled |
| 1014573-4 | 4-Minor | BT1014573 | Several large arrays/objects in JSON payload may core the enforcer |
| 1029689-5 | 5-Cosmetic | BT1029689 | Inconsistent username "SYSTEM" in Audit Log |
Application Visibility and Reporting Issues
| ID Number | Severity | Links to More Info | Description |
| 932189-5 | 3-Major | BT932189 | Incorrect BD Swap Size units on ASM Resources chart |
| 898333-5 | 3-Major | BT898333 | Unable to collect statistics from BIG-IP system after BIG-IQ restart |
| 869049-6 | 3-Major | BT869049 | Charts discrepancy in AVR reports |
| 852577-1 | 3-Major | BT852577 | [AVR] Analytic goodput graph between different time period has big discrepancy |
| 808801-1 | 3-Major | BT808801 | AVRD crash when configured to send data externally |
| 752971 | 3-Major | BT752971 | ACL-related reports might not contain some of the activity that takes place |
| 746837-3 | 3-Major | BT746837 | AVR JS injection can cause error on page if the JS was not injected |
| 703225 | 3-Major | BT703225 | DoS Visibility does not support display of more than 500 attacks and/or virtual servers |
| 910777-5 | 4-Minor | BT910777 | Sending ASM report via AWS SES failed due to wrong content type |
| 808805-2 | 4-Minor | BT808805 | Avrd crashes upon configuration change. |
| 633217-1 | 4-Minor | BT633217 | Countries in new DoS visibility tables will appear "N/A" after upgrade ★ |
| 930217-5 | 5-Cosmetic | BT930217 | Zone colors in ASM swap usage graph are incorrect |
Access Policy Manager Issues
| ID Number | Severity | Links to More Info | Description |
| 893953-4 | 1-Blocking | BT893953 | Portal Access: Chrome/Edge browser: cookie transport: sync XMLHttpRequests should not be used in onbeforeunload handlers |
| 995029-2 | 2-Critical | BT995029 | Configuration is not updated during auto-discovery |
| 930625-4 | 2-Critical | BT930625 | TMM crash is seen due to double free in SAML flow |
| 910097-1 | 2-Critical | BT910097 | Changing per-request policy while tmm is under traffic load may drop heartbeats |
| 904441-5 | 2-Critical | BT904441 | APM vs_score for GTM-APM load balancing is not calculated correctly |
| 860617-1 | 2-Critical | BT860617 | RADIUS server pool without an attached load-balancing algorithm results in a core |
| 856909-1 | 2-Critical | BT856909 | Apmd core occurs when it fails to retrieve agentInfo |
| 831737-2 | 2-Critical | BT831737 | Memory Leak when using Ping Access profile |
| 789085-3 | 2-Critical | BT789085 | When executing the ACCESS::session iRule command under a serverside event, tmm may crash |
| 770557-1 | 2-Critical | BT770557 | Per-Session RADIUS Acct STOP message is forged based on pool route domain, but is sent through default one |
| 761373-1 | 2-Critical | BT761373 | Debug information logged to stdout |
| 748572-1 | 2-Critical | BT748572 | Occasionally ramcache might crash when data is sent without the corresponding event. |
| 683598-1 | 2-Critical | BT683598 | Redeployment of SAML-SP app fails if HTTP-header-based SSO is configured |
| 681352-1 | 2-Critical | BT681352 | Performance of a client certificate validation with OCSP agent is degraded |
| 647590-1 | 2-Critical | BT647590 | Apmd crashes with segmentation fault when trying to load access policy |
| 1063261-2 | 2-Critical | BT1063261 | TMM crash is seen due to sso_config objects. |
| 949105-5 | 3-Major | BT949105 | Error log seen on Category Lookup SNI requests for same connection |
| 944029-3 | 3-Major | BT944029 | Support challenge response agent to handle Access-Challenge when Logon agent is not in policy |
| 925573-4 | 3-Major | BT925573 | SIGSEGV: receiving a sessiondb callback response after the flow is aborted |
| 924697-5 | 3-Major | BT924697 | VDI data plane performance degraded during frequent session statistic updates |
| 920541-1 | 3-Major | BT920541 | Incorrect values in 'Class Attribute' in Radius-Acct STOP request |
| 918053-4 | 3-Major | BT918053 | [Win][EdgeClient] 'Enable Always Connected mode' is checked for all connectivity profiles with same Parent profile. |
| 915509-4 | 3-Major | BT915509 | RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true |
| 894885-5 | 3-Major | BT894885 | [SAML] SSO crash while processing client SSL request |
| 884797-1 | 3-Major | BT884797 | Portal Access: in some cases data is not delivered via WebSocket connection |
| 883577-1 | 3-Major | BT883577 | ACCESS::session irule command does not work in HTTP_RESPONSE event |
| 866685-4 | 3-Major | BT866685 | Empty HSTS headers when HSTS mode for HTTP profile is disabled |
| 858005-4 | 3-Major | | When the APM VPE 'IP Subnet Match' agent is configured with leading/trailing spaces, runtime evaluation fails with an error in /var/log/apm: 'Rule evaluation failed with error:' |
| 853325-4 | 3-Major | BT853325 | TMM Crash while parsing form parameters by SSO. |
| 849029-1 | 3-Major | BT849029 | No configurable setting for maximum entries in CRLDP cache |
| 844573-4 | 3-Major | BT844573 | Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret. |
| 837781 | 3-Major | BT837781 | Per-request policy using Client-Initiated Form-based SSO cannot access the resource, and configured as SAML-IdP, fails to process SAML Requests/Responses. |
| 831781-1 | 3-Major | BT831781 | AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode |
| 828773-2 | 3-Major | BT828773 | Incomplete response to an internal request by Portal Access |
| 824121-3 | 3-Major | BT824121 | Using the Websocket profile prevents mouse wheel scroll function |
| 811645 | 3-Major | BT811645 | Export of variable-assign is failing if 'error:' is part of expression |
| 794585-4 | 3-Major | BT794585 | User cannot log in after license reactivation on vCMP host |
| 788473-1 | 3-Major | BT788473 | Email sent from APM is not readable in some languages |
| 774301-2 | 3-Major | BT774301 | Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList |
| 773841 | 3-Major | BT773841 | Per-request access policy may handle logon pages incorrectly |
| 771905-1 | 3-Major | BT771905 | JWT token rejected due to unknown JOSE header parameters |
| 761303-4 | 3-Major | BT761303 | Upgrade of standby BIG-IP system results in empty Local Database |
| 760410-3 | 3-Major | BT760410 | Connection reset is seen when Category lookup agent is used in per-req policy |
| 759392-4 | 3-Major | BT759392 | HTTP_REQUEST iRule event triggered for internal APM request |
| 759356-1 | 3-Major | BT759356 | Access session data cache might leak if there are multiple TMMs |
| 758542-1 | 3-Major | BT758542 | OAuth database instance appears empty after upgrade from v13.x &start; |
| 757782-4 | 3-Major | BT757782 | OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default |
| 756813-1 | 3-Major | BT756813 | In rare cases tmm crash is observed when using APM as RDG proxy |
| 756777-2 | 3-Major | BT756777 | VDI plugin might crash on process shutdown during RDG connections handling |
| 748944 | 3-Major | BT748944 | Import is failing for APM SSO Config object |
| 747624-1 | 3-Major | BT747624 | RADIUS Authentication over RSA SecureID is not working in challenge mode |
| 744316-1 | 3-Major | BT744316 | Config sync of APM policy fails with Cannot update_indexes validation error. |
| 743475 | 3-Major | BT743475 | Upgrades from releases earlier than 13.1.1 may fail when AD servers are invalid &start; |
| 741967 | 3-Major | BT741967 | APM custom report with active field fails on vCMP |
| 738865-4 | 3-Major | BT738865 | MCPD might enter into loop during APM config validation |
| 738547-1 | 3-Major | BT738547 | SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII |
| 722991-2 | 3-Major | BT722991 | 'dead.letter' file might appear in the /root directory |
| 720030-4 | 3-Major | BT720030 | Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U) |
| 718602 | 3-Major | BT718602 | Old config snapshots do not time out on standby |
| 714902-1 | 3-Major | BT714902 | Restjavad may hang if discover task fails and the interval is 0 |
| 712857-2 | 3-Major | BT712857 | SWG-Explicit rejects large POST bodies during policy evaluation |
| 711056-2 | 3-Major | BT711056 | License check VPE expression fails when access profile name contains dots |
| 710044-3 | 3-Major | BT710044 | Portal Access: same-origin AJAX request may fail in some case. |
| 707953-2 | 3-Major | BT707953 | Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page |
| 707746-1 | 3-Major | BT707746 | EPSEC package rolls back to previous version whenever the device is rebooted |
| 706797-1 | 3-Major | BT706797 | Portal Access: some multibyte characters in JavaScript code may not be handled correctly |
| 706782-1 | 3-Major | BT706782 | Inefficient APM processing in large configurations. |
| 706374-4 | 3-Major | BT706374 | Heavy use of APM Kerberos SSO can sometimes lead to memory corruption |
| 705502-2 | 3-Major | BT705502 | Create download URL for APM CLI client rpm/deb packages for x86_64 for armhf and Linux platforms |
| 704524-4 | 3-Major | BT704524 | [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries |
| 703984-7 | 3-Major | BT703984 | Machine Cert agent improperly matches hostname with CN and SAN |
| 702246-1 | 3-Major | BT702246 | Cannot import local db user with multiple groups |
| 698836-2 | 3-Major | BT698836 | Increased APM session capacity is not available after installing an APM session count License |
| 688046-2 | 3-Major | BT688046 | Change condition and expression for Protocol Lookup agent expression builder |
| 685593-1 | 3-Major | BT685593 | Access session iRules can fail with error 'Illegal argument' |
| 684399-1 | 3-Major | BT684399 | Connectivity profiles GUI shows (Not Licensed) when LTM base is presented |
| 682751-7 | 3-Major | BT682751 | Kerberos keytab file content may be visible. |
| 682271-2 | 3-Major | BT682271 | Portal Access may handle JavaScript getter/setter definitions incorrectly |
| 681836 | 3-Major | BT681836 | Portal Access: JavaScript code may be corrupted in debug mode |
| 680855-2 | 3-Major | BT680855 | Safari 11 sometimes starts more than one session |
| 680112-2 | 3-Major | K18131781, BT680112 | SWG-Explicit rejects large POST bodies during policy evaluation |
| 679735-3 | 3-Major | BT679735 | Multidomain SSO infinite redirects from session ID parameters |
| 676854-3 | 3-Major | BT676854 | CRL Authentication agent will hang waiting on unresponsive authentication server. |
| 676599-1 | 3-Major | BT676599 | SAML IdP connectors created by SAML IdP automation are not deleted automatically when the metadata is updated such that the corresponding entityDescriptors are removed. |
| 676463-1 | 3-Major | BT676463 | Having two SAML IdP metadata automation objects that point to the same metadata and different SP results in 'join fail' of the IdP connector with SP object. |
| 675143-1 | 3-Major | BT675143 | The SAML IdP metadata automation periodic update of metadata file that has Certificate may cause 'Apply Access Policy' to show up even if no changes to the IdP connector object are made. |
| 673357-3 | 3-Major | | SWG puts flow in intercept mode when session is not found |
| 665700 | 3-Major | BT665700 | APM 11.x upgrade breaks 'log only message-id' workflow &start; |
| 651169-1 | 3-Major | BT651169 | The Dashboard does not show an alert when a power supply is unplugged |
| 621158-3 | 3-Major | BT621158 | F5vpn does not close upon closing session |
| 597955-1 | 3-Major | BT597955 | APM can generate seemingly spurious error log messages |
| 582606-2 | 3-Major | BT582606 | IPv6 downloads stall when NA IPv4&IPv6 is used. |
| 578989-6 | 3-Major | | Maximum request body size is limited to 25 MB |
| 534187-3 | 3-Major | BT534187 | Passphrase protected signing keys are not supported by SAML IDP/SP |
| 527119-6 | 3-Major | BT527119 | An iframe document body might be null after iframe creation in rewritten document. |
| 376615 | 3-Major | | Logon failure when Access Policy contains On-Demand Cert Agent for legacy logon method |
| 307037-3 | 3-Major | | Dynamic resources are assigned but not accessible |
| 1097821-5 | 3-Major | BT1097821 | Unable to create apm policy customization image using tmsh command when source-path is specified |
| 1086733 | 3-Major | | Unable to launch multiple apps with mixed mode of multi-session configuration |
| 1085417-1 | 3-Major | | Add VMware HTML5 settings icon in APM Webtop |
| 1063345-1 | 3-Major | | Urldbmgrd may crash while downloading the database. |
| 1056669-1 | 3-Major | BT1056669 | Clicking the ActiveX RDP Resources icon does not display the ActiveX RDP web page. |
| 1042505-4 | 3-Major | BT1042505 | Session variable "session.user.agent" does not get populated for edge clients |
| 1041989-1 | 3-Major | BT1041989 | APM Portal Access does not automatically add the / after the URL-encoded part (after the '$$'), so the redirect breaks |
| 1039941 | 3-Major | BT1039941 | [WIN]Webtop offers to download f5vpn when it is already installed |
| 1037877-4 | 3-Major | BT1037877 | OAuth Claim display order incorrect in VPE |
| 1024437-5 | 3-Major | BT1024437 | Urldb index building fails to open index temp file |
| 1001041-1 | 3-Major | BT1001041 | Reset cause 'Illegal argument' |
| 1000669 | 3-Major | BT1000669 | Tmm memory leak 'string cache' leading to SIGFPE |
| 963129-1 | 4-Minor | BT963129 | RADIUS Accounting Stop message fails via layered virtual server |
| 949957-2 | 4-Minor | BT949957 | RDP: Username is pre-filled with f5_apm* string after clicking on webtop resource on Mobile Clients (iOS & Android) |
| 944093-4 | 4-Minor | BT944093 | Maximum remaining session's time on user's webtop can flip/flop |
| 917605 | 4-Minor | BT917605 | Enabling APM debug logs can lead to leakage in file descriptors |
| 867705-1 | 4-Minor | BT867705 | URL for IFRAME element may not be normalized in some cases |
| 866953-1 | 4-Minor | BT866953 | Portal Access: F5_Inflate_onclick wrapper functionality needs refining |
| 860041-1 | 4-Minor | BT860041 | Portal Access: 5_Deflate_removeEventListener wrapper needs to be added |
| 848217-1 | 4-Minor | | Portal Access: default port encoded in rewritten URL needs to be removed from the Host header in the request to the backend |
| 840257-1 | 4-Minor | BT840257 | Portal Access: HTML iframe sandbox attribute is not supported |
| 819233-1 | 4-Minor | BT819233 | Ldbutil utility ignores '--instance' option if '--list' option is specified |
| 778333-1 | 4-Minor |