Applies To:
- BIG-IP AAM 14.0.0
- BIG-IP APM 14.0.0
- BIG-IP Link Controller 14.0.0
- BIG-IP Analytics 14.0.0
- BIG-IP LTM 14.0.0
- BIG-IP PEM 14.0.0
- BIG-IP AFM 14.0.0
- BIG-IP FPS 14.0.0
- BIG-IP DNS 14.0.0
- BIG-IP ASM 14.0.0
BIG-IP Release Information
Version: 14.0.0.3
Build: 4.0
NOTE: This release includes fixes for the Spectre Variant 1 and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754).
In some configurations, installing software containing these fixes might impact performance. You can disable these fixes to recover performance. Please see K91229003 for additional Spectre and Meltdown information.
Cumulative fixes from BIG-IP v14.0.0.2 that are included in this release
Cumulative fixes from BIG-IP v14.0.0.1 that are included in this release
Known Issues in BIG-IP v14.0.x
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
717742-6 | CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 | K44923228 | Oracle Java SE vulnerability CVE-2018-2783 |
709972 | CVE-2017-12613 | K52319810 | CVE-2017-12613: APR Vulnerability |
709688-2 | CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 | K08306700 | dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 |
695072-3 | CVE-2016-8399, CVE-2017-1000111, CVE-2017-1000112, CVE-2017-11176, CVE-2017-14106, CVE-2017-7184, CVE-2017-7541, CVE-2017-7542, CVE-2017-7558 | K23030550 | CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558 |
651741 | CVE-2017-5970, CVE-2016-7097 | K60104355 | CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop |
726409-5 | CVE-2017-8890, CVE-2017-9075, CVE-2017-9076, CVE-2017-9077 | K61429540 | Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 |
725801-5 | CVE-2017-7889 | K80440915 | CVE-2017-7889: Kernel Vulnerability |
725635-1 | CVE-2018-3665 | K21344224 | CVE-2018-3665: Intel Lazy FPU Vulnerability |
719554-1 | CVE-2018-8897 | K17403481 | Linux Kernel Vulnerability: CVE-2018-8897 |
710705-1 | CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 | K34035645 | Multiple Wireshark vulnerabilities |
710148-1 | CVE-2017-1000111, CVE-2017-1000112 | K60250153 | CVE-2017-1000111 & CVE-2017-1000112 |
709256-1 | CVE-2017-9074, CVE-2017-7542 | K61223103 | CVE-2017-9074: Local Linux Kernel Vulnerability |
701785-1 | CVE-2017-18017 | K18352029 | Linux kernel vulnerability: CVE-2017-18017 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
734527-3 | 3-Major | | BGP 'capability graceful-restart' for peer-group not properly advertised when configured |
715750-1 | 3-Major | | The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
743082-2 | 2-Critical | | Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members |
738887-4 | 2-Critical | | The snmpd daemon may leak memory when processing requests. |
738119-1 | 2-Critical | | SIP routing UI does not follow best practices |
734822-2 | 2-Critical | | TMSH improvements |
725696-2 | 2-Critical | | A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted |
723722-1 | 2-Critical | | MCPD crashes if several thousand files are created between config syncs. |
723298-1 | 2-Critical | | BIND upgrade to version 9.11.4 |
721924-6 | 2-Critical | | bgpd may crash processing extended ASNs |
719597-1 | 2-Critical | | HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0 |
706423-3 | 2-Critical | | tmm may restart if an IKEv2 child SA expires during an async encryption or decryption |
705476-1 | 2-Critical | | Appliance Mode does not follow design best practices |
703669-1 | 2-Critical | | Eventd restarts on NULL pointer access |
703045-2 | 2-Critical | | If using TMSH commands with deprecated attributes in iAPP, the upgrade will fail. |
743803-3 | 3-Major | | IKEv2 potential double free of object when async request queueing fails |
743233-1 | 3-Major | | Default engineID may have different lengths |
722682-3 | 3-Major | | Fix of ID 615222 results in upgrade issue for GTM pool member with colon -- config failed to load★ |
720713-1 | 3-Major | | TMM traffic to/from a i10600/i10800 device in vCMP host mode may fail |
720651-1 | 3-Major | | Running Guest Changed to Provisioned Never Stops |
720104-2 | 3-Major | | BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware' |
718817-1 | 3-Major | | Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail. |
718525-2 | 3-Major | | PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting |
711249-3 | 3-Major | | NAS-IP-Address added to RADIUS packet unexpectedly |
710976-2 | 3-Major | | Network Map might take a long time to load |
710827-1 | 3-Major | | TMUI dashboard daemon stability issue |
710232-1 | 3-Major | | platform-migrate fails when LACP trunks are in use |
709192-2 | 3-Major | | GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart |
708484-1 | 3-Major | | Network Map might take a long time to load |
707391-1 | 3-Major | | BGP may keep announcing routes after disabling route health injection |
706169-2 | 3-Major | | tmsh memory leak |
704804-4 | 3-Major | | The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address |
704755-3 | 3-Major | | EUD_M package could not be installed on 800 platforms |
704733-3 | 3-Major | | NAS-IP-Address will be sent with the bytes backwards |
704247-1 | 3-Major | | BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted |
702227-2 | 3-Major | | Memory leak in TMSH load sys config |
701249-3 | 3-Major | | RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1 |
677088-1 | 3-Major | | Qkview does not follow current best practices |
671712-3 | 3-Major | | The values returned for the ltmUserStatProfileStat table are incorrect. |
658557-4 | 3-Major | | The snmpd daemon may leak memory when processing requests. |
738985-1 | 4-Minor | | BIND vulnerability: CVE-2018-5740 |
725612-2 | 4-Minor | | syslog-ng remote destination needs unique name that changes on address change. |
714749-1 | 4-Minor | | cURL Vulnerability: CVE-2018-1000120 |
713932-2 | 4-Minor | | Commands are replicated to PostgreSQL even when not in use. |
707267-2 | 4-Minor | | REST Framework HTTP header limit size increased to 8 KB |
530775-2 | 4-Minor | | Login page may generate unexpected HTML output |
720391-3 | 5-Cosmetic | | BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' |
713491-3 | 5-Cosmetic | | IKEv1 logging shows spi of deleted SA with opposite endianness |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
737758-3 | 2-Critical | | MPTCP Passthrough and VIP-on-VIP can lead to TMM core |
737445-1 | 2-Critical | | Use of TCP Verified Accept can disable server-side flow control |
727044-3 | 2-Critical | | TMM may crash while processing compressed data |
726239-5 | 2-Critical | | Interruption of traffic handling as sod daemon restarts TMM |
724906-3 | 2-Critical | | sasp_gwm monitor leaks memory over time |
724868-3 | 2-Critical | | dynconfd memory usage increases over time |
724213-2 | 2-Critical | K74431483 | Modified ssl_profile monitor param not synced correctly |
722387-4 | 2-Critical | | TMM may crash when processing APM DTLS traffic |
716900-3 | 2-Critical | | TMM core when using MPTCP |
715923-7 | 2-Critical | | When processing TLS traffic TMM may reset connections |
710221-1 | 2-Critical | K67352313 | Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled |
709828-1 | 2-Critical | | fasthttp can crash with Large Receive Offload enabled |
700056-2 | 2-Critical | K05350542 | MCPD process may lock up and restart when applying Local Traffic Policy to virtual server |
726319-1 | 3-Major | | 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses |
725815-2 | 3-Major | | vlangroup usage may cause excessive resource consumption |
722677-5 | 3-Major | | High-Speed Bridge may lock up |
722363-3 | 3-Major | | Client fails to connect to server when using PVA offload at Established |
722091-4 | 3-Major | | TMM may crash while processing HTTP traffic |
721621-3 | 3-Major | | Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node |
720799-1 | 3-Major | | Virtual Server/VIP flaps with FQDN pool members when all IP addresses change |
720293-4 | 3-Major | | HTTP2 IPv4 to IPv6 fails |
719600-1 | 3-Major | | TCP::collect iRule with L7 policy present may result in connection reset |
717888-4 | 3-Major | | TMM may leak memory when a virtual server uses the MQTT profile. |
717346-1 | 3-Major | K13040347 | [WebSocket] tmsh show /ltm profile WebSocket current and max numbers far larger than total |
716716-1 | 3-Major | | Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core |
715883-1 | 3-Major | | tmm crash due to invalid cookie attribute |
715467-1 | 3-Major | | Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY |
714384-2 | 3-Major | | DHCP traffic may not be forwarded when BWC is configured |
713951-6 | 3-Major | | tmm core files produced by nitrox_diag may be missing data |
713934-1 | 3-Major | | Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result in a malformed TC response |
713766-1 | 3-Major | | VLAN failsafe failover may not occur |
712819-1 | 3-Major | | 'HTTP::hsts preload' iRule command cannot be used |
712664-1 | 3-Major | | IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address |
711281-6 | 3-Major | | nitrox_diag may run out of space on /shared |
709133-1 | 3-Major | | When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur |
709132-2 | 3-Major | | When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a buffer overflow can occur |
707961-1 | 3-Major | K50013510 | Unable to add policy to virtual server; error = Failed to compile the combined policies |
707951-3 | 3-Major | | Stalled mirrored flows on HA next-active when OneConnect is used. |
704764-1 | 3-Major | | SASP monitor marks members down with non-default route domains |
704381-6 | 3-Major | | SSL/TLS handshake failures and terminations are logged at too low a level |
699598-1 | 3-Major | | HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR |
693244-3 | 3-Major | | BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned |
682283-1 | 3-Major | | Malformed HTTP/2 request with invalid Content-Length value is served against RFC |
602708-5 | 3-Major | K84837413 | Traffic may not passthrough CoS by default |
716922-1 | 4-Minor | | Reduction in PUSH flags when Nagle Enabled |
713533-1 | 4-Minor | | list self-ip with queries does not work |
712637-1 | 4-Minor | | Host header persistence not implemented |
708249-1 | 4-Minor | | nitrox_diag utility generates QKView files with 5 MB maximum file size limit |
701253-6 | 4-Minor | | TMM core when using MPTCP |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
739846-2 | 2-Critical | | Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection |
726255-1 | 3-Major | | dns_path lingering in memory with last_access 0 causing high memory usage |
723792-1 | 3-Major | | GTM regex handling of some escape characters renders it invalid |
719644-3 | 3-Major | | If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★ |
715448-3 | 3-Major | K16055759 | Providing LB::status with a GTM Pool name in a variable caused validation issues |
710246-1 | 3-Major | | DNS-Express was not sending out NOTIFY messages on VE |
710032-2 | 3-Major | | 'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
745358-2 | 3-Major | | ASM GUI does not follow best practices |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
746341 | 1-Blocking | | Virtual server page is blank when SSLO is provisioned |
724341-1 | 3-Major | | Import of Access Profile with Machine Cert Checker and default CA Profile is failing |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
706642-1 | 2-Critical | | wamd may leak memory during configuration changes and cluster events |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
699454-6 | 4-Minor | | Web UI does not follow current best coding practices |
699453-6 | 4-Minor | | Web UI does not follow current best coding practices |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
699531-5 | 2-Critical | | Potential TMM crash due to incorrect number of attributes in a PEM iRule command |
726647-4 | 3-Major | | PEM content insertion in a compressed response may truncate some data |
711093-4 | 3-Major | | PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled |
709610-4 | 3-Major | | Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM |
676346-1 | 3-Major | | PEM displays incorrect policy action counters when the gate status is disabled. |
648802-4 | 3-Major | | Required custom AVPs are not included in an RAA when reporting an error. |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
734446-1 | 2-Critical | | TMM crash after changing LSN pool mode from PBA to NAPT |
Cumulative fixes from BIG-IP v14.0.0.2 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
716392-2 | 1-Blocking | | Support for 24 vCMP guests on a single 4450 blade |
704552-1 | 3-Major | | Support for ONAP site licensing |
Cumulative fixes from BIG-IP v14.0.0.1 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
693359-2 | 1-Blocking | | AWS M5 and C5 instance families are supported |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
721364-1 | 1-Blocking | | BIG-IP per-application VE BYOL license does not support three wildcard virtual servers |
707100-1 | 2-Critical | | Potentially fail to create user in AzureStack |
706688-2 | 2-Critical | | Automatically add additional certificates to BIG-IP system in C2S and IC environments |
700086-2 | 2-Critical | | AWS C5/M5 Instances do not support BIG-IP VE |
721985-1 | 3-Major | | PAYG License remains inactive as dossier verification fails. |
721342-2 | 3-Major | | No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments. |
720961-4 | 3-Major | | Upgrading in Intelligence Community AWS environment may fail |
719396-2 | 3-Major | K34339214 | DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot. |
714303-2 | 3-Major | | X520 virtual functions do not support MAC masquerading |
709936-2 | 3-Major | | Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration. |
707585-2 | 3-Major | | Use native driver for 82599 NICs instead of UNIC |
703869-4 | 3-Major | | Waagent updated to 2.2.21 |
Cumulative fix details for BIG-IP v14.0.0.3 that are included in this release
746341 : Virtual server page is blank when SSLO is provisioned
Component: Access Policy Manager
Symptoms:
When SSLO is provisioned and trying to create a new virtual server, the virtual server page is blank.
Conditions:
SSLO is provisioned
Impact:
Cannot create a new virtual server when SSLO is provisioned.
Workaround:
N/A
Fix:
The issue has been fixed in this release.
745358-2 : ASM GUI does not follow best practices
Component: Application Security Manager
Symptoms:
When processing requests to the administrative webUI, ASM does not follow best practices.
Conditions:
ASM provisioned and enabled.
Authenticated user with Administrator, Resource Administrator, or ASM Administrator roles.
Impact:
Unexpected HTML output.
Workaround:
None.
Fix:
When processing webUI requests ASM now follows best practices.
743803-3 : IKEv2 potential double free of object when async request queueing fails
Component: TMOS
Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.
Conditions:
When an async IPsec crypto operation fails to queue.
Impact:
tmm restarts. All tunnels are lost and must be re-established.
Workaround:
No workaround known at this time.
743233-1 : Default engineID may have different lengths
Component: TMOS
Symptoms:
The initial engineIDType on an unconfigured system is NETSNMP_RND. If the snmpd configuration file is read and there is no stored engine ID, one is generated from the current system time (and some other bits) to produce a random engineID. In release 14.0.0 of the BIG-IP, the randomly generated engineID changed length to include some trailing zeros.
Conditions:
Use of unconfigured engineID on a clean install with version 14.0.0 or later. Note the engineIDType of NETSNMP_RND cannot be user configured.
Impact:
This can be confusing because the alert daemon and the snmp agent both issue traps, but the alert daemon's traps do not include the trailing zeros.
Workaround:
There is no workaround.
Fix:
The bug has been fixed and the trailing zeros are no longer included in the randomly generated engine ID.
743082-2 : Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members
Component: TMOS
Symptoms:
Upgrading to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 might result in a configuration that fails to load due to a stray colon character that gets added to the configuration file.
Conditions:
-- Upgrade from pre-12.1.3 to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2.
-- GTM Pool Members.
Impact:
Configuration fails to load.
Workaround:
Remove stray colon-character from bigip_gtm.conf.
Fix:
Fixed an issue preventing configurations from loading into 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from a version before 12.1.3.
739846-2 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
Component: Global Traffic Manager (DNS)
Symptoms:
When the big3d runs out of memory for iQuery connections, a segmentation fault might occur.
Conditions:
-- Not enough memory to create additional iQuery connections.
-- A new iQuery connection is received.
Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.
Workaround:
None.
Fix:
The big3d process no longer gets a segmentation fault when reaching the limits of the memory footprint while trying to establish iQuery connections.
738985-1 : BIND vulnerability: CVE-2018-5740
Component: TMOS
Symptoms:
"deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c.
Conditions:
"deny-answer-aliases" feature is explicitly enabled
Impact:
Crash of the BIND process and loss of service while the process is restarted
Workaround:
Only servers which have explicitly enabled the "deny-answer-aliases" feature are at risk and disabling the feature prevents exploitation.
Fix:
BIND patched to correct CVE-2018-5740
738887-4 : The snmpd daemon may leak memory when processing requests.
Component: TMOS
Symptoms:
Under certain conditions, the snmpd daemon may leak memory when processing requests.
Conditions:
This issue is known to occur on a multi-blade vCMP guest after specific maintenance operations have been carried out by an Administrator on the guest.
Impact:
Once enough memory has leaked, the system may become unstable and fail unpredictably.
Workaround:
If the snmpd daemon is consuming excessive memory, restart it with the following command:
bigstart restart snmpd
Fix:
The snmpd daemon no longer leaks memory when a multi-blade vCMP guest reaches a certain condition.
738119-1 : SIP routing UI does not follow best practices
Component: TMOS
Symptoms:
The SIP routing UI does not follow best practices.
Conditions:
Administrative access to the SIP Profile web UI.
Impact:
Unexpected HTML output.
Workaround:
None.
Fix:
The SIP routing UI now follows best practices.
737758-3 : MPTCP Passthrough and VIP-on-VIP can lead to TMM core
Component: Local Traffic Manager
Symptoms:
If a FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled, TMM may produce a core upon receiving certain traffic.
Conditions:
A FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with a TCP profile attached that has MPTCP passthrough enabled, and certain traffic is received.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not using an iRule with the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled.
Fix:
If MPTCP passthrough is enabled, the system now processes incoming MPTCP connections coming from the loop device as if MPTCP is disabled.
737445-1 : Use of TCP Verified Accept can disable server-side flow control
Component: Local Traffic Manager
Symptoms:
Unexpectedly high memory usage, aggressive sweeper messages, TCP memory pressure messages in logs.
Conditions:
Verified Accept is enabled in TCP profiles that are associated with virtual servers.
Impact:
Excessive memory usage.
Workaround:
There is no workaround other than disabling Verified Accept.
Fix:
Fixed server-side flow control.
734822-2 : TMSH improvements
Component: TMOS
Symptoms:
Under certain conditions TMSH usage, including via iControl, may lead to excessive resource consumption.
Conditions:
Authorized users making queries or updates via TMSH or iControl
Impact:
Excessive resource consumption, potentially leading to a failover event.
Workaround:
None.
734527-3 : BGP 'capability graceful-restart' for peer-group not properly advertised when configured
Component: TMOS
Symptoms:
A BGP neighbor uses a peer-group with 'capability graceful-restart' enabled (which is the default). However, on the system, the peer-group itself defaults to disabled. Because there is no config statement that enables 'capability graceful-restart' after a restart, it gets turned off after config load, which also turns it off for any BGP neighbor inheriting it from the peer-group.
Conditions:
- Neighbor configured to use peer-group.
- Peer-group configured with capability graceful-restart, but with the default: disabled.
Impact:
Because peer-group is set to disable by default, and there is no operation to enable it after restart, 'capability graceful-restart' gets turned off after config load, and neighbors using it from peer-group get turned off as well.
Workaround:
Re-issue the commands to set peer-group 'capability graceful-restart' and 'clear ip bgp *' to reset BGP neighbors.
Fix:
The peer-group now has 'capability graceful-restart' enabled by default, so this issue no longer occurs.
Behavior Change:
In this release, peer-group has 'capability graceful-restart' enabled by default.
734446-1 : TMM crash after changing LSN pool mode from PBA to NAPT
Component: Carrier-Grade NAT
Symptoms:
TMM crashes after changing LSN pool mode from PBA to NAPT when long lived connections are killed due to the PBA block lifetime and zombie timeout expiring.
Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set and long lived connections.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.
The PBA pool can be deleted after the virtual servers are no longer using it.
Fix:
TMM no longer crashes after changing LSN pool mode from PBA to NAPT.
727044-3 : TMM may crash while processing compressed data
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing compressed data.
Conditions:
Compression enabled
Hardware compression disabled
Impact:
TMM crash leading to a failover event.
Workaround:
No workaround.
Fix:
TMM now correctly processes compressed traffic
726647-4 : PEM content insertion in a compressed response may truncate some data
Component: Policy Enforcement Manager
Symptoms:
HTTP compressed response with content insert action can truncate data.
Conditions:
PEM content insertion action with compressed HTTP response.
Impact:
Data might be truncated.
Workaround:
There is no workaround other than disabling compression by way of the Accept-Encoding attribute in the HTTP request.
Fix:
HTTP compressed response with content insert action no longer truncates data.
726409-5 : Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
Solution Article: K61429540
726319-1 : 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses
Component: Local Traffic Manager
Symptoms:
When FQDN nodes and pool members are used in LTM pools, a message similar to the following may be logged if the DNS server returns a different set of IP address records to resolve the FQDN name:
err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.
Conditions:
This message may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name, and new ephemeral pool members are created corresponding to the new IP addresses.
This may occur intermittently depending on timing conditions.
Impact:
These log messages are cosmetic and do not indicate any impact to traffic or BIG-IP operations.
Workaround:
None.
Fix:
'The requested Pool Member ... already exists' messages are no longer logged occasionally when an FQDN pool member name resolves to different IP addresses.
726255-1 : dns_path lingering in memory with last_access 0 causing high memory usage
Component: Global Traffic Manager (DNS)
Symptoms:
dns_path not released after exceeding the inactive path ttl.
Conditions:
1. Multiple tmm's in sync group
2. Multiple dns paths per GTM needed for load balancing.
Impact:
High memory usage.
Workaround:
There is no workaround at this time.
Fix:
dns_path memory will be released after ttl.
726239-5 : interruption of traffic handling as sod daemon restarts TMM
Component: Local Traffic Manager
Symptoms:
When the receiving host in a TCP connection has set its send window to zero (stopping the flow of data), following certain unusual protocol sequences, the logic in the TMM that persists in probing the zero window may enter an endless loop.
Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.
Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This fix handles a rare TMM crash when TCP persist timer is active.
725815-2 : vlangroup usage may cause excessive resource consumption
Component: Local Traffic Manager
Symptoms:
Under certain conditions, systems using vlangroup functionality may consume excessive resources.
Conditions:
Vlangroups with child vlans with Self-IPs
Self-IPs that have restricted allow lists
Impact:
Excessive resource consumption, potentially leading to a crash and failover event.
Workaround:
Alter configuration. Contact support for instructions.
Fix:
Resource consumption is normalized.
725801-5 : CVE-2017-7889: Kernel Vulnerability
Solution Article: K80440915
725696-2 : A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted
Component: TMOS
Symptoms:
When OCSP Stapling is enabled on a client SSL profile, certain uncommon operations might result in a tmm timer queue getting into a loop, which results in tmm being aborted by sod, after which tmm restarts.
Conditions:
-- There are SSL handshakes waiting for an OCSP response, and one of the following:
+ There is a CMP transition.
+ There are changes made to the OCSP object.
Impact:
tmm restarts. Traffic interrupted while tmm restarts.
Workaround:
There is no workaround other than disabling OCSP stapling.
Fix:
The timer issue has been corrected.
725635-1 : CVE-2018-3665: Intel Lazy FPU Vulnerability
Solution Article: K21344224
725612-2 : syslog-ng remote destination needs unique name that changes on address change.
Component: TMOS
Symptoms:
Changing syslog server IP address requires syslog-ng restart to take effect. Syslog operations do not use the new remote destination address on syslog service reconfiguration.
Conditions:
1. Add Remote Syslog server (Server A) using System :: Logs :: Configuration :: Remote Syslog.
2. Click Update (Syslog messages go out toward Server A).
3. Remove Server A from configuration.
4. Add new Server B (different IP address).
5. Click Update.
Impact:
Syslog messages still go out toward Server A.
Workaround:
Restart the syslog service using the following command:
bigstart restart syslog-ng
Messages now properly go out toward Server B (the new IP address).
Fix:
Syslog operations now use the new remote destination address on syslog service reconfiguration.
724906-3 : sasp_gwm monitor leaks memory over time
Component: Local Traffic Manager
Symptoms:
The memory usage of the Server/Application State Protocol (SASP) monitor process, sasp_gwm, slowly increases over time.
Conditions:
The Server/Application State Protocol (SASP) monitor is configured.
The leakage occurs during normal operation of the monitor and is not tied to any specific user or traffic action.
Impact:
sasp_gwm grows over time and eventually the system may be pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.
Workaround:
Periodic restarts of sasp_gwm processes prevent the growth from affecting the system.
Fix:
The sasp_gwm monitor no longer leaks memory when processing messages.
724868-3 : dynconfd memory usage increases over time
Component: Local Traffic Manager
Symptoms:
dynconfd memory usage slowly increases over time as it processes various state-related messages.
Conditions:
No special conditions as dynconfd is a core LTM process. Large numbers of pool members combined with flapping might increase the rate of memory usage increase.
Impact:
dynconfd grows over time and eventually the system is pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.
Workaround:
Periodic restarts of dynconfd prevent the growth from affecting the system.
Fix:
dynconfd no longer leaks memory when processing messages.
724341-1 : Import of Access Profile with Machine Cert Checker and default CA Profile is failing
Component: Access Policy Manager
Symptoms:
Export and then reimport of an Access Profile with a Machine Cert Checker agent configured with the default CA Profile fails with the following error:
The requested profile_certificateauthority (Common/certificateauthority) was not found. Unexpected Error: Loading configuration process failed.
Conditions:
Any Profile/Policy with Machine cert and default settings
Impact:
Low: affecting only import/export.
Workaround:
Use non-default CA Profile at the export time.
Fix:
Export and import of Profile with default CA Profile works properly.
724213-2 : Modified ssl_profile monitor param not synced correctly
Solution Article: K74431483
Component: Local Traffic Manager
Symptoms:
After modifying the ssl_profile attribute on an HTTPS monitor on a device within a high availability (HA) configuration, and after performing a full ConfigSync, the corresponding monitor on the peer-sync unit does not have the updated value.
Conditions:
-- An HTTPS monitor is used on BIG-IP systems in an HA configuration.
-- in-tmm monitor is enabled (for more information on in-tmm monitoring see K11323537: Configuring In-TMM monitoring at https://support.f5.com/csp/article/K11323537)
-- The ssl_profile field is modified on an HTTPS monitor.
-- A sync-to-peer (full ConfigSync, not incremental sync) is attempted to propagate the modified ssl_profile value to the peer units.
Impact:
The ssl_profile value for the HTTPS monitor on the peer unit is set to none, resulting in the two devices reporting themselves as in-sync, but having potentially different HTTPS monitor configurations.
Workaround:
Do not run HTTPS monitors using in-tmm monitors, and instead use the traditional HTTPS monitor configuration for SSL-attributes (cipherlist, key, cert, and compatibility attributes on HTTPS monitor).
Note: Using these attributes will generate deprecation warnings, but the configuration should still take effect.
Fix:
After modifying the ssl_profile attribute on an HTTPS monitor on a system within an HA configuration, and after performing a full ConfigSync, the corresponding monitor on the peer unit now receives the updated monitor attribute, as expected.
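The Impact above describes the worst kind of HA drift: both units report in-sync while one of them runs a monitor with ssl-profile set to none. The following is an added example written for this page (not F5 code) that detects such drift by parsing 'tmsh list ltm monitor https' output captured on each peer and listing every attribute whose value differs. The two captures are constructed samples; the monitor names, profile names and attribute set are assumptions, and the parser handles only the one-level brace format shown.

```python
"""Added example (not part of the F5 release notes, not F5 code): detect HTTPS
monitor attributes that differ between two HA peers that report in-sync
(ID 724213). Input is the text of 'tmsh list ltm monitor https' captured on
each unit. The sample captures below are constructed; object and profile
names are assumptions.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: capture from the unit where ssl_profile was modified.
ACTIVE_UNIT = """\
ltm monitor https /Common/app_https_mon {
    defaults-from /Common/https
    interval 5
    recv "HTTP/1.1 200 OK"
    send "GET /health HTTP/1.0\\r\\n\\r\\n"
    ssl-profile /Common/serverssl-monitor
    timeout 16
}
ltm monitor https /Common/api_https_mon {
    defaults-from /Common/https
    interval 10
    ssl-profile /Common/serverssl-monitor
    timeout 31
}
"""

# Constructed sample: capture from the peer after a full ConfigSync; the
# synced monitor has lost its ssl-profile, as the release note describes.
STANDBY_UNIT = """\
ltm monitor https /Common/app_https_mon {
    defaults-from /Common/https
    interval 5
    recv "HTTP/1.1 200 OK"
    send "GET /health HTTP/1.0\\r\\n\\r\\n"
    ssl-profile none
    timeout 16
}
ltm monitor https /Common/api_https_mon {
    defaults-from /Common/https
    interval 10
    ssl-profile /Common/serverssl-monitor
    timeout 31
}
"""


def parse_tmsh_objects(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'tmsh list' brace output into {object_name: {attribute: value}}.

    Only attributes at the object's top level are captured; nested sub-blocks
    (anything that opens its own '{') are skipped but kept balanced.
    """
    objects: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            if depth == 0:
                # Header line such as "ltm monitor https /Common/name {":
                # the object name is the last token before the brace.
                name = line[:-1].split()[-1]
                current = objects.setdefault(name, {})
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:
                current = None
            continue
        if depth == 1 and current is not None:
            key, _, value = line.partition(" ")
            current[key] = value.strip()
    return objects


def config_drift(
    active_text: str, standby_text: str
) -> List[Tuple[str, str, Optional[str], Optional[str]]]:
    """Return (object, attribute, active_value, standby_value) for every
    attribute whose value differs between the captures. An object missing on
    one side shows up with None for that side's values."""
    active = parse_tmsh_objects(active_text)
    standby = parse_tmsh_objects(standby_text)
    drift = []
    for name in sorted(set(active) | set(standby)):
        a_attrs = active.get(name, {})
        s_attrs = standby.get(name, {})
        for attr in sorted(set(a_attrs) | set(s_attrs)):
            if a_attrs.get(attr) != s_attrs.get(attr):
                drift.append((name, attr, a_attrs.get(attr), s_attrs.get(attr)))
    return drift


if __name__ == "__main__":
    for name, attr, a_val, s_val in config_drift(ACTIVE_UNIT, STANDBY_UNIT):
        print(f"DRIFT {name} {attr}: active={a_val!r} standby={s_val!r}")
```

Run it against real captures from both units after every ConfigSync that touches an HTTPS monitor; a non-empty result means the sync status is not telling the whole story.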
723792-1 : GTM regex handling of some escape characters renders it invalid
Component: Global Traffic Manager (DNS)
Symptoms:
The memory footprint of big3d increases.
Conditions:
GTM monitor recv string such as the following: ^http\/\d\.\d[23]\d\d
Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory. The monitor marks the server it is monitoring UP as long as the server returns any response.
Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}
Fix:
Fixed handling of escape characters. Recv strings that previously failed to compile will now compile.
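The security-relevant point in this entry is that a recv string which fails to compile turns the monitor fail-open: any response marks the server UP. The following added example (written for this page, not F5 code) checks a candidate recv string before it is deployed: it confirms the pattern compiles and that it matches only the status lines it should, and it contrasts the fail-open verdict with a fail-closed one. Python's re module is used as a stand-in for big3d's engine (an assumption: a pass here is a sanity check, not proof of how big3d will behave), and the sample status lines are constructed.

```python
"""Added example (not part of the F5 release notes, not F5 code): sanity-check
a monitor recv string before deploying it (ID 723792).

The release note describes a recv string whose escaped characters fail to
compile in big3d, after which the monitor marks the server UP on any
response: a fail-open monitor. Two things are checked here with Python's re
module (an assumption: big3d does not use Python's engine, so a pass is a
sanity check, not proof): that the pattern compiles, and that it matches only
the status lines it should. The sample status lines are constructed.
"""
import re
from typing import Dict

# The recv string from the release note and the replacement it suggests.
ORIGINAL_RECV = r"^http\/\d\.\d[23]\d\d"
SUGGESTED_RECV = r"^HTTP/[0-9][.][0-9] [23][0-9]{2}"
# A pattern that does not compile (unterminated character class), used to
# show the fail-open case.
BROKEN_RECV = r"^HTTP/[23"

# Constructed sample responses: the first line of a reply as a monitor would
# see it, paired with whether a healthy-only monitor should accept it.
SAMPLE_RESPONSES: Dict[str, bool] = {
    "HTTP/1.1 200 OK": True,
    "HTTP/1.0 301 Moved Permanently": True,
    "HTTP/1.1 404 Not Found": False,
    "HTTP/1.1 503 Service Unavailable": False,
    # A status code buried in a body line must not satisfy an anchored recv string.
    "Upstream said HTTP/1.1 200 OK but we answer HTTP/1.1 500 Internal Server Error": False,
}


def check_recv_string(pattern: str, samples: Dict[str, bool]) -> Dict[str, object]:
    """Compile the pattern and run it over the samples.

    Returns {'compiles': bool, 'error': str or None, 'mismatches': [lines whose
    match result differs from the expected verdict]}. A pattern that does not
    compile is reported as mismatching every sample, because it cannot be
    trusted to make any decision at all.
    """
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        return {"compiles": False, "error": str(exc), "mismatches": list(samples)}
    mismatches = [line for line, expected in samples.items()
                  if bool(rx.search(line)) != expected]
    return {"compiles": True, "error": None, "mismatches": mismatches}


def monitor_verdict(pattern: str, response: str, fail_open: bool = False) -> str:
    """Model the monitor decision as 'UP' or 'DOWN'.

    fail_open=True reproduces the behaviour the release note describes: when
    the recv string does not compile, any non-empty response marks the server
    UP. fail_open=False is the safe alternative: an uncompilable recv string
    is a configuration error, and the member stays DOWN until it is fixed.
    """
    try:
        rx = re.compile(pattern)
    except re.error:
        return "UP" if (fail_open and response) else "DOWN"
    return "UP" if rx.search(response) else "DOWN"


if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL_RECV),
                       ("suggested", SUGGESTED_RECV),
                       ("broken", BROKEN_RECV)):
        print(label, check_recv_string(pat, SAMPLE_RESPONSES))
    print("fail-open verdict on a 500:",
          monitor_verdict(BROKEN_RECV, "HTTP/1.1 500 Internal Server Error", fail_open=True))
```

Note that the original recv string from the release note is rejected by this check even though Python compiles it: its lowercase "http" and the missing space before the status code mean it never matches a real status line, so it would not have caught unhealthy servers even with the escape handling fixed.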
723722-1 : MCPD crashes if several thousand files are created between config syncs.
Component: TMOS
Symptoms:
If more than several thousand (typically 20,000, but number varies by platform) files, for example SSL certificates or keys, are created between config syncs, the next config sync operation will take too long and mcpd will be killed by sod.
Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.
Impact:
Traffic is disrupted while the MCPD process restarts.
Workaround:
Run a config sync operation after every ~5000 files created.
Fix:
MCPD no longer crashes if several thousand files are created between config sync operations.
723298-1 : BIND upgrade to version 9.11.4
Component: TMOS
Symptoms:
The BIG-IP system is running BIND version 9.9.9.
Conditions:
BIND on BIG-IP system.
Impact:
BIND 9.9 Extended Support Version was supported until June, 2018.
Workaround:
None.
Fix:
BIND version has been upgraded to 9.11.4.
722682-3 : Fix of ID 615222 results in upgrade issue for GTM pool member with colon -- config failed to load★
Component: TMOS
Symptoms:
Loading configuration process failed after upgrade.
Conditions:
1. GTM pool member has colon in the name.
2. Upgrade to versions that has fix for ID 615222.
Impact:
Configuration load fails.
Workaround:
Add "\\" before the first ":" after upgrade.
722677-5 : High-Speed Bridge may lock up
Component: Local Traffic Manager
Symptoms:
Under certain conditions, hardware systems with a High-Speed Bridge and using Layer 2 forwarding configurations may experience a lockup of the High-Speed Bridge.
Conditions:
Hardware platform with High-Speed Bridge.
Layer 2 forwarding enabled.
vlangroup.flow.allocate disabled.
Impact:
High-Speed Bridge lockup, leading to a failover event.
Workaround:
The vlangroup.flow.allocate DB variable is enabled by default.
Ensure that vlangroup.flow.allocate is enabled with the command:
modify /sys db vlangroup.flow.allocate value enable
722387-4 : TMM may crash when processing APM DTLS traffic
Component: Local Traffic Manager
Symptoms:
When processing DTLS traffic for APM, TMM may crash.
Conditions:
APM provisioned and configured.
DTLS enabled in APM configuration.
Impact:
TMM crash, leading to a failover event.
Workaround:
None.
Fix:
DTLS traffic is now processed as expected.
722363-3 : Client fails to connect to server when using PVA offload at Established
Component: Local Traffic Manager
Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.
When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.
Conditions:
A FastL4 virtual server is configured with offload_state = EST.
Impact:
Clients fail to connect to the server.
Workaround:
There is no workaround other than to disable PVA acceleration.
722091-4 : TMM may crash while processing HTTP traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions TMM may crash while processing HTTP traffic
Conditions:
Use of HTTP iRules and/or LTM policies utilizing HTTP features.
Impact:
TMM crash leading to a failover event.
Workaround:
There is no workaround at this time.
Fix:
TMM now processes HTTP traffic as expected.
721985-1 : PAYG License remains inactive as dossier verification fails.
Component: TMOS
Symptoms:
- BIG-IP is deployed in a cloud environment (AWS/Azure/GCE) with PAYG licenses. The license won't activate on the startup.
Conditions:
- There are multiple ways this can happen, but all of them come down to a networking issue in the user's environment that causes the HTTP calls to the cloud metadata service to fail.
- This can be a simple routing issue to the metadata service or a firewall issue.
Impact:
As license activation fails, the instance becomes unusable.
Workaround:
Look in /var/log/ltm to determine the networking issue that is causing the dossier verification failure. It is typically logged in the following form:
Curl request to metadata service failed with error(<error-code>): '<error-message>'
By resolving this networking error, license activation should succeed.
Fix:
PAYG License remains inactive as dossier verification fails.
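To make the Workaround above quicker to act on, the following added example (written for this page, not F5 code) pulls every metadata-service failure out of /var/log/ltm lines and maps the curl error code to the network fault it usually indicates. The message text is the one quoted in the release note; the sample log lines are constructed, their syslog prefix (timestamp, host, process name) is an assumption about layout, and the code-to-cause hints are libcurl's documented exit codes.

```python
"""Added example (not part of the F5 release notes, not F5 code): extract the
metadata-service failures behind a PAYG dossier verification failure
(ID 721985) from /var/log/ltm and map each curl error code to the network
fault it usually indicates.

The message text is the one quoted in the release note:
    Curl request to metadata service failed with error(<code>): '<message>'
The sample lines below are constructed; their syslog prefix (timestamp, host,
process name) is an assumption about layout, and the parser keys only on the
message text. The code-to-cause hints are libcurl's documented exit codes.
"""
import re
from collections import Counter
from typing import Dict, List

# libcurl exit codes: 6 CURLE_COULDNT_RESOLVE_HOST, 7 CURLE_COULDNT_CONNECT,
# 28 CURLE_OPERATION_TIMEDOUT.
CURL_HINTS: Dict[int, str] = {
    6: "could not resolve host: DNS or resolver path to the metadata service",
    7: "could not connect: route, security group or firewall blocks the metadata endpoint",
    28: "operation timed out: traffic is being dropped, usually a firewall or missing route",
}

FAILURE_RE = re.compile(
    r"Curl request to metadata service failed with error\((?P<code>\d+)\): '(?P<msg>[^']*)'"
)

# Constructed sample: a slice of /var/log/ltm during a failed PAYG activation.
# The process name "lic" is a placeholder, not a real BIG-IP daemon name.
SAMPLE_LTM_LOG = """\
Jun 12 10:01:02 bigip1 warning lic[1234]: Curl request to metadata service failed with error(7): 'Failed to connect to 169.254.169.254 port 80: No route to host'
Jun 12 10:01:03 bigip1 notice mcpd[2345]: 01071681:5: SNMP_TRAP: Virtual /Common/app_vs has become available
Jun 12 10:02:02 bigip1 warning lic[1234]: Curl request to metadata service failed with error(28): 'Connection timed out after 5001 milliseconds'
Jun 12 10:03:02 bigip1 warning lic[1234]: Curl request to metadata service failed with error(6): 'Could not resolve host: metadata.google.internal'
"""


def metadata_failures(log_text: str) -> List[Dict[str, object]]:
    """Return one record per matching line: curl code, quoted message, hint."""
    records: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        match = FAILURE_RE.search(line)
        if not match:
            continue
        code = int(match.group("code"))
        records.append({
            "code": code,
            "message": match.group("msg"),
            "hint": CURL_HINTS.get(code, "unlisted curl exit code; see the curl manual"),
        })
    return records


def failure_counts(records: List[Dict[str, object]]) -> Counter:
    """Count failures per curl code so the dominant fault stands out."""
    return Counter(r["code"] for r in records)


if __name__ == "__main__":
    found = metadata_failures(SAMPLE_LTM_LOG)
    for rec in found:
        print(f"curl error {rec['code']}: {rec['message']}\n    -> {rec['hint']}")
    print("per-code counts:", dict(failure_counts(found)))
```

Feed it the output of grep on /var/log/ltm for "metadata service"; the counts tell you whether you are chasing a resolver problem, a missing route, or a silent drop.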
721924-6 : bgpd may crash processing extended ASNs
Component: TMOS
Symptoms:
Under certain conditions bgpd may crash while processing extended ASNs.
Conditions:
Dynamic routing enabled.
Extended ASN capability enabled: bgp extended-asn-cap enabled
Impact:
Dynamic routing disrupted while bgpd restarts.
Fix:
bgpd now processes extended ASNs as expected.
721621-3 : Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
Component: Local Traffic Manager
Symptoms:
If an LTM pool is configured with only FQDN members, the DNS server resolves the FQDN to IP addresses that match statically-configured LTM nodes, and the IP address records returned by the DNS server change, an ephemeral pool member may not be added to the pool for the new IP address.
When in this state, if the FQDN template pool member is deleted from the pool, a new ephemeral pool member may be added corresponding to the last IP address record returned by the DNS server.
Conditions:
This may occur when:
1. Static nodes are configured which match addresses that may be returned in the DNS query for a given FQDN name.
2. An FQDN node is created with autopopulate disabled, for an address which may resolve to the same address as one of the static nodes.
3. This FQDN node is added (as a pool member) with autopopulate disabled, to a pool with no other non-FQDN members.
4. The DNS server resolves the FQDN name to an address that matches one of the static nodes.
5. A subsequent DNS query resolves the FQDN name to a different address that matches a different static node.
Impact:
In this case:
-- The original ephemeral member is removed from the pool.
-- A new ephemeral member for the new address may NOT be added to the pool.
-- In this state, if the FQDN template member is deleted from the pool, a new ephemeral member (i.e., the missing ephemeral with new IP address) is re-added to the pool.
Note. This symptom can occur only if the statically-configured node is created prior to an ephemeral pool member being created for the same IP address. If an ephemeral pool member and node are created first, it is not possible to create a statically-configured node or pool member using the same IP address.
Overall, traffic for the affected pool may not be sent to correct pool member (new ephemeral address).
If no other members are defined in the pool, traffic will be interrupted.
Workaround:
This issue can be prevented by:
-- Avoiding configuring a static (non-FQDN) node with an IP address that matches any address that might be returned by the DNS server when resolving the FQDN.
-- Adding a statically-configured pool member to the pool in addition to the FQDN template member.
Once the symptom occurs, recovery is possible by performing either of the following actions:
-- Delete the statically-configured node with the conflicting IP address.
-- Recreate the node using the following procedure:
1. Delete the FQDN template member from the pool.
2. Delete the orphaned ephemeral member from the pool.
3. Re-add the FQDN template member to the pool.
Fix:
When an FQDN pool member address resolves to the same IP address as an existing static node, the corresponding ephemeral pool member is successfully created and deleted as expected, including when the IP address returned by the DNS query changes.
721364-1 : BIG-IP per-application VE BYOL license does not support three wildcard virtual servers
Component: TMOS
Symptoms:
A BIG-IP Virtual Edition (VE) administrator can create only one wildcard virtual server under a per-application BYOL license.
Note: If you are using BIG-IQ 6.0.0 or 6.0.1 to manage AWS-based, per-app BIG-IP VE systems running versions 13.1.0.5 through 13.1.0.8, you must use the following AWS templates:
-- Default-AWS-f5-HTTPS-WAF-lb-template
-- Default-AWS-f5-HTTPS-offload-lb-template
For these two templates, ports 443 and 80 (for HTTP redirect) are hard-coded in an iRule, which enables this functionality.
Conditions:
Per-app VE with BYOL license.
Impact:
Per-app VE with BYOL license does not work as expected.
Workaround:
N/A
Fix:
Per-app VE BYOL license now supports three wildcard virtual servers.
721342-2 : No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments.
Component: TMOS
Symptoms:
No Per-App Virtual Edition (VE) LTM or Per-App VE WAF images for various cloud environments.
Conditions:
Various Cloud environments (i.e., Azure, Google, AWS).
Impact:
No options to use various Per-App VE features.
Workaround:
None.
Fix:
There are now offerings for various cloud environments (Azure, Google, AWS). There are two types of Per-App VE LTM and two of Per-App VE WAF images.
720961-4 : Upgrading in Intelligence Community AWS environment may fail
Component: TMOS
Symptoms:
After importing an AWS instance into the Intelligence Community (IC) AWS environment you cannot upgrade to 13.1.0.2 (or later) because the license fails to validate afterwards.
Conditions:
-- Manually imported BIG-IP image into AWS IC.
-- Upgraded to 13.1.0.2 or newer.
Impact:
The system fails to validate the license after rebooting into the new software. Licenses are inoperative after the upgrade.
Workaround:
To work around this issue, perform the following procedure:
1. Redeploy a BYOL image from the IC marketplace.
2. Move over the license.
3. Configure the system.
Fix:
This release provides improved license validation to address this situation by detecting the IC environment while still allowing prior licenses to function.
720799-1 : Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
Component: Local Traffic Manager
Symptoms:
When using FQDN pool members, if all ephemeral members are removed and replaced by a DNS query that returns an entirely new set of IP addresses (no overlap with previous DNS query results), all ephemeral pool members are removed before the new ephemeral pool members are created.
This results in a brief moment when there are no ephemeral members (that can receive traffic) in the pool.
Conditions:
A DNS query for the FQDN node in which the pool members belong, returns an entirely new set of IP addresses (no overlap with previous DNS query results).
Impact:
The brief moment during which there are no ephemeral members (that can receive traffic) in the pool can cause a Virtual Server or Virtual Address using that pool to flap.
Workaround:
It is possible to work around this issue by:
1. Adding a pool member with a statically-configured IP address.
2. Including multiple FQDN pool members in the pool, to limit the effect of the ephemeral members changing for a single FQDN pool member.
Fix:
When using FQDN pool members, ephemeral members whose IP addresses are not present in the most recent DNS query results are not immediately deleted from the pool.
To prevent the brief condition in which there are no ephemeral members in the pool (which can cause a Virtual Server or Virtual Address using that pool to flap), creation of new ephemeral nodes and pool members occurs immediately, but deletion of old ephemeral nodes and pool members occurs after a delay.
The duration of the delay follows the fqdn 'down-interval' value configured for the associated FQDN template node.
720713-1 : TMM traffic to/from an i10600/i10800 device in vCMP host mode may fail
Component: TMOS
Symptoms:
When an i10600/i10800 device is configured as a vCMP host and at least one vCMP guest is running (or ever ran), TMM traffic to the vCMP host may fail.
Note: Management port traffic to/from the device is unaffected.
Note: TMM traffic to/from the vCMP guests running on the device is unaffected. This issue affects only the vCMP host.
The most visible symptom is that TMM on the vCMP host fails to answer ARP requests that it receives for its own Self-IP addresses.
Conditions:
This issue occurs when all of the following conditions apply:
- i10600/i10800 device in vCMP host mode.
- At least one vCMP guest is deployed or was deployed, at some point.
Impact:
Inability to communicate to/from the vCMP host via its Self-IP addresses.
Workaround:
None.
Fix:
The vCMP host continues to handle traffic correctly once a guest is started.
720651-1 : Running Guest Changed to Provisioned Never Stops
Component: TMOS
Symptoms:
After changing a vCMP guest's state to provisioned, the guest remains running and shows a status of stopping.
Conditions:
-- Guests deployed on a BIG-IP VCMP host.
-- Changing the state from deployed to provisioned.
Impact:
Guests do not stop and change status until vcmpd process is restarted.
Workaround:
There is no workaround.
Fix:
The guest now stops when the state is changed from deployed to provisioned.
720391-3 : BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'
Component: TMOS
Symptoms:
BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' and 'unknown' when OID sysObjectID is queried.
Conditions:
1. Execute 'tmsh show sys hardware'.
2. Query for OID sysObjectID using snmpwalk.
Impact:
System is reported as 'none', when it should be i7800-D. Platform with dual SSD not correctly identified using tmsh command or snmpwalk.
Workaround:
None.
Fix:
Added new SNMP OID for BIG-IP i7800 Dual SSD, reported as BIG-IP i7800-D, which is the correct designation.
720293-4 : HTTP2 IPv4 to IPv6 fails
Component: Local Traffic Manager
Symptoms:
An IPv4-formatted virtual server with an IPv6-formatted pool member cannot establish the connection to the pool member if HTTP2 is configured.
Conditions:
-- IPv4 virtual Server.
-- IPv6 pool member.
-- HTTP2 profile.
Impact:
Traffic connection does not establish; no traffic passes.
Workaround:
None.
Fix:
In this release, an IPv4-formatted virtual server with an IPv6-formatted pool member works with HTTP2.
720104-2 : BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
Component: TMOS
Symptoms:
BIG-IP i2800/i2600 650W AC PSU is missing marketing name under 'show sys hardware' and displays 'unknown' when OID sysObjectID is queried.
Conditions:
-- Execute 'tmsh show sys hardware'.
-- Query for OID sysObjectID using snmpwalk.
-- Using BIG-IP i2800/i2600 platforms.
Impact:
System reports an empty marketing name when queried. Platform with 650W AC PSU not identified using tmsh command or snmpwalk.
Workaround:
There is no workaround at this time.
Fix:
Added new SNMP OID for BIG-IP i2800/i2600 650W AC PSU.
719644-3 : If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★
Component: Global Traffic Manager (DNS)
Symptoms:
When an LTM configuration has virtual server names containing a period (.), a GTM configuration with auto-discovery enabled that is upgraded from v11.5.x to a later version might lose consistency.
Conditions:
-- Upgrading GTM from v11.5.x to later versions (e.g., BIG-IP DNS v12.x).
-- Auto-discovery is enabled.
-- LTM configuration containing virtual server names containing the period character (.).
-- The same virtual server name is used in multiple partitions.
Impact:
The configuration after the upgrade might be affected in the following ways:
-- Missing virtual servers.
-- Deletion of some pool members.
-- Virtual servers with incorrect addresses.
Workaround:
There is no workaround at this time.
Fix:
This release supports GTM upgrades from 11.x to BIG-IP DNS 12.x and later versions for cases where:
-- Auto-discovery is enabled.
-- LTM virtual server names contain a period character (.).
-- The same virtual server name is used in multiple partitions.
719600-1 : TCP::collect iRule with L7 policy present may result in connection reset
Component: Local Traffic Manager
Symptoms:
If an iRule utilizing TCP::collect and HTTP_REQUEST is on a virtual server with an L7 policy, the policy engine may cause the connection to be unexpectedly reset with a 'policy execution error' reset cause, and 'Unable to resume pending policy event on connflow' will be logged to /var/log/ltm.
Conditions:
TCP::collect and HTTP_REQUEST iRule with L7 policy on virtual server.
Impact:
Connections may be unexpectedly reset and errors logged to /var/log/ltm.
Workaround:
At the start of the HTTP_REQUEST event, issue an 'after 1' command to allow the policy engine to reach a consistent state before proceeding with the remainder of the iRule.
719597-1 : HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0
Component: TMOS
Symptoms:
When two VIPRION chassis with B2250 blades try to form a high availability (HA) connection, with one running v12.1.1 and the other running v13.1.0, HA connections between TMMs on Active and TMMs on Standby might fail.
Conditions:
-- Two VIPRION chassis with B2250 blades.
-- One blade running v12.1.1 and the other running v13.1.0.
-- Try to configure HA connection.
Impact:
Fail to form HA connection.
Workaround:
There is no workaround other than installing the same software on both blades.
Fix:
A new sys db mhdag.bitshift is added to support HA configurations using B2250 blades running v12.1.1 and v13.1.x. Set mhdag.bitshift to 5 on VIPRION chassis with B2250 blades running v13.1.x by running the following command: tmsh modify sys db mhdag.bitshift value 5
HA between VIPRION chassis running v12.1.1 and v13.1.x with B2250 blades now works as expected.
719554-1 : Linux Kernel Vulnerability: CVE-2018-8897
Solution Article: K17403481
719396-2 : DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.
Solution Article: K34339214
Component: TMOS
Symptoms:
DHCP Client on the BIG-IP system sends host-name 'localhost' in DISCOVER packet after first boot.
Note: The problem goes away after the first boot.
Conditions:
-- DHCP is enabled (this is the default on BIG-IP systems).
-- Initial startup.
Impact:
This can affect the lease given out by the DHCP server in the given network if the DHCP server is configured in such a way as to dynamically update the DNS based on the host-name option in the lease.
Workaround:
-- Empty the /var/lib/dhclient/dhclient.leases file.
-- Run the following command: bigstart restart dhclient
Fix:
DHCP Client on the BIG-IP system no longer sends 'localhost' as the host-name in DISCOVER packet after first boot.
718817-1 : Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.
Component: TMOS
Symptoms:
Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest fails due to a race condition.
There are log entries in /var/log/liveinstall.log:
-- error: status 256 returned by command: F5_INSTALL_SESSION_TYPE=install tmsh -f save sys ucs /var/tmp/kRf24pKXTQ.ucs.
-- info: tar: config/.ucs_base_mac: Cannot stat: No such file or directory.
-- info: Unexpected Error: UCS saving process failed.
Conditions:
-- Installing onto secondary VIPRION blade or onto VIPRION-based vCMP guest.
Impact:
Software installation fails.
Workaround:
You can use either workaround:
-- Add 'ignore .ucs_base_mac' to the 'monitor dir /config' stanza in /etc/csyncd.conf on all blades, and then restart csyncd on all blades by running "clsh bigstart restart csyncd"
-- Retry the installation until it succeeds.
718525-2 : PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting
Component: TMOS
Symptoms:
After removing the mcpd binary database and restarting, occasionally there are errors similar to the following in /var/log/ltm:
warning postgres[7663]: [3-1] ERROR: duplicate key value violates unique constraint "vlan_pkey"
(The object type may be something other than 'vlan_pkey'.)
Conditions:
This occurs when you remove the mcpd binary database and reboot the system.
Impact:
The configuration does not load until 'bigstart restart' is executed.
Workaround:
None.
Fix:
The 'duplicate key value' errors are no longer seen when removing the mcpd binary database and restarting.
717888-4 : TMM may leak memory when a virtual server uses the MQTT profile.
Component: Local Traffic Manager
Symptoms:
TMM may leak memory when a virtual server uses the MQTT profile.
Specifically, the xhead, xdata, mqtt_message, and mqtt_slab memory components might be seen leaking when inspecting TMM memory utilization using the following command: tmsh show sys memory.
Conditions:
This issue occurs when all of the following conditions are met:
-- A virtual server uses the MQTT profile.
-- That virtual server has no pool members available (hence it cannot load-balance traffic anywhere). This might occur because of the following:
+ A monitor has marked the pool members down.
+ A BIG-IP system Administrator manually forces the pool members off-line.
+ The pool members are unresponsive at connection time.
Impact:
Performance becomes degraded as TMM leaks memory. Eventually, TMM might crash due to memory exhaustion. Traffic disrupted while TMM restarts.
Workaround:
If the MQTT profile is not essential to the correct functioning of the virtual server (for example, because it is only used for gathering statistics), then you can remove the MQTT profile from the virtual server to prevent this issue from occurring.
You may want to restart TMM (using the command: bigstart restart tmm) to release any memory and start fresh after removing the MQTT profile. This will interrupt traffic momentarily and cause a failover on redundant units.
On multi-blade systems, you might want to wrap the command within 'clsh' to execute it on all blades (e.g.: clsh bigstart restart tmm).
Fix:
The MQTT profile no longer leaks TMM memory when it fails to load-balance traffic to a server-side resource.
717742-6 : Oracle Java SE vulnerability CVE-2018-2783
Solution Article: K44923228
717346-1 : [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
Solution Article: K13040347
Component: Local Traffic Manager
Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.
Conditions:
This occurs rarely; an unstable network could be one cause.
Impact:
Cannot use stats for troubleshooting.
Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket
716922-1 : Reduction in PUSH flags when Nagle Enabled
Component: Local Traffic Manager
Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.
Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.
Note: The problem only has an impact when the client withholds ACKs for segments that carry no PUSH flag.
Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.
Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.
Note: To take advantage of some of the Nagle benefits, use 'Auto'.
Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.
716900-3 : TMM core when using MPTCP
Component: Local Traffic Manager
Symptoms:
In some cases TMM may crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic interrupted while TMM restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
716716-1 : Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
Component: Local Traffic Manager
Symptoms:
TMM cores when the system has a kernel route configured, but no matching TMM route.
Conditions:
The scenario that can lead to this state is unknown.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
Either remove the kernel route, or add a matching TMM route.
Fix:
This release prevents the core that occurred when the kernel has a route that has no corresponding TMM route.
716392-2 : Support for 24 vCMP guests on a single 4450 blade
Component: TMOS
Symptoms:
Cannot create more than 12 vCMP guests per blade.
Conditions:
-- Using vCMP.
-- VIPRION blades.
Impact:
Cannot configure more than 12 vCMP guests.
Workaround:
None.
Fix:
This release supports 24 vCMP guests on 4450 blades. Increased vCMP density ensures that all guests can access the hardware capabilities available from the BIG-IP platforms and VIPRION blades.
Behavior Change:
This release supports 24 vCMP guests on VIPRION 4450 blades. Increased vCMP density ensures that all guests can access the hardware capabilities available from BIG-IP platforms and VIPRION blades.
715923-7 : When processing TLS traffic TMM may reset connections
Component: Local Traffic Manager
Symptoms:
Under certain conditions TMM may reset TLS connections with a BAD_RECORD_MAC alert.
Conditions:
TLS profile active.
Impact:
BIG-IP sends a BAD_RECORD_MAC alert and terminates the SSL connection.
Workaround:
None.
Fix:
TMM now processes TLS traffic as expected.
715883-1 : tmm crash due to invalid cookie attribute
Component: Local Traffic Manager
Symptoms:
tmm crash due to invalid request-side cookie attribute.
Conditions:
While processing an HTTP request, an iRule tries to add a cookie attribute to a cookie that is only valid in an HTTP response (for instance, an 'expires' attribute).
Impact:
TMM cored. Traffic disrupted while tmm restarts.
Workaround:
None.
715750-1 : The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.
Component: Local Traffic Manager
Symptoms:
Upon receiving a FIN midstream in an SSL connection, the BIG-IP system will immediately proxy the FIN to the remote host on the peer side. At this point, depending on the specific configuration of the remote host on the peer side, the BIG-IP system may exhibit behaviors that may be deemed undesirable.
For instance, if the remote host on the peer side acknowledges the FIN but ignores it and keeps sending data to the BIG-IP system, the BIG-IP system will drop all ingress data (i.e., not proxy it) while keeping the side that transmitted the original FIN open indefinitely.
Once the remote host on the peer side completes transmitting data and sends a FIN of its own, the BIG-IP system will finally release the side that sent the original FIN by allowing it to close.
Conditions:
This issue occurs when the following conditions are met:
-- A standard virtual server with the clientssl and serverssl profiles in use.
-- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.
Impact:
There is no real impact to the BIG-IP system because of this issue. However, both the client and the server can be negatively impacted by this issue.
For example, if the original FIN was received by the BIG-IP system on the clientside:
-- The client connection is not allowed to close for potentially a very long time. During this time, the client does not receive anything other than Keep-Alive packets from the BIG-IP system. This can delay or adversely impact applications on the client.
-- The server continues to send data to the BIG-IP system unnecessarily. After accounting for the fact this could be a lot of data and many connections could be in this state, the server and/or its surrounding network could become impacted/congested. At a minimum, this might cause a waste of resources.
Workaround:
There is no workaround at this time.
Fix:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.
Behavior Change:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.
715467-1 : Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
Component: Local Traffic Manager
Symptoms:
If the 'A' record for an FQDN node is removed or replaced on the DNS server, then the BIG-IP system does not remove the old ephemeral pool member or create the new pool member and node.
Conditions:
-- FQDN nodes.
-- Pool members with a service port of ANY.
Impact:
Ephemeral pool member and nodes are not removed or updated when the DNS 'A' record is removed or changed.
Workaround:
There is no workaround at this time.
Fix:
Upon a DNS 'A' record being removed or changed, the ephemeral pool members and nodes based on the old value are removed or changed.
715448-3 : Providing LB::status with a GTM Pool name in a variable caused validation issues
Solution Article: K16055759
Component: Global Traffic Manager (DNS)
Symptoms:
When utilizing an LB::status iRule where the GTM Pool name was provided in a variable, instead of directly written into the command, the system posts the following error message: Can't read 'monkey': no such variable.
Conditions:
LB::status pool <variable containing the pool name as a string>.
Impact:
Unable to use LB::status iRule.
Workaround:
There is no workaround at this time.
Fix:
Can now use LB::status iRule command to display the status of a GTM Pool when the name of the pool is provided in a variable.
714749-1 : cURL Vulnerability: CVE-2018-1000120
Component: TMOS
Symptoms:
It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker able to provide a specially crafted FTP URL to an application using libcurl could write a NULL byte at an arbitrary location, resulting in a crash or other unspecified behavior.
Conditions:
BIG-IP systems are not affected by this vulnerability.
Impact:
None.
Workaround:
None.
Fix:
Patched CVE-2018-1000120
714384-2 : DHCP traffic may not be forwarded when BWC is configured
Component: Local Traffic Manager
Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.
Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.
Impact:
DHCP traffic may not be forwarded.
Workaround:
There is no workaround other than to remove the BWC policy.
Fix:
DHCP traffic is now forwarded when BWC is configured.
714303-2 : X520 virtual functions do not support MAC masquerading
Component: TMOS
Symptoms:
MAC masquerading is not supported when using X520 virtual functions via SR-IOV in Virtual Edition (VE). This is due to a lack of functionality in the underlying hardware.
Conditions:
-- Use SR-IOV virtual functions as interfaces within VE.
-- Configure MAC masquerading with a shared MAC that should follow the active system after traffic group failovers.
Impact:
MAC masquerading will not function in this environment.
Workaround:
There is no workaround other than not to use MAC masquerading, as conventional failover works for this environment.
Fix:
MAC masquerading is now supported when using X520 virtual functions via SR-IOV in Virtual Edition (VE).
713951-6 : tmm core files produced by nitrox_diag may be missing data
Component: Local Traffic Manager
Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.
Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.
Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.
713934-1 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result in a malformed TC response
Component: Local Traffic Manager
Symptoms:
Received malformed Truncated DNS response.
Conditions:
-- Using iRule 'DNS::question name' to shorten the name.
-- DNS response is longer than 4096 UDP limit.
Impact:
DNS request might not be resolved correctly.
Workaround:
There is no workaround at this time.
Fix:
In this release, when 'DNS::question name' changes the query name, the software ensures that the request is updated with the proper lengths.
713932-2 : Commands are replicated to PostgreSQL even when not in use.
Component: TMOS
Symptoms:
In MCP, PostgreSQL is used only by AFM. Even when AFM is not provisioned, however, commands are being replicated to PostgreSQL.
Conditions:
AFM is not provisioned.
Impact:
Unnecessary CPU cycles spent by MCP replicating commands to PostgreSQL.
Workaround:
None.
Fix:
Prevented replication of commands to PostgreSQL when it is not in use.
713766-1 : VLAN failsafe failover may not occur
Component: Local Traffic Manager
Symptoms:
VLAN failsafe may not take effect, so the failover it should trigger does not occur.
Conditions:
If the VLAN failsafe is disabled, and then re-enabled, it might not properly take effect.
Impact:
System will not fail over when it should.
Workaround:
The failure condition is cleared by the next reboot following the disable/enable.
Fix:
Failover occurs as expected.
713533-1 : list self-ip with queries does not work
Component: Local Traffic Manager
Symptoms:
The 'list net self' command always returns all Self IPs, regardless of the regex pattern supplied.
Conditions:
Running 'list net self' with a regex pattern intended to filter the output.
Impact:
You are unable to filter the Self IP list using a regex pattern.
Fix:
You can now use pattern matching to list Self IPs
713491-3 : IKEv1 logging shows spi of deleted SA with opposite endianness
Component: TMOS
Symptoms:
Sometimes the IKEv1 racoon daemon logs a 32-bit child-SA spi with octets in backwards order (reversing the endianness).
Conditions:
When an SA is deleted.
Impact:
Logging typically shows a network byte order spi in the wrong order. Cosmetic interference with logging interpretation.
Workaround:
There is no workaround at this time.
Fix:
The spi values are shown in the correct endianness now.
712819-1 : 'HTTP::hsts preload' iRule command cannot be used
Component: Local Traffic Manager
Symptoms:
Using the 'HTTP::hsts preload' iRule command in the GUI, you might see error message similar to the following:
01070151:3: Rule [/Common/test] error: /Common/test:3: error: ["invalid argument preload; expected syntax spec: "][HTTP::hsts preload enable].
The message is incorrect: the command has the correct format. However, the system does not run it.
Conditions:
Using the 'HTTP::hsts preload' iRule command in the GUI.
Impact:
The command does not run. Cannot use the 'HTTP::hsts preload' iRule command in the GUI.
Workaround:
None.
Fix:
'HTTP::hsts preload' iRule command now works as expected.
712664-1 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, an IPv6 Neighbor Solicitation (NS) may be dropped when it is for a host on the remote VLAN of a transparent vlangroup and the target address matches a virtual address that has ARP disabled.
Conditions:
- transparent vlan-group
- Virtual Address with ARP disabled
- Virtual Address corresponds to remote IPv6 host address
Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.
Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.
Fix:
IPv6 NS is no longer dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address.
712637-1 : Host header persistence not implemented
Component: Local Traffic Manager
Symptoms:
Online documentation describes a persistence mechanism which uses the HTTP Host: header. However, this mechanism is not implemented, and attempts to use it generate an error.
Conditions:
Online help for ltm persistence says that Host persistence can be enabled via iRule, but attempting to do so generates an error 'invalid argument host'.
Impact:
Although this does not impact any existing functionality, the documented function is not available.
Workaround:
There is no workaround at this time.
Fix:
LTM Host: header persistence is implemented.
711281-6 : nitrox_diag may run out of space on /shared
Component: Local Traffic Manager
Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.
Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.
Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.
Workaround:
The only workaround is to ensure there is enough free space for the files to be created.
In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte, though more might be needed for systems with a large amount of RAM.
Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.
711249-3 : NAS-IP-Address added to RADIUS packet unexpectedly
Component: TMOS
Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.
Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.
Impact:
Authentication fails because the RADIUS server receives an invalid or unrecognized NAS-IP-Address.
Workaround:
Configure cluster member IP address or define hostname and address via global-settings remote-host.
711093-4 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
Component: Policy Enforcement Manager
Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.
Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).
Impact:
PEM sessions remain in marked-for-delete state.
Workaround:
None.
Fix:
PEM sessions no longer stay in the marked-for-delete state after session delete
710976-2 : Network Map might take a long time to load
Component: TMOS
Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.
For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.
In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.
# tmsh list ltm virtual vs
ltm virtual vs {
creation-time 2018-03-06:18:27:53
destination 0.0.0.0:any
ip-protocol tcp
last-modified-time 2018-03-06:18:27:53
mask any
profiles {
myhttp { }
tcp { }
}
rules {
myrule
}
source 0.0.0.0/0
translate-address disabled
translate-port disabled
vlans {
socks-tunnel
}
vs-index 5
}
Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.
-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.
Impact:
It takes tens of seconds to load the Network Map page.
Workaround:
None.
Fix:
The data loading performance was improved to load the page faster.
710827-1 : TMUI dashboard daemon stability issue
Component: TMOS
Symptoms:
Some dashboard requests may cause a crash of TMUI dashboard daemons, affecting the TMUI dashboard.
Conditions:
Request sent to BIG-IP dashboard.
Impact:
Only the TMUI dashboard goes offline. Other TMUI functionality is not affected by this issue.
Workaround:
None available.
Fix:
Correct exception handling was added, which prevents the TMUI dashboard service failure.
710705-1 : Multiple Wireshark vulnerabilities
Solution Article: K34035645
710246-1 : DNS-Express was not sending out NOTIFY messages on VE
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express is not sending out NOTIFY messages on BIG-IP Virtual Edition (VE).
Conditions:
-- DNS Express configured to send out NOTIFY messages.
-- Running on BIG-IP VE configuration.
Impact:
DNS secondary servers serving stale data.
Workaround:
There is no workaround at this time.
Fix:
DNS Express now sends out NOTIFY messages on VE.
710232-1 : platform-migrate fails when LACP trunks are in use
Component: TMOS
Symptoms:
Use of the platform-migrate option might fail due to some configurations being invalid on the new system. The error message generated appears as follows:
01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform.
Conditions:
You have a trunk with LACP enabled.
-- You are migrating from a hardware platform to a Virtual Edition (VE).
Impact:
Configuration fails to migrate.
Workaround:
After taking the old system offline, but before saving the UCS, disable LACP on all trunks.
710221-1 : Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled
Solution Article: K67352313
Component: Local Traffic Manager
Symptoms:
In a high availability (HA) configuration, when an FQDN template node on the 'active' unit is set to 'Force Offline' and the configuration is synchronized to the 'standby' unit, and the FQDN template node is then re-enabled on the 'active' unit (with the configuration synchronized again), the ephemeral nodes associated with that FQDN template node remain Unavailable on the 'standby' unit.
Conditions:
HA configuration is configured with 'active' sync.
-- FQDN template-node is configured.
-- After ephemeral nodes are refreshed on the 'active' unit, it transitions to the 'standby' unit.
-- The FQDN template node on the (new-'active') unit is 'Force Offline' by the user.
-- The user explicitly 'Enable' that FQDN template node on the 'active' unit.
Impact:
The ephemerals on the 'standby' unit remain unavailable, even though the associated FQDN template node is 'available'. However, as no traffic is routed to the 'standby' unit, traffic is unaffected. Upon transition from 'standby' to 'active', the ephemeral nodes will be refreshed and traffic should continue.
Workaround:
You can use either of these configuration options to prevent this issue from occurring:
-- Select 'Disabled' (rather than 'Force Offline') for the FQDN template node on the 'active' unit.
-- Configure the node without using FQDN.
Fix:
Upon 'Force Offline' and then 'Enable' for an FQDN template node on an 'active' unit in an HA configuration, the ephemerals on the 'standby' unit will reflect the re-enabled status based on the associated FQDN template-node on the 'active' unit.
710148-1 : CVE-2017-1000111 & CVE-2017-1000112
Solution Article: K60250153
710032-2 : 'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system.
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system posts a 'No Access' error message instead of the virtual server's properties.
Conditions:
-- At least two BIG-IP systems in a sync group.
-- One of the BIG-IP systems has a partition that does not exist on the other with an LTM virtual server on that partition.
-- The issue occurs when a GSLB Server discovers that LTM virtual server and displays it on its virtual server page.
Note: This same error message displays for GSLB pool member properties accessed by navigating to GSLB :: pools :: [pool] :: members :: Member : Address. The differing issues have been fixed in differing releases. You can find information about the similar issue in the AskF5 Bug Tracker article for 722734.
Impact:
It makes the GSLB Server's virtual server's properties page unavailable in this case.
Workaround:
Use either of the following workarounds:
-- Use TMSH to view or edit the properties of that virtual server.
-- Create partitions on the GTM device to match those appearing to be referenced in the object names.
Fix:
Partition checking has been disabled for virtual servers on the GTM side, since a virtual server owned by a server is always in the partition of that server (/Common).
709972 : CVE-2017-12613: APR Vulnerability
Solution Article: K52319810
709936-2 : Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
Component: TMOS
Symptoms:
/var/log/boot.log has this error:
dhcp_config: save error: 01070911:3: The requested host (ntp-servers-ip) is invalid for servers in ntp (/Common/ntp).
Conditions:
- The BIG-IP system has DHCP enabled for management interface.
- Multiple NTP servers or domain-search are specified in the dhclient lease (stored at /var/lib/dhclient/dhclient.leases).
Impact:
- DNS and NTP servers are not configured in MCPD.
- Name resolution can break.
Workaround:
None.
Fix:
Multiple NTP servers or domain-search entries in the DHCP lease no longer cause missing DNS/NTP configuration.
709828-1 : fasthttp can crash with Large Receive Offload enabled
Component: Local Traffic Manager
Symptoms:
fasthttp and lro can lead to a tmm crash.
Conditions:
fasthttp and LRO enabled. (LRO is enabled by default in 13.1.0 and later.)
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use fasthttp
Fix:
fasthttp with lro enabled no longer causes tmm to crash.
709688-2 : dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
Solution Article: K08306700
709610-4 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
Component: Policy Enforcement Manager
Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.
Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
value "0"
}
sys db tmm.pem.session.provisioning.continuous {
value "disable"
}
-- Actions occur in the following order:
1. PEM receives RADIUS START with subscriber ID1 and IP1.
2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
3. PEM receives RADIUS START with subscriber ID1 and IP2.
4. PEM receives RADIUS STOP with subscriber ID1 and IP2.
-- The time interval between steps 1 and 2 is very small (less than ~1ms).
Impact:
Subscriber session creation via PEM may fail.
Workaround:
There is no workaround other than to leave the SysDB variables set to their default values.
Fix:
The system now handles PEM subscriber session updates properly, so this issue no longer occurs.
709256-1 : CVE-2017-9074: Local Linux Kernel Vulnerability
Solution Article: K61223103
709192-2 : GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart
Component: TMOS
Symptoms:
The export operation of SSL keys and certificate into a .tgz archive file fails when the httpd daemon is restarted.
Conditions:
-- Export SSL Keys and certificates into archive file.
-- httpd is restarted.
Impact:
Export of SSL Keys and certificates into archive file does not work immediately after httpd restart via GUI/iControl.
Workaround:
After httpd restart, perform other operation like creating a key/cert before exporting archive file.
Fix:
The system allows exporting SSL keys and certificate to be archived into .tgz files after httpd restart.
709133-1 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur
Component: Local Traffic Manager
Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error can occur.
Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- An error occurs when reading the certificate serial number.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not setting the tmm.ssl.loggingcreatedcerts BigDB variable.
Fix:
Double-free removed.
709132-2 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur
Component: Local Traffic Manager
Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a buffer overflow can occur.
Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- A malformed certificate with a serial number length equal to 256 bytes is parsed during forging.
Impact:
An off-by-one error causes one byte to be written past the end of an array.
Workaround:
There is no workaround other than to not set tmm.ssl.loggingcreatedcerts BigDB variable.
Fix:
Buffer no longer overflows.
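The two entries above (709133-1 and 709132-2) describe the same hazard: when forward proxy forges a certificate, the origin server's serial number is attacker-controlled input, and a fixed-size log buffer must be bounded by its own capacity rather than by what RFC 5280 says a conforming serial looks like (at most 20 octets). The following is an added illustration of that bug class and its fix, not F5's code; the buffer size, the function names and the constructed 0xAB serial bytes are assumptions chosen to match the 256-byte trigger described in 709132-2.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size buffer for logging a forged certificate's serial. */
#define SERIAL_LOG_CAP 256

/* Buggy copy: the bounds check admits len == cap, so the NUL terminator is
 * written at out[cap], one byte past the end of the buffer (an off-by-one). */
int serial_copy_buggy(const uint8_t *serial, size_t len, char *out, size_t cap)
{
    if (len > cap)             /* off by one: should be len >= cap */
        return -1;
    memcpy(out, serial, len);
    out[len] = '\0';           /* lands on out[cap] when len == cap */
    return (int)len;
}

/* Fixed copy: reserve one byte for the terminator and reject anything larger. */
int serial_copy_fixed(const uint8_t *serial, size_t len, char *out, size_t cap)
{
    if (cap == 0 || len >= cap)
        return -1;
    memcpy(out, serial, len);
    out[len] = '\0';
    return (int)len;
}

typedef int (*serial_copy_fn)(const uint8_t *, size_t, char *, size_t);

/* Run fn on a constructed serial of serial_len bytes into a SERIAL_LOG_CAP-byte
 * buffer that is immediately followed by a guard byte inside the same array, so
 * the demonstration itself stays within defined behaviour. Returns 1 if the
 * guard byte was overwritten, 0 if not, -1 if serial_len is out of range. */
int guard_clobbered(serial_copy_fn fn, size_t serial_len)
{
    uint8_t serial[512];
    char region[SERIAL_LOG_CAP + 1];

    if (serial_len > sizeof serial)
        return -1;
    memset(serial, 0xAB, sizeof serial);      /* constructed serial bytes */
    memset(region, 0, sizeof region);
    region[SERIAL_LOG_CAP] = 'G';             /* guard byte after the buffer */
    (void)fn(serial, serial_len, region, SERIAL_LOG_CAP);
    return region[SERIAL_LOG_CAP] != 'G';
}

/* Return value of fn (copied length, or -1 when rejected) for serial_len bytes. */
int copy_status(serial_copy_fn fn, size_t serial_len)
{
    uint8_t serial[512];
    char region[SERIAL_LOG_CAP + 1];

    if (serial_len > sizeof serial)
        return -1;
    memset(serial, 0xAB, sizeof serial);
    return fn(serial, serial_len, region, SERIAL_LOG_CAP);
}

int main(void)
{
    printf("buggy, 255-byte serial: guard clobbered=%d\n", guard_clobbered(serial_copy_buggy, 255));
    printf("buggy, 256-byte serial: guard clobbered=%d\n", guard_clobbered(serial_copy_buggy, 256));
    printf("fixed, 256-byte serial: status=%d, guard clobbered=%d\n",
           copy_status(serial_copy_fixed, 256), guard_clobbered(serial_copy_fixed, 256));
    return 0;
}
```

A 255-byte serial passes both versions; only the exact boundary case (256 bytes) shows the difference, which is why such bugs survive normal testing and why the condition in the release note is so specific. Note that the fixed version rejects the serial rather than truncating it silently; a log line that claims to show a serial should either show all of it or say that it could not.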
708484-1 : Network Map might take a long time to load
Component: TMOS
Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.
For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.
In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.
# tmsh list ltm virtual vs
ltm virtual vs {
creation-time 2018-03-06:18:27:53
destination 0.0.0.0:any
ip-protocol tcp
last-modified-time 2018-03-06:18:27:53
mask any
profiles {
myhttp { }
tcp { }
}
rules {
myrule
}
source 0.0.0.0/0
translate-address disabled
translate-port disabled
vlans {
socks-tunnel
}
vs-index 5
}
Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.
-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.
Impact:
It takes tens of seconds to load the Network Map page.
Workaround:
None.
708249-1 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit
Component: Local Traffic Manager
Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.
Conditions:
Run the nitrox_diag command.
Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.
Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0
Fix:
The nitrox_diag utility now passes the -s0 option to the qkview command, so there is no longer a 5 MB maximum file size limit, and the full QKView file is created.
707961-1 : Unable to add policy to virtual server; error = Failed to compile the combined policies
Solution Article: K50013510
Component: Local Traffic Manager
Symptoms:
LTM policy does not compile if it has more than one similar condition, and some of them refer to datagroup and others to non-datagroup types. The policy compiles if similar conditions all refer to datagroups or to non-datagroups.
010716d8:3: Compilation of ltm policies for virtual server /Common/vs_name failed; Failed to compile the combined policies.
Conditions:
-- LTM policy that has more than one similar condition.
-- Some conditions refer to datagroup types.
-- Some conditions refer to non-datagroup types.
Following is an example of such an LTM policy (i.e., referring to both datagroup and non-datagroup types):
ltm policy /Common/example_ltm_policy {
published-copy /Common/block_URI
requires { http }
rules {
example_Rule {
conditions {
0 {
http-host
host
datagroup /Common/example_datagroup <------ Datagroup
}
1 {
http-host
host
values { example.com } <------ Non-Datagroup
}
}
}
}
strategy /Common/first-match
}
Impact:
LTM policy does not compile. Cannot use the policy.
Workaround:
Create a datagroup for the non-datagroup type and use it in policy instead.
Fix:
LTM Policy compiles if it has more than one similar condition, and some of them refer to datagroup and others to non-datagroup types.
707951-3 : Stalled mirrored flows on HA next-active when OneConnect is used.
Component: Local Traffic Manager
Symptoms:
-- 'tmctl -d blade tmm/umem_usage_stat | grep xdata' may show increased memory usage.
-- 'tmsh show sys connect' shows idle flows.
Conditions:
- OneConnect profile is configured.
- High availability (HA) mirroring is enabled.
Impact:
- Some flows are mirrored incorrectly.
- Stalled flows may occupy a lot of memory.
Workaround:
Disable OneConnect.
Fix:
Stalled mirrored flows no longer appear when OneConnect is used.
707585-2 : Use native driver for 82599 NICs instead of UNIC
Component: TMOS
Symptoms:
-- Lower performance in TPS.
-- Increased CPU consumption for throughput.
Conditions:
-- Running BIG-IP Virtual Edition (VE) (UNIC is the default Virtual Function Network Driver for VE).
-- High data rates, perhaps particularly when connection mirroring is configured.
Impact:
Lower TPS performance numbers and higher CPU usage in throughput tests.
Workaround:
With UNIC, extra CPUs must be allocated to handle SoftIRQs in order to achieve higher performance.
Fix:
This release provides a native driver based on F5's physical platforms.
707391-1 : BGP may keep announcing routes after disabling route health injection
Component: TMOS
Symptoms:
As a result of a known issue, a BIG-IP system with BGP configured may continue to announce routes even after the virtual address is disabled or route announcement is disabled on the virtual address.
Conditions:
BGP configured with multiple routes announced via Virtual-address route announcements.
Configuration changes made on the BGP configuration itself.
Virtual address or its route health announcement disabled.
Impact:
Prefixes continue to exist in the BGP table even after the virtual address is disabled (visible in imish with the "show ip bgp" command), so the prefix continues to be announced to configured peers.
Workaround:
Restart the dynamic routing process.
Fix:
BGP no longer keeps announcing routes after route health injection is disabled.
707267-2 : REST Framework HTTP header limit size increased to 8 KB
Component: TMOS
Symptoms:
HTTP Header size limit causing 'Error getting auth token from login provider' GUI messages.
Conditions:
A client uses an HTTP Header larger than 4 KB to make a request to the REST framework.
Impact:
Users cannot login or access certain pages in the GUI.
Workaround:
Clear browser cookies, or otherwise reduce the size of the HTTP headers, so that the headers in the request total less than 4 KB.
Fix:
The HTTP header size limit for the REST Framework has been increased to 8 KB to match the limit set by Apache.
707100-1 : Potentially fail to create user in AzureStack
Component: TMOS
Symptoms:
Using Microsoft Azure Stack on the BIG-IP Virtual Edition (VE) configured with password authentication, the system sometimes fails to create the provided user, which means that the VE admin cannot ssh in after deployment. Note that an unexpected reboot causes this to occur during provisioning, and that Microsoft might have already fixed this issue.
Conditions:
Azure Stack VE provisioned with password authentication.
Impact:
Admin loses provisioned VE instance because there is no way to ssh in.
Workaround:
Deploy VE with key authentication.
Fix:
Extra handling was added to make user creation work even with unexpected reboots happening during Azure Stack provisioning.
706688-2 : Automatically add additional certificates to BIG-IP system in C2S and IC environments
Component: TMOS
Symptoms:
The BIG-IP system's failover and autoscale features use AWS CLI commands. Inside C2S environments, those commands need extra CA certificates, pointed to by the $AWS_CA_BUNDLE environment variable, and an endpoint URL. Both must be configured manually.
Conditions:
-- BIG-IP is running in AWS C2S (Commercial Cloud Services) where the domain is either c2s.ic.gov or sc2c.sgov.gov.
-- The BIG-IP system is configured to do failover or autoscale in those environments.
Impact:
Requires manual copying of the extra certificates, which are pointed to by AWS_CA_BUNDLE, to the BIG-IP system.
Workaround:
None.
Fix:
In this release, you can add all the needed certificates' URLs in the AWS user-data. The BIG-IP system then automatically downloads and stores the certificate and sets the $AWS_CA_BUNDLE environment variable and endpoint-url.
To use the functionality, when launching the BIG-IP system from the AWS web console, specify the C2S certificate URL and test URL in the following format:
c2s-keys-urls=url1,url2,url3;c2s-cert-test-url=ec2.us-iso-east-1.c2s.ic.gov:443;
Where the syntax explanation is as follows:
1. The string literal : c2s-keys-urls=
2. List of comma separated URLs.
3. A semicolon (;).
4. The string literal : c2s-cert-test-url=
5. A URL which is of following format
<A service name (e.g., ec2)>.<The region where it is running (e.g., us-iso-east-1)>.<the domain name :443 (e.g., c2s.ic.gov:443)>
Example: ec2.us-iso-east-1.c2s.ic.gov:443;
706642-1 : wamd may leak memory during configuration changes and cluster events
Component: WebAccelerator
Symptoms:
wamd memory consumption increases over time.
Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.
Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.
Workaround:
No workaround available.
Fix:
wamd no longer leaks memory during configuration changes and cluster events.
706423-3 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
Component: TMOS
Symptoms:
TMM may discard an existing child-SA via a timer at the moment it is in use for encryption or decryption. Separately, an error that aborts negotiation can leave multiple timers associated with one child-SA, which conflict with one another.
Conditions:
Errors in the IPsec configuration that cause negotiation to fail can occur while a child-SA is in a state that does not manage timers correctly.
A configuration with a short SA lifetime, which causes frequent re-keying, makes it more likely to hit the race condition in which an SA expires while it is actively in use for crypto.
Impact:
TMM restarts, disrupting traffic and causing HA failover.
Workaround:
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, ensure SA lifetime has longer duration, instead of merely seconds. (The default is one day.)
Fix:
The system now ensures that only one timer can be associated with a child-SA during its short-term progress toward maturity in negotiation, even if an error occurs.
The system also ensures that a child-SA remains safe during async crypto operations, even if it expires while in use.
706169-2 : tmsh memory leak
Component: TMOS
Symptoms:
tmsh is leaking approximately 24 KB for every 'save sys config' call.
Conditions:
This occurs under either of the following conditions:
-- In tmsh, run the following command repeatedly:
save sys config
-- In the GUI, modify the configuration and click Update, change pages, or otherwise cause a save to the configuration.
Impact:
This results in a memory leak, and a possible out-of-memory condition.
Workaround:
None.
Fix:
tmsh no longer leaks memory when performing configuration-save operations.
705476-1 : Appliance Mode does not follow design best practices
Component: TMOS
Symptoms:
Appliance Mode does not follow design best practices
Conditions:
Appliance Mode does not follow design best practices
Impact:
Appliance Mode does not follow design best practices
Fix:
Appliance Mode now follows design best practices
704804-4 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
Component: TMOS
Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.
Conditions:
This applies to remote authentication for the control plane, not APM.
Impact:
Login may be impacted.
Workaround:
There is no workaround at this time.
704764-1 : SASP monitor marks members down with non-default route domains
Component: Local Traffic Manager
Symptoms:
The LTM SASP monitor marks down pool members whose addresses include non-default route domains.
Conditions:
1. Using the SASP health monitor to monitor a pool or pool member.
2. The address of the pool member includes a non-default route domain, such as:
ltm pool rd_test {
members {
test_1:http {
address 12.34.56.78%99
}
}
monitor my_sasp
}
Impact:
Pool members with non-default route domains will never be marked up by the SASP monitor.
Workaround:
Do not specify non-default route domains in the addresses of pool members monitored by the SASP health monitor.
The SASP protocol does not support route domains in member addresses. The SASP GWM (Global Workload Manager) therefore ignores any route domain information in the member addresses registered by the BIG-IP SASP monitor, and reports member status using addresses without route domains.
Consequently, even with a fixed SASP monitor, BIG-IP LTM administrators must avoid configuring, for monitoring by the SASP monitor, multiple pool members whose addresses differ only in route domain. With such a configuration, the status reported by the SASP GWM may not accurately reflect the status of one or more of the pool members sharing that IP address.
Fix:
The LTM SASP monitor now correctly reports the status of pool members configured with addresses that include a non-default route domain, provided the SASP GWM is monitoring members with matching addresses (without route-domain information).
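The configuration caveat above (pool members whose addresses differ only in route domain collapse to a single address at the SASP GWM) as an added check, written for this page and not F5 code: it strips the %rd suffix the way the GWM effectively does, then reports members that collide once the suffix is gone. The function names are assumptions for the example; the member list is constructed and uses the address from the release note.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy addr into out with any "%<route-domain>" suffix removed and return
 * the route domain id (0, the default, when none is present). Works for
 * IPv4 and IPv6 literals alike, since both use '%' for the route domain. */
unsigned long strip_route_domain(const char *addr, char *out, size_t out_len)
{
    const char *pct = strchr(addr, '%');
    size_t base_len = pct ? (size_t)(pct - addr) : strlen(addr);
    if (base_len >= out_len)
        base_len = out_len - 1;          /* truncate rather than overflow */
    memcpy(out, addr, base_len);
    out[base_len] = '\0';
    return pct ? strtoul(pct + 1, NULL, 10) : 0UL;
}

/* Count members whose address, minus route domain, duplicates that of an
 * earlier member. Any count above zero means the SASP GWM would report one
 * status for several distinct BIG-IP pool members. Prints each collision
 * when verbose is non-zero. */
size_t count_rd_collisions(const char *const *members, size_t n, int verbose)
{
    size_t collisions = 0;
    char a[64], b[64];
    for (size_t i = 1; i < n; i++) {
        strip_route_domain(members[i], a, sizeof a);
        for (size_t j = 0; j < i; j++) {
            strip_route_domain(members[j], b, sizeof b);
            if (strcmp(a, b) == 0) {
                collisions++;
                if (verbose)
                    printf("collision: %s and %s both register as %s\n",
                           members[j], members[i], a);
                break;                   /* count each member once */
            }
        }
    }
    return collisions;
}

int main(void)
{
    /* Constructed pool (example data): the release-note address, the same
     * host in the default route domain, and an unrelated member. */
    const char *const members[] = { "12.34.56.78%99", "12.34.56.78", "10.0.0.1%5" };
    char base[64];
    unsigned long rd = strip_route_domain(members[0], base, sizeof base);
    printf("%s -> address %s, route domain %lu\n", members[0], base, rd);
    size_t c = count_rd_collisions(members, 3, 1);
    printf("%zu member(s) collide after route-domain stripping\n", c);
    return c == 0 ? 0 : 1;               /* non-zero exit flags a risky pool */
}
```

Run it against the member addresses of every pool that carries a SASP monitor; a non-zero exit means the GWM cannot tell those members apart.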
704755-3 : EUD_M package could not be installed on 800 platforms
Component: TMOS
Symptoms:
Attempts to install the EUD_M package fail on 800 platforms, which are supposed to support it.
Conditions:
Attempt to install EUD_M package on 800 platforms.
Impact:
Cannot install EUD_M package on a platform that is claimed to support it.
Workaround:
None.
Fix:
EUD_M package can now be installed on 800 platforms as expected.
704733-3 : NAS-IP-Address will be sent with the bytes backwards
Component: TMOS
Symptoms:
The NAS-IP-Address will have the address of the local device sent with the bytes backwards (78.56.30.172 where 172.30.56.78 would be expected).
Conditions:
This affects IPv4 addresses only.
Impact:
If the RADIUS server is configured to check the NAS-IP-Address before allowing logins, authentication fails.
Workaround:
There is no workaround at this time.
Fix:
This has been corrected.
704552-1 : Support for ONAP site licensing
Component: TMOS
Symptoms:
ONAP site licensing not supported.
Conditions:
-- Attempting to use ONAP site licensing
Impact:
BIG-IP system does not license.
Workaround:
None.
Fix:
Ported ONAP site licensing support to this version of the software.
Behavior Change:
This version of the software supports ONAP site licensing.
704381-6 : SSL/TLS handshake failures and terminations are logged at too low a level
Component: Local Traffic Manager
Symptoms:
SSL/TLS handshake failures and terminations are logged at too low a level (INFO).
Conditions:
-- SSL/TLS connections are received or sent.
-- Handshake failures are logged.
Impact:
Other errors may be reported whose root cause is an SSL/TLS handshake failure, but that failure itself is not logged at a level where operators see it.
Workaround:
There is no workaround.
Fix:
SSL/TLS handshake failures and terminations are now logged at a higher level (WARNING).
704247-1 : BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
Component: TMOS
Symptoms:
BIG-IP .iso images may fail to install if multiple copies of the same image are present and have been deleted.
Conditions:
-- Have multiple copies of the same image .iso in the /shared directory on a BIG-IP system.
-- Delete one of them.
Impact:
Installation attempt of the remaining image(s) might fail.
Workaround:
Restart the lind process, so the installation can continue.
Fix:
The BIG-IP system now installs an image when multiple copies of the same image are present and one of them has been deleted.
703869-4 : Waagent updated to 2.2.21
Component: TMOS
Symptoms:
Microsoft updates waagent (the Azure Linux agent) through an open-source process, but the upstream agent is not compatible with BIG-IP software, so it cannot be upgraded outside of BIG-IP releases. Without an updated agent, Microsoft does not support older BIG-IP releases in Azure.
Conditions:
Using Microsoft Azure.
Impact:
Microsoft does not support the version of waagent shipped as part of BIG-IP software.
Workaround:
None.
Fix:
Waagent was updated to 2.2.21 from Microsoft along with F5 changes for compatibility with BIG-IP software.
703669-1 : Eventd restarts on NULL pointer access
Component: TMOS
Symptoms:
The loop that reads /config/eventd.xml to load configuration data processes data in 1024-byte chunks. If the size of the file is a multiple of 1024 bytes, the end of file condition that terminates the file read does not occur until the subsequent read. The subsequent read returns zero (0) bytes and passes an empty buffer to the parser, which causes eventd to restart repeatedly.
Conditions:
The length of the file /config/eventd.xml is a multiple of 1024 bytes.
Impact:
Causes eventd to crash.
Workaround:
To work around the problem, insert whitespace in /config/eventd.xml to pad the file to a size that is not a multiple of 1024 bytes.
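The read-loop defect described above, as an added illustration that is not BIG-IP's own code: a simulated 1024-byte chunked read of an in-memory file, first with end-of-file detected only by a short read (the pattern the symptom describes), then with a zero-byte read treated as end-of-file. The parser is a stand-in that fails on an empty buffer; the mem_file type and the function names are assumptions for the example. A small helper reports whether a file size triggers the condition, which is the check behind the padding workaround.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK 1024   /* read size the release note describes */

/* Simulated file in memory (constructed for the example): mem_read()
 * behaves like read(2), returning up to n bytes and 0 at end of file. */
struct mem_file { const unsigned char *data; size_t len; size_t pos; };

static size_t mem_read(struct mem_file *f, unsigned char *out, size_t n)
{
    size_t left = f->len - f->pos;
    size_t take = left < n ? left : n;
    memcpy(out, f->data + f->pos, take);
    f->pos += take;
    return take;
}

/* Stand-in for the XML parser. Returns -1 on an empty buffer, the input
 * the release note says makes eventd crash. */
static int parse_chunk(const unsigned char *buf, size_t n, int is_last)
{
    (void)buf; (void)is_last;
    return n == 0 ? -1 : 0;
}

/* Buggy loop: only a short read (n < CHUNK) is taken as end of file.
 * For a file whose size is an exact multiple of CHUNK the final full
 * chunk is not short, so one more read happens, returns 0 bytes, and the
 * empty buffer is handed to the parser. Returns 1 if that happened. */
int read_loop_buggy(const unsigned char *data, size_t len)
{
    struct mem_file f = { data, len, 0 };
    unsigned char buf[CHUNK];
    for (;;) {
        size_t n = mem_read(&f, buf, CHUNK);
        int is_last = n < CHUNK;
        if (parse_chunk(buf, n, is_last) < 0)
            return 1;                  /* parser saw an empty buffer */
        if (is_last)
            return 0;
    }
}

/* Fixed loop: a zero-byte read means end of file and is never parsed. */
int read_loop_fixed(const unsigned char *data, size_t len)
{
    struct mem_file f = { data, len, 0 };
    unsigned char buf[CHUNK];
    for (;;) {
        size_t n = mem_read(&f, buf, CHUNK);
        if (n == 0)
            return 0;                  /* EOF landed on a chunk boundary */
        int is_last = n < CHUNK;
        if (parse_chunk(buf, n, is_last) < 0)
            return 1;
        if (is_last)
            return 0;
    }
}

/* The check behind the documented workaround: a file size that is an
 * exact multiple of CHUNK triggers the condition, so pad it if so. */
int needs_padding(size_t file_len)
{
    return file_len % CHUNK == 0;
}

int main(void)
{
    static unsigned char file[2 * CHUNK];   /* 2048 bytes: a multiple of 1024 */
    memset(file, ' ', sizeof file);
    printf("2048-byte file: buggy loop crashes=%d, fixed loop crashes=%d, needs padding=%d\n",
           read_loop_buggy(file, sizeof file), read_loop_fixed(file, sizeof file),
           needs_padding(sizeof file));
    printf("2047-byte file: buggy loop crashes=%d, needs padding=%d\n",
           read_loop_buggy(file, sizeof file - 1), needs_padding(sizeof file - 1));
    return 0;
}
```

On a live system the same check is the file size modulo 1024; any configuration file fed to a chunked reader deserves the zero-byte-read guard, not just eventd.xml.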
703045-2 : If using TMSH commands with deprecated attributes in iAPP, the upgrade will fail.
Component: TMOS
Symptoms:
TMSH commands that use deprecated object attributes fail when run from an iApp.
Conditions:
TMSH commands with deprecated attributes are run from an iApp, whether the iApp is activated during the upgrade process or run from the iApp service in the GUI.
Impact:
The TMSH commands do not execute; for example, a create command results in no objects (e.g., monitors, virtual servers) being created.
Workaround:
Avoid deprecated object attributes in the iApp.
Fix:
All TMSH commands now handle deprecated object attributes consistently across the TMSH command line, CLI scripts, and iApps: the command runs to completion and emits only a warning for the deprecated attribute, and the object action completes without error rather than silently doing nothing.
702227-2 : Memory leak in TMSH load sys config
Component: TMOS
Symptoms:
When loading a configuration, either through tmsh load sys config or the corresponding iControl REST command, the TMSH or icrd_child processes can leak memory.
Conditions:
When configuration is loaded via TMSH or iControl REST.
Impact:
The TMSH process memory or icrd_child process memory continues to grow every time the config is loaded.
Workaround:
If memory consumption grows in the TMSH process, restart the TMSH process.
If memory consumption grows in iControl REST, restart the REST service using the following command: bigstart restart restjavad.
Fix:
There is no longer a memory leak when loading configuration in TMSH or iControl REST.
701785-1 : Linux kernel vulnerability: CVE-2017-18017
Solution Article: K18352029
701253-6 : TMM core when using MPTCP
Component: Local Traffic Manager
Symptoms:
When MPTCP is enabled on a virtual server, TMM may generate a core file and restart.
Conditions:
MPTCP must be in use.
Impact:
TMM crash, leading to a failover event.
Workaround:
Disable MPTCP.
Fix:
Prevented TMM core.
701249-3 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
Component: TMOS
Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.
The NAS-IP-Address identifies the network access server that the end-user client is trying to authenticate to. For BIG-IP remote authentication this is normally the management IP address, but the BIG-IP system always sends 127.0.0.1 instead. Depending on how the RADIUS server is configured, authentication might still succeed or might fail.
Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.
Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.
Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.
Workaround:
There is no workaround.
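A server-side check for the two NAS-IP-Address defects described in 704733-3 and 701249-3, added here as an example and not code from BIG-IP or from any RADIUS server. It builds the attribute as RFC 2865 section 5.4 defines it (type 4, length 6, four address octets in network order), shows how serialising the address as a host-order integer reverses the octets on a little-endian machine, and classifies a received attribute against the NAS address the server expects, distinguishing a loopback address from a byte-reversed one. The function and enum names are assumptions for the example; the addresses are the ones the release notes quote.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_ATTR_NAS_IP_ADDRESS 4   /* RFC 2865 section 5.4 */
#define NAS_IP_ATTR_LEN 6              /* type + length + 4 octets */

enum nas_ip_verdict {
    NAS_IP_OK,            /* matches the expected NAS address */
    NAS_IP_MALFORMED,     /* wrong type or length */
    NAS_IP_LOOPBACK,      /* 127.0.0.0/8: not a usable NAS identity */
    NAS_IP_BYTE_REVERSED, /* the expected address with its octets reversed */
    NAS_IP_MISMATCH       /* some other address */
};

/* Correct encoding: the four octets go on the wire in network order, the
 * order in which the dotted quad is written. */
void encode_nas_ip(const unsigned char addr[4], unsigned char out[NAS_IP_ATTR_LEN])
{
    out[0] = RADIUS_ATTR_NAS_IP_ADDRESS;
    out[1] = NAS_IP_ATTR_LEN;
    memcpy(out + 2, addr, 4);
}

/* Defective encoding of the kind the symptom describes (example, not the
 * BIG-IP code): the address is held as a host-order integer and its bytes
 * are copied as they sit in memory. On a little-endian CPU this emits
 * 78.56.30.172 for 172.30.56.78; on a big-endian CPU it happens to be
 * right, which is how such bugs survive until the code changes platform. */
void encode_nas_ip_host_order_bug(uint32_t host_order_addr, unsigned char out[NAS_IP_ATTR_LEN])
{
    out[0] = RADIUS_ATTR_NAS_IP_ADDRESS;
    out[1] = NAS_IP_ATTR_LEN;
    memcpy(out + 2, &host_order_addr, 4);   /* missing htonl(): the bug */
}

/* Pack four octets into a host-order integer, i.e. what a caller holds
 * after ntohl() on a network-order address. */
uint32_t ipv4_to_host_order(const unsigned char a[4])
{
    return ((uint32_t)a[0] << 24) | ((uint32_t)a[1] << 16) |
           ((uint32_t)a[2] << 8) | (uint32_t)a[3];
}

/* Server-side classification of a received NAS-IP-Address attribute. */
enum nas_ip_verdict classify_nas_ip(const unsigned char *attr, size_t attr_len,
                                    const unsigned char expected[4])
{
    if (attr_len != NAS_IP_ATTR_LEN || attr[0] != RADIUS_ATTR_NAS_IP_ADDRESS ||
        attr[1] != NAS_IP_ATTR_LEN)
        return NAS_IP_MALFORMED;
    const unsigned char *a = attr + 2;
    if (memcmp(a, expected, 4) == 0)
        return NAS_IP_OK;
    if (a[0] == 127)
        return NAS_IP_LOOPBACK;
    if (a[0] == expected[3] && a[1] == expected[2] &&
        a[2] == expected[1] && a[3] == expected[0])
        return NAS_IP_BYTE_REVERSED;
    return NAS_IP_MISMATCH;
}

int main(void)
{
    static const char *names[] = { "ok", "malformed", "loopback", "byte-reversed", "mismatch" };
    const unsigned char mgmt[4] = { 172, 30, 56, 78 };   /* address from the release note */
    const unsigned char lo[4]   = { 127, 0, 0, 1 };
    unsigned char attr[NAS_IP_ATTR_LEN];

    encode_nas_ip(mgmt, attr);
    printf("correct encoding: %s\n", names[classify_nas_ip(attr, sizeof attr, mgmt)]);
    encode_nas_ip_host_order_bug(ipv4_to_host_order(mgmt), attr);
    printf("host-order bug on this CPU: %s (%d.%d.%d.%d)\n",
           names[classify_nas_ip(attr, sizeof attr, mgmt)],
           attr[2], attr[3], attr[4], attr[5]);
    encode_nas_ip(lo, attr);
    printf("loopback: %s\n", names[classify_nas_ip(attr, sizeof attr, mgmt)]);
    return 0;
}
```

A RADIUS server that keys client policy on NAS-IP-Address can use the two extra verdicts to log a precise reason for the rejection instead of a bare mismatch.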
700086-2 : AWS C5/M5 Instances do not support BIG-IP VE
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) does not function on AWS C5/M5 instances.
Conditions:
BIG-IP VE on AWS C5/M5 instances.
Impact:
Cannot use BIG-IP VE on AWS C5/M5 instances.
Workaround:
None.
Fix:
BIG-IP VE now functions on AWS C5/M5 Instances.
700056-2 : MCPD process may lock up and restart when applying Local Traffic Policy to virtual server
Solution Article: K05350542
Component: Local Traffic Manager
Symptoms:
The mcpd process becomes unresponsive while attempting to load the configuration, or attempting to apply a configuration change that associates a particular local traffic policy to a virtual server. The mcpd process may also periodically restart every 5 minutes.
Conditions:
- Virtual servers configured.
- Specific policies configured and attached to virtual servers.
Only policies configured in a specific way trigger this situation. The specifics are not well understood; however, the vast majority of Local Traffic Policies are unaffected by this issue.
Impact:
Traffic disrupted while mcpd restarts.
Workaround:
There is no workaround.
Fix:
mcpd is responsive when an LTM Policy is attached to a virtual server, or when an already-attached policy is updated.
699598-1 : HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR
Component: Local Traffic Manager
Symptoms:
HTTP/2 requests with a large body may result in the BIG-IP system sending RST_STREAM with FRAME_SIZE_ERROR.
Conditions:
-- HTTP/2 profile is configured on the virtual server.
-- Request has body size greater than 16 KB.
Impact:
HTTP/2 stream is reset with FRAME_SIZE_ERROR and transfer does not complete.
Workaround:
None.
Fix:
Large HTTP/2 requests are now processed as expected.
699531-5 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command
Component: Policy Enforcement Manager
Symptoms:
TMM crash.
Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.
Impact:
Loss of service. Traffic disrupted while tmm restarts.
Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.
For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.
Fix:
The system now provides the correct number of attributes, preventing a NULL pointer dereference.
699454-6 : Web UI does not follow current best coding practices
Component: Advanced Firewall Manager
Symptoms:
The web UI does not follow current best coding practices while processing URL DB updates.
Conditions:
ASM provisioned.
Impact:
UI does not respond as intended.
Workaround:
None.
Fix:
The web UI now follows current best coding practices while processing URL DB updates.
699453-6 : Web UI does not follow current best coding practices
Component: Advanced Firewall Manager
Symptoms:
The web UI does not follow current best coding practices while processing ASM configuration updates.
Conditions:
ASM provisioned
Impact:
UI does not respond as intended.
Workaround:
None.
Fix:
The web UI now follows current best coding practices while processing ASM configuration updates.
695072-3 : CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558
Solution Article: K23030550
693359-2 : AWS M5 and C5 instance families are supported
Component: TMOS
Symptoms:
AWS has announced support for M5 and C5 instance families. No previous BIG-IP Virtual Edition (VE) software supports these new AWS instance families.
Conditions:
Attempting to install pre-v14.0.0.1 VE software on M5 and C5 instance families.
Impact:
The system experiences a kernel panic and might crash.
Workaround:
None.
Fix:
All necessary components are added to support AWS M5 and C5 instance families.
Behavior Change:
No previous BIG-IP Virtual Edition (VE) software supports the newly announced AWS M5 and C5 instance families. Version 14.0.0.1 officially supports the AWS M5 and C5 instance families.
693244-3 : BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned
Component: Local Traffic Manager
Symptoms:
The BIG-IP system silently drops the server-side TCP flow when it receives a client-side reset while the server-side flow is still in the SYN-SENT state.
Conditions:
The BIG-IP system receives a client-side reset while the client-side TCP flow is in the ESTABLISHED state and the server-side TCP flow is in the SYN-SENT state.
Impact:
Because the pool member never receives a RST, its half-open connection remains in the SYN-RECEIVED state until it exhausts its SYN-ACK retransmissions and, on timeout, returns to the LISTEN state.
Fix:
The BIG-IP system now sends a RST to the server-side TCP flow when it receives a client-side reset while the server-side flow is still in the SYN-SENT state.
682283-1 : Malformed HTTP/2 request with invalid Content-Length value is served against RFC
Component: Local Traffic Manager
Symptoms:
An HTTP/2 request can include a Content-Length header. When its value does not equal the sum of the payload lengths of all DATA frames in the stream, RFC 7540 (section 8.1.2.6) requires the receiver to treat the request as malformed and reset the stream.
Conditions:
-- A virtual server is configured with HTTP/2 profile.
-- The value of Content-Length header does not match the sum of lengths of all DATA frames from the stream.
Impact:
The BIG-IP system forwards the request to the server and serves the response it receives, which does not conform to the RFC.
Workaround:
None.
Fix:
When a client now sends a request over an HTTP/2 connection whose HEADERS frame carries a Content-Length that does not match the payload size of the DATA frames, the BIG-IP system correctly resets the stream with a RST_STREAM frame.
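Added example (not BIG-IP code) covering the two HTTP/2 items above, 699598-1 and 682283-1: a receiver-side DATA frame accounting routine that raises FRAME_SIZE_ERROR only when a frame actually exceeds the advertised SETTINGS_MAX_FRAME_SIZE (16384 by default, RFC 7540 section 6.5.2) and raises PROTOCOL_ERROR when the body does not match Content-Length as section 8.1.2.6 requires, together with the sender-side split of a large body into frames that stay within the limit. The struct and function names are assumptions; the frame sequences are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

#define H2_DEFAULT_MAX_FRAME_SIZE 16384   /* RFC 7540 section 6.5.2 */

/* Error codes as numbered in RFC 7540 section 7. */
enum h2_error { H2_NO_ERROR = 0x0, H2_PROTOCOL_ERROR = 0x1, H2_FRAME_SIZE_ERROR = 0x6 };

struct h2_stream {
    long   content_length;   /* from the Content-Length header, -1 if absent */
    size_t body_received;    /* DATA payload bytes seen so far, padding excluded */
    int    end_stream_seen;
};

void h2_stream_init(struct h2_stream *s, long content_length)
{
    s->content_length = content_length;
    s->body_received = 0;
    s->end_stream_seen = 0;
}

/* Receiver side: account for one DATA frame. frame_len is the Length field
 * from the frame header (it covers Pad Length and padding); data_len is the
 * application data inside it. Returns the error the stream should be reset
 * with, or H2_NO_ERROR. */
enum h2_error h2_on_data(struct h2_stream *s, size_t frame_len, size_t data_len,
                         int end_stream, size_t max_frame_size)
{
    if (frame_len > max_frame_size)
        return H2_FRAME_SIZE_ERROR;          /* section 4.2: oversized frame */
    if (data_len > frame_len || s->end_stream_seen)
        return H2_PROTOCOL_ERROR;            /* bad padding, or data after END_STREAM */
    s->body_received += data_len;
    if (s->content_length >= 0 && s->body_received > (size_t)s->content_length)
        return H2_PROTOCOL_ERROR;            /* section 8.1.2.6: more body than declared */
    if (end_stream) {
        s->end_stream_seen = 1;
        if (s->content_length >= 0 && s->body_received != (size_t)s->content_length)
            return H2_PROTOCOL_ERROR;        /* section 8.1.2.6: less body than declared */
    }
    return H2_NO_ERROR;
}

/* Feed a whole stream of unpadded frames with the given lengths, END_STREAM
 * set on the last. Returns the first error, or H2_NO_ERROR. */
enum h2_error h2_run_stream(long content_length, const size_t *frame_lens,
                            size_t nframes, size_t max_frame_size)
{
    struct h2_stream s;
    h2_stream_init(&s, content_length);
    for (size_t i = 0; i < nframes; i++) {
        enum h2_error e = h2_on_data(&s, frame_lens[i], frame_lens[i],
                                     i + 1 == nframes, max_frame_size);
        if (e != H2_NO_ERROR)
            return e;
    }
    return H2_NO_ERROR;
}

/* Sender side: split a body into DATA frames that respect the peer's
 * SETTINGS_MAX_FRAME_SIZE. Writes up to cap lengths into out and returns
 * how many frames are needed (an empty body still needs one frame to carry
 * END_STREAM). A result larger than cap means out was too small. */
size_t h2_split_body(size_t body_len, size_t max_frame_size, size_t *out, size_t cap)
{
    size_t n = 0;
    do {
        size_t take = body_len < max_frame_size ? body_len : max_frame_size;
        if (n < cap)
            out[n] = take;
        n++;
        body_len -= take;
    } while (body_len > 0);
    return n;
}

int main(void)
{
    size_t frames[4];
    size_t n = h2_split_body(20000, H2_DEFAULT_MAX_FRAME_SIZE, frames, 4);
    printf("20000-byte body -> %zu frames (%zu, %zu)\n", n, frames[0], frames[1]);
    printf("well-split body: error %d\n",
           h2_run_stream(20000, frames, n, H2_DEFAULT_MAX_FRAME_SIZE));
    size_t oversized[1] = { 20000 };
    printf("single 20000-byte frame: error %d\n",
           h2_run_stream(20000, oversized, 1, H2_DEFAULT_MAX_FRAME_SIZE));
    size_t short_body[2] = { 50, 40 };
    printf("Content-Length 100 with 90 bytes of DATA: error %d\n",
           h2_run_stream(100, short_body, 2, H2_DEFAULT_MAX_FRAME_SIZE));
    return 0;
}
```

The two checks are deliberately separate: a body larger than 16 KB split into compliant frames must pass the size check, and a Content-Length mismatch is a stream-level protocol error regardless of frame sizes.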
677088-1 : Qkview does not follow current best practices
Component: TMOS
Symptoms:
Qkview does not follow current best practices
Conditions:
Authenticated administrative user initiates a Qkview
Impact:
Qkview output not processed as expected
Fix:
Qkview now follows current best practices
676346-1 : PEM displays incorrect policy action counters when the gate status is disabled.
Component: Policy Enforcement Manager
Symptoms:
Action counters are incorrect.
Conditions:
PEM policy actions enabled with gate status of disabled.
Impact:
May provide an inconsistent view of PEM actions.
Workaround:
There is no workaround.
Fix:
Counters are managed correctly regardless of the gate status.
671712-3 : The values returned for the ltmUserStatProfileStat table are incorrect.
Component: TMOS
Symptoms:
An SNMP table entry intermittently comes back incorrect: an LTM profile user statistic value is returned with an OID that is off by one in the table.
Conditions:
A statistics profile is attached to a virtual server with an iRule that increments statistics on the profile. The SNMP walk of the table created by the statistics profile intermittently returns the values shifted up one OID such that the last row is zero and the first row is lost. A subsequent request is correct.
Impact:
Incorrect data returned in SNMP walk of LTM profile table.
Workaround:
The statistics themselves are kept correctly and can be accessed without using SNMP.
Fix:
The values in the ltmUserStatProfileStat table are always correct.
658557-4 : The snmpd daemon may leak memory when processing requests.
Component: TMOS
Symptoms:
Under certain conditions, the snmpd daemon may leak memory when processing requests.
Conditions:
A client that is allowed to send SNMP queries to the BIG-IP system sends specially crafted requests.
Impact:
Once enough memory has leaked, the system may become unstable and fail unpredictably.
Workaround:
If the snmpd daemon is consuming excessive memory, restart it with the following command:
bigstart restart snmpd
Fix:
The snmpd daemon no longer leaks memory when handling specially crafted requests.
651741 : CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop
Solution Article: K60104355
648802-4 : Required custom AVPs are not included in an RAA when reporting an error.
Component: Policy Enforcement Manager
Symptoms:
Custom Attribute-Value-Pairs (AVPs) defined on the system will not be visible in a Re-Auth-Answer (RAA).
Conditions:
This occurs when the following conditions are met:
-- PEM enabled with Gx.
-- Custom AVPs configured.
-- PEM responds with an error code in an RAA against a Policy and Charging Rules Function (PCRF) triggered action.
Impact:
Lack of custom AVPs in such an RAA may result in loss of AVP dependent service.
Workaround:
There is no workaround at this time.
Fix:
Custom AVPs are now included in an RAA regardless of whether it carries an error code.
602708-5 : Traffic may not pass through CoS by default
Solution Article: K84837413
Component: Local Traffic Manager
Symptoms:
Traffic forwarded by TMM may not pass through the Class of Service (CoS) value it was received with.
Conditions:
-- IP forwarding Virtual server.
-- Traffic received with priority other than 3.
Impact:
Traffic is set to L2 QoS priority 3 and may cause issues on other networking devices.
Workaround:
Create a default CoS configuration or apply L2 QoS settings in the FastL4 profile.
Fix:
TMM now correctly passes through CoS by default.
530775-2 : Login page may generate unexpected HTML output
Component: TMOS
Symptoms:
Under certain circumstances, the administrative login page may generate unexpected HTML output.
Conditions:
External authentication enabled
Impact:
Unexpected output to client browser
Workaround:
None.
Fix:
The login page now generates the expected output.
Known Issues in BIG-IP v14.0.x
TMOS Issues
ID Number | Severity | Solution Article(s) | Description |
708956-3 | 1-Blocking | K51206433 | During system boot, an error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform' |
746464-2 | 2-Critical | | MCPD sync errors and restart after multiple modifications to file object in chassis |
743810-2 | 2-Critical | | AWS: Disk resizing in m5/c5 instances fails silently. |
743790-2 | 2-Critical | | BIG-IP system should trigger a HA failover event when expected HSB device is missing from PCI bus |
743271 | 2-Critical | | Querying vCMP Health Status May Show Stale Statistics |
742419-2 | 2-Critical | | BIG-IP NIC teaming of SR-IOV interfaces does not work under VMware ESXi |
741423-3 | 2-Critical | | Secondary blade goes offline when provisioning ASM/FPS on already established config-sync |
737900-1 | 2-Critical | | mcpd might crash on an unlicensed system |
737692-2 | 2-Critical | | Handle x520 PF DOWN/UP sequence automatically by VE |
737055-1 | 2-Critical | | Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy |
726487-3 | 2-Critical | | VIPRION secondary MCPD, Node Name encodes IP address which differs from supplied |
721350-3 | 2-Critical | | The size of the icrd_child process is steadily growing |
717785-4 | 2-Critical | | Interface-cos shows no egress stats for CoS configurations |
716391-1 | 2-Critical | | High priority for MySQL on 2 core vCMP may lead to control plane process starvation |
711683-1 | 2-Critical | | bcm56xxd crash with empty trunk in QinQ VLAN |
708968-1 | 2-Critical | | OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address |
707013-2 | 2-Critical | | vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest |
747799-1 | 3-Major | | Upgrade failure from 11.5.4-hf2 to a version larger than 11.5.4 due to clientssl profile with empty cert/key configuration. |
747676-2 | 3-Major | | Remote logging needs 'localip' to set source IP properly |
746657-2 | 3-Major | | tmsh help for FQDN node or pool member shows incorrect default for fqdn interval |
746266-2 | 3-Major | | vCMP guest VLAN MAC mismatch across blades. |
745825-2 | 3-Major | | The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading |
744520-2 | 3-Major | | virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface |
744252-1 | 3-Major | | BGP route map community value: either component cannot be set to 65535 |
743132-5 | 3-Major | | mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile |
742753-3 | 3-Major | | Accessing the BIG-IP system's WebUI via special proxy solutions may fail |
742170-1 | 3-Major | | REST PUT command fails for data-group internal |
741902-2 | 3-Major | | sod does not validate message length vs. received packet length |
741599-1 | 3-Major | | After upgrade, Client SSL profile may have extra cert-key-chain structure |
740746-1 | 3-Major | | RSA key creation fails for generating key/csr pair when using gen-csr challenge-password |
740589-2 | 3-Major | | mcpd crash with core after 'tmsh edit /sys syslog-all-properties' |
740517-2 | 3-Major | | Application Editor users are unable to edit HTTPS Monitors via the Web UI |
740413-2 | 3-Major | | sod not logging Failover Condition messages |
740135-2 | 3-Major | | Traffic Group ha-order list does not load correctly after reset to default configuration |
739872-1 | 3-Major | | The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover |
739533-5 | 3-Major | | In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config |
739118-2 | 3-Major | | Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration |
737901-3 | 3-Major | | Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode |
737536-3 | 3-Major | | Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others. |
737397-2 | 3-Major | | User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP |
737346-2 | 3-Major | | After entering username and before password, the logging on user's failure count is incremented. |
734846-2 | 3-Major | | Redirection to logon summary page does not occur after session timeout |
734836 | 3-Major | | Network Map summary counts pool members more than once if they are shared across pools |
733585-4 | 3-Major | | merged can use 100% of CPU if all stats snapshot files are in the future |
727467-2 | 3-Major | | Some iSeries appliances can experience traffic disruption when the HA peer is upgraded from 12.1.3 and earlier to 13.1.0 or later. |
727297-2 | 3-Major | | GUI TACACS+ remote server list should accept hostname |
725791-5 | 3-Major | | Potential HW/HSB issue detected |
722380-1 | 3-Major | | The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core. |
721020-2 | 3-Major | | Changes to the master key are reverted after full sync |
720819-3 | 3-Major | | Certain platforms may take longer than expected to detect and recover from HSB lock-ups |
720610-1 | 3-Major | | Updatecheck logs bogus 'Update Server unavailable' on every run |
720461-1 | 3-Major | | qkview prompts for password on chassis |
720269-1 | 3-Major | | TACACS audit logging may append garbage characters to the end of log strings |
718800-1 | 3-Major | | Cannot set a password to the current value of its encrypted password |
718291-1 | 3-Major | | iHealth upload error doesn't clear |
714986-4 | 3-Major | | Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot |
714974-1 | 3-Major | | Platform-migrate of UCS containing QinQ fails on VE★ |
714903-3 | 3-Major | | Errors in chmand |
714654-1 | 3-Major | | Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM |
714216-1 | 3-Major | | Folder in a partition may result in load sys config error |
713708-6 | 3-Major | | Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI |
712102-1 | 3-Major | K11430165 | Customizing or changing the HTTP Profile's IPv6 field hides the field or the row |
712033-3 | 3-Major | | When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name |
709559-1 | 3-Major | | LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name |
709444-1 | 3-Major | | "NTP not configured on device" warning seen when NTP symmetric key authentication is configured |
708063 | 3-Major | | In older RAID BIG-IP systems, storage provisioning is not possible when a drive is missing. |
707740-5 | 3-Major | | Failure deleting GTM Monitors when used on multiple Virtual Servers with the same ip:port combination |
707445-4 | 3-Major | K47025244 | Nitrox 3 compression hangs/unable to recover |
706804-2 | 3-Major | | SNMP trap destination configuration of network option is missing "default" keyword |
705651-2 | 3-Major | | Async transaction may ignore polling requests |
705442-2 | 3-Major | | GUI Network Map objects search on Virtual Server IP Address and Port does not work |
705037-1 | 3-Major | K32332000 | System may exhibit duplicate if_index, which in some cases leads to nsm daemon restart |
704449-1 | 3-Major | | Orphaned tmsh processes might eventually lead to an out-of-memory condition |
703090-3 | 3-Major | | With many iApps configured, scriptd may fail to start |
701341-3 | 3-Major | K52941103 | If /config/BigDB.dat is empty, mcpd continuously restarts |
700827-3 | 3-Major | | B2250 blades may lose efficiency when source ports form an arithmetic sequence. |
698619-3 | 3-Major | | Disable port bridging on HSB ports for non-vCMP systems |
698432-1 | 3-Major | | Invalid error messages: warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10 |
696731-4 | 3-Major | K94062594 | The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled |
684096-3 | 3-Major | | stats self-link might include the oid twice |
673018-1 | 3-Major | | Parsed text violates expected format error encountered while upgrading or loading UCS★ |
668041-3 | 3-Major | K27535157 | Config load fails when an iRule comment ends with backslash in a config where there is also a policy. |
667618-5 | 3-Major | | Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts |
641450-6 | 3-Major | K30053855 | A transaction that deletes and recreates a virtual may result in an invalid configuration |
639619-6 | 3-Major | | UCS may fail to load due to Master key decryption failure on EEPROM-less systems★ |
606032-4 | 3-Major | | Network Failover-based HA in AWS may fail |
591305-2 | 3-Major | | Audit log messages with "user unknown" appear on install |
486712-4 | 3-Major | | GUI PVA connection maximum statistic is always zero |
723988-1 | 4-Minor | | IKEv1 phase2 key length can be changed during SA negotiation |
719770-1 | 4-Minor | | tmctl -H -V and -l options without values crashed |
713138-3 | 4-Minor | | TMUI ILX Editor inserts an unnecessary linefeed |
713134-1 | 4-Minor | | Small tmctl memory leak when viewing stats for snapshot files |
708415-3 | 4-Minor | | Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled |
707631-3 | 4-Minor | | The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI |
704336-5 | 4-Minor | | Updating 3rd party device cert not copied correctly to trusted certificate store |
703509-3 | 4-Minor | | Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled |
689491-2 | 4-Minor | | cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled |
685582-8 | 4-Minor | | Incorrect output of b64 unit key hash by command f5mku -f |
648917-2 | 4-Minor | | Need to re-provision vCMP after upgrading to 13.1.x or later on the BIG-IP 10350F platform★ |
394873 | 4-Minor | | Upgrade process does not update Tcl scripts★ |
720669-1 | 5-Cosmetic | | Within the GUI, the 'MQTT-TLS' service port is incorrectly reported as 'common.all.MQTT-TLS'. |
713519-1 | 5-Cosmetic | | Enabling MCP Audit logging does not produce log entry for audit logging change |
662725 | 5-Cosmetic | | tmsh kernel default log levels do not match documentation |
Local Traffic Manager Issues
ID Number | Severity | Solution Article(s) | Description |
745589-5 | 2-Critical | | In very rare situations, some filters may cause data-corruption. |
742627-1 | 2-Critical | | SSL session mirroring may cause memory leakage if HA channel is down |
742184-2 | 2-Critical | | TMM memory leak |
741919-2 | 2-Critical | | HTTP response may be dropped following a 100 continue message. |
741814-1 | 2-Critical | | Auto Last Hop for management connections cannot be disabled/enabled |
740963-1 | 2-Critical | | VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart |
740490 | 2-Critical | | Configuration changes involving HTTP2 or SPDY may leak memory |
738945-3 | 2-Critical | | SSL persistence does not work when there are multiple handshakes present in a single record |
738046-1 | 2-Critical | | SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby |
726900 | 2-Critical | | Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters |
716714-2 | 2-Critical | | OCSP should be configured to avoid TMM crash. |
716213-5 | 2-Critical | | BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic |
571651-5 | 2-Critical | K66544028 | Reset Nitrox3 crypto accelerator queue if it becomes stuck. |
431480-6 | 2-Critical | | Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message |
747077 | 3-Major | | Potential crash in TMM when updating pool members |
746922-5 | 3-Major | | When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain. |
746078-2 | 3-Major | | Upgrades break existing iRulesLX workspaces that use node version 6 |
745923-1 | 3-Major | | Virtual server may reset a connection with port zero when client sends ACK after a 4-way close |
744686-1 | 3-Major | | Wrong certificate can be chosen during SSL handshake |
743900-2 | 3-Major | | Custom DIAMETER monitor requests do not have their 'request' flag set |
743257-2 | 3-Major | | Fix block size insecurity init and assign |
742838-2 | 3-Major | | A draft policy of an existing published policy cannot be modified if it is in /Common and is used by a virtual server in a different partition |
742237-3 | 3-Major | | CPU spikes appear wider than actual in graphs |
740959-3 | 3-Major | | User with manager rights cannot delete FQDN node on non-Common partition |
739963-3 | 3-Major | | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup |
739638-3 | 3-Major | | BGP failed to connect with neighbor when pool route is used |
739379-1 | 3-Major | | Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error |
739349-2 | 3-Major | | LRO segments might be erroneously VLAN-tagged. |
738523-1 | 3-Major | | SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages |
738521-3 | 3-Major | | i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag. |
738450-2 | 3-Major | | Parsing pool members as variables with IP tuple syntax |
726734-3 | 3-Major | | DAGv2 port lookup stringent may fail |
726266-1 | 3-Major | | Virtual-wire is not supported on un-tagged VLANs. |
726232-3 | 3-Major | | iRule drop/discard may crash tmm |
723306-2 | 3-Major | | Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition |
721261-2 | 3-Major | | v12.x Policy rule names containing slashes are not migrated properly |
720460-3 | 3-Major | | Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly |
720440-2 | 3-Major | | Radius monitor marks pool members down after 6 seconds |
720219-2 | 3-Major | K13109068 | HSL::log command can fail to pick new pool member if last picked member is 'checking' |
718867-1 | 3-Major | | tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades★ |
718790-2 | 3-Major | | Traffic does not forward to fallback host when all pool members are marked down |
717100-2 | 3-Major | | FQDN pool member not added if FQDN resolves to same IP as another existing FQDN pool member |
715785-1 | 3-Major | | Incorrect encryption error for monitors during sync or upgrade |
715756-1 | 3-Major | | Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only |
714559-4 | 3-Major | | Removal of HTTP hash persistence cookie when a pool member goes down. |
714503-1 | 3-Major | | When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl |
714495-1 | 3-Major | | When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl" |
713585-2 | 3-Major | K31544054 | When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long |
712489-1 | 3-Major | | TMM crashes with message 'bad transition' |
711981-6 | 3-Major | | BIG-IP system accepts larger-than-egress MTU, PMTU update |
710028-1 | 3-Major | | LTM SQL monitors may stop monitoring if multiple monitors querying same database |
709963-1 | 3-Major | | Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members. |
709837-1 | 3-Major | | Cookie persistence profile may be configured with invalid parameter combination. |
708068-1 | 3-Major | | Tcl commands like "HTTP::path -normalize" do not return normalized path. |
707691-5 | 3-Major | | BIG-IP handles some pathmtu messages incorrectly |
706505-3 | 3-Major | | iRule table lookup command may crash tmm when used in FLOW_INIT |
706102-1 | 3-Major | | SMTP monitor does not handle all multi-line banner use cases |
704450-4 | 3-Major | | bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration |
703266-1 | 3-Major | | Potential MCP memory leak in LTM policy compile code |
702450-2 | 3-Major | | The validation error message generated by deleting certain object types referenced by a policy action is incorrect |
702439-4 | 3-Major | K04964898 | Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset |
700696-4 | 3-Major | SSID does not cache fragmented Client Certificates correctly via iRule | |
698211-4 | 3-Major | K35504512 | DNS express response to non-existent record is NOERROR instead of NXDOMAIN. |
688553-4 | 3-Major | SASP GWM monitor may not mark member UP as expected | |
686059-3 | 3-Major | FDB entries for existing VLANs may be flushed when creating a new VLAN. | |
679687-2 | 3-Major | LTM Policy applied to large number of virtual servers causes mcpd restart | |
677709 | 3-Major | pkcs11d daemon can generate a very large number of log messages | |
674591-4 | 3-Major | K37975308 | Packets with payload smaller than MSS are being marked to be TSOed |
672410 | 3-Major | K58551820 | High CPU load when HTTP/2 gateway is configured with source-persistence. |
672312-4 | 3-Major | IP ToS may not be forwarded to serverside with syncookie activated | |
620053-3 | 3-Major | Gratuitous ARPs may be transmitted by active unit being forced offline | |
473787 | 3-Major | System might fail to unchunk server response when compression is enabled | |
747968-1 | 4-Minor | DNS64 stats not increasing when requests go through dns cache resolver | |
747628-2 | 4-Minor | BIG-IP sends spurious ICMP PMTU message to server | |
744210-3 | 4-Minor | DHCPv6 does not have the ability to override the hop limit from the client. | |
743116-3 | 4-Minor | Chunked responses may be incorrectly handled by HTTP/2 | |
738045-4 | 4-Minor | HTTP filter complains about invalid action in the LTM log file. | |
722534-2 | 4-Minor | load sys config merge not supported for iRulesLX | |
719247-1 | 4-Minor | K10845686 | HTTP::path and HTTP::query iRule functions cannot be set to a blank string |
699426-4 | 4-Minor | RRD cpu files are not updated when statsd has no prior knowledge of blades joining a cluster. | |
693901-5 | 4-Minor | Active FTP data connection may change source port on client-side | |
688005-1 | 4-Minor | The maximum-connection count doubles pva traffic counts for virtuals | |
594064-6 | 4-Minor | K57004151 | tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows. |
513310-6 | 4-Minor | TMM might core when a profile is changed. | |
666378-2 | 5-Cosmetic | A virtual server's connections per second (precision.last_value) is not updated unless it's equal to the rate-limit. |
Performance Issues
ID Number | Severity | Solution Article(s) | Description |
746620-2 | 3-Major | "source-port preserve" broken on BIG-IP VE |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Solution Article(s) | Description |
737726-1 | 2-Critical | If named is restarted and zrd is not restarted, ZoneRunner can lose contact with the DNS server daemon | |
722741-2 | 2-Critical | Damaged tmm dns db file causes zxfrd/tmm core | |
746719-2 | 3-Major | zrd sets recursion desired and can't edit NS records when bind set recursion yes | |
744787-3 | 3-Major | Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias | |
744707-3 | 3-Major | Fixed crash related to DNSSEC key rollover | |
739553-2 | 3-Major | Setting large number for Wide IP Persistence TTL breaks Wide IP persistence | |
737529-3 | 3-Major | [GTM] load or save configs removes backslash \ from GTM pool member name | |
723288-1 | 3-Major | DNS cache replication between TMMs does not always work for net dns-resolver | |
723095-3 | 3-Major | Add record type breaks commands 'modify gtm pool type all'; errors on nonexistent pool | |
722734-2 | 3-Major | 'No Access' error when viewing properties page of a GTM Pool member whose name includes a partition that does not exist on that BIG-IP system. | |
714507-1 | 3-Major | [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server | |
688335-6 | 3-Major | K00502202 | big3d may restart in a loop on secondary blades of a chassis system |
688266-6 | 3-Major | big3d and big3d_install use different logics to determine which version of big3d is newer | |
679316-6 | 3-Major | iQuery connections reset during SSL renegotiation | |
615222-6 | 3-Major | GTM configuration fails to load when it has GSLB pool with members containing more than one colon character★ | |
222220-3 | 3-Major | Distributed application statistics | |
740284-1 | 4-Minor | Virtual servers 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM' | |
712335-2 | 4-Minor | GTMD may intermittently crash under unusual conditions. | |
699733-1 | 4-Minor | DNS NOTIFY not sent to mgmt IP under Zone Transfer Clients list after DNS Express zone update |
Application Security Manager Issues
ID Number | Severity | Solution Article(s) | Description |
716788-1 | 2-Critical | TMM may crash while response modifications are being performed within DoSL7 filter | |
606983-1 | 2-Critical | ASM errors during policy import | |
746394-2 | 3-Major | With ASM CORS set to "Disabled" it strips all CORS headers in response. | |
745802-2 | 3-Major | Brute Force CAPTCHA response page truncates last digit in the support id | |
744347-3 | 3-Major | Protocol Security logging profiles cause slow ASM upgrade and apply policy | |
740719-1 | 3-Major | ASM CSP header parser does not honor unsafe-inline attribute within script-src directive | |
739373 | 3-Major | ASM restart loop after sync from non-ASM to ASM device | |
738789-1 | 3-Major | ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog | |
738211-1 | 3-Major | pabnagd core when centralized learning is turned on | |
737500-1 | 3-Major | Apply Policy and Upgrade time degradation when there are previous enforced rules | |
734228 | 3-Major | False-positive illegal-length violation can appear | |
724414-1 | 3-Major | ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled | |
724032-2 | 3-Major | Searching Request Log for value containing backslash does not return expected result | |
722862 | 3-Major | ASM CAPTCHA sends non url-encoded payload when captcha is submitted by pressing 'Enter' | |
721752-3 | 3-Major | Null char returned in REST for Suggestion with more than MAX_INT occurrences | |
721399-1 | 3-Major | Signature Set cannot be modified to Accuracy = 'All' after another value | |
719459-1 | 3-Major | Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled | |
719005-2 | 3-Major | Login request may arrive corrupted to the backend server after CAPTCHA mitigation | |
718232-3 | 3-Major | Some FTP servers may cause false positive for ftp_security | |
716940-1 | 3-Major | Traffic Learning screen graphs shows data for the last day only | |
716324-1 | 3-Major | CSRF protection fails when the total size of the configured URL list is more than 2 KB | |
715128-2 | 3-Major | Simple mode Signature edit does not escape semicolon | |
713282-2 | 3-Major | Remote logger violation_details field does not appear when virtual server has more than one remote logger | |
712362-4 | 3-Major | ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase | |
711818-4 | 3-Major | Connection might get reset when coming to virtual server with offload iRule | |
711405-2 | 3-Major | K14770331 | ASM GUI Fails to Display Policy List After Upgrade |
704643-2 | 3-Major | Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule | |
701025-3 | 3-Major | BD restart on a device where 'provision.tmmcountactual' is set to a non-default value | |
687759 | 3-Major | bd crash | |
747560-4 | 4-Minor | ASM REST: Unable to download Whitehat vulnerabilities | |
722294-1 | 4-Minor | Reported session ID keeps changing for the same user session when ASM doesn't track sessions | |
720581-1 | 4-Minor | Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files | |
652793 | 4-Minor | "Signature Update Available" message is not cleared by UCS load/sync |
Application Visibility and Reporting Issues
ID Number | Severity | Solution Article(s) | Description |
746941-1 | 2-Critical | avrd memory leak when BIG-IQ fails to receive stats information | |
726852-1 | 2-Critical | AVR inject CSPM event when there is no analytics profile on the virtual server | |
744589-2 | 3-Major | Missing data for Firewall Events Statistics | |
740086-4 | 3-Major | AVR reports ignore partitions for Admin users | |
740024-1 | 3-Major | Web page does not load correctly if load time is enabled | |
737867-2 | 3-Major | Scheduled reports are being incorrectly displayed in different partitions | |
737863-2 | 3-Major | Advanced Filters for Captured Transactions not working on Multi-Blade Platforms | |
648242-3 | 3-Major | K73521040 | Administrator users unable to access all partitions via TMSH for AVR reports |
741767-1 | 5-Cosmetic | ASM Resource :: CPU Utilization statistics are in the wrong scale |
Access Policy Manager Issues
ID Number | Severity | Solution Article(s) | Description |
739716-1 | 1-Blocking | APM Subroutine loops without finishing | |
747621-1 | 2-Critical | Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used | |
745600-2 | 2-Critical | Removal of timer object from tmm timer-ring when a tcl context is released. | |
739674-2 | 2-Critical | TMM might core in SWG scenario with per-request policy. | |
722013-2 | 2-Critical | MCPD restarts on all secondary blades post config-sync involving APM customization group | |
713820-2 | 2-Critical | Pass in IP to urldb categorization engine | |
746768-3 | 3-Major | APMD leaks memory if access policy contains variable/resource assign policy items | |
745654-3 | 3-Major | Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server | |
745574-2 | 3-Major | URL is not removed from custom category when deleted | |
744532-1 | 3-Major | Websso fails to decrypt secured session variables | |
744316-2 | 3-Major | Config sync of APM policy fails with Cannot update_indexes validation error. | |
743437-2 | 3-Major | Portal Access: Issue with long 'data:' URL | |
739939-2 | 3-Major | Ping Access Agent Module leaks memory in TMM. | |
739024-1 | 3-Major | Kerberos auth fails intermittently after upgrade from v14.0.0 | |
738582-2 | 3-Major | Ping Access Agent Module leaks memory in TMM. | |
738397-3 | 3-Major | SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails. | |
737355-2 | 3-Major | HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files | |
737064-1 | 3-Major | ACCESS::session iRule commands may not work in serverside events | |
734316-1 | 3-Major | Per-Request Policy may require enabling SSL Forward Proxy Bypass | |
726616-2 | 3-Major | TMM crashes when a session is terminated | |
725867-1 | 3-Major | ADFS proxy does not fetch configuration for non-floating virtual servers | |
725840-1 | 3-Major | Customization group object is not deleted when SAML resource object is deleted | |
722423-2 | 3-Major | Analytics agent always resets when Category Lookup is of type custom only | |
720757-2 | 3-Major | Without proper licenses Category Lookup always fails with license error in Allow Ending | |
720030-5 | 3-Major | Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U) | |
713655-1 | 3-Major | RouteDomainSelectionAgent might fail under heavy control plane traffic/activities | |
710884-2 | 3-Major | Portal Access might omit some valid cookies when rewriting HTTP request. | |
710044-4 | 3-Major | Portal Access: same-origin AJAX request may fail in some case. | |
707953-3 | 3-Major | Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page | |
706797-2 | 3-Major | Portal Access: some multibyte characters in JavaScript code may not be handled correctly | |
706374-5 | 3-Major | Heavy use of APM Kerberos SSO can sometimes lead to memory corruption | |
704587-3 | 3-Major | K15450552 | Authentication with UTF-8 chars in password fails for ActiveSync users |
704524-5 | 3-Major | [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries | |
703984-8 | 3-Major | Machine Cert agent improperly matches hostname with CN and SAN | |
701800-1 | 3-Major | SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x | |
698836-1 | 3-Major | Increased APM session capacity is not available after installing an APM session count License | |
660654 | 3-Major | The APM 'epsec refresh' CLI command works incorrectly if install package is deleted |
WebAccelerator Issues
ID Number | Severity | Solution Article(s) | Description |
701977-6 | 3-Major | Non-URL encoded links to CSS files are not stripped from the response during concatenation |
Service Provider Issues
ID Number | Severity | Solution Article(s) | Description |
745397-2 | 2-Critical | Virtual server configured with FIX profile can leak memory. | |
747187-1 | 3-Major | SIP falsely detects media flow collision when SDP is in both 183 and 200 response | |
746825-2 | 3-Major | MRF SIP ALG with SNAT: Ephemeral listeners not created for un-subscribed outgoing calls | |
746731-2 | 3-Major | BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set | |
745628-2 | 3-Major | MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message | |
745514-2 | 3-Major | MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message | |
744949-2 | 3-Major | MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix | |
744275-2 | 3-Major | BIG-IP system sends Product-Name AVP in CER with Mandatory bit set | |
742829-2 | 3-Major | SIP ALG: Do not translate and create media channels if the RTP port defined in the SIP message is 0 | |
741951-5 | 3-Major | Multiple extensions in SIP NOTIFY request cause message to be dropped. | |
738070-1 | 3-Major | Persist value for the RADIUS Framed-IP-Address attribute is not correct | |
727288-2 | 3-Major | Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC | |
709383-1 | 3-Major | DIAMETER::persist reset non-functional |
Advanced Firewall Manager Issues
ID Number | Severity | Solution Article(s) | Description |
726090 | 2-Critical | No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense | |
724532-3 | 2-Critical | SIG SEGV during IP intelligence category match in TMM | |
726154-3 | 3-Major | TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies | |
724679-1 | 3-Major | Non-attacking IP addresses could be logged along with attacking IP addresses when DoS detects an attack | |
720242-1 | 3-Major | GUI for AFM rules shows protocol value IPENCAP for rules under rule-list | |
663946-5 | 3-Major | VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments | |
707054-2 | 4-Minor | SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162 |
Policy Enforcement Manager Issues
ID Number | Severity | Solution Article(s) | Description |
747065-4 | 3-Major | PEM iRule burst of session ADDs leads to missing sessions | |
746344-2 | 3-Major | PEM may not establish diameter connection across HA switchover | |
726011-3 | 3-Major | PEM transaction-enabled policy action lookup optimization to be controlled by a sys db | |
709670-4 | 3-Major | K44067891 | iRule triggered from RADIUS occasionally fails to create subscribers. |
663874-1 | 3-Major | K77173309 | Off-box HSL logging does not work with PEM in SPAN mode. |
719107-1 | 4-Minor | Message type is not displayed in CLI and incorrect message type is displayed in GUI for Subscriber Management diameter protocol profile message type CCA-T. |
Carrier-Grade NAT Issues
ID Number | Severity | Solution Article(s) | Description |
744516-3 | 2-Critical | TMM panics after a large number of LSN remote picks | |
723658-2 | 2-Critical | TMM core when processing an unexpected remote session DB response. | |
669645-4 | 2-Critical | K44021449 | tmm crashes after LSN pool member change |
727212-2 | 3-Major | Subscriber-id query using full length IPv6 address fails. | |
721579-2 | 4-Minor | LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing |
Fraud Protection Services Issues
ID Number | Severity | Solution Article(s) | Description |
742037-4 | 3-Major | FPS live updates do not install when minor version is different | |
738669-1 | 3-Major | Login validation may fail for a large request with early server response | |
737368-2 | 3-Major | Fingerprint cookie large value may result in tmm core. | |
719186-1 | 3-Major | Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts | |
716318-1 | 3-Major | Engine/Signatures automatic update check may fail to find/download the latest update | |
741449-2 | 4-Minor | alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts |
Anomaly Detection Services Issues
ID Number | Severity | Solution Article(s) | Description |
741761-2 | 2-Critical | admd might fail the heartbeat, resulting in a core | |
739277-2 | 2-Critical | TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode | |
714334-2 | 2-Critical | admd stops responding and generates a core while under stress. | |
741993-2 | 3-Major | The BIG-IP system does not answer the request matching L7 policy that disabled DOSL7 when BADOS configured. | |
720585-2 | 3-Major | Signatures generated by Behavioral DOS algorithm can create false-positive signatures | |
718772-1 | 3-Major | The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists) |
Traffic Classification Engine Issues
ID Number | Severity | Solution Article(s) | Description |
737379-1 | 3-Major | URLCAT doesn't work when there are uppercase characters in the feedlist | |
726303-2 | 3-Major | Unlock 10 million custom db entry limit | |
741435-1 | 4-Minor | Using local traffic policies with type 'CE Profile', a new rule does not have the option to classify traffic |
Device Management Issues
ID Number | Severity | Solution Article(s) | Description |
718033-3 | 3-Major | REST calls fail after installing BIG-IP software or changing admin passwords | |
710809-3 | 3-Major | Restjavad hangs and causes GUI page timeouts |
iApp Technology Issues
ID Number | Severity | Solution Article(s) | Description |
726872-1 | 3-Major | IApp LX directory disappears after upgrade or restoring from ucs★ |
Known Issue details for BIG-IP v14.0.x
747968-1 : DNS64 stats not increasing when requests go through dns cache resolver
Component: Local Traffic Manager
Symptoms:
DNS64 stats are not incrementing when running the tmsh show ltm profile dns or in tmctl profile_dns_stat commands if responses are coming from dns cache resolver.
Conditions:
DNS responses are coming from dns cache resolver.
Impact:
DNS64 stats not correct.
Workaround:
There is no workaround at this time.
747799-1 : Upgrade failure from 11.5.4-hf2 to a version larger than 11.5.4 due to clientssl profile with empty cert/key configuration.
Component: TMOS
Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration.
Due to a bug (614675) that exists in 11.5.4-hf2 (and only in 11.5.4-hf2), it is possible to create an invalid clientSSL profile with an empty cert-key-chain in 11.5.4-hf2 (see the example below). Note that this upgrade failure has a unique symptom: the typo "defualt_rsa_ckc".
ltm profile client-ssl /Common/cssl {
    app-service none
    cert none
    cert-key-chain {
        "" { }                 <============= empty cert-key-chain
        defualt_rsa_ckc {      <===== a typo "defualt"
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    key none
}
When you upgrade such a configuration from 11.5.4-hf2 to any larger version, you will receive a validation error, and the configuration will fail to load after upgrade.
Conditions:
The issue occurs when all of the following conditions are met.
1. You are using 11.5.4-hf2, and have created an invalid clientSSL profile with empty cert-key-chain.
2. You upgrade to any larger version.
Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
"/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- Loading schema version: 11.5.4 Loading schema version: 13.1.0.8 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file. Unexpected Error: Loading configuration process failed.
Workaround:
To work around this situation, fix the configuration of the profile in /config/bigip.conf, either before the upgrade (in 11.5.4-hf2) or after the upgrade failure:
ltm profile client-ssl /Common/cssl {
    app-service none
    cert none              <=== fill cert name, e.g. "/Common/default.crt"
    chain none
    cert-key-chain {
        "" { }             <====== remove
        defualt_rsa_ckc {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    key none               <=== fill key name, e.g. "/Common/default.key"
}
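A pre-upgrade check for this condition, added here as an example (not F5 code): a small parser for tmsh-style config text that reports client-ssl profiles carrying an empty-named cert-key-chain entry, plus the telltale "defualt_rsa_ckc" name from the note above. The sample config is constructed to mirror the broken profile shown above; run it against a copy of /config/bigip.conf.

```python
import re

# Constructed sample modelled on the broken profile shown in the release note (not a real bigip.conf).
SAMPLE_BIGIP_CONF = """\
ltm profile client-ssl /Common/cssl {
    app-service none
    cert none
    cert-key-chain {
        "" { }
        defualt_rsa_ckc {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    key none
}
ltm profile client-ssl /Common/clean {
    app-service none
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
}
"""

# A block opened and closed on one line, e.g. the '"" { }' entry that triggers the upgrade failure.
_EMPTY_BLOCK = re.compile(r"^(?P<header>.*?)\s*\{\s*\}$")


def parse_tmsh(text):
    """Parse tmsh-style config (one statement per line, braces for nesting) into nested dicts.

    Leaf statements become {key: value}; blocks become {header: {...}}. Good enough for
    auditing; it does not try to handle multi-line quoted values.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
            continue
        empty = _EMPTY_BLOCK.match(line)
        if empty:
            stack[-1][empty.group("header")] = {}
            continue
        if line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
            continue
        key, _, value = line.partition(" ")
        stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced opening brace")
    return root


def audit_clientssl_profiles(conf_text):
    """Return (profile, entry, reason) tuples for client-ssl profiles with a malformed cert-key-chain.

    reason is "empty-entry" for an entry with an empty name or no fields (the entry that makes
    the config fail to load after upgrade) and "typo-name" for the 'defualt_rsa_ckc' signature.
    """
    findings = []
    for header, body in parse_tmsh(conf_text).items():
        if not header.startswith("ltm profile client-ssl "):
            continue
        profile = header.split()[-1]
        chains = body.get("cert-key-chain")
        if not isinstance(chains, dict):
            continue
        for entry, fields in chains.items():
            if entry.strip('"') == "" or not fields:
                findings.append((profile, entry, "empty-entry"))
            elif entry == "defualt_rsa_ckc":
                findings.append((profile, entry, "typo-name"))
    return findings


if __name__ == "__main__":
    for profile, entry, reason in audit_clientssl_profiles(SAMPLE_BIGIP_CONF):
        print(f"{profile}: cert-key-chain entry {entry}: {reason}")
```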
747676-2 : Remote logging needs 'localip' to set source IP properly
Component: TMOS
Symptoms:
The source IP of log entries sometimes uses a self IP.
Conditions:
It happens when configuring the management IP and route takes longer than syslog-ng takes to start.
Impact:
Remote log entry has wrong source IP address.
Workaround:
Use the localip keyword to force a specific source IP address, for example:
udp("1.1.1.9" port (514) localip("100.100.100.101"));
747628-2 : BIG-IP sends spurious ICMP PMTU message to server
Component: Local Traffic Manager
Symptoms:
After negotiating an MSS in the TCP handshake, BIG-IP then sends an ICMP PMTU message because the packet is too large.
Conditions:
The serverside allows timestamps and the clientside doesn't negotiate them.
The clientside MTU is lower than the serverside's.
There is no ICMP message on the clientside connection.
Impact:
Unnecessary retransmission by the server, and suboptimal xfrag sizes (and possibly packet sizes).
Workaround:
Disable timestamps on the serverside TCP profile, or proxy-mss on the clientside profile.
747621-1 : Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used
Component: Access Policy Manager
Symptoms:
Native VMware Horizon client fails to authenticate against APM if a RADIUS challenge is used, e.g., the RADIUS server performs two-factor authentication.
Conditions:
1. Native VMware Horizon client is used to connect via APM.
2. RADIUS authentication agent is present in Access Policy.
3. RADIUS server asks for challenge response (e.g. 2FA).
Impact:
Authentication fails. User can't get access to VMware Horizon resources.
Workaround:
None.
747560-4 : ASM REST: Unable to download Whitehat vulnerabilities
Component: Application Security Manager
Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.
Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.
Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided, and it must be downloaded manually, or the GUI must be used.
Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.
747187-1 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response
Component: Service Provider
Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.
Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.
Impact:
Media does not flow on pinholes for which a collision was detected and reported.
Workaround:
None
747077 : Potential crash in TMM when updating pool members
Component: Local Traffic Manager
Symptoms:
In very rare cases, TMM can crash while updating pool members.
Conditions:
The conditions that lead to this are not known.
Impact:
TMM crashes, which can cause a failover or outage.
Workaround:
There is no workaround.
747065-4 : PEM iRule burst of session ADDs leads to missing sessions
Component: Policy Enforcement Manager
Symptoms:
Some PEM sessions that were originally added later disappear and cannot be added back.
Conditions:
-- Subscriber addition is done by iRule on UDP virtual servers.
-- The sessions are added in a burst.
-- A small fraction of such sessions cannot be added back after delete.
Impact:
Policies available in the missing session cannot be accessed.
Workaround:
Add a delay of at least a few milliseconds between adding multiple sessions with the same subscriber-id and IP address.
746941-1 : avrd memory leak when BIG-IQ fails to receive stats information
Component: Application Visibility and Reporting
Symptoms:
avrd leaks memory when it fails to send statistical information to BIG-IQ.
Conditions:
BIG-IP is used by BIG-IQ version 6.0.0 or higher, and stats collection is enabled.
In addition, BIG-IQ has a malfunction that prevents it from receiving the statistical information that BIG-IP sends (for example, all DCDs are down, or there is no network connection between BIG-IP and BIG-IQ).
Impact:
avrd memory usage increases over time, leading to an avrd restart when it becomes too large.
Workaround:
Fix the connectivity issue between BIG-IP and BIG-IQ. This not only prevents the memory leak but also restores more important functionality, such as the visibility and alert features in BIG-IQ.
746922-5 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
Component: Local Traffic Manager
Symptoms:
When a routing entity belonging to the child route domain searches for an egress point for a traffic flow, it searches the child domain's routing table first; if nothing is found there, it searches the parent route domain and returns the best routing entry found.
If the best routing entry comes from the parent route domain, the routing entity holds that entry and uses it to forward the traffic flow. Later, a new route entry is added to the child route domain's routing table, and this entry could be better than the previously selected one. The previously selected entry does not get invalidated, however, so the routing entity holding it keeps forwarding traffic to the less preferable egress point.
Example:
RD0 (parent) -> RD1 (child)
routing table: default gw for RD0 is 0.0.0.0/0%0
pool member is 1.1.1.1/32%1
-
The pool member searched for the best egress point, found nothing in the routing table for route domain 1, and then found a routing entry in the parent route domain: 0.0.0.0/0%0.
Later a new gw for RD1 was added, 0.0.0.0/0%1, which is more preferable for the 1.1.1.1/32%1 pool member. The entry 0.0.0.0/0%0 should be (but is not) invalidated, which would force the pool member to search for a new routing entry and find the better one if it exists, in this case 0.0.0.0/0%1.
Conditions:
1) There is more than one route domain, in a parent-child relationship.
2) The parent route domain has routing entries good enough to be selected as an egress point for a routing object (for instance, a pool member) from the child route domain.
3) A routing entry from the parent route domain was selected as the egress point for the object from the child route domain.
4) A new routing entry is added to the child route domain.
Impact:
If a newly added route is more preferable than the existing one in a different route domain, the new route is not used by a routing object that previously selected the "old" route. Traffic from these routing objects therefore flows to an unexpected or incorrect egress point. This can produce undesirable behavior: the old route may be unreachable so that all traffic for a specific pool member is dropped, a virtual server may be unable to find an available SNAT address, or simply the wrong egress interface is used.
Workaround:
There are several ways. Either of these workarounds should be applied after a new route in the child domain has been added.
- Recreate a route.
Recreate the parent route domain's routes. Restart the tmrouted daemon if the routes were gathered via routing protocols.
-----
- Recreate a routing object.
If a pool member is affected, recreate the pool member.
If a SNAT pool list is affected, recreate it.
And so on.
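A model of the lookup behaviour described above, added as an illustration (not BIG-IP code): a child route domain falls back to its parent, a pool member caches the entry it selected, and a generation counter on the child table is the invalidation the note says is missing. The reproduce() function replays the RD0/RD1 scenario both with and without that invalidation; route domain ids and gateway labels are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str      # constructed label for the egress point, e.g. "gw-rd0"
    rd: int           # route domain the entry belongs to


class RouteDomain:
    """Routing table with optional parent fallback, as the release note describes."""

    def __init__(self, rd_id, parent=None):
        self.id, self.parent, self.routes = rd_id, parent, []
        self.generation = 0   # bumped on every table change; consulted by PoolMember.egress()

    def add_route(self, cidr, gateway):
        self.routes.append(Route(ipaddress.ip_network(cidr), gateway, self.id))
        self.generation += 1

    def lookup(self, address):
        """Longest-prefix match in this RD; if nothing matches, fall back to the parent RD."""
        addr = ipaddress.ip_address(address)
        matches = [r for r in self.routes if addr in r.prefix]
        if matches:
            return max(matches, key=lambda r: r.prefix.prefixlen)
        return self.parent.lookup(address) if self.parent else None


class PoolMember:
    """Routing object that holds on to the egress entry it selected (the pool member in the note)."""

    def __init__(self, address, rd, invalidate_on_child_change):
        self.address, self.rd = address, rd
        self.invalidate = invalidate_on_child_change   # False reproduces the bug, True the expected behaviour
        self._cached, self._cached_gen = None, None

    def egress(self):
        stale = self.invalidate and self._cached_gen != self.rd.generation
        if self._cached is None or stale:
            self._cached = self.rd.lookup(self.address)
            self._cached_gen = self.rd.generation
        return self._cached


def reproduce(invalidate_on_child_change):
    """Replay the note's example; returns the gateway in use before and after the RD1 route is added."""
    rd0 = RouteDomain(0)
    rd1 = RouteDomain(1, parent=rd0)
    rd0.add_route("0.0.0.0/0", "gw-rd0")                # default gw for RD0: 0.0.0.0/0%0
    member = PoolMember("1.1.1.1", rd1, invalidate_on_child_change)   # pool member 1.1.1.1/32%1
    before = member.egress()                             # nothing in RD1, parent's default is selected
    rd1.add_route("0.0.0.0/0", "gw-rd1")                # new, more preferable default gw: 0.0.0.0/0%1
    after = member.egress()
    return before.gateway, after.gateway


if __name__ == "__main__":
    print("without invalidation (bug):", reproduce(False))
    print("with invalidation (expected):", reproduce(True))
```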
746825-2 : MRF SIP ALG with SNAT: Ephemeral listeners not created for un-subscribed outgoing calls
Component: Service Provider
Symptoms:
When a temporary registration is created for an un-subscribed user making an outgoing call, an ephemeral listener to receive incoming messages is not created.
Conditions:
If the nonregister-subscriber-callout attribute in the siprouter-alg profile is enabled and an unregistered client device places an outgoing call, a temporary registration is created. This temporary registration lives for the life of the call. If the connection from the client is closed during the lifetime of the temporary registration, it is not possible for an external device to reach the client.
Impact:
The callee of an outgoing call initiated by an unregistered SIP device will not be able to end the call.
Workaround:
There is no workaround at this time.
746768-3 : APMD leaks memory if access policy contains variable/resource assign policy items
Component: Access Policy Manager
Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.
Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.
Impact:
APMD's memory footprint will increase whenever the access policy is applied.
Workaround:
There is no workaround.
746731-2 : BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
Component: Service Provider
Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.
Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Firmware-Revision AVP.
Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.
Workaround:
Configure an iRule in the MRF transport-config, for example:
ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 267 0
        }
    }
}
746719-2 : zrd sets recursion desired and can't edit NS records when bind set recursion yes
Component: Global Traffic Manager (DNS)
Symptoms:
While attempting to use ZoneRunner to edit NS records, the following error is reported:
01150b21:3: RCODE returned from query: 'SERVFAIL'.
Conditions:
-- Recursion is enabled in bind.
-- Bind is not able to reach the referenced Name Server.
Impact:
Administrator is unable to use ZoneRunner to edit NS records.
Workaround:
Set recursion to no for bind.
746657-2 : tmsh help for FQDN node or pool member shows incorrect default for fqdn interval
Component: TMOS
Symptoms:
The tmsh help text for LTM nodes and pools shows the incorrect default for the fqdn 'interval' value.
The default is indicated as the TTL, whereas the actual default value is 3600 seconds (1 hour).
The configured value is displayed correctly if the node or pool is displayed using the 'all-properties' keyword.
Conditions:
Always.
Impact:
FQDN nodes and pool members may be created with a different fqdn refresh interval than intended.
Workaround:
When creating an FQDN node or pool member, specify the desired fqdn 'interval' value (either TTL, or the desired number of seconds).
746620-2 : "source-port preserve" broken on BIG-IP VE
Component: Performance
Symptoms:
VE uses RSS hashing for selecting TMMs which has the side effect of causing "source-port preserve" to reuse ports aggressively. This can ultimately lead to connection failures.
Conditions:
BIG-IP virtual edition with "source-port preserve" configured on a fastl4 virtual server.
Impact:
Connections may fail due to reusing ports too quickly.
Workaround:
Set source-port to "change".
746464-2 : MCPD sync errors and restart after multiple modifications to file object in chassis
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.
746394-2 : With ASM CORS set to "Disabled" it strips all CORS headers in response.
Component: Application Security Manager
Symptoms:
All access-control-* headers are removed by ASM, including Cross-Origin Resource Sharing (CORS) headers. This causes CORS-related JavaScript errors in the browser console and blocks cross-domain requests that should be allowed.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Backend server sends CORS headers (access-control-*).
Impact:
Web applications that send cross-origin AJAX requests may break.
Workaround:
Set up an iRule on the virtual server, for example:
when HTTP_RESPONSE {
    array set header_list { }
    foreach header_name [HTTP::header names] {
        if { [string tolower $header_name] starts_with "access-control-" } {
            set header_list($header_name) [HTTP::header $header_name]
        }
    }
}
when HTTP_RESPONSE_RELEASE {
    foreach header_name [array names header_list] {
        if {!([HTTP::header exists $header_name])} {
            HTTP::header insert $header_name $header_list($header_name)
        }
    }
}
746344-2 : PEM may not establish diameter connection across HA switchover
Component: Policy Enforcement Manager
Symptoms:
PEM may not establish a Diameter connection across an HA switchover if 25 days have elapsed between the switchovers.
Conditions:
25 days have elapsed between switchovers.
Impact:
The Diameter connection may not be established.
Workaround:
Restart tmm.
746266-2 : vCMP guest VLAN MAC mismatch across blades.
Component: TMOS
Symptoms:
Guests running on blades in a single chassis report different MAC addresses for a single VLAN after the host is rebooted for the vCMP guest.
Conditions:
This issue may be seen when all of the following conditions are met:
- One (or more) blade(s) are turned off completely via AOM.
- Two VLANs are created.
- A multi-slot guest is deployed with the VLAN whose name sorts lexicographically higher.
- The VLAN whose name sorts lower is then assigned to the guest.
- The host is rebooted.
Impact:
Incorrect MAC addresses are reported by some blades.
Workaround:
There is no workaround at this time.
746078-2 : Upgrades break existing iRulesLX workspaces that use node version 6
Component: Local Traffic Manager
Symptoms:
When upgrading a BIG-IP with iRulesLX plugins, if those plugins are based on workspaces that use node version 6 (instead of version 0.12) they will fail to work properly after the upgrade once the plugin is reloaded from the workspace.
Errors like this will be seen in /var/log/ltm:
Oct 5 06:37:12 B7200-R14-S36 info sdmd[17582]: 018e0017:6: pid[26853] plugin[/Common/test-jt-plugin.test-jt-extension] Starting the server.....jt...after upgrade...
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: Resuming log processing at this invocation; held 233 messages.
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] /var/sdm/plugin_store/plugins/:Common:test-jt-plugin_62858_3/extensions/test-jt-extension/node_modules/f5-nodejs/lib/ilx_server.js:30
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ILXServerWrap = process.binding('ILXServerWrap').ILXServerWrap;
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ^
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] Error: No such module: ILXServerWrap
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] at Error (native)
Conditions:
Upgrading a BIG-IP system that uses an iRulesLX workspace based on node version 6, then reloading the iRulesLX plugin from the workspace.
Impact:
The iRulesLX plugin no longer works.
Workaround:
- Navigate to the workspace folder on the BIG-IP (/var/ilx/workspaces/<partition>/<workspace name>).
- Make the file "node_version" writable (chmod +w node_version).
- Edit the node_version file: change "0.12" to "6".
- Save the node_version file.
- Make the file "node_version" read-only (chmod -w node_version).
- Reload the iRulesLX plugin from the workspace.
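The file-edit steps of this workaround, as an added POSIX shell example that is not part of the release note or of F5's tooling. It assumes the workspace root path /var/ilx/workspaces/<partition>/<workspace name> given above and adds the checks an operator would want before touching the file (refuse unexpected content, keep a backup, verify the result). The final step, reloading the iRulesLX plugin from the workspace, is not performed by this script and is done as the entry describes.

```shell
# Added example (not from the release note): applies the node_version edit
# of the 746078-2 workaround with safety checks.
# Usage: fix_ilx_node_version <workspace directory>
# Returns 0 if node_version now reads "6", 1 otherwise.
fix_ilx_node_version() {
    ws_dir=$1
    nv_file="$ws_dir/node_version"

    [ -f "$nv_file" ] || { echo "no node_version file in $ws_dir" >&2; return 1; }

    # Only edit the case the entry describes (0.12 -> 6); refuse anything else.
    current=$(tr -d '[:space:]' < "$nv_file")
    case "$current" in
        6)    echo "$nv_file already reads 6; nothing to do"; return 0 ;;
        0.12) ;;
        *)    echo "unexpected node_version '$current'; refusing to edit" >&2; return 1 ;;
    esac

    cp -p "$nv_file" "$nv_file.bak" || return 1   # keep a copy of the original
    chmod +w "$nv_file" || return 1               # make the file writable
    printf '6\n' > "$nv_file" || return 1         # change "0.12" to "6" and save
    chmod -w "$nv_file" || return 1               # make the file read-only again

    # Confirm the edit took effect before the plugin is reloaded.
    [ "$(tr -d '[:space:]' < "$nv_file")" = "6" ]
}

# Convenience wrapper: partition and workspace name, using the workspace
# root path stated in the release note (assumed, not verified here).
fix_ilx_workspace() {
    fix_ilx_node_version "/var/ilx/workspaces/$1/$2"
}
```

Run it as a user allowed to modify the workspace (for example `fix_ilx_workspace Common my-workspace`), then reload the plugin from the workspace as the last step above describes. The backup file lets the change be reverted if the reload still fails.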
745923-1 : Virtual server may reset a connection with port zero when client sends ACK after a 4-way close
Component: Local Traffic Manager
Symptoms:
The virtual server sends a reset with port zero.
Conditions:
Here is an observed sequence that triggers the problem:
1. Three-way handshake initiated by the client to the VIP.
2. Client actively closes the connection (4-way close).
3. Client continues to send ACKs after the 4-way close.
Impact:
The virtual server sends an incorrect reset.
Workaround:
There is no workaround at this time.
745825-2 : The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading
Component: TMOS
Symptoms:
This message may be logged while the audit_forwarder is loading the configuration:
audit_forwarder is disabled as the configuration is incomplete. Please define the following db variables: config.auditing.forward.sharedsecret, config.auditing.forward.destination and config.auditing.forward.type. And make sure config.auditing.forward.destination is not set to "::".
These DB variables may all be actually configured correctly, but since the configuration has not loaded yet this message may be logged multiple times.
Conditions:
The audit_forwarder process is starting up and loading the configuration.
Impact:
Confusing error messages in /var/log/ltm. Logging will still work as configured.
Workaround:
There is no workaround.
745802-2 : Brute Force CAPTCHA response page truncates last digit in the support id
Component: Application Security Manager
Symptoms:
The Brute Force CAPTCHA response page shown to an end user includes a support ID whose last digit is truncated.
Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- ASM Brute Force Protection enabled in the ASM policy.
- ASM Brute Force sends the CAPTCHA mitigation page when a website is under brute force attack.
Impact:
The support ID presented to the end user does not match the one shown in the ASM logs.
Workaround:
There is no workaround at this time.
745654-3 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
Component: Access Policy Manager
Symptoms:
When many TCP connections require a new Kerberos ticket to be fetched from the KDC, websso processes requests more slowly than they arrive. This can lead to low throughput, and the virtual server is very slow to respond to requests.
Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.
Impact:
Low throughput and slow responses from the virtual server.
Workaround:
There is no workaround at this time.
745628-2 : MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
Component: Service Provider
Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALG with SNAT after a NOTIFY message has been processed.
Conditions:
This occurs because the NOTIFY message has the TO and FROM headers with the same value, causing the ALG to enter hairpin mode.
Impact:
Media addresses in the SDP payload are not translated.
Workaround:
There is no workaround.
745600-2 : Removal of timer object from tmm timer-ring when a tcl context is released.
Component: Access Policy Manager
Symptoms:
If a tcl context is associated with a tmm timer (while creating an access session) using an iRule, the timer object is removed when the tcl context is released, but its association remains. When the timer fires, it accesses memory that has already been freed, causing tmm to crash and generate a core.
Conditions:
Creating an access session using an iRule.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
745589-5 : In very rare situations, some filters may cause data-corruption.
Component: Local Traffic Manager
Symptoms:
In very rare situations, an internal data-moving function may cause corruption.
Filters that use the affected functionality are:
HTTP2, Sip, Sipmsg, MQTTsession, serdes_diameter, FTP.
Conditions:
The affected filters are used, and some very rare situation occurs.
Impact:
This may cause silent data corruption, or a TMM crash.
Workaround:
There is no workaround at this time.
745574-2 : URL is not removed from custom category when deleted
Component: Access Policy Manager
Symptoms:
When an administrator deletes a URL from a custom category, it should be removed from the category and no longer match that category. In certain cases, the URL is not removed effectively.
Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.
Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.
Workaround:
Running "bigstart restart tmm" resolves the issue.
745514-2 : MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
Component: Service Provider
Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALG with SNAT after a SUBSCRIBE message has been processed.
Conditions:
This occurs because the SUBSCRIBE message has the TO and FROM headers with the same value, causing the ALG to enter hairpin mode.
Impact:
Media addresses in the SDP payload are not translated.
Workaround:
There is no workaround.
745397-2 : Virtual server configured with FIX profile can leak memory.
Component: Service Provider
Symptoms:
System memory use increases with each transmitted FIX message, eventually leading to a tmm crash.
Conditions:
-- Virtual server configured with a FIX profile.
-- FIX profile specifies a message-log-publisher.
Impact:
Memory leak. Specifically, in the xdata cache. Potential traffic disruption while tmm restarts.
Workaround:
If possible, discontinue use of message logging functionality. Removing the message-log-publisher from the FIX profile stops xdata growth.
744949-2 : MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix
Component: Service Provider
Symptoms:
SIP response messages have the wrong IP address in the FROM header when using NAT64.
Conditions:
If the client's IPv6 address does not match the virtual server's configured IPv6 prefix, the FROM header on a response message has a different IP address than the request message.
Impact:
The SIP ALG with SNAT system will be unable to establish a call for the client.
Workaround:
There is no workaround at this time.
744787-3 : Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias
Component: Global Traffic Manager (DNS)
Symptoms:
The WideIP alias is replaced.
Conditions:
An alias exists for one WideIP, and the same alias is added to another WideIP.
Impact:
The previous WideIP's alias is replaced.
Workaround:
Avoid adding an alias that already exists on another WideIP.
744707-3 : Fixed crash related to DNSSEC key rollover
Component: Global Traffic Manager (DNS)
Symptoms:
When the system is running out of memory, a DNSKEY rollover event can cause a tmm core dump.
Conditions:
System low on or out of memory.
DNSKEY rollover event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
744686-1 : Wrong certificate can be chosen during SSL handshake
Component: Local Traffic Manager
Symptoms:
If two certificates of the same type are configured in an SSL profile, one marked 'usage CA' and the other not, the wrong one could be chosen during the handshake.
Conditions:
Two certificates of the same type are configured in an SSL profile.
Impact:
The wrong certificate could be chosen during the handshake.
Workaround:
Do not configure two certificates of the same type on an SSL profile.
744589-2 : Missing data for Firewall Events Statistics
Component: Application Visibility and Reporting
Symptoms:
Some of the statistical information collected for Firewall events is lost and not reported.
When this happens, the following message appears in the avrd log:
Some rows of load_stat_firewall_events_<some number> not loaded
Conditions:
AFM is in use. There is no particular condition that leads to the loss of statistics; it usually occurs under heavy activity.
Impact:
Statistical reports of Firewall Events are missing some of the activity that actually took place.
Workaround:
There is no workaround at this time.
744532-1 : Websso fails to decrypt secured session variables
Component: Access Policy Manager
Symptoms:
Whenever websso tries to decrypt secure session variables, the following errors are seen in /var/log/apm:
Aug 15 21:36:25 abcd err websso.0[20421]: 014d0028:3: /Common/Test_PRP:Common:2b8e7abc: Master Decrypt failed for user test with error 'ckDecrypt: invalid ciphertext'
Aug 15 21:36:25 abcd info websso.0[20421]: 014d0009:6: /Common/Test_PRP:Common:2b8e7abc: Websso basic authentication for user 'test' using config '/Common/sso_test_obj'
Conditions:
- Per-req policy is attached to virtual server.
- Secure subsession variables are assigned to session variables using Variable Assign Agent in per-req policy.
- SSO Configuration Select agent is used in per-req policy.
Impact:
Single Sign-On (SSO) won't work correctly.
Workaround:
There is no workaround at this time.
744520-2 : Virtual server with PEM profile drops traffic received from VXLAN-GRE tunnel interface
Component: TMOS
Symptoms:
A virtual server with a PEM profile drops traffic received from a VXLAN-GRE tunnel interface.
Conditions:
Virtual server with a PEM profile and a VXLAN-GRE tunnel interface.
Impact:
Traffic drop.
Workaround:
There is no workaround.
744516-3 : TMM panics after a large number of LSN remote picks
Component: Carrier-Grade NAT
Symptoms:
TMM panics with the assertion "nexthop ref valid" failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.
Conditions:
An LSN pool with remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.
Impact:
TMM restarts. Traffic is interrupted.
Workaround:
There is no workaround.
744347-3 : Protocol Security logging profiles cause slow ASM upgrade and apply policy
Component: Application Security Manager
Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.
Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.
Impact:
ASM upgrade and apply policy are delayed.
Workaround:
There is no workaround at this time.
744316-2 : Config sync of APM policy fails with Cannot update_indexes validation error.
Component: Access Policy Manager
Symptoms:
The config sync operation fails for an APM policy when a policy item of the same name points to a different agent on the source and target.
The system posts errors similar to the following:
Sync error on rfang-vemgmt.lab.labnet.com: Load failed from /Common/rfang-ve-3mgmt.lab.labnet.com 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (access_policy_item_agent) object ID (/Common/resm_act_message_box_1 /Common/resm_act_message_box_ag_1). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:access_policy_item_agent status:13)"
Conditions:
This occurs in the following scenario:
1. Configure a failover device group containing two BIG-IP systems.
2. Create an APM access profile on one unit.
+ Launch VPE for the policy.
+ Add a macro.
+ In macro add an agent, e.g., Message box.
+ Add macro to the main policy.
3. Initiate config sync to another device.
4. On one BIG-IP system, add another Message box agent using the same macro. On the other BIG-IP system, make a copy of the access profile.
5. On either BIG-IP system, initiate another config sync operation.
Impact:
Unable to sync configuration in a failover device group.
Workaround:
You can work around this using the following procedure:
1. On the device receiving the config sync, delete the APM policies that contain the referenced APM policy items.
2. Perform an overwrite-config-sync operation from the sending device to this device.
744275-2 : BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
Component: Service Provider
Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.
Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Product-Name AVP.
Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.
Workaround:
Configure an iRule in the MRF transport-config, for example:
ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 269 0
        }
    }
}
744252-1 : BGP route map community value: either component cannot be set to 65535
Component: TMOS
Symptoms:
The community value for BGP route map entries should allow values of 1-65535 for both components, but it is not allowing 65535 for either component.
Conditions:
-- Using BGP route map community values.
-- Attempting to set one or both components to 65535.
Impact:
Unable to use the full range of BGP route map community values.
Workaround:
There is no workaround at this time.
744210-3 : DHCPv6 does not have the ability to override the hop limit from the client.
Component: Local Traffic Manager
Symptoms:
A DHCPv6 packet may be dropped by a device downstream of the DHCP relay if the client-provided hop limit is 1.
Conditions:
DHCPv6 Relay configured on the BIG-IP.
Impact:
Loss of DHCPv6 service.
Workaround:
There is no workaround at this time.
743900-2 : Custom DIAMETER monitor requests do not have their 'request' flag set
Component: Local Traffic Manager
Symptoms:
Using the technique detailed in K14536: Customizing the BIG-IP Diameter monitor (https://support.f5.com/csp/article/K14536) to create custom DIAMETER monitor requests fails for any request that uses the numeric form of a DIAMETER command code, because the 'request' flag is not set in the DIAMETER packet.
Conditions:
-- Using custom DIAMETER monitor requests.
-- Using numeric DIAMETER command codes.
Impact:
The monitor probes fail because the BIG-IP system does not set the DIAMETER 'request' flag for requests it sends when using a numeric value for the command code, so the DIAMETER server treats the request as a response.
Workaround:
None.
743810-2 : AWS: Disk resizing in m5/c5 instances fails silently.
Component: TMOS
Symptoms:
Resizing the disk in an m5/c5 instance in AWS has no impact on the disk size, and this operation fails silently.
Conditions:
BIG-IP system deployed in AWS with an m5/c5 instance type, which uses NVMe disks instead of the usual native paravirtualized disks.
Impact:
Disk resizing fails; administrators cannot grow the instance disk in response to their requirements and instance utilization post-deployment.
Workaround:
There is no workaround.
743790-2 : BIG-IP system should trigger a HA failover event when expected HSB device is missing from PCI bus
Component: TMOS
Symptoms:
In some rare circumstances, the HSB device might drop off the PCI bus, resulting in the BIG-IP system not being able to pass traffic. However, no high availability (HA) failover condition is triggered, so the BIG-IP system stays active.
Conditions:
The HSB drops off the PCI bus. This occurs in response to certain traffic patterns (an FPGA issue) that have not yet been determined.
Impact:
No failover to standby unit after this error condition, causing site outage.
Workaround:
None.
743437-2 : Portal Access: Issue with long 'data:' URL
Component: Access Policy Manager
Symptoms:
An HTML page may contain a very long 'data:' URL, which Portal Access cannot handle correctly.
Conditions:
An HTML page with a very long 'data:' URL similar to the following example:
data:image/png;base64,...
Such URLs might be several megabytes long.
Impact:
The rewrite plugin cannot process HTML pages with very long URLs and restarts. The page is not sent to the end user client; web application may not work correctly.
Workaround:
There is no workaround at this time.
743271 : Querying vCMP Health Status May Show Stale Statistics
Component: TMOS
Symptoms:
Stale statistics collected while the guest was running a pre-13.1.0 version may periodically be seen when querying vCMP health status in the Configuration Utility or via tmsh show vcmp health commands.
Conditions:
This issue may be seen when all of the following conditions are met:
- The vCMP guest is deployed on more than one blade.
- The vCMP guest is upgraded from a pre-13.1.0 release to 13.1.0 or above.
Impact:
Health status is not always accurately reported.
Workaround:
The issue may be resolved by setting the guest status temporarily to configured and then back to deployed.
743257-2 : Fix block size insecurity init and assign
Component: Local Traffic Manager
Symptoms:
After an HA failover, the block size insecurity checks can create the conditions for an infinite loop, causing tmm to be killed by the sod daemon via SIGABRT.
Conditions:
Rare; not reproducible.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
743132-5 : mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile
Component: TMOS
Symptoms:
On a chassis platform, if 'tmsh modify sys httpd ssl-certificate' is run immediately after creating a new certificate file, it's possible for mcpd to restart on the secondary blades. This happens when it takes longer for csyncd to copy the new certificate file to the other blades than it takes mcpd to send the modify message to the other blades.
Conditions:
Chassis platform with multiple blades.
Setting the httpd ssl-certificate to a new file.
Impact:
mcpd stops on secondary blades, causing those blades to go offline for a short time while mcpd and other daemons restart.
Workaround:
When setting the httpd ssl-certificate to a new file, wait a few seconds after creating the file before issuing the tmsh modify command.
743116-3 : Chunked responses may be incorrectly handled by HTTP/2
Component: Local Traffic Manager
Symptoms:
When a chunked HTTP response is serialized by HTTP/2, the chunking headers should be removed. This does not occur in some cases.
Conditions:
The HTTP/2 filter is used, and some other profiles are used on the same virtual server. (In particular, the request logging profile triggers this issue.)
Impact:
The HTTP/2 payload will include chunking headers, corrupting it.
Workaround:
An iRule may be used to detect an HTTP/2 client and forcibly turn on unchunking in the HTTP_RESPONSE event.
Example:
ltm rule unchunk_http2 {
    when HTTP_REQUEST {
        set is_http2 [HTTP2::active]
    }
    when HTTP_RESPONSE {
        if { $is_http2 } {
            HTTP::payload unchunk
        }
    }
}
742838-2 : A draft policy of an existing published policy cannot be modified if it is in /Common and used by a virtual server in a different partition
Component: Local Traffic Manager
Symptoms:
If a published policy in /Common is in use by a virtual server in a different partition and you try to create and modify a draft of that policy, you get an error like this:
"01070726:3: Policy /Common/Drafts/test-policy in partition Common cannot reference policy reference /Common/Drafts/test-policy /test/test-vs in partition test"
This happens in both the GUI and TMSH.
Conditions:
-- A published policy exists in /Common.
-- The published policy is attached to a virtual server in a different partition.
-- Attempt to create and modify a draft of the policy.
Impact:
Inability to edit the published policy.
Workaround:
None.
742829-2 : SIP ALG: Do not translate and create media channels if the RTP port defined in the SIP message is 0
Component: Service Provider
Symptoms:
The BIG-IP system incorrectly handles SDP media ports. The UAC sends an SDP message body advertising that it can handle voice, text, and video. The UAS responds, indicating that video is not desired by setting the video port to '0'. The BIG-IP system does not honor the fact that the UAS does not want video and translates video port '0' to an ephemeral port, causing the UAC to believe it must open a video channel. When the UAC sends a video connection request, the BIG-IP system sends the request to the wrong port (the media port for text), which causes the connection to fail.
Conditions:
RTP media port defined in the SIP message is set to 0.
Impact:
Improper media channel creation.
Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.
742753-3 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail
Component: TMOS
Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.
Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:
- Remove the Referer header.
- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.
Impact:
Users cannot log on to the BIG-IP system's WebUI.
Workaround:
As a workaround, you can do any of the following things:
- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).
- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).
- Modify the proxy solution so that it inserts compatible Referer and Host headers.
742627-1 : SSL session mirroring may cause memory leakage if HA channel is down
Component: Local Traffic Manager
Symptoms:
If SSL session mirroring is enabled, but the HA channel is down, attempts to mirror may result in memory leakage.
Conditions:
- SSL session mirroring enabled
- HA channel is down
Impact:
Memory leakage over time resulting in eventual memory pressure leading to performance degradation and possible TMOS restart.
Workaround:
Ensuring that the HA peer is present and connected will avoid the leakage. Otherwise, no reasonable workaround exists short of disabling SSL session mirroring.
742419-2 : BIG-IP NIC teaming of SR-IOV interfaces does not work under VMware ESXi
Component: TMOS
Symptoms:
Configuring multiple SR-IOV interfaces into a trunk does not function correctly when running BIG-IP as a guest under VMware ESXi. The interface will show as uninitialized.
Conditions:
A system that passes SR-IOV virtual functions directly to a BIG-IP guest when running on VMware ESXi.
Impact:
The trunk will fail to initialize.
Workaround:
None.
742237-3 : CPU spikes appear wider than actual in graphs
Component: Local Traffic Manager
Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.
Conditions:
CPU usage has spikes.
Impact:
Graphs of CPU spikes appear to last longer than they actually last.
Workaround:
Restart statsd to change the start of the RRD sampling interval.
742184-2 : TMM memory leak
Component: Local Traffic Manager
Symptoms:
-- High TMM memory utilization;
-- Aggressive sweeper activated;
-- The 'packet', 'xdata' and 'xhead' caches in the memory_usage_stat tmstat table have high 'allocated' and 'curr_allocs' numbers with a steadily increasing profile.
Conditions:
A fastL4 and a L7 profile (e.g. HTTP) are assigned to a virtual server.
Impact:
Degraded performance, possible TMM crash due to out-of-memory condition.
Workaround:
Do not add a L7 profile to a fastL4 virtual server.
742170-1 : REST PUT command fails for data-group internal
Component: TMOS
Symptoms:
Cannot change content of existing data-group internal using REST PUT command.
Conditions:
Using REST API.
Impact:
Cannot modify data-group internal via the REST API.
Workaround:
Add 'type' in the content.
742037-4 : FPS live updates do not install when minor version is different
Component: Fraud Protection Services
Symptoms:
Installing an update file with a different minor version fails.
For example, installing an update file versioned 13.1.1 on BIG-IP version 13.1.0.
Conditions:
FPS is licensed and provisioned.
Impact:
FPS engine and signature cannot be updated.
Workaround:
N/A
741993-2 : The BIG-IP system does not answer the request matching an L7 policy that disabled DOSL7 when BADOS is configured.
Component: Anomaly Detection Services
Symptoms:
The BIG-IP system does not answer the request matching the L7 policy that disabled DOSL7 when BADOS is configured. The connection hangs.
Conditions:
1. Create a DoS profile Behavioral & Stress-based (D)DoS Detection.
2. Create an L7 policy to disable DoS profile (even on all URLs).
3. Attach both to a virtual server.
4. Send a request to the virtual server.
Impact:
Connection hangs.
Workaround:
There is no workaround other than disabling the Behavioral & Stress-based (D)DoS Detection from the DoS profile.
741951-5 : Multiple extensions in SIP NOTIFY request cause message to be dropped.
Component: Service Provider
Symptoms:
When SIP NOTIFY messages are sent with a request URI that contains multiple client extensions, the system does not forward the message as expected.
Conditions:
SIP NOTIFY messages sent with a request URI that contains multiple client extensions.
Impact:
NOTIFY message is not forwarded.
Workaround:
None.
741919-2 : HTTP response may be dropped following a 100 continue message.
Component: Local Traffic Manager
Symptoms:
When a 100 response is quickly followed by another HTTP response (2xx/4xx), the second response might be dropped.
Conditions:
When a 100 response is quickly followed by another HTTP response (i.e., a 2xx/4xx response arrives within a few microseconds).
Impact:
The second response might be dropped, so the end user client might not receive all the HTTP responses coming from the server.
Note: This does not happen all the time, and depends on how the underlying data packets are formed and delivered to the HTTP filter.
Workaround:
You can use either of the following workarounds:
-- Use an iRule to disable the HTTP filter in the HTTP_REQUEST event.
-- Disable LRO by running the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
741902-2 : sod does not validate message length vs. received packet length
Component: TMOS
Symptoms:
sod may crash or produce unexpected behavior.
Conditions:
If a malformed network failover packet is received by sod, it may cause an invalid memory access.
Impact:
sod may crash, causing a failover.
Workaround:
None.
741814-1 : Auto Last Hop for management connections cannot be disabled/enabled
Component: Local Traffic Manager
Symptoms:
Disabling/Enabling Auto Last Hop for management connections does not take effect. By default, it is enabled and stays enabled after a change.
Conditions:
-- Manual BIG-IP Management Port Configuration is configured. IP address and Network Mask is set, but Management Route is empty.
-- Auto Last Hop for management connections is disabled.
# tmsh mod ltm global-settings general mgmt-auto-last-hop disable
-- BIG-IP system is rebooted.
# full_box_reboot
Impact:
Auto Last Hop for management connections is still enabled on management interface and the BIG-IP system is still accessible outside local management network.
Workaround:
To work around this issue:
1. Move the lasthop.modules script to the /etc/sysconfig/sysinit directory using the following command:
# mv -v /etc/sysconfig/modules/lasthop.modules /etc/sysconfig/sysinit/00activate-early-lasthop.sysinit
2. Reboot the BIG-IP system.
# full_box_reboot
741767-1 : ASM Resource :: CPU Utilization statistics are in wrong scale
Component: Application Visibility and Reporting
Symptoms:
Security :: Reporting : ASM Resources : CPU Utilization have the wrong scale for statistics.
Conditions:
Having the 'CPU Utilization' statistics under 'ASM Resources' available.
Impact:
Wrong scale of statistics.
Workaround:
To work around this issue:
1. Edit the following file: /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
2. Remove all division by 100 on 'formula' of each entity.
3. Save the change and restart monpd (bigstart restart monpd).
741761-2 : admd might fail the heartbeat, resulting in a core
Component: Anomaly Detection Services
Symptoms:
When the system is under heavy I/O stress, admd might fail the heartbeat (which is required by sod, the failover daemon), so sod kills the admd daemon, resulting in a core.
Conditions:
-- System is under heavy I/O stress.
-- admd fails the heartbeat.
Impact:
The system generates an admd core file. Traffic disrupted while admd restarts.
Workaround:
None.
741599-1 : After upgrade, Client SSL profile may have extra cert-key-chain structure
Component: TMOS
Symptoms:
Extra cert-key-chain structure appears in Client SSL profile after upgrade from pre-v14.0.0 versions to v14.0.0. The extra cert-key-chain object with a 'usage CA' attribute appears even when the SSL profile is not configured for SSL forward proxy prior to upgrade.
The 'usage CA' cert-key-chain structure is expected when an SSL profile is configured for SSL forward proxy.
Conditions:
-- SSL profiles have had their 'proxy-ca-cert' and 'proxy-ca-key' attributes modified (even if simply set to the default value of 'none' explicitly).
-- The built-in 'clientssl' profile, if that profile has been modified via the GUI.
-- Upgrade from pre-v14.0.0 versions to v14.0.0.
Impact:
Extraneous 'usage CA' cert-key-chain entries added to configuration after upgrade.
Workaround:
Before upgrading, use tmsh to set the 'proxy-ca-cert' and 'proxy-ca-key' attributes values back to their default by specifying the value as 'default-value'.
After upgrade on an affected system, for SSL profiles that are not configured for SSL forward proxy:
1. Delete the extra cert-key-chain object.
2. Edit the configuration file with a text editor and remove the 'proxy-ca-cert' and 'proxy-ca-key' attributes for those profiles.
3. Re-load the configuration using the following command: tmsh load sys config
741449-2 : alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
Component: Fraud Protection Services
Symptoms:
A JAVASCRIPT_THRESHOLD alert should contain 2 timestamps:
1. The component-validation cookie timestamp (set on cookie creation).
2. The current BIG-IP timestamp.
Currently, these timestamps are not available in the alert details.
Conditions:
A JAVASCRIPT_THRESHOLD alert is triggered.
Impact:
It is impossible to analyze the alert.
Workaround:
There is no workaround at this time.
741435-1 : Using local traffic policies with type 'CE Profile', a new rule does not have the option to classify traffic
Component: Traffic Classification Engine
Symptoms:
In a local traffic policy with type 'CE Profile', a new rule does not have the option to classify traffic.
Conditions:
-- PEM, AFM, APM, or SWG is provisioned.
-- Local traffic policy with type 'CE Profile'.
-- Create a new rule.
Impact:
No GUI option to classify traffic. Cannot use the GUI to reclassify traffic using LTM Policies.
Workaround:
Use TMSH to configure the policies and rules for classifying traffic.
741423-3 : Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
Component: TMOS
Symptoms:
When provisioning ASM for the first time on a device that is already linked in a high availability (HA) config-sync configuration, any other cluster device that is on the trust domain experiences mcpd restarting on all secondary blades due to a configuration error.
The system logs messages similar to the following in /var/log/ltm:
-- notice mcpd[12369]: 010718ed:5: DATASYNC: Done initializing datasync configuration for provisioned modules [ none ].
-- err mcpd[9791]: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.
-- err mcpd[9791]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.... failed validation with error 16908342.
-- notice mcpd[12369]: 0107092a:5: Secondary slot 2 disconnected.
Conditions:
-- Cluster devices are joined in the trust for HA or config-sync.
-- Provisioning ASM or FPS on clusters which are already joined in a trust.
-- ASM and FPS have not been provisioned on any of the devices: this is the first ASM/FPS provisioning in the trust.
Impact:
Traffic on all secondary blades is interrupted while mcpd restarts. Then, traffic is resumed.
Workaround:
Before provisioning ASM/FPS (but after setting up a trust configuration):
1. On the device on which ASM/FPS is about to be provisioned, create the datasync-global-dg device group and add all of the available devices.
For example, if there are two devices in the Trust Domain: test1.lab.com and test2.lab.com, and you plan to provision ASM/FPS for the first time on test1.lab.com, first run the following command from test1.lab.com:
tmsh create cm device-group datasync-global-dg devices add { test1.lab.com test2.lab.com }
2. Do not sync the device group.
3. Then on test1.lab.com, you can provision ASM/FPS.
740963-1 : VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart
Component: Local Traffic Manager
Symptoms:
VIP-on-VIP traffic might cause TCP retransmit bursts, which in certain situations can cause tmm to restart.
Conditions:
- Virtual server handling TCP traffic.
- iRule using the 'virtual' command.
Impact:
Temporary memory consumption and potential for tmm to restart. Traffic disrupted while tmm restarts.
Workaround:
None.
740959-3 : User with manager rights cannot delete FQDN node on non-Common partition
Component: Local Traffic Manager
Symptoms:
A user that has manager rights for a non-Common partition, but not for the /Common partition, may be denied delete privileges for an FQDN template node that is created on the non-Common partition for which the user does have manager rights.
This occurs because ephemeral nodes created from the FQDN template node are 'shared' in the /Common partition, so the delete transaction fails because the user has insufficient permissions to delete the dependent ephemeral nodes on the /Common partition.
Conditions:
-- A user is created with manager rights for a non-Common partition.
-- That user does not have manager rights for the /Common partition.
-- At least one ephemeral node is created from that FQDN template node (due to DNS lookup), which is not also shared by other FQDN template nodes.
-- That user attempts to delete an FQDN template node on the non-Common partition for which the user has manager rights.
Impact:
The transaction to delete the FQDN template node fails due to insufficient permissions. No configuration changes occur as a result of the FQDN template node-delete attempt.
Workaround:
You can use either of the following workarounds:
-- Perform the FQDN template node-delete operation with a user that has manager rights to the /Common partition.
-- Create the FQDN template node on the /Common partition.
740746-1 : RSA key creation fails for generating key/csr pair when using gen-csr challenge-password
Component: TMOS
Symptoms:
Generating an RSA key together with a CSR via the tmsh command fails when using the key password options.
Response from create sys crypto key command when using challenge-password option:
Syntax Error: Key creation doesn't support challenge-password option.
Response from create sys crypto key command when using prompt-for-password option:
Syntax Error: Key creation doesn't support prompt-for-password option.
Conditions:
This issue happens while using either of the key password protect options while generating CSR and RSA key via tmsh command: create sys crypto key.
Impact:
Cannot generate password-protected RSA key via tmsh command.
Workaround:
There is no workaround.
740719-1 : ASM CSP header parser does not honor unsafe-inline attribute within script-src directive
Component: Application Security Manager
Symptoms:
Browser reports Content-Security-Policy error when ASM modifies the 'Content-Security-Policy' (CSP) header.
Conditions:
1. ASM provisioned.
2. ASM policy attached to a virtual server.
3. CSRF or Ajax blocking page enabled within ASM policy.
4. Backend server sends 'Content-Security-Policy' header with 'script-src' 'unsafe-inline' directive.
Impact:
Browser posts 'Content-Security-Policy' error and stops JavaScript execution.
Workaround:
Disable 'Content-Security-Policy' header parsing for ASM policies. To do so, follow these steps:
1. Run the following command:
/usr/share/ts/bin/add_del_internal add csp_enabled 0
2. Restart ASM by running the following command:
bigstart restart asm
740589-2 : mcpd crash with core after 'tmsh edit /sys syslog-all-properties'
Component: TMOS
Symptoms:
Syslog-ng consumes more than 95% CPU starving other processes of CPU time. This leads to eventual mcpd crash with core.
Conditions:
Configuring nonexistent local IP addresses and remote log server.
Impact:
Abnormal CPU usage. Potential eventual mcpd crash with core.
Workaround:
To mitigate the issue, you can use either of the following:
-- Follow these two steps:
1. Remove the remote log server from the configuration.
2. Replace the nonexistent local IP addresses with self IP addresses.
-- Configure the remote destination host with a unique parameter in the configuration so that syslog does not get confused if there are multiple entries:
udp(190.45.32.51 port(514) localip(190.46.2.221) persist-name(r1));
udp(190.45.32.51 port(514) localip(190.46.2.222) persist-name(r2));
udp(190.200.60.1 port(514) localip(190.46.2.221) persist-name(r3));
udp(190.200.60.1 port(514) localip(190.46.2.222) persist-name(r4));
740517-2 : Application Editor users are unable to edit HTTPS Monitors via the Web UI
Component: TMOS
Symptoms:
A user with the Application Editor role cannot modify an HTTPS Monitor via the GUI. The user is sent the following misleading and incorrect error message: Access Denied: user does not have delete access to object (ssl_cert_monitor_param)
Conditions:
The logged-in GUI user has the Application Editor role for the partition containing the HTTPS Monitor.
Impact:
The user must use TMSH to modify an HTTPS Monitor.
Workaround:
Run the following tmsh command: modify ltm monitor https
740490 : Configuration changes involving HTTP2 or SPDY may leak memory
Component: Local Traffic Manager
Symptoms:
If virtual servers which have HTTP2 or SPDY profiles are updated, then the TMM may leak memory.
Conditions:
-- A virtual server has a HTTP2 or SPDY profile.
-- Any configuration object attached to that virtual server changes.
Impact:
The TMM leaks memory, and may take longer to execute future configuration changes. If the configuration changes take too long, the TMM may be restarted by SOD.
Workaround:
None.
740413-2 : sod not logging Failover Condition messages
Component: TMOS
Symptoms:
When a failsafe fault occurs, sod does not log a message indicating that the device is unable to become Active.
Conditions:
Failsafe fault.
Impact:
No 'Failover Condition' messages logged in /var/log/ltm.
Workaround:
None.
740284-1 : Virtual servers 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'
Component: Global Traffic Manager (DNS)
Symptoms:
Virtual servers on generic-hosts may be marked as Yellow, with a message of 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'.
Conditions:
The conditions under which this occurs are not known.
Impact:
Virtual server is marked Yellow erroneously 'In Maintenance Mode'.
Workaround:
Use any of the following to reset the condition:
-- Restart gtmd by issuing the following command:
bigstart restart gtmd
-- Restart the system.
-- Remove any monitors from the affected server, save the configuration, and then add any required monitors.
-- Delete the affected server from the configuration and recreate it.
740135-2 : Traffic Group ha-order list does not load correctly after reset to default configuration
Component: TMOS
Symptoms:
After resetting the BIG-IP configuration to default (i.e., 'tmsh load sys config default'), if a configuration is loaded where the name of the self-device changes, this may cause the self-device to be removed from any traffic group HA Order lists.
Conditions:
-- Must be loading a configuration after resetting to default.
-- Must have at least one traffic group using the 'HA Order' Failover Method.
Impact:
Incorrect HA configuration.
Workaround:
Reload the configuration a second time.
740086-4 : AVR report ignore partitions for Admin users
Component: Application Visibility and Reporting
Symptoms:
The behavior of AVR's reporting feature changed after an upgrade.
Reports generated for specific partition include data from all partitions.
Conditions:
-- Users with Admin role.
-- AVR provisioned.
-- AVR profile configured and attached to a virtual server.
-- User with Admin role creates Scheduled Reports or uses GUI to view AVR reports.
Impact:
AVR GUI pages or Scheduled Reports defined for one partition include AVR data from other partitions.
Workaround:
One workaround is to have non-Admin users generate reports.
For non-Admin users, the partition is honored.
740024-1 : Web page does not load correctly if load time is enabled
Component: Application Visibility and Reporting
Symptoms:
The web page does not load correctly. The TSPD_101 cookie is not present. All headers after the f5_cspm cookie are ignored.
Conditions:
-- AVR profile is attached to a virtual server.
-- Load time is enabled.
Impact:
Resources, such as scripts and CSS, are blocked when using Bot Defense Browser Verification due to anomaly 'Resource request without browser verification cookie'.
Workaround:
There is no workaround.
739963-3 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
Component: Local Traffic Manager
Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.
Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.
Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.
Workaround:
To restore the state of the member, remove it and add it back to the pool.
739939-2 : Ping Access Agent Module leaks memory in TMM.
Component: Access Policy Manager
Symptoms:
Whenever a ping access request traverses through apm_ivs (internal virtual server) to the Ping Access Agent (e.g., Cache-Miss), a memory leak occurs.
Conditions:
Ping Access Agent request that is not served from local cache (e.g., in the Cache-Miss case).
Impact:
The slow memory leak might eventually cause TMM to restart. Traffic disrupted while tmm restarts.
Workaround:
None.
739872-1 : The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover
Component: TMOS
Symptoms:
Running the 'load sys config verify' command for a configuration that would alter the high availability (HA) Group score for a Traffic Group can cause the HA group score to be updated.
Conditions:
Run 'load sys config verify' with configuration data that affects a Traffic Group's HA Group score.
Impact:
Unintended failover.
Workaround:
None.
739716-1 : APM Subroutine loops without finishing
Component: Access Policy Manager
Symptoms:
Some APM subroutines never finish. In authentication use cases, the end-users will continue to see logon pages, even after submitting correct credentials. In SWG confirm-and-continue use cases, the end-users will continue to see confirm boxes, even if they had already clicked "continue".
Conditions:
APM with a subroutine. Reproducibility will vary by platform and deployment.
Impact:
Subroutines never finish. End-users are not able to access resources.
Workaround:
Restarting TMM resolves the issue.
739674-2 : TMM might core in SWG scenario with per-request policy.
Component: Access Policy Manager
Symptoms:
TMM can core when Secure Web Gateway (SWG) is configured, and SSL is resumed through per-request policy.
Conditions:
-- SWG is configured.
-- SSL is resumed through per-request policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
739638-3 : BGP failed to connect with neighbor when pool route is used
Component: Local Traffic Manager
Symptoms:
BGP peering fails to be established.
Conditions:
- Dynamic routing enabled.
- BGP peer connect through a pool route or ECMP route.
Impact:
BGP dynamic route paths are not created.
Workaround:
Use a gateway route.
739553-2 : Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
Component: Global Traffic Manager (DNS)
Symptoms:
Wide IP persistence is not working. Previous Wide IP persistence records are cleared.
Conditions:
This occurs when the Wide IP Persistence TTL plus the persist-record creation time is greater than 4294967295.
Impact:
Wide IP persistence does not work.
Workaround:
There is no workaround other than not setting Wide IP Persistence TTL to a number greater than 4294967295.
739533-5 : In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config
Component: TMOS
Symptoms:
If mcpd loses connection with a peer in the middle of a config sync operation when a large file is being transferred, the temporary copy of that file in /config/filestore/.snapshots_d/ might not be deleted. If this happens enough times with large enough files, those temporary files might fill the /config filesystem.
Conditions:
-- A config sync of a large file is happening.
-- The mcp connection between peers is lost.
Impact:
When that happens, the temporary files that should be deleted, might not be. This is not a problem until the issue has occurred many times, leaving many temporary files, at which point /config can run out of space. /config may get to 100% full. Having /config at 100% full might cause config sync to fail, prevent configuration changes, and other issues.
Workaround:
Delete all files in /config/filestore/.snapshots_d that are more than an hour old.
739379-1 : Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error
Component: Local Traffic Manager
Symptoms:
In a situation where multiple SSL forward proxies are connected via virtual targeting, the SNI value extracted from the ClientHello and saved in the 1st layer of SSL forward proxy may get overwritten by the 2nd layer of SSL forward proxy. When this happens, certificate verification fails when the 1st layer of SSL forward proxy attempts to validate the certificate.
Conditions:
Two SSL forward proxies connected via virtual command in iRule.
Impact:
Client traffic gets random reset.
Workaround:
None.
739373 : ASM restart loop after sync from non-ASM to ASM device
Component: Application Security Manager
Symptoms:
When two or more devices are configured with the Configuration Management interface in a sync-failover device group: if one of the devices does not have ASM provisioned while another one does, performing a config sync of the sync-failover device group from the non-ASM device causes the /Common/asm-hidden folder to be deleted along with its content.
The next time ASM is restarted (for any reason) on one of the ASM devices, ASM keeps restarting in a loop. Messages similar to the following appear in /var/log/ltm :
-- err mcpd[6550]: 01070734:3: Configuration error: Can't associate Bot Signature Category (/Common/asm-hidden/ASM-search-engines) folder does not exist.
Similarly, messages like the following appear in /var/log/ts/ts_debug.log:
asm|INFO|Jul 30 12:03:02.481|5282|,,01070734:3: Configuration error: Can't associate Bot Signature Category (/Common/asm-hidden/ASM-search-engines) folder does not exist.
Conditions:
- Two or more devices are connected with a sync-failover device group.
- One device has ASM provisioned, while another device does not have ASM provisioned.
- Performing a sync from the non-ASM device to the ASM device.
Impact:
-- Search Engines are not applied on JavaScript challenges.
-- Upon an ASM restart, ASM restarts in a loop, and the device will remain offline.
Workaround:
Reload the configuration by running the following command:
tmsh save sys config && tmsh load sys config
As an alternative, re-provision ASM by running the following command:
tmsh modify sys provision asm level nominal
739349-2 : LRO segments might be erroneously VLAN-tagged.
Component: Local Traffic Manager
Symptoms:
Segments being processed for large receive offload (LRO) (the action the system performs to aggregate multiple incoming packets within a buffer before passing them up) might be erroneously VLAN-tagged when LRO is enabled.
Conditions:
-- TCP LRO enabled.
-- Egress VLAN untagged.
Impact:
Egress traffic might sometimes be tagged.
Workaround:
Disable TCP LRO. To enable or disable LRO functionality, you can use the following command syntax:
tmsh modify sys db tm.tcplargereceiveoffload value <enable | disable>
739277-2 : TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode
Component: Anomaly Detection Services
Symptoms:
TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode
Conditions:
-- The virtual server is deleted during POST data.
-- BADOS configured in standard/aggressive mode.
Impact:
TMM core; traffic does not pass through until TMM restarts.
Workaround:
You can work around this issue using either of the following options if you plan to delete a virtual server:
-- First detach the DoS protection profile.
-- Remove BADOS configuration or change BADOS mitigation to Conservative.
739118-2 : Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
Component: TMOS
Symptoms:
After changing existing self IP addresses directly in the bigip_base.conf file and loading the changed configuration, the BIG-IP routing service provides out-of-date self IP route information to dependent services.
Conditions:
- Self IP address is configured on the BIG-IP system.
- Manually change the IP address of a self IP in bigip_base.conf file.
- Load changed configuration via tmsh.
Impact:
Different services have different route information:
-- tmsh table - has the old route.
-- Dynamic routing - has the old and new routes.
-- Kernel table - has the new route.
Workaround:
There are two workarounds, preventive and corrective.
Preventive:
Do not manually change self IP addresses in the bigip_base.conf file. This is not a recommended way to add or change BIG-IP configuration. Use the GUI or tmsh instead.
Corrective:
If the changed configuration has already been loaded, use the GUI or tmsh to delete the changed self IP address, then create a self IP address with the old IP address and delete it as well. All affected routes are then removed.
739024-1 : Kerberos auth fails intermittently after upgrade from v14.0.0
Component: Access Policy Manager
Symptoms:
Kerberos auth fails and the client gets a credentials prompt (although authentication does not work even when entering credentials).
Conditions:
1. Configure SWG explicit or transparent proxy.
2. Configure start -> 401 negotiate -> variable assign <session.server.network.name = return "your_proxy_fqdn"> (required for Kerberos auth) -> Kerberos auth in main access policy.
3. Configure start -> SSL check -> [HTTPS | HTTP ] -> category lookup -> allow in per-request policy.
4. Send HTTP/HTTPS request from explicit or transparent client.
Impact:
Kerberos authentication fails.
Workaround:
Change the permission and ownership of the Kerberos keytab file with these commands:
chmod 640 <Kerberos keytab file>
chgrp root <Kerberos keytab file>
738945-3 : SSL persistence does not work when there are multiple handshakes present in a single record
Component: Local Traffic Manager
Symptoms:
SSL persistence hangs while parsing arbitrarily large SSL records comprising multiple handshake messages.
Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.
Impact:
SSL persistence parser fails to parse such messages. The parser incorrectly computes the length without recognizing that this is a multiple-message record. If the length is found to be arbitrarily large, the parser hangs while incorrectly waiting to receive the entire record.
Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.
After changing or disabling persistence, the transaction succeeds and no longer hangs.
738789-1 : ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog
Component: Application Security Manager
Symptoms:
ASM blocks requests when a request payload is an XML document with a prolog line at the beginning containing encoding="us-ascii".
Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- ASM handles XML traffic with encoding="us-ascii" (this is very unlikely; the common case is encoding="utf-8").
Impact:
Blocked XML requests.
Workaround:
Remove the XML profile from the URL in the ASM policy, or disable XML malformed document detection via the ASM policy blocking settings.
738669-1 : Login validation may fail for a large request with early server response
Component: Fraud Protection Services
Symptoms:
In the case of a large request/response, if FPS needs to store ingress and egress chunks in a buffer for additional processing (ingress: for parameter parsing; egress: for login validation's banned/mandatory strings check or script injection), and the server responds fast enough, the buffer may contain mixed parts of the request and response. This may have several effects, from incorrectly performing login validation to generating a tmm core file.
Conditions:
-- Login validation is enabled and configured to check for banned/mandatory string.
-- A username parameter is configured.
-- There are no parameters configured for encrypt/HTML Field Obfuscation (HFO), and no decoy parameters.
-- There is a large request and response.
-- The system responds very quickly.
Impact:
This results in one or more of the following:
-- Login validation failure/skip.
-- Bad response/script injection.
-- tmm core. In this case, traffic is disrupted while tmm restarts.
Workaround:
None.
738582-2 : Ping Access Agent Module leaks memory in TMM.
Component: Access Policy Manager
Symptoms:
While handling Ping Access Request, if the internal events passing between modules fail, it might cause a memory leak inside TMM.
Conditions:
Internal events passing between Ping Access Request processing modules fail.
Impact:
Ping Access Agent Module leaks memory in TMM.
Workaround:
None.
738523-1 : SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages
Component: Local Traffic Manager
Symptoms:
When monitoring an SMTP server that emits multi-line '250' responses to the initial 'HELO' message, the monitor fails. If monitor logging is enabled on the pool member, the system posts an error similar to the following in the monitor log:
09:50:08.580145:(_Tcl /Common/mysmtp): ERROR: failed to complete the transfer, Failed to identify domain.
Conditions:
-- Monitoring an SMTP server.
-- SMTP server is configured to return a multi-line '250' response to the initial 'HELO' message.
Impact:
The pool member is marked down even though it is actually up.
Workaround:
None.
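The following is an added example (not F5 code and not the BIG-IP monitor's own implementation) of how a custom or external monitor should read SMTP replies: RFC 5321 marks every line but the last of a multi-line reply with a hyphen after the code ('250-...'), and the reply is complete only at the line with a space, or nothing, after the code. The sample session below is constructed.

```python
"""SMTP reply parser that handles multi-line replies (RFC 5321 section 4.2.1).

Added example; not F5 code and not the BIG-IP SMTP monitor's own logic. It
reads from an in-memory byte stream so it runs offline; an external monitor
script would read the same bytes from a socket.
"""
import io


def read_reply(stream):
    """Read one complete SMTP reply from a binary stream.

    A reply is one or more lines of the form 'XYZ-text' (more lines follow)
    or 'XYZ text' / 'XYZ' (final line). All lines carry the same 3-digit code.
    Returns (code, [text of each line]) or raises ValueError on bad input.
    """
    code = None
    texts = []
    while True:
        raw = stream.readline()
        if not raw:
            raise ValueError("peer closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed reply line: %r" % line)
        this_code = int(line[:3])
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changed mid-reply: %d -> %d" % (code, this_code))
        sep = line[3:4]
        texts.append(line[4:])
        if sep == "-":
            continue  # continuation line; keep reading
        if sep in ("", " "):
            return code, texts  # final line of the reply
        raise ValueError("bad separator in reply line: %r" % line)


def parse_reply_bytes(data):
    """Convenience wrapper: parse one reply held in a bytes object."""
    return read_reply(io.BytesIO(data))


def helo_exchange(stream):
    """Monitor-style check: expect a 220 greeting, then the reply to HELO.

    The HELO itself is not written anywhere (there is no socket here); the
    stream already holds the server's answer. Returns the domain the server
    identified itself with plus the full 250 text.
    """
    code, _ = read_reply(stream)
    if code != 220:
        raise ValueError("unexpected greeting code %d" % code)
    code, texts = read_reply(stream)
    if code != 250:
        raise ValueError("HELO rejected with code %d" % code)
    domain = texts[0].split()[0] if texts and texts[0].split() else ""
    if not domain:
        raise ValueError("failed to identify domain")
    return domain, texts


# Constructed sample session: the server answers HELO with a multi-line 250,
# which is exactly the case the monitor in this ID mishandles.
SAMPLE_SESSION = (
    b"220 mail.example ESMTP ready\r\n"
    b"250-mail.example Hello monitor.example\r\n"
    b"250-SIZE 10240000\r\n"
    b"250 HELP\r\n"
)


def demo():
    return helo_exchange(io.BytesIO(SAMPLE_SESSION))


if __name__ == "__main__":
    print(demo())
```

The domain check mirrors the 'Failed to identify domain' error in the log line above: it is taken from the first word of the first 250 line, which is only reliable once the whole reply has been read.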
738521-3 : i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
Component: Local Traffic Manager
Symptoms:
A trunk configured between a BIG-IP i4x00/i2x00 platform and an upstream switch may go down due to the presence of the VLAN tag.
Conditions:
LACP configured between a BIG-IP i4x00/i2x00 platform and an upstream switch.
Impact:
Trunks are brought down by upstream switch.
Workaround:
There is no workaround other than disabling LACP.
738450-2 : Parsing pool members as variables with IP tuple syntax
Component: Local Traffic Manager
Symptoms:
There is a config loading warning at tmsh similar to the following: unexpected end of arguments;expected argument spec:PORT.
Conditions:
A Tcl variable is used for the IP tuple instead of a plain value.
Impact:
The iRule LB::reselect command may not recognize an IP tuple passed as a variable, and tmsh shows a warning.
Note: There is no warning in the GUI.
Workaround:
Use plain value instead of variable.
738397-3 : SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
Component: Access Policy Manager
Symptoms:
For a BIG-IP system configured as IdP, in the SAML-IdP-initiated case: If the IdP has a Per-Request policy (in addition to a V1 policy), such that the Per-Request policy has a subroutine or a subroutine macro with a logon page, the system reports access failure on running the policy.
The error logged is similar to the following: '/Common/sso_access:Common:218f759e: Authorization failure: Denied request for SAML resource /Common/saml_resource_obj1&state=000fffff032db022'.
Conditions:
-- BIG-IP system configured as IdP.
-- SAML IdP initiated case in which the following is true:
+ The IdP has a Per-Request policy (in addition to a V1 policy).
+ That Per-Request policy has a subroutine or a subroutine macro with a logon page.
Impact:
Access is denied. The request URI has '&state=<per-flow-id>' appended to the SAML Resource name.
Workaround:
None.
738211-1 : pabnagd core when centralized learning is turned on
Component: Application Security Manager
Symptoms:
pabnagd (the process responsible for automated and manual policy building operations) restarts and generates a core file. This might result in a loss of learning progress.
Note: This is a very rarely occurring issue.
Conditions:
Centralized learning is enabled for a policy.
Impact:
If there are locally learned policies, the system might lose some number of hours of learning progress. How many hours might be lost depends on the version, as follows:
-- For 13.1.0: 24 hours (12 hours, on average).
-- For 14.0.0: 1 hour (1/2 hour, on average).
Workaround:
None.
738070-1 : Persist value for the RADIUS Framed-IP-Address attribute is not correct
Component: Service Provider
Symptoms:
Using the RADIUS Framed-IP-Address attribute as a persistence value does not work correctly.
Conditions:
Using RADIUS and persisting on the Framed-IP Address attribute (RADIUS AVP 8).
Impact:
RADIUS requests may not be persisted to the servers they should be.
Workaround:
Use an iRule to persist instead, e.g.:
ltm rule radius-persistence {
    when CLIENT_DATA {
        # Persist on the Framed-IP-Address AVP (attribute 8) using universal persistence.
        persist uie [RADIUS::avp 8]
    }
}
738046-1 : SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby
Component: Local Traffic Manager
Symptoms:
For FastL4 connections, SERVER_CONNECTED currently doesn't fire on the standby device. If the standby device then becomes active, the first packet from the server on an existing FastL4 connection causes SERVER_CONNECTED to fire. Depending on what the iRule does in SERVER_CONNECTED, a variety of results can occur, including TMM coring due to commands being executed in unexpected states.
Conditions:
-- High availability configuration.
-- Mirrored FastL4 virtual server.
-- Attached iRule contains a SERVER_CONNECTED event.
Impact:
SERVER_CONNECTED does not fire when expected on standby device. When the standby device becomes active, the SERVER_CONNECTED iRule may cause TMM to core with traffic being disrupted while TMM restarts.
Workaround:
None.
738045-4 : HTTP filter complains about invalid action in the LTM log file.
Component: Local Traffic Manager
Symptoms:
Payload data is collected at the HTTP_REQUEST event and finishes collecting (HTTP::release) when the NAME_RESOLVED event occurs. On releasing, data is forwarded to the serverside, triggering the HTTP_REQUEST_SEND event.
When trying to raise HTTP_REQUEST_SEND, the iRule queues it and returns IN_PROGRESS, because the system is already in the process of running TCLRULE_NAME_RESOLVED. (Nested iRules: TCLRULE_NAME_RESOLVED -> TCLRULE_HTTP_REQUEST_SEND)
Due to the IN_PROGRESS status, tcp_proxy skips forwarding HUDCTL_REQUEST to the serverside, but not the subsequent payload. So the HTTP filter considers this an invalid action.
Conditions:
-- Standard virtual server with iRules attached (for example, using the following iRule on the virtual server):
when HTTP_REQUEST {
    # Hold the request payload until the name lookup completes.
    HTTP::collect
    NAME::lookup @10.0.66.222 "f5.com"
}
when NAME_RESOLVED {
    # Releasing here raises HTTP_REQUEST_SEND while NAME_RESOLVED is still running.
    HTTP::release
}
when HTTP_REQUEST_SEND {
    log local0. "Entering HTTP_REQUEST_SEND"
}
-- Client sends two HTTP POST requests.
-- After the first request, the connection is kept alive (for example, using the HTTP Connection header) so that the second request reuses the same connection.
Impact:
The second request gets reset, and the system logs errors in the LTM log file.
Workaround:
To avoid nested iRules in this instance, simply remove the HTTP_REQUEST_SEND from the iRule.
737901-3 : Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode
Component: TMOS
Symptoms:
On iSeries platforms, when a VLAN is attached to a vCMP guest, the management MAC address and the host VLAN MAC address will be the same.
Conditions:
-- Creating a VLAN on the host and attaching it to a vCMP guest.
-- iSeries platforms.
Impact:
The management MAC address is the same as the host VLAN MAC address, so the same MAC is used both for VLAN traffic originating from the vCMP host and for the host's management interface traffic. This can cause problems for anything that must distinguish management-port traffic from traffic-port traffic.
Workaround:
There is no workaround at this time.
737900-1 : mcpd might crash on an unlicensed system
Component: TMOS
Symptoms:
On an unlicensed system with a built-in iRule attached to a virtual server, mcpd might crash.
Conditions:
-- Unlicensed system (including as a result of the service agreement check date validation treating a license as invalid).
-- At least one built-in, system-supplied iRule is attached to a virtual server.
-- mcpd loads from the config files, such as when having just upgraded.
Impact:
On an unlicensed system, mcpd might crash repeatedly.
Workaround:
Perform the following procedure:
1. Reactivate the license on the system from the command-line, following the instructions in K2595: Activating and installing a license file from the command line :: https://support.f5.com/csp/article/K2595.
2. License the system.
Note: Running commands (e.g., tmsh show /sys hardware) on VIPRION systems while mcpd is down might fail or otherwise not work as expected.
737867-2 : Scheduled reports are being incorrectly displayed in different partitions
Component: Application Visibility and Reporting
Symptoms:
Scheduled analytics reports are listed regardless of the selected partition, but you can open only reports that belong to the selected partition; reports from other partitions, including Common, cannot be opened.
Conditions:
System configured with multiple partitions.
Impact:
This makes it difficult to modify reports that belong to a different partition.
Workaround:
Switch to the report's partition before editing it.
737863-2 : Advanced Filters for Captured Transactions not working on Multi-Blade Platforms
Component: Application Visibility and Reporting
Symptoms:
On multi-blade systems, when you navigate to System :: Logs : Captured Transactions, click Expand Advanced Filters, choose a filter, and click Update, the GUI reports a 'Could not get captured events' message.
Conditions:
-- Multi-blade systems.
-- AVR provisioned.
-- AVR HTTP Analytics Profile configured with 'Internal Traffic Capturing Logging Type' option enabled.
Impact:
The Captured Transactions filter does not work.
Workaround:
None.
737726-1 : If named is restarted and zrd is not restarted, ZoneRunner can lose contact with the DNS server daemon
Component: Global Traffic Manager (DNS)
Symptoms:
ZoneRunner displays the following error message when attempting to list resource records: No route to host.
Conditions:
-- named is restarted outside of the normal start up procedure.
-- zrd is not restarted.
Impact:
ZoneRunner cannot communicate with named, and thus cannot display resource records.
Temporary addresses are created on the loopback interface to facilitate communication between the zrd and named processes. When named is restarted, these temporary addresses are inadvertently removed.
Workaround:
Restart the zrd process using the following command:
bigstart restart zrd
737692-2 : Handle x520 PF DOWN/UP sequence automatically by VE
Component: TMOS
Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that is passed to the BIG-IP-VE). If an x520 device's PF is set down and then up, tmm does not recover traffic on that interface.
Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.
Impact:
VE does not process any traffic on that VF.
Workaround:
Reboot VE.
737536-3 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
Component: TMOS
Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|
The goal is to redistribute the default route received by OSPF process 1 (which peers with the Internet-facing router) into OSPF process 2, and to withdraw it from OSPF process 2 when it disappears (for example, when the Internet link goes down). 'default-information originate' is the right tool for this: as long as the default route from OSPF process 1 is in the routing table, it is redistributed into OSPF process 2, and once it is gone, OSPF process 2 immediately removes it from its routing table. However, enabling 'default-information originate' on OSPF process 2 has no effect, and the default route is not injected as it should be.
Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example (OSPF router 1 peers with the BIG-IP system's OSPF process 1; OSPF router 2 peers with its OSPF process 2):
***
OSPF 1:
router ospf 1
ospf router-id 10.13.0.7
redistribute ospf
network 10.13.0.0/16 area 0.0.0.1
default-information originate
OSPF 2:
router ospf 1
ospf router-id 10.14.0.5
redistribute ospf
network 10.14.0.0/16 area 0.0.0.1
BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
***
-- Enabling 'default-information originate' on BIG-IP OSPF process 2 should cause OSPF process 2 to advertise the default route learned by BIG-IP OSPF process 1, if one exists.
# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
default-information originate
Impact:
A default route from OSPF process 1 is not advertised into OSPF process 2 routing table.
Workaround:
None.
737529-3 : [GTM] load or save configs removes backslash \ from GTM pool member name
Component: Global Traffic Manager (DNS)
Symptoms:
GTM config fails to load, and posts an error similar to the following:
Syntax Error:(/config/bigip_gtm.conf at line: 47) the "create" command does not accept wildcard configuration identifiers
Conditions:
GTM server virtual server name contains a backslash (\) character.
Impact:
GTM config fails to load.
Workaround:
Edit bigip_gtm.conf manually and add the \ character.
Important: The system removes the \ (which results in further validation failures) in response to any of the following actions:
-- Load the GTM config.
-- Make changes to the GTM config, and you or the system saves it.
-- cpcfg operation.
-- Upgrade the system.
737500-1 : Apply Policy and Upgrade time degradation when there are previous enforced rules
Component: Application Security Manager
Symptoms:
When previously enforced rules are present in the system, the time to apply changes made to a policy, and the time to upgrade the configuration to a new version, both increase.
Conditions:
-- Signature Staging is enabled.
-- Updated Signature Enforcement is set to 'Retain previous rule enforcement and place updated rule in staging'.
-- Signatures are enforced on a policy.
-- A new ASM Signature Update is installed, which modifies the matching rule for some enforced signatures.
Impact:
The time to apply changes made to a policy, and the time to upgrade the configuration to a new version, suffer from an inefficient query related to the existence of previously enforced rules.
Workaround:
There is no workaround at this time.
737397-2 : User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP
Component: TMOS
Symptoms:
Unable to archive certificates or keys using GUI and iControlSOAP.
Conditions:
When the user is in Certificate Manager role.
Impact:
Unable to backup certificates or keys.
Workaround:
A user in the Certificate Manager role is still able to export the key and see its PEM string, so you can manually create an archive file by copying the PEM string into a file.
737379-1 : URLCAT doesn't work when we have uppercase characters in feedlist
Component: Traffic Classification Engine
Symptoms:
A URL does not get classified when there are uppercase characters in the feedlist.
Conditions:
Using uppercase characters in the feedlist.
Impact:
URL is not classified as expected.
Workaround:
There is no workaround at this time.
737368-2 : Fingerprint cookie large value may result in tmm core.
Component: Fraud Protection Services
Symptoms:
The JavaScript component calculates part of the fingerprint cookie value. In some rare cases, large values are generated and may result in tmm core.
Conditions:
A large value (more than 35 characters) inside the fingerprint cookie.
Impact:
Memory overrun, tmm core in some cases.
Workaround:
N/A
737355-2 : HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files
Component: Access Policy Manager
Symptoms:
HTTP Strict-Transport-Security (HSTS) headers are missing for some APM-generated files.
Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS enabled.
-- HTTP GET requests for APM renderer files, including CSS, JS, and image files from the webtop.
Impact:
Without these headers, the user agent (browser) may switch to non-secure communication.
Workaround:
None.
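Added example (not F5 code): an offline audit that flags responses without a Strict-Transport-Security header, or with an unusable one, so that gaps like the one described above can be caught across all files a webtop serves. The responses and paths are constructed, and the 180-day minimum max-age is an assumed policy threshold, not a value from this page.

```python
"""Audit HTTP responses for a missing or weak Strict-Transport-Security header.

Added example; not F5 code. It runs over constructed responses (request path
plus response headers) rather than fetching anything, so it is offline. The
paths are illustrative; the point is that every response served over TLS,
including static CSS/JS/image files, should carry HSTS.
"""


def parse_hsts(value):
    """Parse an HSTS header value (RFC 6797 section 6.1) into a dict.

    Directives are case-insensitive and ';'-separated; max-age is required.
    Returns {'max-age': int or None, 'includesubdomains': bool, 'preload': bool}.
    """
    result = {"max-age": None, "includesubdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            result["max-age"] = int(val)
        elif name in ("includesubdomains", "preload"):
            result[name] = True
    return result


def audit_responses(responses, min_max_age=15552000):
    """responses: list of (path, {header: value}) pairs. Returns findings.

    min_max_age defaults to 180 days (an assumed policy threshold).
    """
    findings = []
    for path, headers in responses:
        lowered = {k.lower(): v for k, v in headers.items()}
        hsts = lowered.get("strict-transport-security")
        if hsts is None:
            findings.append("%s: no Strict-Transport-Security header" % path)
            continue
        parsed = parse_hsts(hsts)
        if parsed["max-age"] is None:
            findings.append("%s: HSTS without max-age is invalid" % path)
        elif parsed["max-age"] < min_max_age:
            findings.append("%s: HSTS max-age %d below %d"
                            % (path, parsed["max-age"], min_max_age))
    return findings


# Constructed sample: the HTML page carries HSTS, the renderer files do not,
# and one image carries a max-age of 0 (which tells the browser to forget HSTS).
SAMPLE_RESPONSES = [
    ("/webtop/index.html", {"Content-Type": "text/html",
                            "Strict-Transport-Security": "max-age=16070400; includeSubDomains"}),
    ("/webtop/css/apm.css", {"Content-Type": "text/css"}),
    ("/webtop/js/session.js", {"Content-Type": "application/javascript"}),
    ("/webtop/images/logo.png", {"Content-Type": "image/png",
                                 "Strict-Transport-Security": "max-age=0"}),
]


def demo():
    return audit_responses(SAMPLE_RESPONSES)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A browser applies HSTS from any response on the host, so a single HTML page with the header is usually enough to protect the site; the audit is still worth running because the first response a client sees may be a cached static file.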
737346-2 : After entering username and before password, the logging on user's failure count is incremented.
Component: TMOS
Symptoms:
Listing login failures (i.e., using the following command: 'tmsh show auth login-failures') shows a failed login for the user who is currently logging in via console or SSH.
Conditions:
-- A user is logging in via console or SSH.
-- Between the time the system presents the password prompt and the user enters the password.
Note: This does not apply to GUI or iControl REST logins.
Impact:
If many logins for the same user get to this state simultaneously, it may be enough to exceed a specified lockout threshold, locking the user out.
Workaround:
There is no workaround other than using the GUI or iControl REST to log in to the system.
737064-1 : ACCESS::session iRule commands may not work in serverside events
Component: Access Policy Manager
Symptoms:
-- 'ACCESS::session sid' returns an empty value.
-- 'ACCESS::session data get <varname>' returns an empty value.
Conditions:
-- Using IP-based sessions
-- ACCESS::session iRule commands in a serverside iRule event, such as HTTP_PROXY_CONNECT.
-- Using SSL Bypass. Note: This issue is known to occur when using SSL Bypass, but this is not the only configuration that exhibits the problem.
Impact:
iRules may not work as expected.
Workaround:
There is no workaround at this time.
737055-1 : Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy
Component: TMOS
Symptoms:
When the BIG-IP management interface is accessed through a reverse proxy, you cannot log in to the Configuration Utility. Instead the system presents a blank page, because the Referer header carries the reverse proxy's IP address or hostname instead of the BIG-IP system's.
Conditions:
You are accessing the BIG-IP Configuration Utility through a reverse proxy.
Impact:
You are unable to log in to the Configuration Utility.
Workaround:
Configure the reverse proxy to place the IP address of the BIG-IP system in the Referer header.
734846-2 : Redirection to logon summary page does not occur after session timeout
Component: TMOS
Symptoms:
After a BIG-IP Administrator user session times out, the user is not automatically redirected to the logon summary page, despite being configured to do so.
Conditions:
-- The BIG-IP system is configured to redirect to the logon summary page immediately after logging in, using the following db variable:
ui.users.redirectsuperuserstoauthsummary = true
-- The BIG-IP Administrator users' session automatically times out.
Impact:
The system does not comply with government security requirements that BIG-IP Administrator users be sent automatically to the logon summary. BIG-IP Administrator users must manually navigate to the logon summary page.
Workaround:
Manually navigate to the logon summary page.
734836 : Network Map summary counts pool members more than once if they are shared across pools
Component: TMOS
Symptoms:
On the page at Local Traffic :: Network Map, in the summary view, the total number of pool members shows a larger number if there are pool members referenced by multiple pools.
Conditions:
-- Network Map summary view.
-- Pool members referenced by multiple pools.
Impact:
The pool member count in the summary is higher than the actual number of pool members, because of how the system counts a single pool member that is referenced in multiple pools.
Workaround:
There is no workaround at this time.
734316-1 : Per-Request Policy may require enabling SSL Forward Proxy Bypass
Component: Access Policy Manager
Symptoms:
For some SSL/TLS traffic, the per-request policy does not complete, leading to hanging connections and/or connection resets.
Conditions:
Reproducible with any forward proxy configuration involving per-request policies. This includes Secure Web Gateway (SWG) and SSL Orchestrator (SSLO).
To reproduce, the SSL Forward Proxy Bypass feature must be disabled in the client and server SSL profiles. This is equivalent to 'always intercept'.
Impact:
Policy execution may stall. Clients may experience hanging connections and/or connection resets.
Workaround:
Perform the following procedure:
1. Enable the SSL Forward Proxy Bypass feature in the client and server SSL profiles.
2. Set the default action to 'Intercept'.
734228 : False-positive illegal-length violation can appear
Component: Application Security Manager
Symptoms:
A false-positive illegal-length violation.
Conditions:
A chunked request where the request length is more than half of the configured max-request length.
Impact:
False-positive illegal-length violation.
Workaround:
Configure a higher maximum request length in the policy.
733585-4 : merged can use 100% of CPU if all stats snapshot files are in the future
Component: TMOS
Symptoms:
merged uses 100% of the CPU if it cannot remove the oldest snapshot file because all snapshot files have timestamps in the future.
Conditions:
-- All stats snapshot files have timestamps in the future.
-- The release includes the fix for ID 721740 but not the fix for this issue.
Impact:
merged uses 100% of the CPU.
Workaround:
Remove the snapshot stats files that have timestamps in the future, and then restart merged.
727467-2 : Some iSeries appliances can experience traffic disruption when the HA peer is upgraded from 12.1.3 and earlier to 13.1.0 or later.
Component: TMOS
Symptoms:
-- CPU core 0 can be seen utilizing 100% CPU.
-- Other even cores may show a 40% increase in CPU usage.
-- Pool monitors are seen flapping in /var/log/ltm.
-- System posts the following messages:
+ In /var/log/ltm:
- err tmm4[21025]: 01340004:3: HA Connection detected dissimilar peer: local npgs 1, remote npgs 1, local npus 8, remote npus 8, local pg 0, remote pg 0, local pu 4, remote pu 0. Connection will be aborted.
+ In /var/log/tmm:
- notice DAGLIB: Invalid table size 12
- notice DAG: Failed to consume DAG data
Conditions:
-- Active unit on a pre-12.1.3.1 release.
-- Standby peer upgraded to a 13.1.0 or later release.
-- Device is an iSeries device (i5600 or later).
Important: This issue may also affect iSeries HA peers on the same software version if the devices do not share the same model number.
Note: Although this also occurs when upgrading to 12.1.3.8 and 13.0.x, the issue is not as severe.
Impact:
- High CPU usage.
- Traffic disruption.
Workaround:
Minimize impact on affected active devices by keeping the upgraded post-13.1.0 unit offline as long as possible before going directly to Active.
For example, on a 12.1.3 unit to be upgraded (pre-upgrade):
-- Run the following command: tmsh run sys failover offline persist
-- Run the following command: tmsh save sys config
-- Upgrade to 13.1.0.8.
-- Unit comes back up on 13.1.0.8 as 'Forced Offline' and does not communicate with the active unit running 12.1.3 at all.
-- Set up HA group and make sure the 12.1.3 Active unit's HA score is lower than 13.1.0.8.
-- To cause the 13.1.0.8 unit to go directly to Active and take over traffic, run the following command on the unit running 13.1.0.8:
tmsh run sys failover online
At this point, the 12.1.3 unit starts to show symptoms of this issue, however, because it is no longer processing traffic, there is no cause for concern.
727297-2 : GUI TACACS+ remote server list should accept hostname
Component: TMOS
Symptoms:
Cannot add hostnames to the Remote - TACACS+ server list in the GUI.
Conditions:
-- On the System :: Users : Authentication page with Remote - TACACS+ specified.
-- Add hostname to the server list.
Impact:
Validation does not accept a hostname. Cannot add hostname as a server.
Workaround:
Use tmsh to add a hostname.
727288-2 : Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC
Component: Service Provider
Symptoms:
The Diameter message routing framework sends Capabilities-Exchange-Request (CER) and Device-Watchdog-Request (DWR) messages with both the Hop-by-Hop (h2h) identifier and the End-to-End (e2e) identifier set to 0 when it acts as the server.
Conditions:
Diameter Message Routing Framework (MRF) in use.
Impact:
The BIG-IP system sends CER and DWR to remote peers.
However, it sends these requests with e2e=0 and h2h=0, which does not comply with RFC 6733 (https://tools.ietf.org/html/rfc6733): the Hop-by-Hop identifier must be unique on the connection at any given time, and the End-to-End identifier must stay locally unique for at least 4 minutes.
Workaround:
Use a DIAMETER_EGRESS iRule event to set the Hop-by-Hop and End-to-End identifiers.
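As an added example (not F5 code and not the MRF implementation), the following Python builds Diameter request headers with identifiers generated the way RFC 6733 section 3 describes, and audits captured request headers for the all-zero identifiers described above. The constructed non-compliant headers reproduce the reported behaviour; command codes 257 (CER) and 280 (DWR) and the 20-byte header layout are from the RFC.

```python
"""Diameter header builder, parser and identifier audit per RFC 6733 section 3.

Added example; not F5 code and not the BIG-IP MRF implementation. It shows
what compliant Hop-by-Hop and End-to-End identifiers look like and flags the
all-zero identifiers described in this ID in captured request headers.
"""
import os
import struct
import time

DIAMETER_VERSION = 1
HEADER_LEN = 20
FLAG_REQUEST = 0x80
CMD_CER = 257  # Capabilities-Exchange-Request
CMD_DWR = 280  # Device-Watchdog-Request
HEADER_FMT = "!B3sB3sIII"  # version, length, flags, command, app-id, h2h, e2e


class IdGenerator:
    """Produces identifiers for one Diameter connection.

    Hop-by-Hop: must be unique on the connection at any time; a counter that
    increases monotonically from a random start satisfies that.
    End-to-End: upper 12 bits are the low 12 bits of the current time, low
    20 bits start random and then count up, so the value stays locally
    unique for well over the 4 minutes the RFC requires.
    """

    def __init__(self, now=None, h2h_seed=None, e2e_random=None):
        self._h2h = struct.unpack("!I", os.urandom(4))[0] if h2h_seed is None else h2h_seed
        t = int(time.time() if now is None else now)
        rnd = struct.unpack("!I", os.urandom(4))[0] if e2e_random is None else e2e_random
        self._e2e = ((t & 0xFFF) << 20) | (rnd & 0xFFFFF)

    def next_h2h(self):
        self._h2h = (self._h2h + 1) & 0xFFFFFFFF
        if self._h2h == 0:  # never emit the degenerate zero value
            self._h2h = 1
        return self._h2h

    def next_e2e(self):
        self._e2e = (self._e2e + 1) & 0xFFFFFFFF
        if self._e2e == 0:
            self._e2e = 1
        return self._e2e


def build_request(cmd_code, app_id, ids, avps=b""):
    """Build a request message; AVPs are passed pre-encoded (empty here)."""
    length = HEADER_LEN + len(avps)
    header = struct.pack(HEADER_FMT, DIAMETER_VERSION, length.to_bytes(3, "big"),
                         FLAG_REQUEST, cmd_code.to_bytes(3, "big"), app_id,
                         ids.next_h2h(), ids.next_e2e())
    return header + avps


def parse_header(data):
    """Decode the fixed 20-byte Diameter header into a dict."""
    if len(data) < HEADER_LEN:
        raise ValueError("short Diameter header")
    version, length, flags, command, app_id, h2h, e2e = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != DIAMETER_VERSION:
        raise ValueError("unsupported Diameter version %d" % version)
    return {"length": int.from_bytes(length, "big"), "request": bool(flags & FLAG_REQUEST),
            "command": int.from_bytes(command, "big"), "app_id": app_id, "h2h": h2h, "e2e": e2e}


def audit_connection(messages):
    """Audit request headers captured on one connection; returns findings."""
    findings = []
    seen_h2h = set()
    for i, data in enumerate(messages):
        h = parse_header(data)
        if not h["request"]:
            continue
        tag = "msg %d (command %d)" % (i, h["command"])
        if h["h2h"] == 0:
            findings.append(tag + ": hop-by-hop id is 0")
        elif h["h2h"] in seen_h2h:
            findings.append(tag + ": hop-by-hop id %#x reused on this connection" % h["h2h"])
        seen_h2h.add(h["h2h"])
        if h["e2e"] == 0:
            findings.append(tag + ": end-to-end id is 0")
    return findings


def zero_id_request(cmd_code):
    """Constructed header reproducing the behaviour described in this ID."""
    return struct.pack(HEADER_FMT, DIAMETER_VERSION, HEADER_LEN.to_bytes(3, "big"),
                       FLAG_REQUEST, cmd_code.to_bytes(3, "big"), 0, 0, 0)


def demo():
    ids = IdGenerator()
    good = [build_request(CMD_CER, 0, ids), build_request(CMD_DWR, 0, ids)]
    bad = [zero_id_request(CMD_CER), zero_id_request(CMD_DWR)]
    return audit_connection(good), audit_connection(bad)


if __name__ == "__main__":
    print(demo())
```

The audit also catches a reused Hop-by-Hop identifier on one connection, which is the practical consequence of the all-zero behaviour: a peer cannot tell which outstanding request an answer belongs to.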
727212-2 : Subscriber-id query using full length IPv6 address fails.
Component: Carrier-Grade NAT
Symptoms:
FW NAT / CGNAT modules query the subscriber ID using IPv6 address. If the query is done using the IPv6 mask, under some circumstances the query fails.
Conditions:
The network is using an IPv6 mask other than 128, and subscribers are created using the masked IP address as the key. If the NAT module uses the complete IP address as the query key, the subscriber is not found.
Impact:
Logs contain UNKNOWN subscriber-id.
Workaround:
There is no workaround at this time.
726900 : Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters
Component: Local Traffic Manager
Symptoms:
Virtual server may attempt to use syncookies on first SYN packet rather than allowing the connection to pass through to the real server.
Conditions:
Modifying a virtual server (CLI/iControl/GUI) to switch from FastL4 or TCP profiles to an 'ip-other' profile.
Impact:
The configured 'ip-other' virtual server will fail to accept all traffic. For example, a TCP or a UDP flow which should have been accepted and processed by the 'ip-other' virtual server will be dropped incorrectly, trying to enforce 'Syn Cookie' validation.
Workaround:
When switching a virtual server profile from FastL4/TCP to the 'ip-other' profile, delete the virtual server and then re-add it with the 'ip-other' profile.
726872-1 : IApp LX directory disappears after upgrade or restoring from ucs★
Component: iApp Technology
Symptoms:
After a BIG-IP version upgrade or a restore from UCS, the iApps :: Application Services : Applications LX screen displays instances of iApps LX, but their UI is not functional. This is caused by a software defect that removes the iApp LX directory from /var/config/rest/iapps.
Conditions:
This issue can happen only during the initial start after a BIG-IP version upgrade or a restore from UCS. The more iApps LX instances there are, and the more configuration they use, the more likely this issue is to happen. It has been observed with 90+ instances of the f5-ddos-hybrid-defender iApp LX.
Impact:
The iApp LX code is removed from the system, which makes the iApp LX UI unusable. The configuration deployed by the iApp LX instances remains in effect, and the iApp LX configuration data remains intact; the UI can be completely restored by manually reinstalling the iApp LX code.
Workaround:
1. Copy iAppLX code from an unaffected BIG-IP to the BIG-IP impacted by this defect. For example,
/var/config/rest/iapps/f5-ddos-hybrid-defender.
2. Create a symlink to UI code for UI to work. For example,
ln -sfvn /var/config/rest/iapps/f5-ddos-hybrid-defender/presentation /var/iapps/www/f5-ddos-hybrid-defender
3. Restart restjavad:
bigstart restart restjavad
4. Restart restnoded:
bigstart restart restnoded
726852-1 : AVR inject CSPM event when there is no analytics profile on the virtual server
Component: Application Visibility and Reporting
Symptoms:
When there is a request for page load time in the analytics profile, and changes to the configuration remove the analytics profile, AVR will continue to inject the Client Side Performance Monitoring (CSPM) cookie.
Conditions:
-- Request for page-load-time statistic.
-- The analytics profile has been removed from the virtual server.
Impact:
Page-load-time cookie is injected when it should not be.
Workaround:
Uncheck the page-load-time checkbox before removing the profile from the virtual server.
726734-3 : DAGv2 port lookup stringent may fail
Component: Local Traffic Manager
Symptoms:
Under certain circumstances tmm might not be able to find a local port, and the connection may fail. This happens, for example, for active FTP with mirroring enabled.
Conditions:
Active FTP with mirroring enabled.
Impact:
Connection cannot get established.
Workaround:
There is no workaround other than to disable mirroring.
726616-2 : TMM crashes when a session is terminated
Component: Access Policy Manager
Symptoms:
TMM crashes when it is releasing the memory used by a session that is terminated. Either one of the following error messages might appear in the TMM log:
-- notice panic: ../kern/umem.c:4166: Assertion "valid type" failed.
-- notice panic: ../kern/page_alloc.c:705: Assertion "vmem_hashlist_remove not found" failed.
Conditions:
The memory used by a session is corrupted during the lifetime of the session. This issue happens infrequently.
Impact:
TMM restarts, causing service interruption if the BIG-IP system is not part of a high-availability setup.
Workaround:
There is no workaround at this time.
726487-3 : VIPRION secondary MCPD, Node Name encodes IP address which differs from supplied
Component: TMOS
Symptoms:
MCPD on secondary blade of VIPRION exits and restarts, logging errors similar to the following:
-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.
-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.
Conditions:
-- VIPRION platform.
-- Non-primary blade.
-- Modified default route domain for a partition.
-- Deleting and creating pool members during configuration save from a different client.
Impact:
Failovers and traffic degradation while blade restarts.
Workaround:
There is no workaround other than not to delete/create pool members from a different client while saving configuration changes in another client.
726303-2 : Unlock 10 million custom db entry limit
Component: Traffic Classification Engine
Symptoms:
Cannot add more than 10 million custom db entries.
Conditions:
This happens when you try to add more than 10 million custom db entries.
Impact:
Not able to add more than 10 million entries.
Workaround:
There is no workaround at this time.
726266-1 : Virtual-wire is not supported on un-tagged VLANs.
Component: Local Traffic Manager
Symptoms:
Virtual-wire is not supported on un-tagged packets. When configuring a virtual-wire on un-tagged VLANs, the BIG-IP system does not forward packets in virtual-wire.
Conditions:
A virtual-wire configured on un-tagged VLANs.
Impact:
Traffic is not forwarded in virtual-wire.
Workaround:
There is no workaround other than using virtual-wire only with tagged VLANs.
726232-3 : iRule drop/discard may crash tmm
Component: Local Traffic Manager
Symptoms:
TMM crashes after an iRule attempts to drop a packet.
Conditions:
Virtual server with UDP profile, and following iRule:
when LB_SELECTED {
drop
# discard - drop is the same as discard
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
726154-3 : TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies
Component: Advanced Firewall Manager
Symptoms:
TMM might restart when changing firewall or NAT configurations on a virtual server that has the same name as a route domain.
Conditions:
- There is a virtual server and a route-domain that have the same name in the configuration.
- A firewall or NAT policy is being attached or removed from one or both of the virtual server or route-domain.
Impact:
TMM might halt and traffic processing temporarily ceases. TMM restarts and traffic processing resumes.
Workaround:
There is no workaround other than not to use the same name for virtual server and route-domain objects.
726090 : No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense
Component: Advanced Firewall Manager
Symptoms:
Device ID challenges are not logged in the Bot Defense Request Log (local and remote) when associating the Bot Defense logging profile to the virtual server.
Conditions:
-- Device ID is enabled on the ASM Policy.
-- DoS profile with Proactive Bot Defense is not associated with the virtual server.
Impact:
There are no logs to show the browser challenges and the requests from clients that do not support JavaScript.
Workaround:
There is no workaround at this time.
726011-3 : PEM transaction-enabled policy action lookup optimization to be controlled by a sys db
Component: Policy Enforcement Manager
Symptoms:
There is no way to disable optimization if time-based actions are enabled in the PEM policy and a statistical transaction-based action enforcement is desired.
Conditions:
If the PEM classification tokens do not change.
Impact:
Time-based actions such as insert content may not get applied to such flows.
Workaround:
None.
725867-1 : ADFS proxy does not fetch configuration for non-floating virtual servers
Component: Access Policy Manager
Symptoms:
If the virtual address of a virtual server has a non-floating traffic group (e.g., traffic-group-local-only), ADFS proxy does not perform periodic configuration updates, including listing allowed URIs from ADFS, and thus blocks all the requests (by responding with 404).
Conditions:
-- Virtual address of virtual server has non-floating traffic group.
-- ADFS proxy feature is enabled on the virtual server.
Impact:
All the requests to ADFS are blocked.
Workaround:
Set floating traffic group for virtual address (e.g., traffic-group-1).
725840-1 : Customization group object is not deleted when SAML resource object is deleted
Component: Access Policy Manager
Symptoms:
Customization group object for the corresponding SAMLResource object is in the configuration store, even after SAMLResource is deleted in GUI/TMSH.
Conditions:
-- Customization Object is in the configuration store.
-- Delete the SAMLResource.
Impact:
There is no functional impact, but additional configuration objects exist in the configuration store.
Workaround:
Delete the customization group object manually in TMSH.
The BIG-IP system administrator can delete those customization groups if the corresponding SAML resources are deleted or do not exist in the configuration.
The command 'list apm policy customization-group' lists all the customization groups. The SAML-specific customization groups are named after the SAML resource, with the literal suffix '_resource_saml_customization' appended to the resource name.
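The cleanup above is easy to get wrong by hand when there are many resources. The following script is an added example, not F5 code: it takes the text of 'tmsh list apm policy customization-group one-line' and 'tmsh list apm resource saml one-line', pairs each '_resource_saml_customization' group with its resource by name, and prints a delete command for every group whose resource no longer exists. The exact one-line layout is an assumption (only the object header 'apm <kind> <name>' is parsed), the sample output is constructed, and objects printed without a partition prefix are assumed to live in /Common.

```python
"""Find APM customization groups left behind by deleted SAML resources."""
import re

SUFFIX = "_resource_saml_customization"
# Object header of one-line tmsh output, e.g.
#   apm policy customization-group /Sales/x_resource_saml_customization { ... }
OBJ_RE = re.compile(r"^apm (policy customization-group|resource saml) (\S+)")


def full_path(name, partition="/Common"):
    """tmsh prints objects in the current partition without a path prefix (assumption)."""
    return name if name.startswith("/") else f"{partition}/{name}"


def object_names(tmsh_output):
    """Return the full paths of every object in a 'list ... one-line' dump."""
    names = []
    for line in tmsh_output.splitlines():
        match = OBJ_RE.match(line.strip())
        if match:
            names.append(full_path(match.group(2)))
    return names


def orphaned_saml_groups(group_output, saml_output):
    """Groups with the SAML suffix whose resource is missing from the SAML listing."""
    live_resources = set(object_names(saml_output))
    orphans = []
    for group in object_names(group_output):
        if not group.endswith(SUFFIX):
            continue  # connectivity-profile and other groups are out of scope
        resource = group[: -len(SUFFIX)]
        if resource not in live_resources:
            orphans.append(group)
    return orphans


def delete_commands(orphans):
    """tmsh commands to run, one per orphaned group."""
    return [f"tmsh delete apm policy customization-group {group}" for group in orphans]


# Constructed sample output: sp-app1 still exists, /Sales/portal was deleted,
# and the connectivity-profile group must be left alone.
GROUPS_SAMPLE = """\
apm policy customization-group sp-app1_resource_saml_customization { description "sample" }
apm policy customization-group /Sales/portal_resource_saml_customization { description "sample" }
apm policy customization-group conn-prof_secure_access_client_customization { description "sample" }
"""
SAML_SAMPLE = """\
apm resource saml sp-app1 { description "sample" }
"""

if __name__ == "__main__":
    for command in delete_commands(orphaned_saml_groups(GROUPS_SAMPLE, SAML_SAMPLE)):
        print(command)
```

Run the two tmsh commands on the device, save their output, and feed the text to orphaned_saml_groups; review the printed commands before running them, since a group whose resource lives in a partition you did not list would also show up as orphaned.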
725791-5 : Potential HW/HSB issue detected
Component: TMOS
Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.
A burst of CRC errors in the SRAM used for the ePVA transformation cache does not trigger a failover and causes a silent traffic outage on FastL4 virtual servers with hardware acceleration. This is because the health-check watchdog packets still function correctly, and the current TMOS software primarily monitors watchdog packet tx/rx failures to trigger failover.
In these cases, there might be the following messages in /var/log/tmm*:
Device error: hsb_lbb* tre2_crc_errs count *
Conditions:
Traffic is offloaded to HSB hardware for acceleration.
Impact:
Hardware accelerated traffic drop.
Workaround:
Switch traffic to software acceleration.
724679-1 : Non-attacking IP addresses could be logged along with attacking IP addresses when DoS detects an attack
Component: Advanced Firewall Manager
Symptoms:
During an attack, MySQL might log IP addresses that are not part of an attack along with the IP addresses that are part of the attack.
Conditions:
This occurs when the system detects a BadEndpoint attack.
Impact:
The system might log messages related to IP addresses that are not part of the attack; those entries may be ignored.
Workaround:
None.
724532-3 : SIG SEGV during IP intelligence category match in TMM
Component: Advanced Firewall Manager
Symptoms:
TMM restart while matching traffic from source IP to IP Intelligence category.
Conditions:
Multiple configuration changes that include deleting the custom IP intelligence categories.
Impact:
TMM restart. Traffic disrupted while tmm restarts.
Workaround:
None.
724414-1 : ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled
Component: Application Security Manager
Symptoms:
When ASM inspects WebSocket frames, the bd daemon leaks memory; eventually ASM stops inspecting traffic and either resets connections or bypasses requests.
Conditions:
-- ASM module is provisioned.
-- ASM policy and WebSocket profile are attached to a virtual server.
-- WebSocket URL has JSON profile attached to it.
-- JSON profile has parse parameters flag enabled (this is the default).
Impact:
ASM may reset connections; failover might occur.
Workaround:
There are two workarounds:
-- Remove JSON profile from WebSocket URL in the ASM policy.
-- Disable parse parameters flag in the json profile.
724032-2 : Searching Request Log for value containing backslash does not return expected result
Component: Application Security Manager
Symptoms:
Searching within Request Log for a value containing backslash does not return the expected result. This happens because escaping of backslashes in REST API access is handled differently with 'eq' and 'contains' filters.
Conditions:
Searching within Request Log for a value containing backslash.
Impact:
Search within Request Log record containing backslash does not return the expected result.
Workaround:
Backslashes in REST API requests should be doubled when searching using 'contains' filter, but must not be doubled when searching with 'eq' filter.
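Because the two operators need different escaping, it is worth putting the rule in one helper rather than remembering it at each call site. The following is an added example, not F5 code: it builds the Request Log filter expression, doubling backslashes only for 'contains', and URL-encodes it into a query string. The endpoint path and the 'uri' field name are assumptions about the ASM events REST interface; substitute the field you actually search on. Only backslash escaping is covered, since that is the behaviour this issue describes.

```python
"""Build an ASM Request Log REST filter for a value containing backslashes."""
from urllib.parse import quote

REQUEST_LOG_PATH = "/mgmt/tm/asm/events/requests"  # assumed endpoint path


def escape_filter_value(value, op):
    """Apply the per-operator backslash rule described in this issue."""
    if op == "contains":
        return value.replace("\\", "\\\\")  # each backslash is sent doubled
    if op == "eq":
        return value  # doubling here would make the 'eq' match fail
    raise ValueError(f"unsupported filter operator: {op}")


def filter_expression(field, op, value):
    """Return the $filter expression, e.g. uri contains 'C:\\\\temp\\\\x'."""
    return f"{field} {op} '{escape_filter_value(value, op)}'"


def request_log_url(field, op, value, base="https://bigip.example.net"):
    """Full URL; the expression is percent-encoded so the HTTP client sends it verbatim."""
    expression = filter_expression(field, op, value)
    return f"{base}{REQUEST_LOG_PATH}?$filter={quote(expression, safe='')}"


if __name__ == "__main__":
    # Constructed search value: a Windows path seen in a logged request.
    needle = r"C:\temp\evil.exe"
    for op in ("contains", "eq"):
        print(request_log_url("uri", op, needle))
```

The 'contains' URL carries '%5C%5C' for every backslash in the value and the 'eq' URL carries a single '%5C'; if a search returns nothing, compare the encoded query against these two forms before suspecting the log itself.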
723988-1 : IKEv1 phase2 key length can be changed during SA negotiation
Component: TMOS
Symptoms:
Using IKEv1, if phase2 key length does not agree on both sides, a responder accepts whatever the initiator proposes as key length, but only after an initiator is authenticated. This results in key length downgrade or upgrade at a trusted peer's request, because the IKEv1 daemon was configured to obey the other peer's key length request.
Conditions:
The values of ike-phase2-encrypt-algorithm on both sides agree on the encryption algorithm but differ in key length; for example, the initiator proposes AES128 when the responder expects AES256.
Impact:
The responder accepts AES128 anyway. Although phase1 key length must be an exact match, when phase2 key length does not match, this allows an initiating peer to change the key length a responder uses, thus changing the strength configured by that responder.
Workaround:
No workaround is known at this time.
723658-2 : TMM core when processing an unexpected remote session DB response.
Component: Carrier-Grade NAT
Symptoms:
Using CGNAT or FW-NAT on a cluster may cause a TMM core if there are intra-cluster communication issues that cause CMP state transitions.
The system writes messages to /var/log/tmm* similar to the following:
notice CDP: exceeded 1/2 timeout for PG 1
notice CDP: PG 1 timed out
notice CDP: New pending state 0f -> 0d
notice Immediately transitioning dissaggregator to state 0xd
notice cmp state: 0xd
notice CDP: New pending state 0d -> 0f
...
notice cmp state: 0xf
notice CDP: exceeded 1/2 timeout for PG 1
Conditions:
-- An LSN pool or FW-NAT source translation that has persistence enabled.
-- Intra-cluster communication issues that cause CMP state transitions.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
723306-2 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
Component: Local Traffic Manager
Symptoms:
Loading a correct configuration with 'tmsh load /sys config' fails with an error similar to the following:
01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
Unexpected Error: Loading configuration process failed.
Conditions:
Creating an internal virtual server when a 0.0.0.0 virtual address exists in another partition.
Impact:
The configuration cannot be loaded once the internal virtual server has been created.
Workaround:
Create the internal virtual server first; then create the 0.0.0.0 address in the other partition.
723288-1 : DNS cache replication between TMMs does not always work for net dns-resolver
Component: Global Traffic Manager (DNS)
Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.
Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.
Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.
Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.
Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)
723095-3 : Add record type breaks commands 'modify gtm pool type all'; errors on nonexistent pool
Component: Global Traffic Manager (DNS)
Symptoms:
tmsh command returns an error similar to the following message:
01070227:3: Pool Member references a nonexistent Pool (/Common/poolname of type NAPTR)
Conditions:
Changing the record type on GTM pool members by running the following command: tmsh modify gtm pool type all members add.
Impact:
Unable to add pool members quickly to all pools of the same type.
Workaround:
There is no workaround at this time.
722862 : ASM CAPTCHA sends non url-encoded payload when captcha is submitted by pressing 'Enter'
Component: Application Security Manager
Symptoms:
When an end user receives the ASM CAPTCHA page, types the correct CAPTCHA letters, and presses the 'Enter' key rather than clicking the Submit button, the CAPTCHA letters are sent to the BIG-IP system along with the other request parameters. These additional parameters are forwarded to the backend server non-url-encoded when they should be url-encoded.
Conditions:
This occurs when the following conditions are met:
-- ASM provisioned.
-- DoS application or ASM policy attached to a virtual server.
-- DoS application or ASM policy has CAPTCHA enabled.
-- User submits the CAPTCHA form using the 'Enter' key.
Impact:
Application receives unexpected content, which might cause the backend server's application business logic to not work as expected.
Workaround:
Disable CAPTCHA within the DoS application or ASM policy.
722741-2 : Damaged tmm dns db file causes zxfrd/tmm core
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd/tmm cores on startup.
Conditions:
Damaged tmm dns db file.
Impact:
System remains in a tmm-restart loop caused by tmm opening a corrupted tmmdns.bin on startup and segfaulting. Traffic disrupted while tmm restarts.
Workaround:
Delete the damaged db files.
722734-2 : 'No Access' error when viewing properties page of a GTM Pool member whose name includes a partition that does not exist on that BIG-IP system.
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system posts a 'No Access' error message instead of the GTM Pool member's properties.
Conditions:
-- At least two BIG-IP systems in a sync group.
-- One of the BIG-IP systems has a partition that does not exist on the other, with a GTM Pool member on that partition.
-- The issue occurs when a GSLB Server discovers that GTM Pool member and displays it on its properties page.
Note: This same error message displays for GSLB Server's virtual server properties accessed by navigating to GSLB :: servers :: [server] :: virtual servers :: [virtual server]. The differing issues have been fixed in differing releases. You can find information about the similar issue in the AskF5 Bug Tracker article for 710032.
Impact:
It makes the GSLB pool member's properties page unavailable in this case.
Workaround:
Use either of the following workarounds:
-- Use TMSH to view or edit the properties of that GTM Pool member.
-- Create partitions on the GTM device to match those appearing to be referenced in the object names.
722534-2 : load sys config merge not supported for iRulesLX
Component: Local Traffic Manager
Symptoms:
iRulesLX configurations are (for the most part) contained in the file system, rather than the 'traditional' BIG-IP config files. An attempt to merge configurations containing iRulesLX using the tmsh command 'load sys config merge' options fails with an error similar to the following:
# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ilx plugin test-plugin {
from-workspace test-ws
}
Validating configuration...
Unexpected Error: "basic_string::at"
Conditions:
The configuration being merged contains iRulesLX.
Impact:
The merge will fail with the error: Unexpected Error: "basic_string::at". The previous configuration will continue to work.
Workaround:
There is no workaround at this time for merging iRulesLX configuration. If the iRulesLX configuration is removed from the configuration to be merged, the merge will work.
722423-2 : Analytics agent always resets when Category Lookup is of type custom only
Component: Access Policy Manager
Symptoms:
Analytics errors out with a log that says you cannot use custom lookup only along with analytics (/var/log/apm). Even if the Analytics agent is set to disable RST on failure, the agent will send a RST.
Conditions:
In the per-request policy, Category Lookup agent is set to custom lookup only.
Impact:
With this configuration the Analytics agent sends a RST even when 'RST on Failure' is disabled. The BIG-IP Admin cannot choose to disable RST on failure for this particular setup (even though it is a misconfiguration).
Workaround:
You can avoid the RST and error by modifying the configuration to use a standard category lookup before the analytics agent.
Using a custom-only 'Category Lookup' immediately followed by 'Response Analytics' is not a valid configuration. In this configuration, Analytics cannot run the way it is supposed to because it does not have the right information. 'Response Analytics' gives the option to choose what to do on error: RST, or continue on, implying that the non-RST option is valid. If the admin chooses to not reset, the system should log the error and continue. In this case, the system actually does send a RST, even though the RST is not what the BIG-IP admin intended to configure.
722380-1 : The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
Component: TMOS
Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then TMM panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On these platforms, the reboot occurs before the core file is fully written, resulting in a truncated core.
Conditions:
An HSB lockup occurs on an i10600 or i10800 platform, triggering a core dump and a nic_failsafe reboot.
Impact:
The reboot happens after the core dump begins but before it completes, resulting in a truncated core dump, which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.
Workaround:
None.
722294-1 : Reported session ID keeps changing for the same user session when ASM doesn't track sessions
Component: Application Security Manager
Symptoms:
A reported session ID is not maintained for the same user session.
Conditions:
-- Simple, feature-less policy (i.e., policy contains only attack signatures).
-- There are no cookies coming in from the server.
Impact:
The TS cookie is not created since there is no cookie-enforcing feature that is turned on (such as session tracking). Although this is correct behavior, it might result in confusion when there is a different, random session ID on each request.
Workaround:
Turn on a cookie-related feature (such as session tracking).
722013-2 : MCPD restarts on all secondary blades post config-sync involving APM customization group
Component: Access Policy Manager
Symptoms:
After performing a series of specific config-sync operations between multi-blade systems, the MCPD daemon restarts on all secondary blades of one of the systems.
Each affected blade will log an error message similar to the following example:
-- err mcpd[5038]: 01070711:3: Caught runtime exception, Failed to collect files (snapshot path () req (7853) pmgr (7853) not valid msg (create_if { customization_group { customization_group_name "/Common/Test-A_secure_access_client_customization" customization_group_app_id "" customization_group_config_source 0 customization_group_cache_path "/config/filestore/files_d/Common_d/customization_group_d/:Common:Test-A_secure_access_client_customization_66596_1" customization_group_system_path "" customization_group_is_system 0 customization_group_access 3 customization_group_is_dynamic 0 customization_group_checksum "SHA1:62:fd61541c1097d460e42c50904684def2794ba70d" customization_group_create_time 1524643393 customization_group_last_update_time 1524643393 customization_group_created_by "admin" customization_group_last_updated_by "admin" customization_group_size 62 customization_group_mode 33188 customization_group_update_revision 1
Conditions:
This issue occurs when all of the following conditions are met:
- You have configured a device-group consisting of multi-blade systems (such as VIPRION devices or vCMP guests).
- Systems are provisioned for APM.
- The device-group is configured for incremental manual synchronizations.
- On one system (for example, source_system), you create an APM configuration object (for example, a connectivity profile) that causes the automatic creation of an associated customization group.
- You synchronize the configuration from the source_system to the device-group.
- On the source_system, you create a new configuration object of any kind (for example, an LTM node).
- Instead of synchronizing the newest configuration to the device-group, you synchronize the configuration from another device in the device-group to the source_system (which effectively undoes your recent change).
- The MCPD daemon restarts on all secondary blades of the source_system.
Impact:
While the MCPD daemon restarts, the blade is offline, and many other BIG-IP daemons need to restart along with MCPD.
-- If the source_system is Active, the load capacity of the system temporarily decreases proportionally to the number of blades restarting. Additionally, if the systems use the min-up-members or HA-Group features, losing a certain number of secondary blades may trigger a failover.
-- If the source_system is Standby, some of the previously mirrored information may become lost as TMM on secondary blades restarts along with MCPD. Should this system later become the Active system, traffic may be impacted by the lack of previously mirrored information.
Workaround:
None.
721752-3 : Null char returned in REST for Suggestion with more than MAX_INT occurrences
Component: Application Security Manager
Symptoms:
Unable to view ASM event log details for a majority of violations.
Conditions:
Suggestion with more than MAX_INT (2,147,483,647) occurrences.
Impact:
Null char returned in REST for Suggestion with more than MAX_INT occurrences.
Workaround:
Use the following SQL command:
UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647 where occurrence_count < 0;
721579-2 : LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing
Component: Carrier-Grade NAT
Symptoms:
When checking persistence TTL by using 'lsndb list all', TTL for 'LSN Persistence Entries' and Age for 'LSN Inbound Mapping Entries' are reset once at around the halfway point of the persistence timeout, even though there is no traffic.
Conditions:
-- LSN with persistence timeout configured.
-- Using the following command: lsndb list all.
Impact:
lsndb shows misleading stats.
Workaround:
There is no workaround at this time.
721399-1 : Signature Set cannot be modified to Accuracy = 'All' after another value
Component: Application Security Manager
Symptoms:
ASM Signature Set cannot be modified to Accuracy = 'All' after another value was used previously.
Conditions:
-- ASM Signature Set has a value set for Accuracy filter.
-- Accuracy is subsequently set to 'All'.
Impact:
The change to Accuracy = 'All' does not take effect. ASM Signature Set cannot be modified to Accuracy = 'All'.
Workaround:
You can use either of the following workarounds:
-- Delete and re-create the Signature Set with the desired value.
-- Modify the filter to a value that will match all results (such as Accuracy is greater than or equal to 'Low').
721350-3 : The size of the icrd_child process is steadily growing
Component: TMOS
Symptoms:
The resident segment size (rss) for the icrd_child process continues to increase on issuing iCR GET requests. This increase is permanent and the rss does not drop back to its original size.
Conditions:
The following is an example config under which this issue occurs. Note this is an illustrative example; the actual issue might occur for various config objects.
GET tm/ltm/virtual?expandSubcollections=true wherein the virtual has some profiles associated with it.
ltm pool p-http { }
ltm virtual novel-1000 {
...
pool p-http
profiles {
analytics { }
http { }
tcp { }
}
....
}
# tmctl proc_pid_stat 'proc_name=icrd_child' -s proc_name,ppid,vsize,rss
On subsequent GET requests the rss size continues to increase.
Impact:
Increase in the rss of the icrd_child process. This increase could lead to icrd_child core or swapping of processes into the rss due to limited memory left for other processes.
Workaround:
There is no workaround.
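To tell this leak apart from ordinary RSS fluctuation, sample the tmctl command above after each GET and check the trend rather than a single reading. The following is an added example, not F5 code: it parses tmctl's table output and reports a suspected leak only when the icrd_child RSS never drops across the samples and finishes above where it started. The samples are constructed and only approximate tmctl's layout (a header row, a dashed separator, then data rows); the parser keys columns by the header names so column order does not matter.

```python
"""Check whether icrd_child RSS keeps growing across iControl REST GETs."""


def parse_tmctl_table(text):
    """Turn tmctl column output into a list of dicts keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        if set(line.strip()) <= {"-", " "}:
            continue  # dashed separator under the header
        rows.append(dict(zip(header, line.split())))
    return rows


def rss_of(text, proc_name="icrd_child"):
    """RSS of the named process in one tmctl sample."""
    for row in parse_tmctl_table(text):
        if row.get("proc_name") == proc_name:
            return int(row["rss"])
    raise LookupError(f"{proc_name} not found in tmctl output")


def steadily_growing(values, min_samples=3):
    """True when the series never drops and ends above where it started."""
    if len(values) < min_samples:
        return False  # too few samples to call a trend
    never_drops = all(later >= earlier for earlier, later in zip(values, values[1:]))
    return never_drops and values[-1] > values[0]


# Constructed samples: four runs of
#   tmctl proc_pid_stat 'proc_name=icrd_child' -s proc_name,ppid,vsize,rss
# taken after successive GET tm/ltm/virtual?expandSubcollections=true calls.
SAMPLES = [
    "proc_name   ppid  vsize       rss\n"
    "----------  ----  ----------  --------\n"
    "icrd_child  5412  1290481664  98304000\n",
    "proc_name   ppid  vsize       rss\n"
    "----------  ----  ----------  --------\n"
    "icrd_child  5412  1290481664  99532800\n",
    "proc_name   ppid  vsize       rss\n"
    "----------  ----  ----------  --------\n"
    "icrd_child  5412  1294675968  101040128\n",
    "proc_name   ppid  vsize       rss\n"
    "----------  ----  ----------  --------\n"
    "icrd_child  5412  1294675968  102400000\n",
]


def leak_suspected(samples=SAMPLES):
    """Apply the trend check to the icrd_child RSS in each sample."""
    return steadily_growing([rss_of(sample) for sample in samples])


if __name__ == "__main__":
    print("icrd_child RSS:", [rss_of(s) for s in SAMPLES])
    print("leak suspected:", leak_suspected())
```

On a live system, issue the GET in a loop, capture the tmctl output between iterations, and pass the list of captures to leak_suspected; a series that drops back at any point is normal allocator behaviour, not this issue.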
721261-2 : v12.x Policy rule names containing slashes are not migrated properly
Component: Local Traffic Manager
Symptoms:
When migrating from v12.x to v13.0.x, 13.1.x, or 14.0.x, LTM policies that have rules whose names contain the slash character do not migrate properly, and roll-forward migration fails.
Conditions:
-- BIG-IP systems running v12.x.
-- Configuration contains LTM Policy rules whose names include the slash (/) character.
-- Upgrading to v13.0.x, 13.1.x, or 14.0.x.
Impact:
Roll-forward migration fails with the error: illegal characters in rule name.
Workaround:
Edit the rule names within LTM Policies, replacing the now-illegal slash (/) character with a legal alternative, such as the underscore (_).
Alternately, prior to migration, rename the rules on the v12.x system, and then perform the upgrade.
721020-2 : Changes to the master key are reverted after full sync
Component: TMOS
Symptoms:
Changes to the master key on a device that is in a device cluster are reverted when a full sync of any device-group is performed. The master key is reset to its previous value.
Conditions:
-- The BIG-IP system is in a device cluster.
-- You change the master key from within TMSH.
Impact:
Subsequent configuration loads fail on the device.
Workaround:
There is no workaround.
720819-3 : Certain platforms may take longer than expected to detect and recover from HSB lock-ups
Component: TMOS
Symptoms:
In the unlikely event of a HSB lock-up, certain BIG-IP platforms may take longer than expected to detect and recover from the condition.
For instance, it may take several minutes for an affected unit to detect the condition and initiate the predefined failsafe action.
Instead, the recovery mechanism should trigger almost instantaneously.
Conditions:
This issue occurs when all of the following conditions are met:
-- The BIG-IP system is an i56xx/i58xx, i76xx/i78xx, or i106xx/i108xx platform.
-- The HSB locks up due to a separate issue.
Impact:
Traffic will be negatively impacted until the BIG-IP system detects and remedies the condition.
Workaround:
None.
720757-2 : Without proper licenses Category Lookup always fails with license error in Allow Ending
Component: Access Policy Manager
Symptoms:
When a per-request policy's Category Lookup agent queries Standard Categories with an expired SWG/URLF license (and has 'RST on failure' disabled), the execution always ends with the following log messages:
Error: Global concurrent url filter session limit reached
The connection is aborted.
Conditions:
Category Lookup agent set to query the urldb engine (standard categories) with either no SWG/URLF license or an expired license.
Impact:
Even if 'RST on failure' is disabled, traffic cannot reach the allow ending successfully.
Workaround:
Remove the Category Lookup with standard category lookup from the per-request policy if the licenses do not allow for its use.
720669-1 : Within the GUI, the 'MQTT-TLS' service port is incorrectly reported as 'common.all.MQTT-TLS'.
Component: TMOS
Symptoms:
In some sections of the GUI, the 'MQTT-TLS' service port may be incorrectly reported as 'common.all.MQTT-TLS'.
Conditions:
This is currently known to happen in the 'Virtual Server List' screen when a virtual server is configured to listen on port 8883 (a.k.a. MQTT-TLS).
Impact:
None. The issue is cosmetic and has no effect on traffic.
Workaround:
None.
720610-1 : Updatecheck logs bogus 'Update Server unavailable' on every run
Component: TMOS
Symptoms:
The updatecheck operation erroneously logs that the Update Server is unavailable on every run, successful or not.
Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.
Impact:
Misleading messages in the log file, implying that the update server is not available.
Workaround:
None.
720585-2 : Signatures generated by Behavioral DOS algorithm can create false-positive signatures
Component: Anomaly Detection Services
Symptoms:
There is a chance that the generated signatures block unknown traffic (traffic that was not present before the attack) even when that is not necessary from a service-health perspective.
Conditions:
-- Attack traffic is running.
-- Unknown traffic is running in parallel.
-- Together with the good traffic, it exceeds the learned baseline.
Impact:
The signatures may block unknown traffic even when that is not necessary from a service-health perspective.
Workaround:
There is no workaround at this time.
720581-1 : Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files
Component: Application Security Manager
Symptoms:
When using Policy Merge to add an XML Profile from policy A to policy B, if there are any Schema files (such as xsd or wsdl) associated with the profile, then the XML Profile added to policy B erroneously points to the file that is in policy A and does not create a new reference within policy B.
Conditions:
Policy Merge is used to add an XML Profile that contains a schema file from one policy to another.
Impact:
-- The reference to an object in another policy breaks BIG-IQ discovery.
-- The policy is not consistent after export/import.
Workaround:
None.
720461-1 : qkview prompts for password on chassis
Component: TMOS
Symptoms:
Qkview prompts for a password when executing getnodedates from the chassis module.
Conditions:
SSH auth keys are missing or corrupted.
Impact:
This blocks collecting qkview.
Workaround:
Edit the /usr/bin/getnodedates script and add -oBatchMode=yes to the SSH command, as shown in the following example:
$date = `/usr/bin/ssh -q -oBatchMode=yes -oStrictHostKeyChecking=no $ip /bin/date`;
720460-3 : Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly
Component: Local Traffic Manager
Symptoms:
The sys db compression.strategy is used to control the compression-provider selection. When it is set to 'softwareonly', compression still selects a hardware accelerator.
Conditions:
This always happens when compression.strategy is set to 'softwareonly'.
Impact:
Compression.strategy set to 'softwareonly' does not work, and if there is a problem in a hardware accelerator, compression will still select the hardware accelerator, even though software compression is desired.
Workaround:
There is no workaround.
720440-2 : Radius monitor marks pool members down after 6 seconds
Component: Local Traffic Manager
Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.
Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.
Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.
Workaround:
There is no workaround at this time.
720269-1 : TACACS audit logging may append garbage characters to the end of log strings
Component: TMOS
Symptoms:
When using TACACS audit logging, you might see extra 'garbage' characters appended to the end of logging strings.
Conditions:
Using audit forwarding with a remote TACACS server.
Impact:
Confusing log messages. Remote TACACS logging might stop altogether after some time.
Workaround:
There is no workaround at this time.
720242-1 : GUI for AFM rules shows protocol value IPENCAP for rules under rule-list
Component: Advanced Firewall Manager
Symptoms:
When you set the protocol field to 'IPv4', it is displayed as 'IPENCAP' after saving.
Conditions:
This occurs only for rules under RuleList.
Impact:
Protocol value is displayed as 'IPENCAP' as opposed to 'IPv4'.
Workaround:
None.
720219-2 : HSL::log command can fail to pick new pool member if last picked member is 'checking'
Solution Article: K13109068
Component: Local Traffic Manager
Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.
Conditions:
-- Using HSL::log command.
-- iRule with a remote high speed logging configured.
Impact:
Failure to send log messages via HSL.
Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.
720030-5 : Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)
Component: Access Policy Manager
Symptoms:
Kerberos DNS SRV requests are generated without enabling EDNS0. Without it, the internal DNS server (dnscached) truncates any UDP response larger than 512 bytes, causing the DNS request to be re-sent over a TCP connection. This results in many connections in the TIME_WAIT state toward dnscached.
Conditions:
APM end users using Kerberos SSO to access backend resources.
Impact:
Ability to create new DNS requests is affected, if there are numerous sockets in TIME_WAIT. This can result in scalability issues.
Workaround:
For BIG-IP software v12.x and later, edit the /etc/resolv.conf file to add the EDNS0 option (an 'options edns0' line).
There is no workaround for versions earlier than 12.x.
719770-1 : tmctl -H -V and -l options without values crashed
Component: TMOS
Symptoms:
When the -H, -V, or -l option is passed to tmctl without a following value, tmctl crashes.
Conditions:
Use one of these options without the required value.
Impact:
Core file. No other impact.
Workaround:
Be sure to pass the required value with these options.
719459-1 : Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled
Component: Application Security Manager
Symptoms:
Policy builder suggests adding already existing URLs (as HTTPS) learned from response.
Conditions:
-- Differentiate HTTP and HTTPS URLs is disabled.
-- Learn-from response is enabled.
-- Server responses contain HTTPS links for HTTP requests instead of using protocol-relative URLs.
Impact:
This is a cosmetic issue in that incorrect suggestions are created. There is no impact to functionality.
Workaround:
Add the incorrect suggestions to the 'ignore' list.
719247-1 : HTTP::path and HTTP::query iRule functions cannot be set to a blank string
Solution Article: K10845686
Component: Local Traffic Manager
Symptoms:
The HTTP::path and HTTP::query iRule functions generate an error if called with an argument that is a blank string, resulting in connection termination.
Conditions:
In an iRule where the argument is a blank string:
HTTP::path ""
HTTP::query ""
Impact:
Error encountered while executing iRule "HTTP::query $blank", and the connection is terminated with an error in the logs similar to the following:
-- err tmm[17219]: 01220001:3: TCL error: /Common/ir_1-4045405141_query <HTTP_REQUEST>
Workaround:
To set HTTP::query to blank, use the following function:
HTTP::uri [HTTP::path]
To set HTTP::path to blank, use the following function:
HTTP::uri [HTTP::query]
719186-1 : Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts
Component: Fraud Protection Services
Symptoms:
Multipart/form-data requests are not supported in FPS. FPS-protected pages that have the enhanced data-manipulation feature enabled may generate a false-positive 'missing strong integrity parameter' alert for multipart/form-data requests.
Conditions:
-- FPS profile attached to a virtual server.
-- Multipart/form-data requests to a URL.
-- Enhanced data-manipulation feature enabled on a protected URL.
Impact:
False-positive 'missing strong integrity parameter' alert.
Workaround:
Use the ANTIFRAUD::disable_alert iRule command to drop the alert:
(Set the static::drop_alert variable elsewhere in the iRule, for example by matching the URL and checking that the Content-Type header starts with 'multipart/form-data'.)
when ANTIFRAUD_ALERT {
    # Drop only the false-positive 'missing strong integrity parameter' alert
    if { $static::drop_alert eq 1 &&
         [ANTIFRAUD::alert_type] eq "vtoken" &&
         [ANTIFRAUD::alert_component] eq "no_strong_integrity_param" } {
        ANTIFRAUD::disable_alert
        set static::drop_alert 0
    }
}
719107-1 : Message type is not displayed in CLI and incorrect message type is displayed in GUI for Subscriber Management diameter protocol profile message type CCA-T.
Component: Policy Enforcement Manager
Symptoms:
If a configuration created on a version earlier than v13.1.0 has a Subscriber Management diameter protocol message type CCA-T, then after upgrading to a later version the message type is not displayed on the command-line interface (CLI) and is incorrectly displayed as CCR-I in the GUI.
Conditions:
-- Upgrade to v13.1.0 or later.
-- Configuration has Subscriber Management diameter protocol message type CCA-T.
Impact:
The message type is incorrectly displayed as CCR-I in the GUI.
Note: This configuration has no effect.
Workaround:
Delete the Subscriber Management diameter protocol message that has no message-type when viewed from CLI.
719005-2 : Login request may arrive corrupted to the backend server after CAPTCHA mitigation
Component: Application Security Manager
Symptoms:
Login request arrives corrupted (specifically, some of the characters in the payload are changed).
Conditions:
-- A brute force CAPTCHA mitigation happens.
-- Specific traffic conditions.
Impact:
Login request fails.
Workaround:
None.
718867-1 : tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades★
Component: Local Traffic Manager
Symptoms:
The db variable 'tmm.umem_reap_aggrlevel' (to set the memory-usage level at which aggressive connection-reaping begins) does not persist across upgrades; on upgrade it will be reset to its default value (80%).
Conditions:
-- The db variable 'tmm.umem_reap_aggrlevel' is set to a custom value (specifically, not '80').
-- The BIG-IP system is upgraded.
Impact:
The value for 'tmm.umem_reap_aggrlevel' has reset to '80', its default value.
Workaround:
Reset the variable's custom value after upgrade.
718800-1 : Cannot set a password to the current value of its encrypted password
Component: TMOS
Symptoms:
Attempting to set a password to the current value of its encrypted password silently fails without changing the password. For example, running the following tmsh command sets the encrypted password to the value 'password':
modify auth user <username> encrypted-password password
Attempting to set the password to 'password' using the command does not report an error, but does not change the password (meaning that encrypted password remains 'password'):
modify auth user <username> password password
Conditions:
Changing a password to the value of encrypted-password.
Impact:
It is difficult to recover from this situation because simply changing the password to the correct value does not work.
(It is likely this initially happened by accident: attempting to set 'password', but setting 'encrypted-password' instead.)
Workaround:
First, change the password to something else. Then, change it back to the correct value.
718790-2 : Traffic does not forward to fallback host when all pool members are marked down
Component: Local Traffic Manager
Symptoms:
Traffic does not get forwarded to fallback hosts.
Conditions:
All the pool members are marked administrative down.
Impact:
Traffic does not get forwarded.
Workaround:
Pick a monitor working properly for the pool.
718772-1 : The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists)
Component: Anomaly Detection Services
Symptoms:
The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists).
Conditions:
Attack with traffic with 'unknown' header, for example
'Upgrade-Insecure-Requests: 1'.
Impact:
In the GUI, when the signature with the predicate 'unknown_header' is edited, this predicate is empty (instead of exists / does not exist).
Workaround:
There is no workaround.
718291-1 : iHealth upload error doesn't clear
Component: TMOS
Symptoms:
If an error occurs that sets the iHealth error string, then this string is never cleared.
Conditions:
Setting an invalid hostname for db variable proxy.host.
Impact:
The system reports the following error string: curl: (56) Recv failure: Connection reset by peer. This error message is never cleared, despite running a successful upload. The bogus error message could result in unnecessary confusion after a successful upload.
Workaround:
To clear the error message, run the following command:
/usr/bin/guishell -c "update diags_ihealth_request set error_str='';"
718232-3 : Some FTP servers may cause false positive for ftp_security
Component: Application Security Manager
Symptoms:
A login might get rejected after a lower number of failed logins than is configured for 'Maximum Username Login Retries'. The BIG-IP system posts the following error message: 530 Too many failed login attempts by the user.
Conditions:
-- The server sends unexpected ingresses that are rejected.
-- There is a value specified for 'Maximum Username Login Retries'.
Impact:
A legitimate user might be rejected and have to wait until the configured 'Re-enable login' time.
Workaround:
There is no workaround at this time.
718033-3 : REST calls fail after installing BIG-IP software or changing admin passwords
Component: Device Management
Symptoms:
After installing the latest BIG-IP software, or changing the BIG-IP admin passwords once or twice, REST calls might fail with the following error: 400 - Bad Request.
Conditions:
The conditions under which this occurs are not well understood. The issue occurs randomly, and is likely the result of a timing issue.
Impact:
REST calls or GUI operations fail, and errors appear on screen.
Workaround:
Run the following command on the BIG-IP system:
$ bigstart restart restjavad
717785-4 : Interface-cos shows no egress stats for CoS configurations
Component: TMOS
Symptoms:
No egress packet counts per CoS queue are reported on B21x0 and 5x00/7x00 platforms. The issue affects the egress packet statistics reporting per CoS queue only. The operation of the CoS feature is not affected and the egress packets statistics reporting per external interface is also not affected.
Conditions:
-- Valid 8 HW CoS feature configuration has been enabled and passing traffic.
-- BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.
-- Running the show net interface-cos command.
Impact:
Egress packet statistics reported per CoS queue show no counts.
Workaround:
None.
717100-2 : FQDN pool member not added if FQDN resolves to same IP as another existing FQDN pool member
Component: Local Traffic Manager
Symptoms:
FQDN ephemeral pool members and the corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.
The missing FQDN ephemeral pool members may be created an hour after initial operations.
Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.
Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members, and any virtual servers using that pool to fail to pass traffic.
Workaround:
The following steps, alone or in combination, may help avoid this issue:
1. Avoid rapid creation of multiple FQDN template pool members (such as creating several of them in a single tmsh CLI transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.
Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.
In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).
716940-1 : Traffic Learning screen graphs show data for the last day only
Component: Application Security Manager
Symptoms:
Traffic Learning screen graphs show data for the last day only.
Conditions:
Visit the Learning screen 1 hour after policy creation.
Impact:
Statistics shown are for the last day. No statistics for longer or for shorter periods of time.
Workaround:
There is no workaround.
716788-1 : TMM may crash while response modifications are being performed within DoSL7 filter
Component: Application Security Manager
Symptoms:
TMM might crash when a response is modified by the DoSL7 filter while injecting an HTML response from a backend server.
Conditions:
-- ASM provisioned.
-- DoS application profile is attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts, failover may occur.
Workaround:
There is no workaround other than to remove the DoS application profile from the virtual server.
716714-2 : OCSP should be configured to avoid TMM crash.
Component: Local Traffic Manager
Symptoms:
TMM generates a core if OCSP is not configured in the SSL profile.
Conditions:
OCSP not configured in the SSL profile.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than configuring OCSP in SSL profiles.
716391-1 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation
Component: TMOS
Symptoms:
vCMP guest with only 2 cores (or 2 cores per blade for multi-blade guests) may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.
Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores (or 2 cores per blade for multi-blade vCMP guests).
-- A module using MySQL is provisioned.
Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.
Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.
716324-1 : CSRF protection fails when the total size of the configured URL list is more than 2 KB
Component: Application Security Manager
Symptoms:
When the total size of the cross-site request forgery (CSRF) protection URL list is greater than 2 KB, CSRF injection fails.
Conditions:
- CSRF protection is enabled.
- The total length of the defined CSRF URL list is more than 2 KB.
- A protected URL is accessed.
Impact:
CSRF false-positive violation.
Workaround:
Use wildcards to minimize total CSRF URL size.
716318-1 : Engine/Signatures automatic update check may fail to find/download the latest update
Component: Fraud Protection Services
Symptoms:
Engine/Signatures automatic update check may fail to find/download the latest update if the timestamp of the factory update file is later than the timestamp of the update file in downloads.f5.com.
Note: This issue is relevant only for engineering hotfixes.
Conditions:
This occurs when the following conditions are met:
-- Engineering hotfix.
-- The factory update file timestamp is later than the timestamp of the update file in downloads.f5.com.
Impact:
Automatic update check will detect the wrong update file.
Workaround:
Manually check, and then download and install the update file from downloads.f5.com, if needed.
716213-5 : BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
Component: Local Traffic Manager
Symptoms:
When APM connects to Active Directory Federation Services (ADFS), a blank page is observed. The log file /var/log/ltm shows a TCP reset issued by the BIG-IP system. A TCP capture shows that the issue is due to an out-of-bounds error that occurs when traffic is parsed by the SSL Persistence Parser (SSID).
Conditions:
-- SSL persistence (SSID) is enabled for a virtual host.
-- APM connects to ADFS.
Impact:
A blank page is observed due to the TCP reset.
Workaround:
No workaround is available.
715785-1 : Incorrect encryption error for monitors during sync or upgrade
Component: Local Traffic Manager
Symptoms:
The system logs an error message similar to the following in /var/log/ltm:
err mcpd[6823]: 01071768:3: Encryption of the field (password) for object (<monitor name>) failed.
This may cause a configuration sync to fail, or an upgrade to fail.
Conditions:
The exact conditions are unknown; however, it may occur under these circumstances:
-- Performing a config sync operation.
-- Performing an upgrade.
Impact:
Inability to sync peer devices, or an inability to upgrade.
Workaround:
There is no workaround at this time.
715756-1 : Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only
Component: Local Traffic Manager
Symptoms:
When filesystems critical to TMOS functional operation are mounted read-only, clusterd on that blade should trigger a primary election if it was primary. Either way, the cluster should be informed of this critical error state.
Conditions:
A critical filesystem (e.g., '/', '/var', '/var/run', '/config', '/shared') has been mounted read-only.
Impact:
The blade with read-only filesystems and degraded functionality might stay primary and claim to be passing traffic.
Workaround:
There is no workaround other than to avoid mounting filesystems read-only on a BIG-IP system.
715128-2 : Simple mode Signature edit does not escape semicolon
Component: Application Security Manager
Symptoms:
When creating a user-defined ASM Signature in Simple mode, a semicolon followed by a space cannot be used in a keyword.
Conditions:
-- Using a user-defined ASM Signature in Simple mode.
-- There is a semicolon followed by a space in a keyword.
Impact:
The signature cannot be created.
Workaround:
The signature can be created in Advanced Mode by escaping semicolon as "|3B|".
714986-4 : Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot
Component: TMOS
Symptoms:
On an iSeries platform, when the console baud rate is changed through TMSH, new terminal sessions revert back to the previous baud rate instead of adopting the new setting unless the unit is rebooted.
Conditions:
1. Modify the console baud rate in BIG-IP through TMSH on an iSeries platform (i2xxx, i4xxx, i5xxx, i7xxx, i10xxx, i15xxx), for example: tmsh modify sys console baud-rate 9600.
2. Exit from the login prompt in the current terminal session, or kill it and start a new session.
Impact:
The BIG-IP system reverts to the previous baud rate instead of the new setting. Inability to create any new serial console connections with the modified baud-rate without a reboot.
Workaround:
The problem can be mitigated by manually reprogramming the TTY device and restarting the agetty process and bash login sessions. This closes any existing console connections, but newly established connections will connect at the modified baud rate.
1. Use TMSH to modify the baud rate to the desired speed by running a command similar to the following:
tmsh modify sys console baud-rate 9600
2. Re-program the TTY device with the desired speed by running a command similar to the following:
stty -F /dev/ttyS0 9600
3. Kill the existing agetty process so it will re-start at the new baud rate by running the following command:
/usr/bin/killall -q agetty
4. Restart bash logins by running the following command:
/bin/kill -HUP `/bin/ps -A | /bin/grep ttyS0 | /bin/grep -v grep | /bin/grep bash | /bin/awk '{print $1}'` >/dev/null 2>&1
714974-1 : Platform-migrate of UCS containing QinQ fails on VE★
Component: TMOS
Symptoms:
If you are doing platform-migrate from a hardware device to a Virtual Edition (VE) guest, and the UCS that came from the hardware device has a QinQ VLAN configuration, then the upgrade will fail.
Conditions:
-- VLAN with a QinQ configuration exists on the hardware configuration.
-- UCS file is saved on the hardware device.
-- UCS is copied to a VE guest.
-- Attempt to load the configuration using the following command: load sys ucs <UCS filename> no-license platform-migrate.
Impact:
The UCS load will fail and generate an error:
01071bd8:3: The tag-mode for requested member <VLAN name> has to be 'none' on platforms that do not support QinQ. Unexpected Error: Loading configuration process failed.
Workaround:
None.
714903-3 : Errors in chmand
Component: TMOS
Symptoms:
VIPRION cluster does not form; only primary blade stays online. Chassis manager chmand generated a core file. System logs the following error in ltm log: err clusterd[11162]: 013a0004:3: Error adding cluster mgmt addr, HAL error 7.
Conditions:
-- Restoring UCS.
-- Chassis starting up.
-- System in stressed condition, where there is very little or no memory available.
Impact:
Cluster does not form.
Workaround:
None.
714654-1 : Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
Component: TMOS
Symptoms:
While creating a static route, tmrouted disconnects with error: existing entry is not a dynamic.
Conditions:
Creating a static route for a network that already has an advertised dynamic route.
Impact:
TMM's connection to tmrouted goes down, which results in loss of the dynamic route for TMM.
Workaround:
There is no workaround other than not creating a static route for routes received through dynamic routing.
714559-4 : Removal of HTTP hash persistence cookie when a pool member goes down.
Component: Local Traffic Manager
Symptoms:
When HTTP cookie hash persistence is configured, the cookie is removed when a pool member goes down. This is incorrect if pool members are using session replication.
Conditions:
- Cookie hash persistence is configured.
- A pool member that the persistence record points to goes down.
- Pool members are using session replication.
Impact:
Connected clients must establish a new session.
Workaround:
To configure HTTP cookie hash persistence, use an iRule similar to the following:
when CLIENT_ACCEPTED {
persist cookie hash JSESSIONID
}
714507-1 : [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server
Component: Global Traffic Manager (DNS)
Symptoms:
GTM pool member dependency cannot be listed correctly using the following command:
# tmsh list gtm pool
Conditions:
-- Virtual server dependency in GTM server.
-- Running the command: tmsh list gtm pool.
Impact:
1. Pool member dependencies are not listed.
2. Pool member dependency information is missing when saving config:
# tmsh save sys config gtm-only
Workaround:
List specific gtm pools instead by running a command similar to the following:
# tmsh list gtm pool a p1
714503-1 : When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl
Component: Local Traffic Manager
Symptoms:
When using the GUI to create a new iRulesLX rule with the extension .tcl as part of the rule name, the GUI will append another .tcl at the end of the file. This is problematic when attempting to view the iRule in the iRulesLX workspace (at Local Traffic :: iRules : LX Workspaces :: <workspace name>).
Conditions:
-- Creating a new iRulesLX iRule in the GUI.
-- Adding the extension .tcl.
Impact:
Cannot view or delete the iRule from the iRulesLX GUI.
Workaround:
Do not name rules with the .tcl extension. The system will do that for you.
714495-1 : When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"
Component: Local Traffic Manager
Symptoms:
When using TMSH to create a new iRulesLX rule with the extension '.tcl' as part of the rule name, TMSH will append another '.tcl' at the end of the file. This is problematic when attempting to view the iRule in the GUI (in the iRulesLX workspace at Local Traffic :: iRules : LX Workspaces :: <workspace name>).
Conditions:
Creating a new iRulesLX iRule in TMSH.
Impact:
Cannot view or delete the iRule from the iRulesLX GUI.
Workaround:
Do not name rules with the '.tcl' extension.
714334-2 : admd stops responding and generates a core while under stress.
Component: Anomaly Detection Services
Symptoms:
admd stops responding and generates a core while under stress.
Conditions:
-- The BIG-IP system is under stress.
-- CPU starvation is occurring.
Impact:
admd core and restart.
Note: The admd process provides stress-based DoS detection and mitigation control. When admd is not running, there is no stress-based anomaly detection or behavioral statistics aggregation.
Workaround:
None.
714216-1 : Folder in a partition may result in load sys config error
Component: TMOS
Symptoms:
If you run the command 'tmsh load sys config current_partition' in a partition that includes a folder, the command may return an error.
Conditions:
This occurs in the following scenario:
-- Create a partition.
-- Create a folder in that partition.
-- In the newly-created partition, save the configuration with the command 'save sys conf'.
-- In the same partition, run the following command to load the configuration: 'tmsh load sys config current_partition'.
Impact:
The load configuration process fails with an error that the folder does not exist.
Workaround:
There is no workaround at this time.
713820-2 : Pass in IP to urldb categorization engine
Component: Access Policy Manager
Symptoms:
Category lookup results might be less accurate. In some cases, the system returns 'uncategorized' when the reference (Forcepoint) returns a specific category.
Conditions:
The Category Lookup agent is in a per-request policy that uses the categorization engine to look up a website's classification.
Impact:
Actions leveraging categorization results will be applied incorrectly.
Workaround:
None.
713708-6 : Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI
Component: TMOS
Symptoms:
On the BIG-IP GUI, under System :: Software Management :: Update Check, after pressing 'Check now', the 'Available Update' shows a long string 'OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install' instead of the EPSEC version, e.g.: epsec-1.0.0-679.0.
Conditions:
-- Under System :: Software Management :: Update Check.
-- Press 'Check now'.
Impact:
Cannot determine what version is available by viewing 'Available Update'. Although this is how all the other updates work, it can result in a confusing BIG-IP user experience.
Workaround:
To have the browser show the link's destination address, view the browser's status fields while hovering the cursor over the following link text: OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install.
713655-1 : RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
Component: Access Policy Manager
Symptoms:
If per-session access policy requests route domain selection during policy evaluation, the agent might hang and fail to retrieve route domain information. APMD might restart and produce a core file.
Conditions:
-- Policy sync operation.
-- System receives a query for route domain information.
-- There is a heavy load of control plane traffic to process.
Impact:
Poor performance and/or APMD restarts with a core file, causing brief disruption of the authentication service.
Workaround:
None.
713585-2 : When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long
Solution Article: K31544054
Component: Local Traffic Manager
Symptoms:
Config load could be very long and CPU usage very high.
Conditions:
There are many iRules and they are installed on many virtual servers.
Impact:
BIG-IP system performance could be degraded during the load, and the system may lock up.
Workaround:
Run "tmsh modify sys db rule.validation value syntax"; this causes iRule validation to check iRule syntax only, so the semantic checks are not performed.
713519-1 : Enabling MCP Audit logging does not produce log entry for audit logging change
Component: TMOS
Symptoms:
When you enable MCP audit logging, the action of changing the audit logging entry is not logged. All actions after the configuration change are logged.
Conditions:
This occurs when enabling MCP audit logging.
Impact:
The audit logging change itself is not logged in the audit logs.
Workaround:
None.
713282-2 : Remote logger violation_details field does not appear when virtual server has more than one remote logger
Component: Application Security Manager
Symptoms:
Remote logger violation_details field appears empty.
Conditions:
-- More than one remote logger is attached to the virtual server.
-- A violation occurs.
-- Viewing the associated log.
Impact:
Violation_details field appears empty in logs.
Workaround:
There is no workaround at this time.
713138-3 : TMUI ILX Editor inserts an unnecessary linefeed
Component: TMOS
Symptoms:
If you use the TMUI edit for ILX, the system will append a linefeed character every time you save. This is not usually apparent, but if you edit the file, then delete your changes, and then save it, it will still register as changed.
A message indicates the need to refresh the workspace, and the actual content of the file will change, but not the functionality.
Conditions:
Edit a workspace file in ILX via the TMUI editor (i.e., the GUI).
Impact:
File contents can change unexpectedly and have needless characters at the end.
Workaround:
Use TMSH or an editor other than TMUI to change those files.
713134-1 : Small tmctl memory leak when viewing stats for snapshot files
Component: TMOS
Symptoms:
When viewing statistics for snapshot files, tmctl leaks a small amount of memory and displays the message:
tmctl: BUG: tmstat_dealloc invoked on a handle with rows outstanding; release all rows before calling tmstat_dealloc at <address>
Conditions:
Using tmctl to view statistics of snapshot files, for example:
tmctl -D /shared/tmstat/snapshots memory_usage_stat -s time,name,allocated,max_allocated name=access
Impact:
Errors written to output when running tmctl. The leak itself is very small and is only for tmctl (i.e., it does not have a cumulative, detrimental effect on the system that a TMM or MCP leak might).
Workaround:
None.
712489-1 : TMM crashes with message 'bad transition'
Component: Local Traffic Manager
Symptoms:
TMM crashes under a set of conditions in which the system detects an internal inconsistency. The system posts an error similar to the following in the LTM and TMM logs:
crit tmm[18755]: 01010289:2: Oops @ 0x2285e10:5157: bad transition
Conditions:
Conditions that cause this to happen are not predictable, but these might make it more likely:
-- FastL4 virtual server and HTTP are configured.
-- db variable tmm.oops set to 'panic'.
-- Client sends three GET requests at once, and then closes the connection after a few seconds.
-- The server sends a partial 'Connection: close' response.
Impact:
TMM crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
712362-4 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
Component: Application Security Manager
Symptoms:
When the WebSocket HTTP handshake response arrives without the 'Switching Protocols' reason phrase on the first line, ASM does not pass the subsequent WebSocket frames on that WebSocket connection.
The system posts the following messages in /ts/log/bd.log:
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0269|101 Switching Protocols HTTP status arrived, but the websocket hanshake failed.
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0270|Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.
Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- WebSocket backend server sends 101 response without the 'Switching Protocols' phrase.
Impact:
WebSocket frames stall.
Workaround:
#1 Change the backend server:
Change WebSocket backend server to return 101 response to include the 'Switching Protocols' reason phrase:
HTTP/1.1 101 Switching Protocols
#2 Use an iRule:
when SERVER_CONNECTED {
    # Hold the first 15 bytes of the server response so the status line can be inspected
    TCP::collect 15
}
when SERVER_DATA {
    # "HTTP/1.1 101 \r\n" is exactly 15 bytes: a 101 status line with an empty reason phrase
    if { [TCP::payload 15] contains "HTTP/1.1 101 \r\n" } {
        TCP::payload replace 0 12 "HTTP/1.1 101 Switching Protocols"
    }
    # Release the collected (and possibly rewritten) data so the connection does not stall
    TCP::release
}
712335-2 : GTMD may intermittently crash under unusual conditions.
Component: Global Traffic Manager (DNS)
Symptoms:
GTMD may intermittently crash when an unexpected error occurs while creating a statistics row for a resource added to the configuration.
Conditions:
When a pool member is added to the system and there is an unexpected failure to create the associated statistics row.
Impact:
GTMD restarts.
Workaround:
There is no workaround at this time.
712102-1 : Customizing or changing the HTTP Profile's IPv6 field hides the field or the row
Solution Article: K11430165
Component: TMOS
Symptoms:
Customizing or changing the HTTP Profile's IPv6 field hides the field or the row.
Conditions:
Customizing or changing the HTTP Profile's IPv6 field.
Impact:
The HTTP Profile's IPv6 field cannot be customized or changed.
Workaround:
Use tmsh to set the HTTP Profile's IPv6 field.
712033-3 : When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name
Component: TMOS
Symptoms:
When you make a REST request to an association list in /stats, the member name is duplicated after 'members' in both the entries and the selfLink, e.g.:
# restcurl -X GET -u admin /tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats
{
"kind": "tm:ltm:pool:members:membersstats",
"generation": 3,
"selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats?ver\u003d14.0.0",
"entries": {
"https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/~Common~node1:8105/stats": {
Conditions:
When making a REST request to an object in /stats that is an association list.
Impact:
The selfLink has a duplicate name. SelfLinks for associations do not work.
Workaround:
None.
711981-6 : BIG-IP system accepts larger-than-egress MTU, PMTU update
Component: Local Traffic Manager
Symptoms:
A Path MTU (PMTU) message can lead the BIG-IP system to falsely assume that the egress MTU on the related flow is larger than the interface egress MTU.
Conditions:
A valid PMTU message.
Impact:
BIG-IP sends messages larger than the configured interface egress MTU.
Workaround:
None.
711818-4 : Connection might get reset when coming to virtual server with offload iRule
Component: Application Security Manager
Symptoms:
When IN_DOSL7_ATTACK event is triggered, and iRule has an async command in it, events might be released out of order, causing connection RST.
Conditions:
1. Have DoS profile with iRule turned on.
2. iRule is async (such as wait, DNS resolving, etc.).
3. Send POST request.
Impact:
Connection receives a RST.
Workaround:
There is no workaround at this time.
711683-1 : bcm56xxd crash with empty trunk in QinQ VLAN
Component: TMOS
Symptoms:
When an empty trunk (no members) is configured 'tagged' in a QinQ VLAN, bcm56xxd will continuously crash.
Conditions:
Trunk with no members, configured as 'tagged' in a QinQ VLAN.
Impact:
bcm56xxd continuously crashes.
Workaround:
Use either of the following workarounds:
-- Add members to the trunk.
-- Remove the trunk from the QinQ VLAN.
711405-2 : ASM GUI Fails to Display Policy List After Upgrade
Solution Article: K14770331
Component: Application Security Manager
Symptoms:
After upgrade to version 13.1.0 or later, ASM GUI fails to display the Policy List.
Conditions:
Using an 11.5.0 to 11.5.4-HF1 version that is affected by the issue of policies with duplicate REST IDs that occurred after restoring from policy history or using Policy Diff to compare policies.
Impact:
The ASM GUI started using the REST API in version 13.1.0, so any system that was affected by this issue on a previous version now causes the GUI to fail to display the Policy List.
Workaround:
On the device run the following script:
---------------------------------
perl -MF5::DbUtils -MF5::Utils::Rest -MF5::ASMConfig::Entity::Policy -e '$dbh = F5::DbUtils::get_dbh();
$dbh->begin_work();
$dbh->do("UPDATE PLC.PL_POLICIES a SET a.rest_uuid = \"\" WHERE a.rest_uuid IN ( SELECT rest_uuid FROM (SELECT rest_uuid FROM PLC.PL_POLICIES GROUP BY rest_uuid having count(*) > 1) b)");
F5::Utils::Rest::populate_uuids(dbh => $dbh);
$dbh->commit();'
---------------------------------
Note: In a management environment, this change must be pushed to the peer as a full sync. The easiest way to do so is to ensure that the ASM sync device group is in manual sync mode, and to push the config to the peers from the device where the script was run.
710884-2 : Portal Access might omit some valid cookies when rewriting HTTP request.
Component: Access Policy Manager
Symptoms:
Portal Access is not sending certain cookies to the backend application.
Conditions:
-- Request path and cookie path are equal.
-- The last character of request path is not a forward slash (/).
Impact:
Backend application does not receive some cookies and may decide that APM end users are not authenticated, when they are.
Workaround:
There is no workaround at this time.
710809-3 : Restjavad hangs and causes GUI page timeouts
Component: Device Management
Symptoms:
Restjavad stops responding, causing GUI page timeouts.
Conditions:
The conditions behind this issue are not known.
Impact:
restjavad is active, but all endpoints are nonresponsive.
Workaround:
Restart restjavad.
710044-4 : Portal Access: same-origin AJAX request may fail in some case.
Component: Access Policy Manager
Symptoms:
If base URL for current HTML page contains default port number, same-origin AJAX request from this page may fail via Portal Access.
Conditions:
- HTML page with an explicit default port in the base URL, for example:
    <base href='https://some.com:443/path/'>
- Same-origin AJAX request from this page, for example:
    var xhr = new XMLHttpRequest();
    xhr.open('GET', 'some.file');
Impact:
Web application may not work correctly.
Workaround:
It is possible to use an iRule to remove the default port number from the encoded back-end host definition in Portal Access requests, for example:
when RULE_INIT {
    # hex-encoded string for 'https://some.com'
    set ::encoded_backend {68747470733a2f2f736f6d652e636f6d}
    # '3a343433' is the hex-encoded form of ':443'; the trailing '\$' matches the
    # literal '$' that follows the encoded host in the rewritten path
    set ::pattern "/f5-w-${::encoded_backend}3a343433\$"
    # character range occupied by the '3a343433' suffix within the pattern
    set ::remove_end [ expr { [ string length $::pattern ] - 2 } ]
    set ::remove_start [ expr {$::remove_end - 7} ]
}
when HTTP_REQUEST {
    if { [HTTP::path] starts_with "$::pattern" } {
        # strip the encoded ':443' so the back-end host matches the page's base URL
        set path [ string replace [HTTP::path] $::remove_start $::remove_end "" ]
        HTTP::path "$path"
    }
}
710028-1 : LTM SQL monitors may stop monitoring if multiple monitors querying same database
Component: Local Traffic Manager
Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.
When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:
[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'
then multiple, periodic instances of the following message, referencing the same connection string:
Abandoning hung SQL query: '<query string>' for: '<connection string>'
or:
<connection string>(<thread-number>): Hung SQL query; abandoning
Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.
And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.
Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.
Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.
To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.
709963-1 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
Component: Local Traffic Manager
Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.
Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.
Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.
Workaround:
Ensure the number of trunk interfaces is a power of 2: 2, 4, or 8.
709837-1 : Cookie persistence profile may be configured with invalid parameter combination.
Component: Local Traffic Manager
Symptoms:
Configuring Cookie persistence profile via TMSH or iControl REST allows invalid parameter combinations.
Conditions:
Cookie persistence profile is configured via TMSH or iControl REST. TMUI is not affected.
Impact:
Invalid parameters for any method type of a Cookie persistence profile are ignored by TMM, no functional impact.
Workaround:
Use only the allowed parameters of each method type when Cookie persistence is configured via TMSH or iControl REST.
709670-4 : iRule triggered from RADIUS occasionally fails to create subscribers.
Solution Article: K44067891
Component: Policy Enforcement Manager
Symptoms:
The subscriber cannot be added with the same IP address after retries. This is a rarely occurring issue: if the daily average of subscriber additions is ~30000 subscribers, 5 to 6 subscribers face this problem (0.02%).
Conditions:
Running iRule to create PEM sessions from RADIUS packets using the 'PEM::subscriber create' command.
Impact:
Intermittently (a few operations per day), the command silently fails. No session is created, and no TCL error is produced. Subscriber addition requires manual intervention.
Workaround:
Trigger a RADIUS START using a different IP address for the subscriber.
709559-1 : LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name
Component: TMOS
Symptoms:
Loading the configuration fails on upgrade.
Conditions:
Must have a profile named "/Common/ssh" and must be upgrading to v12.1.2.
Impact:
The system won't be functional.
Workaround:
Delete or rename "/Common/ssh".
709444-1 : "NTP not configured on device" warning seen when NTP symmetric key authentication is configured
Component: TMOS
Symptoms:
When NTP symmetric key authentication is configured, as per https://support.f5.com/csp/article/K14120, and the BIG-IP is part of a device service cluster, then a warning similar to this will be seen periodically in /var/log/ltm:
warning mcpd[6317]: 01071af0:4: NTP not configured on device 1.2.3.4 - within a trust
Conditions:
- NTP symmetric key authentication must be configured.
- The BIG-IP must be part of a device service cluster.
- Non-authenticated NTP servers must not be in-use.
Impact:
Incorrect NTP warnings are seen periodically in /var/log/ltm.
Workaround:
There is no workaround at this time.
709383-1 : DIAMETER::persist reset non-functional
Component: Service Provider
Symptoms:
When the iRule DIAMETER::persist reset is called, it is meant to remove existing persistence records from diadb. Without this bug fix, calling DIAMETER::persist reset has no effect and the persistence record remains.
Conditions:
Diameter session profile has persistence enabled and an iRule attempts to remove a persistence record.
Impact:
not provided by ENE
Workaround:
None.
708968-1 : OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
Component: TMOS
Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not created in TMM when passed from Dynamic Routing protocols like OSPFv3.
Conditions:
- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.
Impact:
- Route entry is not created in TMM, packets addressed to such a destination might not be delivered at all or might not be delivered using the most efficient route.
- Connection between TMM and tmrouted is restarted that is a small performance overhead.
Workaround:
- If possible, pass an IPv4 address or an IPv4-compatible IPv6 address instead of an IPv4-mapped IPv6 address; however, this depends on the other routers.
708956-3 : During system bootup, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
Solution Article: K51206433
Component: TMOS
Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
Dataplane INOPERABLE - only 1 HSBes found on this platform.
Conditions:
This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.
Impact:
System does not come up.
Workaround:
Reboot system.
Because this condition only happens occasionally, rebooting typically corrects the issue.
708415-3 : Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled
Component: TMOS
Symptoms:
When setting the flow control value of an interface with a copper SFP to any value other than 'none' and the link partner has flow control disabled on their end, the interface stats will not reflect the configured flow control setting. This is because the interface stats reflect the negotiated link state rather than the advertised capabilities.
Conditions:
BIG-IP device is using copper SFPs.
-- Flow control is enabled on an interface.
-- That interface is connected to another device where flow control has not been enabled.
For example, an administrator might perform the following on a BIG-IP system with a copper SFP on interface 1.1:
# modify net interface 1.1 flow-control tx-rx
# show net interface 1.1 all-properties
Under the 'Flow Ctrl' column of the interface properties, the value will indicate 'none' even though the interface was configured to enable transmit and receive flow control. This is because the column does not indicate the advertised capabilities but rather the negotiated property of the link.
Impact:
There is no functional impact, as flow control cannot be performed until both link partners agree to support it.
Workaround:
Flow control must be enabled on the remote device and the link must be re-negotiated, in order for the flow control configuration to take effect and be reflected in the interface properties of the link.
708068-1 : Tcl commands like "HTTP::path -normalize" do not return normalized path.
Component: Local Traffic Manager
Symptoms:
When using HTTP::path with the -normalize parameter:
"%2E%2E" is converted to ".." (expected)
"/foo/../bar" is converted to "/bar" (expected)
"/foo/%2E%2E/bar" is converted to "/foo/../bar" (unexpected)
Conditions:
The TCL command HTTP::path -normalize does not return normalized path as expected.
Impact:
Unexpected result.
Workaround:
There is no workaround.
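As an added illustration (Python, not F5 code and not a description of how TMM implements the command): a path normalizer that percent-decodes unreserved characters before removing dot segments, next to the reverse ordering, which reproduces the unexpected "/foo/../bar" result above. The function names and sample paths are my own; the decode-then-strip behaviour follows RFC 3986 normalization.

```python
# Added example, not F5 code: normalize an HTTP path by decoding percent-
# encoded unreserved characters first and only then removing dot segments,
# next to the reverse ordering that yields the unexpected result above.
import re
from typing import List

# RFC 3986 unreserved characters: the only ones safe to decode during
# normalization. Decoding "%2F" (a slash) would change segment boundaries.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_unreserved(path: str) -> str:
    """Single-pass decode of %XX escapes that denote unreserved characters;
    every other escape is kept and upper-cased ("%2f" -> "%2F")."""
    def repl(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return _PCT.sub(repl, path)


def remove_dot_segments(path: str) -> str:
    """Remove "." and ".." segments from an absolute path (RFC 3986 5.2.4
    semantics). ".." never climbs above the root, and a trailing "." or ".."
    keeps the trailing slash ("/a/b/.." -> "/a/")."""
    if not path.startswith("/"):
        raise ValueError("expected an absolute path")
    segs = path.split("/")[1:]
    out: List[str] = []
    for i, seg in enumerate(segs):
        if seg == ".":
            pass
        elif seg == "..":
            if out:
                out.pop()
        else:
            out.append(seg)
            continue
        if i == len(segs) - 1:
            out.append("")  # trailing dot segment: keep the trailing slash
    return "/" + "/".join(out)


def normalize_path(path: str) -> str:
    """Correct order: decode first, then remove dot segments."""
    return remove_dot_segments(decode_unreserved(path))


def normalize_path_late_decode(path: str) -> str:
    """Wrong order: dot segments are removed before "%2E" is decoded, so an
    encoded ".." survives removal and only becomes ".." afterwards."""
    return decode_unreserved(remove_dot_segments(path))


if __name__ == "__main__":
    for p in ("/foo/../bar", "/foo/%2E%2E/bar"):
        print(p, "->", normalize_path(p),
              "| late decode ->", normalize_path_late_decode(p))
```

Note that the decoder runs a single pass, so a doubly encoded "%252E" stays "%252E" rather than collapsing to a dot.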
708063 : In older RAID BIG-IP systems, storage provisioning is not possible when a drive is missing.
Component: TMOS
Symptoms:
Any task requiring modification of application storage volumes does not succeed. This includes re-provisioning, which occurs automatically during software upgrades.
Conditions:
-- When a drive is not present in a drive bay on the following platforms:
+ BIG-IP 6900
+ BIG-IP 8900
+ BIG-IP 10000
+ BIG-IP 11050
-- An application that requires storage volumes is provisioned, such as ASM.
Impact:
Tasks requiring modification of application storage volumes, such as software upgrades or re-provisioning, fail.
Workaround:
Check RAID status before software upgrades or re-provisioning. Address any degraded RAID issues, such as a missing drive, before upgrades and/or re-provisioning.
707953-3 : Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page
Component: Access Policy Manager
Symptoms:
APM and APM Lite licenses are not distinguishable from the Provisioning UI: they both show as Licensed but APM lite only includes licenses for 10 sessions.
Conditions:
Viewing APM and APM Lite licenses in the GUI.
Impact:
Cannot distinguish the difference in types of licenses.
Workaround:
Check license file and verify what type of apm license is enabled: mod_apm (Full APM) or mod_apml (APM Lite).
707740-5 : Failure deleting GTM Monitors when used on multiple Virtual Servers with the same ip:port combination
Component: TMOS
Symptoms:
User would get "monitor is in use" when attempting to delete a GTM Monitor, even after removing that monitor from all GTM Virtual Servers
Conditions:
Attach a gtm monitor to multiple gtm virtual servers in the same transaction, where both of the virtual servers are monitoring the same ip:port
Impact:
User will not be able to ever delete the un-used gtm monitor
Workaround:
Remove the monitor from the virtual servers.
Reload the GTM configuration with tmsh load sys config gtm-only.
Delete the monitor.
707691-5 : BIG-IP handles some pathmtu messages incorrectly
Component: Local Traffic Manager
Symptoms:
FastL4 virtual servers incorrectly handle some pathmtu messages, such as ICMPv4 unreachable/fragmentation needed and ICMPv6 packet too big.
Conditions:
This occurs when the following conditions are true:
-- The client sends a window scaling factor greater than 0 (zero).
-- The server sends a window scaling factor equal to 0 (zero).
-- The pmtu message is within the window, but does not reflect the exact expected sequence number. The delta is bigger than the advertised window scaled at a factor of 0 (zero).
Impact:
pmtu message is erroneously ignored.
Workaround:
There is no workaround at this time.
707631-3 : The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI
Component: TMOS
Symptoms:
The 'SYN Challenge Handling' setting of a TCP profile can be reverted to defaults when a TCP profile is updated using the BIG-IP management GUI.
Conditions:
The SYN Challenge Handling settings of a TCP profile have previously been set to non-default values, and a configuration change is later made to the same TCP profile using the GUI.
Impact:
Loss of TCP profile syn challenge configuration settings
Workaround:
In the GUI, specifically set the SYN Challenge Handling fields after making an update to other TCP profile fields, or use tmsh to make the changes instead. The GUI settings map to the following tmsh values:
SYN Challenge
GUI Setting: Nominal
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist disabled
GUI Setting: Challenge and Remember
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist enabled
GUI Setting: Disable Challenges
TMSH:
    syn-cookie-enable disabled
    syn-cookie-whitelist disabled
707445-4 : Nitrox 3 compression hangs/unable to recover
Solution Article: K47025244
Component: TMOS
Symptoms:
LTM logs show the following message:
Nitrox 3, Hang Detected: compression device was reset
When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.
Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.
Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.
Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.
Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.
There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:
A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).
Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.
707054-2 : SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162
Component: Advanced Firewall Manager
Symptoms:
User cannot configure SYN Cookie MSS values for Fast L4 Profiles outside of 256-9162.
Conditions:
Under syncookie activated condition, SYN Cookie MSS value is set to < 256.
Impact:
Under syncookie activated condition, server side MSS lower than SYN Cookie MSS lower limit cannot be honored on client side. As a result, server side MSS discards data segment if larger than SYN Cookie MSS lower limit.
707013-2 : vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest
Component: TMOS
Symptoms:
- clusterd restarts on secondary blade
- /var/log/ltm: "Management IP (<guest_management-ip>) already in use by (vcmp guest <guest_name>)"
Conditions:
1. blade power off/on using bladectl command allows to reproduce ~80% of the time
2. not sure if this is specific to platform:
- was able to reproduce easily on (B2100 - A109),
- issue reproduced multiple times in customer environment on (B2150 - A113)
- not able to reproduce with the same steps and version on 4800 (PB300) viprion
Impact:
- Secondary slot on viprion hypervisor is in "INOPERATIVE" state
Workaround:
On the vCMP host, copy the file /shared/db/cluster.conf from the primary to all secondary cluster members.
For a four-slot chassis, issue this command from the primary (note the absolute destination path):
$ for i in 1 2 3 4; do scp /shared/db/cluster.conf slot$i:/shared/db/cluster.conf; done
Clusterd should then recover from the restart loop on secondary blades.
706804-2 : SNMP trap destination configuration of network option is missing "default" keyword
Component: TMOS
Symptoms:
When SNMP trap destinations are configured, the user can specify the network that the traps are transmitted out from. By default, the routing table is consulted. Use the network keyword to overwrite this with either "management" or "other". There is also a "default" keyword, which was removed since it was confusing. However, this broke backward compatibility of the REST API; so, it was put back.
Conditions:
Including the "network default" keywords in trap configuration reports an error with version 13.0.0 where the "default" keyword was removed.
Impact:
Existing scripts may encounter errors if they used this keyword.
Workaround:
Don't use the "default" keyword with the snmp trap destination network configuration.
706797-2 : Portal Access: some multibyte characters in JavaScript code may not be handled correctly
Component: Access Policy Manager
Symptoms:
If JavaScript code contains multi-byte character which contains 0x0A in the last byte after conversion to UTF-32 form, then this character is handled as NEW LINE by Portal Access server-side JavaScript parser. If NEW LINE is not valid in this place, JavaScript code cannot be parsed.
Conditions:
JavaScript code with multi-byte character which contains 0x0A in the last byte after conversion to UTF-32 form, for example:
//上 aa bb
(上) gives (4E 0A) in UTF32 form. So this line is processed as the following TWO lines:
//
aa bb
The second line is not a valid JavaScript code.
Impact:
Web application may not work correctly.
Workaround:
There is no workaround at this time.
706505-3 : iRule table lookup command may crash tmm when used in FLOW_INIT
Component: Local Traffic Manager
Symptoms:
iRule table lookup command may crash tmm when used in FLOW_INIT.
Conditions:
iRule table lookup command is used in FLOW_INIT.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use table lookup in the events after the flow is constructed.
706374-5 : Heavy use of APM Kerberos SSO can sometimes lead to memory corruption
Component: Access Policy Manager
Symptoms:
Kerberos SSO under high load can sometimes lead to system instability.
Conditions:
APM users using Kerberos SSO to access backend resources.
Impact:
This might result in unpredictable behavior such as memory corruption or core. However, the occurrence is rare since it only impacts concurrent DNS SRV requests to resolve different KDCs.
Workaround:
There is no workaround.
706102-1 : SMTP monitor does not handle all multi-line banner use cases
Component: Local Traffic Manager
Symptoms:
An SMTP monitor does not handle all multi-line banner use cases, such as when the banner is physically split across two packets. This issue is due to attempting to parse the banner value from the first packet without a portion of the banner value that may arrive in a second packet.
Conditions:
An SMTP monitor is configured; and uses a multi-line banner; and the SMTP monitor banner is split across two physical packets.
Impact:
The SMTP monitor sends an RST after the first packet, and marks the resource down.
Workaround:
Use an SMTP monitor with a single-line banner. Or, rather than using an SMTP monitor, instead use a TCP monitor with send/recv strings.
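As an added illustration (Python, not F5's monitor code): an incremental banner parser that keeps buffering until the final "220 " line of a multi-line greeting has arrived, so a banner split across two packets is judged only once it is complete, next to the first-packet-only check that produces the false "down". The packet contents and function names are constructed for this example.

```python
# Added example, not F5 code: judge an SMTP multi-line greeting only once its
# final line has arrived, rather than from the first packet alone.
# Per RFC 5321, continuation lines look like "220-text" and the last line of
# the reply looks like "220 text" (a space after the code).
from typing import List, Optional, Tuple


def parse_banner(buf: bytes) -> Tuple[Optional[int], Optional[str], bytes]:
    """Parse a complete SMTP reply from the start of buf.

    Returns (code, text, remaining_bytes) once the whole (possibly multi-line)
    reply is present, or (None, None, buf) if more data is still needed.
    """
    lines: List[str] = []
    code: Optional[int] = None
    rest = buf
    while True:
        end = rest.find(b"\r\n")
        if end < 0:
            return None, None, buf          # line not complete yet: keep waiting
        line, rest = rest[:end], rest[end + 2:]
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        sep = line[3:4] or b" "             # a bare "220" line counts as final
        if sep not in (b"-", b" "):
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        this_code = int(line[:3])
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changed inside a multi-line reply")
        lines.append(line[4:].decode("ascii", errors="replace"))
        if sep == b" ":                     # final line of the reply
            return code, "\n".join(lines), rest


def naive_first_packet_check(first_packet: bytes, expect: str) -> bool:
    """The failure mode described above: decide from the first packet only."""
    return expect in first_packet.decode("ascii", errors="replace")


def probe_banner(packets: List[bytes], expect: str) -> Tuple[str, int]:
    """Feed packets to the parser in arrival order, as a monitor would.

    Returns (status, packets_consumed): 'up' when a 220 reply containing
    expect was received, 'down' when the complete reply did not match, or
    'incomplete' when the packets never finished the reply.
    """
    buf = b""
    for n, pkt in enumerate(packets, start=1):
        buf += pkt
        code, text, _ = parse_banner(buf)
        if text is None:
            continue                        # banner not finished: no verdict yet
        matched = code == 220 and expect in text
        return ("up" if matched else "down"), n
    return "incomplete", len(packets)


# Constructed sample: a three-line greeting split across two packets in the
# middle of the second line, the case the monitor mishandles.
SPLIT_PACKETS = [
    b"220-mail.example.test ESMTP ready\r\n220-Authorized use o",
    b"nly\r\n220 Ready to serve\r\n",
]

if __name__ == "__main__":
    print(naive_first_packet_check(SPLIT_PACKETS[0], "Ready to serve"))  # False
    print(probe_banner(SPLIT_PACKETS, "Ready to serve"))                 # ('up', 2)
```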
705651-2 : Async transaction may ignore polling requests
Component: TMOS
Symptoms:
Querying for the status of an asynchronous transaction by making a GET request may cause the query to block. The transaction will complete, even though the query may return an error status (400) to indicate that the GET request timed out.
Conditions:
A typical asynchronous transaction that returns a 202 status to indicate that you successfully created a transaction.
Impact:
The query returns an error.
Workaround:
To avoid having the query request block, refrain from querying the transaction for status.
705442-2 : GUI Network Map objects search on Virtual Server IP Address and Port does not work
Component: TMOS
Symptoms:
Searching for a Virtual Server using the IP Address and Port of the Virtual Server does not work.
Conditions:
Create a Virtual Server with name vs1 and address.
Impact:
Users are unable to search using an IP Address to filter Virtual Server results.
Workaround:
There is no workaround at this time.
705037-1 : System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
Solution Article: K32332000
Component: TMOS
Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.
Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.
Impact:
-- Unreliable or confusing statistics via SNMP polling.
-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.
Workaround:
None.
704643-2 : Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule
Component: Application Security Manager
Symptoms:
When adding or modifying a user-defined Attack Signature in Simple Edit Mode, backslashes preceding a forward slash are mistakenly doubled in regular expression keywords within the Signature.
Conditions:
-- Add or modify a user-defined Attack Signature with a regular expression keyword containing an escaped forward slash in Simple Edit Mode.
Impact:
The backslash escaping the forward slash is doubled, which changes the enforced signature rule.
Workaround:
Create or modify the Signature rule using Advanced Edit Mode.
704587-3 : Authentication with UTF-8 chars in password fails for ActiveSync users
Solution Article: K15450552
Component: Access Policy Manager
Symptoms:
ActiveSync end users cannot login to the server.
Conditions:
-- ActiveSync end users.
-- UTF-8 characters in the password.
Impact:
ActiveSync service is unavailable.
Workaround:
Put a Variable Assign agent after the Logon Page with the following assignment (check the Secure checkbox):
session.logon.last.password = set pass [mcget -secure session.logon.last.password]; binary scan $pass c* chars; set newpass ""; foreach {ch} $chars { append newpass [format %c [expr {$ch & 0xFF}]] }; return $newpass
704524-5 : [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries
Component: Access Policy Manager
Symptoms:
Kerberos DNS SRV requests do not contain EDNS headers. Without this header, DNS server truncates the UDP responses if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in unnecessary round trips in order to resolve DNS SRV queries.
Conditions:
APM users using Kerberos SSO to access backend resources.
Impact:
Increased latency of HTTP request processing. If the number of APM users is large, then this issue is magnified.
Workaround:
There is no workaround at this time.
704450-4 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
Component: Local Traffic Manager
Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').
Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.
Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.
Workaround:
Reduce the load on the system.
704449-1 : Orphaned tmsh processes might eventually lead to an out-of-memory condition
Component: TMOS
Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.
An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:
/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh
If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.
Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.
Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.
Workaround:
There are several workarounds for this issue:
-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Halt orphaned tmsh processes.
704336-5 : Updating 3rd party device cert not copied correctly to trusted certificate store
Component: TMOS
Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.
Conditions:
Updating Device certificate which also includes multiple intermediate and root certificates.
Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.
Workaround:
Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.
703984-8 : Machine Cert agent improperly matches hostname with CN and SAN
Component: Access Policy Manager
Symptoms:
MacOS Machine certificate agent matches the configured hostname with the actual hostname upon a beginning partial string match.
Conditions:
MacOS APM client using Machine Certificate Check agent.
Impact:
Hostname match may be incorrect in these cases.
Workaround:
There is no workaround at this time.
703509-3 : Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled
Component: TMOS
Symptoms:
Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled.
...notice tmsh[32418]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
...notice tmsh[32418]: 01420003:5: The current session has been terminated.
...err tmsh[32417]: 01420006:3: Project-Id-Version: f5_tmsh 9.7.0 POT-Creation-Date: 2008-05-13 16:18-0700 PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE Last-Translator: F5 Networks <support@f5.com> Language-Team: LANGUAGE <en@li.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit
...err tmsh[32415]: 01420006:3: UCS saving process failed.
Conditions:
The default admin account is disabled, using an alternate user that has the administrator role.
Impact:
User is unable to save the configuration.
Workaround:
A user with the administrator role can save the config.
The root user can save the config.
703266-1 : Potential MCP memory leak in LTM policy compile code
Component: Local Traffic Manager
Symptoms:
A failure while processing an LTM policy may result in an MCP memory leak.
Conditions:
When Centralized Policy Management (CPM) fails to process an LTM policy.
Impact:
MCP memory leak.
Workaround:
There is no workaround at this time.
703090-3 : With many iApps configured, scriptd may fail to start
Component: TMOS
Symptoms:
If many iApp instances are installed, scriptd may have issues starting up, including the log message:
"script has exceeded its time to live, terminating the script"
Conditions:
This occurs when many iApp instances exist. F5's internal testing has been able to show that it occurs with 70 instances.
Impact:
The error message will show up, and some instances of the script will not run.
Workaround:
Restarting scriptd will resolve the issue.
702450-2 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect
Component: Local Traffic Manager
Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:
# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.
The referenced object is not a "policy action" in this case, but is a virtual server.
Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.
Impact:
Possible confusion at the error message.
Workaround:
There is no workaround at this time.
702439-4 : Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
Solution Article: K04964898
Component: Local Traffic Manager
Symptoms:
If the HTTP/2 configuration header_table_size is changed from the default value of 4096, then streams will be reset with a RST_STREAM error.
Conditions:
The header_table_size field in the HTTP/2 profile is changed from the default.
Impact:
HTTP/2 connections will be unusable.
Workaround:
Set the header table size argument back to its default.
701977-6 : Non-URL encoded links to CSS files are not stripped from the response during concatenation
Component: WebAccelerator
Symptoms:
Non-URL encoded links to CSS files are not stripped from the response during concatenation.
Conditions:
White space in the URLs.
Impact:
As above.
Workaround:
No workaround at this time.
701800-1 : SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x
Component: Access Policy Manager
Symptoms:
Mac RDP client 10.x shows credentials prompt when SSO-enabled native RDP resource is launched from the APM Webtop. If the user enters credentials manually, the RDP client will display an error message.
Conditions:
-- Mac RDP client is of version 10.x (e.g., 10.1.6).
-- Native RDP resource is assigned to the webtop.
-- SSO is enabled on the RDP Resource.
Impact:
RDP resource cannot be launched.
Workaround:
Add the following to 'Custom Parameters' of SSO-enabled RDP resources:
full address:s:%{session.server.network.name}
promptcredentialonce:i:1
701341-3 : If /config/BigDB.dat is empty, mcpd continuously restarts
Solution Article: K52941103
Component: TMOS
Symptoms:
If another issue causes /config/BigDB.dat to be empty, mcpd will fail to start up.
Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.
Impact:
The system will fail to start up, and mcpd will continually restart.
Workaround:
Remove this empty file. (If BigDB.dat is nonexistent, the issue will not occur.)
701025-3 : BD restart on a device where 'provision.tmmcountactual' is set to a non-default value
Component: Application Security Manager
Symptoms:
BD restarts with this error:
Plugin configuration load timeout. Exiting.
Conditions:
The db variable 'provision.tmmcountactual' is set to a number lower than the actual CPU count.
Impact:
BD restarts continuously.
Workaround:
You can use any of these workarounds:
-- In the GUI, set 'RWThreads' under Security :: Options : Application Security : Advanced Configuration : System Variables.
-- Use the 'add_del_internal' utility:
----------------------
# /usr/share/ts/bin/add_del_internal
USAGE:
/usr/share/ts/bin/add_del_internal add <param_name> <param_value> [--default <default_value>]
/usr/share/ts/bin/add_del_internal update <param_name> <param_value> [--default <default_value>]
/usr/share/ts/bin/add_del_internal delete <param_name>
----------------------
-- Set the bd internal parameter num_rw_threads to the number of plugin channels that TMM expects.
-- Revert 'provision.tmmcountactual' sys db to the default value.
700827-3 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.
Component: TMOS
Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command: tmsh show sys tmm-traffic
Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.
For example, some servers always use randomly selected even source port numbers. A sorted list of those ports looks like 2, 4, 6, 8… 32002, 32004: the selection 'strides' over the odd ports, so the port 'stride' is 2.
Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.
Workaround:
Randomize source ports when connecting via a BIG-IP system.
700696-4 : SSID does not cache fragmented Client Certificates correctly via iRule
Component: Local Traffic Manager
Symptoms:
The last few bytes of a very large Client Certificate (typically greater than 16,384 bytes) are not cached correctly if the certificate is received fragmented by the SSL Session ID (SSID) parser.
Conditions:
-- Client Authentication is enabled.
-- A very large Client Certificate is supplied (typically greater than 16,384 bytes).
-- SSL Session ID Persistence is enabled.
-- The iRule CLIENTSSL_CLIENTCERT is enabled.
Impact:
The client certificate is not stored on the BIG-IP device correctly. The last few bytes are missing.
Workaround:
Disable the CLIENTSSL_CLIENTCERT iRule when SSL Session ID (SSID) persistence is in use. Even though the Client Certificate does not get cached, that is preferable to caching an incorrect client certificate.
699733-1 : DNS NOTIFY not sent to mgmt IP under Zone Transfer Clients list after DNS Express zone update
Component: Global Traffic Manager (DNS)
Symptoms:
When a DNS Express zone gets some zone entries updated, the BIG-IP system does not send DNS NOTIFY to nameservers with IP addresses from the mgmt subnet that are listed under Zone Transfer Clients.
Conditions:
* The nameserver has an IP address from the mgmt subnet.
* The nameserver is listed under Zone Transfer Clients of the DNS Express zone.
* The DNS Express zone gets entries updated.
Impact:
BIG-IP system does not send NOTIFY request to the nameserver.
Workaround:
There is no workaround at this time.
699426-4 : RRD cpu files are not updated when statsd has no prior knowledge of blades joining a cluster.
Component: Local Traffic Manager
Symptoms:
If a blade already known to statsd goes down, statsd continues to update the blade's /var/rrd/bladeXcpu file.
If a new blade joins and is announced to statsd, statsd stops updating all /var/rrd/bladeXcpu files, especially if it did not have prior knowledge of the blade.
Conditions:
If statsd is restarted after the blade is disabled, or goes down, and after that the blade rejoins the cluster, the /var/rrd/bladeXcpu files stop updating (where X is the blade number).
Impact:
Data of those files is not updated. This impacts the graphs generated from these files.
Workaround:
Execute the command "bigstart restart statsd" after the new blade has joined the cluster.
698836-1 : Increased APM session capacity is not available after installing an APM session count License
Component: Access Policy Manager
Symptoms:
Unable to use extra capacity after installing an APM add-on license with a larger session count.
Conditions:
This occurs when the add-on License generated lacks the mod_apm license, meaning that no full APM license was previously installed, only the APM Light license (which constrains connections to a 10-session maximum).
To determine whether this condition exists, check the bigip.license file, or execute the following command: tmsh show sys license details. If only mod_apml is present and session counts are higher than 10, then the system is in the condition that triggers the problem.
Impact:
Unable to use extra session capability; can use only the 10-session maximum provided by the APM Light license.
Workaround:
Contact your F5 sales representative to get the correct APM add-on license with mod_apm, as well as the additional session count capability.
698619-3 : Disable port bridging on HSB ports for non-vCMP systems
Component: TMOS
Symptoms:
Internal packets flooded on internal switch interfaces by the HSB can be bridged back to the HSB on BIG-IP 5000/7000 and VIPRION B2100 blades configured to enable port bridging by the switch.
Conditions:
-- Packets being flooded from the HSB to VLAN members when adding/deleting VLANs.
-- Non-vCMP systems.
-- Virtual server configured for Direct Server Return (DSR or nPath Routing).
Impact:
This triggers an FDB flush and can result in packet flooding back to the HSB and potential network saturation.
Workaround:
None.
698432-1 : Invalid error messages: warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Component: TMOS
Symptoms:
Loading a UCS in a vCMP guest which was taken from a different guest or a hardware device can produce the following error messages:
warning mcpd[5953]: 012a0004:4: halStorageRead: unable to read storage on this platform.
warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
This is a cosmetic issue that occurs when the encrypted master key on a vCMP guest cannot be decrypted with the unit key of that system. This most often occurs when a UCS taken on a different guest is loaded.
Conditions:
Taking a UCS from one vCMP guest or hardware device and loading it onto a different vCMP guest.
Note: F5 does not support this configuration.
Impact:
Although there is no adverse effect on the system, error messages will be logged.
Workaround:
None.
698211-4 : DNS express response to non-existent record is NOERROR instead of NXDOMAIN.
Solution Article: K35504512
Component: Local Traffic Manager
Symptoms:
The DNS express response to a non-existent record is NOERROR instead of NXDOMAIN.
Conditions:
Delete a wildcard resource record from the related DNS Express zone.
Impact:
DNS returns the incorrect response.
Workaround:
Delete the old db files: /var/db/tmmdns.bin and /var/db/zxfrd.bin, and then restart zxfrd.
696731-4 : The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
Solution Article: K94062594
Component: TMOS
Symptoms:
The standard LinkUp/LinkDown traps are issued when a port's status changes; that is, the link goes up or down. Additionally, the network manager can administratively enable and disable ports. For some platforms, there is no reliably issued standard LinkUp/LinkDown trap when a port is administratively enabled/disabled.
Conditions:
Administratively disabling an interface on the BIG-IP system.
Impact:
May issue only the F5 Link change trap and not the additional standard MIB trap. The standard LinkUp/LinkDown traps may not be issued.
Workaround:
Use the F5-proprietary MIB: 1.3.6.1.4.1.3375.2.4.0.37 F5-BIG-IP-COMMON-MIB::BIG-IPExternalLinkChange trap to track administrative changes to links.
693901-5 : Active FTP data connection may change source port on client-side
Component: Local Traffic Manager
Symptoms:
The active FTP data connection on the client-side may use a source port other than the one configured in the 'Data Port' parameter of the FTP profile.
Conditions:
FTP profile is attached to a virtual server and the 'Data Port' parameter is either left as default (20) or defined as a specific value.
Impact:
Active FTP data connection may be blocked by firewalls that expect a pre-defined source port.
Workaround:
None.
689491-2 : cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled
Component: TMOS
Symptoms:
CPU usage stats are incorrect, and the system looks idle when it is actually busy.
Conditions:
vCMP guests with 1 core, or with htsplit disabled.
Impact:
CPU stats are incorrect, which might make it difficult to troubleshoot problems.
688553-4 : SASP GWM monitor may not mark member UP as expected
Component: Local Traffic Manager
Symptoms:
Pool members monitored by the SASP monitor may be incorrectly marked DOWN when they should be marked UP.
Conditions:
This may occur on affected BIG-IP versions when using the SASP monitor targeting a Load Balancing Advisor GWM (Global Workload Manager).
This is more likely to occur if pool members monitored by the SASP monitor are also monitored by an additional monitor which has marked the members DOWN, or if one or more pool members monitored by the SASP monitor have been manually marked down (state user-down via tmsh, or Disabled in the GUI).
This is not expected to occur with non-affected BIG-IP versions or when using the SASP monitor targeting a Lifeline GWM (Global Workload Manager).
Impact:
Traffic handled by pool members monitored by the SASP monitor may be disrupted.
Workaround:
Removing the SASP monitor from the pool or pool member configuration then re-adding the SASP monitor may reset the pool member status to the correct state.
688335-6 : big3d may restart in a loop on secondary blades of a chassis system
Solution Article: K00502202
Component: Global Traffic Manager (DNS)
Symptoms:
After big3d_install is run against a target system, and this target system is a multi-blade chassis, the big3d utility may begin restarting in a loop on all secondary blades of the target system. The primary blade is not affected; big3d continues to run stably there.
Conditions:
The following conditions are required to encounter this issue:
-- The big3d_install utility is used against a target system.
-- The target system is a multi-blade chassis.
-- The big3d_install utility picks the iQuery installation method (and not the SSH one).
-- The big3d_install utility incorrectly determines that the local version of the big3d utility should be copied to the remote system.
Impact:
big3d does not typically do anything on secondary blades, so this issue should have no immediate material impact.
However, should the cluster elect a new primary blade, and should big3d still be restarting on that blade, this could cause iQuery communication failures between that system and remote BIG-IP systems.
Workaround:
To stop secondary blades from restarting, manually restart big3d on the primary blade using the following command:
bigstart restart big3d
To prevent this issue from happening, you can run the big3d_install by specifying that the SSH installation method be used using the following command:
big3d_install -use_ssh <target IP>
688266-6 : big3d and big3d_install use different logic to determine which version of big3d is newer
Component: Global Traffic Manager (DNS)
Symptoms:
The big3d_install utility includes logic to determine whether the local system should copy its version of the big3d daemon to the remote system specified by the user.
This logic is incorrect and may result in the local copy of the big3d daemon being unnecessarily copied to the remote system or not copied when actually necessary.
Conditions:
A user runs the big3d_install utility.
Impact:
If the local big3d daemon was unnecessarily copied over to the remote system, there is no tangible impact (other than the fact big3d restarts on the remote system, which is expected). Eventually, the remote system restores and uses its version of the big3d daemon.
If the local big3d daemon was not copied over when it should have been, then the remote system may continue to run an older version of the big3d daemon, which may impede iQuery communication.
Workaround:
If the local big3d daemon was unnecessarily copied over to the remote system, you do not need to perform any remedial action. The remote system will automatically resolve this situation by restoring the intended (i.e., newer) big3d version.
If the local big3d daemon was not copied over when it should have been, you can invoke the big3d_install utility using the -f argument, which forces an install of the big3d daemon regardless of the local and remote versions.
688005-1 : The maximum-connection count doubles pva traffic counts for virtuals
Component: Local Traffic Manager
Symptoms:
The counters maintaining virtual server statistics double count packets processed by the pva hardware. This makes maximum connection counts for pva unreliable.
Conditions:
Connections utilizing PVA incorrectly report PVA counts.
Impact:
Fast L4 virtuals may report unreliable maximum connection counts.
687759 : bd crash
Component: Application Security Manager
Symptoms:
A bd crash.
Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, a form-data parsing is applied on a non-form-data payload (such as XML or JSON).
Impact:
bd crashes; system fails over; traffic disturbance occurs.
Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache
686059-3 : FDB entries for existing VLANs may be flushed when creating a new VLAN.
Component: Local Traffic Manager
Symptoms:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN.
Conditions:
-- Creating a new VLAN when existing VLANs use trunk members.
-- STP is enabled on the trunk member.
Impact:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN. This will result in potential network saturation.
Workaround:
To avoid the FDB flushing on trunk member interfaces of existing, unrelated VLANs, ensure that STP is disabled on the trunk member.
685582-8 : Incorrect output of b64 unit key hash by command f5mku -f
Component: TMOS
Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.
Conditions:
Viewing output of 'f5mku -f' command.
Impact:
Inconsistent output of the b64 unit key.
Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:
f5mku -vf
For example:
# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...
684096-3 : stats self-link might include the oid twice
Component: TMOS
Symptoms:
The object ID might be erroneously embedded in the self-link twice.
Conditions:
Querying for stats, such as https://<host>/mgmt/tm/ltm/pool/p1/stats.
Impact:
An incorrect self-link is returned.
Workaround:
Be mindful of the duplicated object ID when parsing the self-link.
679687-2 : LTM Policy applied to large number of virtual servers causes mcpd restart
Component: Local Traffic Manager
Symptoms:
When a large policy (on the order of several dozen rules) is applied to a large number of virtual servers (on the order of hundreds), the mcpd process compiles the policy to an optimized, intermediate form for each virtual server. The compilation occurs in the mcpd process, and because it becomes so busy/non-responsive, a watchdog process intervenes and restarts the mcpd process.
Conditions:
-- Relatively large policy (~30 or more rules) applied to large number of virtual servers (~100 or more).
-- Creating a draft of the policy that is currently applied to those virtual servers, when a similarly attached policy is published.
Impact:
The mcpd process becomes unresponsive and is reset by a watchdog process.
Workaround:
Two possible workarounds:
-- Make copies of the policy and apply a different copy of policy to different subsets of virtual servers.
-- Implement the policy using iRules.
679316-6 : iQuery connections reset during SSL renegotiation
Component: Global Traffic Manager (DNS)
Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Conditions:
This occurs when a system tries to send data over the iQuery connection while the two endpoints are performing SSL renegotiation.
Note: iQuery connections automatically perform SSL renegotiation every 24 hours.
Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.
Note: This is a subtly different issue from the one (with a very similar error, 140940F5 vs 140940E5) described in Bug ID 477240: iQuery connection resets every 24 hours :: https://cdn.f5.com/product/bugtracker/ID477240.html (K16185: BIG-IP GTM iQuery connections may be reset during SSL key renegotiation :: https://support.f5.com/csp/article/K16185).
This issue occurs even in versions where ID477240 is fixed. There is no fix for this specific trigger of the same message.
Workaround:
There is no workaround at this time.
677709 : pkcs11d daemon can generate a very large number of log messages
Component: Local Traffic Manager
Symptoms:
If communication between a BIG-IP instance and the Hardware Security Module (HSM) is interrupted, during its attempts to re-establish a connection, the TMOS pkcs11d daemon will log many error messages in the /var/log/ltm log file (or in daemon.log for earlier versions).
Messages appear similar to the following:
-- err pkcs11d[21325]: 01680002:3: Session initialization error.
-- err pkcs11d[21325]: 01680032:3: netHSM: PKCS11d stopped. Verify password, and restart PKCS11d.
-- err pkcs11d[21325]: 01680029:3: netHSM: Failed login: password[incorrect]. Error[160].
Conditions:
-- Configurations employing an external HSM.
-- Communication between the BIG-IP instance and the HSM is interrupted.
Impact:
A sufficiently large amount of log-message handling may consume processor time and I/O resources, to the detriment of other processing.
Workaround:
None.
674591-4 : Packets with payload smaller than MSS are being marked to be TSOed
Solution Article: K37975308
Component: Local Traffic Manager
Symptoms:
Packets with length less than the specified MSS are sent as TSO packets, and the Broadcom NIC drops them, degrading performance.
Conditions:
When TM.TcpSegmentationOffload is enabled, packets with length less than MSS are sent as TSO packets.
Impact:
TCP Packets are dropped.
Workaround:
Disable TSO option by setting the following SYS DB variable to disable: TM.TcpSegmentationOffload.
673018-1 : Parsed text violates expected format error encountered while upgrading or loading UCS★
Component: TMOS
Symptoms:
During a configuration roll-forward on an upgrade, the UCS load fails and reports the following error:
Parsed text violates expected format.
Conditions:
This can occur under the following conditions:
-- When loading a configuration that contains iFiles.
-- During an upgrade process, when the source-path for an iFile contains a URL with a space or other invalid URL character in it, for example: http://myfiles.com/get this file.txt.
Impact:
Configuration fails to load, and the system reports the following error: Parsed text violates expected format.
Workaround:
You can use either of the following workarounds:
-- Modify the URL to the iFile to remove any spaces, and then reload the configuration.
-- Use the HTTP specification for specifying spaces (and other characters) in URLs. For example, represent a space using the string %20 in the URL: http://myfiles.com/get%20this%20file.txt.
672410 : High CPU load when HTTP/2 gateway is configured with source-persistence.
Solution Article: K58551820
Component: Local Traffic Manager
Symptoms:
High CPU load when HTTP/2 gateway is configured with source-persistence.
Conditions:
-- HTTP/2 gateway is configured on the virtual server.
-- Source-persistence is turned on.
Impact:
High CPU load may lead to performance degradation.
Workaround:
Setting 'match-across-services' might help improve performance.
672312-4 : IP ToS may not be forwarded to serverside with syncookie activated
Component: Local Traffic Manager
Symptoms:
IP ToS field may not be preserved on forwarding in a FastL4 virtual server when syncookie is activated.
Conditions:
-- FastL4 ip-forwarding virtual server.
-- ToS in passthrough mode.
-- Syncookie is activated in hardware mode.
-- On a hardware platform with ePVA.
Impact:
IP ToS header is not forwarded to the serverside.
Workaround:
None.
669645-4 : tmm crashes after LSN pool member change
Solution Article: K44021449
Component: Carrier-Grade NAT
Symptoms:
Changing LSN pool members while processing traffic may cause tmm to crash.
Conditions:
-- Changing, using, or removing an LSN pool.
-- Traffic is being processed.
Impact:
When tmm crashes, traffic processing will stop until tmm restarts. Note that this can occur, even if the change was on a high-availability peer unit and config-sync has taken place.
Workaround:
It is recommended to change LSN pool members during a maintenance window with low traffic, or ideally to use an HA pair with a standby unit for implementing configuration changes on live traffic.
668041-3 : Config load fails when an iRule comment ends with backslash in a config where there is also a policy.
Solution Article: K27535157
Component: TMOS
Symptoms:
Config load fails when an iRule contains a commented line that ends with an escape character (backslash), and the config also contains an LTM policy. Depending on the iRule, you might also see the following error: Syntax Error:(/config/bigip.conf at line: 42078) double quotes are not balanced.
Conditions:
An iRule contains commented line that ends with a backslash, and the config also contains a policy, for example, an iRule similar to the first example, and a policy similar to the second:
ltm rule /Common/log_info {
when HTTP_RESPONSE {
#log local0. "Original Location header value: [HTTP::header value Location],\
updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
}
}
...
ltm policy /Common/Test_Policy {
controls { forwarding }
requires { http tcp }
rules {
TestPol_Rule1 {
actions {
0 {
forward
select
node 10.2.10.20
}
}
conditions {
0 {
tcp
address
matches
values { 10.1.10.20 }
}
}
}
}
strategy /Common/first-match
}
Impact:
Config load fails.
Workaround:
You can use any of the following workarounds:
-- Delete the comment line.
-- Merge the multiple lines into a single line.
-- Make separate single-line comments instead of one continued comment.
667618-5 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
Component: TMOS
Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The TCP options that are not supported under SYN Cookie protection continue to be unsupported until the machine exits hardware SYN cookies.
Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.
Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.
Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options will not be taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.
Workaround:
There is no workaround at this time.
666378-2 : A virtual server's connections per second (precision.last_value) is not updated unless it's equal to the rate-limit.
Component: Local Traffic Manager
Symptoms:
A virtual server's current connections-per-second statistic is not updated unless the rate limit is hit. If the connections per second then fall below the rate-limit, the statistic remains equal to the rate-limit.
Conditions:
The problem occurs when no rate limit is configured, or when the connections per second are below the limit.
Impact:
There is no functional impact, but the stats are wrong.
Workaround:
There is no workaround at this time.
663946-5 : VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
Component: Advanced Firewall Manager
Symptoms:
When DNS is under load greater than the AFM-configured rate limit, certain IPv4 packets are categorized as IPv6 atomic fragments and may be dropped due to rate limits.
Conditions:
-- AFM enabled.
-- DNS load greater than AFM-configured rate limit for IPv6 atomic fragments (default 10 KB).
Impact:
May result in lower than expected DNS load test results.
Workaround:
Use either of the following workarounds:
-- Disable AFM.
-- Increase detection limit for IPv6 atomic fragments under AFM.
Note: For AFM HW DoS protection, the host and vCMP guest must be the same version. To prevent this issue, disable hardware DoS checking on the vCMP guest by setting sys db dos.forceswdos to 'true'.
663874-1 : Off-box HSL logging does not work with PEM in SPAN mode.
Solution Article: K77173309
Component: Policy Enforcement Manager
Symptoms:
While on-box HSL logging works, off-box HSL logging does not work with PEM in SPAN mode.
Conditions:
-- PEM in SPAN mode.
-- Off-box HSL logging is configured.
Impact:
Cannot use off-box HSL logging with PEM in SPAN mode; must use on-box HSL logging instead.
Workaround:
There is no workaround at this time.
662725 : tmsh kernel default log levels does not match documentation
Component: TMOS
Symptoms:
The actual tmsh default was 'notice', but it was changed to 'debug' so that kern.log files in qkviews are complete. This was done so that, when diagnosing issues, support has all the information in terms of kernel output. Resolving this documentation discrepancy is a non-functional change that should have been made in 11.5.0, when the actual default value was changed.
Conditions:
None.
Impact:
None.
Workaround:
None.
660654 : The APM 'epsec refresh' CLI command works incorrectly if install package is deleted
Component: Access Policy Manager
Symptoms:
If the install EPSEC package is deleted before running the 'epsec refresh' command, the existing EPSEC version is refreshed instead of the new version.
Conditions:
-- Upload and install EPSEC package with a later version than is on the system.
-- Delete the install package.
-- Run the command: epsec refresh.
Impact:
System package will be installed (essentially, a rollback to the previous version).
Workaround:
Leave the install package on the system until after you run the epsec refresh command.
652793 : "Signature Update Available" message is not cleared by UCS load/sync
Component: Application Security Manager
Symptoms:
If the most recent Signature Update was loaded by device group sync or UCS load, the "Signature Update Available" message is never cleared out.
Conditions:
ASM provisioned and "Signature Update Available" was indicated prior to loading the most recent Signature Update by device group sync or UCS load.
Impact:
The "Signature Update Available" message is never cleared out.
Workaround:
Restart ASM, or kill asmcrond ("pkill -f asmcrond").
648917-2 : Need to re-provision vCMP after upgrading to 13.1.x or later on the BIG-IP 10350F platform★
Component: TMOS
Symptoms:
With vCMP provisioned, upgrading to 13.1.x or later release will not enable IOMMU support after the upgrade.
Conditions:
-- Upgrading to 13.1.x or later.
-- vCMP already provisioned.
-- Running on the BIG-IP 10350F platform.
Impact:
Guests configured with FIPS functionality will fail to start until IOMMU is enabled.
Workaround:
You can use either of the following workarounds:
-- Re-provision vCMP after the upgrade to enable IOMMU support.
-- Enable IOMMU support manually:
1. Modify the value of the DB variable kernel.iommu to 'enable'.
2. Restart the BIG-IP system.
648242-3 : Administrator users unable to access all partitions via TMSH for AVR reports
Solution Article: K73521040
Component: Application Visibility and Reporting
Symptoms:
Using TMSH for AVR reports can fail if the report contains partition-based entities, even for an administrator user (which should have permissions to all partitions).
Conditions:
Using TMSH to query partition-based stats as an administrator user.
Impact:
AVR reports via TMSH fail when they use partition-based entities.
Workaround:
None.
641450-6 : A transaction that deletes and recreates a virtual may result in an invalid configuration
Solution Article: K30053855
Component: TMOS
Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.
Config load error:
01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.
Configuration-change-time error in /var/log/ltm:
err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>
Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).
Impact:
The configuration fails to load on subsequent config loads.
Traffic fails to pass, because TMM rejects the configuration.
Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
1. Delete virtual server.
2. Create virtual server (with an empty profile list).
3. Modify the virtual server's profile list.
639619-6 : UCS may fail to load due to Master key decryption failure on EEPROM-less systems★
Component: TMOS
Symptoms:
The following error:
'Symmetric Unit Key decrypt failure - decrypt failure'
is logged to /var/log/ltm when attempting to load a UCS.
The configuration then fails to load due to a secure attribute decryption failure.
Conditions:
1. UCS contains secure attributes.
2. UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS.
4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)
Impact:
The configuration fails to load.
Workaround:
Perform the following procedure:
1. Stop the system:
# bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS.
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS.
4. Remove the mcp db to forcibly reload the keys:
# rm -f /var/db/mcpd.bin
# rm -f /var/db/mcpd.info
5. Restart the system and reload the configuration:
# bigstart start
# tmsh load sys config
or
# reboot
620053-3 : Gratuitous ARPs may be transmitted by an active unit being forced offline
Component: Local Traffic Manager
Symptoms:
When a cluster's active blade is forced offline, the non-primary blades may send gratuitous ARPs.
Conditions:
The cluster's active blade is forced offline.
Impact:
Potential impact to traffic if the gratuitous ARPs of the blade that goes offline are received before those from the unit taking over as primary, or if gratuitous ARPs are rate-limited on upstream or downstream devices.
Workaround:
Fail over the cluster before forcing it offline, or configure MAC masquerading.
615222-6 : GTM configuration fails to load when it has a GSLB pool with members containing more than one colon character★
Component: Global Traffic Manager (DNS)
Symptoms:
The user configuration set (UCS) configuration file may fail to load due to the global server load balancing (GSLB)-referenced virtual server name syntax. The system posts errors similar to the following:
01070226:3: Pool Member 20002 references a nonexistent Virtual Server.
Conditions:
This issue occurs when all of the following conditions are met:
-- You have configured your BIG-IP DNS system (formerly known as BIG-IP GTM) with a virtual server name that includes the colon (:) character.
-- The virtual server is included as a GSLB pool member.
-- You save the configuration to a UCS file.
-- You attempt to load the UCS configuration file.
Impact:
Unable to create a GTM pool member from TMSH, or to load a configuration containing this object.
Workaround:
None.
606983-1 : ASM errors during policy import
Component: Application Security Manager
Symptoms:
Import fails when importing an ASM policy with many Session Awareness data points.
ASM logs errors similar to the following:
-- crit g_server_rpc_handler_async.pl[10933]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Could not update the Export Policy Task 'Export Policy Task (1469519765.114479)'. DBD::mysql::db do failed: Got a packet bigger than 'max_allowed_packet' bytes.
Conditions:
-- ASM provisioned.
-- Session Awareness enabled.
-- Many (more than 1000) active Session Awareness 'Block All' data points are present.
-- Export a policy.
-- Import the same policy.
Impact:
asm_config_server crashes. It recovers automatically within ~15-30 seconds.
Workaround:
Either release all Session Awareness Data Points before export, or remove them from the exported policy before importing it back.
606032-4 : Network Failover-based HA in AWS may fail
Component: TMOS
Symptoms:
MCPD posts an error that network failover is not configurable:
01071ac2:3: Device-group (/Common/autoscale-group): network-failover property must be disabled in VE-1NIC.
Conditions:
Attempting to set up high availability (HA) in Amazon Web Services (AWS) with only one network interface.
Impact:
Configuration of HA in AWS cannot be completed.
Workaround:
The current workaround is to configure HA in AWS with at least 2 network interfaces.
594064-6 : tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.
Solution Article: K57004151
Component: Local Traffic Manager
Symptoms:
When the tcpdump utility is used with the ':p' modifier, it appears that the first few serverside packets are not captured.
Conditions:
-- Using the ':p' modifier with the tcpdump utility to capture serverside flows associated with clientside flows that match a tcpdump filter.
-- FastL4 or standard virtual server UDP flows are being captured.
Impact:
Typically, the peer flow will not be captured until the second packet is processed on the original flow that is captured by the tcpdump filter. Although there is no operational impact, it might cause confusion when looking for serverside traffic when capturing using a command similar to the following: tcpdump -i <vlan>:p host <client-ip>
Typical examples of missing packets include:
-- Serverside syn and syn-ack from FastL4 TCP traffic.
-- All serverside packets for single-packet request/reply traffic, e.g., DNS request/reply.
Workaround:
Specify a filter that includes serverside traffic (e.g., include pool member addresses as 'host <addr>').
591305-2 : Audit log messages with "user unknown" appear on install
Component: TMOS
Symptoms:
Multiple log entries in /var/log/audit similar to the following:
May 4 11:37:35 localhost notice mcpd[5488]: 01070417:5: AUDIT - client Unknown, user Unknown - transaction #33-1 - object 0 - create_if { db_variable { db_variable_name "version.edition" db_variable_value "<none>" db_variable_sync_type "private_internal" db_variable_data_type "string" db_variable_display_name "Version.Edition" } } [Status=Command OK]
Conditions:
This happens on initial install; it is not yet known what triggers it.
Impact:
This is the result of a daemon on the system not properly identifying itself to mcpd. The log messages can be safely ignored.
571651-5 : Reset Nitrox3 crypto accelerator queue if it becomes stuck.
Solution Article: K66544028
Component: Local Traffic Manager
Symptoms:
Certain configuration parameters used during an SSL handshake can elicit a 'queue stuck' message from the accelerator. When this happens, the /var/log/ltm log file will contain a message similar to the following:
'n3-cryptoX request queue stuck'.
Conditions:
-- The BIG-IP system uses Nitrox 3 encryption hardware to perform SSL encryption.
-- An SSL handshake sent to the BIG-IP system is incorrectly configured or contains bad information.
Impact:
In-flight and queued contexts for the specific accelerator are dropped. After device recovery, new requests will be accelerated.
Workaround:
Disable crypto acceleration.
513310-6 : TMM might core when a profile is changed.
Component: Local Traffic Manager
Symptoms:
TMM might core when a profile is changed.
Conditions:
A "standard" type virtual server configured with the TCP or SCTP protocol profile, and a Persistence, Access or Auth profile. This issue might occur in either of the following scenarios:
-- Change the profile on the active device.
-- Change the profile on the standby device and perform a config sync to the active devices.
Impact:
TMM might core. Traffic disrupted while tmm restarts.
Workaround:
None.
486712-4 : GUI PVA connection maximum statistic is always zero
Component: TMOS
Symptoms:
The GUI PVA connection maximum statistic is always zero, regardless of the number of PVA connections established.
Conditions:
This occurs when fastL4 connections are used.
Impact:
The customer cannot determine the maximum number of PVA connections because the stat is always zero.
473787 : System might fail to unchunk server response when compression is enabled
Component: Local Traffic Manager
Symptoms:
If a BIG-IP virtual server is configured with a compression profile and either:
-- an NTLM profile, or
-- an APM access policy,
and a pool member sends a chunked (and uncompressed) HTTP response to the BIG-IP system (Transfer-Encoding: chunked), then if the BIG-IP system compresses the payload, it does so without unchunking it.
This results in the BIG-IP system sending the client a malformed response that contains chunked encoding markers in the compressed content.
Conditions:
This issue occurs when the following conditions are met:
-- The NTLM and OneConnect profiles are applied to a virtual server. This can also be triggered when replacing the NTLM profile with an APM access policy configuration on the virtual server.
-- HTTP compression is enabled on the virtual server.
Impact:
HTTP responses to the client are malformed. When decompressed, the HTTP response payload incorrectly contains HTTP chunked encoding markers.
Workaround:
To work around this issue, you can either modify the type of response chunking or disable compression. For information on how to do so, see K14030: The BIG-IP system may fail to unchunk server responses when compression is enabled, available here: https://support.f5.com/csp/article/K14030.
431480-6 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
Component: Local Traffic Manager
Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.
Conditions:
The exact conditions that result in this error are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time, but the system recovers without any user action.
394873 : Upgrade process does not update Tcl scripts★
Component: TMOS
Symptoms:
The upgrade process does not update Tcl scripts (such as iRules) in the configuration.
Conditions:
Upgrading a system whose configuration contains Tcl scripts (such as iRules).
Impact:
This might cause issues when iRule syntax changes between releases. After upgrading, you might need to modify iRules to reflect any changes in iRule syntax.
Workaround:
None.
222220-3 : Distributed application statistics
Component: Global Traffic Manager (DNS)
Symptoms:
Distributed application statistics show only requests passed to the first wide IP of the distributed application.
Conditions:
Using distributed application statistics with multiple wide IP members.
Impact:
The system does not include statistics for requests passed to other wide IP members of the distributed application.
Workaround:
None.
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/