Applies To:
Show VersionsBIG-IP AAM
- 14.0.0
BIG-IP APM
- 14.0.0
BIG-IP Link Controller
- 14.0.0
BIG-IP Analytics
- 14.0.0
BIG-IP LTM
- 14.0.0
BIG-IP PEM
- 14.0.0
BIG-IP AFM
- 14.0.0
BIG-IP FPS
- 14.0.0
BIG-IP DNS
- 14.0.0
BIG-IP ASM
- 14.0.0
BIG-IP Release Information
Version: 14.0.0.4
Build: 5.0
NOTE: This release includes fixes for the Spectre Variant 1 and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754).
In some configurations, installing software containing these fixes might impact performance. You can disable these fixes to recover performance. Please see K91229003 for additional Spectre and Meltdown information.
Cumulative fixes from BIG-IP v14.0.0.3 that are included in this release
Cumulative fixes from BIG-IP v14.0.0.2 that are included in this release
Cumulative fixes from BIG-IP v14.0.0.1 that are included in this release
Known Issues in BIG-IP v14.0.x
Functional Change Fixes
None
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
749774-4 | 3-Major | EDNS0 client subnet behavior inconsistent when DNS Caching is enabled | |
749675-4 | 3-Major | DNS cache resolver may return a malformed truncated response with multiple OPT records |
Cumulative fixes from BIG-IP v14.0.0.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
725815-2 | CVE-2018-15320 | K72442354 | vlangroup usage may cause a excessive resource consumption |
722091-4 | CVE-2018-15319 | K64208870 | TMM may crash while processing HTTP traffic |
717888-4 | CVE-2018-15323 | K26583415 | TMM may leak memory when a virtual server uses the MQTT profile. |
717742-6 | CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 | K44923228 | Oracle Java SE vulnerability CVE-2018-2783 |
715923-7 | CVE-2018-15317 | K43625118 | When processing TLS traffic TMM may reset connections |
709972 | CVE-2017-12613 | K52319810 | CVE-2017-12613: APR Vulnerability |
709688-2 | CVE-2017-3144 CVE-2018-5732 CVE-2018-5733 |
K08306700 | dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 |
701253-6 | CVE-2018-15318 | K16248201 | TMM core when using MPTCP |
695072-3 | CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558 |
K23030550 | CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558 |
651741 | CVE-2017-5970, | K60104355 | CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop |
734822-2 | CVE-2018-15325 | K77313277 | TMSH improvements |
726409-5 | CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 |
K61429540 | Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 |
725801-5 | CVE-2017-7889 | K80440915 | CVE-2017-7889: Kernel Vulnerability |
725635-1 | CVE-2018-3665 | K21344224 | CVE-2018-3665: Intel Lazy FPU Vulnerability |
719554-1 | CVE-2018-8897 | K17403481 | Linux Kernel Vulnerability: CVE-2018-8897 |
710705-1 | CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 | K34035645 | Multiple Wireshark vulnerabilities |
710148-1 | CVE-2017-1000111 CVE-2017-1000112 |
K60250153 | CVE-2017-1000111 & CVE-2017-1000112 |
709256-1 | CVE-2017-9074 CVE-2017-7542 |
K61223103 | CVE-2017-9074: Local Linux Kernel Vulnerability |
705476-1 | CVE-2018-15322 | K28003839 | Appliance Mode does not follow design best practices |
699453-6 | CVE-2018-15327 | K20222812 | Web UI does not follow current best coding practices |
677088-1 | CVE-2018-15321 | K01067037 | BIG-IP tmsh vulnerability CVE-2018-15321 |
701785-1 | CVE-2017-18017 | K18352029 | Linux kernel vulnerability: CVE-2017-18017 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
734527-3 | 3-Major | BGP 'capability graceful-restart' for peer-group not properly advertised when configured | |
715750-1 | 3-Major | The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
743082-2 | 2-Critical | Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members★ | |
738887-4 | 2-Critical | The snmpd daemon may leak memory when processing requests. | |
738119-1 | 2-Critical | SIP routing UI does not follow best practices | |
725696-2 | 2-Critical | A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted | |
723722-1 | 2-Critical | MCPD crashes if several thousand files are created between config syncs. | |
723298-1 | 2-Critical | BIND upgrade to version 9.11.4 | |
721924-6 | 2-Critical | K17264695 | bgpd may crash processing extended ASNs |
719597-1 | 2-Critical | HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0 | |
706423-3 | 2-Critical | tmm may restart if an IKEv2 child SA expires during an async encryption or decryption | |
703669-1 | 2-Critical | Eventd restarts on NULL pointer access | |
703045-2 | 2-Critical | If using TMSH commands with deprecated attributes in iApp, the upgrade will fail. | |
743803-3 | 3-Major | IKEv2 potential double free of object when async request queueing fails | |
743233-1 | 3-Major | Default engineID may have different lengths | |
722682-3 | 3-Major | Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load★ | |
720713-1 | 3-Major | TMM traffic to/from a i10600/i10800 device in vCMP host mode may fail | |
720651-1 | 3-Major | Running Guest Changed to Provisioned Never Stops | |
720104-2 | 3-Major | BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware' | |
718817-1 | 3-Major | Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail. | |
718525-2 | 3-Major | PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting | |
711249-3 | 3-Major | NAS-IP-Address added to RADIUS packet unexpectedly | |
710976-2 | 3-Major | Network Map might take a long time to load | |
710827-1 | 3-Major | TMUI dashboard daemon stability issue | |
710232-1 | 3-Major | platform-migrate fails when LACP trunks are in use | |
709192-2 | 3-Major | GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart | |
708484-1 | 3-Major | Network Map might take a long time to load | |
707391-1 | 3-Major | BGP may keep announcing routes after disabling route health injection | |
706169-2 | 3-Major | tmsh memory leak | |
704804-4 | 3-Major | The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address | |
704755-3 | 3-Major | EUD_M package could not be installed on 800 platforms | |
704733-3 | 3-Major | NAS-IP-Address is sent with the bytes in reverse order | |
704247-1 | 3-Major | BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted | |
702227-2 | 3-Major | Memory leak in TMSH load sys config | |
701249-3 | 3-Major | RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1 | |
671712-3 | 3-Major | The values returned for the ltmUserStatProfileStat table are incorrect. | |
658557-4 | 3-Major | The snmpd daemon may leak memory when processing requests. | |
738985-1 | 4-Minor | BIND vulnerability: CVE-2018-5740 | |
725612-2 | 4-Minor | syslog-ng remote destination needs unique name that changes on address change. | |
714749-1 | 4-Minor | cURL Vulnerability: CVE-2018-1000120 | |
713932-2 | 4-Minor | Commands are replicated to PostgreSQL even when not in use. | |
707267-2 | 4-Minor | REST Framework HTTP header limit size increased to 8 KB | |
530775-2 | 4-Minor | Login page may generate unexpected HTML output | |
720391-3 | 5-Cosmetic | BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' | |
713491-3 | 5-Cosmetic | IKEv1 logging shows spi of deleted SA with opposite endianess |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
737758-3 | 2-Critical | MPTCP Passthrough and VIP-on-VIP can lead to TMM core | |
737445-1 | 2-Critical | Use of TCP Verified Accept can disable server-side flow control | |
727044-3 | 2-Critical | TMM may crash while processing compressed data | |
726239-5 | 2-Critical | interruption of traffic handling as sod daemon restarts TMM | |
724906-3 | 2-Critical | sasp_gwm monitor leaks memory over time | |
724868-3 | 2-Critical | dynconfd memory usage increases over time | |
724213-2 | 2-Critical | K74431483 | Modified ssl_profile monitor param not synced correctly |
722387-4 | 2-Critical | TMM may crash when processing APM DTLS traffic | |
716900-3 | 2-Critical | TMM core when using MPTCP | |
710221-1 | 2-Critical | K67352313 | Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled |
709828-1 | 2-Critical | fasthttp can crash with Large Receive Offload enabled | |
700056-2 | 2-Critical | MCPD process may lock up and restart when applying Local Traffic Policy to virtual server | |
726319-1 | 3-Major | 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses | |
722677-5 | 3-Major | High-Speed Bridge may lock up | |
722363-3 | 3-Major | Client fails to connect to server when using PVA offload at Established | |
721621-3 | 3-Major | Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node | |
720799-1 | 3-Major | Virtual Server/VIP flaps with FQDN pool members when all IP addresses change | |
720293-4 | 3-Major | HTTP2 IPv4 to IPv6 fails | |
719600-1 | 3-Major | TCP::collect iRule with L7 policy present may result in connection reset | |
717346-1 | 3-Major | K13040347 | [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total |
716716-1 | 3-Major | Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core | |
715883-1 | 3-Major | tmm crash due to invalid cookie attribute | |
715467-1 | 3-Major | Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY | |
714384-2 | 3-Major | DHCP traffic may not be forwarded when BWC is configured | |
713951-6 | 3-Major | tmm core files produced by nitrox_diag may be missing data | |
713934-1 | 3-Major | Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response | |
713766-1 | 3-Major | VLAN failsafe failover may not occur | |
712819-1 | 3-Major | 'HTTP::hsts preload' iRule command cannot be used | |
712664-1 | 3-Major | IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address | |
711281-6 | 3-Major | nitrox_diag may run out of space on /shared | |
709133-1 | 3-Major | When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur | |
709132-2 | 3-Major | When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur | |
707961-1 | 3-Major | K50013510 | Unable to add policy to virtual server; error = Failed to compile the combined policies |
707951-3 | 3-Major | Stalled mirrored flows on HA next-active when OneConnect is used. | |
704764-1 | 3-Major | SASP monitor marks members down with non-default route domains | |
704381-6 | 3-Major | SSL/TLS handshake failures and terminations are logged at too low a level | |
699598-1 | 3-Major | HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR | |
693244-3 | 3-Major | BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned | |
682283-1 | 3-Major | Malformed HTTP/2 request with invalid Content-Length value is served against RFC | |
602708-5 | 3-Major | K84837413 | Traffic may not passthrough CoS by default |
716922-1 | 4-Minor | Reduction in PUSH flags when Nagle Enabled | |
713533-1 | 4-Minor | list self-ip with queries does not work | |
712637-1 | 4-Minor | Host header persistence not implemented | |
708249-1 | 4-Minor | nitrox_diag utility generates QKView files with 5 MB maximum file size limit |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
739846-2 | 2-Critical | Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection | |
726255-1 | 3-Major | dns_path lingering in memory with last_access 0 causing high memory usage | |
723792-1 | 3-Major | GTM regex handling of some escape characters renders it invalid | |
719644-3 | 3-Major | If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★ | |
715448-3 | 3-Major | Providing LB::status with a GTM Pool name in a variable caused validation issues | |
710246-1 | 3-Major | DNS-Express was not sending out NOTIFY messages on VE | |
710032-2 | 3-Major | 'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
745358-2 | 3-Major | ASM GUI does not follow best practices |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
746341 | 1-Blocking | Virtual server page is blank when SSLO is provisioned | |
724341-1 | 3-Major | Import of Access Profile with Machine Cert Checker and default CA Profile is failing |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
706642-1 | 2-Critical | wamd may leak memory during configuration changes and cluster events |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
699454-6 | 4-Minor | Web UI does not follow current best coding practices |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
699531-5 | 2-Critical | Potential TMM crash due to incorrect number of attributes in a PEM iRule command | |
726647-4 | 3-Major | PEM content insertion in a compressed response may truncate some data | |
711093-4 | 3-Major | PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled | |
709610-4 | 3-Major | Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM | |
676346-1 | 3-Major | PEM displays incorrect policy action counters when the gate status is disabled. | |
648802-4 | 3-Major | Required custom AVPs are not included in an RAA when reporting an error. |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
734446-1 | 2-Critical | TMM crash after changing LSN pool mode from PBA to NAPT |
Cumulative fixes from BIG-IP v14.0.0.2 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
716392-2 | 1-Blocking | Support for 24 vCMP guests on a single 4450 blade | |
704552-1 | 3-Major | Support for ONAP site licensing |
Cumulative fixes from BIG-IP v14.0.0.1 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
693359-2 | 1-Blocking | AWS M5 and C5 instance families are supported |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
721364-1 | 1-Blocking | BIG-IP per-application VE BYOL license does not support three wildcard virtual servers | |
707100-1 | 2-Critical | Potentially fail to create user in AzureStack | |
706688-2 | 2-Critical | Automatically add additional certificates to BIG-IP system in C2S and IC environments | |
700086-2 | 2-Critical | AWS C5/M5 Instances do not support BIG-IP VE | |
721985-1 | 3-Major | PAYG License remains inactive as dossier verification fails. | |
721342-2 | 3-Major | No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments. | |
720961-4 | 3-Major | Upgrading in Intelligence Community AWS environment may fail | |
719396-2 | 3-Major | K34339214 | DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot. |
714303-2 | 3-Major | X520 virtual functions do not support MAC masquerading | |
709936-2 | 3-Major | Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration. | |
707585-2 | 3-Major | Use native driver for 82599 NICs instead of UNIC | |
703869-4 | 3-Major | Waagent updated to 2.2.21 |
Cumulative fix details for BIG-IP v14.0.0.4 that are included in this release
749774-4 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
Component: Global Traffic Manager (DNS)
Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.
Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.
Impact:
Inconsistent behavior.
Workaround:
None.
Fix:
In this release, responses are now consistent when caching is enabled.
749675-4 : DNS cache resolver may return a malformed truncated response with multiple OPT records
Component: Global Traffic Manager (DNS)
Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.
Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).
Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.
Workaround:
A second query will return the cached record, which will only have one OPT record.
Fix:
DNS cache resolver now returns the correct response under these conditions.
746341 : Virtual server page is blank when SSLO is provisioned
Component: Access Policy Manager
Symptoms:
When SSLO is provisioned and trying to create a new virtual server, the virtual server page is blank.
Conditions:
SSLO is provisioned
Impact:
Cannot create a new virtual server when SSLO is provisioned.
Workaround:
N/A
Fix:
The issue has been fixed in this release.
745358-2 : ASM GUI does not follow best practices
Component: Application Security Manager
Symptoms:
When processing requests to the administrative webUI, ASM does not follow best practices.
Conditions:
ASM provisioned and enabled.
Authenticated user with Administrator, Resource Administrator, or ASM Administrator roles.
Impact:
Unexpected HTML output.
Workaround:
None.
Fix:
When processing webUI requests ASM now follows best practices.
743803-3 : IKEv2 potential double free of object when async request queueing fails
Component: TMOS
Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.
Conditions:
When an async IPsec crypto operation fails to queue.
Impact:
Restart of tmm. All tunnels lost must be re-established.
Workaround:
No workaround known at this time.
743233-1 : Default engineID may have different lengths
Component: TMOS
Symptoms:
The initial engineIDType on an unconfigured system is NETSNMP_RND. If the snmpd configuration file is read and there is no stored engine ID then one is generated based on current system time (and some other bits) to produce a random engineID. When randomly generated engineID changed length in release 14.0.0 of the BIG-IP to include some trailing zeros.
Conditions:
Use of unconfigured engineID on a clean install with version 14.0.0 or later. Note the engineIDType of NETSNMP_RND cannot be user configured.
Impact:
This can be confusing because the alert daemon and the snmp agent both issue traps and the alert daemon traps did not include the trailing zeros.
Workaround:
There is no workaround.
Fix:
The bug has been fixed and the trailing zeros are no longer included in the randomly generated engine ID.
743082-2 : Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members★
Component: TMOS
Symptoms:
Upgrading to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 might result a configuration that fails to load due to a stray colon-character that gets added to the configuration file.
Conditions:
-- Upgrade from pre-12.1.3 to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2.
-- GTM Pool Members.
Impact:
Configuration fails to load.
Workaround:
Remove stray colon-character from bigip_gtm.conf.
Fix:
Fixed an issue preventing configurations from loading into 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from a version before 12.1.3.
739846-2 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
Component: Global Traffic Manager (DNS)
Symptoms:
When the big3d runs out of memory for iQuery connections, a segmentation fault might occur.
Conditions:
-- Not enough memory to create additional iQuery connections.
-- Receive an new iQuery connection.
Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.
Workaround:
None.
Fix:
The big3d process no longer gets a segmentation fault when reaching the limits of the memory footprint while trying to establish iQuery connections.
738985-1 : BIND vulnerability: CVE-2018-5740
Component: TMOS
Symptoms:
deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c.
Conditions:
"deny-answer-aliases" feature is explicitly enabled
Impact:
Crash of the BIND process and loss of service while the process is restarted
Workaround:
Only servers which have explicitly enabled the "deny-answer-aliases" feature are at risk and disabling the feature prevents exploitation.
Fix:
BIND patched to correct CVE-2018-5740
738887-4 : The snmpd daemon may leak memory when processing requests.
Component: TMOS
Symptoms:
Under certain conditions, the snmpd daemon may leak memory when processing requests.
Conditions:
This issue is known to occur on a multi-blade vCMP guest after specific maintenance operations have been carried out by an Administrator on the guest.
Impact:
Once enough memory has leaked, the system may become unstable and fail unpredictably.
Workaround:
If the snmpd daemon is consuming excessive memory, restart it with the following command:
bigstart restart snmpd
Fix:
The snmpd daemon no longer leaks memory when a multi-blade vCMP guest reaches a certain condition.
738119-1 : SIP routing UI does not follow best practices
Component: TMOS
Symptoms:
The SIP routing UI does not follow best practices.
Conditions:
Administrative access to the SIP Profile web UI.
Impact:
Unexpected HTML output.
Workaround:
None.
Fix:
The SIP routing UI does now follows best practices.
737758-3 : MPTCP Passthrough and VIP-on-VIP can lead to TMM core
Component: Local Traffic Manager
Symptoms:
If a FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled, TMM may produce a core upon receiving certain traffic.
Conditions:
A FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with a TCP profile attached that has MPTCP passthrough enabled, and certain traffic is received.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not using an iRule with the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled.
Fix:
If MPTCP passthrough is enabled, the system now processes incoming MPTCP connections coming from the loop device as if MPTCP is disabled.
737445-1 : Use of TCP Verified Accept can disable server-side flow control
Component: Local Traffic Manager
Symptoms:
Unexpectedly high memory usage, aggressive sweeper messages, TCP memory pressure messages in logs.
Conditions:
Verified Accept is enabled in TCP profiles that are associated with virtual servers.
Impact:
Excessive memory usage.
Workaround:
There is no workaround other than disabling Verified Accept.
Fix:
Fixed server-side flow control.
734822-2 : TMSH improvements
Solution Article: K77313277
734527-3 : BGP 'capability graceful-restart' for peer-group not properly advertised when configured
Component: TMOS
Symptoms:
BGP neighbor using peer-group with 'capability graceful-restart' enabled (which is the default). However, on the system, peer-group defaults to disable. Because there is no config statement to enable 'capability graceful-restart' after restart, it gets turned off after config load, which also turns it off for any BGP neighbor using it.
Conditions:
- Neighbor configured to use peer-group.
- Peer-group configured with capability graceful-restart, but with the default: disabled.
Impact:
Because peer-group is set to disable by default, and there is no operation to enable it after restart, 'capability graceful-restart' gets turned off after config load, and neighbors using it from peer-group get turned off as well.
Workaround:
Re-issue the commands to set peer-group 'capability graceful-restart' and 'clear ip bgp *' to reset BGP neighbors.
Fix:
The peer-group now has 'capability graceful-restart' enabled by default, so this issue no longer occurs.
Behavior Change:
In this release, peer-group has 'capability graceful-restart' enabled by default.
734446-1 : TMM crash after changing LSN pool mode from PBA to NAPT
Component: Carrier-Grade NAT
Symptoms:
TMM crashes after changing LSN pool mode from PBA to NAPT when long lived connections are killed due to the PBA block lifetime and zombie timeout expiring.
Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set and long lived connections.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.
The PBA pool can be deleted after the virtual servers are no longer using it.
Fix:
TMM no longer crashes after changing LSN pool mode from PBA to NAPT.
727044-3 : TMM may crash while processing compressed data
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing compressed data.
Conditions:
Compression enabled
Hardware compression disabled
Impact:
TMM crash leading to a failover event.
Workaround:
No workaround.
Fix:
TMM now correctly processes compressed traffic
726647-4 : PEM content insertion in a compressed response may truncate some data
Component: Policy Enforcement Manager
Symptoms:
HTTP compressed response with content insert action can truncate data.
Conditions:
PEM content insertion action with compressed HTTP response.
Impact:
Data might be truncated.
Workaround:
There is no workaround other than disabling compression accept-encoding attribute in the HTTP request.
Fix:
HTTP compressed response with content insert action no longer truncates data.
726409-5 : Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
Solution Article: K61429540
726319-1 : 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses
Component: Local Traffic Manager
Symptoms:
When FQDN nodes and pool members are used in LTM pools, a message similar to the following may be logged if the DNS server returns a different set of IP address records to resolve the FQDN name:
err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.
Conditions:
This message may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name, and new ephemeral pool members are created corresponding to the new IP addresses.
This may occur intermittently depending on timing conditions.
Impact:
These log messages are cosmetic and do not indicate any impact to traffic or BIG-IP operations.
Workaround:
None.
Fix:
'The requested Pool Member ... already exists' messages are no longer logged occasionally when an FQDN pool member name resolves to different IP addresses.
726255-1 : dns_path lingering in memory with last_access 0 causing high memory usage
Component: Global Traffic Manager (DNS)
Symptoms:
dns_path not released after exceeding the inactive path ttl.
Conditions:
1. Multiple tmm's in sync group
2. Multiple dns paths per GTM needed for load balancing.
Impact:
High memory usage.
Workaround:
There is no workaround at this time.
Fix:
dns_path memory will be released after ttl.
726239-5 : interruption of traffic handling as sod daemon restarts TMM
Component: Local Traffic Manager
Symptoms:
When the receiving host in a TCP connection has set its send window to zero (stopping the flow of data), following certain unusual protocol sequences, the logic in the TMM that persists in probing the zero window may enter an endless loop.
Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.
Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This fix handles a rare TMM crash when TCP persist timer is active.
725815-2 : vlangroup usage may cause a excessive resource consumption
Solution Article: K72442354
725801-5 : CVE-2017-7889: Kernel Vulnerability
Solution Article: K80440915
725696-2 : A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted
Component: TMOS
Symptoms:
When OCSP Stapling is enabled on a client SSL profile, certain uncommon operations might result in a tmm timer queue getting into a loop, which results in tmm being aborted by sod. tmm restart
Conditions:
-- There are SSL handshakes waiting for an OCSP response, and one of the following:
+ There is a CMP transition.
+ There are changes made to the OCSP object.
Impact:
tmm restarts. Traffic interrupted while tmm restarts.
Workaround:
There is no workaround other than disabling OCSP stapling.
Fix:
The timer issue has been corrected.
725635-1 : CVE-2018-3665: Intel Lazy FPU Vulnerability
Solution Article: K21344224
725612-2 : syslog-ng remote destination needs unique name that changes on address change.
Component: TMOS
Symptoms:
Changing syslog server IP address requires syslog-ng restart to take effect. Syslog operations do not use the new remote destination address on syslog service reconfiguration.
Conditions:
1. Add Remote Syslog server (Server A) using System :: Logs :: Configuration :: Remote Syslog.
2. Click Update (Syslog messages go out toward Server A).
3. Remove Server A from configuration.
4. Add new Server B (different IP address).
5. Click Update.
Impact:
Syslog messages still go out toward Server A.
Workaround:
Restart the syslog service using the following command:
bigstart restart syslog-ng
Messages now properly go out toward Server B (the new IP address).
Fix:
Syslog operations now use the new remote destination address on syslog service reconfiguration.
724906-3 : sasp_gwm monitor leaks memory over time
Component: Local Traffic Manager
Symptoms:
The Server/Application State Protocol (SASP) monitor, sasp_gwm memory usage slowly increases over time.
Conditions:
The Server/Application State Protocol (SASP) monitor is configured.
The leakage occurs during normal operation of the monitor and is not tied to any specific user or traffic action.
Impact:
sasp_gwm grows over time and eventually the system may be pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.
Workaround:
Periodic restarts of sasp_gwm processes avoids the growth affecting the system.
Fix:
The sasp_gwm monitor no longer leaks memory when processing messages.
724868-3 : dynconfd memory usage increases over time
Component: Local Traffic Manager
Symptoms:
dynconfd memory usage slowly increases over time as it processes various state-related messages.
Conditions:
No special conditions as dynconfd is a core LTM process. Large numbers of pool members combined with flapping might increase the rate of memory usage increase.
Impact:
dynconfd grows over time and eventually the system is pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.
Workaround:
Periodic restarts of dynconfd avoids the growth affecting the system.
Fix:
dynconfd no longer leaks memory when processing messages.
724341-1 : Import of Access Profile with Machine Cert Checker and default CA Profile is failing
Component: Access Policy Manager
Symptoms:
Export and then reimport of Access Profile with Machine Cert Checker agent configured with default CA Profile is failing the following error:
The requested profile_certificateauthority (Common/certificateauthority) was not found. Unexpected Error: Loading configuration process failed.
Conditions:
Any Profile/Policy with Machine cert and default settings
Impact:
Low: affecting only import/export.
Workaround:
Use non-default CA Profile at the export time.
Fix:
Export and import of Profile with default CA Profile works properly.
724213-2 : Modified ssl_profile monitor param not synced correctly
Solution Article: K74431483
Component: Local Traffic Manager
Symptoms:
After modifying the ssl_profile attribute on an HTTPS monitor on a device in a high availability (HA) configuration, and after performing a full ConfigSync, the corresponding monitor on the peer-sync unit does not have the updated value.
Conditions:
-- An HTTPS monitor is used on BIG-IP systems in an HA configuration.
-- The ssl_profile field is modified on an HTTPS monitor.
-- A sync-to-peer (full ConfigSync, not incremental sync) is attempted to propagate the modified ssl_profile value to the peer units.
Impact:
The ssl_profile value for the HTTPS monitor on the peer unit is set to none, resulting in the two devices reporting themselves as in-sync, but having potentially different HTTPS monitor configurations.
Workaround:
-- Do not run HTTPS monitors using in-tmm monitors,
-- Use the traditional HTTPS monitor configuration for SSL-attributes (cipherlist, key, cert, and compatibility attributes on HTTPS monitor).
Note: Using these attributes generates deprecation warnings, but the configuration still takes effect.
Fix:
After modifying the ssl_profile attribute on an HTTPS monitor on a system within an HA configuration, and after performing a full ConfigSync, the corresponding monitor on the peer unit now receives the updated monitor attribute, as expected.
723792-1 : GTM regex handling of some escape characters renders it invalid
Component: Global Traffic Manager (DNS)
Symptoms:
The memory footprint of big3d increases.
Conditions:
GTM monitor recv string such as the following: ^http\/\d\.\d[23]\d\d
Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory. The monitor marks the server it is monitoring UP as long as the server returns any response.
Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}
Fix:
Fixed handling of escape characters. Recv strings that previously failed to compile will now compile.
723722-1 : MCPD crashes if several thousand files are created between config syncs.
Component: TMOS
Symptoms:
If more than several thousand (typically 20,000, but number varies by platform) files, for example SSL certificates or keys, are created between config syncs, the next config sync operation will take too long and mcpd will be killed by sod.
Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.
Impact:
Traffic is disrupted while the MCPD process restarts.
Workaround:
Run a config sync operation after every ~5000 files created.
Fix:
MCPD no longer crashes if several thousand files are created between config sync operations.
723298-1 : BIND upgrade to version 9.11.4
Component: TMOS
Symptoms:
The BIG-IP system is running BIND version 9.9.9.
Conditions:
BIND on BIG-IP system.
Impact:
BIND 9.9 Extended Support Version was supported until June, 2018.
Workaround:
None.
Fix:
BIND version has been upgraded to 9.11.4.
722682-3 : Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load★
Component: TMOS
Symptoms:
Loading configuration process failed after upgrade when pool member names contain colons. The system posts errors similar to the following:
01070226:3: Pool Member 443:10.10.10.10 references a nonexistent Virtual Server
Unexpected Error: Loading configuration process failed.
Conditions:
-- GTM pool member has colon in its name.
-- Upgrade to any of the following versions:
+ 12.1.3.x
+ Any 13.0.x
+ All 13.1.x earlier than 13.1.1.2
+ 14.0.x earlier than 14.0.0.3
Impact:
The system removes the part of the pool member name that precedes the colon, and configuration load fails. For example, when the configuration contains a pool member named example_pm:443:10:10:10:10, the system removes the part of the pool member name that precedes the first colon, in this case, example_pm, leaving the pool member name 443:10.10.10.10.
Workaround:
After upgrade, add two backslash characters, \\ before the first colon, : character.
1. Upgrade the BIG-IP DNS system to the new version of software.
2. SSH to log into the bash prompt of the BIG-IP DNS system.
3. Run the following command to add the string \\ in front of the first colon character, : in the name of each affected GTM pool member:
for j in $(find /config/ -name bigip_gtm.conf); do for i in $(awk '$0 ~ /^gtm server.*:/ {gsub("[/:]"," ",$0); print $4}' ${j}); do sed -i "s, /Common/${i}, /Common/${i}\\\\\\\,g" ${j} | grep " /Common/${i}"; done; done
4. Run the following command: load sys config gtm-only
Fix:
Configuration load no longer fails when upgrading with a configuration that contains BIG-IP DNS pools with members whose names contain colon characters.
722677-5 : High-Speed Bridge may lock up
Component: Local Traffic Manager
Symptoms:
Under certain conditions, hardware systems with a High-Speed Bridge and using Layer 2 forwarding configurations may experience a lockup of the High-Speed Bridge.
Conditions:
Hardware platform with High-Speed Bridge.
Layer 2 forwarding enabled.
vlangroup.flow.allocate disabled.
Impact:
High-Speed Bridge lockup, leading to a failover event.
Workaround:
The vlangroup.flow.allocate DB variable is enabled by default.
Ensure that vlangroup.flow.allocate is enabled with the command:
modify /sys db vlangroup.flow.allocate value enable
722387-4 : TMM may crash when processing APM DTLS traffic
Component: Local Traffic Manager
Symptoms:
When processing DTLS traffic for APM, TMM may crash.
Conditions:
APM provisioned and configured.
DTLS enabled in APM configuration.
Impact:
TMM crash, leading to a failover event.
Workaround:
None.
Fix:
DTLS traffic is now processed as expected.
722363-3 : Client fails to connect to server when using PVA offload at Established
Component: Local Traffic Manager
Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.
When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.
Conditions:
A FastL4 virtual server is configured with offload_state = EST.
Impact:
Clients fail to connect to the server.
Workaround:
There is no workaround other than to disable PVA acceleration.
722091-4 : TMM may crash while processing HTTP traffic
Solution Article: K64208870
721985-1 : PAYG License remains inactive as dossier verification fails.
Component: TMOS
Symptoms:
- BIG-IP is deployed in a cloud environment (AWS/Azure/GCE) with PAYG licenses. The license won't activate on the startup.
Conditions:
- There are multiple ways this can happen but all of those come down to user networking issue where the http calls to the cloud metadata service fails.
- This can be a simple routing issue to the metadata service or a firewall issue.
Impact:
As license activation fails, the instance becomes unusable.
Workaround:
User should look at /var/log/ltm to determine the networking issue that is causing the dossier verification failure. This would be typically printed in the following way:
Curl request to metadata service failed with error(<error-code>): '<error-message>'
By resolving this networking error, license activation should succeed.
Fix:
PAYG License remains inactive as dossier verification fails.
721924-6 : bgpd may crash processing extended ASNs
Solution Article: K17264695
Component: TMOS
Symptoms:
Under certain conditions bgpd may crash while processing extended ASNs.
Conditions:
Dynamic routing enabled.
Extended ASP capabilities enabled: bgp extended-asn-cap enabled
Impact:
Dynamic routing disrupted while bgpd restarts.
Fix:
bgpd now processes extended ASNs as expected.
721621-3 : Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
Component: Local Traffic Manager
Symptoms:
If an LTM pool is configured with only FQDN members, the DNS server resolves the FQDN to IP addresses that match statically-configured LTM nodes, and the IP address records returned by the DNS server change, an ephemeral pool member may not be added to the pool for the new IP address.
When in this state, if the FQDN template pool member is deleted from the pool, a new ephemeral pool member may be added corresponding to the last IP address record returned by the DNS server.
Conditions:
This may occur when:
1. Static nodes are configured which match addresses that may be returned in the DNS query for a given FQDN name.
2. An FQDN node is created with autopopulate disabled, for an address which may resolve to the same address as one of the static nodes.
3. This FQDN node is added (as a pool member) with autopopulate disabled, to a pool with no other non-FQDN members.
4. The DNS server resolves the FQDN name to an address that matches one of the static nodes.
5. A subsequent DNS query resolves the FQDN name to a different address that matches a different static node.
Impact:
In this case:
-- The original ephemeral member is removed from the pool.
-- A new ephemeral member for the new address may NOT be added to the pool.
-- In this state, if the FQDN template member is deleted from the pool, a new ephemeral member (i.e., the missing ephemeral with new IP address) is re-added to the pool.
Note. This symptom can occur only if the statically-configured node is created prior to an ephemeral pool member being created for the same IP address. If an ephemeral pool member and node are created first, it is not possible to create a statically-configured node or pool member using the same IP address.
Overall, traffic for the affected pool may not be sent to correct pool member (new ephemeral address).
If no other members are defined in the pool, traffic will be interrupted.
Workaround:
This issue can be prevented by:
-- Avoiding configuring a static (non-FQDN) node with an IP address that matches any address that might be returned by the DNS server when resolving the FQDN.
-- Adding a statically-configured pool member to the pool in addition to the FQDN template member.
Once the symptom occurs, recovery is possible by performing either of the following actions:
-- Delete the statically-configured node with the conflicting IP address.
-- Recreate the node using the following procedure:
1. Delete the FQDN template member from the pool.
2. Delete the orphaned ephemeral member from the pool.
3. Re-add the FQDN template member to the pool.
Fix:
When an FQDN pool member address resolves to the same IP address as an existing static node, the corresponding ephemeral pool member is successfully created and deleted as expected, including when the IP address returned by the DNS query changes.
721364-1 : BIG-IP per-application VE BYOL license does not support three wildcard virtual servers
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) admin can create only 1 wildcard virtual servers for per-application BYOL license.
Note: If you are using BIG-IQ 6.0.0 or 6.0.1 to manage AWS-based, per-app BIG-IP VE systems running versions 13.1.0.5 through 13.1.0.8, you must use the following AWS templates:
-- Default-AWS-f5-HTTPS-WAF-lb-template
-- Default-AWS-f5-HTTPS-offload-lb-template
For these two templates, ports 443 and 80 (for HTTP redirect) are hard-coded in an iRule, which enable this functionality.
Conditions:
Per-app VE with BYOL license.
Impact:
Per-app VE with BYOL license does not work as expected.
Workaround:
N/A
Fix:
Per-app VE BYOL license now supports three wildcard virtual servers.
721342-2 : No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments.
Component: TMOS
Symptoms:
No Per-App Virtual Edition (VE) LTM or Per-App VE WAF images for various cloud environments.
Conditions:
Various Cloud environments (i.e., Azure, Google, AWS).
Impact:
No options to use various Per-App VE features.
Workaround:
None.
Fix:
There are now offerings for various cloud environments (Azure, Google, AWS). There are two types of Per-App VE LTM and two of Per-App VE WAF images.
720961-4 : Upgrading in Intelligence Community AWS environment may fail
Component: TMOS
Symptoms:
After importing an AWS instance into the Intelligence Community (IC) AWS environment you cannot upgrade to 13.1.0.2 (or later) because their license fails to validate afterwards.
Conditions:
-- Manually imported BIG-IP image into AWS IC.
-- Upgraded to 13.1.0.2 or newer.
Impact:
The system fails to validate the license after rebooting into the new software. Licenses are inoperative after the upgrade.
Workaround:
To work around this issue, perform the following procedure:
1. Redeploy a BYOL image from the IC marketplace.
2. Move over the license.
3. Configure the system.
Fix:
This release provides improved license validation to address this situation by detecting the IC environment, but allowing prior licenses to function.
720799-1 : Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
Component: Local Traffic Manager
Symptoms:
When using FQDN pool members, if all ephemeral members are removed and replaced by a DNS query that returns an entirely new set of IP addresses (no overlap with previous DNS query results), all ephemeral pool members are removed before the new ephemeral pool members are created.
This results in a brief moment when there are no ephemeral members (that can receive traffic) in the pool.
Conditions:
A DNS query for the FQDN node in which the pool members belong, returns an entirely new set of IP addresses (no overlap with previous DNS query results).
Impact:
The brief moment during which there are no ephemeral members (that can receive traffic) in the pool can cause a Virtual Server or Virtual Address using that pool to flap.
Workaround:
It is possible to work around this issue by:
1. Adding a pool member with a statically-configured IP address.
2. Including multiple FQDN pool members in the pool, to limit the effect of the ephemeral members changing for a single FQDN pool member.
Fix:
When using FQDN pool members, ephemeral members whose IP addresses are not present in the most DNS query results are not immediately deleted from the pool.
To prevent the brief condition in which there are no ephemeral members in the pool (which can cause a Virtual Server or Virtual Address using that pool to flap), creation of new ephemeral nodes and pool members occurs immediately, but deletion of old new ephemeral nodes and pool members occurs after a delay.
The duration of the delay follows the fqdn 'down-interval' value configured for the associated FQDN template node.
720713-1 : TMM traffic to/from a i10600/i10800 device in vCMP host mode may fail
Component: TMOS
Symptoms:
When a i10600/i10800 device is configured as a vCMP host and at least one vCMP guest is running (or ever ran), TMM traffic to the vCMP host may fail.
Note: Management port traffic to/from the device is unaffected.
Note: TMM traffic to/from the vCMP guests running on the device is unaffected. This issue affects only the vCMP host.
The most visible symptom is that TMM on the vCMP host fails to answer ARP requests that it receives for its own Self-IP addresses.
Conditions:
This issue occurs when all of the following conditions apply:
- i10600/i10800 device in vCMP host mode.
- At least one vCMP guest is deployed or was deployed, at some point.
Impact:
Inability to communicate to/from the vCMP host via its Self-IP addresses.
Workaround:
None.
Fix:
The vCMP host continues to handle traffic correctly once a guest is started.
720651-1 : Running Guest Changed to Provisioned Never Stops
Component: TMOS
Symptoms:
After changing a vCMP guest status to provisioned the guest remains running showing a status of stopping.
Conditions:
-- Guests deployed on a BIG-IP VCMP host.
-- Changing the state from deployed to provisioned.
Impact:
Guests do not stop and change status until vcmpd process is restarted.
Workaround:
There is no workaround.
Fix:
The guest now stops when the state is changed from deployed to provisioned.
720391-3 : BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'
Component: TMOS
Symptoms:
BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' and 'unknown' when OID sysObjectID is queried.
Conditions:
1. Execute 'tmsh show sys hardware'.
2. Query for OID sysObjectID using snmpwalk.
Impact:
System is reported as 'none', when it should be i7800-D. Platform with dual SSD not correctly identified using tmsh command or snmpwalk.
Workaround:
None.
Fix:
Added new SNMP OID for BIG-IP i7800 Dual SSD, reported as BIG-IP i7800-D, which is the correct designation.
720293-4 : HTTP2 IPv4 to IPv6 fails
Component: Local Traffic Manager
Symptoms:
An IPv4-formatted virtual server with an IPv6-formatted pool member cannot establish the connection to the pool member if HTTP2 is configured.
Conditions:
-- IPv4 virtual Server.
-- IPv6 pool member.
-- HTTP2 profile.
Impact:
Traffic connection does not establish; no traffic passes.
Workaround:
None.
Fix:
In this release, an IPv4-formatted virtual server with an IPv6-formatted pool member works with HTTP2.
720104-2 : BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
Component: TMOS
Symptoms:
BIG-IP i2800/i2600 650W AC PSU is missing marketing name under 'show sys hardware' and displays 'unknown' when OID sysObjectID is queried.
Conditions:
-- Execute 'tmsh show sys hardware'.
-- Query for OID sysObjectID using snmpwalk.
-- Using BIG-IP i2800/i2600 platforms.
Impact:
System reports an empty marketing name when queried. Platform with 650W AC PSU not identified using tmsh command or snmpwalk.
Workaround:
There is no workaround at this time.
Fix:
Added new SNMP OID for BIG-IP i2800/i2600 650W AC PSU.
719644-3 : If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★
Component: Global Traffic Manager (DNS)
Symptoms:
When an LTM configuration has virtual server names containing period (.), a GTM configuration with auto-discovery enabled is upgraded from v11.5.x to a later version might lose consistency.
Conditions:
-- Upgrading GTM from v11.5.x to later versions (e.g., BIG-IP DNS v12.x).
-- Auto-discovery is enabled.
-- LTM configuration containing virtual server names containing the period character (.).
-- The same virtual server name is used in multiple partitions.
Impact:
The configuration after the upgrade might be affected in the following ways:
-- Missing virtual servers.
-- Deletion of some pool members.
-- Virtual servers with incorrect addresses.
Workaround:
There is no workaround at this time.
Fix:
This release supports GTM upgrades from 11.x to BIG-IP DNS 12.x and later versions for cases where:
-- Auto-discovery is enabled.
-- LTM virtual server name a period character (.).
-- The same virtual server name is used in multiple partitions.
719600-1 : TCP::collect iRule with L7 policy present may result in connection reset
Component: Local Traffic Manager
Symptoms:
If an iRule utilizing TCP::collect and HTTP_REQUEST is on a virtual server with an L7 policy, the policy engine may cause the connection to be unexpectedly reset with a 'policy execution error' reset cause, and 'Unable to resume pending policy event on connflow' will be logged to /var/log/ltm.
Conditions:
TCP::collect and HTTP_REQUEST iRule with L7 policy on virtual server.
Impact:
Connections may be unexpectedly reset and errors logged to /var/log/ltm.
Workaround:
At the start of the HTTP_REQUEST event, issue an 'after 1' command to allow the policy engine to reach a consistent state before proceeding with the remainder of the iRule.
719597-1 : HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0
Component: TMOS
Symptoms:
When two VIPRION chassis with B2250 blades try to form a high availability (HA) connection, with one running v12.1.1 and the other running v13.1.0, HA connections between TMMs on Active and TMMs on Standby might fail.
Conditions:
-- Two VIPRION chassis with B2250 blades.
-- One blade running v12.1.1 and the other running v13.1.0.
-- Try to configure HA connection.
Impact:
Fail to form HA connection.
Workaround:
There is no workaround other than installing the same software on both blades.
Fix:
A new sys db mhdag.bitshift is added to support HA configurations using B2250 blades running v12.1.1 and v13.1.x. Set mhdag.bitshift to 5 on VIPRION chassis with B2250 blades running v13.1.x by running the following command: tmsh modify sys db mhdag.bitshift value 5
HA between VIPRION chassis running v12.1.1 and v13.1.x with B2250 blades now works as expected.
719554-1 : Linux Kernel Vulnerability: CVE-2018-8897
Solution Article: K17403481
719396-2 : DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.
Solution Article: K34339214
Component: TMOS
Symptoms:
DHCP Client on the BIG-IP system sends host-name 'localhost' in DISCOVER packet after first boot.
Note: The problem goes away after the first boot.
Conditions:
-- DHCP is enabled (this is the default on BIG-IP systems).
-- Initial startup.
Impact:
This can affect the lease given out by the DHCP server in the given network if the DHCP server is configured in such a way as to dynamically update the DNS based on the host-name option in the lease.
Workaround:
-- Empty the /var/lib/dhclient/dhclient.leases file.
-- Run the following command: bigstart restart dhclient
Fix:
DHCP Client on the BIG-IP system no longer sends 'localhost' as the host-name in DISCOVER packet after first boot.
718817-1 : Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.
Component: TMOS
Symptoms:
Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest fails due to a race condition.
There are log entries in /var/log/liveinstall.log:
-- error: status 256 returned by command: F5_INSTALL_SESSION_TYPE=install tmsh -f save sys ucs /var/tmp/kRf24pKXTQ.ucs.
-- info: tar: config/.ucs_base_mac: Cannot stat: No such file or directory.
-- info: Unexpected Error: UCS saving process failed.
Conditions:
-- Installing onto secondary VIPRION blade or onto VIPRION-based vCMP guest.
Impact:
Software installation fails.
Workaround:
You can use either workaround:
-- Add 'ignore .ucs_base_mac' to the 'monitor dir /config' stanza in /etc/csyncd.conf on all blades, and then restart csyncd on all blades by running "clsh bigstart restart csyncd"
-- Retry the installation until it succeeds.
718525-2 : PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting
Component: TMOS
Symptoms:
After removing the mcpd binary database and restarting, occasionally there are errors similar to the following in /var/log/ltm:
warning postgres[7663]: [3-1] ERROR: duplicate key value violates unique constraint "vlan_pkey"
(The object type may be something other than 'vlan_pkey'.)
Conditions:
This occurs when you remove the mcpd binary database and reboot the system.
Impact:
The configuration does not load until 'bigstart restart' is executed.
Workaround:
None.
Fix:
The 'duplicate key value' errors are no longer seen when removing the mcpd binary database and restarting.
717888-4 : TMM may leak memory when a virtual server uses the MQTT profile.
Solution Article: K26583415
717742-6 : Oracle Java SE vulnerability CVE-2018-2783
Solution Article: K44923228
717346-1 : [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
Solution Article: K13040347
Component: Local Traffic Manager
Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.
Conditions:
Rarely occurring, unstable network could be one of the reasons.
Impact:
Cannot use stats for troubleshooting.
Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket
716922-1 : Reduction in PUSH flags when Nagle Enabled
Component: Local Traffic Manager
Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.
Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.
Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.
Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.
Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.
Mote: To take advantage of some of the Nagle benefits, use 'Auto'.
Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.
716900-3 : TMM core when using MPTCP
Component: Local Traffic Manager
Symptoms:
In some cases TMM may crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic interrupted while TMM restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
716716-1 : Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
Component: Local Traffic Manager
Symptoms:
TMM cores when the system has a kernel route configured, but no matching TMM route.
Conditions:
The scenario that can lead to this state is unknown.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
Either remove the kernel route, or add a matching TMM route.
Fix:
This release prevents the core that occurred when the kernel has a route that has no corresponding TMM route.
716392-2 : Support for 24 vCMP guests on a single 4450 blade
Component: TMOS
Symptoms:
Cannot create more than 12 vCMP guests per blade.
Conditions:
-- Using vCMP.
-- VIPRION blades.
Impact:
Cannot configure more than 12 vCMP guests.
Workaround:
None.
Fix:
This release supports 24 vCMP guests on 4450 blades. Increased vCMP density ensures that all guests can access the hardware capabilities available from the BIG-IP platforms and VIPRION blades.
Behavior Change:
This release supports 24 vCMP guests on VIPRION 4450 blades. Increased vCMP density ensures that all guests can access the hardware capabilities available from BIG-IP platforms and VIPRION blades.
715923-7 : When processing TLS traffic TMM may reset connections
Solution Article: K43625118
715883-1 : tmm crash due to invalid cookie attribute
Component: Local Traffic Manager
Symptoms:
tmm crash due to invalid request-side cookie attribute.
Conditions:
While processing an HTTP request, an iRule tries to add a cookie attribute to a cookie that is only valid in an HTTP response (for instance, an 'expires' attribute).
Impact:
TMM cored. Traffic disrupted while tmm restarts.
Workaround:
None.
715750-1 : The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.
Component: Local Traffic Manager
Symptoms:
Upon receiving a FIN midstream in an SSL connection, the BIG-IP system will immediately proxy the FIN to the remote host on the peer side. At this point, depending on the specific configuration of the remote host on the peer side, the BIG-IP system may exhibit behaviors that may be deemed undesirable.
For instance, if the remote host on the peer side acknowledges the FIN but ignores it and keeps sending data to the BIG-IP system, the BIG-IP system will drop all ingress data (i.e., not proxy it) while keeping the side that transmitted the original FIN open indefinitely.
Once the remote host on the peer side completes transmitting data and sends a FIN of its own, the BIG-IP system will finally release the side that sent the original FIN by allowing it to close.
Conditions:
This issue occurs when the following conditions are met:
-- A standard virtual server with the clientssl and serverssl profiles in use.
-- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.
Impact:
There is no real impact to the BIG-IP system because of this issue. However, both the client and the server can be negatively impacted by this issue.
For example, if the original FIN was received by the BIG-IP system on the clientside:
-- The client connection is not allowed to close for potentially a very long time. During this time, the client does not receive anything other than Keep-Alive packets from the BIG-IP system. This can delay or adversely impact applications on the client.
-- The server continues to send data to the BIG-IP system unnecessarily. After accounting for the fact this could be a lot of data and many connections could be in this state, the server and/or its surrounding network could become impacted/congested. At a minimum, this might cause a waste of resources.
Workaround:
There is no workaround at this time.
Fix:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.
Behavior Change:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.
715467-1 : Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
Component: Local Traffic Manager
Symptoms:
If the 'A' record for an FQDN node is removed or replaced on the DNS server, then the BIG-IP system does not remove the old ephemeral pool member or create the new pool member and node.
Conditions:
-- FQDN nodes.
-- Pool members with a service port of ANY.
Impact:
Ephemeral pool member and nodes are not removed or updated when the DNS 'A' record is removed or changed.
Workaround:
There is no workaround at this time.
Fix:
Upon a DNS 'A' record being removed or changed, the ephemeral pool members and nodes based on the old value are removed or changed.
715448-3 : Providing LB::status with a GTM Pool name in a variable caused validation issues
Component: Global Traffic Manager (DNS)
Symptoms:
When utilizing an LB::status iRule where the GTM Pool name was provided in a variable, instead of directly written into the command, the system posts the following error message: Can't read 'monkey': no such variable.
Conditions:
LB::status pool a <Variable containing string>.
Impact:
Unable to use LB::status iRule.
Workaround:
There is no workaround at this time.
Fix:
Can now use LB::status iRule command to display the status of a GTM Pool when the name of the pool is provided in a variable.
714749-1 : cURL Vulnerability: CVE-2018-1000120
Component: TMOS
Symptoms:
It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.
Conditions:
BIG-IP systems are not affected by this vulnerability.
Impact:
None.
Workaround:
None.
Fix:
Patched CVE-2018-1000120
714384-2 : DHCP traffic may not be forwarded when BWC is configured
Component: Local Traffic Manager
Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.
Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.
Impact:
DHCP traffic may not be forwarded.
Workaround:
There is no workaround other than to remove the BWC policy.
Fix:
DHCP traffic is now forwarded when BWC is configured,
714303-2 : X520 virtual functions do not support MAC masquerading
Component: TMOS
Symptoms:
MAC masquerading is not supported when using X520 virtual functions via SR-IOV in Virtual Edition (VE). This is due to a lack of functionality in the underlying hardware.
Conditions:
-- Use SR-IOV virtual functions as interfaces within VE.
-- Configure MAC masquerading with a shared MAC that should follow the active system after traffic group failovers.
Impact:
MAC masquerading will not function in this environment.
Workaround:
There is no workaround other than not to use MAC masquerading, as conventional failover works for this environment.
Fix:
MAC masquerading is now supported when using X520 virtual functions via SR-IOV in Virtual Edition (VE).
713951-6 : tmm core files produced by nitrox_diag may be missing data
Component: Local Traffic Manager
Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.
Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.
Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.
713934-1 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response
Component: Local Traffic Manager
Symptoms:
Received malformed Truncated DNS response.
Conditions:
-- Using iRule 'DNS::question name' to shorten the name.
-- DNS response is longer than 4096 UDP limit.
Impact:
DNS request might not be resolved correctly.
Workaround:
There is no workaround at this time.
Fix:
In this release, when DNS::query name changes the query name, the software ensures that the request is updated with proper lengths.
713932-2 : Commands are replicated to PostgreSQL even when not in use.
Component: TMOS
Symptoms:
In MCP, PostgreSQL is used only by AFM. Even when AFM is not provisioned, however, commands are being replicated to PostgreSQL.
Conditions:
AFM is not provisioned.
Impact:
Unnecessary CPU cycles spent by MCP replicating commands to PostgreSQL.
Workaround:
None.
Fix:
Prevented replication of commands to PostgreSQL when it is not in use.
713766-1 : VLAN failsafe failover may not occur
Component: Local Traffic Manager
Symptoms:
VLAN failsafe may not take effect and cause failover.
Conditions:
If the VLAN failsafe is disabled, and then re-enabled, it might not properly take effect.
Impact:
System will not fail over when it should.
Workaround:
The failure condition is cleared by the next reboot following the disable/enable.
Fix:
Failover occurs as expected.
713533-1 : list self-ip with queries does not work
Component: Local Traffic Manager
Symptoms:
"list net self" command always returns all Self IPs, regardless of the regex patterns.
Conditions:
list net self always returns all Self IPs
Impact:
You are unable to filter the Self IP list using a regex pattern.
Fix:
You can now use pattern matching to list Self IPs
713491-3 : IKEv1 logging shows spi of deleted SA with opposite endianess
Component: TMOS
Symptoms:
Sometimes the IKEv1 racoon daemon logs a 32-bit child-SA spi with octets in backwards order (reversing the endianness).
Conditions:
When an SA is deleted.
Impact:
Logging typically shows a network byte order spi in the wrong order. Cosmetic interference with logging interpretation.
Workaround:
There is no workaround at this time.
Fix:
The spi values are shown in the correct endianness now.
712819-1 : 'HTTP::hsts preload' iRule command cannot be used
Component: Local Traffic Manager
Symptoms:
Using the 'HTTP::hsts preload' iRule command in the GUI, you might see error message similar to the following:
01070151:3: Rule [/Common/test] error: /Common/test:3: error: ["invalid argument preload; expected syntax spec: "][HTTP::hsts preload enable].
The message is incorrect: the command has the correct format. However, the system does not run it.
Conditions:
Using the 'HTTP::hsts preload' iRule command in the GUI.
Impact:
The command does not run. Cannot use the 'HTTP::hsts preload' iRule command in the GUI.
Workaround:
None.
Fix:
'HTTP::hsts preload' iRule command now works as expected.
712664-1 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
Component: Local Traffic Manager
Symptoms:
As a result of a known issue IPv6 NS may be dropped if corresponds for host on remote VLAN of transparent vlangroup and matches a Virtual address with disabled ARP setting
Conditions:
- transparent vlan-group
- Virtual Address with ARP disabled
- Virtual Address corresponds to remote IPv6 host address
Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.
Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.
Fix:
IPv6 NS is no longer dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address.
712637-1 : Host header persistence not implemented
Component: Local Traffic Manager
Symptoms:
Online documentation describes a persistence mechanism which uses the HTTP Host: header. However, this mechanism is not implemented, and attempts to use it generates an error.
Conditions:
Online help for ltm persistence says that Host persistence can be enabled via iRule, but attempting to do so generates an error 'invalid argument host'.
Impact:
Although this does not impact any existing functionality, the documented function is not available.
Workaround:
There is no workaround at this time.
Fix:
LTM Host: header persistence is implemented.
711281-6 : nitrox_diag may run out of space on /shared
Component: Local Traffic Manager
Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.
Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.
Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.
Workaround:
The only workaround is to ensure there is enough free space for the files to be created.
In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte. Though more might be needed for systems with a large amount of RAM.
Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.
711249-3 : NAS-IP-Address added to RADIUS packet unexpectedly
Component: TMOS
Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.
Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.
Impact:
Authentication does not work as it has invalid/unrecognized source NAS-IP-Address.
Workaround:
Configure cluster member IP address or define hostname and address via global-settings remote-host.
711093-4 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
Component: Policy Enforcement Manager
Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.
Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).
Impact:
PEM sessions remain in marked-for-delete state.
Workaround:
None.
Fix:
PEM sessions no longer stay in the marked-for-delete state after session delete
710976-2 : Network Map might take a long time to load
Component: TMOS
Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.
For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.
In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.
# tmsh list ltm virtual vs
ltm virtual vs {
creation-time 2018-03-06:18:27:53
destination 0.0.0.0:any
ip-protocol tcp
last-modified-time 2018-03-06:18:27:53
mask any
profiles {
myhttp { }
tcp { }
}
rules {
myrule
}
source 0.0.0.0/0
translate-address disabled
translate-port disabled
vlans {
socks-tunnel
}
vs-index 5
}
Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.
-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.
Impact:
It takes tens of seconds to load the Network Map page.
Workaround:
None.
Fix:
The data loading performance was improved to load the page faster.
710827-1 : TMUI dashboard daemon stability issue
Component: TMOS
Symptoms:
Some dashboard requests may cause a crash of TMUI dashboard daemons, affecting the TMUI dashboard.
Conditions:
Request sent to BIG-IP dashboard.
Impact:
Only the TMUI dashboard goes offline. Other TMUI functionality is not affected by this issue.
Workaround:
None available.
Fix:
Setup a correct exception handling prevented TMUI dashboard service failure.
710705-1 : Multiple Wireshark vulnerabilities
Solution Article: K34035645
710246-1 : DNS-Express was not sending out NOTIFY messages on VE
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express is not sending out NOTIFY messages on BIG-IP Virtual Edition (VE).
Conditions:
-- DNS Express configured to send out NOTIFY messages.
-- Running on BIG-IP VE configuration.
Impact:
DNS secondary servers serving stale data.
Workaround:
There is no workaround at this time.
Fix:
DNS Express now sends out NOTIFY messages on VE.
710232-1 : platform-migrate fails when LACP trunks are in use
Component: TMOS
Symptoms:
Use of the platform-migrate option might fail due to some configurations being invalid on the new system. The error message generated appears as follows:
01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform.
Conditions:
You have a trunk with LACP enabled.
-- You are migrating from a hardware platform to a Virtual Edition (VE).
Impact:
Configuration fails to migrate.
Workaround:
After taking the old system offline, but before saving the UCS, disable LACP on all trunks.
710221-1 : Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled
Solution Article: K67352313
Component: Local Traffic Manager
Symptoms:
In an high availability (HA) configuration where an FQDN template-node on the 'active' unit is 'Force Offline', and the configuration is synchronized to the 'standby' unit, upon 'Enable' on that FQDN template-node in the 'active' unit (and the configuration is synchronized to the 'standby' unit), the ephemeral nodes associated with that FQDN template node remain Unavailable on the 'standby' unit.
Conditions:
HA configuration is configured with 'active' sync.
-- FQDN template-node is configured.
-- After ephemeral nodes are refreshed on the 'active' unit, it transitions to the 'standby' unit.
-- The FQDN template node on the (new-'active') unit is 'Force Offline' by the user.
-- The user explicitly 'Enable' that FQDN template node on the 'active' unit.
Impact:
The ephemerals on the 'standby' unit remain unavailable, even though the associated FQDN template node is 'available'. However, as no traffic is routed to the 'standby' unit, traffic is unaffected. Upon transition from 'standby' to' active', the ephemeral nodes will be refreshed and traffic should continue.
Workaround:
You can use either of these configuration options to prevent this issue from occurring:
-- Select 'Disabled' (rather than 'Force Offline') for the FQDN template node on the 'active' unit.
-- Configure the node without using FQDN.
Fix:
Upon 'Force Offline' and then 'Enable' for an FQDN template node on an 'active' unit in an HA configuration, the ephemerals on the 'standby' unit will reflect the re-enabled status based on the associated FQDN template-node on the 'active' unit.
710148-1 : CVE-2017-1000111 & CVE-2017-1000112
Solution Article: K60250153
710032-2 : 'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system.
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system posts a 'No Access' error message instead of the virtual server's properties.
Conditions:
-- At least two BIG-IP systems in a sync group.
-- One of the BIG-IP systems has a partition that does not exist on the other with an LTM virtual server on that partition.
-- The issue occurs when a GSLB Server discovers that LTM virtual server and displays it on its virtual server page.
Note: This same error message displays for GSLB pool member properties accessed by navigating to GSLB :: pools :: [pool] :: members :: Member : Address. The differing issues have been fixed in differing releases. You can find information about the similar issue in the AskF5 Bug Tracker article for 722734.
Impact:
It makes the GSLB Server's virtual server's properties page unavailable in this case.
Workaround:
Use either of the following workaroudns:
-- Use TMSH to view or edit the properties of that virtual server.
-- Create partitions on the GTM device to match those appearing to be referenced in the object names.
Fix:
Partition checking has been disabled for virtual servers on the GTM side, since a virtual server owned by a server is always in the partition of that server (/Common).
709972 : CVE-2017-12613: APR Vulnerability
Solution Article: K52319810
709936-2 : Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
Component: TMOS
Symptoms:
/var/log/boot.log has this error:
dhcp_config: save error: 01070911:3: The requested host (ntp-servers-ip) is invalid for servers in ntp (/Common/ntp).
Conditions:
- The BIG-IP system has DHCP enabled for management interface.
- Multiple NTP servers or domain-search are specified in the dhclient lease (stored at /var/lib/dhclient/dhclient.leases).
Impact:
- DNS and NTP servers are not configured in MCPD.
- Name resolution can break.
Workaround:
None.
Fix:
Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
709828-1 : fasthttp can crash with Large Receive Offload enabled
Component: Local Traffic Manager
Symptoms:
fasthttp and lro can lead to a tmm crash.
Conditions:
fasthttp and lro enabled. (lro is enabled by default >= 13.1.0)
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use fasthttp
Fix:
fasthttp with lro enabled no longer causes tmm to crash.
709688-2 : dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
Solution Article: K08306700
709610-4 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
Component: Policy Enforcement Manager
Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.
Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
value "0"
}
sys db tmm.pem.session.provisioning.continuous {
value "disable"
}
-- Actions occur in the following order:
1. PEM receives RADIUS START with subscriber ID1 and IP1.
2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
3. PEM receives RADIUS START with subscriber ID1 and IP2.
4. PEM receives RADIUS STOP with subscriber ID1 and IP2.
-- The time interval between steps 1 and 2 is very small (less than ~1ms).
Impact:
Subscriber session creation via PEM may fail.
Workaround:
There is no workaround other than to leave SysDbs variables set to the default values.
Fix:
The system now handles PEM subscriber session updates properly, so this issue no longer occurs.
709256-1 : CVE-2017-9074: Local Linux Kernel Vulnerability
Solution Article: K61223103
709192-2 : GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart
Component: TMOS
Symptoms:
The export operation of SSL keys and certificate into a .tgz archive file fails when the httpd daemon is restarted.
Conditions:
-- Export SSL Keys and certificates into archive file.
-- httpd is restarted.
Impact:
Export of SSL Keys and certificates into archive file does not work immediately after httpd restart via GUI/iControl.
Workaround:
After httpd restart, perform other operation like creating a key/cert before exporting archive file.
Fix:
The system allows exporting SSL keys and certificate to be archived into .tgz files after httpd restart.
709133-1 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur
Component: Local Traffic Manager
Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error can occur.
Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- An error occurs when reading the certificate serial number.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not setting the tmm.ssl.loggingcreatedcerts BigDB variable.
Fix:
Double-free removed.
709132-2 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur
Component: Local Traffic Manager
Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a buffer overflow can occur.
Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- A malformed certificate with a serial number length equal to 256 bytes is parsed during forging.
Impact:
A off-by-one error causes one byte to write off the end of an array.
Workaround:
There is no workaround other than to not set tmm.ssl.loggingcreatedcerts BigDB variable.
Fix:
Buffer no longer overflows.
708484-1 : Network Map might take a long time to load
Component: TMOS
Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.
For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.
In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.
# tmsh list ltm virtual vs
ltm virtual vs {
creation-time 2018-03-06:18:27:53
destination 0.0.0.0:any
ip-protocol tcp
last-modified-time 2018-03-06:18:27:53
mask any
profiles {
myhttp { }
tcp { }
}
rules {
myrule
}
source 0.0.0.0/0
translate-address disabled
translate-port disabled
vlans {
socks-tunnel
}
vs-index 5
}
Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.
-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.
Impact:
It takes tens of seconds to load the Network Map page.
Workaround:
None.
708249-1 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit
Component: Local Traffic Manager
Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.
Conditions:
Run the nitrox_diag command.
Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.
Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0
Fix:
Nitrox_diag utility now uses the -s0 command to generate QKView files, so there is no longer a 5 MB maximum file size limit, and the full QKView file is created.
707961-1 : Unable to add policy to virtual server; error = Failed to compile the combined policies
Solution Article: K50013510
Component: Local Traffic Manager
Symptoms:
LTM policy does not compile if it has more than one similar condition, and some of them refer to datagroup and others to non-datagroup types. The policy compiles if similar conditions all refer to datagroups or to non-datagroups.
010716d8:3: Compilation of ltm policies for virtual server /Common/vs_name failed; Failed to compile the combined policies.
Conditions:
-- LTM policy that has more than one similar condition.
-- Some conditions refer to datagroup types.
-- Some conditions refer to non-datagroup types.
Following is an example of such an LTM policy (i.e., referring to both datagroup and non-datagroup types):
ltm policy /Common/example_ltm_policy {
published-copy /Common/block_URI
requires { http }
rules {
example_Rule {
conditions {
0 {
http-host
host
datagroup /Common/example_datagroup <------ Datagroup
}
1 {
http-host
host
values { example.com } <------ Non-Datagroup
}
}
}
}
strategy /Common/first-match
}
Impact:
LTM policy does not compile. Cannot use the policy.
Workaround:
Create a datagroup for the non-datagroup type and use it in policy instead.
Fix:
LTM Policy compiles if it has more than one similar condition, and some of them refer to datagroup and others to non-datagroup types.
707951-3 : Stalled mirrored flows on HA next-active when OneConnect is used.
Component: Local Traffic Manager
Symptoms:
-- 'tmctl -d blade tmm/umem_usage_stat | grep xdata' may show increased memory usage.
-- 'tmsh show sys connect' shows idle flows.
Conditions:
- OneConnect profile is configured.
- High availability (HA) mirroring is enabled.
Impact:
- Some flows are mirrored incorrectly.
- Stalled flows may occupy a lot of memory.
Workaround:
Disable OneConnect.
Fix:
Stalled mirrored flows no longer appear when OneConnect is used.
707585-2 : Use native driver for 82599 NICs instead of UNIC
Component: TMOS
Symptoms:
-- Lower performance in TPS.
-- Increased CPU consumption for throughput.
Conditions:
-- Running BIG-IP Virtual Edition (VE) (UNIC is the default Virtual Function Network Driver for VE).
-- High data rates, perhaps particularly when connection mirroring is configured.
Impact:
Lower TPS performance numbers and higher CPU usage in throughput tests.
Workaround:
In case of UNIC, extra CPUs must be allocated to handle SoftIRQs for higher performance.
Fix:
This release provides a native driver based on F5's physical platforms.
707391-1 : BGP may keep announcing routes after disabling route health injection
Component: TMOS
Symptoms:
As a result of a known issue BIG-IP with BGP configured may continue to announce routes even after disabling the virtual address or disabling route announcement on the virtual address.
Conditions:
BGP configured with multiple routes announced via Virtual-address route announcements.
Configuration changes made on the BGP configuration itself.
Virtual address or its route health announcement disabled.
Impact:
Prefixes continue to exist in the BGP table even after disabling the virtual address (visible via imish with the "show ip bgp" command); which will continue to announce the prefix to configured peers.
Workaround:
Workaround would be to restart the dynamic routing process.
Fix:
BGP may no longer keeps announcing routes after disabling route health injection
707267-2 : REST Framework HTTP header limit size increased to 8 KB
Component: TMOS
Symptoms:
HTTP Header size limit causing 'Error getting auth token from login provider' GUI messages.
Conditions:
A client uses an HTTP Header larger than 4 KB to make a request to the REST framework.
Impact:
Users cannot login or access certain pages in the GUI.
Workaround:
Clear browser cookies, or otherwise reduce the size of the HTTP headers, so that the entire content HTTP headers is smaller than 4 KB.
Fix:
The HTTP header size limit for the REST Framework has been increased to 8 KB to match the limit set by Apache.
707100-1 : Potentially fail to create user in AzureStack
Component: TMOS
Symptoms:
Using Microsoft Azure Stack on the BIG-IP Virtual Edition (VE) configured with password authentication, the system sometimes fails to create the provided user, which means that the VE admin cannot ssh in after deployment. Note that an unexpected reboot causes this to occur during provisioning, and that Microsoft might have already fixed this issue.
Conditions:
Azure Stack VE provisioned with password authentication.
Impact:
Admin loses provisioned VE instance because there is no way to ssh in.
Workaround:
Deploy VE with key authentication.
Fix:
Extra handling was added to make user creation work even with unexpected reboots happening during Azure Stack provisioning.
706688-2 : Automatically add additional certificates to BIG-IP system in C2S and IC environments
Component: TMOS
Symptoms:
In order to function properly, the BIG-IP system's failover and autoscale features need extra certificates (which are used inside C2S environments) and endpoint URL. The extra certificates must be pointed to by the $AWS_CA_BUNDLE environment variable. The BIG-IP system's failover and autoscale feature use AWS CLI commands. Those AWS CLI commands need to have the $AWS_CA_BUNDLE pointing to the certificate files location and endpoint URL. These must be configured manually.
Conditions:
-- BIG-IP is running in AWS C2S (Commercial Cloud Services) where the domain is either c2s.ic.gov or sc2c.sgov.gov.
-- The BIG-IP system is configured to do failover or autoscale in those environments.
Impact:
Requires manual copying of the extra certificates, which are pointed to by AWS_CA_BUNDLE, to the BIG-IP system.
Workaround:
None.
Fix:
In this release, you can add all the needed certificates' URLs in the AWS user-data. The BIG-IP system then automatically downloads and stores the certificate and sets the $AWS_CA_BUNDLE environment variable and endpoint-url.
To use the functionality, when launching the BIG-IP system from the AWS web console, specify the C2S certificate URL and test URL in the following format:
c2s-keys-urls=url1,url2,url3;c2s-cert-test-url=ec2.us-iso-east-1.c2s.ic.gov:443;
Where the syntax explanation is as follows:
1. The string literal : c2s-keys-urls=
2. List of comma separated URLs.
3. A semicolon (;).
4. The string literal : c2s-cert-test-url=
5. A URL which is of following format
<A service name (e.g., ec2)>.<The region where it is running (e.g., us-iso-east-1)>.<the domain name :443 (e.g., c2s.ic.gov:443)>
Example: ec2.us-iso-east-1.c2s.ic.gov:443;
706642-1 : wamd may leak memory during configuration changes and cluster events
Component: WebAccelerator
Symptoms:
wamd memory consumption increases over time.
Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.
Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.
Workaround:
No workaround available.
Fix:
wamd n longer leaks memory during configuration changes and cluster events.
706423-3 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
Component: TMOS
Symptoms:
TMM may discard an existing child-SA via timer during the moment it is in use for encryption or decryption. And in another spot, an error aborting negotiation can cause multiple timers associated with one child-SA, which fight one another.
Conditions:
Errors in IPsec config that fail negotiation can happen when a child-SA is in a state that does not manage timers correctly.
A config with short SA lifetime, causing frequent re-keying, can have the effect of searching for a race condition when expire happens during active use in crypto.
Impact:
TMM restarts, disrupting traffic and causing HA failover.
Workaround:
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, ensure SA lifetime has longer duration, instead of merely seconds. (The default is one day.)
Fix:
Now we ensure only one timer can be associated with a child-SA related to short-term progress toward maturity during negotiation, even if an error happens.
Now we also ensure a child-SA is safe during async crypto operations, even if they expire while currently in use.
706169-2 : tmsh memory leak
Component: TMOS
Symptoms:
tmsh is leaking approximately 24 KB for every 'save sys config' call.
Conditions:
this occurs under the following conditions:
-- In tmsh, run the following command repeatedly:
save sys config
-- In the GUI, modify the configuration and click Update, change pages, or otherwise cause a save to the configuration.
Impact:
This results in a memory leak, and a possible out-of-memory condition.
Workaround:
None.
Fix:
tmsh no longer leaks memory when performing configuration-save operations.
705476-1 : Appliance Mode does not follow design best practices
Solution Article: K28003839
704804-4 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
Component: TMOS
Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.
Conditions:
This applies to remote authentication for the control plane, not APM.
Impact:
Login may be impacted.
Workaround:
There is no workaround at this time.
Fix:
NAS-IP-Address Attribute is now set correctly when the the BIG-IP system is configured to use RADIUS authentication.
704764-1 : SASP monitor marks members down with non-default route domains
Component: Local Traffic Manager
Symptoms:
The LTM SASP monitor marks pool members down, whose address include non-default route domains.
Conditions:
1. Using the SASP health monitor to monitor a pool or pool member.
2. The address of the pool member includes a non-default route domain, such as:
ltm pool rd_test {
members {
test_1:http {
address 12.34.56.78%99
}
}
monitor my_sasp
}
Impact:
Pool members with non-default route domains will never be marked up by the SASP monitor.
Workaround:
Do not specify non-default route domains in the addresses of pool members monitored by the SASP health monitor.
The SASP protocol does not support the use of route domains in member addresses. Thus, the SASP GWM (Global Workload Manager) will ignore route domain information included in the member addresses when registered by the SASP monitor in BIG-IP, and will report the status of members using addresses without route domains.
Therefore, even with a fixed version of the SASP monitor, BIG-IP LTM administrators must be careful to avoid configuring multiple pool members with the same address except for different route domains, to be monitored by the SASP monitor. If case of such a configuration error, the status of the member reported by the SASP GWM may not accurately reflect the status of one or more of the pool members with matching IP addresses.
Fix:
The LTM SASP monitor will correctly report the status of pool members configured with addresses that include a non-default route domain, if the SASP GWM is monitoring members with matching addresses (minus route-domain information).
704755-3 : EUD_M package could not be installed on 800 platforms
Component: TMOS
Symptoms:
Attempts to install the EUD_M EUD package fail on 800 platforms even though they are supposed to be supported.
Conditions:
Attempt to install EUD_M package on 800 platforms.
Impact:
Cannot install EUD_M package on a platform that is claimed to support it.
Workaround:
None.
Fix:
EUD_M package can now be installed on 800 platforms as expected.
704733-3 : NAS-IP-Address is sent with the bytes in reverse order
Component: TMOS
Symptoms:
The NAS-IP-Address has the address of the local device sent with the bytes in reverse order (e.g., 78.56.30.172, where 172.30.56.78 is expected).
Conditions:
-- This affects IPv4 addresses only.
-- BIG-IP system is configured for RADIUS authentication.
Impact:
The server may be configured to check the NAS-IP-Address before allowing logins, in which case it would fail.
Workaround:
There is no workaround at this time.
Fix:
This has been corrected.
704552-1 : Support for ONAP site licensing
Component: TMOS
Symptoms:
ONAP site licensing not supported.
Conditions:
-- Attempting to use ONAP site licensing
Impact:
BIG-IP system does not license.
Workaround:
None.
Fix:
Ported ONAP site licensing support to this version of the software.
Behavior Change:
This version of the software supports ONAP site licensing.
704381-6 : SSL/TLS handshake failures and terminations are logged at too low a level
Component: Local Traffic Manager
Symptoms:
SSL/TLS handshake failures and terminations are being logged at too low of a level (INFO).
Conditions:
-- SSL/TLS connections are received or sent.
-- Handshake failures are logged.
Impact:
Sometimes other errors are produced, and the cause is a SSL/TLS handshake failure, but this failure is not being logged.
Workaround:
There is no workaround.
Fix:
SSL/TLS handhake failures and terminations are now logged at a higher level (WARNING).
704247-1 : BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
Component: TMOS
Symptoms:
BIG-IP .iso images may fail to install if multiple copies of the same image are present and have been deleted.
Conditions:
-- Have multiple copies of the same image .iso in the /shared directory on a BIG-IP system.
-- Delete one of them.
Impact:
Installation attempt of the remaining image(s) might fail.
Workaround:
Restart the lind process, so the installation can continue.
Fix:
The BIG-IP system now installs an image if multiple copies of the same image are present and have been deleted
703869-4 : Waagent updated to 2.2.21
Component: TMOS
Symptoms:
Microsoft updates waagent via an opensource process, but it is not compatible with BIG-IP software, and so cannot be upgraded outside of BIG-IP releases. Without this, Microsoft will not support older releases of BIG-IP systems in their environment.
Conditions:
Using Microsoft Azure.
Impact:
Microsoft does not support the version of waagent shipped as part of BIG-IP software.
Workaround:
None.
Fix:
Waagent was updated to 2.2.21 from Microsoft along with F5 changes for compatibility with BIG-IP software.
703669-1 : Eventd restarts on NULL pointer access
Component: TMOS
Symptoms:
The loop that reads /config/eventd.xml to load configuration data processes data in 1024-byte chunks. If the size of the file is a multiple of 1024 bytes, the end of file condition that terminates the file read does not occur until the subsequent read. The subsequent read returns zero (0) bytes and passes an empty buffer to the parser, which causes eventd to restart repeatedly.
Conditions:
The length of the file /config/eventd.xml is a multiple of 1024 bytes.
Impact:
Causes eventd to crash.
Workaround:
To work around the problem, insert whitespace in /config/eventd.xml to pad the file to a size that is not a multiple of 1024 bytes.
703045-2 : If using TMSH commands with deprecated attributes in iApp, the upgrade will fail.
Component: TMOS
Symptoms:
TMSH commands with deprecated attributes will fail if used in iApp.
Conditions:
TMSH commands with deprecated attributes will fail if used in iApp. This is so whether the iApp is activated during the upgrade process or simply run under iApp service at the user display.
Impact:
TMSH commands will not execute like create command will result in no objects (e.g., monitor, virtual server, etc.) being created.
Workaround:
Try to avoid deprecated attributes of the object in the iApp.
Fix:
All TMSH commands should handle deprecated attributes of objects consistently across TMSH command line, CLI Script and iApp and like so:
- run TMSH commands to full execution with only warning message.
- full execution means objects action should be executed without error and no something amiss silently either.
702227-2 : Memory leak in TMSH load sys config
Component: TMOS
Symptoms:
When loading a configuration, either through tmsh load sys config or the corresponding iControl REST command, the TMSH or icrd_child processes can leak memory.
Conditions:
When configuration is loaded via TMSH or iControl REST.
Impact:
The TMSH process memory or icrd_child process memory continues to grow every time the config is loaded.
Workaround:
If memory consumption grows in the TMSH process, restart the TMSH process.
If memory consumption grows in iControl REST, restart the REST service using the following command: bigstart restart restjavad.
Fix:
There is no longer a memory leak when loading configuration in TMSH or iControl REST.
701785-1 : Linux kernel vulnerability: CVE-2017-18017
Solution Article: K18352029
701253-6 : TMM core when using MPTCP
Solution Article: K16248201
701249-3 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
Component: TMOS
Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.
The NAS-IP-Address is essentially the resource an end user client is trying to authenticate to. This is typically the management IP address of the BIG-IP system, but the BIG-IP system always sends 127.0.0.1 instead. That might fail or it might work, depending on how the server is configured.
Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.
Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.
Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.
Workaround:
There is no workaround.
700086-2 : AWS C5/M5 Instances do not support BIG-IP VE
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) does not function on AWS C5/M5 instances.
Conditions:
BIG-IP VE on AWS C5/M5 instances.
Impact:
Cannot use BIG-IP VE on AWS C5/M5 instances.
Workaround:
None.
Fix:
BIG-IP VE now functions on AWS C5/M5 Instances.
700056-2 : MCPD process may lock up and restart when applying Local Traffic Policy to virtual server
Component: Local Traffic Manager
Symptoms:
The mcpd process becomes unresponsive while attempting to load the configuration, or attempting to apply a configuration change that associates a particular local traffic policy to a virtual server. The mcpd process may also periodically restart every 5 minutes.
Conditions:
- Virtual servers configured.
- Specific policies configured and attached used by virtual servers.
Only policies configured in a specific way will trigger this situation. The specifics are not well understood, however, the vast majority of Local Traffic Policies are unaffected by this issue.
Impact:
Traffic disrupted while mcpd restarts.
Workaround:
There is no workaround.
Fix:
mcpd is responsive when an LTM Policy is attached to a virtual server, or when an already-attached policy is updated.
699598-1 : HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR
Component: Local Traffic Manager
Symptoms:
HTTP/2 requests with a large body may result in the BIG-IP system sending RST_STREAM with FRAME_SIZE_ERROR.
Conditions:
-- HTTP/2 profile is configured on the virtual server.
-- Request has body size greater than 16 KB.
Impact:
HTTP/2 stream is reset with FRAME_SIZE_ERROR and transfer does not complete.
Workaround:
None.
Fix:
Large HTTP/2 requests are now processed as expected.
699531-5 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command
Component: Policy Enforcement Manager
Symptoms:
TMM crash.
Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.
Impact:
Loss of service. Traffic disrupted while tmm restarts.
Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.
For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.
Fix:
The system now provides the correct number of attributes, preventing a NULL pointer dereference.
699454-6 : Web UI does not follow current best coding practices
Component: Advanced Firewall Manager
Symptoms:
The web UI does not follow current best coding practices while processing URL DB updates.
Conditions:
Authenticated web UI user.
Impact:
UI does not respond as intended.
Workaround:
None.
Fix:
The web UI now follows current best coding practices while processing URL DB updates.
699453-6 : Web UI does not follow current best coding practices
Solution Article: K20222812
695072-3 : CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558
Solution Article: K23030550
693359-2 : AWS M5 and C5 instance families are supported
Component: TMOS
Symptoms:
AWS has announced support for M5 and C5 instance families. No previous BIG-IP Virtual Edition (VE) software supports these new AWS instance families.
Conditions:
Attempting to install pre-v14.0.0.1 VE software on M5 and C5 instance families.
Impact:
The system experiences a kernel panic and might crash.
Workaround:
None.
Fix:
All necessary components are added to support AWS M5 and C5 instance families.
Behavior Change:
No previous BIG-IP Virtual Edition (VE) software supports the newly announced AWS M5 and C5 instance families. Version 14.0.0.1 officially supports the AWS M5 and C5 instance families.
693244-3 : BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned
Component: Local Traffic Manager
Symptoms:
BIG-IP silently drop the serverside TCP flow, when it receives a client-side reset and the server-side flow is still in the SYN-SENT state.
Conditions:
BIG-IP receives a client-side reset when client-side TCP flow is in ESTABLISHED state and server-side TCP flow is in SYN-SENT state, serverside flow is silently dropped.
Impact:
Since serverside pool member does not receive the RST, it remains in SYN-RECEIVED state until it runs out of syn retransmissions and eventually, due to timeout, it returns to LISTEN state.
Fix:
BIG-IP resets serverside TCP flow with RST when it receives a client-side reset and the server-side flow is still in the SYN-SENT state.
682283-1 : Malformed HTTP/2 request with invalid Content-Length value is served against RFC
Component: Local Traffic Manager
Symptoms:
HTTP/2 request can include Content-Length header. When the value of a Content-Length header does not match the sum of lengths of all DATA frames from the stream, RFC requires that the system reset the stream.
Conditions:
-- A virtual server is configured with HTTP/2 profile.
-- The value of Content-Length header does not match the sum of lengths of all DATA frames from the stream.
Impact:
The BIG-IP system sends a request to a server and serves a provided response, which is not in conformance with the RFC.
Workaround:
None.
Fix:
Now, when a client sends a request over an HTTP/2 connection with a malformed HEADERS frame in which Content-Length does not match the payload size in DATA frames, the BIG-IP system correctly resets the stream with RST_STREAM frame.
677088-1 : BIG-IP tmsh vulnerability CVE-2018-15321
Solution Article: K01067037
676346-1 : PEM displays incorrect policy action counters when the gate status is disabled.
Component: Policy Enforcement Manager
Symptoms:
Action counters are incorrect.
Conditions:
PEM policy actions enabled with gate status of disabled.
Impact:
May provide an inconsistent view of PEM actions.
Workaround:
There is no workaround.
Fix:
Counters are managed correctly regardless of the gate status.
671712-3 : The values returned for the ltmUserStatProfileStat table are incorrect.
Component: TMOS
Symptoms:
An SNMP table entry that intermittently comes back incorrectly. Specifically, an LTM profile user statistic value is returned with an OID that is off by one in the table.
Conditions:
A statistics profile is attached to a virtual server with an iRule that increments statistics on the profile. The SNMP walk of the table created by the statistics profile intermittently returns the values shifted up one OID such that the last row is zero and the first row is lost. A subsequent request is correct.
Impact:
Incorrect data returned in SNMP walk of LTM profile table.
Workaround:
The statistics themselves are kept correctly and can be accessed without using SNMP.
Fix:
The values in the ltmUserStatProfileStat table are always correct.
658557-4 : The snmpd daemon may leak memory when processing requests.
Component: TMOS
Symptoms:
Under certain conditions, the snmpd daemon may leak memory when processing requests.
Conditions:
A client allowed to send SNMP queries to the BIG-IP system, sends specially crafted requests.
Impact:
Once enough memory has leaked, the system may become unstable and fail unpredictably.
Workaround:
If the snmpd daemon is consuming excessive memory, restart it with the following command:
bigstart restart snmpd
Fix:
The snmpd daemon no longer leaks memory when handling specially crafted requests.
651741 : CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop
Solution Article: K60104355
648802-4 : Required custom AVPs are not included in an RAA when reporting an error.
Component: Policy Enforcement Manager
Symptoms:
Custom Attribute-Value-Pairs (AVPs) defined on the system will not be visible in a Re-Auth-Answer (RAA).
Conditions:
This occurs when the following conditions are met:
-- PEM enabled with Gx.
-- Custom AVPs configured.
-- PEM responds with an error code in an RAA against a Policy and Charging Rules Function (PCRF) triggered action.
Impact:
Lack of custom AVPs in such an RAA may result in loss of AVP dependent service.
Workaround:
There is no workaround at this time.
Fix:
Custom AVPs included regardless of an error code in an RAA.
602708-5 : Traffic may not passthrough CoS by default
Solution Article: K84837413
Component: Local Traffic Manager
Symptoms:
Traffic being forwarded by TMM may not passthrough the Class of Service (CoS) received.
Conditions:
-- IP forwarding Virtual server.
-- Traffic received with priority other than 3.
Impact:
Traffic is set to L2 QoS priority 3 and may cause issues on other networking devices.
Workaround:
Create a default CoS configuration or apply L2 QoS settings in the FastL4 profile.
Fix:
TMM now correctly passes through CoS by default.
530775-2 : Login page may generate unexpected HTML output
Component: TMOS
Symptoms:
Under certain circumstance the administrative login page may generate unexpected HTML output
Conditions:
External authentication enabled
Impact:
Unexpected output to client browser
Workaround:
None.
Fix:
The login page now generates the expected output.
Known Issues in BIG-IP v14.0.x
TMOS Issues
ID Number | Severity | Solution Article(s) | Description |
708956-3 | 1-Blocking | K51206433 | During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform' |
753650-1 | 2-Critical | The BIG-IP system reports frequent kernel page allocation failures. | |
752835-4 | 2-Critical | Mitigate mcpd out of memory error with auto-sync enabled. | |
746464-2 | 2-Critical | MCPD sync errors and restart after multiple modifications to file object in chassis | |
743810-2 | 2-Critical | AWS: Disk resizing in m5/c5 instances fails silently. | |
743271 | 2-Critical | Querying vCMP Health Status May Show Stale Statistics | |
742419-2 | 2-Critical | BIG-IP NIC teaming of SR-IOV interfaces does not work under VMware ESXi | |
741423-3 | 2-Critical | Secondary blade goes offline when provisioning ASM/FPS on already established config-sync | |
737900-1 | 2-Critical | mcpd might crash on an unlicensed system | |
737692-2 | 2-Critical | Handle x520 PF DOWN/UP sequence automatically by VE | |
737055-1 | 2-Critical | Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy | |
734539-4 | 2-Critical | The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads | |
726487-3 | 2-Critical | MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change. | |
721350-3 | 2-Critical | The size of the icrd_child process is steadily growing | |
717785-4 | 2-Critical | Interface-cos shows no egress stats for CoS configurations | |
716391-1 | 2-Critical | High priority for MySQL on 2 core vCMP may lead to control plane process starvation | |
714795-1 | 2-Critical | ospfd cores when configured with 'area 0 range 0.0.0.0/0' | |
711683-1 | 2-Critical | bcm56xxd crash with empty trunk in QinQ VLAN | |
710277-4 | 2-Critical | IKEv2 further child_sa validity checks | |
708968-1 | 2-Critical | OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address | |
707013-2 | 2-Critical | vCMP host secondary member's cluster.conf file may replaced by that of vCMP guest | |
704681 | 2-Critical | Kernel panic with mcpd or system shutdown | |
668041-3 | 2-Critical | K27535157 | Config load fails when an iRule comment ends with backslash in a config where there is also a policy.★ |
621260-3 | 2-Critical | mcpd core on iControl REST reference to non-existing pool | |
753423-5 | 3-Major | Disabling and immediately re-enabling the slot resulting interfaces from the slot permanently removed from aggregation | |
752994-2 | 3-Major | Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod | |
751409-2 | 3-Major | MCP Validation does not detect when virtual servers differ only by overlapping VLANs | |
751024-3 | 3-Major | i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd | |
751021-2 | 3-Major | One or more TMM instances may be left without dynamic routes. | |
751011-2 | 3-Major | ihealth.sh script and qkview locking mechanism not working | |
751009-2 | 3-Major | Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out | |
750447-2 | 3-Major | GUI VLAN list page loading slowly with 50 records per screen | |
750318-2 | 3-Major | HTTPS monitor does not appear to be using cert from server SSL profile | |
748295 | 3-Major | TMM crashes on shutdown when using virtio NICs for dataplane | |
748187-3 | 3-Major | 'Transaction Not Found' Error on PATCH after Transaction has been Created | |
747799-1 | 3-Major | 'Unable to load the certificate file' error and configuration-load failure upgrading from 11.5.4-HF2 to a later version, due to empty cert/key in client SSL profile | |
747676-2 | 3-Major | Remote logging needs 'localip' to set source IP properly | |
746657-2 | 3-Major | tmsh help for FQDN node or pool member shows incorrect default for fqdn interval | |
746266-2 | 3-Major | Vcmp guest vlan mac mismatch across blades. | |
745825-2 | 3-Major | The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading | |
744520-2 | 3-Major | virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface | |
744252-1 | 3-Major | BGP route map community value: either component cannot be set to 65535 | |
743132-5 | 3-Major | mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile | |
742753-3 | 3-Major | Accessing the BIG-IP system's WebUI via special proxy solutions may fail | |
742170-1 | 3-Major | REST PUT command fails for data-group internal | |
741902-2 | 3-Major | sod does not validate message length vs. received packet length | |
741599-1 | 3-Major | After upgrade, Client SSL profile may have extra cert-key-chain structure | |
740746-1 | 3-Major | RSA key creation fails for generating key/csr pair when using gen-csr challenge-password | |
740589-2 | 3-Major | mcpd crash with core after 'tmsh edit /sys syslog-all-properties' | |
740517-2 | 3-Major | Application Editor users are unable to edit HTTPS Monitors via the Web UI | |
740413-2 | 3-Major | sod not logging Failover Condition messages | |
740135-2 | 3-Major | Traffic Group ha-order list does not load correctly after reset to default configuration | |
739872-1 | 3-Major | The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover | |
739820-2 | 3-Major | Validation does not reject IPv6 address for TACACS auth configuration | |
739533-5 | 3-Major | In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config | |
739118-2 | 3-Major | Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration | |
738445-3 | 3-Major | IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup | |
737901-3 | 3-Major | Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode | |
737536-3 | 3-Major | Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others. | |
737437-3 | 3-Major | IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages | |
737397-2 | 3-Major | User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP | |
737346-2 | 3-Major | After entering username and before password, the logging on user's failure count is incremented. | |
735565-4 | 3-Major | BGP neighbor peer-group config element not persisting | |
734846-2 | 3-Major | Redirection to logon summary page does not occur after session timeout | |
734836 | 3-Major | Network Map summary counts pool members more than once if they are shared across pools | |
733585-4 | 3-Major | Merged can use %100 of CPU if all stats snapshot files are in the future | |
727467-2 | 3-Major | Some iSeries appliances can experience traffic disruption when the HA peer is upgraded from 12.1.3 and earlier to 13.1.0 or later. | |
727297-2 | 3-Major | GUI TACACS+ remote server list should accept hostname | |
725791-5 | 3-Major | Potential HW/HSB issue detected | |
724143-2 | 3-Major | IKEv2 connflow expiration upon ike-peer change | |
722380-1 | 3-Major | The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core. | |
721020-2 | 3-Major | Changes to the master key are reverted after full sync | |
720819-3 | 3-Major | Certain platforms may take longer than expected to detect and recover from HSB lock-ups | |
720610-1 | 3-Major | Updatecheck logs bogus 'Update Server unavailable' on every run | |
720461-1 | 3-Major | qkview prompts for password on chassis | |
720269-1 | 3-Major | TACACS audit logging may append garbage characters to the end of log strings | |
718800-1 | 3-Major | Cannot set a password to the current value of its encrypted password | |
718405-3 | 3-Major | RSA signature PAYLOAD_AUTH mismatch with certificates | |
718397-2 | 3-Major | IKEv2: racoon2 appends spurious trailing null byte to ID payloads | |
718291-1 | 3-Major | iHealth upload error doesn't clear | |
715379-2 | 3-Major | IKEv2 accepts asn1dn for peers-id only as file path of certificate file | |
714986-4 | 3-Major | Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot | |
714974-1 | 3-Major | Platform-migrate of UCS containing QinQ fails on VE★ | |
714903-3 | 3-Major | Errors in chmand | |
714654-1 | 3-Major | Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM | |
714216-1 | 3-Major | Folder in a partition may result in load sys config error | |
713793 | 3-Major | Loading sys config using merge does not work for client SSL profiles with passphrase-protected key | |
713708-6 | 3-Major | Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI | |
712102-1 | 3-Major | K11430165 | customizing or changing the HTTP Profile's IPv6 field hides the field or the row |
712033-3 | 3-Major | When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name | |
710666-2 | 3-Major | VE with interface(s) marked down may report high cpu usage | |
709559-1 | 3-Major | LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name | |
709444-1 | 3-Major | "NTP not configured on device" warning seen when NTP symmetric key authentication is configured | |
708063 | 3-Major | In older RAID BIG-IP systems, storage provisioning is not possible when a drive is missing. | |
707740-5 | 3-Major | Failure deleting GTM Monitors when used on mulitple Virtual Servers with the same ip:port combination | |
707445-4 | 3-Major | Nitrox 3 compression hangs/unable to recover | |
706804-2 | 3-Major | SNMP trap destination configuration of network option is missing "default" keyword | |
705651-2 | 3-Major | Async transaction may ignore polling requests | |
705442 | 3-Major | GUI Network Map objects search on Virtual Server IP Address and Port does not work | |
705037-1 | 3-Major | System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart | |
704449-1 | 3-Major | Orphaned tmsh processes might eventually lead to an out-of-memory condition | |
703090-3 | 3-Major | With many iApps configured, scriptd may fail to start | |
701341-3 | 3-Major | K52941103 | If /config/BigDB.dat is empty, mcpd continuously restarts |
700827-3 | 3-Major | B2250 blades may lose efficiency when source ports form an arithmetic sequence. | |
698619-3 | 3-Major | Disable port bridging on HSB ports for non-vCMP systems | |
698432-1 | 3-Major | Invalid error messages: warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10 | |
696731-4 | 3-Major | K94062594 | The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled |
684096-3 | 3-Major | stats self-link might include the oid twice | |
683135-3 | 3-Major | Hardware syncookies number for virtual server stats is unrealistically high | |
673018-1 | 3-Major | Parsed text violates expected format error encountered while upgrading or loading UCS★ | |
667618-5 | 3-Major | Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts | |
641450-6 | 3-Major | K30053855 | A transaction that deletes and recreates a virtual may result in an invalid configuration |
639619-6 | 3-Major | UCS may fail to load due to Master key decryption failure on EEPROM-less systems★ | |
606032-4 | 3-Major | Network Failover-based HA in AWS may fail | |
591305-2 | 3-Major | Audit log messages with "user unknown" appear on install | |
569859-4 | 3-Major | Password policy enforcement for root user when mcpd is not available | |
486712-4 | 3-Major | GUI PVA connection maximum statistic is always zero | |
726317-5 | 4-Minor | Improved debugging output for mcpd | |
723988-1 | 4-Minor | IKEv1 phase2 key length can be changed during SA negotiation | |
723711-2 | 4-Minor | IPsec keys are once again logged when db variable ipsec.debug.logkeys equals 1 | |
719770-1 | 4-Minor | tmctl -H -V and -l options without values crashed | |
715331-2 | 4-Minor | IKEv2 logs peers_id comparisons and cert verfication failures | |
713138-3 | 4-Minor | TMUI ILX Editor inserts an unnecessary linefeed | |
713134-1 | 4-Minor | Small tmctl memory leak when viewing stats for snapshot files | |
708415-3 | 4-Minor | Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled | |
707631-3 | 4-Minor | The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI | |
704336-5 | 4-Minor | Updating 3rd party device cert not copied correctly to trusted certificate store | |
703509-3 | 4-Minor | Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled | |
689491-2 | 4-Minor | cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled | |
685582-8 | 4-Minor | Incorrect output of b64 unit key hash by command f5mku -f | |
648917-2 | 4-Minor | Need to re-provision vCMP after upgrading to 13.1.x or later on the BIG-IP 10350F platform★ | |
394873 | 4-Minor | Upgrade process does not update Tcl scripts★ | |
720669-1 | 5-Cosmetic | Within the GUI, the 'MQTT-TLS' service port is incorrectly reported as 'common.all.MQTT-TLS'. | |
713519-1 | 5-Cosmetic | Enabling MCP Audit logging does not produce log entry for audit logging change | |
662725 | 5-Cosmetic | tmsh kernel default log levels does not match documentation |
Local Traffic Manager Issues
ID Number | Severity | Solution Article(s) | Description |
752930-2 | 2-Critical | Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state | |
747617-3 | 2-Critical | TMM core when processing invalid timer | |
745589-5 | 2-Critical | In very rare situations, some filters may cause data-corruption. | |
744269-1 | 2-Critical | dynconfd restarts if FQDN template node deleted while IP address change in progress | |
742627-1 | 2-Critical | SSL session mirroring may cause memory leakage if HA channel is down | |
742184-2 | 2-Critical | TMM memory leak | |
741919-2 | 2-Critical | HTTP response may be dropped following a 100 continue message. | |
741814-1 | 2-Critical | Auto Last Hop for management connections cannot be disabled/enabled | |
740963-1 | 2-Critical | VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart | |
740490 | 2-Critical | Configuration changes involving HTTP2 or SPDY may leak memory | |
739927-2 | 2-Critical | Bigd crashes after a specific combination of logging operations | |
738945-3 | 2-Critical | SSL persistence does not work when there are multiple handshakes present in a single record | |
726900 | 2-Critical | Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters | |
724214-4 | 2-Critical | TMM core when using Multipath TCP | |
716714-2 | 2-Critical | OCSP should be configured to avoid TMM crash. | |
716213-5 | 2-Critical | BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic | |
707207-3 | 2-Critical | iRuleLx returning undefined value may cause TMM restart | |
571651-5 | 2-Critical | K66544028 | Reset Nitrox3 crypto accelerator queue if it becomes stuck. |
431480-6 | 2-Critical | K17297 | Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message |
753526-2 | 3-Major | IP::addr iRule command does not allow single digit mask | |
753159-2 | 3-Major | Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections | |
752530-2 | 3-Major | TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput. | |
752334-2 | 3-Major | Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation | |
751036-2 | 3-Major | Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone | |
750843 | 3-Major | HTTP data re-ordering when receiving data while iRule parked | |
750200-2 | 3-Major | DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode | |
749689-3 | 3-Major | HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart | |
749414-3 | 3-Major | Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects | |
749294-3 | 3-Major | TMM cores when query session index is out of boundary | |
748891-1 | 3-Major | Traffic bridged between VLANs in virtual-wire setups. | |
748252-1 | 3-Major | Connection reset seen with SSL bypass on a L2 wire setup | |
747077 | 3-Major | Potential crash in TMM when updating pool members | |
746922-5 | 3-Major | When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain. | |
746078-2 | 3-Major | Upgrades break existing iRulesLX workspaces that use node version 6 | |
745923-1 | 3-Major | Virtual server may reset a connection with port zero when client sends ACK after a 4-way close | |
744686-1 | 3-Major | Wrong certificate can be chosen during SSL handshake | |
743900-2 | 3-Major | Custom DIAMETER monitor requests do not have their 'request' flag set | |
743257-2 | 3-Major | Fix block size insecurity init and assign | |
742838-2 | 3-Major | A draft policy of an existing published policy cannot be modified if it is in /Common and an used by a virtual server in a different partition | |
742237-3 | 3-Major | CPU spikes appear wider than actual in graphs | |
740959-3 | 3-Major | User with manager rights cannot delete FQDN node on non-Common partition | |
740345-2 | 3-Major | TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled. | |
739963-3 | 3-Major | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup | |
739638-3 | 3-Major | BGP failed to connect with neighbor when pool route is used | |
739379-1 | 3-Major | Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error | |
739349-2 | 3-Major | LRO segments might be erroneously VLAN-tagged. | |
738523-1 | 3-Major | SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages | |
738521-3 | 3-Major | i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag. | |
738450-2 | 3-Major | Parsing pool members as variables with IP tuple syntax | |
737147-1 | 3-Major | Key creation on Thales fails with thales 12.40 on tmm interface | |
726734-3 | 3-Major | DAGv2 port lookup stringent may fail | |
726232-3 | 3-Major | iRule drop/discard may crash tmm | |
723306-2 | 3-Major | Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition | |
722707-3 | 3-Major | mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall | |
721261-2 | 3-Major | v12.x Policy rule names containing slashes are not migrated properly | |
720460-3 | 3-Major | Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly | |
720440-2 | 3-Major | Radius monitor marks pool members down after 6 seconds | |
720219-2 | 3-Major | K13109068 | HSL::log command can fail to pick new pool member if last picked member is 'checking' |
718867-1 | 3-Major | tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades★ | |
718790-2 | 3-Major | Traffic does not forward to fallback host when all pool members are marked down | |
717896-3 | 3-Major | Monitor instances deleted in peer unit after sync | |
717100-2 | 3-Major | FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member | |
715785-1 | 3-Major | Incorrect encryption error for monitors during sync or upgrade | |
715756-1 | 3-Major | Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only | |
714559-4 | 3-Major | Removal of HTTP hash persistence cookie when a pool member goes down. | |
714503-1 | 3-Major | When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl | |
714495-1 | 3-Major | When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl" | |
714372-1 | 3-Major | Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari | |
713585-2 | 3-Major | K31544054 | When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long |
712489-1 | 3-Major | TMM crashes with message 'bad transition' | |
711981-6 | 3-Major | BIG-IP system accepts larger-than-egress MTU, PMTU update | |
710930-2 | 3-Major | Enabling BigDB key bigd.tmm may cause SSL monitors to fail | |
710028-1 | 3-Major | LTM SQL monitors may stop monitoring if multiple monitors querying same database | |
709963-1 | 3-Major | Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members. | |
709837-1 | 3-Major | Cookie persistence profile may be configured with invalid parameter combination. | |
708068-1 | 3-Major | Tcl commands like "HTTP::path -normalize" do not return normalized path. | |
707691-5 | 3-Major | BIG-IP handles some pathmtu messages incorrectly | |
706505-3 | 3-Major | iRule table lookup command may crash tmm when used in FLOW_INIT | |
706102-1 | 3-Major | SMTP monitor does not handle all multi-line banner use cases | |
704450-4 | 3-Major | bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration | |
703266-1 | 3-Major | Potential MCP memory leak in LTM policy compile code | |
702450-2 | 3-Major | The validation error message generated by deleting certain object types referenced by a policy action is incorrect | |
702439-4 | 3-Major | K04964898 | Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset |
700696-4 | 3-Major | SSID does not cache fragmented Client Certificates correctly via iRule | |
689361-5 | 3-Major | Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor) | |
688553-4 | 3-Major | SASP GWM monitor may not mark member UP as expected | |
686059-3 | 3-Major | FDB entries for existing VLANs may be flushed when creating a new VLAN. | |
679687-2 | 3-Major | LTM Policy applied to large number of virtual servers causes mcpd restart | |
677709 | 3-Major | pkcs11d daemon can generate a very large number of log messages | |
674591-4 | 3-Major | Packets with payload smaller than MSS are being marked to be TSOed | |
672410 | 3-Major | K58551820 | High CPU load when HTTP/2 gateway is configured with source-persistence. |
672312-4 | 3-Major | IP ToS may not be forwarded to serverside with syncookie activated | |
620053-3 | 3-Major | Gratuitous ARPs may be transmitted by active unit being forced offline | |
504522-3 | 3-Major | Trailing space present after 'tmsh ltm pool members monitor' attribute value | |
473787 | 3-Major | System might fail to unchunk server response when compression is enabled | |
747968-1 | 4-Minor | DNS64 stats not increasing when requests go through dns cache resolver | |
747628-2 | 4-Minor | BIG-IP sends spurious ICMP PMTU message to server | |
744210-3 | 4-Minor | DHCPv6 does not have the ability to override the hop limit from the client. | |
743116-3 | 4-Minor | Chunked responses may be incorrectly handled by HTTP/2 | |
738045-4 | 4-Minor | HTTP filter complains about invalid action in the LTM log file. | |
722534-2 | 4-Minor | load sys config merge not supported for iRulesLX | |
719247-1 | 4-Minor | K10845686 | HTTP::path and HTTP::query iRule functions cannot be set to a blank string |
693901-5 | 4-Minor | Active FTP data connection may change source port on client-side | |
688005-1 | 4-Minor | The maximum-connection count doubles pva traffic counts for virtuals | |
664618-2 | 4-Minor | Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block' | |
594064-6 | 4-Minor | K57004151 | tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows. |
513310-6 | 4-Minor | TMM might core when a profile is changed. | |
666378-2 | 5-Cosmetic | A virtual server's connections per second (precision.last_value) is confusingly named. |
Performance Issues
ID Number | Severity | Solution Article(s) | Description |
746620-2 | 3-Major | "source-port preserve" does not work on BIG-IP Virtual Edition |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Solution Article(s) | Description |
737726-1 | 2-Critical | If named is restarted and zrd is not restarted, ZoneRunner can lose contact with the DNS server daemon | |
722741-2 | 2-Critical | Damaged tmm dns db file causes zxfrd/tmm core | |
751540-2 | 3-Major | GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server | |
750213-3 | 3-Major | DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records. | |
749508-2 | 3-Major | LDNS and DNSSEC: Various OOM conditions need to be handled properly | |
749222-2 | 3-Major | dname compression offset overflow causes bad compression pointer | |
746877-2 | 3-Major | Omitted check for success of memory allocation for DNSsec resource record | |
746719-2 | 3-Major | SERVFAIL when attempting to view or edit NS resource records in zonerunner | |
745035-3 | 3-Major | gtmd crash | |
744787-3 | 3-Major | Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias | |
744707-3 | 3-Major | Fixed crash related to DNSSEC key rollover | |
739553-2 | 3-Major | Setting large number for Wide IP Persistence TTL breaks Wide IP persistence | |
737529-3 | 3-Major | [GTM] load or save configs removes backslash \ from GTM pool member name | |
723288-1 | 3-Major | DNS cache replication between TMMs does not always work for net dns-resolver | |
723095-3 | 3-Major | Add record type breaks commands 'modify gtm pool type all'; errors on nonexistent pool | |
722734-2 | 3-Major | 'No Access' error when viewing properties page of a GTM Pool member whose name includes a partition that does not exist on that BIG-IP system. | |
714507-1 | 3-Major | [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server | |
701232-3 | 3-Major | Two-way iQuery connections fail to get established between GTM devices with the same address on different networks connected through address translation | |
698211-4 | 3-Major | K35504512 | DNS express response to non-existent record is NOERROR instead of NXDOMAIN. |
688335-6 | 3-Major | K00502202 | big3d may restart in a loop on secondary blades of a chassis system |
688266-6 | 3-Major | big3d and big3d_install use different logics to determine which version of big3d is newer | |
679316-6 | 3-Major | iQuery connections reset during SSL renegotiation | |
615222-6 | 3-Major | K79580892 | GTM configuration fails to load when it has GSLB pool with members containing more than one colon character★ |
222220-3 | 3-Major | Distributed application statistics | |
752216-5 | 4-Minor | DNS queries without the RD bit set may generate responses with the RD bit set | |
748177-2 | 4-Minor | Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character | |
744280-3 | 4-Minor | Enabling or disabling a Distributed Application results in a small memory leak | |
740284-1 | 4-Minor | Virtual servers 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM' | |
712335-2 | 4-Minor | GTMD may intermittently crash under unusual conditions. | |
699733-1 | 4-Minor | DNS NOTIFY not sent to mgmt IP under Zone Transfer Clients list after DNS Express zone update |
Application Security Manager Issues
ID Number | Severity | Solution Article(s) | Description |
750922-2 | 2-Critical | BD crash when content profile used for login page has no parse parameters set | |
739635-1 | 2-Critical | No learning when creating policy using guided configuration | |
726090 | 2-Critical | No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense | |
716788-1 | 2-Critical | TMM may crash while response modifications are being performed within DoSL7 filter | |
606983-1 | 2-Critical | ASM errors during policy import | |
751710-3 | 3-Major | False positive cookie hijacking violation | |
750356-1 | 3-Major | Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted | |
749109-2 | 3-Major | CSRF situation on BIGIP-ASM GUI | |
748851-2 | 3-Major | Bot Detection injection include tags which may cause faulty display of application | |
748409-1 | 3-Major | Illegal parameter violation when json parsing a parameter on a case-insensitive policy | |
747777-2 | 3-Major | Extractions are learned in manual learning mode | |
746394-2 | 3-Major | With ASM CORS set to "Disabled" it strips all CORS headers in response. | |
745802-2 | 3-Major | Brute Force CAPTCHA response page truncates last digit in the support id | |
744347-3 | 3-Major | Protocol Security logging profiles cause slow ASM upgrade and apply policy | |
743961-2 | 3-Major | Signature Overrides for Content Profiles do not work after signature update | |
740719-1 | 3-Major | ASM CSP header parser does not honor unsafe-inline attribute within script-src directive | |
739945-3 | 3-Major | JavaScript challenge on POST with 307 breaks application | |
739373 | 3-Major | ASM restart loop after sync from non-ASM to ASM device | |
739342-1 | 3-Major | Learning not occurring for some policies | |
738864-2 | 3-Major | javascript functions in href are learned from response as new URLs | |
738789-1 | 3-Major | ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog | |
738211-1 | 3-Major | pabnagd core when centralized learning is turned on | |
737500-1 | 3-Major | Apply Policy and Upgrade time degradation when there are previous enforced rules | |
734228 | 3-Major | False-positive illegal-length violation can appear | |
724414-1 | 3-Major | ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled | |
724032-2 | 3-Major | Searching Request Log for value containing backslash does not return expected result | |
723790-2 | 3-Major | Idle asm_config_server handlers consumes a lot of memory | |
722862 | 3-Major | ASM CAPTCHA sends non url-encoded payload when captcha is submitted by pressing 'Enter' | |
721752-3 | 3-Major | Null char returned in REST for Suggestion with more than MAX_INT occurrences | |
721399-1 | 3-Major | Signature Set cannot be modified to Accuracy = 'All' after another value | |
719459-1 | 3-Major | Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled | |
719005-2 | 3-Major | Login request may arrive corrupted to the backend server after CAPTCHA mitigation | |
718232-3 | 3-Major | Some FTP servers may cause false positive for ftp_security | |
716940-1 | 3-Major | Traffic Learning screen graphs shows data for the last day only | |
716324-1 | 3-Major | CSRF protection fails when the total size of the configured URL list is more than 2 KB | |
715128-2 | 3-Major | Simple mode Signature edit does not escape semicolon | |
713282-2 | 3-Major | Remote logger violation_details field does not appear when virtual server has more than one remote logger | |
712362-4 | 3-Major | ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase | |
711818-4 | 3-Major | Connection might get reset when coming to virtual server with offload iRule | |
711405-2 | 3-Major | K14770331 | ASM GUI Fails to Display Policy List After Upgrade |
706184 | 3-Major | Disabling l7dos using LTM policy, and original DoS on the virtual server has no features enabled, connection hangs | |
704643-2 | 3-Major | Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule | |
701025-3 | 3-Major | BD restart on a device where 'provision.tmmcountactual' is set to a non-default value | |
687759 | 3-Major | bd crash | |
754365-4 | 4-Minor | Updated flags for countries that changed their flags since 2010 | |
754109-2 | 4-Minor | ASM content-security-policy header modification violates Content Security Policy directive | |
752797-2 | 4-Minor | BD is not correctly closing a shared memory segment | |
750682 | 4-Minor | Trying to remove a user-created 'Bot Signature' on IE11 fails | |
748999-2 | 4-Minor | invalid inactivity timeout suggestion for cookies | |
747905-2 | 4-Minor | 'Illegal Query String Length' violation displays wrong length | |
747560-4 | 4-Minor | ASM REST: Unable to download Whitehat vulnerabilities | |
722294-1 | 4-Minor | Reported session ID keeps changing for the same user session when ASM doesn't track sessions | |
720581-1 | 4-Minor | Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files | |
717525-2 | 4-Minor | Behavior for classification in manual learning mode | |
652793 | 4-Minor | "Signature Update Available" message is not cleared by UCS load/sync |
Application Visibility and Reporting Issues
ID Number | Severity | Solution Article(s) | Description |
746941-1 | 2-Critical | avrd memory leak when BIG-IQ fails to receive stats information | |
746823-2 | 2-Critical | AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members | |
726852-1 | 2-Critical | AVR inject CSPM event when there is no analytics profile on the virtual server | |
753446-3 | 3-Major | avrd process crash during shutdown if connected to BIG-IQ | |
749464-1 | 3-Major | Race condition while BIG-IQ updates common file | |
749461-1 | 3-Major | Race condition while modifying analytics global-settings | |
746837-1 | 3-Major | AVR JS injection can cause error on page if the JS was not injected | |
745027-1 | 3-Major | AVR is doing extra activity of DNS data collection even when it should not | |
744595-2 | 3-Major | DoS-related reports might not contain some of the activity that took place | |
744589-2 | 3-Major | Missing data for Firewall Events Statistics | |
740086-4 | 3-Major | AVR report ignore partitions for Admin users | |
740024-1 | 3-Major | Web page not load correctly if load time is enabled | |
737867-2 | 3-Major | Scheduled reports are being incorrectly displayed in different partitions | |
737863-2 | 3-Major | Advanced Filters for Captured Transactions not working on Multi-Blade Platforms | |
648242-3 | 3-Major | K73521040 | Administrator users unable to access all partition via TMSH for AVR reports |
741767-1 | 5-Cosmetic | ASM Resource :: CPU Utilization statistics are in wrong scale |
Access Policy Manager Issues
ID Number | Severity | Solution Article(s) | Description |
739716-1 | 1-Blocking | APM Subroutine loops without finishing | |
747621-1 | 2-Critical | Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used | |
747192-1 | 2-Critical | Small memory leak while creating Access Policy items | |
745600-2 | 2-Critical | Removal of timer object from tmm timer-ring when a tcl context is released. | |
740277-1 | 2-Critical | Extra policy_release (per-request policy) in policy engine causes core due to use-after-free condition | |
739674-2 | 2-Critical | TMM might core in SWG scenario with per-request policy. | |
722013-2 | 2-Critical | MCPD restarts on all secondary blades post config-sync involving APM customization group | |
713820-2 | 2-Critical | Pass in IP to urldb categorization engine | |
704587-3 | 2-Critical | Authentication with UTF-8 chars in password fails | |
752875-1 | 3-Major | tmm core while using service chaining for SSLO | |
750823-2 | 3-Major | Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD | |
750496 | 3-Major | TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP | |
749036-1 | 3-Major | Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM | |
748451-2 | 3-Major | Manager users cannot perform changes in per-request policy properties | |
746771-4 | 3-Major | APMD recreates config snapshots for all access profiles every minute | |
746768-3 | 3-Major | APMD leaks memory if access policy policy contains variable/resource assign policy items | |
745654-3 | 3-Major | Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server | |
745574-2 | 3-Major | URL is not removed from custom category when deleted | |
744532-1 | 3-Major | Websso fails to decrypt secured session variables | |
744316-2 | 3-Major | Config sync of APM policy fails with Cannot update_indexes validation error. | |
743437-2 | 3-Major | Portal Access: Issue with long 'data:' URL | |
739939-2 | 3-Major | Ping Access Agent Module leaks memory in TMM. | |
739024-1 | 3-Major | Kerberos auth fails intermittently after upgrade from v14.0.0 | |
738582-2 | 3-Major | Ping Access Agent Module leaks memory in TMM. | |
738547-2 | 3-Major | SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII | |
738397-3 | 3-Major | SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails. | |
737355-2 | 3-Major | HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files | |
737064-1 | 3-Major | ACCESS::session iRule commands may not work in serverside events | |
734316-1 | 3-Major | Per-Request Policy may require enabling SSL Forward Proxy Bypass | |
726616-2 | 3-Major | TMM crashes when a session is terminated | |
725867-1 | 3-Major | ADFS proxy does not fetch configuration for non-floating virtual servers | |
725840-1 | 3-Major | Customization group object is not deleted when SAML resource object is deleted | |
722991-1 | 3-Major | File "dead.letter" may show up in /root directory | |
722423-2 | 3-Major | Analytics agent always resets when Category Lookup is of type custom only | |
720757-2 | 3-Major | Without proper licenses Category Lookup always fails with license error in Allow Ending | |
720030-5 | 3-Major | Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U) | |
713655-1 | 3-Major | RouteDomainSelectionAgent might fail under heavy control plane traffic/activities | |
710884-2 | 3-Major | Portal Access might omit some valid cookies when rewriting HTTP request. | |
710044-4 | 3-Major | Portal Access: same-origin AJAX request may fail in some case. | |
707953-3 | 3-Major | Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page | |
706797-2 | 3-Major | Portal Access: some multibyte characters in JavaScript code may not be handled correctly | |
706374-5 | 3-Major | Heavy use of APM Kerberos SSO can sometimes lead to memory corruption | |
704524-5 | 3-Major | [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries | |
703984-8 | 3-Major | Machine Cert agent improperly matches hostname with CN and SAN | |
701800-1 | 3-Major | SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x | |
698836-1 | 3-Major | Increased APM session capacity is not available after installing an APM session count License | |
673357-2 | 3-Major | SWG puts flow in intercept mode when session is not found | |
660654 | 3-Major | The APM 'epsec refresh' CLI command works incorrectly if install package is deleted | |
600985-2 | 3-Major | Network access tunnel data stalls | |
534187-4 | 3-Major | Passphrase protected signing keys are not supported by SAML IDP/SP |
WebAccelerator Issues
ID Number | Severity | Solution Article(s) | Description |
701977-6 | 3-Major | Non-URL encoded links to CSS files are not stripped from the response during concatenation | |
748031-2 | 4-Minor | Invalidation trigger parameter containing reserved XML characters does not create invalidation rule |
Service Provider Issues
ID Number | Severity | Solution Article(s) | Description |
745397-2 | 2-Critical | Virtual server configured with FIX profile can leak memory. | |
704555-1 | 2-Critical | Core occurs if DIAMETER::persist reset is called if no persistence key is set. | |
752822-2 | 3-Major | SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type | |
751179-2 | 3-Major | MRF: Race condition may create to many outgoing connections to a peer | |
749603-2 | 3-Major | MRF SIP ALG: Potential to end wrong call when BYE received | |
749528-2 | 3-Major | IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap | |
749227-2 | 3-Major | MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE | |
749041-1 | 3-Major | MRSIP log of subscriber deletion outputs '(null)" for subscriber URI | |
748253-2 | 3-Major | Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection | |
748043-1 | 3-Major | MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP | |
747187-1 | 3-Major | SIP falsely detects media flow collision when SDP is in both 183 and 200 response | |
746825-2 | 3-Major | MRF SIP ALG with SNAT: Ephemeral listeners not created for un-subscribed outgoing calls | |
746731-2 | 3-Major | BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set | |
745628-2 | 3-Major | MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message | |
745514-2 | 3-Major | MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message | |
744949-2 | 3-Major | MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix | |
744275-2 | 3-Major | BIG-IP system sends Product-Name AVP in CER with Mandatory bit set | |
742829-2 | 3-Major | SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0 | |
741951-5 | 3-Major | Multiple extensions in SIP NOTIFY request cause message to be dropped. | |
738070-1 | 3-Major | Persist value for the RADIUS Framed-IP-Address attribute is not correct | |
727288-2 | 3-Major | Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC | |
709383-1 | 3-Major | DIAMETER::persist reset non-functional | |
753790-1 | 4-Minor | Allow 'DIAMETER::persist reset' command in EGRESS events | |
749704-1 | 4-Minor | GTPv2 Serving-Network field with mixed MNC digits | |
747909-4 | 4-Minor | GTPv2 MEI and Serving-Network fields decoded incorrectly |
Advanced Firewall Manager Issues
ID Number | Severity | Solution Article(s) | Description |
752363-3 | 2-Critical | Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled | |
751869-1 | 2-Critical | Possible tmm crash when using manual mode mitigation in DoS Profile | |
749402 | 2-Critical | AFM ACL Rule with Redirect to Virtual action can on rare occasions cause TMM restart | |
747922-4 | 2-Critical | With AFM enabled, during bootup, there is a small possibility of a tmm crash | |
724532-3 | 2-Critical | SIG SEGV during IP intelligence category match in TMM | |
751116-2 | 3-Major | DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring | |
749761-2 | 3-Major | AFM Policy with Send to Virtual and TMM crash in a specific scenario | |
748176 | 3-Major | BDoS Signature can wrongly match a DNS packet | |
748081-3 | 3-Major | Memory leak in BDoS module | |
747926-1 | 3-Major | Rare TMM restart due to NULL pointer access during AFM ACL logging | |
726154-3 | 3-Major | TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies | |
724679-1 | 3-Major | Non-attacking IP addresses could be logged along with attacking IP addresses when DoS detects an attack | |
720242-1 | 3-Major | GUI for AFM rules shows protocol value IPENCAP for rules under rule-list | |
703165-3 | 3-Major | shared memory leakage | |
663946-5 | 3-Major | VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments | |
707054-2 | 4-Minor | SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162 |
Policy Enforcement Manager Issues
ID Number | Severity | Solution Article(s) | Description |
753163-3 | 3-Major | PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days | |
753014-3 | 3-Major | PEM iRule action with RULE_INIT event fails to attach to PEM policy | |
747065-4 | 3-Major | PEM iRule burst of session ADDs leads to missing sessions | |
746344-2 | 3-Major | PEM may not re-establish diameter connection after HA switchover | |
726011-3 | 3-Major | PEM transaction-enabled policy action lookup optimization to be controlled by a sys db | |
709670-4 | 3-Major | iRule triggered from RADIUS occasionally fails to create subscribers. | |
663874-1 | 3-Major | K77173309 | Off-box HSL logging does not work with PEM in SPAN mode. |
719107-1 | 4-Minor | Message type is not displayed in CLI and incorrect message type is displayed in GUI for Subscriber Management diameter protocol profile message type CCA-T. |
Carrier-Grade NAT Issues
ID Number | Severity | Solution Article(s) | Description |
744516-3 | 2-Critical | TMM panics after a large number of LSN remote picks | |
723658-2 | 2-Critical | TMM core when processing an unexpected remote session DB response. | |
669645-4 | 2-Critical | tmm crashes after LSN pool member change | |
727212-2 | 3-Major | Subscriber-id query using full length IPv6 address fails. | |
721579-2 | 4-Minor | LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing |
Fraud Protection Services Issues
ID Number | Severity | Solution Article(s) | Description |
745783-2 | 3-Major | Anti-fraud: remote logging of login attempts | |
742037-4 | 3-Major | FPS live updates do not install when minor version is different | |
738669-1 | 3-Major | Login validation may fail for a large request with early server response | |
737368-2 | 3-Major | Fingerprint cookie large value may result in tmm core. | |
719186-1 | 3-Major | Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts | |
716318-1 | 3-Major | Engine/Signatures automatic update check may fail to find/download the latest update | |
660759-2 | 3-Major | Cookie hash persistence sends alerts to application server. | |
741449-2 | 4-Minor | alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts | |
738677-2 | 4-Minor | Configured name of wildcard parameter is not sent in data integrity alerts |
Anomaly Detection Services Issues
ID Number | Severity | Solution Article(s) | Description |
748121-2 | 2-Critical | admd livelock under CPU starvation | |
741761-2 | 2-Critical | admd might fail the heartbeat, resulting in a core | |
739277-2 | 2-Critical | TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode | |
714334-2 | 2-Critical | admd stops responding and generates a core while under stress. | |
653573-5 | 2-Critical | ADMd not cleaning up child rsync processes | |
741993-2 | 3-Major | The BIG-IP system does not answer the request matching L7 policy that disabled DOSL7 when BADOS configured. | |
720585-2 | 3-Major | Signatures generated by Behavioral DOS algorithm can create false-positive signatures | |
718772-1 | 3-Major | The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists) |
Traffic Classification Engine Issues
ID Number | Severity | Solution Article(s) | Description |
737379-1 | 3-Major | URLCAT doesn't work when we have uppercase characters in feedlist | |
726303-2 | 3-Major | Unlock 10 million custom db entry limit | |
741435-1 | 4-Minor | Using local traffic policies with type 'CE Profile', a new rule does not have the option to classify traffic |
Device Management Issues
ID Number | Severity | Solution Article(s) | Description |
718033-3 | 3-Major | REST calls fail after installing BIG-IP software or changing admin passwords | |
710809-3 | 3-Major | Restjavad hangs and causes GUI page timeouts |
iApp Technology Issues
ID Number | Severity | Solution Article(s) | Description |
726872-1 | 3-Major | IApp LX directory disappears after upgrade or restoring from ucs★ |
Known Issue details for BIG-IP v14.0.x
754365-4 : Updated flags for countries that changed their flags since 2010
Component: Application Security Manager
Symptoms:
Old flags for countries that changed their flags since 2010.
Conditions:
Requests from one of the following counties:
-- Myanmar
-- Iraq
-- Libya
Impact:
Old flag is shown.
Workaround:
None.
754109-2 : ASM content-security-policy header modification violates Content Security Policy directive
Component: Application Security Manager
Symptoms:
When the backend server sends a content-security-policy header where source-src and default-src directives are missing, ASM will modify the header when it does its own JavaScript injection, which might cause a csp policy violation for inline JavaScript code.
Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- ASM policy has CSRF or AJAX Blocking page enabled.
Impact:
Inline JavaScript does not run. The Browser reports a content-security-policy violation.
Workaround:
Disable csp in ASM by running the following commands:
-- /usr/share/ts/bin/add_del_internal add csp_enabled 0
-- bigstart restart asm
753790-1 : Allow 'DIAMETER::persist reset' command in EGRESS events
Component: Service Provider
Symptoms:
The 'DIAMETER::persist reset' command is not allowed in EGRESS events; it is blocked by validation.
Conditions:
In an iRule, attempt to use 'DIAMETER::persist reset' in an EGRESS event for DIAMETER.
Impact:
Unable to reset persistence records on an EGRESS event in DIAMETER through iRules.
Workaround:
None.
753650-1 : The BIG-IP system reports frequent kernel page allocation failures.
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:
swapper/16: page allocation failure: order:2, mode:0x104020
After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This issue is known to occur on the following VIPRION blade models:
- B2250 (A112)
- B4450 (A114)
Please note the issue is known to occur regardless of whether the system is running in vCMP mode or not, and regardless of whether the system is Active or Standby.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommend to increase this to either 64 MB (65536 KB) or 128 MB (131072 KB). You must do this on all blades installed in the system.
When instantiating this workaround, you must consider whether you want the workaround to only survive reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
753526-2 : IP::addr iRule command does not allow single digit mask
Component: Local Traffic Manager
Symptoms:
When plain literal IP address and mask are used in IP::addr command, the validation fails if the mask is single digit.
Conditions:
The address mask is single digit.
Impact:
Validation fails.
Workaround:
Assign address/mask to a variable and use the variable in the command.
753446-3 : avrd process crash during shutdown if connected to BIG-IQ
Component: Application Visibility and Reporting
Symptoms:
During shutdown of BIG-IP, if it is connected to BIG-IQ then avrd might crash.
Conditions:
BIG-IP is set to shutdown and configured to send statistics to BIG-IQ.
Impact:
No serious impact, since the BIG-IP is already instructed to shutdown, so the process crash is not causing any damage.
Workaround:
N/A
753423-5 : Disabling and immediately re-enabling the slot resulting interfaces from the slot permanently removed from aggregation
Component: TMOS
Symptoms:
working-mbr-count not showing correct number of interfaces.
Conditions:
Slot got disabled and re-enabled immediately.
Impact:
Interfaces may be removed from an aggregation permanently.
Workaround:
Disable and re-enable the slot with time gap of one second.
753163-3 : PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days
Component: Policy Enforcement Manager
Symptoms:
No connection request with PCRF/OCS if high availability (HA) failover occurs after 26 days. tmm crash
Conditions:
-- Using PEM.
-- HA failover occurs after 26 days.
Impact:
PEM does send the reconnect request within the configured reconnect, so there is no connection initiated with PCRF/OCS.
Workaround:
To restart the connection, restart tmm restart using the following command:
tmm restart
Note: Traffic disrupted while tmm restarts.
753159-2 : Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections
Component: Local Traffic Manager
Symptoms:
Mirrored serverside FastL4 connections do not inherit the IP ToS/QoS values from the selected pool or values set via iRule IP::tos/LINK::qos commands.
Conditions:
-- FastL4 virtual server with mirroring.
-- Pool with non-zero IP ToS/QoS values.
or
-- iRule with IP::tos/LINK::qos serverside commands
Impact:
IP ToS/QoS values are not set on mirrored connection after failover.
Workaround:
Configure desired IP ToS/QoS values in FastL4 profile
753014-3 : PEM iRule action with RULE_INIT event fails to attach to PEM policy
Component: Policy Enforcement Manager
Symptoms:
PEM iRule action with RULE_INIT event fails to attach to PEM policy.
Conditions:
Attaching PEM policy with PEM iRule action that contains a RULE_INIT event.
Impact:
PEM fails to update the new iRule action.
Workaround:
Force mcpd to reload the BIG-IP configuration.
To do so, follow the steps in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
752994-2 : Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod
Component: TMOS
Symptoms:
With a large number of client SSL profiles, combined with shallow nesting of these profiles, all referring to a single SSL certificate file object, mcpd can take a lot of time to process an update to that certificate. It is possible this amount of time will be longer than sod's threshold, and cause it to kill mcpd.
Conditions:
- A large number (hundreds or thousands) of client SSL profiles that have a shallow nesting structure and all point back to a single SSL certificate file object.
- Happens when the SSL certificate is updated.
Impact:
sod kills mcpd, which causes a failover (when high availability (HA) is configured) or an outage (when there is no HA configured).
Workaround:
None.
752930-2 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
Component: Local Traffic Manager
Symptoms:
Virtual Servers left in unknown state. Blade keeps restarting.
Conditions:
Change default route domain (RD) of partition with wildcard Virtual Servers.
Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop.
Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.
2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:
# ssh slot2 bigstart stop
# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109
# save sys config
# clsh rm -f /var/db/mcpdb.bin
# ssh slot2 bigstart start
Note: This recovery method might have to be executed multiple times to restore a working setup.
752875-1 : tmm core while using service chaining for SSLO
Component: Access Policy Manager
Symptoms:
tmm cores when using security services (service connect agent in per-request policies) for SSLO deployment.
Conditions:
-- Service connect agent in per-request policy.
-- SSLO deployment.
Impact:
tmm cores. Traffic disrupted while tmm restarts.
Workaround:
None.
752835-4 : Mitigate mcpd out of memory error with auto-sync enabled.
Component: TMOS
Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it will exponentially get further behind due to extra sync data, leading to the sending mcpd running out of memory and core dumping.
Conditions:
-- Auto-sync enabled in an HA pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.
Impact:
mcpd crashes.
Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.
752822-2 : SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type
Component: Service Provider
Symptoms:
SIP ALG calls that fail translation during ingress are not cleaned up by the system, which might result in memory being leaked inside the TMM processes.
Conditions:
SIP ALG calls that fail translation during ingress.
Impact:
TMM leaks memory, which can slow down performance and eventually cause TMM to run out of memory and restart. Traffic disrupted while tmm restarts.
Workaround:
None.
752797-2 : BD is not correctly closing a shared memory segment
Component: Application Security Manager
Symptoms:
Number shared memory segments is increasing.
Conditions:
There are many ASM restarts.
Impact:
Memory increases on the system.
Workaround:
None.
752530-2 : TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.
Component: Local Traffic Manager
Symptoms:
Fast L4 TCP Analytics reports incorrect goodput when server sequence number and the TMM generated sequence number are different.
Conditions:
This occurs when either of the following conditions are met:
-- tcp-generate-isn is set in the Fast L4 profile.
-- SYN cookie is active.
Impact:
The GUI page Statistics :: Analytics :: TCP :: Goodput page displays incorrect goodput values.
Workaround:
None.
752363-3 : Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled
Component: Advanced Firewall Manager
Symptoms:
Client request fails, due to being dropped on the BIG-IP system.
Conditions:
-- The BIG-IP AFM L4 BDoS feature is enabled.
-- Virtual server setup is such that the client-facing virtual server's destination is forwarded through another virtual server, which is an internally forwarded flow.
Impact:
Client request gets dropped due to BIG-IP AFM dropping the flow.
Workaround:
Disable BDoS feature. The feature can be disabled using the following commands:
-- To disable BDoS globally, run the following command:
modify security dos device-config dos-device-config dynamic-signatures { network { detection disabled mitigation none }}
To disable BDoS globally per-profile, run the following command:
modify security dos profile <profile-name> dos-network modify { test { dynamic-signatures { detection disabled mitigation none } } }
modify security dos profile test protocol-dns modify { test { dynamic-signatures { detection disabled mitigation none } } }
752334-2 : Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation
Component: Local Traffic Manager
Symptoms:
When Fast L4 receives out of order TCP packets, TCP analytics may compute wrong goodput value.
Conditions:
When FAST L4 receives out-of-order packets.
Impact:
Fast L4 reports an incorrect goodput value for the connection.
Workaround:
None.
752216-5 : DNS queries without the RD bit set may generate responses with the RD bit set
Component: Global Traffic Manager (DNS)
Symptoms:
If the BIG-IP system is configured to use forward zones, responses to DNS queries may include the RD bit, even if RD bit is not set on the query.
Conditions:
-- Forward zone is configured.
-- Processing a query without the RD bit.
Impact:
Some responses to DNS queries may include the RD bit, even thought the RD bit is not set on the query. This is cosmetic, but some DNS tools may report this as an RFC violation.
Workaround:
None.
751869-1 : Possible tmm crash when using manual mode mitigation in DoS Profile
Component: Advanced Firewall Manager
Symptoms:
tmm crash and restart is possible when using manual mode mitigation in DoS Profile.
Conditions:
When manual mode mitigation is used for any vector that is enabled in the DoS Profile that is attached to a Protected Object.
Impact:
tmm crash and restart is possible. Traffic disrupted while tmm restarts.
Workaround:
None.
751710-3 : False positive cookie hijacking violation
Component: Application Security Manager
Symptoms:
A false positive cookie hijacking violation.
Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with the higher domain level then the configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.
Impact:
False positive violation / blocking.
Workaround:
N/A
751540-2 : GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server
Component: Global Traffic Manager (DNS)
Symptoms:
GTM changes in some devices are not synced to other GTM-configured devices in the same syncgroup.
Conditions:
-- There are multiple self IP addresses configured on one VLAN.
-- Some, but not all, self IP addresses are configured for GTM server.
Impact:
GTM Sync group not syncing properly.
Workaround:
Configure all self IP addresses in the syncgroup for GTM server.
751409-2 : MCP Validation does not detect when virtual servers differ only by overlapping VLANs
Component: TMOS
Symptoms:
It is possible to configure two virtual servers with the same address, port, and route domain, and have them overlap only in VLANs. MCP does not detect the overlap.
Errors like this may be seen in the ltm log:
err tmm1[29243]: 01010009:3: Failed to bind to address
Conditions:
Two (or more) virtual servers with the same address, port, and route domain, and have them overlap only in VLANs
Impact:
Traffic does not get routed properly.
Workaround:
There is no workaround other than ensuring that virtual servers that have the same address, port, and route domain have no overlap of VLANs.
751179-2 : MRF: Race condition may create to many outgoing connections to a peer
Component: Service Provider
Symptoms:
If two different connections attempt to create an outgoing connection to a peer at the same time, multiple connections may be created, even if the peer object is configured for one connection per peer. This is due to a race condition in message routing framework during connection creation.
Conditions:
-- Two different connections attempt to create an outgoing connection to a peer at the same time.
-- The peer is configured for one connection per peer.
Impact:
More than one connection to a peer is created.
Workaround:
None.
751116-2 : DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring
Component: Advanced Firewall Manager
Symptoms:
The DoS visibility screens (Monitoring :: Security :: Reporting : DoS) may display DNS and Network protocol DoS attacks with the incorrect mitigation details.
Conditions:
An attacked object assigned to a DoS profile with either DNS or Network security protocols that are configured to have detect-only or learn-only states for DoS attacks.
Impact:
Network or DNS DoS attacks, detected by a DoS profile with detect-only or learn-only protection, display mitigation as Blocking instead of the configured Transparent protection. This does not affect the reported traffic data found in the DoS visibility dimensions and charts.
Workaround:
None.
751036-2 : Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
Component: Local Traffic Manager
Symptoms:
Virtual server status becomes unavailable when the connections are over the rate limit, and stays unavailable when the number of connections fall below the limit.
Conditions:
-- The connections are over the rate limit, making the virtual server status unavailable.
-- The number of connections fall below the limit.
Impact:
Virtual server status reports unavailable, even though it should be available.
Workaround:
This problem does not impact virtual server processing traffic. It simply reports the wrong status.
751024-3 : i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd
Component: TMOS
Symptoms:
Messages similar to the following appear in /var/log/ltm:
info bcm56xxd: 012c0012:6: I2C muxes are not cleared. Problem with mux 224:
Conditions:
-- i5000/i7000/i10000 platforms.
-- May be caused by a defective optic, rebooting/upgrading BIG-IP, removing and reinserting optics.
Impact:
Changes in optic state may be ignored while I2C bus is unavailable.
Workaround:
For each SFP, perform the following procedure:
1. Unplug the optic.
2. Wait 10 seconds.
3. Plug optic back in.
Note: This message might be caused by a defective optic. If error messages stop when one optic is removed, and error messages resume when the optic is inserted, replace that optic.
751021-2 : One or more TMM instances may be left without dynamic routes.
Component: TMOS
Symptoms:
Inspecting the BIG-IP's routing table (for instance, using tmsh or ZebOS commands) shows that dynamic routes have been learnt correctly and should be in effect.
However, while passing traffic through the system, you experience intermittent failures. Further investigation reveals that the failures are limited to one or more TMM instances (all other TMM instances are processing traffic correctly). The situation does not self-recover and the system remains in this state indefinitely.
An example of a traffic failure can be a client connection reset with cause 'No route to host'. If the client retries the same request, and this hits a different TMM instance, the request might succeed.
Conditions:
This issue is known to occur when all of the following conditions are met:
- The system is a multi-blade VIPRION or vCMP cluster.
- The system just underwent an event such as a software upgrade, a reboot of one or more blades, a restart of the services on one or more blades, etc.
Impact:
Traffic fails intermittently, with errors that point to lack of routes to certain destinations.
Workaround:
You can try to temporarily resolve the issue by restarting the tmrouted daemon on all blades. To do so, run the following command:
# clsh "bigstart restart tmrouted"
However, there is no strict guarantee this will resolve the issue, given the nature of the issue.
Alternatively, you could temporarily replace the dynamic routes with static routes.
751011-2 : ihealth.sh script and qkview locking mechanism not working
Component: TMOS
Symptoms:
Two qkviews can be started up on a system at the same time, which results in conflicts for each.
Conditions:
Running qkview on one terminal and then ihealth.sh in another.
Impact:
Running of two qkviews at the same time breaks both qkviews since they compete for the same files.
Workaround:
Run either qkview or ihealth.sh, not both simultaneously.
751009-2 : Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out
Component: TMOS
Symptoms:
After generating a Qkview or collecting a tcpdump via the BIG-IP GUI, or using the 'tmsh run util ihealth' command to do the equivalent, the /var/tmp/mcpd.out file is missing.
Conditions:
-- Generating a Qkview or collecting a tcpdump via the BIG-IP GUI.
-- Using the 'tmsh run util ihealth' command to do the equivalent operation.
Impact:
The file /var/tmp/mpcd.out is a debug file used by mcpd, primarily for collecting debug-level log information from MCPD.
The file being deleted causes challenges with trying to collect diagnostic information from a BIG-IP system (turning on mcpd debug logging), because it now requires a service impact (restarting mcpd).
Additionally, may cause challenges in managing disk space on /shared filesystem, as mcpd keeps writing to a deleted file, and it cannot be truncated.
Workaround:
Generating Qkviews by invoking the 'qkview' command directly avoids this issue.
Edit the /usr/bin/ihealth.sh script to remove the corresponding line.
From a bash shell:
1. mount -o remount,rw /usr
2. /bin/cp /usr/bin/ihealth.sh{,751009.bak}
3. sed -i '/\/bin\/rm -f \/var\/tmp\/mcpd.out/d' /usr/bin/ihealth.sh
4. mount -o remount,ro /usr
Note: This workaround does not persist across software installs/upgrades, nor does it ConfigSync or replicate across blades in a VIPRION chassis.
750922-2 : BD crash when content profile used for login page has no parse parameters set
Component: Application Security Manager
Symptoms:
Bd crashes. No traffic goes through ASM.
Conditions:
-- A Json Login page is configured.
-- The content profile used for the login page does not have parse parameters set.
Impact:
No traffic goes through ASM. Bd crashes.
Workaround:
Set the parse parameters setting.
750843 : HTTP data re-ordering when receiving data while iRule parked
Component: Local Traffic Manager
Symptoms:
Under certain circumstances tmm can reorder or omit HTTP data segments when they are received while processing an iRule which is parked.
Conditions:
- HTTP iRule execution suspended, e.g., waiting for a table command to return.
- Ingress data is processed during this state.
Impact:
Data corruption or loss can occur.
Workaround:
There is no workaround other than not using iRule suspend commands in HTTP_* events.
750823-2 : Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
Component: Access Policy Manager
Symptoms:
Memory usage in TMM keeps going up.
Conditions:
Access::policy evaluate command fails with error message in /var/log/ltm:
TCL error: ... - Failed to forward request to apmd.
Impact:
Memory leaks in TMM, which cause a TMM crash eventually.
Workaround:
Limit the amount of data that will be forwarded to APMD.
750682 : Trying to remove a user-created 'Bot Signature' on IE11 fails
Component: Application Security Manager
Symptoms:
Trying to remove a user-created 'Bot Signature' on Microsoft Internet Explorer v11 (IE11) fails with the following message:
To continue, please select one or more items from the list!
Conditions:
-- Using IE11.
-- Attempting to remove a user-created 'Bot Signature'.
Impact:
The operation fails.
Workaround:
Use Google Chrome or Mozilla Firefox browsers.
750496 : TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP
Component: Access Policy Manager
Symptoms:
TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP.
Conditions:
Create a basic SSO item.
Create a PRP that has the SSO Assign in it and select the basic SSO item.
Create a PSP that is Start->Allow
Create a VS that uses the PRP, PSP, and an pool.
Delete the SSO item in the UI.
Run traffic through the VS
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not delete the SSO config object referenced by SSO Configuration Select agent in PRP.
750447-2 : GUI VLAN list page loading slowly with 50 records per screen
Component: TMOS
Symptoms:
GUI VLAN list page is loading slowly with there are 3200+ VLANs with the Records Per Screen Preference set to 50.
Conditions:
-- Using a VIPRION system.
-- Configuration containing 3200 or more VLANs.
-- System Preferences Records Per Screen set to 50.
Impact:
Cannot use the page.
Workaround:
Use tmsh or guishell tool to see the VLANs.
You can also try using a smaller value for the Records Per Screen option in System :: Preferences.
750356-1 : Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted
Component: Application Security Manager
Symptoms:
In any Split View page (Request Log, Learning, etc.): All user-defined filters are removed if you delete a newly created filter without reloading the page first.
Conditions:
-- Create a new filter.
-- Remove the new filter.
Impact:
The system removes all user-defined filters.
Workaround:
Before you delete a newly created filter, reload the page.
750318-2 : HTTPS monitor does not appear to be using cert from server SSL profile
Component: TMOS
Symptoms:
An HTTPS monitor using a client certificate configured in the server SSL profile fails to send the certificate during the SSL handshake.
A tcpdump shows a 0-byte certificate being sent.
Conditions:
-- In-tmm monitoring is disabled (default).
-- The server SSL profile has been modified but without changing the configured certificate or key.
The resulting message passed from mcpd to bigd will contain only the incremental modification to the profile, which bigd treats as a complete profile, meaning that it is possible for the certificate and key parameters to be lost.
Impact:
SSL handshake might fail to complete and the HTTPS monitor fails.
Workaround:
Restart bigd process by running the following command:
bigstart restart bigd
750213-3 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
Component: Global Traffic Manager (DNS)
Symptoms:
FPGA hardware-accelerated DNS Cache can respond improperly to DNS queries that contain EDNS OPT Records. This improper response can take several forms, ranging from not responding with an OPT record, to a query timeout, to a badvers response.
Conditions:
This may occur if a client sends a query with an EDNS OPT record that has an unknown version or other values that the Hardware-accelerated Cache does not understand. These errors only occur when matching the query to a hardware cached response.
Note: If the response is not in the hardware cache, then the query should be properly handled.
Impact:
Hardware-accelerated DNS Cache drops the request. Clients will experience a timeout for that query.
This is occurring now because of the changes coming to software from certain DNS software vendors that remove specific workarounds on February 1st, 2019. This is known as DNS Flag Day.
Workaround:
None.
750200-2 : DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
Component: Local Traffic Manager
Symptoms:
DHCP requests from the client are sent only to the first member in the DHCP server pool.
Conditions:
- BIG-IP system configured as a DHCP Relay.
- DHCP server pool contains more than one DHCP server.
Impact:
- DHCP server load balancing is not achieved.
- If the first DHCP server in the DHCP server pool does not respond or is unreachable, the DHCP client will not be assigned an IP address.
Workaround:
None.
749761-2 : AFM Policy with Send to Virtual and TMM crash in a specific scenario
Component: Advanced Firewall Manager
Symptoms:
TMM restart in a specific scenario when AFM Policy is configured in multiple contexts (Global, Route Domain, Virtual Server), with Log Translations enabled, and Send-To-VS feature configured in at least one of the rules in the Security Policy.
Conditions:
-- When using Firewall ACL Policy in more than one context, i.e., more than one of the following context has ACL Security Policy applied:
+ Global Context
+ Route Domain
+ Virtual Server Context
-- Send To Virtual Server is configured on any Rule on the Security policy.
-- Traffic matching a Rule (with logging enabled) in more than one context.
-- AFM Security Logging Profile has log Translation Field Enabled.
Impact:
TMM restart causes service disruption. Traffic disrupted while tmm restarts.
Workaround:
Disable Logging of Translation Fields in Security Logging Profile.
749704-1 : GTPv2 Serving-Network field with mixed MNC digits
Component: Service Provider
Symptoms:
iRules command 'GTP::ie get value' incorrectly decodes Serving-Network field, putting the least significant digit of mobile network codes (MNC) value before the other two.
Conditions:
Using the iRule command 'GTP::ie get value' to retrieve the Serving-Network field from a GTP message (the iRule construction: GTP::ie get value -message $gtp_message 83).
Impact:
The operation returns results in which the least significant digit is inserted before the other two, resulting in incorrect data being returned.
Workaround:
None.
749689-3 : HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart
Component: Local Traffic Manager
Symptoms:
HTTPS monitor sends different amount of cipher suites in client hello during SSL handshake and sometimes back end server fails to find a desired cipher suite from client hello. As a result, sometimes SSL handshake fails and monitor wrongly marks pool member down.
Conditions:
-- Have an SSL profile to be used by an HTTPS monitor.
-- Load the same config more than once.
Impact:
HTTPS monitor might incorrectly mark pool member down because of a failed SSL handshake.
Workaround:
Restart bigd using the following command:
bigstart restart bigd
749603-2 : MRF SIP ALG: Potential to end wrong call when BYE received
Component: Service Provider
Symptoms:
When a BYE is received, the media flows for a different call might be closed in error.
Conditions:
If the hash of the call-id (masked to 12 bits) matches the hash of another's call-id.
Impact:
The media flows for both calls will be closed when one receives a BYE command. A call may be incorrectly terminated early.
Workaround:
None.
749528-2 : IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap
Component: Service Provider
Symptoms:
Under certain conditions the wrong self-IP can be selected as a source address for connections from an Internal Virtual Server to remote servers.
Conditions:
- Using an Internal Virtual Server (IVS).
- The VLAN being used to connect from the IVS to the server does not have a floating self-IP configured.
- At least one other VLAN has a floating self-IP configured.
- The primary virtual server that connects to the IVS is using SNAT automap.
Impact:
IVS traffic might not be routed properly.
Workaround:
- Configure a floating self-IP on the IVS server side VLAN.
or
- Use a SNAT pool instead of automap.
749508-2 : LDNS and DNSSEC: Various OOM conditions need to be handled properly
Component: Global Traffic Manager (DNS)
Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.
Conditions:
LDNS and DNSSEC OOM conditions.
Impact:
Various traffic-processing issue, for example, TMM panic during processing of DNSSEC activity.
Workaround:
None.
749464-1 : Race condition while BIG-IQ updates common file
Component: Application Visibility and Reporting
Symptoms:
The file /var/config/rest/downloads/app_mapping.json is being used by two processes: BIG-IQ and avrd.
This can cause a race-condition between the two and in some rare cases can cause avrd to crash.
Conditions:
BIG-IQ updating /var/config/rest/downloads/app_mapping.json while avrd is reading it.
Impact:
avrd might read incomplete data, and can even core in some rare cases.
Workaround:
None.
749461-1 : Race condition while modifying analytics global-settings
Component: Application Visibility and Reporting
Symptoms:
Updating the analytics global-settings might cause a core for avrd.
The avrd.log contains the following record:
AVRD_CONFIG|NOTICE... 13931|lib/avrpublisher/infrastructure/avr_mcp_msg_parser.cpp:2985| Modified Analytics Global Settings, added "0" offbox TCP addresses
Conditions:
Analytics global-settings are updated either explicitly, using a tmsh command, or implicitly, by internal process script.
Impact:
Might cause a core for avrd. After coring once, avrd is expected to start normally without any additional cores. The configuration change is expected to be applied correctly after restart is complete.
Workaround:
None.
749414-3 : Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects
Component: Local Traffic Manager
Symptoms:
There are two symptoms:
-- Modifying the monitor for a node or pool-member might remove monitor rule instances and monitor instances for other nodes/pool-members.
-- After those unrelated monitor rule instances and monitor instances are removed, if you try to alter the state of the pool-member/node, the system posts the following message: Invalid monitor rule instance identifier.
Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is not in a pool.
-- Run the following command: tmsh load /sys config
-- Loading ucs/scf file can trigger the issue also.
Impact:
The system might delete monitor rule instances for unrelated nodes/pool-members. Pool members are incorrectly marked down.
Workaround:
Failover or failback traffic to the affected device.
749402 : AFM ACL Rule with Redirect to Virtual action can on rare occasions cause TMM restart
Component: Advanced Firewall Manager
Symptoms:
TMM restart when Traffic hits AFM Policy Rule having Redirect to Virtual Action, and when the Redirected to Virtual is being modified or when traffic hits the box immediately on TMM service being up.
During the time when the TMM has just started, some of the Virtual Server could be in the process of being Ready. When traffic hits the TMM right after TMM startup, and if the Redirect to Virtual is not yet Ready is when this crash is likely.
Virtual Server can also be in a not yet Ready state during configuration change of the Virtual Server.
Conditions:
AFM Rule with Redirect to Virtual configured
Traffic Matching the Redirect to Virtual rule
The Redirect to Virtual Server is not Ready. When a Virtual Server goes through configuration change, or when TMM has just started and not all Virtual Servers are in Ready state yet, this problem can be hit.
Impact:
TMM restart and service disruption.
Since the issue can happen when TMM is just up after initialization, when the Virtual Servers are in the process of being initialized one by one, a restart of TMM could cause repeated such TMM crash and restarts.
749294-3 : TMM cores when query session index is out of boundary
Component: Local Traffic Manager
Symptoms:
TMM cores when the queried session index is out of boundary. This is not a usual case. It is most likely caused by the memory corrupted issue.
Conditions:
When session index equals the size of session caches.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
None.
749227-2 : MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE
Component: Service Provider
Symptoms:
INVITE message being processed operation creates a temporary registration entry for a unregistered subscriber, this registration entry is not extended if a subsequent invite occurs. This could cause the registration to expire during a call, thus allowing the reserved translated addresses to be provided to a different subscriber.
Conditions:
An INVITE message is received when unregistered-subscriber-callout attribute in the siprouter-alg profile
Impact:
The system adds a temporary registration entry to the registration table. The lifetime for this entry is the max-session-timeout value from the siprouter-alg profile. Subsequent INVITES will not extend the lifetime.
This could cause the registration to expire during a call, allowing the reserved translated addresses to be provided to a different subscriber.
Workaround:
None.
749222-2 : dname compression offset overflow causes bad compression pointer
Component: Global Traffic Manager (DNS)
Symptoms:
DNS requests receive error response:
- Got bad packet: bad compression pointer
- Got bad packet: bad label type
Conditions:
When dns response is large enough so that dname redirect to an offset larger than 0x3f ff.
Impact:
DNS response is malformed.
749109-2 : CSRF situation on BIGIP-ASM GUI
Component: Application Security Manager
Symptoms:
CSRF situation on the BIG-IP ASM GUI that might potentially lead to resource exhaustion on the device for the moment it is being run.
Conditions:
The following URL accepts a wildcard in the parameter id, making it a heavy URL:
https://BIG-IP/dms/policy/pl_negsig.php?id=*
Impact:
Once multiple requests are sent to the target GUI, it is possible to see httpd process spiking even in core 0 (VMWare).
Workaround:
None.
749041-1 : MRSIP log of subscriber deletion outputs '(null)" for subscriber URI
Component: Service Provider
Symptoms:
New logging was added for SIP subscriber registration and deletion. The deletion log MRSIPERR_SUBSCRIBER_DELETION_LOG() fails to show the subscriber URI, and instead, /var/log/ltm shows messages similar to the following:
MR_SIP: Subscriber registration deleted (xxx.xxx.xxx.xxx:5060 -> yyy.yyy.yyy.yyy:5060) subscriber URI: (null)
Conditions:
-- A SIP subscriber registration is deleted.
-- The log level DB variable log.mrsip.level is 'notice' or above.
Impact:
Prevents correlation of the deletion with the corresponding registration of the subscriber URI.
Workaround:
None.
749036-1 : Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM
Component: Access Policy Manager
Symptoms:
Some tmsh list commands may fail while SSLO is provisioned but no urldb or APM modules are provisioned with the following message: 'Password could not be retrieved'.
Conditions:
-- SSLO is provisioned.
-- Neither APM or URLDB are provisioned.
-- Run the generic tmsh list command.
Impact:
tmsh command fails and posts the error: Unexpected Error: Password could not be retrieved.
Note: Some 'tmsh list' commands with arguments do run. For example, 'tmsh list net vlan' provides correct output, but 'tmsh list' does not.
Workaround:
There is no workaround other than provisioning APM or URLDB.
Note: You can provision APM or URLDB even if they are not licensed. Although the full feature set is not available without a license, provisioning loads the daemons needed to support the generic 'tmsh list' command.
748999-2 : invalid inactivity timeout suggestion for cookies
Component: Application Security Manager
Symptoms:
ASM will report "invalid inactivity timeout" suggestions to delete a cookie, even though the cookies are being sent and are valid.
Conditions:
- Inactivity timeout feature is configured in Policy Builder
- Cookie entity is configured in the policy
- Valid, non-violating traffic containing cookies is passed
Impact:
Since non-violating traffic is not sent to the policy engine, the inactivity timeout timer is never reset, which will eventually lead to suggestions to delete the inactive cookie entities. These suggestions are erroneous because valid cookies are being sent in the traffic.
Workaround:
Ignore the inactive entity suggestions for cookies
748891-1 : Traffic bridged between VLANs in virtual-wire setups.
Component: Local Traffic Manager
Symptoms:
Traffic gets bridged between VLANs configured in virtual-wire setups.
Conditions:
-- DB variable connection.vlankeyed set to disabled.
-- Multiple virtual-wires configured with overlapping VLAN IDs.
Impact:
Incorrect/undesirable packet forwarding.
Workaround:
There is no workaround other than re-enabling sys db connection.vlankeyed.
748851-2 : Bot Detection injection include tags which may cause faulty display of application
Component: Application Security Manager
Symptoms:
The Bot Detection feature / Bot Defense profile includes JavaScript which is injected within <APM_DO_NOT_TOUCH> tags. Some web applications may be displayed incorrectly due to these tags.
Conditions:
- Your application includes JavaScript which dynamically adds HTML elements and expects a certain set of tags in the <head> section of the HTML.
- Bot Detection / Bot Defense are enabled.
Impact:
Some web applications may be displayed incorrectly.
Workaround:
None
748451-2 : Manager users cannot perform changes in per-request policy properties
Component: Access Policy Manager
Symptoms:
Users with Admin role can edit and administer per-request policy properties. Users with Manager role, which can manage most APM objects, cannot manage this specific one.
Conditions:
User with Manager role tries to modify or change per-request policies properties.
Impact:
Cannot manage per-request policy properties if user role is Manager.
Workaround:
There is no workaround other than having an Admin user manage these objects.
748409-1 : Illegal parameter violation when json parsing a parameter on a case-insensitive policy
Component: Application Security Manager
Symptoms:
An illegal parameter violation is raised although the parameter is configured
Conditions:
The policy is configured as case insensitive, and a parameter is configured with capital letters
Impact:
False positive illegal parameter violation
Workaround:
Configure violation as case sensitive
748295 : TMM crashes on shutdown when using virtio NICs for dataplane
Component: TMOS
Symptoms:
TMM crash on stop or restart.
Conditions:
1. Put the virtio NIC in a bad state while TMM is running (for example, detach the NIC from the host).
2. Run the following command: bigstart stop tmm
Impact:
TMM crash generates a core file. However, there is no impact on traffic as the device is already in a bad state before the crash.
Workaround:
None.
748253-2 : Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
Component: Service Provider
Symptoms:
Depending on the DIAMETER settings of the BIG-IP, there can be a race condition in a mirrored device cluster where where the standby BIG-IP resets its mirror connection to the active.
Conditions:
- MRF DIAMETER in use.
- The DIAMETER session profile on the BIG-IP is configured to use Reset on Timeout.
- This is more likely to happen if (in the DIAMETER session profile) the Maximum Watchdog Failures is set to 1, and the Watchdog Timeout is configured to be the same value as the remote DIAMETER system.
Impact:
The standby is no longer mirroring the active system, and will get out of sync with it. There may be connections lost if a failover occurs.
Workaround:
More of a mitigation than a workaround:
- Configure the Maximum Watchdog Failures to a value greater than 1.
- Configure the Watchdog Timeout as something different than the same timeout on the remote peer, preferably to something that will have little overlap (i.e. the two timers should fire at the exact same time very infrequently).
748252-1 : Connection reset seen with SSL bypass on a L2 wire setup
Component: Local Traffic Manager
Symptoms:
A connection reset occurs when trying to bypass SSL forward proxy on a L2 Wire setup.
Conditions:
-- configure an SSL policy to bypass the SSL forward proxy in an L2 Wire setup.
-- Attempt to pass traffic that matches the policy.
Impact:
Traffic that matches the policy experiences a reset when attempting to do the bypass. Cannot bypass SSL forward proxy on a L2 wire setup
Workaround:
None.
748187-3 : 'Transaction Not Found' Error on PATCH after Transaction has been Created
Component: TMOS
Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.
Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.
Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.
Workaround:
If transaction is not very large, configure icrd_child to only run single-threaded.
748177-2 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character
Component: Global Traffic Manager (DNS)
Symptoms:
Multiple wildcards not matched to the most specific WideIP.
Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.
Impact:
DNS request will get wrong answer.
Workaround:
There is no workaround at this time.
748176 : BDoS Signature can wrongly match a DNS packet
Component: Advanced Firewall Manager
Symptoms:
When using BDoS feature for DNS protocol, and when there are auto-generated DNS Signatures or if Custom DNS signatures are configured manually, it is found that at times, a valid DNS request is dropped because it wrongly matches the configured/dynamically generated DNS Signature when the box is under load, and BDoS mitigation is ongoing.
Conditions:
Configured DNS Signature (Or) there exists a Dynamically generated DNS Signature.
Such a DNS signature is found to match a DNS packet wrongly, even though the signature match criteria is different from the matched DNS packet.
Impact:
When box is under load, the configured DNS signature gets into Attack Mitigation mode (which is normal), but may wrongly drop a DNS packet that does not match the signature.
Workaround:
Disable BDoS for protocol DNS. Also, do not use Manually configured DNS Signatures.
748121-2 : admd livelock under CPU starvation
Component: Anomaly Detection Services
Symptoms:
Due to the resources starvation the worker thread of admd does not get CPU for more than two minutes. At the same time, the configuration thread does get CPU.
The admd heartbeat failure occurs at 120 seconds. The SOD daemon kills admd.
The system posts messages similar to the following:
-- notice sod[6783]: 01140041:5: Killing /usr/bin/admd pid 6732
-- warning sod[6783]: 01140029:4: HA daemon_heartbeat ADMD.Anomaly0 fails action is restart.
-- warning sod[6783]: 01140029:4: HA daemon_heartbeat ADMD.Publisher0 fails action is restart.
Conditions:
-- High CPU / memory utilization,
-- Very large configuration.
Note: There are no known special configuration requirements to have this occur.
Impact:
admd restarts.
Behavioral DoS does not work.
Workaround:
Reboot the BIG-IP system.
748081-3 : Memory leak in BDoS module
Component: Advanced Firewall Manager
Symptoms:
TMM runs out of memory and restarts.
The memory usage as shown in "tmctl memory_usage_stat", under module line tag "session" is noticed to be high, and keeps growing.
Conditions:
The issue is seen when BDoS feature is configured, and if there exits Custom or Auto Generated BDoS Signatures. When such signatures exist, the BDoS one second timer callback leaks memory.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable BDoS feature.
Disable all configured and auto generated BDoS signatures using TMSH command:
modify security dos dos-signature all { state disabled }
748043-1 : MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP
Component: Service Provider
Symptoms:
SIP Server sends SIP Request to the client.
The SIP Server inserts a different port, so that response are received on a different port.
The Client sends the response on the new requested port.
BIG-IP drops the packet
Conditions:
SIP Server wants the SIP Response to be coming on a different port.
Impact:
SIP Request will not receive the SIP Response
Workaround:
There is no workaround.
748031-2 : Invalidation trigger parameter containing reserved XML characters does not create invalidation rule
Component: WebAccelerator
Symptoms:
If a parameter value for an invalidation trigger contains reserved XML characters, compilation of the resulting invalidation rule fails due to the reserved characters not being escaped.
Conditions:
- AAM policy with invalidation trigger defined
- trigger request with parameter value(s) containing reserved XML characters
Impact:
The invalidation rule requested by the trigger request is not created. Content is not invalidated as expected.
Workaround:
No workaround exists.
747968-1 : DNS64 stats not increasing when requests go through dns cache resolver
Component: Local Traffic Manager
Symptoms:
DNS64 stats are not incrementing when running the tmsh show ltm profile dns or in tmctl profile_dns_stat commands if responses are coming from dns cache resolver.
Conditions:
DNS responses are coming from dns cache resolver.
Impact:
DNS64 stats not correct.
Workaround:
There is no workaround at this time.
747926-1 : Rare TMM restart due to NULL pointer access during AFM ACL logging
Component: Advanced Firewall Manager
Symptoms:
Tmm crashes while performing log ACL match logging.
Conditions:
The problem can happen only with the following configuration:
1) AFM Logging for ACLs enabled.
2) Security Network Logging profile has the property "log-translation-fields enabled"
The problem happens under extremely rare circumstances.
Impact:
Traffic disrupted while tmm restarts.
747922-4 : With AFM enabled, during bootup, there is a small possibility of a tmm crash
Component: Advanced Firewall Manager
Symptoms:
During bootup, with AFM enabled, there is a small possibility of a tmm crash. The tmm process generates a core file and then automatically restart.
Conditions:
-- AFM enabled.
-- sPVA-capable hardware platform.
-- Boot up the system.
Impact:
tmm crashes, coredumps, and then restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
747909-4 : GTPv2 MEI and Serving-Network fields decoded incorrectly
Component: Service Provider
Symptoms:
MEI and Serving-Network vales obtained with GTP::ie get iRule command contains digits swapped in pairs, first digit missing and a random digit added at the back.
Conditions:
Processing GTP traffic with iRules.
Impact:
It is impossible to obtain correct value of MEI and Serving-Network fields of the GTPv2 packets when processing with iRules.
Workaround:
No workaround.
747905-2 : 'Illegal Query String Length' violation displays wrong length
Component: Application Security Manager
Symptoms:
When the system decodes a query string that exceeds the allowed query string length, the system reports the incorrect 'Illegal Query String Length' violation string length.
Conditions:
-- 'Illegal Query String Length' violation is encountered.
-- The query string is decoded and reported.
Impact:
The system reports the decoded character count rather than bytes. For example, for a Detected Query String Length = 3391, the system posts a Detected Query String Length = 1995.
Workaround:
None.
747799-1 : 'Unable to load the certificate file' error and configuration-load failure upgrading from 11.5.4-HF2 to a later version, due to empty cert/key in client SSL profile
Component: TMOS
Symptoms:
During upgrade, the configuration fails to load due to an invalid client SSL profile cert/key configuration. The system posts an error: Unable to load the certificate file.
This occurs as a result of an invalid configuration that can be created as a result of a bug (614675) that exists in 11.5.4-HF2 (and only in 11.5.4-HF2). Because of the bug, it is possible to create a client SSL profile with an empty cert-key-chain, as shown in the following example:
ltm profile client-ssl /Common/cssl {
app-service none
cert none
cert-key-chain {
"" { } <=============== empty cert-key-chain
defualt_rsa_ckc { <==== typo: 'defualt'
cert /Common/default.crt
key /Common/default.key
}
}
key none
}
Note: This upgrade failure has an unique symptom: the typo 'defualt_rsa_ckc'. However, the name has no specific negative impact; the issue is with the empty cert-key-chain.
After upgrading such a configuration from 11.5.4-HF2 to any later version of the software, the system posts a validation error, and the configuration fails to load.
Conditions:
The issue occurs when all the following conditions are met:
-- You are using 11.5.4-HF2.
-- The 11.5.4-HF2 configuration contains an invalid client SSL profile (i.e., a client SSL profile containing an empty cert-key-chain).
-- You upgrade to any software version later than 11.5.4-HF2.
Impact:
After upgrade, the configuration fails to load. The system posts an error message similar to the following:
-- "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- Loading schema version: 11.5.4 Loading schema version: 13.1.0.8 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file. Unexpected Error: Loading configuration process failed.
Workaround:
You can fix the profile configuration in /config/bigip.conf either before the upgrade (in 11.5.4-HF2), or after the upgrade failure.
To do so:
1. Replace 'cert none' with a cert name, such as /Common/default.crt.
2. Replace 'key none' with a key name, such as /Common/default.key.
3. Remove the entire line containing the following: "" { }.
4. Correct the spelling of 'defualt' to 'default'. Although there are no negative consequences of this typo, it is still a good idea.
The new profile should appear similar to the following:
ltm profile client-ssl /Common/cssl {
app-service none
cert /Common/default.crt
chain none
cert-key-chain {
default_rsa_ckc {
cert /Common/default.crt
key /Common/default.key
}
}
key /Common/default.key
}
747777-2 : Extractions are learned in manual learning mode
Component: Application Security Manager
Symptoms:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"
Conditions:
Direct cause: Policy contains parameters with dynamic type
Indirect cause: Policy Builder is configured to classify parameters as dynamic (related to bug 717525)
Impact:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"
Workaround:
- Change all dynamic parameters value types to User Input with Alpha Numeric data type
- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').
747676-2 : Remote logging needs 'localip' to set source IP properly
Component: TMOS
Symptoms:
Source ip of log entries sometimes use self-ip.
Conditions:
It happens when configuring mgmt IP and route is slower than syslog-ng start.
This issue happens in case of the HA scenario also.
Impact:
Remote log entry has wrong source IP address.
Workaround:
Use localip keyword to force specific IP address.
udp("1.1.1.9" port (514) localip("100.100.100.101"));
In case of the HA configuration, use persist-name key word or syslog-ng may fail to start.
# setting for device A
udp("1.1.1.9" port (514) localip("100.100.100.101") persist-name(devA) );
# setting for device B
udp("1.1.1.9" port (514) localip("100.100.100.102") persist-name(devB));
747628-2 : BIG-IP sends spurious ICMP PMTU message to server
Component: Local Traffic Manager
Symptoms:
After negotiating an MSS in the TCP handshake, BIG-IP then sends an ICMP PMTU message because the packet is too large.
Conditions:
The serverside allows timestamps and the clientside doesn't negotiate them.
The clientside MTU is lower than the serverside's.
There is no ICMP message on the clientside connection.
Impact:
Unnecessary retransmission by server, suboptimal xfrag sizes (and possibly packet sizes)
Workaround:
Disable timestamps on the serverside TCP profile, or proxy-mss on the clientside profile.
747621-1 : Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used
Component: Access Policy Manager
Symptoms:
Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used, e.g. RADIUS server performs two factor authentication.
Conditions:
1. Native VMware Horizon client is used to connect via APM.
2. RADIUS authentication agent is present in Access Policy.
3. RADIUS server asks for challenge response (e.g. 2FA).
Impact:
Authentication fails. User can't get access to VMware Horizon resources.
Workaround:
None.
747617-3 : TMM core when processing invalid timer
Component: Local Traffic Manager
Symptoms:
TMM crashes while processing an SSLO iRules that enables the SSL filter on an aborted flow.
Conditions:
SSLO is configured and passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround
747560-4 : ASM REST: Unable to download Whitehat vulnerabilities
Component: Application Security Manager
Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.
Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.
Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided, and it must be downloaded manually, or the GUI must be used.
Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.
747192-1 : Small memory leak while creating Access Policy items
Component: Access Policy Manager
Symptoms:
Memory slowly leaks for every access policy item added: 32 + 80 bytes for each item.
Conditions:
The leak occurs while creating new policy items in Access.
Impact:
After long uptime mcpd may crash due to lack of memory.
Workaround:
restart mcpd periodically if you modify Access policies frequently by adding or deleting policy items.
747187-1 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response
Component: Service Provider
Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.
Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.
Impact:
Media does not flow on pinholes for which a collision was detected and reported.
Workaround:
None
747077 : Potential crash in TMM when updating pool members
Component: Local Traffic Manager
Symptoms:
In very rare cases, TMM can crash while updating pool members.
Conditions:
The conditions that lead to this are not known.
Impact:
TMM crashes, which can cause a failover or outage.
Workaround:
There is no workaround.
747065-4 : PEM iRule burst of session ADDs leads to missing sessions
Component: Policy Enforcement Manager
Symptoms:
Some PEM sessions that were originally added, later disappear and cannot be added back.
Conditions:
-- Subscriber addition is done by iRule on UDP virtual servers.
-- The sessions are added in a burst.
-- A small fraction of such sessions cannot be added back after delete.
Impact:
Policies available in the missing session cannot be accessed.
Workaround:
Add a delay of at least a few milliseconds between adding multiple session with same subscriber-id and IP address.
746941-1 : avrd memory leak when BIG-IQ fails to receive stats information
Component: Application Visibility and Reporting
Symptoms:
AVRD has memory leak when it is failing to send statistical information to BIG-IQ.
Conditions:
BIG-IP is used by BIG-IQ version 6.0.0 or higher, and stats collection is enabled.
Plus, BIG-IQ has some malfunction that prevents it from receiving the statistical information that BIG-IP is sending (for example: all DCDs are down, or not network connection between BIG-IP and BIG-IQ).
Impact:
avrd memory is increased over time, leading to avrd restart when it is getting too large
Workaround:
Connectivity issue between BIG-IP and BIG-IQ should be fixed, not just in order to prevent this memory leak, but for more important functionality such as visibility and alerts features in BIG-IQ.
746922-5 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
Component: Local Traffic Manager
Symptoms:
In a situation when a routing entity belonging to the child route domain is searching for an egress point for a traffic flow, it's searching for a routing entry in the child domain first, then if nothing is found, it searches for it in the parent route domain and returns the best found routing entry.
If the best routing entry from the parent route domain is selected, then it is held by a routing entity and is used to forward a traffic flow. Later, a new route entry is added to the child route domain's routing table and this route entry could be better than the current previously selected routing entry. But previously selected entry doesn’t get invalidated, thus the routing entity which is holding this entry is forwarding traffic to a less preferable egress point.
#Example:
RD0(parent) -> RD1(child)
routing table: default gw for RD0 is 0.0.0.0/0%0
pool member is 1.1.1.1/32%1
-
Pool member searched for the best egress point and found nothing in the routing table for the route domain 1 and later found a routing entry, but from the parent route domain - 0.0.0.0/0%0.
Later new gw for RD1 was added - 0.0.0.0/0%1, it's more preferable for 1.1.1.1/32%1 pool member. 0.0.0.0/0%0 should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, as in our case - 0.0.0.0/0%1.
Conditions:
1) There are more than one route domains in the parent-child relationship.
2) There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object(for instance, pool member) which is from child route domain.
3) The routing entry from a parent route domain was selected as an egress point for the object from the child route domain.
4) New routing entry for child route domain is added.
Impact:
If a new added route is more preferable than existing in a different route domain, then the new route is not going to be used by a routing object, which has selected an "old" route previously. Thus traffic flows through these routing objects to the unexpected/incorrect egress point. This could present undesirable behavior: the route could be unreachable and all traffic for a specific pool member is dropped or virtual server couldn't find an available SNAT address or just that the wrong egress interface is being used.
Workaround:
There are several ways:
Either of this workaround should be done after a new route in child domain was added.
- Recreate a route.
Recreate a parent route domain's routes. Restart tmrouted deamon if routes were gathered via routing protocols.
-----
- Recreate a routing object.
If a pool member is affected, recreate the pool member.
If a SNAT pool list is affected, recreate it.
And so on.
746877-2 : Omitted check for success of memory allocation for DNSsec resource record
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.
Conditions:
During memory stress while handling DNSsec traffic.
Impact:
TMM panic and subsequent interruption of network traffic.
Workaround:
Keeping the workload within normal ranges reduces the probability of encounter.
746837-1 : AVR JS injection can cause error on page if the JS was not injected
Component: Application Visibility and Reporting
Symptoms:
If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR 'promises' to the client a JS injection in the response by adding the expected length of the JS to the Content-length header.
If later, it is identified that the response contains no HTML tag, AVR does not inject the JS; instead it wraps the response with spaces.
This can lead to errors in cases where the change in response size is not supported.
Conditions:
AVR is configured to collect 'Page Load Time' and the response from the web server has these conditions:
-- The response is uncompressed.
-- The context-type header is text/html.
-- The response is not chunked (Context-length header exists).
-- The payload does not include the HTML head tag.
Impact:
White Spaces at the end of the page can cause it to be invalid for some applications.
Workaround:
To avoid trying to inject to pages where the JS does not fit, use iRules to control which pages should get the JS injection.
For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.
746825-2 : MRF SIP ALG with SNAT: Ephemeral listeners not created for un-subscribed outgoing calls
Component: Service Provider
Symptoms:
When a temporary registration is created for an un-subscribed user making an outgoing call, an ephemeral listener to receive incoming messages is not created.
Conditions:
If nonregister-subscriber-callout attribute in the siprouter-alg profile is enabled, and an unregiatered client device places an outgoing call, a temporary registration is created. This temporary registration lives for the life of the call. During the lifetime of the temporary registration if the connection from the client is closed, it is not possible for an external device to reach the client.
Impact:
The callee of an outgoing call initiated by an un-registered sip device will not be able to end the call.
Workaround:
There is no workaround at this time.
746823-2 : AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members
Component: Application Visibility and Reporting
Symptoms:
In a configuration that AVR is set to send telemetry data to external source (like connection with BIG-IQ), and there is large number of config objects in the system, such as virtual servers and pool-members. AVRD is constantly crashing.
Conditions:
1. AVR is set to send telemetry data to external source (like connection with BIG-IQ).
2. Large number of config objects in the system, such as virtual servers and pool-members.
Impact:
AVRD process is crashing and telemetry data is not collected.
Workaround:
N/A
746771-4 : APMD recreates config snapshots for all access profiles every minute
Component: Access Policy Manager
Symptoms:
When the access profile configurations in APMD and MCPD are out of sync, APMD will detect the config snapshot for one access profile is missing. This triggers AMPD to recreates the config snapshots for all access profiles. The detect-recreate cycle will repeat every minute.
Sep 11 17:57:39 BIG-IP err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
Sep 11 17:57:59 BIG-IP notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
...
Sep 11 17:58:39 BIG-IP err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
Sep 11 17:59:00 BIG-IP notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
Conditions:
The condition under which the access profile configurations in APMD and MCPD become out of sync is unknown.
Impact:
TMM memory usage will increase due to excessive config snapshots created.
Workaround:
Restart APMD to clear the APMD and MCPD out of sync condition.
746768-3 : APMD leaks memory if access policy policy contains variable/resource assign policy items
Component: Access Policy Manager
Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.
Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.
Impact:
APMD's memory footprint will increase whenever the access policy is applied.
Workaround:
There is no workaround.
746731-2 : BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
Component: Service Provider
Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.
Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Firmware-Revision AVP.
Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.
Workaround:
Configure an iRule in the MRF transport-config, for example:
ltm rule workaround {
when DIAMETER_EGRESS {
if {[serverside] && [DIAMETER::command] == "257" } {
DIAMETER::avp flags set 267 0
}
}
}
746719-2 : SERVFAIL when attempting to view or edit NS resource records in zonerunner
Component: Global Traffic Manager (DNS)
Symptoms:
While attempting to use ZoneRunner to edit NS resource records, getting error:
01150b21:3: RCODE returned from query: 'SERVFAIL'.
Conditions:
- An NS resource record is selected using the zonerunner GUI
- The NS record points to a zone that bind is not authoritative for.
- Recursion is enabled on the zone in question
- The bind process is not able to reach the nameserver referenced in the NS record.
Impact:
Administrator is unable to use ZoneRunner to edit NS records.
Workaround:
Set recursion to no for the appropriate zone, perform the change, set recursion back to yes.
Note: This will be impacting to any clients expecting recursion for the duration of the change.
746657-2 : tmsh help for FQDN node or pool member shows incorrect default for fqdn interval
Component: TMOS
Symptoms:
The tmsh help text for LTM nodes and pools shows the incorrect default for the fqdn 'interval' value.
The default is indicated as the TTL, whereas the actual default value is 3600 seconds (1 hour).
The configured value is displayed correctly if the node or pool is displayed using the 'all-properties' keyword.
Conditions:
Always.
Impact:
FQDN nodes and pool members may be created with a different fqdn refresh interval than intended.
Workaround:
When creating an FQDN node or pool member, specify the desired fqdn 'interval' value (either TTL, or the desired number of seconds).
746620-2 : "source-port preserve" does not work on BIG-IP Virtual Edition
Component: Performance
Symptoms:
BIG-IP Virtual Edition uses RSS hashing for selecting TMMs which has the side effect of causing "source-port preserve" to reuse ports aggressively. This can ultimately lead to connection failures.
Conditions:
BIG-IP virtual edition with "source-port preserve" configured on a fastl4 virtual server and VE configures RSS hash. VE will configure RSS hash if both the below conditions are met
1. VE supports RSS hash on the NIC. Currently, RSS is supported on ixlv and vmxnet3 NICs
2. The number of TMMs <= maximum number of queues supported by the NIC. For ixlv this is 4 and for vmxnet3 this is 8
Impact:
Connections may fail due to reusing ports too quickly.
Workaround:
On the Virtual Server, set source-port to "change".
746464-2 : MCPD sync errors and restart after multiple modifications to file object in chassis
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Conditions:
This can be encountered when rapidly making changes to files such as creating and then deleting them while the config sync of the file creation is still in progress.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.
746394-2 : With ASM CORS set to "Disabled" it strips all CORS headers in response.
Component: Application Security Manager
Symptoms:
All access-control-* headers are removed by asm, including Cross-Origin Resource Sharing (CORS) headers. This causes CORS related javascript errors on browser console and blocks cross-domain requests that should be allowed.
Conditions:
-- ASM Provision
-- ASM policy attached to a virtual
-- Backed server sends CORS headers access-control-*
Impact:
Webapp which sends cross origin ajax requests could be broken.
Workaround:
Setup an irule on a virtual server.
when HTTP_RESPONSE {
array set header_list { }
foreach header_name [HTTP::header names] {
if { [string tolower $header_name] starts_with "access-control-" } {
set header_list($header_name) [HTTP::header $header_name]
}
}
}
when HTTP_RESPONSE_RELEASE {
foreach header_name [array names header_list] {
if {!([HTTP::header exists $header_name])} {
HTTP::header insert $header_name $header_list($header_name)
}
}
}
746344-2 : PEM may not re-establish diameter connection after HA switchover
Component: Policy Enforcement Manager
Symptoms:
PEM diameter may not establish diameter connection after a failover, if more than 25 days have elapsed between failovers
Conditions:
If 25 days have elapsed between failovers
Impact:
Diameter connection may not happen
Workaround:
tmm restart
746266-2 : Vcmp guest vlan mac mismatch across blades.
Component: TMOS
Symptoms:
Guests running on blades in a single chassis report different MAC addresses on a single vlan upon host reboot for vcmp guest.
Conditions:
This issue may be seen when all of the following conditions are met:
- One (or more) blade(s) are turned off completely via AOM.
- Create two vlans.
- Deploy a multi-slot guest with the higher lexicographic vlan.
- Now, assign the smaller vlan to the guest.
- Reboot the host
Impact:
Incorrect MAC addresses are reported by some blades.
Workaround:
There is no workaround at this time.
746078-2 : Upgrades break existing iRulesLX workspaces that use node version 6
Component: Local Traffic Manager
Symptoms:
When upgrading a BIG-IP with iRulesLX plugins, if those plugins are based on workspaces that use node version 6 (instead of version 0.12) they will fail to work properly after the upgrade once the plugin is reloaded from the workspace.
Errors like this will be seen in /var/log/ltm:
Oct 5 06:37:12 B7200-R14-S36 info sdmd[17582]: 018e0017:6: pid[26853] plugin[/Common/test-jt-plugin.test-jt-extension] Starting the server.....jt...after upgrade...
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: Resuming log processing at this invocation; held 233 messages.
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] /var/sdm/plugin_store/plugins/:Common:test-jt-plugin_62858_3/extensions/test-jt-extension/node_modules/f5-nodejs/lib/ilx_server.js:30
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ILXServerWrap = process.binding('ILXServerWrap').ILXServerWrap;
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ^
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] Error: No such module: ILXServerWrap
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] at Error (native)
Conditions:
Upgrading a version of BIG-IP that is using iRulesLX that has a workspace based on node version 6. Later reloading the iRulesLX plugin from the workspace.
Impact:
The iRulesLX plugin no longer works.
Workaround:
- Navigate to the workspace folder on the BIG-IP (/var/ilx/workspaces/<partition>/<workspace name>.
- Make the file "node_version" writable (chmod +w node_version).
- Edit the node_version file: change "0.12" to "6"
- Save the node_version file.
- Make the file "node_version" read-only (chmod -w node_version).
- Reload the iRulesLX plugin from the workspace.
745923-1 : Virtual server may reset a connection with port zero when client sends ACK after a 4-way close
Component: Local Traffic Manager
Symptoms:
Virtual sends a reset of port zero.
Conditions:
Here is an observed sequence for the problem to happen:
1. Three way handshake initiated by client to VIP.
2. Client actively closing the connection - 4 way close
3. Client continues to send ACK after 4 way close
Impact:
Virtual does a wrong reset.
Workaround:
There is no workaround at this time.
745825-2 : The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading
Component: TMOS
Symptoms:
This message may be logged while the audit_forwarder is loading the configuration:
audit_forwarder is disabled as the configuration is incomplete. Please define the following db variables: config.auditing.forward.sharedsecret, config.auditing.forward.destination and config.auditing.forward.type. And make sure config.auditing.forward.destination is not set to "::".
These DB variables may all be actually configured correctly, but since the configuration has not loaded yet this message may be logged multiple times.
Conditions:
The audit_forwarder process is starting up and loading the configuration.
Impact:
Confusing error messages in /var/log/ltm. Logging will still work as configured.
Workaround:
There is no workaround.
745802-2 : Brute Force CAPTCHA response page truncates last digit in the support id
Component: Application Security Manager
Symptoms:
Brute Force CAPTCHA response page shown to an end-user has a support id and the last digit is truncated.
Conditions:
- ASM Provisioned
- ASM policy attached to a virtual server
- ASM Brute Force Protection enabled in the asm policy
- ASM Brute Force sends captcha mitigation page when a website is under brute force attack.
Impact:
The support id presented to an end-user won't be matched to the one shown in the asm logs
Workaround:
There is no workaround at this time.
745783-2 : Anti-fraud: remote logging of login attempts
Component: Fraud Protection Services
Symptoms:
There is no support for logging of login attempts to a remote service.
Conditions:
Using high speed logging (HSL) to log login attempts.
Impact:
There is no support for logging of login attempts.
Workaround:
None.
745654-3 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
Component: Access Policy Manager
Symptoms:
When there are a lot of tcp connections that needs new kerberos ticket to be fetched from kdc, then the websso processes requests slower than the incoming requests. This could lead to low throughput and virtual server is very slow to respond to requests.
Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.
Impact:
Low throughput and slow responses from Virtual server.
Workaround:
There is no workaround at this time.
745628-2 : MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
Component: Service Provider
Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALD with SNAT after a NOTIFY message has been processed.
Conditions:
This occurs because the NOTIFY message has has the TO and FROM headers with the same value causing the ALG to enter hairpin mode.
Impact:
Media addresses in the SDP payload are not translated.
Workaround:
There is no workaround.
745600-2 : Removal of timer object from tmm timer-ring when a tcl context is released.
Component: Access Policy Manager
Symptoms:
If a tcl context is associated with a tmm-timer (while creating access session) using iRule, the timer object is removed during tcl context release but its association remains. When the timer fires, it tries to access a memory which is already freed, causing tmm to crash and generate a core.
Conditions:
Creating access session using iRule.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
745589-5 : In very rare situations, some filters may cause data-corruption.
Component: Local Traffic Manager
Symptoms:
In very rare situations, an internal data-moving function may cause corruption.
Filters that use the affected functionality are:
HTTP2, Sip, Sipmsg, MQTTsession, serdes_diameter, FTP.
Conditions:
The affected filters are used, and some very rare situation occurs.
Impact:
This may cause silent data corruption, or a TMM crash.
Workaround:
There is no workaround at this time.
745574-2 : URL is not removed from custom category when deleted
Component: Access Policy Manager
Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.
Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.
Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.
Workaround:
"bigstart restart tmm" will resolve the issue.
745514-2 : MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
Component: Service Provider
Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALD with SNAT after a SUBSCRIBE message has been processed.
Conditions:
This occurs because the SUBSCRIBE message has has the TO and FROM headers with the same value causing the ALG to enter hairpin mode.
Impact:
Media addresses in the SDP payload are not translated.
Workaround:
There is no workaround.
745397-2 : Virtual server configured with FIX profile can leak memory.
Component: Service Provider
Symptoms:
System memory increases with each transmitted FIX message. tmm crash.
Conditions:
-- Virtual server configured with a FIX profile.
-- FIX profile specifies a message-log-publisher.
Impact:
Memory leak. Specifically, in the xdata cache. Potential traffic disruption while tmm restarts.
Workaround:
If possible, discontinue use of message logging functionality. Removing the message-log-publisher from the FIX profile stops xdata growth.
745035-3 : gtmd crash
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd crashes
Conditions:
This rarely occurs when an iQuery connection is abnormally terminated.
Impact:
Under rare circumstances, gtmd may crash and restart.
Workaround:
None
745027-1 : AVR is doing extra activity of DNS data collection even when it should not
Component: Application Visibility and Reporting
Symptoms:
When collecting DNS data, AVR generates data that is used only for BIG-IQ, even if not connected to BIG-IQ.
Conditions:
DNS Statistics collection or DNS-DoS is configured.
Impact:
avrd process is taking more CPU cycles for activity that is not needed. There is no impact to functionality.
Workaround:
None.
744949-2 : MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix
Component: Service Provider
Symptoms:
SIP response messages have the wrong IP address in the FROM header when using NAT64.
Conditions:
If the client's IPv6 address does not match the virtual server's configured IPv6 prefix, the FROM header on a response message will have a different IP address that the request message.
Impact:
The SIP ALG with SNAT system will be unable to establish a call for the client.
Workaround:
There is no workaround at this time.
744787-3 : Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias
Component: Global Traffic Manager (DNS)
Symptoms:
WideIP alias will be replaced.
Conditions:
There is an existing alias for a WideIP and adding the same alias for another WideIP.
Impact:
The previous WideIP will be replaced.
Workaround:
Avoid adding existing WideIP for other WideIP.
744707-3 : Fixed crash related to DNSSEC key rollover
Component: Global Traffic Manager (DNS)
Symptoms:
When running out of memory, a DNSSKEY rollover event can cause a tmm core dump.
Conditions:
System low/out of memory.
DNSSKEY rollover event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
744686-1 : Wrong certificate can be chosen during SSL handshake
Component: Local Traffic Manager
Symptoms:
If two certificates of the same type are configured in an SSL profile, one marked `usage CA' and the other not, the wrong one could be chosen during the handshake.
Conditions:
Two certificates of the same type are configured in an SSL profile.
Impact:
The wrong certificate could be chosen during the handshake.
Workaround:
Do not configure two certificates of the same type on an SSL profile.
744595-2 : DoS-related reports might not contain some of the activity that took place
Component: Application Visibility and Reporting
Symptoms:
Occasionally, some telemetry data of DoS related activity is lost.
Conditions:
No specific condition other than using the BIG-IP system anti-DDoS feature.
Impact:
DoS related reports might not contain some of the activity that takes place.
Workaround:
None.
744589-2 : Missing data for Firewall Events Statistics
Component: Application Visibility and Reporting
Symptoms:
Statistical information that is collected for Firewall event, has some data that is getting lost and not reported.
When this is taking place, the following message appears at avrd log:
Some rows of load_stat_firewall_events_<some number> not loaded
Conditions:
AFM is used, no particular condition that leads to this situation of losing some of the stats, usually takes place under heavy activity.
Impact:
Statistical reports of Firewall Events are missing some the the activity that actually took place.
Workaround:
There is no workaround at this time.
744532-1 : Websso fails to decrypt secured session variables
Component: Access Policy Manager
Symptoms:
Whenever websso tries to decrypt secure session variables, the following error is seen /var/log/apm:
Aug 15 21:36:25 abcd err websso.0[20421]: 014d0028:3: /Common/Test_PRP:Common:2b8e7abc: Master Decrypt failed for user test with error 'ckDecrypt: invalid ciphertext'
Aug 15 21:36:25 abcd info websso.0[20421]: 014d0009:6: /Common/Test_PRP:Common:2b8e7abc: Websso basic authentication for user 'test' using config '/Common/sso_test_obj'
Conditions:
- Per-req policy is attached to virtual server.
- Secure subsession variables are assigned to session variables using Variable Assign Agent in per-req policy.
- SSO Configuration Select agent is used in per-req policy.
Impact:
Single Sign-On (SSO) won't work correctly.
Workaround:
There is no workaround at this time.
744520-2 : virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface
Component: TMOS
Symptoms:
virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface.
Conditions:
Virtual server with pem profile and Vxlan-GRE tunnel interface.
Impact:
Traffic drop.
Workaround:
There is no workaround.
744516-3 : TMM panics after a large number of LSN remote picks
Component: Carrier-Grade NAT
Symptoms:
TMM panics with the assertion "nexthop ref valid" failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.
Conditions:
A LSN Pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.
Impact:
TMM restarts. Traffic is interrupted.
Workaround:
There is no workaround.
744347-3 : Protocol Security logging profiles cause slow ASM upgrade and apply policy
Component: Application Security Manager
Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.
Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.
Impact:
ASM upgrade and apply policy are delayed.
Workaround:
There is no workaround at this time.
744316-2 : Config sync of APM policy fails with Cannot update_indexes validation error.
Component: Access Policy Manager
Symptoms:
Config sync operation fails for APM policy when policy item of same name points to different agent on source and target
The system posts errors similar to the following:
Sync error on rfang-vemgmt.lab.labnet.com: Load failed from /Common/rfang-ve-3mgmt.lab.labnet.com 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (access_policy_item_agent) object ID (/Common/resm_act_message_box_1 /Common/resm_act_message_box_ag_1). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:access_policy_item_agent status:13)"
Conditions:
This occurs in the following scenario:
1. Configure a failover device group containing two BIG-IP systems.
2. Create an APM access profile on one unit.
+ Launch VPE for the policy.
+ Add a macro.
+ In macro add an agent, e.g., Message box.
+ Add macro to the main policy.
3. Initiate config sync to another device.
4. On one BIG-IP system, add another Message box agent using the same macro. On the other BIG-IP system, make a copy of the access profile.
5. On either BIG-IP system, initiate another config sync operation.
Impact:
Unable to sync configuration in a failover device group.
Workaround:
You can work around this using the following procedure:
1. On the device receiving the config sync, delete the APM policies that contain the referenced APM policy items.
2. Perform an overwrite-config-sync operation from the sending device to this device.
744280-3 : Enabling or disabling a Distributed Application results in a small memory leak
Component: Global Traffic Manager (DNS)
Symptoms:
Enabling or disabling a Distributed Application results in an 8 byte memory leak.
Conditions:
Enabling or disabling a Distributed Application.
Impact:
8 bytes of memory are leaked every time a Distributed Application is enabled or disabled. If Distributed Applications are repeatedly programmatically enabled and disabled, over time, the system might eventually exhaust all available memory.
Workaround:
None.
744275-2 : BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
Component: Service Provider
Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.
Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Product-Name AVP.
Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.
Workaround:
Configure an iRule in the MRF transport-config, for example:
ltm rule workaround {
when DIAMETER_EGRESS {
if {[serverside] && [DIAMETER::command] == "257" } {
DIAMETER::avp flags set 269 0
}
}
}
744269-1 : dynconfd restarts if FQDN template node deleted while IP address change in progress
Component: Local Traffic Manager
Symptoms:
The dynconfd daemon may crash and restart if an FQDN template node is deleted (by user action or config sync) while ephemeral nodes are in the process of being created, and deleted as the result of new IP addresses being returned by a recent DNS query.
Conditions:
This may occur on BIG-IP version 14.0.0.3 (and BIG-IP versions 13.1.x or v12.1.x with engineering hotfixes for ID 720799, ID 721621 and ID 726319), under the following conditions:
1. A DNS query returns a different set of IP addresses for one or more FQDN names.
2. While new ephemeral node(s) are being created (for new IP addresses and deleted (for old IP addresses), an FQDN template node is deleted (either by user action or config sync).
Impact:
The dynconfd daemon crashes and restarts.
Ephemeral nodes may not be updated in a timely manner while the dynconfd daemon is restarting.
744252-1 : BGP route map community value: either component cannot be set to 65535
Component: TMOS
Symptoms:
The community value for BGP route map entries should allow values of 1-65535 for both components, but it is not allowing 65535 for either component.
Conditions:
-- Using BGP route map community values.
-- Attempting to set one or both components to 65535.
Impact:
Unable to use the full range of BGP route map community values
Workaround:
There is no workaround at this time.
744210-3 : DHCPv6 does not have the ability to override the hop limit from the client.
Component: Local Traffic Manager
Symptoms:
DHCPv6 packet may be dropped by a device after the DHCP relay if the client provided hop limit is 1.
Conditions:
DHCPv6 Relay configured on the BIG-IP.
Impact:
Loss of DHCPv6 service.
Workaround:
There is no workaround at this time.
743961-2 : Signature Overrides for Content Profiles do not work after signature update
Component: Application Security Manager
Symptoms:
JSON profile signature override does not include legacy signature after Automatic Signature Update (ASU).
Conditions:
Signature override on content profile ASU with major update to targeted sig.
Impact:
-- Unexpected block on a previously white-listed signature.
-- Confusing logging for why the signature was blocked (should indicate it was due to using an old signature version).
Workaround:
-- Create the signature override at higher context, e.g., the URL. Removing the URL context override again keeps it fixed.
-- Enforce new version of sig globally.
743900-2 : Custom DIAMETER monitor requests do not have their 'request' flag set
Component: Local Traffic Manager
Symptoms:
Using the technique detailed in the Article: K14536: Customizing the BIG-IP Diameter monitor https://support.f5.com/csp/article/K14536 to create custom DIAMETER monitor requests fails for any request that uses the numeric form of a DIAMETER command code, because the 'request' flag is not set in the DIAMETER packet.
Conditions:
-- Using custom DIAMETER monitor requests.
-- Using numeric DIAMETER command codes.
Impact:
The monitor probes fail because the BIG-IP system does not set the DIAMETER 'request' flag for requests it sends when using a numeric value for the command code, so the DIAMETER server thinks it is a response
Workaround:
None.
743810-2 : AWS: Disk resizing in m5/c5 instances fails silently.
Component: TMOS
Symptoms:
Resizing the disk in an m5/c5 instance in AWS has no impact on the disk size, and this operation fails silently.
Conditions:
BIG-IP system deployed in AWS with m5/c5 instance type that uses NVME disks instead of the usual native paravirt disks.
Impact:
Disk resizing fails; administrators cannot grow the instance disk in response to their requirements and instance utilization post-deployment.
Workaround:
There is no workaround.
743437-2 : Portal Access: Issue with long 'data:' URL
Component: Access Policy Manager
Symptoms:
HTML page may contain a very long 'data:' URL. Portal Access cannot handle such URLs correctly.
Conditions:
HTML page with very long 'data:' similar to the following example:
data:image/png;base64,...
Such URLs might be several megabytes long.
Impact:
The rewrite plugin cannot process HTML pages with very long URLs and restarts. The page is not sent to the end user client; web application may not work correctly.
Workaround:
There is no workaround at this time.
743271 : Querying vCMP Health Status May Show Stale Statistics
Component: TMOS
Symptoms:
Stale statistics collected while the guest was running a pre-13.1.0 version may periodically be seen when querying vCMP health status in the Configuration Utility or via tmsh show vcmp health commands.
Conditions:
This issue may be seen when all of the following conditions are met:
- the vCMP guest is deployed on more than one blade
- the vCMP guest is upgraded from a pre-13.1.0 release to 13.1.0 or above
Impact:
Health status is not always accurately reported
Workaround:
The issue may be resolved by setting the guest status temporarily to configured and then back to deployed.
743257-2 : Fix block size insecurity init and assign
Component: Local Traffic Manager
Symptoms:
After an HA failover the block size insecurity checks were creating conditions for an infinite loop. This causes tmm to be killed by sod daemon via SIGABRT.
Conditions:
Rare not reproducible.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
743132-5 : mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile
Component: TMOS
Symptoms:
On a chassis platform, if 'tmsh modify sys httpd ssl-certificate' is run immediately after creating a new certificate file, it's possible for mcpd to restart on the secondary blades. This happens when it takes longer for csyncd to copy the new certificate file to the other blades than it takes mcpd to send the modify message to the other blades.
Conditions:
Chassis platform with multiple blades.
Setting the httpd ssl-certificate to a new file.
Impact:
mcpd stops on secondary blades, causing those blades to go offline for a short time while mcpd and other daemons restart.
Workaround:
When setting the httpd ssl-certificate to a new file, wait a few seconds after creating the file before issuing the tmsh modify command.
743116-3 : Chunked responses may be incorrectly handled by HTTP/2
Component: Local Traffic Manager
Symptoms:
When a chunked HTTP response is serialized by HTTP/2, the chunking headers should be removed. This does not occur in some cases.
Conditions:
The HTTP/2 filter is used. Some other profiles are used on the same virtual. (In particular, the request logging profile triggers this issue.)
Impact:
The HTTP/2 payload will include chunking headers, corrupting it.
Workaround:
An iRule may be used to detect a HTTP/2 client, and forcibly turn on unchunking in the HTTP_RESPONSE event.
Example:
ltm rule unchunk_http2 {
when HTTP_REQUEST {
set is_http2 [HTTP2::active]
}
when HTTP_RESPONSE {
if { $is_http2 } {
HTTP::payload unchunk
}
}
}
742838-2 : A draft policy of an existing published policy cannot be modified if it is in /Common and an used by a virtual server in a different partition
Component: Local Traffic Manager
Symptoms:
If you have a published policy in /Common that is in use by a virtual server in a different partition, if you try to create and modify a draft of the existing policy, you will get an error like this:
"01070726:3: Policy /Common/Drafts/test-policy in partition Common cannot reference policy reference /Common/Drafts/test-policy /test/test-vs in partition test"
This happens in both the GUI and TMSH.
Conditions:
-- A published policy exists in /Common.
-- The published policy is attached to a virtual server in a different partition.
-- Attempt to create and modify a draft of the policy.
Impact:
Inability to edit the published policy.
Workaround:
None.
742829-2 : SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0
Component: Service Provider
Symptoms:
The BIG-IP system incorrectly handles SDP media ports. UAC sends SDP message body publishing capable of handling voice, text, and video. UAS responds, publishing voice, text and video not desired by setting video port to '0'. The BIG-IP system does not honor the fact that UAS does not want video, and translates video port '0' to an ephemeral port, causing the UAC to believe it must open a video channel. When the UAC sends a video connection request, the BIG-IP system sends the request to the wrong port, i.e., to the media port for text, which causes the connection to fail.
Conditions:
RTP media port defined in the SIP message is set to 0.
Impact:
Improper media channel creation.
Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.
742753-3 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail
Component: TMOS
Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.
Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:
- Remove the Referer header.
- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.
Impact:
Users cannot log on to the BIG-IP system's WebUI.
Workaround:
As a workaround, you can do any of the following things:
- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).
- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).
- Modify the proxy solution so that it inserts compatible Referer and Host headers.
742627-1 : SSL session mirroring may cause memory leakage if HA channel is down
Component: Local Traffic Manager
Symptoms:
If SSL session mirroring is enabled, but the HA channel is down, attempts to mirror may result in memory leakage.
Conditions:
- SSL session mirroring enabled
- HA channel is down
Impact:
Memory leakage over time resulting in eventual memory pressure leading to performance degradation and possible TMOS restart.
Workaround:
Ensuring that the HA peer is present and connected will avoid the leakage. Otherwise, no reasonable workaround exists short of disabling SSL session mirroring.
742419-2 : BIG-IP NIC teaming of SR-IOV interfaces does not work under VMware ESXi
Component: TMOS
Symptoms:
Configuring multiple SR-IOV interfaces into a trunk does not function correctly when running BIG-IP as a guest under VMware ESXi. The interface will show as uninitialized.
Conditions:
A system that passes SR-IOV virtual functions directly to a BIG-IP guest when running on VMware ESXi.
Impact:
The trunk will fail to initialize.
Workaround:
None.
742237-3 : CPU spikes appear wider than actual in graphs
Component: Local Traffic Manager
Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.
Conditions:
CPU usage has spikes.
Impact:
Graphs of CPU spikes appear to last longer than they actually last.
Workaround:
Restart statsd to change the start of the RRD sampling interval.
742184-2 : TMM memory leak
Component: Local Traffic Manager
Symptoms:
-- High TMM memory utilization;
-- Aggressive sweeper activated;
-- the 'packet', 'xdata' and 'xhead' caches in the memory_usage_stat tmstat table have high 'allocated' and 'curr_allocs' numbers with a steadily increasing profile.
Conditions:
A fastL4 and a L7 profile (e.g. HTTP) are assigned to a virtual server.
Impact:
Degraded performance, possible TMM crash due to out-of-memory condition.
Workaround:
Do not add a L7 profile to a fastL4 virtual server.
742170-1 : REST PUT command fails for data-group internal
Component: TMOS
Symptoms:
Cannot change content of existing data-group internal using REST PUT command.
Conditions:
Using REST API.
Impact:
Cannot modify data-group internal via the REST API.
Workaround:
Add 'type' in the content
742037-4 : FPS live updates do not install when minor version is different
Component: Fraud Protection Services
Symptoms:
Install update file with a different minor version.
For example, install update file versioned 13.1.1 on BIG-IP version 13.1.0.
Conditions:
FPS is licensed and provisioned.
Impact:
FPS engine and signature cannot be updated.
Workaround:
N/A
741993-2 : The BIG-IP system does not answer the request matching L7 policy that disabled DOSL7 when BADOS configured.
Component: Anomaly Detection Services
Symptoms:
The BIG-IP system does not answer the request matching the L7 policy that disabled DOSL7 when BADOS is configured. The connection hangs.
Conditions:
1. Create a DoS profile Behavioral & Stress-based (D)DoS Detection.
2. Create an L7 policy to disable DoS profile (even on all URLs).
3. Attach both to a virtual server.
4. Send a request to the virtual server.
Impact:
Connection hangs.
Workaround:
There is no workaround other than disabling the Behavioral & Stress-based (D)DoS Detection from the DoS profile.
741951-5 : Multiple extensions in SIP NOTIFY request cause message to be dropped.
Component: Service Provider
Symptoms:
When SIP NOTIFY messages are sent with a request URI that contains multiple client extensions, the system does not forward the message as expected.
Conditions:
SIP NOTIFY messages sent with a request URI that contains multiple client extensions.
Impact:
NOTIFY message is not forwarded.
Workaround:
None.
741919-2 : HTTP response may be dropped following a 100 continue message.
Component: Local Traffic Manager
Symptoms:
When a 100 response a quickly followed by another HTTP response (2xx/4xx), the second response might be dropped.
Conditions:
When a 100 response is quickly followed by another HTTP response (i.e., a 2xx/4xx response arrives within a few microseconds).
Impact:
The second response might be dropped, so the end user client might not receive all the HTTP responses coming from the server.
Note: This does not happen all the time, and depends on how the underlying data packets are formed and delivered to the HTTP filter.
Workaround:
You can use either of the following workarounds:
-- Use an iRule to disable the HTTP filter in the HTTP_REQUEST event.
-- Disable LRO by running the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
741902-2 : sod does not validate message length vs. received packet length
Component: TMOS
Symptoms:
sod may crash or produce unexpected behavior.
Conditions:
If a malformed network failover packet is received by sod, it may cause an invalid memory access.
Impact:
sod may crash, causing a failover.
Workaround:
None.
741814-1 : Auto Last Hop for management connections cannot be disabled/enabled
Component: Local Traffic Manager
Symptoms:
Disabling/Enabling Auto Last Hop for management connections does not take effect. By default, it is enabled and stays enabled after a change.
Conditions:
-- Manual BIG-IP Management Port Configuration is configured. IP address and Network Mask is set, but Management Route is empty.
-- Auto Last Hop for management connections is disabled.
# tmsh mod ltm global-settings general mgmt-auto-last-hop disable
-- BIG-IP system is rebooted.
# full_box_reboot
Impact:
Auto Last Hop for management connections is still enabled on management interface and the BIG-IP system is still accessible outside local management network.
Workaround:
To work around this issue, use the following commands to move the lasthop.modules script to the /etc/sysconfig/sysinit directory:
# mv -v /etc/sysconfig/modules/lasthop.modules
/etc/sysconfig/sysinit/00activate-early-lasthop.sysinit
2. Reboot the BIG-IP system.
# full_box_reboot
741767-1 : ASM Resource :: CPU Utilization statistics are in wrong scale
Component: Application Visibility and Reporting
Symptoms:
Security :: Reporting : ASM Resources : CPU Utilization have the wrong scale for statistics.
Conditions:
Having the 'CPU Utilization' statistics under 'ASM Resources' available.
Impact:
Wrong scale of statistics.
Workaround:
To work around this issue:
1. Edit the following file: /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
2. Remove all division by 100 on 'formula' of each entity.
3. Save the change and restart monpd (bigstart restart monpd).
741761-2 : admd might fail the heartbeat, resulting in a core
Component: Anomaly Detection Services
Symptoms:
When the system is under heavy I/O stress, admd might fail the heartbeat (which is required by sod, the failover daemon), so sod kills the admd daemon, resulting in a core.
Conditions:
-- System is under heavy I/O stress.
-- admd fails the heartbeat.
Impact:
The system generates an admd core file. Traffic disrupted while admd restarts.
Workaround:
None.
741599-1 : After upgrade, Client SSL profile may have extra cert-key-chain structure
Component: TMOS
Symptoms:
Extra cert-key-chain structure appears in Client SSL profile after upgrade from pre-v14.0.0 versions to v14.0.0. The extra cert-key-chain object with a 'usage CA' attribute appears even when the SSL profile is not configured for SSL forward proxy prior to upgrade.
The 'usage CA' cert-key-chain structure is expected when an SSL profile is configured for SSL forward proxy.
Conditions:
-- SSL profiles have had their 'proxy-ca-cert' and 'proxy-ca-key' attributes modified (even if simply set to the default value of 'none' explicitly).
-- The 'clientssl' built-in profile if that profile is modified via the GUI.
-- Upgrade from pre-v14.0.0 versions to v14.0.0.
Impact:
Extraneous 'usage CA' cert-key-chain entries added to configuration after upgrade.
Workaround:
Before upgrading, use tmsh to set the 'proxy-ca-cert' and 'proxy-ca-key' attributes values back to their default by specifying the value as 'default-value'.
After upgrade on an affected system, for SSL profiles that are not configured for SSL forward proxy:
1. Delete the extra cert-key-chain object.
2. Edit the configuration file with a text editor and remove the 'proxy-ca-cert' and 'proxy-ca-key' attributes for those profiles.
3. Re-load the configuration using the following command: tmsh load sys config
741449-2 : alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
Component: Fraud Protection Services
Symptoms:
JAVASCRIPT_THRESHOLD alert should contain 2 timestamps:
1. component-validation cookie timestamp (set on cookie creation)
2. current BIG-IP timestamp
currently, these timestamps are not available in the alert details
Conditions:
JAVASCRIPT_THRESHOLD alert is triggered
Impact:
it is impossible to analyze the alert
Workaround:
There is no workaround at this time.
741435-1 : Using local traffic policies with type 'CE Profile', a new rule does not have the option to classify traffic
Component: Traffic Classification Engine
Symptoms:
In a local traffic policy with type 'CE Profile', a new rule does not have the option to classify traffic.
Conditions:
-- PEM, AFM, APM, or SWG is provisioned.
-- Local traffic policy with type 'CE Profile'.
-- Create a new rule.
Impact:
No GUI option to classify traffic. Cannot use the GUI reclassify traffic using LTM Policies.
Workaround:
Use TMSH to configure the policies and rules for classifying traffic.
741423-3 : Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
Component: TMOS
Symptoms:
When provisioning ASM for the first time on a device that is already linked in a high availability (HA) config-sync configuration, any other cluster device that is on the trust domain experiences mcpd restarting on all secondary blades due to a configuration error.
The system logs messages similar to the following in /var/log/ltm:
-- notice mcpd[12369]: 010718ed:5: DATASYNC: Done initializing datasync configuration for provisioned modules [ none ].
-- err mcpd[9791]: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.
-- err mcpd[9791]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.... failed validation with error 16908342.
-- notice mcpd[12369]: 0107092a:5: Secondary slot 2 disconnected.
Conditions:
-- Cluster devices are joined in the trust for HA or config-sync.
-- Provisioning ASM or FPS on clusters which are already joined in a trust.
-- ASM and FPS have not been provisioned on any of the devices: this is the first ASM/FPS provisioning in the trust.
Impact:
Traffic on all secondary blades is interrupted while mcpd restarts. Then, traffic is resumed.
Workaround:
Before provisioning ASM/FPS (but after setting up a trust configuration):
1. On the device on which ASM/FPS is about to be provisioned, create the datasync-global-dg device group and add all of the available devices.
For example, if there are two devices in the Trust Domain: test1.lab.com and test2.lab.com, and you plan to provision ASM/FPS for the first time on test1.lab.com, first run the following command from test1.lab.com:
tmsh create cm device-group datasync-global-dg devices add { test1.lab.com test2.lab.com }
2. Do not sync the device group.
3. Then on test1.lab.com, you can provision ASM/FPS.
740963-1 : VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart
Component: Local Traffic Manager
Symptoms:
VIP-on-VIP traffic might cause TCP retransmit bursts, which in certain situations can cause tmm to restart.
Conditions:
- Virtual server handling TCP traffic.
- iRule using the 'virtual' command.
Impact:
Temporary memory consumption and potential for tmm to restart. Traffic disrupted while tmm restarts.
Workaround:
None.
740959-3 : User with manager rights cannot delete FQDN node on non-Common partition
Component: Local Traffic Manager
Symptoms:
A user that has manager rights for a non-Common partition, but not for the /Common partition, may be denied delete privileges for an FQDN template node that is created on the non-Common partition for which the user does have manager rights.
This occurs because ephemeral nodes created from the FQDN template node are 'shared' in the /Common partition, so the delete transaction fails because the user has insufficient permissions to delete the dependent ephemeral nodes on the /Common partition.
Conditions:
-- A user is created with manager rights for a non-Common partition.
-- That user does not have manager rights for the /Common partition;
-- At least one ephemeral node is created from that FQDN template node (due to DNS lookup), which is not also shared by other FQDN template nodes.
-- That user attempts to delete an FQDN template node on the non-Common partition for which the user has manager rights.
Impact:
The transaction to delete the FQDN template node fails due to insufficient permissions. No configuration changes occur as a result of the FQDN template node-delete attempt.
Workaround:
You can use either of the following workarounds:
-- Perform the FQDN template node-delete operation with a user that has manager rights to the /Common partition.
-- Create the FQDN template node on the /Common partition.
740746-1 : RSA key creation fails for generating key/csr pair when using gen-csr challenge-password
Component: TMOS
Symptoms:
Failed to generate RSA key in pair with CSR via TMSH command when using key password options.
Response from create sys crypto key command when using challenge-password option:
Syntax Error: Key creation doesn't support challenge-password option.
Response from create sys crypto key command when using prompt-for-password option:
Syntax Error: Key creation doesn't support prompt-for-password option.
Conditions:
This issue happens while using either of the key password protect options while generating CSR and RSA key via tmsh command: create sys crypto key.
Impact:
Cannot generate password-protected RSA key via tmsh command.
Workaround:
There is no workaround.
740719-1 : ASM CSP header parser does not honor unsafe-inline attribute within script-src directive
Component: Application Security Manager
Symptoms:
Browser reports Content-Security-Policy error when ASM modifies the 'Content-Security-Policy' (CSP) header.
Conditions:
1. ASM provisioned.
2. ASM policy attached to a virtual server.
3. CSRF or Ajax blocking page enabled within ASM policy
4. Backend server sends 'Content-Security-Policy' header with 'script-src' 'unsafe-inline' directive.
Impact:
Browser posts 'Content-Security-Policy' error and stops JavaScript execution.
Workaround:
Disable 'Content-Security-Policy' header parsing for ASM policies. To do so, follow these steps:
1. In /usr/share/ts/bin/add_del_internal, run the following command:
add csp_enabled 0
2. Restart ASM by running the following command:
bigstart restart asm
740589-2 : mcpd crash with core after 'tmsh edit /sys syslog-all-properties'
Component: TMOS
Symptoms:
Syslog-ng consumes more than 95% CPU starving other processes of CPU time. This leads to eventual mcpd crash with core.
Conditions:
Configuring nonexistent local IP addresses and remote log server.
Impact:
Abnormal CPU usage. Potential eventual mcpd crash with core.
Workaround:
To mitigate the issue, you can use either of the following:
-- Follow these two steps:
1. Remove the remote log server from the configuration.
2. Replace the nonexistent local IP addresses with self IP addresses.
-- Configure the remote destination host with a unique parameter in the configuration so that syslog does not get confused if there are multiple entries:
udp(190.45.32.51 port(514) localip(190.46.2.221) persist-name(r1));
udp(190.45.32.51 port(514) localip(190.46.2.222) persist-name(r2));
udp(190.200.60.1 port(514) localip(190.46.2.221) persist-name(r3));
udp(190.200.60.1 port(514) localip(190.46.2.222) persist-name(r4));
740517-2 : Application Editor users are unable to edit HTTPS Monitors via the Web UI
Component: TMOS
Symptoms:
A user with Application Editor role cannot modify an HTTPS Monitor via the GUI. The user is sent the the following, misleading and incorrect error message: Access Denied: user does not have delete access to object (ssl_cert_monitor_param)
Conditions:
The logged in GUI user must be an Application Editor role for the partition containing the HTTPS Monitor
Impact:
The user must use TMSH to modify an HTTPS Monitor.
Workaround:
Run the following tmsh command: modify ltm monitor https"\
740490 : Configuration changes involving HTTP2 or SPDY may leak memory
Component: Local Traffic Manager
Symptoms:
If virtual servers which have HTTP2 or SPDY profiles are updated, then the TMM may leak memory.
Conditions:
-- A virtual server has a HTTP2 or SPDY profile.
-- Any configuration object attached to that virtual server changes.
Impact:
The TMM leaks memory, and may take longer to execute future configuration changes. If the configuration changes take too long, the TMM may be restarted by SOD.
Workaround:
None.
740413-2 : sod not logging Failover Condition messages
Component: TMOS
Symptoms:
When a failsafe fault occurs, sod does not log a message indicating that the device is unable to become Active.
Conditions:
Failsafe fault.
Impact:
No 'Failover Condition'messages logged in /var/log/ltm.
Workaround:
None.
740345-2 : TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.
Component: Local Traffic Manager
Symptoms:
TMM generates cores files on the device.
Conditions:
Issue is seen when connection mirroring, session mirroring and OCSP stapling is enabled.
Impact:
If a failover happens when a SSL handshake is in progress,
TMM restarts and a core file is generated on the standby device. Traffic disrupted while tmm restarts.
Workaround:
None.
740284-1 : Virtual servers 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'
Component: Global Traffic Manager (DNS)
Symptoms:
Virtual servers on generic-hosts may be marked as Yellow, with a message of 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'.
Conditions:
The conditions under which this occurs are not known.
Impact:
Virtual server is marked Yellow erroneously 'In Maintenance Mode'.
Workaround:
Use any of the following to reset the condition:
-- Restart gtmd by issuing the following command:
bigstart restart gtmd
-- Restart the system.
-- Remove any monitors from the affected server, save the configuration, and then add any required monitors.
-- Delete the affected server from the configuration and recreate it.
740277-1 : Extra policy_release (per-request policy) in policy engine causes core due to use-after-free condition
Component: Access Policy Manager
Symptoms:
In some execution paths of per-request policies, policy ref count gets unbalanced and causes a core dump and/or memory leak.
Conditions:
This is a very rarely occurring issue encountered when using per-request policies.
Impact:
Memory leak (in case of per-session policy not released). It may cause a core dump in some cases, if the per-request policy is over-released.
Workaround:
None.
740135-2 : Traffic Group ha-order list does not load correctly after reset to default configuration
Component: TMOS
Symptoms:
After resetting the BIG-IP configuration to default (i.e., 'tmsh load sys config default'), if a configuration is loaded where the name of the self-device changes, this may cause the self-device to be removed from any traffic group HA Order lists.
Conditions:
-- Must be loading a configuration after resetting to default.
-- Must have at least one traffic group using the 'HA Order' Failover Method.
Impact:
Incorrect HA configuration.
Workaround:
Reload the configuration a second time.
740086-4 : AVR report ignore partitions for Admin users
Component: Application Visibility and Reporting
Symptoms:
The behavior of AVR's reporting feature changed after an upgrade.
Reports generated for specific partition include data from all partitions.
Conditions:
-- Users with Admin role.
-- AVR provisioned.
-- AVR profile configured and attached to a virtual server.
-- User with Admin role creates Scheduled Reports or uses GUI to view AVR reports.
Impact:
AVR GUI pages or Scheduled Reports defined for one partition include AVR data from other partitions.
Workaround:
One workaround is to have non-Admin users generate reports.
For non-Admin users, the partition is honored.
740024-1 : Web page not load correctly if load time is enabled
Component: Application Visibility and Reporting
Symptoms:
The web page does not load correctly. The TSPD_101 cookie is not present. All headers after the f5_cspm cookie are ignored.
Conditions:
-- AVR profile is attached to a virtual server.
-- Load time is enabled.
Impact:
Resources, such as scripts and CSS, are blocked when using Bot Defense Browser Verification due to anomaly 'Resource request without browser verification cookie'.
Workaround:
There is no workaround.
739963-3 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
Component: Local Traffic Manager
Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.
Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.
Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.
Workaround:
To restore the state of the member, remove it and add it back to the pool.
739945-3 : JavaScript challenge on POST with 307 breaks application
Component: Application Security Manager
Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.
Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.
Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.
Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.
739939-2 : Ping Access Agent Module leaks memory in TMM.
Component: Access Policy Manager
Symptoms:
Whenever a ping access request traverses through apm_ivs (internal virtual server) to the Ping Access Agent (e.g., Cache-Miss), a memory leak occurs.
Conditions:
Ping Access Agent request that is not served from local cache (e.g., in the Cache-Miss case).
Impact:
The slow memory leak might eventually cause TMM to restart. Traffic disrupted while tmm restarts.
Workaround:
None.
739927-2 : Bigd crashes after a specific combination of logging operations
Component: Local Traffic Manager
Symptoms:
Bigd crashes. Bigd core will be generated.
Conditions:
1. Boot the system and set up any monitor.
2. Enable and disable bigd.debug:
-- tmsh modify sys db bigd.debug value enable
-- tmsh modify sys db bigd.debug value disable
3. Enable monitor logging.
Impact:
Bigd crashes.
Workaround:
None.
739872-1 : The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover
Component: TMOS
Symptoms:
Running the 'load sys config verify' command for a configuration that would alter the high availability (HA) Group score for a Traffic Group can cause the HA group score to be updated.
Conditions:
Run 'load sys config verify' with configuration data that affects a Traffic Group's HA Group score.
Impact:
Unintended failover.
Workaround:
None.
739820-2 : Validation does not reject IPv6 address for TACACS auth configuration
Component: TMOS
Symptoms:
TACACS authentication does not support IPv6 address for the authentication server, but both GUI and TMSH allow IPv6 addresses to be configured for TACACS. Such configurations may result in failed logins with messages in /var/log/secure like
Aug 8 10:47:39 gtm-13108-174 err httpd[5948]: pam_tacplus: skip invalid server: 2001::1001:1001 (invalid port: no digits)
Conditions:
Use the GUI or TMSH to create or modify a TACACS server
Impact:
Remote authentication will fail unless a second server is configured with IPv4 address.
Workaround:
Do not configure IPv6 address for TACACS server
739716-1 : APM Subroutine loops without finishing
Component: Access Policy Manager
Symptoms:
Some APM subroutines never finish. In authentication use cases, the end-users will continue to see logon pages, even after submitting correct credentials. In SWG confirm-and-continue use cases, the end-users will continue to see confirm boxes, even if they had already clicked "continue".
Conditions:
APM with a subroutine. Reproducibility will vary by platform and deployment.
Impact:
Subroutines never finish. End-users are not able to access resources.
Workaround:
TMM restart does resolve the issue.
739674-2 : TMM might core in SWG scenario with per-request policy.
Component: Access Policy Manager
Symptoms:
TMM can core when Secure Web Gateway (SWG) is configured, and SSL is resumed through per-request policy.
Conditions:
-- SWG is configured.
-- SSL is resumed through per-request policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
739638-3 : BGP failed to connect with neighbor when pool route is used
Component: Local Traffic Manager
Symptoms:
BGP peering fails to be established.
Conditions:
- Dynamic routing enabled.
- BGP peer connect through a pool route or ECMP route.
Impact:
BGP dynamic route paths are not created.
Workaround:
Use a gateway route.
739635-1 : No learning when creating policy using guided configuration
Component: Application Security Manager
Symptoms:
No learning suggestions for policy
Conditions:
Creating a policy using WGC (guided configuration)
Impact:
Policy is not learned by the policy builder
Workaround:
Either of:
- deactivate (disconnect policy from VS) and re-activate the policy
- restart to policy builder fixes the problem
[killall -s SIGHUP pabnagd]
739553-2 : Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
Component: Global Traffic Manager (DNS)
Symptoms:
Wide IP persistence is not working. Previous Wide IP persistence records are cleared.
Conditions:
This occurs when the Wide IP Persistence TTL plus the persist-record creation time is greater than 4294967295.
Impact:
Wide IP persistence does not work.
Workaround:
There is no workaround other than not setting Wide IP Persistence TTL to a number greater than 4294967295.
739533-5 : In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config
Component: TMOS
Symptoms:
If mcpd loses connection with a peer in the middle of a config sync operation when a large file is being transferred, the temporary copy of that file in /config/filestore/.snapshots_d/ might not be deleted. If this happens enough times with large enough files, those temporary files might fill the /config filesystem.
Conditions:
-- A config sync of a large file is happening.
-- The mcp connection between peers is lost.
Impact:
When that happens, the temporary files that should be deleted, might not be. This is not a problem until the issue has occurred many times, leaving many temporary files, at which point /config can run out of space. /config may get to 100% full. Having /config at 100% full might cause config sync to fail, prevent configuration changes, and other issues.
Workaround:
Delete all files in /config/filestore/.snapshots_d that are more than an hour old.
739379-1 : Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error
Component: Local Traffic Manager
Symptoms:
In situation where multiple SSL forward proxies are connected via virtual targeting, the SNI value extracted from ClientHello and saved in 1st layer of SSL forward proxy may get overwritten by the 2nd layer of SSL forward proxy. When this happens, certification verification will fail when 1st layer of SSL forward proxy attempts to validate certificate.
Conditions:
Two SSL forward proxies connected via virtual command in iRule.
Impact:
Client traffic gets random reset.
Workaround:
None.
739373 : ASM restart loop after sync from non-ASM to ASM device
Component: Application Security Manager
Symptoms:
When two or more device are configured with Configuration Management interface in a sync-failover device group: if one of the devices does not have ASM provisioned while another one does, performing a config sync of the sync-failover device group from the non-ASM device will cause the /Common/asm-hidden folder to be deleted along with its content.
The next time ASM is restarted (for any reason) on one of the ASM devices, ASM keeps restarting in a loop. Messages similar to the following appear in /var/log/ltm :
-- err mcpd[6550]: 01070734:3: Configuration error: Can't associate Bot Signature Category (/Common/asm-hidden/ASM-search-engines) folder does not exist.
Similarly messages similar to the following appear in /var/log/ts/ts_debug.log:
asm|INFO|Jul 30 12:03:02.481|5282|,,01070734:3: Configuration error: Can't associate Bot Signature Category (/Common/asm-hidden/ASM-search-engines) folder does not exist.
Conditions:
- Two or more devices are connected with a sync-failover device group.
- One device has ASM provisioned, while another device does not have ASM provisioned.
- Performing a sync from the non-ASM device to the ASM device.
Impact:
-- Search Engines are not applied on JavaScript challenges.
-- Upon an ASM restart, ASM restarts in a loop, and the device will remain offline.
Workaround:
Reload the configuration by running the following command:
tmsh save sys config && tmsh load sys config
As an alternative, re-provision ASM by running the following command:
tmsh modify sys provision asm level nominal
739349-2 : LRO segments might be erroneously VLAN-tagged.
Component: Local Traffic Manager
Symptoms:
Segments being processed for large receive offload (LRO) (the action the system performs to aggregate multiple incoming packets within a buffer before passing them up)
might be erroneously VLAN-tagged when LRO is enabled.
Conditions:
-- TCP LRO enabled.
-- Egress VLAN untagged.
Impact:
Egress traffic might sometimes be tagged.
Workaround:
Disable TCP LRO. To enable or disable LRO functionality, you can use the following command syntax:
tmsh modify sys db tm.tcplargereceiveoffload value <enable | disable>
739342-1 : Learning not occurring for some policies
Component: Application Security Manager
Symptoms:
No learning suggestions for some policies
Conditions:
Exact conditions are unknown. This occurred during a specific internal automated scenario, but any manual attempts to reproduce it failed.
Impact:
Learning not occurring for several policies.
Workaround:
restart to policy builder fixes the problem
[killall -s SIGHUP pabnagd]
739277-2 : TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode
Component: Anomaly Detection Services
Symptoms:
TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode
Conditions:
-- The virtual server is deleted during POST data.
-- BADOS configured in standard/aggressive mode.
Impact:
TMM core / traffic does not path through till TMM restarts.
Workaround:
You can work around this issue using either of the following options if you plan to delete a virtual server:
-- First detach the DoS protection profile.
-- Remove BADOS configuration or change BADOS mitigation to Conservative.
739118-2 : Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
Component: TMOS
Symptoms:
Changing existing self IP addresses in bigip_base.conf file directly. After uploading the changed configuration file, BIG-IP routing service provides out of date Self IP route information to dependent services.
Conditions:
- Self IP address is configured on the BIG-IP system.
- Manually change the IP address of a self IP in bigip_base.conf file.
- Load changed configuration via tmsh.
Impact:
Different services have different route information:
-- tmsh table - has the old route.
-- Dynamic routing - hHas the old and new routes.
-- Kernel table - has the new route.
Workaround:
There are two workarounds, preventive and corrective.
Preventive:
Do not manually change self IP addresses in bigip_base.conf file. It is not recommended way to add/change BIG-IP configuration. Use GUI or tmsh instead.
Corrective:
If changed configuration is uploaded. In GUI or tmsh, delete changed self IP address, and then create a self IP address with old IP address and delete it as well. Now, all affected routes are removed.
739024-1 : Kerberos auth fails intermittently after upgrade from v14.0.0
Component: Access Policy Manager
Symptoms:
Kerberos auth fails and the client get credentials prompt (although it does not work even when entering credentials).
Conditions:
1. Configure SWG explicit or transparent proxy.
2. Configure start -> 401 negotiate -> variable assign <session.server.network.name = return "your_proxy_fqdn"> (required for Kerberos auth) -> Kerberos auth in main access policy.
3. Configure start -> SSL check -> [HTTPS | HTTP ] -> category lookup -> allow in per-request policy.
4. Send HTTP/HTTPS request from explicit or transparent client.
Impact:
Kerberos authentication fails.
Workaround:
Change the permission and ownership of the Kerberos keytab file with these commands:
chmod 640 <Kerberos keytab file>
chgrp root <Kerberos keytab file>
738945-3 : SSL persistence does not work when there are multiple handshakes present in a single record
Component: Local Traffic Manager
Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.
Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.
Impact:
SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded on to server but then connection will stall and eventually idle timeout.
Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.
After changing or disabling persistence, the transaction succeeds and no longer hangs.
738864-2 : javascript functions in href are learned from response as new URLs
Component: Application Security Manager
Symptoms:
New urls representing javascript functions are learned from response.
Conditions:
Learn from response is turned on and URLs learning set to 'Always'
Impact:
Wrong URLs are created and added to the policy (not really interfering with enforcement but adds redundant noise to the policy)
Workaround:
Either:
- Change URL learning from 'Always' to any of the other learning options (Compact \ Selective \ Never).
- Disable learn from response
738789-1 : ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog
Component: Application Security Manager
Symptoms:
ASM blocks requests when a request payload is an xml document with a prolog line at the begging with encoding="us-ascii"
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- ASM handles xml traffic with encoding="us-ascii" (this is very unlikely, the common case is encoding="utf-8")
Impact:
Blocked xml requests
Workaround:
Remove xml profile from a url in asm policy or disable XML malformed document detection via asm policy blocking settings
738677-2 : Configured name of wildcard parameter is not sent in data integrity alerts
Component: Fraud Protection Services
Symptoms:
FPS sends a data integrity alert when a parameter is configured with 'Check Data Manipulation' enabled.
the alert includes parameter's actual-name, actual-val-crc, and expected-val-crc.
For wildcard parameters, it is difficult to tell which parameter was found and triggered the data integrity alert, since FPS sends only the actual name that was found in the request.
Conditions:
Wildcard parameter defined for integrity check.
Impact:
Alert analysis is more difficult, as the actual matched parameter is not obvious.
Workaround:
None.
738669-1 : Login validation may fail for a large request with early server response
Component: Fraud Protection Services
Symptoms:
in case of large request/response, if FPS needs to store ingress and ingress chunks in buffer for additional processing (ingress :: for parameter parsing, egress :: for login validation's banned/mandatory strings check or scripts injection), if the server responds fast enough, the buffer may contain mixed parts of request/response. This may have several effects, from incorrectly performing login-validation to generating a tmm core file.
Conditions:
-- Login validation is enabled and configured to check for banned/mandatory string.
-- A username parameter is configured.
-- There are no parameters configured for encrypt/HTML Field Obfuscation (HFO), and no decoy parameters.
-- There is a large request and response.
-- The system response very quickly.
Impact:
This results in one or more of the following:
-- Login validation failure/skip.
-- Bad response/script injection.
-- tmm core. In this case, traffic is disrupted while tmm restarts.
Workaround:
None.
738582-2 : Ping Access Agent Module leaks memory in TMM.
Component: Access Policy Manager
Symptoms:
While handling Ping Access Request, if the internal events passing between modules fail, it might cause a memory leak inside TMM.
Conditions:
Internal events passing between Ping Access Request processing modules fail.
Impact:
Ping Access Agent Module leaks memory in TMM.
Workaround:
None.
738547-2 : SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII
Component: Access Policy Manager
Symptoms:
When SAML metadata file that contains certain UTF-8 characters other than ASCII is imported, SAML SAX Parser returns error
Conditions:
When SAML metadata file contains certain UTF-8 characters other than the ASCII set,
Impact:
SAML metadata file is not imported, and the system reports an error. SAML configuration on BIG-IP systems is impacted.
Workaround:
Remove the non-ASCII UTF-8 characters, and try the import operation again.
738523-1 : SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages
Component: Local Traffic Manager
Symptoms:
When monitoring an SMTP server that emits multi-line '250' responses to the initial 'HELO' message, the monitor fails. If monitor logging is enabled on the pool member, the system posts an error similar to the following in the monitor log:
09:50:08.580145:(_Tcl /Common/mysmtp): ERROR: failed to complete the transfer, Failed to identify domain.
Conditions:
-- Monitoring an SMTP server.
-- SMTP server is configured to return a multi-line '250' response to the initial 'HELO' message.
Impact:
The pool member is marked down even though it is actually up.
Workaround:
None.
738521-3 : i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
Component: Local Traffic Manager
Symptoms:
A trunk configured between a BIG-IP i4x00/i2x00 platform and an upstream switch may go down due to the presence of the VLAN tag.
Conditions:
LACP configured between a BIG-IP i4x00/i2x00 platform and an upstream switch.
Impact:
Trunks are brought down by upstream switch.
Workaround:
There are two workarounds:
-- Configure the trunk as 'untagged' in one of the VLANs in which it's configured.
-- Disable LACP.
738450-2 : Parsing pool members as variables with IP tuple syntax
Component: Local Traffic Manager
Symptoms:
There is a config loading warning at tmsh similar to the following: unexpected end of arguments;expected argument spec:PORT.
Conditions:
Tcl variable is used for the IP tuple instead of a plain value.
Impact:
iRule LB::reselect command may not recognize an IP tuple when it is a variable. tmsh warning shows.
Note: There is no warning in the GUI.
Workaround:
Use plain value instead of variable.
738445-3 : IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup
Component: TMOS
Symptoms:
INVALID_SPI notification does not delete the IPsec-SA with the SPI value that appears in the notify payload. This occurs because the handler of INVALID-SPI notifications performs the following incorrect actions:
-- Fetches SPI from payload as if it's a string, rather than the network byte order integer it actually is.
-- Attempts phase 2 lookup via selector ID (reqid) rather than SPI.
Either alone prevents finding the SA to delete.
Conditions:
An IKEv1 IPsec peer sends an INVALID-SPI notification to the BIG-IP system.
Impact:
The IPsec-SA with that SPI cannot be found and is not deleted.
Workaround:
From the BIG-IP command line, you can still manually delete any IPsec-SA, including the invalid SPI, using the following command:
# tmsh delete net ipsec ipsec-sa spi <spi number>
738397-3 : SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
Component: Access Policy Manager
Symptoms:
For a BIG-IP system configured as IdP, in the SAML-IdP-initiated case: If the IdP has a Per-Request policy (in addition to a V1 policy), such that the Per-Request policy has a subroutine or a subroutine macro with a logon page, the system reports access failure on running the policy.
The error logged is similar to the following: '/Common/sso_access:Common:218f759e: Authorization failure: Denied request for SAML resource /Common/saml_resource_obj1&state=000fffff032db022'.
Conditions:
-- BIG-IP system configured as IdP.
-- SAML IdP initiated case in which the following is true:
+ The IdP has a Per-Request policy (in addition to a V1 policy).
+ That Per-Request policy has a subroutine or a subroutine macro with a logon page.
Impact:
Access is denied. The request URI has '&state=<per-flow-id>' appended to the SAML Resource name.
Workaround:
None.
738211-1 : pabnagd core when centralized learning is turned on
Component: Application Security Manager
Symptoms:
pabnagd (the process responsible for automated and manual policy building operations) restarts and generates a core file. This might result in a loss of learning progress.
Note: This is a very rarely occurring issue.
Conditions:
Centralized learning is enabled for a policy.
Impact:
If there are locally learned policies, the system might lose some number of hours of learning progress. How many hours might be lost depends on the version, as follows:
-- For 13.1.0: 24 hours (12 hours, on average).
-- For 14.0.0: 1 hour (1/2 hour, on average).
Workaround:
None.
738070-1 : Persist value for the RADIUS Framed-IP-Address attribute is not correct
Component: Service Provider
Symptoms:
Using the RADIUS Framed-IP-Address attribute as a persistence value does not work correctly.
Conditions:
Using RADIUS and persisting on the Framed-IP Address attribute (RADIUS AVP 8).
Impact:
RADIUS requests may not get persisted to the servers they should be.
Workaround:
Use an iRule to persist instead, e.g.:
ltm rule radius-persistence {
when CLIENT_DATA {
persist uie [RADIUS::avp 8]
}
}
738045-4 : HTTP filter complains about invalid action in the LTM log file.
Component: Local Traffic Manager
Symptoms:
Payload data is collected at the HTTP_REQUEST event and finishes collecting (HTTP::release) when the NAME_RESOLVED event occurs. On releasing, data is forwarded to the serverside, triggering the HTTP_REQUEST_SEND event.
When trying to raise HTTP_REQUEST_SEND, the iRule queues it and returns IN_PROGRESS, because the system is already in the process of running TCLRULE_NAME_RESOLVED. (Nested iRules: TCLRULE_NAME_RESOLVED -> TCLRULE_HTTP_REQUEST_SEND)
Due to the IN_PROGRESS status, tcp_proxy skips forwarding HUDCTL_REQUEST to the serverside, but not the subsequent payload. So the HTTP filter considers this an invalid action.
Conditions:
-- Standard virtual server with iRules attached (for example, using the following configuration for a virtual server):
when HTTP_REQUEST {
HTTP::collect
NAME::lookup @10.0.66.222 'f5.com'
}
when NAME_RESOLVED {
HTTP::release
}
when HTTP_REQUEST_SEND {
log local0. "Entering HTTP_REQUEST_SEND"
}
-- Client sends two HTTP Post requests.
-- After the first request, the second connection is kept alive (for example, by using HTTP header Connection) so that the second request can reuse the same connection.
Impact:
The second request gets reset, and the system logs errors in the LTM log file.
Workaround:
To avoid nested iRules in this instance, simply remove the HTTP_REQUEST_SEND from the iRule.
737901-3 : Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode
Component: TMOS
Symptoms:
On iSeries platforms, when a VLAN is attached to a vCMP guest, the management MAC address and the host VLAN MAC address will be the same.
Conditions:
-- Creating a VLAN on the host and attaching it to a vCMP guest.
-- iSeries platforms.
Impact:
The management MAC address is the same as the Host VLAN MAC address, resulting in the same MAC being used for the VLAN traffic originating from the vCMP Host along with the Host's mgmt Interface traffic, potentially resulting in issues relating to the inability to differentiate traffic to mgmt port or traffic ports.
Workaround:
There is no workaround at this time.
737900-1 : mcpd might crash on an unlicensed system
Component: TMOS
Symptoms:
On an unlicensed system with a built-in iRule attached to a virtual server, mcpd might crash.
Conditions:
-- Unlicensed system (including as a result of the service agreement check date validation treating a license as invalid).
-- At least one built-in, system-supplied iRule is attached to a virtual server.
-- mcpd loads from the config files, such as when having just upgraded.
Impact:
On an unlicensed system, mcpd might crash repeatedly.
Workaround:
Perform the following procedure:
1. Reactivate the license on the system from the command-line, following the instructions in K2595: Activating and installing a license file from the command line :: https://support.f5.com/csp/article/K2595.
2. License the system.
Note: Running commands (e.g., tmsh show /sys hardware) on VIPRION systems while mcpd is down might fail or otherwise not work as expected.
737867-2 : Scheduled reports are being incorrectly displayed in different partitions
Component: Application Visibility and Reporting
Symptoms:
Scheduled analytics reports are being displayed in the list regardless of selected partition. However, you can only open reports belonging to the selected partition, even if they belong to 'Common'.
Conditions:
System configured with multiple partitions.
Impact:
It makes it difficult to modify reports from different partitions.
Workaround:
Switch to the report's partition before editing it.
737863-2 : Advanced Filters for Captured Transactions not working on Multi-Blade Platforms
Component: Application Visibility and Reporting
Symptoms:
On multi-blade systems, when you navigates to System :: Logs : Captured Transactions, click on Expand Advanced Filters, choose something, and click Update, the GUI reports a 'Could not get captured events' message.
Conditions:
-- Multi-blade systems.
-- AVR provisioned.
-- AVR HTTP Analytics Profile configured with 'Internal Traffic Capturing Logging Type' option enabled.
Impact:
The Captured Transactions filter does not work.
Workaround:
None.
737726-1 : If named is restarted and zrd is not restarted, ZoneRunner can lose contact with the DNS server daemon
Component: Global Traffic Manager (DNS)
Symptoms:
ZoneRunner displays the following error message when attempting to list resource records: No route to host.
Conditions:
-- named is restarted outside of the normal start up procedure.
-- zrd is not restarted.
Impact:
ZoneRunner cannot communicate with named, and thus cannot display resource records.
There are temporary addresses created on the loopback address to facilitate communication between the zrd and named processes. When named is restarted, these temporary address are inadvertently removed.
Workaround:
Restart the zrd process using the following command:
bigstart restart zrd
737692-2 : Handle x520 PF DOWN/UP sequence automatically by VE
Component: TMOS
Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that is passed to the BIG-IP-VE). If an x520 device's PF is set down and then up, tmm does not recover traffic on that interface.
Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.
Impact:
VE does not process any traffic on that VF.
Workaround:
Reboot VE.
737536-3 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
Component: TMOS
Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|
Attempting to redistribute default route received from OSPF process that is peering with the Internet to OSPF process 2. However, if that route is removed (e.g., an Internet link goes down), OSPF process 2 removes the associated route and the 'default-information originate' command is the ideal choice, because as long as the OSPF process 1 default route is in the routing table, the default route is redistributed into OSPF process 2. If that route is gone, OSPF process 2 immediately removes it from routing table. Enabling 'default-information originate' on OSPF process 2 does not affect the outcome, and a default route is not injected like it should be.
Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example:
OSPF router config examples:
***
OSPF 1:
!router ospf 1
ospf router-id 10.13.0.7
redistribute ospf
network 10.13.0.0/16 area 0.0.0.1
default-information originate
OSPF 2:
router ospf 1
ospf router-id 10.14.0.5
redistribute ospf
network 10.14.0.0/16 area 0.0.0.1
BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
***
-- Enable 'default-information originate' on BIG-IP OSPF process 2 should allow OSPF process 2 to receive advertised default route from BIG-IP OSPF process 1 if such exists.
# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
default-information originate
Impact:
A default route from OSPF process 1 is not advertised into OSPF process 2 routing table.
Workaround:
None.
737529-3 : [GTM] load or save configs removes backslash \ from GTM pool member name
Component: Global Traffic Manager (DNS)
Symptoms:
GTM config fails to load, and posts an error similar to the following:
Syntax Error:(/config/bigip_gtm.conf at line: 47) the "create" command does not accept wildcard configuration identifiers
Conditions:
GTM server virtual server name contains a backslash (\) character.
Impact:
GTM config fails to load.
Workaround:
Edit bigip_gtm.conf manually and add the \ character.
Important: The system removes the \ (which results in further validation failures) in response to any of the following actions:
-- Load the GTM config.
-- Make changes to the GTM config, and you or the system saves it.
-- cpcfg operation.
-- Upgrade the system.
737500-1 : Apply Policy and Upgrade time degradation when there are previous enforced rules
Component: Application Security Manager
Symptoms:
When there are previously enforced rules present in the system, the time to apply changes made to a policy, and the time to upgrade the configuration to a new version suffers.
Conditions:
-- Signature Staging is enabled.
-- Updated Signature Enforcement is set to 'Retain previous rule enforcement and place updated rule in staging'.
-- Signatures are enforced on a policy.
-- A new ASM Signature Update is installed, which modifies the matching rule for some enforced signatures.
Impact:
The time to apply changes made to a policy, and the time to upgrade the configuration to a new version, suffers from a inefficiently performing query related to the existence of previously enforced rules.
Workaround:
There is no workaround at this time.
737437-3 : IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages
Component: TMOS
Symptoms:
The BIG-IP system might fail to re-establish an IKEv1 phase 1 security association (ISAKMP-SA) when the Initiator starts the exchange using UDP port 4500. The exchange progresses to the point of NAT detection, whereupon the BIG-IP system stops using the Non-ESP marker and sends malformatted ISAKMP.
Conditions:
All of the following must be true:
-- The BIG-IP system is an IKEv1 Responder.
-- ISAKMP phase 1 negotiation starts on UDP port 4500.
-- NAT is detected on only one side during the phase 1 exchange.
Impact:
-- Establishment of an ISAKMP-SA will fail until the peer device switches to UDP port 500.
-- The remote peer may send INVALID-SPI messages quoting SPI numbers that do not exist.
Workaround:
To help workaround this issue, you can try the following:
-- Make sure the BIG-IP system is always the Initiator.
-- Bypass NAT.
-- Configure both the BIG-IP system and remote peer to use address IDs that are not the same as the IP addresses used in the ISAKMP exchange, thus causing the BIG-IP system to think there is NAT on both sides.
737397-2 : User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP
Component: TMOS
Symptoms:
Unable to archive certificates or keys using GUI and iControlSOAP.
Conditions:
When the user is in Certificate Manager role.
Impact:
Unable to backup certificates or keys.
Workaround:
The user in Certificate Manager role is still be able to export the key and see its PEM string. So you can manually create an archive file by copying the PEM string into a file.
737379-1 : URLCAT doesn't work when we have uppercase characters in feedlist
Component: Traffic Classification Engine
Symptoms:
A URL does not get classified when there are uppercase characters in the feedlist.
Conditions:
Using uppercase characters in the feedlist.
Impact:
URL is not classified as expected.
Workaround:
There is no workaround at this time.
737368-2 : Fingerprint cookie large value may result in tmm core.
Component: Fraud Protection Services
Symptoms:
The JavaScript component calculates part of the fingerprint cookie value. In some rare cases, large values are generated and may result in tmm core.
Conditions:
A large value (more than 35 characters) inside the fingerprint cookie.
Impact:
Memory overrun, tmm core in some cases.
Workaround:
N/A
737355-2 : HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files
Component: Access Policy Manager
Symptoms:
HTTP Strict-Transport-Security (HSTS) headers are missing for some APM-generated files.
Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS enabled.
-- HTTP GET requests for APM renderer files, including CSS, JS, and image files from the webtop.
Impact:
Without these headers, the user agent (browser) may switch to non-secure communication.
Workaround:
None.
737346-2 : After entering username and before password, the logging on user's failure count is incremented.
Component: TMOS
Symptoms:
Listing login failures (i.e., using the following command: 'tmsh show auth login-failures') shows a failed login for the user who is currently logging in via console or SSH.
Conditions:
-- A user is logging in via console or SSH.
-- Between the time the system presents the password prompt and the user enters the password.
Note: This does not apply to GUI or iControl REST logins.
Impact:
If many logins for the same user get to this state simultaneously, it may be enough to exceed a specified lockout threshold, locking the user out.
Workaround:
There is no workaround other than using the GUI or iControl REST to log in to the system.
737147-1 : Key creation on Thales fails with thales 12.40 on tmm interface
Component: Local Traffic Manager
Symptoms:
The key creation is failing for Thales 12.40 installed on tmm interface on BIG-IP.
Conditions:
This occurs when creating keys using tmsh on Thales 12.40 via the tmm interface on BIG-IP
Impact:
You cannot create any keys/certs on Thales.
Workaround:
No workaround.
737064-1 : ACCESS::session iRule commands may not work in serverside events
Component: Access Policy Manager
Symptoms:
-- 'ACCESS::session sid' will returns empty.
-- 'ACCESS::session data get <varname>' returns empty.
Conditions:
-- Using IP-based sessions
-- ACCESS::session iRule commands in a serverside iRule event, such as HTTP_PROXY_CONNECT.
-- Using SSL Bypass. Note: This issue is known to occur when using SSL Bypass, but this is not the only configuration that exhibits the problem.
Impact:
iRules may not work as expected.
Workaround:
There is no workaround at this time.
737055-1 : Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy
Component: TMOS
Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you cannot login to the Configuration Utility. Instead the system presents a blank page, as the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP system.
Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.
Impact:
You are unable to login to the Configuration Utility.
Workaround:
Configure their Reverse Proxy to place the IP address of the BIG-IP system in the Referer header.
735565-4 : BGP neighbor peer-group config element not persisting
Component: TMOS
Symptoms:
neighbor peer-group configuration element not persisting after restart
Conditions:
- dynamic routing enabled
- BGP neighbor configured with peer-group
- BIG-IP or tmrouted daemon restart
Impact:
BGP peer-group configuration elements don't persist
Workaround:
Reconfigure BGP neighbor peer-group after restart
734846-2 : Redirection to logon summary page does not occur after session timeout
Component: TMOS
Symptoms:
After a BIG-IP Administrator user session times out, the user is not automatically redirected to the logon summary page, despite being configured to do so.
Conditions:
-- The BIG-IP system is configured to redirect to the logon summary page immediately after logging in, using the following db variable:
ui.users.redirectsuperuserstoauthsummary = true
-- The BIG-IP Administrator users' session automatically times out.
Impact:
The system does not comply with government security requirements that BIG-IP Administrator users be sent automatically to the logon summary. BIG-IP Administrator users must manually navigate to the logon summary page
Workaround:
Manually navigate to the logon summary page.
734836 : Network Map summary counts pool members more than once if they are shared across pools
Component: TMOS
Symptoms:
On the page at Local Traffic :: Network Map, in the summary view, the total number of pool members shows a larger number if there are pool members referenced by multiple pools.
Conditions:
-- Network Map summary view.
-- Pool members referenced by multiple pools.
Impact:
The number of pools value is higher than the actual number of pools because of how the system tracks a single pool member referenced in multiple pools.
Workaround:
There is no workaround at this time.
734539-4 : The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads
Component: TMOS
Symptoms:
When an IKEv1 peer sends an INVALID-SPI payload, and BIG-IP system cannot find the phase-two Security Association (SA) for that SPI but can find phase-one SA involved; the racoon daemon may crash if there are additional INVALID-SPI payloads afterward.
Conditions:
-- An INVALID-SPI notification is received.
-- That phase-two SA is already gone.
-- The phase-one parent SA is still around.
-- Subsequent notification INVALID-SPI payloads involve the same phase-one SA.
Impact:
The v1 racoon daemon cores, interrupting traffic until new tunnels can be established after racoon restarts.
Workaround:
There is no workaround at this time.
734316-1 : Per-Request Policy may require enabling SSL Forward Proxy Bypass
Component: Access Policy Manager
Symptoms:
For some SSL/TLS traffic, the per-request policy does not complete, leading to hanging connections and/or connection resets.
Conditions:
Reproducible with any forward proxy configuration involving per-request policies. This includes Secure Web Gateway (SWG) and SSL Orchestrator (SSLO).
To reproduce, the SSL Forward Proxy Bypass feature must be disabled in the client and server SSL profiles. This is equivalent to 'always intercept'.
Impact:
Policy execution may stall. Clients may experience hanging connections and/or connection resets.
Workaround:
Perform the following procedure:
1. Enable the SSL Forward Proxy Bypass feature in the client and server SSL profiles.
2. Set the default action to 'Intercept'.
734228 : False-positive illegal-length violation can appear
Component: Application Security Manager
Symptoms:
A false-positive illegal-length violation.
Conditions:
A chunked request where the request length is more than half of the configured max-request length.
Impact:
False-positive illegal-length violation.
Workaround:
Configure a higher max request length violation.
733585-4 : Merged can use %100 of CPU if all stats snapshot files are in the future
Component: TMOS
Symptoms:
Merged uses %100 of CPU if it cannot remove the oldest snapshot file, due to all snapshot files having timestamps in the future.
Conditions:
All stats snapshot file having timestamps in the future, release has the fix for issue 721740, but not this issue.
Impact:
Merged using %100 of the CPU.
Workaround:
Remove snapshot stats files that have timestamps in the future and restart merged.
727467-2 : Some iSeries appliances can experience traffic disruption when the HA peer is upgraded from 12.1.3 and earlier to 13.1.0 or later.
Component: TMOS
Symptoms:
-- CPU core 0 can be seen utilizing 100% CPU.
-- Other even cores may show a 40% increase in CPU usage.
-- Pool monitors are seen flapping in /var/log/ltm.
-- System posts the following messages:
+ In /var/log/ltm:
- err tmm4[21025]: 01340004:3: HA Connection detected dissimilar peer: local npgs 1, remote npgs 1, local npus 8, remote npus 8, local pg 0, remote pg 0, local pu 4, remote pu 0. Connection will be aborted.
+ In /var/log/tmm:
- notice DAGLIB: Invalid table size 12
- notice DAG: Failed to consume DAG data
Conditions:
-- Active unit on a pre-12.1.3.1 release.
-- Standby peer upgraded to a 13.1.0 or later release.
-- Device is an iSeries device (i5600 or later).
Important: This issue may also affect iSeries HA peers on the same software version if the devices do not share the same model number.
Note: Although this also occurs when upgrading to 12.1.3.8 and 13.0.x, the issue is not as severe.
Impact:
- High CPU usage.
- Traffic disruption.
Workaround:
Minimize impact on affected active devices by keeping the upgraded post-13.1.0 unit offline as long as possible before going directly to Active.
For example, on a 12.1.3 unit to be upgraded (pre-upgrade):
-- Run the following command: tmsh run sys failover offline persist
-- Run the following command: tmsh save sys config
-- Upgrade to 13.1.0.8.
-- Unit comes back up on 13.1.0.8 as 'Forced Offline' and does not communicate with the active unit running 12.1.3 at all.
-- Set up HA group and make sure the 12.1.3 Active unit's HA score is lower than 13.1.0.8.
-- To cause the 13.1.0.8 unit to go directly to Active and take over traffic, run the following command on the unit running 13.1.0.8:
tmsh run sys failover online
At this point, the 12.1.3 unit starts to show symptoms of this issue, however, because it is no longer processing traffic, there is no cause for concern.
727297-2 : GUI TACACS+ remote server list should accept hostname
Component: TMOS
Symptoms:
Cannot add hostnames to the Remote - TACACS+ server list in the GUI.
Conditions:
-- On the System :: Users : Authentication page with Remote - TACACS+ specified.
-- Add hostname to the server list.
Impact:
Validation does not accept a hostname. Cannot add hostname as a server.
Workaround:
Use tmsh to add a hostname.
727288-2 : Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC
Component: Service Provider
Symptoms:
Diameter message routing framework sends Capabilities-Exchange-Request (CER)/Device-Watchdog-Request (DWR) with hop-by-hop (h2h) ID and end-to-end (e2e) ID set to 0 as the server.
Conditions:
Diameter Message Routing Framework (MRF) in use
Impact:
The BIG-IP system sends CER and DWR to remote peers.
However, the BIG-IP system sends e2e=0 and h2h=0 as the server ID in the CER and DWR requests. This does not comply with RFC 6733 (https://tools.ietf.org/html/rfc6733).
Workaround:
Use an DIAMETER_EGRESS iRule event to change the hop-by-hop ID and end-to-end server ID.
727212-2 : Subscriber-id query using full length IPv6 address fails.
Component: Carrier-Grade NAT
Symptoms:
FW NAT / CGNAT modules query the subscriber ID using IPv6 address. If the query is done using the IPv6 mask, under some circumstances the query fails.
Conditions:
The network is using an IPv6 mask other than 128. Subscribers are created using the masked IP address as the key. If NAT module uses the complete IP address as the query key, the subscriber will not be found.
Impact:
Logs contain UNKNOWN subscriber-id.
Workaround:
There is no workaround at this time.
726900 : Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters
Component: Local Traffic Manager
Symptoms:
Virtual server may attempt to use syncookies on first SYN packet rather than allowing the connection to pass through to the real server.
Conditions:
Modifying a virtual server (CLI/iControl/GUI) to switch from FastL4 or TCP profiles to an 'ip-other' profile.
Impact:
The configured 'ip-other' virtual server will fail to accept all traffic. For example, a TCP or a UDP flow which should have been accepted and processed by the 'ip-other' virtual server will be dropped incorrectly, trying to enforce 'Syn Cookie' validation.
Workaround:
When switching a virtual server profile from FastL4/TCP to the 'ip-other' profile, delete the virtual server and then re-add it with the 'ip-other' profile.
726872-1 : IApp LX directory disappears after upgrade or restoring from ucs★
Component: iApp Technology
Symptoms:
After BIG-IP version upgrade or restoring from UCS, iApps/Application Services/Applications LX screen displays instances of iApps LX, but their UI is not functional. That is caused by the software defect causing iApp LX directory to disappear from /var/config/rest/iapps.
Conditions:
This issue can only happen during initial start after BIG-IP version upgrade or restoring from UCS. The more iApps LX instances and the more configuration they use, the more likely this issue to happen. We observed this issue with 90+ instances of f5-ddos-hybrid-defender iApp LX.
Impact:
The code of iAppLX is removed from the system because of the defect. That makes iAppLX UI unusable. The configuration deployed by the iApp LX instances remains in effect. The iApp LX configuration data remain intact and UI can be completely restored after manual installation of iApp LX code.
Workaround:
1. Copy iAppLX code from an unaffected BIG-IP to the BIG-IP impacted by this defect. For example,
/var/config/rest/iapps/f5-ddos-hybrid-defender.
2. Create a symlink to UI code for UI to work. For example,
ln -sfvn /var/config/rest/iapps/f5-ddos-hybrid-defender/presentation /var/iapps/www/f5-ddos-hybrid-defender
3. Restart restjavad:
bigstart restart restjavad
4. Restart restnoded:
bigstart restart restnoded
726852-1 : AVR inject CSPM event when there is no analytics profile on the virtual server
Component: Application Visibility and Reporting
Symptoms:
When there is a request for page load time in the analytics profile, and changes to the configuration remove the analytics profile, AVR will continue to inject the Client Side Performance Monitoring (CSPM) cookie.
Conditions:
-- Request for page-load-time statistic.
-- The analytics profile has been removed from the virtual server.
Impact:
Page-load-time cookie is injected when it should not be.
Workaround:
Uncheck the page-load-time checkbox before removing the profile from the virtual server.
726734-3 : DAGv2 port lookup stringent may fail
Component: Local Traffic Manager
Symptoms:
Under certain circumstances tmm might not be able to find a local port, and the connection may fail. This happens, for example, for active FTP with mirroring enabled.
Conditions:
Active FTP with mirroring enabled.
Impact:
Connection cannot get established.
Workaround:
There is no workaround other than to disable mirroring.
726616-2 : TMM crashes when a session is terminated
Component: Access Policy Manager
Symptoms:
TMM crashes when it is releasing the memory used by a session that is terminated. Either one of the following error messages might appear in the TMM log:
-- notice panic: ../kern/umem.c:4166: Assertion "valid type" failed.
-- notice panic: ../kern/page_alloc.c:705: Assertion "vmem_hashlist_remove not found" failed.
Conditions:
The memory used by a session is corrupted during the lifetime of the session. This issue happens infrequently.
Impact:
TMM restarts, causing service interruption if the BIG-IP system is not part of a high-availability setup.
Workaround:
There is no workaround at this time.
726487-3 : MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
Component: TMOS
Symptoms:
The MCPD daemon on secondary VIPRION or vCMP blades exits and restarts, logging errors similar to the following:
-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.
-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.
Or:
--- err mcpd[8320]: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).
--- err mcpd[8320]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).... failed validation with error 17236027.
Conditions:
This issue occurs when all of the following conditions are met:
-- VIPRION or vCMP platform with more than one blade.
-- A partition with a non-default route domain.
-- Creating a pool member in the aforementioned partition while a configuration save is taking place at the same time (either system or user initiated).
Impact:
If the system is Active, traffic will be disrupted as the secondary blades restart. The capacity of the system will be reduced until all blades are on-line again. Additionally, depending on the system configuration, the system may fail over to its peer (if one exists).
Workaround:
There is no workaround other than not to create pool members from a different client while saving configuration changes in another client. However, this does not help if the configuration save operation was system-initiated.
726317-5 : Improved debugging output for mcpd
Component: TMOS
Symptoms:
In some cases, mcpd debugging output is insufficient for diagnosing a problem.
Conditions:
Using debugging in mcpd, specifically, setting log.mcpd.level to debug.
Impact:
None. Has no effect without log.mcpd.level set to debug.
Workaround:
None.
726303-2 : Unlock 10 million custom db entry limit
Component: Traffic Classification Engine
Symptoms:
Cannot add more than 10 million custom db entries.
Conditions:
This happens when you try to add more than 10 million custom db entries.
Impact:
Not able to add more than 10 million entries.
Workaround:
There is no workaround at this time.
726232-3 : iRule drop/discard may crash tmm
Component: Local Traffic Manager
Symptoms:
TMM crash after an iRule attempts to drop packet.
Conditions:
Virtual server with UDP profile, and following iRule:
when LB_SELECTED {
drop
# discard - drop is the same as discard
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
726154-3 : TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies
Component: Advanced Firewall Manager
Symptoms:
TMM might restart when changing firewall or NAT configurations on a virtual server with the same name as a route-domain.
Conditions:
- There is a virtual server and a route-domain that have the same name in the configuration.
- A firewall or NAT policy is being attached or removed from one or both of the virtual server or route-domain.
Impact:
TMM might halt and traffic processing temporarily ceases. TMM restarts and traffic processing resumes.
Workaround:
There is no workaround other than not to use the same name for virtual server and route-domain objects.
726090 : No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense
Component: Application Security Manager
Symptoms:
Device ID challenges are not logged in the Bot Defense Request Log (local and remote) when associating the Bot Defense logging profile to the virtual server.
Conditions:
-- Device ID is enabled on the ASM Policy.
-- DoS profile with Proactive Bot Defense is not associated with the virtual server.
Impact:
There are no logs to show the browser challenges and the requests from clients that do not support JavaScript.
Workaround:
There is no workaround at this time.
726011-3 : PEM transaction-enabled policy action lookup optimization to be controlled by a sys db
Component: Policy Enforcement Manager
Symptoms:
There is no way to disable optimization if time-based actions are enabled in the PEM policy and a statistical transaction-based action enforcement is desired.
Conditions:
If the PEM classification tokens do not change.
Impact:
Time-based actions such as insert content may not get applied to such flows.
Workaround:
None.
725867-1 : ADFS proxy does not fetch configuration for non-floating virtual servers
Component: Access Policy Manager
Symptoms:
If the virtual address of a virtual server has a non-floating traffic group (e.g., traffic-group-local-only), ADFS proxy does not perform periodic configuration updates, including listing allowed URIs from ADFS, and thus blocks all the requests (by responding with 404).
Conditions:
-- Virtual address of virtual server has non-floating traffic group.
-- ADFS proxy feature is enabled on the virtual server.
Impact:
All the requests to ADFS are blocked.
Workaround:
Set floating traffic group for virtual address (e.g., traffic-group-1).
725840-1 : Customization group object is not deleted when SAML resource object is deleted
Component: Access Policy Manager
Symptoms:
Customization group object for the corresponding SAMLResource object is in the configuration store, even after SAMLResource is deleted in GUI/TMSH.
Conditions:
-- Customization Object is in the configuration store.
-- Delete the SAMLResource.
Impact:
There is no functional impact, but additional configuration objects exist in the configuration store.
Workaround:
Delete the customization group object manually in TMSH.
The BIG-IP system administrator can delete those customization groups if the corresponding SAML resources are deleted or do not exist in the configuration.
The command 'list apm policy customization-group' lists all the customization groups. The SAML-specific customization groups end with '_resource_saml_customization' and are prefixed with the SAML resource name (SAML resource name concatenated with literal 'resource_saml_customization').
725791-5 : Potential HW/HSB issue detected
Component: TMOS
Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.
With a burst of CRC errors in the SRAM for ePVA transformation cache, it won't trigger a failover and causes a silent traffic outage on the FastL4 VIP with hardware traffic acceleration. This is because the health check watchdog packets are still functioning correctly, and the current TMOS software primarily monitors watchdog packets tx/rx failures to trigger failover.
In these cases, there might be the following messages in /var/log/tmm*:
Device error: hsb_lbb* tre2_crc_errs count *
Conditions:
Traffic is offloaded to HSB hardware for acceleration.
Impact:
Hardware accelerated traffic drop.
Workaround:
Switch traffic to software acceleration.
724679-1 : Non-attacking IP addresses could be logged along with attacking IP addresses when DoS detects an attack
Component: Advanced Firewall Manager
Symptoms:
During an attack, MySQL might log IP addresses that are not part of an attack along with the IP addresses that are part of the attack.
Conditions:
This occurs when the system detects a BadEndpoint attack.
Impact:
The system might log messages related to IP addresses that are not part of the attack. These IP addresses are not part of the attack and may be ignored.
Workaround:
None.
724532-3 : SIG SEGV during IP intelligence category match in TMM
Component: Advanced Firewall Manager
Symptoms:
TMM restart while matching traffic from source IP to IP Intelligence category.
Conditions:
Multiple configuration changes that include deleting the custom IP intelligence categories.
Impact:
TMM restart. Traffic disrupted while tmm restarts.
Workaround:
None.
724414-1 : ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled
Component: Application Security Manager
Symptoms:
When ASM inspects WebSocket frames, the bd daemon memory is leaking; eventually ASM stops inspecting traffic and sends resets or bypass requests.
Conditions:
ASM module is provisioned.
-- ASM policy and WebSocket profile are attached to a virtual server.
-- WebSocket URL has JSON profile attached to it.
-- JSON profile has parse parameters flag enabled (this is the default).
Impact:
ASM may reset connections; failover might occur.
Workaround:
There are two workarounds:
-- Remove JSON profile from WebSocket URL in the ASM policy.
-- Disable parse parameters flag in the json profile.
724214-4 : TMM core when using Multipath TCP
Component: Local Traffic Manager
Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic interrupted while TMM restarts.
Workaround:
There is no workaround other than to disable MPTCP.
724143-2 : IKEv2 connflow expiration upon ike-peer change
Component: TMOS
Symptoms:
Altering the definition of an ike-peer does not expire the connflow used for the tunnel, so it remains in use for the tunnel.
Conditions:
-- Making any change to an IKEv2 ike-peer, even insignificant changes such as a description change.
-- Running a system version that has new attribute auth-rule inside ike-peer.
Note: This is not likely to occur in older system versions where no ike-peer state exists inside a connflow, because any ike-peer changes do replace the associated objects. In those cases, even though the same connflow is used, the system uses new algorithms for the ike-peer.
Impact:
In effect, you cannot change the configuration of the flow by changing the peer definition.
Workaround:
There is no workaround at this time.
724032-2 : Searching Request Log for value containing backslash does not return expected result
Component: Application Security Manager
Symptoms:
Searching within Request Log for a value containing backslash does not return the expected result. This happens because escaping of backslashes in REST API access is handled differently with 'eq' and 'contains' filters.
Conditions:
Searching within Request Log for a value containing backslash.
Impact:
Search within Request Log record containing backslash does not return the expected result.
Workaround:
Backslashes in REST API requests should be doubled when searching using 'contains' filter, but must not be doubled when searching with 'eq' filter.
723988-1 : IKEv1 phase2 key length can be changed during SA negotiation
Component: TMOS
Symptoms:
Using IKEv1, if phase2 key length does not agree on both sides, a responder accepts whatever the initiator proposes as key length, but only after an initiator is authenticated. This results in key length downgrade or upgrade at a trusted peer's request, because the IKEv1 daemon was configured to obey the other peer's key length request.
Conditions:
The value of the ike-phase2-encrypt-algorithm on both sides agree on the encryption algorithm, but differ in key length. For example, if the initiator picks AES128 when the responder expects AES256.
Impact:
The responder accepts AES128 anyway. Although phase1 key length must be an exact match, when phase2 key length does not match, this allows an initiating peer to change the key length a responder uses, thus changing the strength configured by that responder.
Workaround:
No workaround is known at this time.
723790-2 : Idle asm_config_server handlers consumes a lot of memory
Component: Application Security Manager
Symptoms:
Idle asm_config_server handlers needlessly uses a large amount of memory.
Conditions:
This issue might result from several sets of conditions. Here is one:
Exporting a big XML ASM policy and then leaving the BIG-IP system idle. Relevant asm_config_server handler process increases its memory consumption and stays that way, holding on to the memory until it is released with a restart.
Impact:
Unnecessary memory consumption.
Workaround:
1) Lower the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server:
---------------
# perl -pi.bak -e 's/MaxMemorySize=471859200/MaxMemorySize=262144000/' /etc/ts/tools/asm_config_server.cfg
---------------
2) Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
Notes:
-- The provided workaround does not permanently fix the issue. Instead it alleviates the symptoms of memory pressure, by (1) lowering the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server, and (2) freeing up all the memory that is currently taken by all asm_config_server processes.
-- This workaround does not cause any down time; the asm_config_server processes automatically start within ~30 seconds.
723711-2 : IPsec keys are once again logged when db variable ipsec.debug.logkeys equals 1
Component: TMOS
Symptoms:
Logging of keys when debug mode was "debug" or higher in IKEv1's /var/log/racoon.log was disabled in an earlier release. IKEv2's logging of keys in other log files was disabled as well.
Conditions:
-- When negotiating any IKEv1 security association.
-- When negotiating any IKEv2 security association when ikedaemon log level has been set to debug or debug2.
Impact:
Keys, nonces, and several other "sensitive" values are no longer logged for either IKEv1 or IKEv2, making it hard to decrypt test traffic when debugging in the aftermath of problems.
Workaround:
There is no work around on the BIG-IP. However, debug logs on the remote peer, if not a BIG-IP, may provide the desired key information.
723658-2 : TMM core when processing an unexpected remote session DB response.
Component: Carrier-Grade NAT
Symptoms:
Using CGNAT or FW-NAT on a cluster may cause a TMM core if there are intra-cluster communication issues that cause CMP state transitions.
The system writes messages to /var/log/tmm* similar to the following:
notice CDP: exceeded 1/2 timeout for PG 1
notice CDP: PG 1 timed out
notice CDP: New pending state 0f -> 0d
notice Immediately transitioning dissaggregator to state 0xd
notice cmp state: 0xd
notice CDP: New pending state 0d -> 0f
...
notice cmp state: 0xf
notice CDP: exceeded 1/2 timeout for PG 1
Conditions:
-- A LSN pool or FW-NAT source translation that has persistence enabled.
-- Intra-cluster communication issues that cause CMP state transitions.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
723306-2 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
Component: Local Traffic Manager
Symptoms:
Loading correct configuration with 'tmsh load /sys config' fails. The error message appears similar to the following:
01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
Unexpected Error: Loading configuration process failed.
Conditions:
Creating internal virtual server, when 0.0.0.0 address exists on another partition.
Impact:
Inability to load config, with created internal virtual server.
Workaround:
Create internal virtual server first; then create the 0.0.0.0 address on different partition.
723288-1 : DNS cache replication between TMMs does not always work for net dns-resolver
Component: Global Traffic Manager (DNS)
Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.
Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.
Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.
Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.
Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)
723095-3 : Add record type breaks commands 'modify gtm pool type all'; errors on nonexistent pool
Component: Global Traffic Manager (DNS)
Symptoms:
tmsh command returns an error similar to the following message:
01070227:3: Pool Member references a nonexistent Pool (/Common/poolname of type NAPTR)
Conditions:
Changing the record type on GTM pool members by running the following command: tmsh modify gtm pool type all members add.
Impact:
Unable to add pool members quickly to all pools of the same type.
Workaround:
There is no workaround at this time.
722991-1 : File "dead.letter" may show up in /root directory
Component: Access Policy Manager
Symptoms:
In /root directory, there is a file named "dead.letter" with
/etc/cron.daily/cleanup_sync_files:
ls: cannot access /config/filestore/sync_file_request_d: No such file or directory
Conditions:
If your device does not use LocalDB feature or there is no local user created.
Impact:
The file /root/dead.letter grows daily by 5 lines regarding missing sync_file_request_d directory.
Workaround:
Having MAILTO="" in /etc/crontab will stop this from happening.
722862 : ASM CAPTCHA sends non url-encoded payload when captcha is submitted by pressing 'Enter'
Component: Application Security Manager
Symptoms:
When an APM end-user gets the ASM CAPTCHA page, types the correct CAPTCHA letters and presses the 'Enter' key, rather than clicking the Submit button. The CAPTCHA letters are sent to the BIG-IP system along with other request parameters, these additional parameters are forwarded to the backend server incorrectly as non-url-encoded, they should be url-encoded.
Conditions:
This occurs when the following conditions are met:
-- ASM provisioned.
-- DoS application or ASM policy attached to a virtual server.
-- DoS application or ASM policy has CAPTCHA enabled.
-- User submits the CAPTCHA form using the 'Enter' key.
Impact:
Application receives unexpected content, which might cause the backend server's application business logic to not work as expected.
Workaround:
Disable CAPTCHA within the DoS application or ASM policy.
722741-2 : Damaged tmm dns db file causes zxfrd/tmm core
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd/tmm cores on startup.
Conditions:
Damaged tmm dns db file.
Impact:
System remains in a tmm-restart loop caused by tmm opening a corrupted tmmdns.bin on startup and segfaulting. Traffic disrupted while tmm restarts.
Workaround:
Delete the damaged db files.
722734-2 : 'No Access' error when viewing properties page of a GTM Pool member whose name includes a partition that does not exist on that BIG-IP system.
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system posts a 'No Access' error message instead of the GTM Pool member's properties.
Conditions:
-- At least two BIG-IP systems in a sync group.
-- One of the BIG-IP systems has a partition that does not exist on the other, with a GTM Pool member on that partition.
-- The issue occurs when a GSLB Server discovers that GTM Pool member and displays it on its properties page.
Note: This same error message displays for GSLB Server's virtual server properties accessed by navigating to GSLB :: servers :: [server] :: virtual servers :: [virtual server]. The differing issues have been fixed in differing releases. You can find information about the similar issue in the AskF5 Bug Tracker article for 710032.
Impact:
It makes the GSLB pool member's properties page unavailable in this case.
Workaround:
Use either of the following workaroudns:
-- Use TMSH to view or edit the properties of that GTM Pool member.
-- Create partitions on the GTM device to match those appearing to be referenced in the object names.
722707-3 : mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
Component: Local Traffic Manager
Symptoms:
The 'debug' log for a 'mysql' monitor may incorrectly report data being received from the database when network routing is configured to drop packets from that database, causing confusion when diagnosing packet traffic. This might be stimulated by configuring the firewall to enable traffic to/from the 'mysql' database, and then (after the 'mysql' monitor successfully connecting with the database) changing firewall rules to drop packets returned *from* the database.
Conditions:
-- A 'mysql' monitor successfully connects to the 'MySql' database.
2. Once connection is established, firewall rules are changed to 'DROP' packets returned from the 'MySQL' database, resulting in several entries in the 'mysql' monitor 'debug' log that incorrectly suggest packets were received from the 'MySQL' database.
Impact:
Several log entries may be made in the 'mysql' debug log suggesting packets were received from the 'MySQL' database (after a previous successful database probe connection), when in fact those packets were dropped due to changes in the firewall rules. These log entries may confuse debugging scenarios, but will typically self-correct (such as after three log message entries).
Workaround:
When configuring network traffic for 'MySQL' database resources, ensure symmetry for traffic handling (either bi-directional packet routing between 'bigd' and the 'MySQL' database is supported, or neither 'send' nor 'receive' packet routing to the 'MySQL' database is supported).
722534-2 : load sys config merge not supported for iRulesLX
Component: Local Traffic Manager
Symptoms:
iRulesLX configurations are (for the most part) contained in the file system, rather than the 'traditional' BIG-IP config files. An attempt to merge configurations containing iRulesLX using the tmsh command 'load sys config merge' options fails with an error similar to the following:
# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ilx plugin test-plugin {
from-workspace test-ws
}
Validating configuration...
Unexpected Error: "basic_string::at"
Conditions:
The configuration being merged contains iRulesLX.
Impact:
The merge will fail with the error: Unexpected Error: "basic_string::at". The previous configuration will continue to work.
Workaround:
There is no workaround at this time for merging iRulesLX configuration. If the iRulesLX configuration is removed from the configuration to be merged, the merge will work.
722423-2 : Analytics agent always resets when Category Lookup is of type custom only
Component: Access Policy Manager
Symptoms:
Analytics errors out with a log that says you cannot use custom lookup only along with analytics (/var/log/apm). Even if the Analytics agent is set to disable RST on failure, the agent will send a RST.
Conditions:
In the per-request policy, Category Lookup agent is set to custom lookup only.
Impact:
This configuration leads to an Analytics agent with 'RST on Failure' disabled. The BIG-IP Admin cannot make the choice to disable RST on failure for this particular setup (even though it is a misconfiguration).
Workaround:
You can avoid the RST and error by modifying the configuration to use a standard category lookup before the analytics agent.
Using a custom-only 'Category Lookup' immediately followed by 'Response Analytics' is not a valid configuration. In this configuration, Analytics cannot run the way it is supposed to because it does not have the right information. 'Response Analytics' gives the option to choose what to do on error: RST, or continue on, implying that the non-RST option is valid. If the admin chooses to not reset, the system should log the error and continue. In this case, the system actually does send a RST, even though the RST is not what the BIG-IP admin intended to configure.
722380-1 : The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
Component: TMOS
Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then TMM panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On these platforms, the reboot occurs before the core file is fully written, resulting in a truncated core.
Conditions:
An HSB lockup occurs on an i10600 or i10800 platform, triggering a core dump and a nic_failsafe reboot.
Impact:
The reboot happens after the core dump begins before it completes, resulting in a truncated core dump, which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.
Workaround:
None.
722294-1 : Reported session ID keeps changing for the same user session when ASM doesn't track sessions
Component: Application Security Manager
Symptoms:
A reported session ID is not maintained for the same user session.
Conditions:
-- Simple, feature-less policy (i.e., policy contains only attack signatures).
-- There are no cookies coming in from the server.
Impact:
The TS cookie is not created since there is no cookie-enforcing feature that is turned on (such as session tracking). Although this is correct behavior, it might result in confusion when there is a different, random session ID on each request.
Workaround:
Turn on a cookie-related feature (such as session tracking).
722013-2 : MCPD restarts on all secondary blades post config-sync involving APM customization group
Component: Access Policy Manager
Symptoms:
After performing a series of specific config-sync operations between multi-blade systems, the MCPD daemon restarts on all secondary blades of one of the systems.
Each affected blade will log an error message similar to the following example:
-- err mcpd[5038]: 01070711:3: Caught runtime exception, Failed to collect files (snapshot path () req (7853) pmgr (7853) not valid msg (create_if { customization_group { customization_group_name "/Common/Test-A_secure_access_client_customization" customization_group_app_id "" customization_group_config_source 0 customization_group_cache_path "/config/filestore/files_d/Common_d/customization_group_d/:Common:Test-A_secure_access_client_customization_66596_1" customization_group_system_path "" customization_group_is_system 0 customization_group_access 3 customization_group_is_dynamic 0 customization_group_checksum "SHA1:62:fd61541c1097d460e42c50904684def2794ba70d" customization_group_create_time 1524643393 customization_group_last_update_time 1524643393 customization_group_created_by "admin" customization_group_last_updated_by "admin" customization_group_size 62 customization_group_mode 33188 customization_group_update_revision 1
Conditions:
This issue occurs when all of the following conditions are met:
- You have configured a device-group consisting of multi-blade systems (such as VIPRION devices or vCMP guests).
- Systems are provisioned for APM.
- The device-group is configured for incremental manual synchronizations.
- On one system (for example, source_system), you create an APM configuration object (for example, a connectivity profile) that causes the automatic creation of an associated customization group.
- You synchronize the configuration from the source_system to the device-group.
- On the source_system, you create a new configuration object of any kind (for example, an LTM node).
- Instead of synchronizing the newest configuration to the device-group, you synchronize the configuration from another device in the device-group to the source_system (which effectively undoes your recent change).
- The MCPD daemon restarts on all secondary blades of the source_system.
Impact:
While the MCPD daemon restarts, the blade is offline, and many other BIG-IP daemons need to restart along with MCPD.
-- If the source_system is Active, the load capacity of the system temporarily decreases proportionally to the number of blades restarting. Additionally, if the systems use the min-up-members or HA-Group features, losing a certain number of secondary blades may trigger a failover.
-- If the source_system is Standby, some of the previously mirrored information may become lost as TMM on secondary blades restarts along with MCPD. Should this system later become the Active system, traffic may be impacted by the lack of previously mirrored information.
Workaround:
None.
721752-3 : Null char returned in REST for Suggestion with more than MAX_INT occurrences
Component: Application Security Manager
Symptoms:
Unable to view ASM event log details for a majority of violations.
Conditions:
Suggestion with more than MAX_INT (2,147,483,647) occurrences.
Impact:
Null char returned in REST for Suggestion with more than MAX_INT occurrences.
Workaround:
Use the following sql command:
UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647 where occurrence_count < 0;
721579-2 : LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing
Component: Carrier-Grade NAT
Symptoms:
When checking persistence TTL by using 'lsndb list all', TTL for 'LSN Persistence Entries' and Age for 'LSN Inbound Mapping Entries' are reset once at around the halfway point of the persistence timeout, even though there is no traffic.
Conditions:
-- LSN with persistence timeout configured.
-- Using the following command: lsndb list all.
Impact:
lsndb shows misleading stats.
Workaround:
There is no workaround at this time.
721399-1 : Signature Set cannot be modified to Accuracy = 'All' after another value
Component: Application Security Manager
Symptoms:
ASM Signature Set cannot be modified to Accuracy = 'All' after another value was used previously.
Conditions:
-- ASM Signature Set has a value set for Accuracy filter.
-- Accuracy is subsequently set to 'All'.
Impact:
The change to Accuracy = 'All' does not take effect. ASM Signature Set cannot be modified to Accuracy = 'All'.
Workaround:
You can use either of the following workarounds:
-- Delete and re-create the Signature Set with the desired value.
-- Modify the filter to a value that will match all results (such as Accuracy is greater than or equal to 'Low').
721350-3 : The size of the icrd_child process is steadily growing
Component: TMOS
Symptoms:
The resident segment size (rss) for the icrd_child process continues to increase on issuing iCR GET requests. This increase is permanent and the rss does not drop back to its original size.
Conditions:
The following is an example config under which this issue occurs. Note this is an illustrative example; the actual issue might occur for various config objects.
GET tm/ltm/virtual?expandSubcollections=true wherein the virtual has some profiles associated with it.
ltm pool p-http { }
ltm virtual novel-1000 {
...
pool p-http
profiles {
analytics { }
http { }
tcp { }
}
....
}
# tmctl proc_pid_stat 'proc_name=icrd_child' -s proc_name,ppid,vsize,rss
On subsequent GET requests the rss size continues to increase.
Impact:
Increase in the rss of the icrd_child process. This increase could lead to icrd_child core or swapping of processes into the rss due to limited memory left for other processes.
Workaround:
There is no workaround.
721261-2 : v12.x Policy rule names containing slashes are not migrated properly
Component: Local Traffic Manager
Symptoms:
When migrating from v12.x to v13.0.x, 13.1.x, or 14.0.x, LTM polices that have rules containing the slash character will not migrate properly, and roll-forward migration will fail.
Conditions:
-- BIG-IP systems running v12.x.
-- Configuration contains LTM Policy rules whose names include the slash (/) character.
-- Upgrading to v13.0.x, 13.1.x, or 14.0.x.
Impact:
Roll-forward migration fails with the error: illegal characters in rule name.
Workaround:
Edit the rule names within LTM Policies, replacing the now-illegal slash (/) character with a legal alternative, such as the underscore (_).
Alternately, prior to migration, rename the rules on the v12.x system, and then perform the upgrade.
721020-2 : Changes to the master key are reverted after full sync
Component: TMOS
Symptoms:
Changing the master key on a device that is in a device cluster are reverted when performing a full sync of any device-group. The master key is reset to its previous value.
Conditions:
-- The BIG-IP system is in a device cluster.
-- You change the master key from within TMSH.
Impact:
Subsequent configuration loads fail on the device.
Workaround:
There is no workaround.
720819-3 : Certain platforms may take longer than expected to detect and recover from HSB lock-ups
Component: TMOS
Symptoms:
In the unlikely event of a HSB lock-up, certain BIG-IP platforms may take longer than expected to detect and recover from the condition.
For instance, it may take several minutes for an affected unit to detect the condition and initiate the predefined failsafe action.
Instead, the recovery mechanism should trigger almost instantaneously.
Conditions:
This issue occurs when all of the following conditions are met:
-- The BIG-IP system is an i56xx/i58xx, i76xx/i78xx, or i106xx/i108xx platform.
-- The HSB locks-up due to a different issue.
Impact:
Traffic is negatively impacted until the BIG-IP system detects and remedies the condition. This might take up to 15 minutes before remedied by a reboot, depending on other traffic being processed.
Workaround:
None.
720757-2 : Without proper licenses Category Lookup always fails with license error in Allow Ending
Component: Access Policy Manager
Symptoms:
When a per-request policy's Category Lookup agent queries Standard Categories with an expired SWG/URLF license (and has 'RST on failure' disabled), the execution always ends with the following log messages:
Error: Global concurrent url filter session limit reached
The connection is aborted.
Conditions:
Category Lookup agent set to query the urldb engine (standard categories) with either no SWG/URLF license or an expired license.
Impact:
Even if 'RST on failure' is disabled, traffic cannot reach the allow ending successfully.
Workaround:
Remove the Category Lookup with standard category lookup from the per-request policy if the licenses do not allow for its use.
720669-1 : Within the GUI, the 'MQTT-TLS' service port is incorrectly reported as 'common.all.MQTT-TLS'.
Component: TMOS
Symptoms:
In some sections of the GUI, the 'MQTT-TLS' service port may be incorrectly reported as 'common.all.MQTT-TLS'.
Conditions:
This is currently known to happen in the 'Virtual Server List' screen when a virtual server is configured to listen on port 8883 (a.k.a. MQTT-TLS).
Impact:
None. The issue is cosmetic and has no effect on traffic.
Workaround:
None.
720610-1 : Updatecheck logs bogus 'Update Server unavailable' on every run
Component: TMOS
Symptoms:
The updatecheck operation erroneously logs that the Update Server is unavailable on every run, successful or not.
Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.
Impact:
Misleading messages in the log file, implying that the update server is not available.
Workaround:
None.
720585-2 : Signatures generated by Behavioral DOS algorithm can create false-positive signatures
Component: Anomaly Detection Services
Symptoms:
There is probability that the generated signatures will block unknown traffic (the traffic that was not presenting before the attack) even if it's not necessary from service health perspective
Conditions:
Run attack traffic.
In parallel run unknown traffic.
It should exceed the learned baseline together with the good traffic.
Impact:
The signatures may block unknown traffic even if it's not necessary from S/H perspective
Workaround:
There is no workaround at this time.
720581-1 : Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files
Component: Application Security Manager
Symptoms:
When using Policy Merge to add an XML Profile from policy A to policy B, if there are any Schema files (such as xsd or wsdl) associated with the profile, then the XML Profile added to policy B erroneously points to the file that is in policy A and does not create a new reference within policy B.
Conditions:
Policy Merge is used to add an XML Policy that contains a schema file from one policy to another.
Impact:
-- The reference to an object in another policy breaks BIG-IQ discovery.
-- The policy is not consistent after export/import.
Workaround:
None.
720461-1 : qkview prompts for password on chassis
Component: TMOS
Symptoms:
Qkview prompts for a password when executing getnodedates from the chassis module.
Conditions:
SSH auth keys are missing or corrupted.
Impact:
This blocks collecting qkview.
Workaround:
Edit the /user/bin/getnodedates script and add -oBatchMode=yes for the SSH command as shown in the following example:
$date = `/usr/bin/ssh -q -oBatchMode=yes -oStrictHostKeyChecking=no $ip /bin/date`;
720460-3 : Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly
Component: Local Traffic Manager
Symptoms:
The sys db compression.strategy is used to control the compression-provider selection. When it is set to 'softwareonly', compression somehow still selects a hardware accelerator.
Conditions:
This always happens when compression.strategy is set to 'softwareonly'.
Impact:
Compression.strategy set to 'softwareonly' does not work, and if there is a problem in a hardware accelerator, compression will still select the hardware accelerator, even though software compression is desired.
Workaround:
There is no workaround.
720440-2 : Radius monitor marks pool members down after 6 seconds
Component: Local Traffic Manager
Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.
Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.
Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.
Workaround:
There is no workaround at this time.
720269-1 : TACACS audit logging may append garbage characters to the end of log strings
Component: TMOS
Symptoms:
When using TACACS audit logging, you might see extra 'garbage' characters appended to the end of logging strings.
Conditions:
Using audit forwarding with a remote TACACS server.
Impact:
Confusing log messages. Remote TACACS logging might stop altogether after some time.
Workaround:
There is no workaround at this time.
720242-1 : GUI for AFM rules shows protocol value IPENCAP for rules under rule-list
Component: Advanced Firewall Manager
Symptoms:
When you set the protocol field to 'IPv4', it is displayed as 'IPENCAP' after saving.
Conditions:
This occurs only for rules under RuleList.
Impact:
Protocol value is displayed as 'IPENCAP' as opposed to 'IPv4'.
Workaround:
None.
720219-2 : HSL::log command can fail to pick new pool member if last picked member is 'checking'
Solution Article: K13109068
Component: Local Traffic Manager
Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.
Conditions:
-- Using HSL::log command.
-- iRule with a remote high speed logging configured.
Impact:
Failure to send log messages via HSL.
Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.
720030-5 : Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)
Component: Access Policy Manager
Symptoms:
Kerberos DNS SRV requests are generated without enabling EDNS0. Without this, internal DNS server (dnscached) truncates the UDP response if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in a lot of TIME_WAIT connections on the socket using dnscached.
Conditions:
APM end users using Kerberos SSO to access backend resources.
Impact:
Ability to create new DNS requests is affected, if there are numerous sockets in TIME_WAIT. This can result in scalability issues.
Workaround:
For BIG-IP software v12.x and later,
Edit the /etc/resolv.conf file to add an EDNS0 option.
There is no workaround if you are running a version earlier than 12.x.
719770-1 : tmctl -H -V and -l options without values crashed
Component: TMOS
Symptoms:
When the -H, -V or -l options were passed to tmctl without a following value, then tmctl crashed.
Conditions:
Use one of these options without the required value.
Impact:
Core file. No other impact.
Workaround:
Be sure to pass the required value with these options.
719459-1 : Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled
Component: Application Security Manager
Symptoms:
Policy builder suggests adding already existing URLs (as HTTPS) learned from response.
Conditions:
-- Differentiate HTTP and HTTPS URLs is disabled.
-- Learn-from response is enabled.
-- Server responses contain HTTPS links for HTTP requests instead of using protocol-relative URLs.
Impact:
This is a cosmetic issue in that incorrect suggestions are created. There is no impact to functionality.
Workaround:
Add the incorrect suggestions to the 'ignore' list.
719247-1 : HTTP::path and HTTP::query iRule functions cannot be set to a blank string
Solution Article: K10845686
Component: Local Traffic Manager
Symptoms:
The HTTP::path and HTTP::query iRule functions generate an error if called with an argument that is a blank string, resulting in connection termination.
Conditions:
In an iRule where the argument is a blank string:
HTTP::path ""
HTTP::query ""
Impact:
Error encountered while executing iRule "HTTP::query $blank", and the connection is terminated with an error in the logs similar to the following:
-- err tmm[17219]: 01220001:3: TCL error: /Common/ir_1-4045405141_query <HTTP_REQUEST>
Workaround:
To set HTTP::query to blank, use the following function:
HTTP::uri [HTTP::path]
To set HTTP::path to blank, use the following function:
HTTP::uri [HTTP::query]
719186-1 : Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts
Component: Fraud Protection Services
Symptoms:
Multipart/form-data requests are not supported in FPS. FPS-protected pages which have the enhanced data-manipulation feature enabled, may generate a false-positive 'missing strong integrity parameter' alert for multipart/form-data requests.
Conditions:
-- FPS profile attached to a virtual server.
-- Multipart/form-data requests to a URL.
-- Enhanced data-manipulation feature enabled on a protected URL.
Impact:
False-positive 'missing strong integrity parameter' alert.
Workaround:
Use the ANTIFRAUD::disable_alert iRule command to drop the alert:
(set the static::drop_alert variable, probably matching URL name and checking that Content-Type header starts with 'multipart/form-data')
when ANTIFRAUD_ALERT {
if {$static::drop_alert eq 1 &&
[ANTIFRAUD::alert_type] eq "vtoken" &&
[ANTIFRAUD::alert_component] eq "no_strong_integrity_param" } {
ANTIFRAUD::disable_alert
set static::drop_alert 0
}
}
719107-1 : Message type is not displayed in CLI and incorrect message type is displayed in GUI for Subscriber Management diameter protocol profile message type CCA-T.
Component: Policy Enforcement Manager
Symptoms:
If versions earlier than v13.1.0 have Subscriber Management diameter protocol message type CCA-T, their message type is not displayed on the command-line interface (CLI) and is incorrectly displayed as CCR-I in the GUI when upgraded to later versions.
Conditions:
-- Upgrade to v13.1.0 or later.
-- Configuration has Subscriber Management diameter protocol message type CCA-T.
Impact:
incorrectly displayed as CCR-I in the GUI.
Note: This configuration has no effect.
Workaround:
Delete the Subscriber Management diameter protocol message that has no message-type when viewed from CLI.
719005-2 : Login request may arrive corrupted to the backend server after CAPTCHA mitigation
Component: Application Security Manager
Symptoms:
Login request arrives corrupted (specifically, some of the characters in the payload are changed).
Conditions:
-- A brute force CAPTCHA mitigation happens.
-- Specific traffic conditions.
Impact:
Login request fails.
Workaround:
None.
718867-1 : tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades★
Component: Local Traffic Manager
Symptoms:
The db variable 'tmm.umem_reap_aggrlevel' (to set the memory-usage level at which aggressive connection-reaping begins) does not persist across upgrades; on upgrade it will be reset to its default value (80%).
Conditions:
-- The db variable 'tmm.umem_reap_aggrlevel' is set to a custom value (specifically, not '80').
-- The BIG-IP system is upgraded.
Impact:
The value for 'tmm.umem_reap_aggrlevel' has reset to '80', its default value.
Workaround:
Reset the variable's custom value after upgrade.
718800-1 : Cannot set a password to the current value of its encrypted password
Component: TMOS
Symptoms:
Attempting to set a password to the current value of its encrypted password silently fails without changing the password. For example, running the following tmsh command sets the encrypted password to the value 'password':
modify auth user <username> encrypted-password password
Attempting to set the password to 'password' using the command does not report an error, but does not change the password (meaning that encrypted password remains 'password'):
modify auth user <username> password password
Conditions:
Changing a password to the value of encrypted-password.
Impact:
Difficult to recover from this situation because trying to simply change the password to the correct value doesnot work.
(It is likely this initially happened by accident: attempting to set 'password', but setting 'encrypted-password' instead.)
Workaround:
First, change the password to something else. Then, change it back to the correct value.
718790-2 : Traffic does not forward to fallback host when all pool members are marked down
Component: Local Traffic Manager
Symptoms:
Traffic does not get forwarded to fallback hosts.
Conditions:
All the pool members are marked administrative down.
Impact:
Traffic does not get forwarded.
Workaround:
Pick a monitor working properly for the pool.
718772-1 : The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists)
Component: Anomaly Detection Services
Symptoms:
The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists).
Conditions:
Attack with traffic with 'unknown' header, for example
'Upgrade-Insecure-Requests: 1'.
Impact:
In the GUI, when the signature with the predicate 'unknown_header' is edited, this predicate is empty (instead of exists / does not exist).
Workaround:
There is no workaround.
718405-3 : RSA signature PAYLOAD_AUTH mismatch with certificates
Component: TMOS
Symptoms:
IPsec IKEv2 negotiation with other vendors may fail to establish tunnels when certificate authentication is configured, using either RSA signature or DSS.
The value of PAYLOAD_AUTH does not match when the BIG-IP system compares it with what the remote peer sends. The same certificate works when the BIG-IP system is the initiator, but not when another vendor is the initiator.
Conditions:
Interoperating with other vendors under IKEv2 while using certificates.
Impact:
IKEv2 tunnels fail to establish, failing the second IKE_AUTH exchange in the protocol.
Workaround:
Use pre-shared key authentication.
718397-2 : IKEv2: racoon2 appends spurious trailing null byte to ID payloads
Component: TMOS
Symptoms:
IPsec clients implementing RFC5996 correctly cannot interoperate with the BIG-IP system when the peers-id-type is anything other than address, because racoon2 inside BIG-IP appends a null byte to any string-based ID type (for both peers_id and my_id). This makes the IKE_AUTH exchange fail, usually because the ID_I from the initiator cannot match the peers-id-value in config for that ike-peer, because there is a one-byte difference between the compared strings.
Conditions:
When any non-BIG-IP client initiates an IKE negotiation using any id-type that is not IPv4 or IPv6. In particular, fqdn and asn1dn for peers-id-type in local BIG-IP configurations.
Impact:
IKE negotiation fails during the second IKE_AUTH exchange of messages, preventing any tunnel from being established. Outage with a non-BIG-IP client is permanent until the config is changed to use peers-id-type=address.
Workaround:
Use peers-id-type=address to interoperate with non-BIG-IP clients for IPsec.
718291-1 : iHealth upload error doesn't clear
Component: TMOS
Symptoms:
If an error occurs that sets the iHealth error string, then this string is never cleared.
Conditions:
Setting an invalid hostname for db variable proxy.host.
Impact:
The system reports the following error string: curl: (56) Recv failure: Connection reset by peer. This error message is never cleared, despite running a successful upload. The bogus error message could result in unnecessary confusion after a successful upload.
Workaround:
To clear the error message, run the following command:
/usr/bin/guishell -c "update diags_ihealth_request set error_str='';"
718232-3 : Some FTP servers may cause false positive for ftp_security
Component: Application Security Manager
Symptoms:
A login might get rejected after a lower number of failed logins than is configured for 'Maximum Username Login Retries'. BIG-IP system posts the following error message: 530 Too many failed login attempts by the user.
Conditions:
-- The server sends unexpected ingresses that are rejected.
-- There is a value specified for 'Maximum Username Login Retries'.
Impact:
A legitimate user might be rejected and have to wait until the configured 'Re-enable login' time.
Workaround:
There is no workaround at this time.
718033-3 : REST calls fail after installing BIG-IP software or changing admin passwords
Component: Device Management
Symptoms:
After installing the latest BIG-IP software, or changing the BIG-IP admin passwords once or twice, REST calls might fail with the following error: 400 - Bad Request.
Conditions:
The conditions under which this occurs are not well understood. The issue occurs randomly, and is likely the result of a timing issue.
Impact:
REST calls or GUI operations fail to work. Get errors on screen.
Workaround:
Run the following command on the BIG-IP system:
$ bigstart restart restjavad
717896-3 : Monitor instances deleted in peer unit after sync
Component: Local Traffic Manager
Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.
During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.
Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.
Impact:
After incremental-sync, a single monitor instance exists for the node on a 'backup' unit in an HA configuration, rather than the several monitor instances that exist for that node on the 'active' unit; and that node session is 'enabled' (where the 'from-node' was 'disabled); and that node status may be 'up' (where the 'from-node' was 'user-down'), and later transition to 'down' from a monitor-fail.
Thus, after incremental-sync, the target-node may then be 'down', while the active unit in the HA configuration continues to function as expected.
Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.
717785-4 : Interface-cos shows no egress stats for CoS configurations
Component: TMOS
Symptoms:
No egress packet counts per CoS queue are reported on B21x0 and 5x00/7x00 platforms. The issue affects the egress packet statistics reporting per CoS queue only. The operation of the CoS feature is not affected and the egress packets statistics reporting per external interface is also not affected.
Conditions:
-- Valid 8 HW CoS feature configuration has been enabled and passing traffic.
-- BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.
-- Running the show net interface-cos command.
Impact:
Egress packet statistics reported per CoS queue shows no counts.
Workaround:
None.
717525-2 : Behavior for classification in manual learning mode
Component: Application Security Manager
Symptoms:
- Extractions are added to parameters in manual mode.
- In manual learning mode on 'fallback to default' URL classification is not ended properly (resulting in repetitive audit log attempts to end URL classification).
- In manual learning mode on 'fallback to default', parameter staging is set to true.
- The system writes errors to pabnagd.log.
Conditions:
- Manual learning mode.
- Classification is on for either parameters or URLs.
- Any option of 'Learn Dynamic Parameters' is turned on (even if checkbox is disabled).
Impact:
- URL content types are not enforced in manual mode.
- Parameters are getting staged automatically in manual mode.
- Parameters are classified as dynamic (value type).
- Extractions are added to dynamic parameters
Workaround:
- Update the URLs manually (any update will take them out of classification).
- Manually unstage parameters with 'fallback to default'.
- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').
717100-2 : FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
Component: Local Traffic Manager
Symptoms:
FQDN ephemeral pool members and corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.
The missing FQDN ephemeral pool members may be created an hour after initial operations.
Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.
Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members, and any virtual servers using that pool to fail to pass traffic.
Workaround:
The following steps, alone or in combination, may help avoid this issue:
1. Avoid rapid creation of multiple FQDN template pool members (such as by creating multiple in a single tmsh CLI transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.
Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.
In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).
716940-1 : Traffic Learning screen graphs shows data for the last day only
Component: Application Security Manager
Symptoms:
Traffic Learning screen graphs shows data for the last day only.
Conditions:
Visit Learning screen 1 hour after policy creation.
Impact:
Statistics shown are for the last day. No statistics for longer or for shorter periods of time.
Workaround:
There is no workaround.
716788-1 : TMM may crash while response modifications are being performed within DoSL7 filter
Component: Application Security Manager
Symptoms:
TMM might crash when a response is modified by the DoSL7 filter while injecting an HTML response from a backend server.
Conditions:
-- ASM provisioned.
-- DoS application profile is attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts, failover may occur.
Workaround:
There is no workaround other than to remove the DoS application profile from the virtual server.
716714-2 : OCSP should be configured to avoid TMM crash.
Component: Local Traffic Manager
Symptoms:
TMM generates a core if OCSP is not configured in the SSL profile.
Conditions:
OCSP not configured in the SSL profile.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than configuring OCSP in SSL profiles.
716391-1 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation
Component: TMOS
Symptoms:
vCMP guest with only 2 cores (or 2 cores per blade for multi-blade guests) may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.
Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores (or 2 cores per blade for multi-blade vCMP guests).
-- A module using MySQL is provisioned, MySQL, for example BIG-IP ASM and BIG-IP Analytics (AVR). These other modules also implicitly provision AVR: ASM, AFM, DOS, APM, PEM, and vCMP.
Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.
Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.
716324-1 : CSRF protection fails when the total size of the configured URL list is more than 2 KB
Component: Application Security Manager
Symptoms:
When the cross-site request forgery (CSRF) protection URL list is of a total size that is greater than 2 KB. As a result, CSRF injection fails.
Conditions:
- CSRF protection is enabled.
- The total length of the defined CSRF URL list is more than 2 KB.
- A protected URL is accessed.
Impact:
CSRF false-positive violation.
Workaround:
Use wildcards to minimize total CSRF URL size.
716318-1 : Engine/Signatures automatic update check may fail to find/download the latest update
Component: Fraud Protection Services
Symptoms:
Engine/Signatures automatic update check may fail to find/download the latest update if the timestamp of the factory update file is later than the timestamp of the update file in downloads.f5.com.
Note: This issue is relevant only for engineering hotfixes.
Conditions:
This occurs when the following conditions are met:
-- Engineering hotfix.
-- The factory update file timestamp is later than the timestamp of the update file in downloads.f5.com.
Impact:
Automatic update check will detect the wrong update file.
Workaround:
Manually check, and then download and install the update file from downloads.f5.com, if needed.
716213-5 : BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
Component: Local Traffic Manager
Symptoms:
When APM connects to Active Directory Federation Services (ADFS), a blank page is observed. The log file /var/log/ltm exhibits a TCP reset issued by the BIG-IP system. The TCP capture informs that the issue is due to an out-of-bounds error that occurs when traffic gets parsed by the SSL Persistence Parser (SSID).
Conditions:
-- SSL persistence (SSID) is enabled for a virtual host.
-- APM connects to ADFS.
Impact:
A blank page is observed due to the TCP reset.
Workaround:
No workaround is available.
715785-1 : Incorrect encryption error for monitors during sync or upgrade
Component: Local Traffic Manager
Symptoms:
The system logs an error message similar to the following in /var/log/ltm:
err mcpd[6823]: 01071768:3: Encryption of the field (password) for object (<monitor name>) failed.
This may cause a configuration sync to fail, or an upgrade to fail.
Conditions:
The exact conditions are unknown, however it may occur under these circumstances:
-- Performing a config sync operation.
-- Performing an upgrade.
Impact:
Inability to sync peer devices, or an inability to upgrade.
Workaround:
There is no workaround at this time.
715756-1 : Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only
Component: Local Traffic Manager
Symptoms:
When filesystems critical to TMOS functional operation are mounted read-only, clusterd on that blade should trigger a primary election if it was primary. Either way, the cluster should be informed of this critical error state.
Conditions:
A critical filesystem (e.g., '/', '/var', '/var/run', '/config', '/shared') has been mounted read-only.
Impact:
The blade with read-only filesystems and degraded functionality might stay primary and claim to be passing traffic.
Workaround:
There is no workaround other than to avoid mounting filesystems read-only on a BIG-IP system.
715379-2 : IKEv2 accepts asn1dn for peers-id only as file path of certificate file
Component: TMOS
Symptoms:
IKEv2 only has a very inconvenient way to specify ID for an ike-peer when using peers-id-type asn1dn. The string value of peers-id-value was understood only as a file path, and not as a representation of the asn1dn value itself. The file had to be a certificate, whose subject happened to be the ID of the remote peer as a distinguished name (DN), so this could be extracted as binary DER for asn1dn. This was both awkward and error prone, requiring what amounts to a copy of a peer's certificate before it is sent during negotiation.
Conditions:
-- Using certificate based authentication in IPsec IKEv2.
-- Configuring an ike-peer with peers-id-type as asn1dn.
Impact:
Very difficult to use asn1dn as the ID of a peer, impeding inter-operation with other vendors.
Workaround:
If you can install a local copy of the peer's certificate, with an asn1dn value inside matching what that peer will actually send in an IKE_AUTH exchange, IKEv2 can extract the asn1dn provided the value of peers-id-value is an absolute file system path to this local certificate copy.
715331-2 : IKEv2 logs peers_id comparisons and cert verfication failures
Component: TMOS
Symptoms:
Insufficient information is logged when a certificate fails verification, or when ID_I in an IKE_AUTH request does not match configuration for peers_id in the ike-peer description.
Conditions:
When IKE_AUTH fails due to either certificate verification failure or mismatch of ID_I and peers_id.
Impact:
Hard to diagnose proximate cause of IKE negotiation failure during IKE_AUTH exchange.
Workaround:
There is no workaround at this time.
715128-2 : Simple mode Signature edit does not escape semicolon
Component: Application Security Manager
Symptoms:
When creating a user-defined ASM Signature in Simple mode, semicolon followed by space cannot be used in a keyword.
Conditions:
-- Using a user-defined ASM Signature in Simple mode.
-- There is a semicolon followed by a space in a keyword.
Impact:
The signature cannot be created.
Workaround:
The signature can be created in Advanced Mode by escaping semicolon as "|3B|".
714986-4 : Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot
Component: TMOS
Symptoms:
On an iSeries platform, when the console baud rate is changed through TMSH, new terminal sessions revert back to the previous baud rate instead of adopting the new setting unless the unit is rebooted.
Conditions:
1. Modify the console baud rate in BIG-IP through TMSH on an iSeries platform (i2xxx, i4xxx, i5xxx, i7xxx, i10xxx, i15xxx), for example: tmsh modify sys console baud-rate 9600.
2. Exit from the login prompt in the current terminal session, or kill it and start a new session.
Impact:
The BIG-IP system reverts to the previous baud rate instead of the new setting. Inability to create any new serial console connections with the modified baud-rate without a reboot.
Workaround:
The problem can be mitigated by manually reprogramming the TTY device and restarting the agetty process and bash login sessions. This closes any existing console connections, but newly established connections will connect at the modified baud rate.
1. Use TMSH to modify the baud rate to the desired speed by running a command similar to the following:
tmsh modify sys console baud-rate 9600
2. Re-program the TTY device with the desired speed by running a command similar to the following:
stty -F /dev/ttyS0 9600
3. Kill the existing agetty process so it will re-start at the new baud rate by running the following command:
/usr/bin/killall -q agetty
4. Restart bash logins by running the following command:
/bin/kill -HUP `/bin/ps -A | /bin/grep ttyS0 | /bin/grep -v grep | /bin/grep bash | /bin/awk '{print $1}'` >/dev/null 2>&1
714974-1 : Platform-migrate of UCS containing QinQ fails on VE★
Component: TMOS
Symptoms:
If you are doing platform-migrate from a hardware device to a Virtual Edition (VE) guest, and the UCS that came from the hardware device has a QinQ VLAN configuration, then the upgrade will fail.
Conditions:
-- VLAN with a QinQ configuration exists on the hardware configuration.
-- UCS file is saved on the hardware device.
-- UCS is copied to a VE guest.
-- Attempt to load the configuration using the following command: load sys ucs <UCS filename> no-license platform-migrate.
Impact:
The UCS load will fail and generate an error:
01071bd8:3: The tag-mode for requested member <VLAN name> has to be 'none' on platforms that do not support QinQ. Unexpected Error: Loading configuration process failed.
Workaround:
None.
714903-3 : Errors in chmand
Component: TMOS
Symptoms:
VIPRION cluster does not form; only primary blade stays online. Chassis manager chmand generated a core file. System logs the following error in ltm log: err clusterd[11162]: 013a0004:3: Error adding cluster mgmt addr, HAL error 7.
Conditions:
-- Restoring UCS.
-- Chassis starting up.
-- System in stressed condition, where there is very little or no memory available.
Impact:
Cluster does not form.
Workaround:
None.
714795-1 : ospfd cores when configured with 'area 0 range 0.0.0.0/0'
Component: TMOS
Symptoms:
ospfd core. Loss of dynamic routing functionality.
Conditions:
- Enable dynamic routing with OSPFv2.
- Configure OSPF with the following value: area 0 range 0.0.0.0/0.
Impact:
Loss of dynamic routing functionality.
Workaround:
None.
714654-1 : Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
Component: TMOS
Symptoms:
While creating a static route, tmrouted disconnects with error: existing entry is not a dynamic.
Conditions:
Creating a static route for a network that already has an advertised dynamic route.
Impact:
TMM's connection to tmrouted goes down, which results in loss of the dynamic route for TMM.
Workaround:
There is no workaround other than not creating a static route for routes received through dynamic routing.
714559-4 : Removal of HTTP hash persistence cookie when a pool member goes down.
Component: Local Traffic Manager
Symptoms:
When HTTP cookie hash persistence is configured the cookie is removed when a pool member goes down. This is incorrect if pool members are using session replication.
Conditions:
- Cookie hash persistence is configured.
- A pool member that the persistence record points to goes down.
- Pool members are using session replication.
Impact:
Connected clients must establish a new session.
Workaround:
To configure HTTP cookie hash persistence, use an iRule similar to the following:
when CLIENT_ACCEPTED {
persist cookie hash JSESSIONID
}
714507-1 : [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server
Component: Global Traffic Manager (DNS)
Symptoms:
GTM pool member dependency cannot be listed correctly using the following command:
# tmsh list gtm pool
Conditions:
-- Virtual server dependency in GTM server.
-- Running the command: tmsh list gtm pool.
Impact:
1. Pool member dependencies are not listed.
2. Pool member dependency information is missing when saving config:
# tmsh save sys config gtm-only
Workaround:
List specific gtm pools instead by running a command similar to the following:
# tmsh list gtm pool a p1
714503-1 : When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl
Component: Local Traffic Manager
Symptoms:
When using the GUI to create a new iRulesLX rule with the extension .tcl as part of the rule name, the GUI will append another .tcl at the end of the file. This is problematic when attempting to view the iRule in the iRulesLX workspace (at Local Traffic :: iRules : LX Workspaces :: <workspace name>).
Conditions:
-- Creating a new iRulesLX iRule in the GUI.
-- Adding the extension .tcl.
Impact:
Cannot view or delete the iRule from the iRulesLX GUI.
Workaround:
Do not name rules with the .tcl extension. The system will do that for you.
714495-1 : When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"
Component: Local Traffic Manager
Symptoms:
When using TMSH to create a new iRulesLX rule with the extension '.tcl' as part of the rule name, TMSH will append another '.tcl' at the end of the file. This is problematic when attempting to view the iRule in the GUI (in the iRulesLX workspace at Local Traffic :: iRules : LX Workspaces :: <workspace name>).
Conditions:
Creating a new iRulesLX iRule in TMSH.
Impact:
Cannot view or delete the iRule from the iRulesLX GUI.
Workaround:
Do not name rules with the '.tcl' extension.
714372-1 : Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari
Component: Local Traffic Manager
Symptoms:
If the BIG-IP system has a web-acceleration which provides a number of caching and optimization options suitable for HTTP/1.1. It uses 'Connection: Keep-Alive' header on a server side, which results in appearance of 'Keep-Alive' header in a response. Such a HTTP header was adopted by the industry but not standardized. When a web-acceleration profile is configured and provides a response, Safari clients do not accept responses with a such header and reject those with a RST_STREAM message.
Conditions:
-- BIG-IP has a virtual server with HTTP/2 profile and a web-acceleration profile.
-- A pool member responds with 'Keep-Alive' header in the following format: Keep-Alive: timeout=<number>, max=<number>.
Impact:
A response to a request is rejected, which might cause incorrect rendering of HTTP page.
Workaround:
Use an iRule to remove the Keep-Alive header:
when HTTP_RESPONSE_RELEASE {
HTTP::header remove keep-alive
}
Alternatively use an LTM Policy where this header is removed from a server's response.
714334-2 : admd stops responding and generates a core while under stress.
Component: Anomaly Detection Services
Symptoms:
admd stops responding and generates a core while under stress.
Conditions:
-- The BIG-IP system is under stress.
-- CPU starvation is occurring.
Impact:
admd core and restart.
Note: The admd process provides stress-based DoS detection and mitigation control. When admd is not running, there is no stress-based anomaly detection or behavioral statistics aggregation.
Workaround:
None.
714216-1 : Folder in a partition may result in load sys config error
Component: TMOS
Symptoms:
If you run the command 'tmsh load sys config current_partition' in a partition that includes a folder, the command may return an error.
Conditions:
This occurs in the following scenario:
-- Create a partition.
-- Create a folder in that partition.
-- In the newly-created partition.
-- Save the configuration with the command 'save sys conf'.
-- In the same partition, run the following command to load the configuration: 'tmsh load sys config current_partition'.
Impact:
The load configuration process fails with an error that the folder does not exist.
Workaround:
There is no workaround at this time.
713820-2 : Pass in IP to urldb categorization engine
Component: Access Policy Manager
Symptoms:
Category lookup results might be less accurate. In some cases, the system returns 'uncategorized' when the reference (Forcepoint) returns a specific category.
Conditions:
Category Lookup agent is in per-request policy using the categorization engine to lookup up a website's classification.
Impact:
Actions leveraging categorization results will be applied incorrectly.
Workaround:
None.
713793 : Loading sys config using merge does not work for client SSL profiles with passphrase-protected key
Component: TMOS
Symptoms:
BIG-IP system posts an error similar to the following when merging configuration of a client SSL profile: 010717e7:3: Client SSL profile (/Common/test): cert-key-chain and profile cert, key or chain options cannot be specified together.
Conditions:
This occurs when the SSL key of the client SSL profile is passphrase-protected.
Impact:
Unable to merge configuration.
Workaround:
To work around this issue, remove the cert/key/chain/passprase outside of the cert-key-chain block before issuing the following command: load sys config from-terminal merge.
In particular, use the following text as the configuration:
root@(big4)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config from-terminal merge
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ltm profile client-ssl test {
app-service none
cert-key-chain {
test12345 {
cert test12345
key test12345
passphrase $M$SIwDQYJKoZIhvcNAQEBBQABOC==
}
}
inherit-certkeychain false
}
In this example, this is the text to replace::
root@(big4)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config from-terminal merge
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ltm profile client-ssl test {
app-service none
cert test12345
cert-key-chain {
test12345 {
cert test12345
key test12345
passphrase $M$EAAaOBsTCBrjAzBggrBgEFBQc==
}
}
chain none
inherit-certkeychain false
key test12345
passphrase $M$S/4S5uRf8leryRGv5MX9DAAvK==
}
Loading configuration...
010717e7:3: Client SSL profile (/Common/test): cert-key-chain and profile cert, key or chain options cannot be specified together.
Unexpected Error: Loading configuration process failed.
713708-6 : Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI
Component: TMOS
Symptoms:
On the BIG-IP GUI, under System :: Software Management :: Update Check, after pressing 'Check now', the 'Available Update' shows a long string 'OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install' instead of the EPSEC version, e.g.: epsec-1.0.0-679.0.
Conditions:
-- Under System :: Software Management :: Update Check.
-- Press 'Check now'.
Impact:
Cannot determine what version is available by viewing 'Available Update'. Although this is how all the other updates work, it can result in a confusing BIG-IP user experience.
Workaround:
To have the browser show the link's destination address, view the browser's status fields while hovering the cursor over the following link text: OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install.
713655-1 : RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
Component: Access Policy Manager
Symptoms:
If per-session access policy requests route domain selection during policy evaluation, the agent might hang and fail to retrieve route domain information. APMD might restart and produce a core file.
Conditions:
-- Policy sync operation.
-- System receives a query for route domain information.
-- There is a heavy load of control plane traffic to process.
Impact:
Poor performance and/or APMD restarts with a core file, causing brief disruption of the authentication service.
Workaround:
None.
713585-2 : When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long
Solution Article: K31544054
Component: Local Traffic Manager
Symptoms:
Config load could be very long and CPU usage very high.
Conditions:
There are many iRule and they are installed on many virtual servers.
Impact:
BIG-IP system performance could be degraded during the load and may cause system lock up.
Workaround:
Run "tmsh modify sys db rule.validation value syntax", this causes iRule validation to check iRule syntax only; the semantic checks will not be performed.
713519-1 : Enabling MCP Audit logging does not produce log entry for audit logging change
Component: TMOS
Symptoms:
When you enable MCP audit logging, the action of changing the audit logging entry is not logged. All actions after the configuration change are logged.
Conditions:
This occurs when enabling MCP audit logging.
Impact:
The audit logging change itself is not logged in the audit logs.
Workaround:
None.
713282-2 : Remote logger violation_details field does not appear when virtual server has more than one remote logger
Component: Application Security Manager
Symptoms:
Remote logger violation_details field appears empty.
Conditions:
-- More than one remote logger is attached to the virtual server.
-- A violation occurs.
-- Viewing the associated log.
Impact:
Violation_details field appears empty in logs.
Workaround:
There is no workaround at this time.
713138-3 : TMUI ILX Editor inserts an unnecessary linefeed
Component: TMOS
Symptoms:
If you use the TMUI edit for ILX, the system will append a linefeed character every time you save. This is not usually apparent, but if you edit the file, then delete your changes, and then save it, it will still register as changed.
A message indicates the need to refresh the workspace, and the actual content of the file will change, but not the functionality.
Conditions:
Edit a workspace file in ILX via the TMUI editor (i.e., the GUI).
Impact:
File contents can change unexpectedly and have needless characters at the end.
Workaround:
Use TMSH or a different editor, that is not TMUI, to change those files.
713134-1 : Small tmctl memory leak when viewing stats for snapshot files
Component: TMOS
Symptoms:
When viewing statistics for snapshot files, tmctl leaks a small amount of memory and displays the message:
tmctl: BUG: tmstat_dealloc invoked on a handle with rows outstanding; release all rows before calling tmstat_dealloc at <address>
Conditions:
Using tmctl to view statistics of snapshot files, for example:
tmctl -D /shared/tmstat/snapshots memory_usage_stat -s time,name,allocated,max_allocated name=access
Impact:
Errors written to output when running tmctl. The leak itself is very small and is only for tmctl (i.e., it does not have a cumulative, detrimental effect on the system that a TMM or MCP leak might).
Workaround:
None.
712489-1 : TMM crashes with message 'bad transition'
Component: Local Traffic Manager
Symptoms:
TMM crashes under a set of conditions in which the system detects an internal inconsistency. The system posts an error similar to the following in the LTM and TMM logs:
crit tmm[18755]: 01010289:2: Oops @ 0x2285e10:5157: bad transition
Conditions:
Conditions that cause this to happen are not predictable, but these might make it more likely:
-- FastL4 virtual server and HTTP are configured
-- db variable tmm.oops set to 'panic'.
-- Client sends three GET requests at once, and then closes the connection after a few seconds.
-- The server sends a partial 'Connection: close' response.
Impact:
TMM crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
712362-4 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
Component: Application Security Manager
Symptoms:
When the WebSocket HTTP handshake response comes without 'Switching Protocols' reason phrase at the first line, the ASM does not follow up WebSocket frames on the WebSocket's connection.
The system posts the following messages in /ts/log/bd.log:
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0269|101 Switching Protocols HTTP status arrived, but the websocket hanshake failed.
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0270|Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.
Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- WebSocket backend server sends 101 response without the 'Switching Protocols' phrase.
Impact:
WebSocket frames stalls.
Workaround:
#1 Change the backend server:
Change WebSocket backend server to return 101 response to include the 'Switching Protocols' reason phrase:
HTTP/1.1 101 Switching Protocols
#2 Use an irRule:
when SERVER_CONNECTED {
TCP::collect 15
}
when SERVER_DATA {
if { [TCP::payload 15] contains "HTTP/1.1 101 \r\n" } {
TCP::payload replace 0 12 "HTTP/1.1 101 Switching Protocols"
}
}
712335-2 : GTMD may intermittently crash under unusual conditions.
Component: Global Traffic Manager (DNS)
Symptoms:
GTMD may intermittently crash when an unexpected error occurs while creating a statistics row for a resource added to the configuration.
Conditions:
When a pool member is added to the system and there is an unexpected failure to create the associated statistics row.
Impact:
GTMD restarts.
Workaround:
There is no workaround at this time.
712102-1 : customizing or changing the HTTP Profile's IPv6 field hides the field or the row
Solution Article: K11430165
Component: TMOS
Symptoms:
Customizing or changing the HTTP Profile's IPv6 field hides the field or the row.
Conditions:
Customizing or changing the HTTP Profile's IPv6 field.
Impact:
The HTTP Profile's IPv6 field cannot be customized or changed.
Workaround:
Use tmsh to set the HTTP Profile's IPv6 field.
712033-3 : When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name
Component: TMOS
Symptoms:
When you make a REST request to association list in /stats you get a duplicate name in the selfLink after members in both the entries and the selfLink, e.g.:
# restcurl -X GET -u admin /tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats
{
"kind": "tm:ltm:pool:members:membersstats",
"generation": 3,
"selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats?ver\u003d14.0.0",
"entries": {
"https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/~Common~node1:8105/stats": {
Conditions:
When making a REST request to an object in /stats that is an association list.
Impact:
The selfLink has a duplicate name. SelfLinks for associations do not work.
Workaround:
None.
711981-6 : BIG-IP system accepts larger-than-egress MTU, PMTU update
Component: Local Traffic Manager
Symptoms:
A Path MTU (PMTU) message can lead to the BIG-IP system to falsely assume an egress MTU on the related flow to be larger than the interface egress MTU.
Conditions:
A valid PMTU message.
Impact:
BIG-IP sends larger-than-configured interface egress MTU messages.
Workaround:
None.
711818-4 : Connection might get reset when coming to virtual server with offload iRule
Component: Application Security Manager
Symptoms:
When IN_DOSL7_ATTACK event is triggered, and iRule has an async command in it, events might be released out of order, causing connection RST.
Conditions:
1. Have DoS profile with iRule turned on.
2. iRule is async (such as wait, DNS resolving, etc.).
3. Send POST request.
Impact:
Connection receives a RST.
Workaround:
There is no workaround at this time.
711683-1 : bcm56xxd crash with empty trunk in QinQ VLAN
Component: TMOS
Symptoms:
When an empty trunk (no members) is configured 'tagged' in a QinQ VLAN, bcm56xxd will continuously crash.
Conditions:
Trunk with no members, configured as 'tagged' in a QinQ VLAN.
Impact:
bcm56xxd continuously crashes.
Workaround:
Use either of the following workarounds:
-- Add members to the trunk.
-- Remove the trunk from the QinQ VLAN.
711405-2 : ASM GUI Fails to Display Policy List After Upgrade
Solution Article: K14770331
Component: Application Security Manager
Symptoms:
After upgrade to version 13.1.0 or later, ASM GUI fails to display the Policy List.
Conditions:
Using an 11.5.0 to 11.5.4-HF1 version that is affected by the issue of policies with duplicate REST IDs that occurred after restoring from policy history or using Policy Diff to compare policies.
Impact:
ASM GUI starting using the REST API from version 13.1.0, so any systems that have been affected by this issue on a previous version now cause the GUI to fail to display the Policy List.
Workaround:
On the device run the following script:
---------------------------------
perl -MF5::DbUtils -MF5::Utils::Rest -MF5::ASMConfig::Entity::Policy -e '$dbh = F5::DbUtils::get_dbh();
$dbh->begin_work();
$dbh->do("UPDATE PLC.PL_POLICIES a SET a.rest_uuid = \"\" WHERE a.rest_uuid IN ( SELECT rest_uuid FROM (SELECT rest_uuid FROM PLC.PL_POLICIES GROUP BY rest_uuid having count(*) > 1) b)");
F5::Utils::Rest::populate_uuids(dbh => $dbh);
$dbh->commit();'
---------------------------------
Note: In a management environment, this change must be pushed to the peer as a full sync. The easiest way to do so is to ensure that the ASM sync device group is in manual sync mode, and to push the config to the peers from the device where the script was run.
710930-2 : Enabling BigDB key bigd.tmm may cause SSL monitors to fail
Component: Local Traffic Manager
Symptoms:
When bigd.tmm is enabled, SSL monitors may begin to fail.
Conditions:
-- The in-tmm monitoring feature is enabled via the bigd.tmm db variable (it is disabled by default)
-- The cipher string of the attached SSL profile uses keywords that are invalid with TMM.
Impact:
The cipher string will no longer be valid when bigd.tmm is enabled and the keywords will need to be modified or removed. SSL monitors begin to fail after modifying bigd.tmm.
Workaround:
Modify or remove incompatible keywords from the ciphers string; the in-tmm monitoring feature only allows ciphers that are allowed by SSL profiles.
710884-2 : Portal Access might omit some valid cookies when rewriting HTTP request.
Component: Access Policy Manager
Symptoms:
Portal Access is not sending certain cookies to the backend application.
Conditions:
-- Request path and cookie path are equal.
-- The last character of request path is not a forward slash (/).
Impact:
Backend application does not receive some cookies and may decide that APM end users are not authenticated, when they are.
Workaround:
There is no workaround at this time.
710809-3 : Restjavad hangs and causes GUI page timeouts
Component: Device Management
Symptoms:
Restjavad stops responding, causing GUI page timeouts.
Conditions:
The conditions behind this issue are not known.
Impact:
restjavad is active, but all endpoints are nonresponsive.
Workaround:
Restart restjavad
710666-2 : VE with interface(s) marked down may report high cpu usage
Component: TMOS
Symptoms:
The "tmm" process may appear to be running at 90% or above in linux cpu reporting utilities such as "top" or "ps", even if the system is not handling a large amount of traffic.
In this case, "tmsh show sys tmm-info" continues to report tmm's cpu usage accurately.
Conditions:
- BIG-IP Virtual Edition
- One or more interfaces configured and used in the BIG-IP configuration is marked down
Impact:
tmm consumes cpu cycles even when idle. This may impact other guests running on the same hardware if the hypervisor has oversubscribed its cpu resources.
Workaround:
Disable any interface that is currently marked down.
For example:
tmsh modify net interface 1.1 disabled
and then restart tmm:
bigstart restart tmm
710277-4 : IKEv2 further child_sa validity checks
Component: TMOS
Symptoms:
A tmm restart can occur when a child_sa is rekeyed at expiration time, provided a race condition occurs.
Conditions:
Encountering the issue in which rekeying a child_sa might core when race conditions allowed that child_sa to be destroyed while in use.
Impact:
Restart of tmm and outage of IPsec tunnels until renegotiated.
Workaround:
None.
710044-4 : Portal Access: same-origin AJAX request may fail in some case.
Component: Access Policy Manager
Symptoms:
If base URL for current HTML page contains default port number, same-origin AJAX request from this page may fail via Portal Access.
Conditions:
- HTML page with explicit default port in base URL, for example:
<base href='https://some.com:443/path/'>
- Same-origin AJAX request from this page, for example:
var xhr = new XMLHttpRequest;
xhr.open('GET', 'some.file');
Impact:
Web application may not work correctly.
Workaround:
It is possible to use iRule to remove default port number from encoded back-end host definition in Portal Access requests, for example:
when RULE_INIT {
# hex-encoded string for 'https://some.com'
set ::encoded_backend {68747470733a2f2f736f6d652e636f6d}
# '3a343433' is hex-encoded form for ':443'
set ::pattern "/f5-w-${encoded_backend}3a343433\$"
set ::remove_end [ expr { [ string length $::pattern ] - 2 } ]
set ::remove_start [ expr {$::remove_end - 7} ]
}
when HTTP_REQUEST {
if { [HTTP::path] starts_with "$::pattern" } {
set path [ string replace [HTTP::path] $::remove_start $::remove_end "" ]
HTTP::path "$path"
}
}
710028-1 : LTM SQL monitors may stop monitoring if multiple monitors querying same database
Component: Local Traffic Manager
Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.
When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:
[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'
then multiple, periodic instances of the following message, referencing the same connection string:
Abandoning hung SQL query: '<query string>' for: '<connection string>'
or:
<connection string>(<thread-number>): Hung SQL query; abandoning
Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.
And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.
Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.
Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.
To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.
709963-1 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
Component: Local Traffic Manager
Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.
Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.
Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.
Workaround:
Insure the number of trunk interfaces is a power of 2: 2, 4, or 8.
709837-1 : Cookie persistence profile may be configured with invalid parameter combination.
Component: Local Traffic Manager
Symptoms:
Configuring Cookie persistence profile via TMSH or iControl REST allows invalid parameter combinations.
Conditions:
Cookie persistence profile is configured via TMSH or iControl REST. TMUI is not affected.
Impact:
Invalid parameters for any method type of a Cookie persistence profile are ignored by TMM, no functional impact.
Workaround:
Use only the allowed parameters of each method type when Cookie persistence is configured via TMSH or iControl REST.
709670-4 : iRule triggered from RADIUS occasionally fails to create subscribers.
Component: Policy Enforcement Manager
Symptoms:
The subscriber can not be added with the same IP address after retries. This is a rarely occurring issue: if the daily average of subscriber additions is ~30000 subscribers, 5 to 6 subscribers face this problem (0.02%).
Conditions:
Running iRule to create PEM sessions from RADIUS packets using the 'PEM::subscriber create' command.
Impact:
Intermittently (a few operations per day), the command silently fails. No session is created, and no TCL error is produced. Subscriber addition requires manual intervention.
Workaround:
Trigger a RADIUS START using a different IP address for the subscriber.
709559-1 : LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name
Component: TMOS
Symptoms:
Loading configuration fails on upgrade
Conditions:
Must have a profile named "/Common/ssh" and must be upgrading to v12.1.2
Impact:
The system won't be functional
Workaround:
Delete or rename "/Common/ssh"
709444-1 : "NTP not configured on device" warning seen when NTP symmetric key authentication is configured
Component: TMOS
Symptoms:
When NTP symmetric key authentication is configured, as per https://support.f5.com/csp/article/K14120, and the BIG-IP is part of a device service cluster, then a warning similar to this will be seen periodically in /var/log/ltm:
warning mcpd[6317]: 01071af0:4: NTP not configured on device 1.2.3.4 - within a trust
Conditions:
- NTP symmetric key authentication must be configured.
- The BIG-IP must be part of a device service cluster.
- Non-authenticated NTP servers must not be in-use.
Impact:
Incorrect NTP warnings are seen periodically in /var/log/ltm.
Workaround:
There is no workaround at this time.
709383-1 : DIAMETER::persist reset non-functional
Component: Service Provider
Symptoms:
When the iRule DIAMETER::persist reset is called, it is meant to remove existing persistence records from diadb. Without this bug fix, calling DIAMETER::persist reset has no effect and the persistence record remains.
Conditions:
Diameter session profile has persistence enabled and an iRule attempts to remove a persistence record.
Impact:
You are unable to remove diameter persistence entries.
Workaround:
none
708968-1 : OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
Component: TMOS
Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not created in TMM when passed from Dynamic Routing protocols like OSPFv3.
Conditions:
- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.
Impact:
- Route entry is not created in TMM, packets addressed to such a destination might not be delivered at all or might not be delivered using the most efficient route.
- Connection between TMM and tmrouted is restarted that is a small performance overhead.
Workaround:
- If possible IPv4 address or IPv4-compatible IPv6 address should be passed instead of IPv4-mapped IPv6 address, however this depends on other routers.
708956-3 : During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
Solution Article: K51206433
Component: TMOS
Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
Dataplane INOPERABLE - only 1 HSBes found on this platform.
Conditions:
This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.
Impact:
System does not come up.
Workaround:
Reboot system.
Because this condition only happens occasionally, rebooting typically corrects the issue.
708415-3 : Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled
Component: TMOS
Symptoms:
When setting the flow control value of an interface with a copper SFP to any value other than 'none' and the link partner has flow control disabled on their end, the interface stats will not reflect the configured flow control setting. This is because the interface stats reflect the negotiated link state rather than the advertised capabilities.
Conditions:
BIG-IP device is using copper SFPs.
-- Flow control is enabled on an interface.
-- That interface is connected to another device where flow control has not been enabled.
For example, an administrator might perform the following on a BIG-IP system with a copper SFP on interface 1.1:
# modify net interface 1.1 flow-control tx-rx
# show net interface 1.1 all-properties
Under the 'Flow Ctrl' column of the interface properties, the value will indicate 'none' even though the interface was configured to enable transmit and receive flow control. This is because the column does not indicate the advertised capabilities but rather the negotiated property of the link.
Impact:
There is no functional impact, as flow control cannot be performed until both link partners agree to support it.
Workaround:
Flow control must be enabled on the remote device and the link must be re-negotiated, in order for the flow control configuration to take effect and be reflected in the interface properties of the link.
708068-1 : Tcl commands like "HTTP::path -normalize" do not return normalized path.
Component: Local Traffic Manager
Symptoms:
When using HTTP::path with the -normalized parameter:
"%2E%2E" is converted to ".." (expected)
"/foo/../bar" is converted to "/bar" (expected)
"/foo/%2E%2E/bar" is converted to "/foo/../bar" (unexpected)
Conditions:
The TCL command HTTP::path -normalize does not return normalized path as expected.
Impact:
Unexpected result.
Workaround:
There is no workaround.
708063 : In older RAID BIG-IP systems, storage provisioning is not possible when a drive is missing.
Component: TMOS
Symptoms:
Any task requiring modification of application storage volumes does not succeed. This includes re-provisioning, which occurs automatically during software upgrades.
Conditions:
-- When a drive is not present in a drive bay on the following platforms:
+ BIG-IP 6900
+ BIG-IP 8900
+ BIG-IP 10000
+ BIG-IP 11050
-- An application that requires storage volumes is provisioned, such as ASM.
Impact:
Tasks requiring modification of application storage volumes such as software upgrades or re-provisioning fails.
Workaround:
Check RAID status before software upgrades or re-provisioning. Address any degraded RAID issues, such as a missing drive, before upgrades and/or re-provisioning.
707953-3 : Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page
Component: Access Policy Manager
Symptoms:
APM and APM Lite licenses are not distinguishable from the Provisioning UI: they both show as Licensed but APM lite only includes licenses for 10 sessions.
Conditions:
Viewing APM and APM Lite licenses in the GUI.
Impact:
Cannot distinguish the difference in types of licenses.
Workaround:
Check license file and verify what type of apm license is enabled: mod_apm (Full APM) or mod_apml (APM Lite).
707740-5 : Failure deleting GTM Monitors when used on mulitple Virtual Servers with the same ip:port combination
Component: TMOS
Symptoms:
User would get "monitor is in use" when attempting to delete a GTM Monitor, even after removing that monitor from all GTM Virtual Servers
Conditions:
Attach a gtm monitor to multiple gtm virtual servers in the same transaction, where both of the virtual servers are monitoring the same ip:port
Impact:
User will not be able to ever delete the un-used gtm monitor
Workaround:
Remove monitor from VSs
Reload GTM configuration with tmsh load sys config gtm-only
Delete monitor
707691-5 : BIG-IP handles some pathmtu messages incorrectly
Component: Local Traffic Manager
Symptoms:
FastL4 virtual servers incorrectly handle some pathmtu messages, such as ICMPv4 unreachable/fragmentation needed and ICMPv6 packet too big.
Conditions:
This occurs when the following conditions are true:
-- The client sends a window scaling factor greater than 0 (zero).
-- The server sends a window scaling factor equal to 0 (zero).
-- The pmtu message is within the window, but does not reflect the exact expected sequence number. The delta is bigger than the advertised window scaled at a factor of 0 (zero).
Impact:
pmtu message is erroneously ignored.
Workaround:
There is no workaround at this time.
707631-3 : The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI
Component: TMOS
Symptoms:
The 'SYN Challenge Handling' setting of a TCP profile can be reverted to defaults when a TCP profile is updated using the BIG-IP management GUI.
Conditions:
The SYN Challenge Handling settings of a TCP profile have previously been set to non-default values, and a configuration change is later made to the same TCP profile using the GUI.
Impact:
Loss of TCP profile syn challenge configuration settings
Workaround:
In the GUI, specifically set the SYN Challenge Handling fields after making an update to other TCP profile fields, or use tmsh to make the changes instead
SYN Challenge
GUI Setting: Nominal
TMSH:
syn-cookie-enable enabled
syn-cookie-whitelist disabled
GUI Setting: Challenge and Remember
TMSH:
syn-cookie-enable enabled
syn-cookie-whitelist enabled
GUI Setting: Disable Challenges:
syn-cookie-enable disabled
syn-cookie-whitelist disabled
707445-4 : Nitrox 3 compression hangs/unable to recover
Component: TMOS
Symptoms:
LTM logs show the following message:
Nitrox 3, Hang Detected: compression device was reset
When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.
Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.
Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.
Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.
Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.
There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:
A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).
Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.
707207-3 : iRuleLx returning undefined value may cause TMM restart
Component: Local Traffic Manager
Symptoms:
When an iRulesLX rule returns an undefined value, TMM may restart. An example of an undefined value is one where
its jsonrpc v2.0 representation is missing required fields, such as "result".
Conditions:
iRulesLX is licensed, and a rule is run that returns an undefined value.
Impact:
Traffic is interrupted.
Workaround:
There is no workaround at this time.
707054-2 : SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162
Component: Advanced Firewall Manager
Symptoms:
User cannot configure SYN Cookie MSS values for Fast L4 Profiles outside of 256-9162.
Conditions:
Under syncookie activated condition, SYN Cookie MSS value is set to < 256.
Impact:
Under syncookie activated condition, server side MSS lower than SYN Cookie MSS lower limit cannot be honored on client side. As a result, server side MSS discards data segment if larger than SYN Cookie MSS lower limit.
707013-2 : vCMP host secondary member's cluster.conf file may replaced by that of vCMP guest
Component: TMOS
Symptoms:
- clusterd restarts on secondary blade
- /var/log/ltm: "Management IP (<guest_management-ip>) already in use by (vcmp guest <guest_name>)"
Conditions:
1. blade power off/on using bladectl command allows to reproduce ~80% of the time
2. not sure if this is specific to platform:
- was able to reproduce easily on (B2100 - A109),
- issue reproduced multiple times in cusomter environment on (B2150 - A113)
- not able to reproduce with the same steps and version on 4800 (PB300) viprion
Impact:
- Secondary slot on viprion hypervisor is in "INOPERATIVE" state
Workaround:
On the VMCP Host, copy the file /shared/db/cluster.conf from the primary to all secondary cluster members.
For a four slot chassis, issue this command from the primary:
$ for i in 1 2 3 4; scp /shared/db/cluster.conf slot$i:shared/db/cluster.conf ; done
Clusterd should then recover from the restart loop on secondary blades.
706804-2 : SNMP trap destination configuration of network option is missing "default" keyword
Component: TMOS
Symptoms:
When SNMP trap destinations are configured, the user can specify the network that the traps are transmitted out from. By default, the routing table is consulted. Use the network keyword to overwrite this with either "management" or "other". There is also a "default" keyword, which was removed since it was confusing. However, this broke backward compatibility of the REST API; so, it was put back.
Conditions:
Including the "network default" keywords in trap configuration reports an error with version 13.0.0 where the "default" keyword was removed.
Impact:
Existing scripts may encounter errors if they used this keyword.
Workaround:
Don't use the "default" keyword with the snmp trap destination network configuration.
706797-2 : Portal Access: some multibyte characters in JavaScript code may not be handled correctly
Component: Access Policy Manager
Symptoms:
If JavaScript code contains multi-byte character which contains 0x0A in the last byte after conversion to UTF-32 form, then this character is handled as NEW LINE by Portal Access server-side JavaScript parser. If NEW LINE is not valid in this place, JavaScript code cannot be parsed.
Conditions:
JavaScript code with multi-byte character which contains 0x0A in the last byte after conversion to UTF-32 form, for example:
//上 aa bb
(上) gives (4E 0A) in UTF32 form. So this line is processed as the following TWO lines:
//
aa bb
The second line is not a valid JavaScript code.
Impact:
Web application may not work correctly.
Workaround:
There is no workaround at this time.
706505-3 : iRule table lookup command may crash tmm when used in FLOW_INIT
Component: Local Traffic Manager
Symptoms:
iRule table lookup command may crash tmm when used in FLOW_INIT.
Conditions:
iRule table lookup command is used in FLOW_INIT.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use table lookup in the events after the flow is constructed.
706374-5 : Heavy use of APM Kerberos SSO can sometimes lead to memory corruption
Component: Access Policy Manager
Symptoms:
Kerberos SSO under high load can sometimes lead to system instability.
Conditions:
APM users using Kerberos SSO to access backend resources.
Impact:
This might result in unpredictable behavior such as memory corruption or core. However, the occurrence is rare since it only impacts concurrent DNS SRV requests to resolve different KDCs.
Workaround:
There is no workaround.
706184 : Disabling l7dos using LTM policy, and original DoS on the virtual server has no features enabled, connection hangs
Component: Application Security Manager
Symptoms:
Using an LTM policy rule to disable l7dos when the DoS profile on the virtual server contains an application profile with no feature enabled, causes the transaction to hang instead of forwarding the request to server.
Conditions:
-- LTM policy with 'disable l7dos' rule.
-- DoS profile on a virtual server contains an application profile without any features enabled.
Impact:
The connection hangs. Requests are not forwarded to server.
Workaround:
Enable any DoS application feature in the DoS profile attached to the virtual server (e.g., bot signatures, proactive bot defense, TPS-based DoS Detection, etc.).
The profile can be disabled by default using the LTM rules.
706102-1 : SMTP monitor does not handle all multi-line banner use cases
Component: Local Traffic Manager
Symptoms:
An SMTP monitor does not handle all multi-line banner use cases, such as when the banner is physically split across two packets. This issue is due to attempting to parse the banner value from the first packet without a portion of the banner value that may arrive in a second packet.
Conditions:
An SMTP monitor is configured; and uses a multi-line banner; and the SMTP monitor banner is split across two physical packets.
Impact:
The SMTP monitor sends an RST after the first packet, and marks the resource down.
Workaround:
Use an SMTP monitor with a single-line banner. Or, rather than using an SMTP monitor, instead use a TCP monitor with send/recv strings.
705651-2 : Async transaction may ignore polling requests
Component: TMOS
Symptoms:
Querying for the status of an asynchronous transaction by making a GET request may cause the query to block. The transaction will complete, even though the query may return an error status (400) to indicate that the GET request timed out.
Conditions:
A typical asynchronous transaction that returns a 202 status to indicate that you successfully created a transaction.
Impact:
The query returns an error.
Workaround:
To avoid having the query request block, refrain from querying the transaction for status.
705442 : GUI Network Map objects search on Virtual Server IP Address and Port does not work
Component: TMOS
Symptoms:
Searching for a Virtual Server using the IP Address and Port of the Virtual Server does not work.
Conditions:
Create a Virtual Server with name vs1 and address.
Impact:
Users are unable to search using an IP Address to filter Virtual Server results.
Workaround:
There is no workaround at this time.
705037-1 : System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
Component: TMOS
Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.
Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.
Impact:
-- Unreliable or confusing statistics via SNMP polling.
-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.
Workaround:
None.
704681 : Kernel panic with mcpd or system shutdown
Component: TMOS
Symptoms:
Kernel panic possible when mcpd shutdown occurs. The mcpd shutdown may be explicit (bigstart stop), or as a side-effect of system shutdown.
Conditions:
Conditions are rare, and requires encountering a small timing window.
-- vCMP on bare-metal systems. .
-- Multiple admin domains defined.
-- At least two admin domains have a default route interface called 'tmm'.
-- The problem occurs when route-domains are cleaned up (via mcpd exit) and the kernel sees two interfaces with the same name (tmm) being moved back to the system default route domain.
Impact:
The system crashes when running the following command: bigstart stop. Otherwise, there is a kernel panic when the system shuts down.
Workaround:
None.
704643-2 : Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule
Component: Application Security Manager
Symptoms:
When adding or modifying a user-defined Attack Signature in Simple Edit Mode, backslashes preceding a forward slash are mistakenly doubled in regular expression keywords within the Signature.
Conditions:
-- Add or modify a user-defined Attack Signature with a regular expression keyword containing an escaped forward slash in Simple Edit Mode.
Impact:
The backslash escaping the forward slash is doubled, which changes the enforced signature rule.
Workaround:
Create or modify the Signature rule using Advanced Edit Mode.
704587-3 : Authentication with UTF-8 chars in password fails
Component: Access Policy Manager
Symptoms:
APM end users cannot login to the server. The log contains a message similar to the following: iRule err 'bad IP address format'.
Conditions:
-- APM end users who have UTF-8 characters in their password.
Impact:
Service is unavailable.
This occurs because the IP address is not coerced into a string. The Tcl marshaling routine used by the iRule function HTTP::header insert (and others) coerces the header name/value arguments into the bytearray type. Bytearrays receive special treatment when coerced into IP address objects; it is expected that the binary IP address is present in the byte array, not a string representation. Thus when presented with a string coerced to bytearray, the coercion fails and the error noted in the logs is produced. Changes in the Tcl marshaling introduced an issue in which bytearrays are left while other types are coerced to strings (in this context, strings are the norm).
Workaround:
Put a Variable Assign agent after Logon Page with following assignment:
(check the secure checkbox)
session.logon.last.password = set pass [mcget -secure session.logon.last.password]; binary scan $pass c* chars; set newpass ""; foreach {ch} $chars { append newpass [format %c [expr $ch & 0xFF]] }; return $newpass
704555-1 : Core occurs if DIAMETER::persist reset is called if no persistence key is set.
Component: Service Provider
Symptoms:
tmm crashes and restarts.
Conditions:
The system is configured to use a custom persistence key, but no persistence key has been set and DIAMETER::persist reset command is used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid using DIAMETER::persist reset if a persistence key has not been set.
704524-5 : [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries
Component: Access Policy Manager
Symptoms:
Kerberos DNS SRV requests do not contain EDNS headers. Without this header, DNS server truncates the UDP responses if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in unnecessary round trips in order to resolve DNS SRV queries.
Conditions:
APM users using Kerberos SSO to access backend resources.
Impact:
Increased latency of HTTP request processing. If the number of APM users is large, then this issue is magnified.
Workaround:
There is no workaround at this time.
704450-4 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
Component: Local Traffic Manager
Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').
Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.
Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.
Workaround:
Reduce the load on the system.
704449-1 : Orphaned tmsh processes might eventually lead to an out-of-memory condition
Component: TMOS
Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.
An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:
/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh
If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.
Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.
Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.
Workaround:
There are several workarounds for this issue:
-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Halt orphaned tmsh processes.
704336-5 : Updating 3rd party device cert not copied correctly to trusted certificate store
Component: TMOS
Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.
Conditions:
Updating Device certificate which also includes multiple intermediate and root certificates.
Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.
Workaround:
Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.
703984-8 : Machine Cert agent improperly matches hostname with CN and SAN
Component: Access Policy Manager
Symptoms:
MacOS Machine certificate agent matches the configured hostname with the actual hostname upon a beginning partial string match.
Conditions:
MacOS APM client using Machine Certificate Check agent.
Impact:
Hostname match may be incorrect in these cases.
Workaround:
There is no workaround at this time.
703509-3 : Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled
Component: TMOS
Symptoms:
Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled.
...notice tmsh[32418]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
...notice tmsh[32418]: 01420003:5: The current session has been terminated.
...err tmsh[32417]: 01420006:3: Project-Id-Version: f5_tmsh 9.7.0 POT-Creation-Date: 2008-05-13 16:18-0700 PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE Last-Translator: F5 Networks <support@f5.com> Language-Team: LANGUAGE <en@li.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit
...err tmsh[32415]: 01420006:3: UCS saving process failed.
Conditions:
The default admin account is disabled, using an alternate user that has the administrator role.
Impact:
User is unable to save the configuration.
Workaround:
A user with the administrator role can save the config.
The root user can save the config.
703266-1 : Potential MCP memory leak in LTM policy compile code
Component: Local Traffic Manager
Symptoms:
Failure in processing LTM policy may result in MCP memory leak
Conditions:
When Centralized Policy Management (CPM) fails to process LTM policy
Impact:
MCP memory leak
Workaround:
There is no workaround at this time.
703165-3 : shared memory leakage
Component: Advanced Firewall Manager
Symptoms:
Processes that require shared memory to operate are failing (e.g. pabnagd).
Conditions:
Many shmem segments allocated and used by tmm.
Impact:
Potential failures in any process that requires shared memory segments, causing lack of services such as learning (bd+pabnagd), request logging (pabnagd+asm-config), etc.
Workaround:
There is no workaround at this time.
703090-3 : With many iApps configured, scriptd may fail to start
Component: TMOS
Symptoms:
If many iApp instances are installed, scriptd may have issues starting up, including the log message:
"script has exceeded its time to live, terminating the script"
Conditions:
This occurs when many iApp instances exist. F5's internal testing has been able to show that it occurs with 70 instances.
Impact:
The error message will show up, and some instances of the script will not run.
Workaround:
Restarting scriptd will resolve the issue.
702450-2 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect
Component: Local Traffic Manager
Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:
# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.
The referenced object is not a "policy action" in this case, but is a virtual server.
Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.
Impact:
Possible confusion at the error message.
Workaround:
There is no workaround at this time.
702439-4 : Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
Solution Article: K04964898
Component: Local Traffic Manager
Symptoms:
If the HTTP/2 configuration header_table_size is changed from the default value of 4096, then streams will be reset with a RST_STREAM error.
Conditions:
The header_table_size field in the HTTP/2 profile is changed from the default.
Impact:
HTTP/2 connections will be unusable.
Workaround:
Set the header table size argument back to its default.
701977-6 : Non-URL encoded links to CSS files are not stripped from the response during concatenation
Component: WebAccelerator
Symptoms:
Non-URL encoded links to CSS files are not stripped from the response during concatenation.
Conditions:
White space in the URLs.
Impact:
As above.
Workaround:
No workaround at this time.
701800-1 : SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x
Component: Access Policy Manager
Symptoms:
Mac RDP client 10.x shows credentials prompt when SSO-enabled native RDP resource is launched from the APM Webtop. If the user enters credentials manually, the RDP client will display an error message.
Conditions:
-- Mac RDP client is of version 10.x (e.g., 10.1.6).
-- Native RDP resource is assigned to the webtop.
-- SSO is enabled on the RDP Resource.
Impact:
RDP resource cannot be launched.
Workaround:
Add the following to 'Custom Parameters' of SSO-enabled RDP resources:
full address:s:%{session.server.network.name}
promptcredentialonce:i:1
701341-3 : If /config/BigDB.dat is empty, mcpd continuously restarts
Solution Article: K52941103
Component: TMOS
Symptoms:
If another issue causes /config/BigDB.dat to be empty, mcpd will fail to start up.
Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.
Impact:
The system will fail to start up, and mcpd will continually restart.
Workaround:
Remove this empty file. (If BigDB.dat is nonexistent, the issue will not occur.)
701232-3 : Two-way iQuery connections fail to get established between GTM devices with the same address on different networks connected through address translation
Component: Global Traffic Manager (DNS)
Symptoms:
Two GTM devices that have the same local IP address are not able to establish an iQuery connection, even when a translated address is configured.
Conditions:
This condition may occur if two GTM servers have the same self IP address on separate networks that are attempting to use address translation to establish a connection.
Impact:
When one or more GTM devices attempt to establish an iQuery connection to another device, it actually establishes a connection with itself instead of the other device.
Workaround:
To resolve the issue,
1. Configure the devices to have different self IP addresses.
2. Change the addresses and translated addresses of the corresponding GTM servers to match the new configuration using the following example command:
tmsh modify gtm server <server_name> addresses ...
701025-3 : BD restart on a device where 'provision.tmmcountactual' is set to a non-default value
Component: Application Security Manager
Symptoms:
BD restarts with this error:
Plugin configuration load timeout. Exiting.
Conditions:
The db variable 'provision.tmmcountactual' is set to a number lower than the actual CPU count.
Impact:
BD restarts continuously.
Workaround:
You can use any of these workarounds:
-- In the GUI, set 'RWThreads' under Security :: Options : Application Security : Advanced Configuration : System Variables.
-- Use the 'add_del_internal' utility:
----------------------
# /usr/share/ts/bin/add_del_internal
USAGE:
/usr/share/ts/bin/add_del_internal add <param_name> <param_value> [--default <default_value>]
/usr/share/ts/bin/add_del_internal update <param_name> <param_value> [--default <default_value>]
/usr/share/ts/bin/add_del_internal delete <param_name>
----------------------
-- Set the bd internal parameter num_rw_threads to the amount of plugin channels that TMM expects.
-- Revert 'provision.tmmcountactual' sys db to the default value.
700827-3 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.
Component: TMOS
Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command: tmsh show sys tmm-traffic
Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.
For example, some servers always use randomly selected even source port numbers. This means the 'stride' of the ports selected is '2'. Because a sorted list of the ports yields a list like 2, 4, 6, 8… 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.
Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.
Workaround:
Randomize source ports when connecting via a BIG-IP system.
700696-4 : SSID does not cache fragmented Client Certificates correctly via iRule
Component: Local Traffic Manager
Symptoms:
The last few bytes of a very large-sized Client Certificate (typically greater than 16,384 bytes) are not cached correctly if the certificate is received fragmented by the SSL Session ID (SSID) parser.
Conditions:
-- Client Authentication is enabled.
-- A very large Client Certificate is supplied (typically greater than 16,384 bytes).
-- SSL Session ID Persistence is enabled.
-- The iRule CLIENTSSL_CLIENTCERT is enabled.
Impact:
The client certificate is not stored on the BIG-IP device correctly. The last few bytes are missing.
Workaround:
Disable the CLIENTSSL_CLIENTCERT iRule when SSL Session ID (SSID) persistence is in use. Even though the Client Certificate does not get cached, that is preferable to caching an incorrect client certificate.
699733-1 : DNS NOTIFY not sent to mgmt IP under Zone Transfer Clients list after DNS Express zone update
Component: Global Traffic Manager (DNS)
Symptoms:
When a DNS Express zone gets some zone entries updated, the BIG-IP system does not send DNS NOTIFY to nameserver with IP addresses from the mgmt subnet listed under Zone Transfer Clients.
Conditions:
* nameserver has IP address from mgmt subnet.
* nameserver id listed under Zone Transfer Clients of DNS Express zone.
* DNS Express zone gets entries updated.
Impact:
BIG-IP system does not send NOTIFY request to the nameserver.
Workaround:
There is no workaround at this time.
698836-1 : Increased APM session capacity is not available after installing an APM session count License
Component: Access Policy Manager
Symptoms:
Unable to use extra capacity after installing an APM add-on license with a larger session count.
Conditions:
This occurs when the add-on License generated lacks the mod_apm license, meaning that no full APM license was previously installed, only the APM Light license (which constrains connections to a 10-session maximum).
To determine whether this condition exists, check the bigip.license file, or execute the following command: tmsh show sys license details. If only mod_apml is present and session counts are higher than 10, then the system is in the condition that triggers the problem.
Impact:
Unable to use extra session capability; can use only the 10-session maximum provided by the APM Light license.
Workaround:
Contact your F5 sales representative to get the correct APM add-on license with mod_apm, as well as the additional session count capability.
698619-3 : Disable port bridging on HSB ports for non-vCMP systems
Component: TMOS
Symptoms:
Internal packets flooded on internal switch interfaces by the HSB can be bridged back to the HSB on BIG-IP 5000/7000 and VIPRION B2100 blades configured to enable port bridging by the switch.
Conditions:
-- Packets being flooded from the HSB to VLAN members when adding/deleting VLANs.
-- Non-vCMP systems.
-- Virtual server configured for Direct Server Return (DSR or nPath Routing).
Impact:
This triggers a FDB flush and can result in packet flooding back to the HSB and potential network saturation.
Workaround:
None.
698432-1 : Invalid error messages: warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Component: TMOS
Symptoms:
Loading a UCS in a vCMP guest which was taken from a different guest or a hardware device can produce the following error messages:
warning mcpd[5953]: 012a0004:4: halStorageRead: unable to read storage on this platform.
warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
This is a cosmetic issue that occurs when the encrypted master key on a VCMP guest cannot be decrypted with the unit key of that system. This most often occurs when a UCS taken on a different guest is loaded.
Conditions:
Taking a UCS from one vCMP guest or hardware device and loading it onto a different vCMP guest.
Note: F5 does not support this configuration.
Impact:
Although there is no adverse effect on the system, error messages will be logged.
Workaround:
None.
698211-4 : DNS express response to non-existent record is NOERROR instead of NXDOMAIN.
Solution Article: K35504512
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS express response to a non-existent record is NOERROR instead of NXDOMAIN.
Conditions:
Delete a wildcard resource record to the related DNS express zone.
Impact:
DNS returns the incorrect response.
Workaround:
Delete the old db files: /var/db/tmmdns.bin and /var/db/zxfrd.bin, and then restart zxfrd.
696731-4 : The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
Solution Article: K94062594
Component: TMOS
Symptoms:
The standard LinkUp/LinkDown traps are issued when a port's status changes; that is, the link goes up or down. Additionally, the network manager can administratively enable and disable ports. For some platforms, there is no reliably issued standard LinkUp/LinkDown trap when a port is administratively enabled/disabled.
Conditions:
Administrative disabling an interface on BIG-IP
Impact:
May issue only the F5 Link change trap and not the additional standard MIB trap. The standard LinkUp/LinkDown traps may not be issued.
Workaround:
Use the F5-proprietary MIB: 1.3.6.1.4.1.3375.2.4.0.37 F5-BIG-IP-COMMON-MIB::BIG-IPExternalLinkChange trap to track administrative changes to links.
693901-5 : Active FTP data connection may change source port on client-side
Component: Local Traffic Manager
Symptoms:
The active FTP data connection on the client-side may use source port other than what was configured in the 'Data Port' parameter of the FTP profile.
Conditions:
FTP profile is attached to a virtual server and the 'Data Port' parameter is either left as default (20) or defined as a specific value.
Impact:
Active FTP data connection may be blocked by firewalls that expect a pre-defined source port.
Workaround:
None.
689491-2 : cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled
Component: TMOS
Symptoms:
CPU usage stats are incorrect and system looks idle when it's actually busy
Conditions:
vcmp guests with 1-core or htsplit disabled
Impact:
CPU stats are incorrect and it might make it difficult to trouble shoot problems.
689361-5 : Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)
Component: Local Traffic Manager
Symptoms:
It is possible for an overwrite-configsync to change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device.
Conditions:
Two pool members are monitored; and one references a node not responding to ICMP requests; and a gateway_icmp monitor is on both nodes; and an overwrite-configsync is initiated from a paired device, where the node does respond to ICMP requests from that paired device.
Impact:
The overwrite-configsync causes the 'unchecked' monitor to transition to 'up', when it should remain 'unchecked' for the device to which the node does not respond to ICMP requests.
Workaround:
Ensure network configuration such that a monitored node responds to ICMP requests from both (or neither) of each paired-device. Alternatively, initiate configuration changes only from the device to which the node will not respond to ICMP requests.
688553-4 : SASP GWM monitor may not mark member UP as expected
Component: Local Traffic Manager
Symptoms:
Pool members monitored by the SASP monitor may be incorrectly marked DOWN when they should be marked UP.
Conditions:
This may occur on affected BIG-IP versions when using the SASP monitor targeting a Load Balancing Advisor GWM (Global Workload Manager).
This is more likely to occur if pool members monitored by the SASP monitor are also monitored by an additional monitor which has marked the members DOWN, or if one or more pool members monitored by the SASP monitor have been manually marked down (state user-down via tmsh, or Disabled in the GUI).
This is not expected to occur with non-affected BIG-IP versions or when using the SASP monitor targeting a Lifeline GWM (Global Workload Manager).
Impact:
Traffic handled by pool members monitored by the SASP monitor may be disrupted.
Workaround:
Removing the SASP monitor from the pool or pool member configuration then re-adding the SASP monitor may reset the pool member status to the correct state.
688335-6 : big3d may restart in a loop on secondary blades of a chassis system
Solution Article: K00502202
Component: Global Traffic Manager (DNS)
Symptoms:
After big3d_install is run against a target system, and this target system is a multi-blade chassis, the big3d utility may begin restarting in a loop on all secondary blades of the target system. The primary blade is not affected, where big3d continues to run stable.
Conditions:
The following conditions are required to encounter this issue:
-- The big3d_install utility is used against a target system.
-- The target system is a multi-blade chassis.
-- The big3d_install utility picks the iQuery installation method (and not the SSH one).
-- The big3d_install utility incorrectly determines that the local version of the big3d utility should be copied to the remote system.
Impact:
big3d does not typically do anything on secondary blades, so this issue should have no immediate material impact.
However, should the cluster elect a new primary blade, and should big3d still be restarting on that blade, this could cause iQuery communication failures between that system and remote BIG-IP systems.
Workaround:
To stop secondary blades from restarting, manually restart big3d on the primary blade using the following command:
bigstart restart big3d
To prevent this issue from happening, you can run the big3d_install by specifying that the SSH installation method be used using the following command:
big3d_install -use_ssh <target IP>
688266-6 : big3d and big3d_install use different logics to determine which version of big3d is newer
Component: Global Traffic Manager (DNS)
Symptoms:
The big3d_install utility includes logic to determine whether the local system should copy its version of the big3d daemon to the remote system specified by the user.
This logic is incorrect and may result in the local copy of the big3d daemon being unnecessarily copied to the remote system or not copied when actually necessary.
Conditions:
A user runs the big3d_install utility.
Impact:
If the local big3d daemon was unnecessarily copied over to the remote system, there is no tangible impact (other than the fact big3d restarts on the remote system, which is expected). Eventually, the remote system restores and uses its version of the big3d daemon.
If the local big3d daemon was not copied over when it should have been, then the remote system may continue to run an older version of the big3d daemon, which may impede iQuery communication.
Workaround:
If the local big3d daemon was unnecessarily copied over to the remote system, you do not need to perform any remedial action. The remote system will automatically resolve this situation by restoring the intended (i.e., newer) big3d version.
If the local big3d daemon was not copied over when it should have been, you can invoke the big3d_install utility using the -f argument, which forces an install of the big3d daemon regardless of the local and remote versions.
688005-1 : The maximum-connection count doubles pva traffic counts for virtuals
Component: Local Traffic Manager
Symptoms:
The counters maintaining virtual server statistics double count packets processed by the pva hardware. This makes maximum connection counts for pva unreliable.
Conditions:
Connections utilizing PVA incorrectly report PVA counts.
Impact:
Fast L4 virtuals may report unreliable maximum connection counts.
687759 : bd crash
Component: Application Security Manager
Symptoms:
A bd crash.
Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, a form-data parsing is applied on a non-form-data payload (such as XML or JSON).
Impact:
bd crashes; system fails over; traffic disturbance occurs.
Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache
686059-3 : FDB entries for existing VLANs may be flushed when creating a new VLAN.
Component: Local Traffic Manager
Symptoms:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN.
Conditions:
- Creating a new VLAN with existing VLANs using trunk members. - STP is enabled on its trunk member.
Impact:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN. This will result in potential network saturation.
Workaround:
To avoid the FDB flushing on trunk member interfaces of existing, unrelated VLANs, ensure that STP is disabled on its trunk member.
685582-8 : Incorrect output of b64 unit key hash by command f5mku -f
Component: TMOS
Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.
Conditions:
Viewing output of 'f5mku -f' command.
Impact:
Inconsistent output of the b64 unit key.
Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:
f5mku -vf
For example:
# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...
684096-3 : stats self-link might include the oid twice
Component: TMOS
Symptoms:
The object ID might be erroneously embedded in the self-link twice.
Conditions:
query for stats such as https://<host>/mgmt/tm/ltm/pool/p1/stats
Impact:
incorrect self-link returned
Workaround:
be mindful when parsing the self-link
683135-3 : Hardware syncookies number for virtual server stats is unrealistically high
Component: TMOS
Symptoms:
In rare situations "tmsh show ltm virtual" shows unrealistically high hardware syncookie numbers.
Conditions:
Virtual server with hardware syncookie protection enabled.
Impact:
Stats issue. No impact to traffic.
679687-2 : LTM Policy applied to large number of virtual servers causes mcpd restart
Component: Local Traffic Manager
Symptoms:
When a large policy (on the order of several dozen rules), is applied to a large number of virtual servers (on the order of hundreds), the mcpd process compiles the policy to an optimized, intermediate form for each virtual server. The compilation occurs in the mcpd process, and because it becomes so busy/non-responsive, a watchdog process intervenes and restarts the mcpd process.
Conditions:
-- Relatively large policy (~30 or more rules) applied to large number of virtual servers (~100 or more).
-- Creating a draft of the policy that is currently applied to those virtual servers, when a similarly attached policy is published.
Impact:
The mcpd process becomes unresponsive and is reset by a watchdog process.
Workaround:
Two possible workarounds:
-- Make copies of the policy and apply a different copy of policy to different subsets of virtual servers.
-- Implement the policy using iRules.
679316-6 : iQuery connections reset during SSL renegotiation
Component: Global Traffic Manager (DNS)
Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Conditions:
This occurs when a system tries to send data over the iQuery connection while the two endpoints are performing SSL renegotiation.
Note: iQuery connections automatically perform SSL renegotiation every 24 hours.
Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.
Note: This is a subtly different issue from the one (with a very similar error, 140940F5 vs 140940E5) described in Bug ID 477240: iQuery connection resets every 24 hours :: https://cdn.f5.com/product/bugtracker/ID477240.html (K16185: BIG-IP GTM iQuery connections may be reset during SSL key renegotiation :: https://support.f5.com/csp/article/K16185).
This issue occurs even in versions where ID477240 is fixed. There is no fix for this specific trigger of the same message.
Workaround:
There is no workaround at this time.
677709 : pkcs11d daemon can generate a very large number of log messages
Component: Local Traffic Manager
Symptoms:
If communication between a BIG-IP instance and the Hardware Security Module (HSM) is interrupted, during its attempts to re-establish a connection, the TMOS pkcs11d daemon will log many error messages in the /var/log/ltm log file (or in daemon.log for earlier versions).
Messages appear similar to the following:
-- err pkcs11d[21325]: 01680002:3: Session initialization error.
-- err pkcs11d[21325]: 01680032:3: netHSM: PKCS11d stopped. Verify password, and restart PKCS11d.
-- err pkcs11d[21325]: 01680029:3: netHSM: Failed login: password[incorrect]. Error[160].
Conditions:
-- Configurations employing an external HSM.
-- communication between the BIG-IP instance and the HSM is interrupted
Impact:
A sufficiently large amount of log-message handling may consume processor time and I/O resources, to the detriment of other processing.
Workaround:
None.
674591-4 : Packets with payload smaller than MSS are being marked to be TSOed
Component: Local Traffic Manager
Symptoms:
Packets with length less than the specified MSS are sent as TSO packets, and the Broadcom NIC drops those to degrade performance.
Conditions:
When TM.TcpSegmentationOffload is enabled, Packets with length less than MSS are sent as TSO packets.
Impact:
TCP Packets are dropped.
Workaround:
Disable TSO option by setting the following SYS DB variable to disable: TM.TcpSegmentationOffload.
673357-2 : SWG puts flow in intercept mode when session is not found
Component: Access Policy Manager
Symptoms:
In SWG, flows that should be getting bypassed are placed in intercept mode.
Conditions:
This occurs when the per-request policy receives an https request and a session is not established.
Impact:
In some cases, the client sees certificate warning.
Workaround:
If the access policy is "start->allow"; following iRule can be used for workaround:
when CLIENT_ACCEPTED {
if { [ACCESS::session exists] } {
log local0. "Found Access Session"
log local0. [ACCESS::session exists]
} else {
set sid [ACCESS::session create -lifetime 300 -timeout 300 -flow]
log local0. "No Access Session found, creating $sid"
ACCESS::session data set session.ui.mode "0"
ACCESS::session data set session.policy.result "allow"
}
}
673018-1 : Parsed text violates expected format error encountered while upgrading or loading UCS★
Component: TMOS
Symptoms:
During a configuration roll-forward on an upgrade, the UCS load fails and reports the following error:
Parsed text violates expected format.
Conditions:
This can occur under the following conditions:
-- When loading a configuration that contains iFiles.
-- During an upgrade process, when the source-path for an iFile contain a URL with a space or other invalid URL character in it, for example: http://myfiles.com/get this file.txt.
Impact:
Configuration fails to load, and the system reports the following error: Parsed text violates expected format.
Workaround:
You can use either of the following workarounds:
-- Modify the URL to the iFile to remove any spaces, and then reload the configuration.
-- Use the HTTP specification for specifying spaces (and other characters) in URLs. For example, represent a space using the string %20 in the URL: http://myfiles.com/get%20this%20file.txt.
672410 : High CPU load when HTTP/2 gateway is configured with source-persistence.
Solution Article: K58551820
Component: Local Traffic Manager
Symptoms:
High CPU load when HTTP/2 gateway is configured with source-persistence.
Conditions:
-- HTTP/2 gateway is configured on the virtual server.
-- Source-persistence is turned on.
Impact:
High CPU load may lead to performance degradation.
Workaround:
Setting 'match-across-services' might help improve performance.
672312-4 : IP ToS may not be forwarded to serverside with syncookie activated
Component: Local Traffic Manager
Symptoms:
IP ToS field may not be preserved on forwarding in a FastL4 virtual server when syncookie is activated.
Conditions:
-- FastL4 ip-forwarding virtual server.
-- ToS in passthrough mode.
-- Syncookie is activated in hardware mode.
-- On a hardware platform with ePVA.
Impact:
IP ToS header is not forwarded to the serverside.
Workaround:
None.
669645-4 : tmm crashes after LSN pool member change
Component: Carrier-Grade NAT
Symptoms:
Changing LSN pool members while processing traffic may cause tmm to crash.
Conditions:
-- Changing, using, or removing an LSN pool.
-- Traffic is being processed.
Impact:
When tmm crashes, traffic processing will stop until tmm restarts. Note that this can occur, even if the change was on a high-availability peer unit and config-sync has taken place.
Workaround:
Recommend to change LSN pool members during a maintainence window with low traffic or ideally to use an HA pair with a standby unit for implementing configuration changes on live traffic.
668041-3 : Config load fails when an iRule comment ends with backslash in a config where there is also a policy.★
Solution Article: K27535157
Component: TMOS
Symptoms:
Config load fails when an iRule contains a commented line that ends with an escape character (backslash), and the config also contains an LTM policy. Depending on the iRule, you might also see the following error: Syntax Error:(/config/bigip.conf at line: 42078) double quotes are not balanced.
Conditions:
-- iRule contains commented line that ends with a backslash.
-- The config also contains a policy.
For example, an iRule similar to the first example, and a policy similar to the second:
ltm rule /Common/log_info {
when HTTP_RESPONSE {
#log local0. "Original Location header value: [HTTP::header value Location],\
updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
}
}
...
ltm policy /Common/Test_Policy {
controls { forwarding }
requires { http tcp }
rules {
TestPol_Rule1 {
actions {
0 {
forward
select
node 10.2.10.20
}
}
conditions {
0 {
tcp
address
matches
values { 10.1.10.20 }
}
}
}
}
strategy /Common/first-match
}
Impact:
Config load fails.
Workaround:
You can use any of the following workarounds:
-- Delete the line of code with the comment.
-- Put the entire comment on one line of code.
-- Divide lengthy comments into a series of smaller ones, so that each comment fits within one line of code.
-- Move the iRule so that it is sequentially before the LTM policy in the config file.
667618-5 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
Component: TMOS
Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection will continue to be unsupported until the machine exit hardware SYN cookies.
Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.
Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.
Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options will not be taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.
Note that if no good traffic hits the virtual server, syncookies will also fail to deactivate, but will do so once both good traffic has been seen, and the attack has ended.
Workaround:
There is no workaround at this time.
666378-2 : A virtual server's connections per second (precision.last_value) is confusingly named.
Component: Local Traffic Manager
Symptoms:
A virtual server's current connections-per-second statistic has a confusing name. The statistic is maintained when rate limiting is configured for a virtual server. The statistic is updated when the virtual hits a rate-limiting condition, and it stays at the last value it held when the limit was hit.
Conditions:
If the rate limit is never configured then the value is 0. If the rate limit is configured and is hit, then the value is the active count when the limit was hit. The value stays at that count until the limit is hit again.
Impact:
There is no functional impact, but the statistic's meaning is confusing.
Workaround:
The MIB description should clarify the meaning of this statistic.
664618-2 : Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'
Component: Local Traffic Manager
Symptoms:
When using Protocol Security profiles for HTTP, the HTTP Protocol Checks 'Alarm' vs. 'Block' setting will not be honored for the 'Check maximum number of headers' check. If an HTTP response contains more than the configured maximum number of headers, the connection will be reset.
Client traffic with more than the maximum allowed headers will be allowed through to the server, and an alert will be generated, as expected. The server response will also have too many headers, but the connection will be reset.
Conditions:
-- PSM HTTP Protocol Checks configured in 'Alarm' mode ('Block' disabled).
-- The maximum number of headers is exceeded for server responses.
Impact:
Connections are reset, when only alerting is expected.
Workaround:
None.
663946-5 : VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
Component: Advanced Firewall Manager
Symptoms:
When DNS is under load greater than the AFM-configured rate limit, certain IPv4 packets are categorized as IPv6 atomic fragments and may be dropped due to rate limits.
Conditions:
-- AFM enabled.
-- DNS load greater than AFM-configured rate limit for IPv6 atomic fragments (default 10 KB).
Impact:
May result in lower than expected DNS load test results.
Workaround:
Use either of the following workarounds:
-- Disable AFM.
-- Increase detection limit for IPv6 atomic fragments under AFM.
Note: For AFM HW DoS protection, the host and vCMP guest must be the same version, disable hardware DoS checking on the vCMP guest to prevent this issue. To do so, set sys db dos.forceswdos to 'true'.
663874-1 : Off-box HSL logging does not work with PEM in SPAN mode.
Solution Article: K77173309
Component: Policy Enforcement Manager
Symptoms:
While on-box HSL logging works, off-box HSL logging does not work with PEM in SPAN mode.
Conditions:
-- PEM in SPAN mode.
-- Off-box HSL logging is configured.
Impact:
Cannot use off-box HSL logging with PEM in SPAN mode; must use on-box HSL logging instead.
Workaround:
There is no workaround at this time.
662725 : tmsh kernel default log levels does not match documentation
Component: TMOS
Symptoms:
Actual tmsh default was 'notice', but changed to 'debug'
so that kern.log files in qkviews are complete.
This was done so that diagnosing issues, support
has all the information in terms of kernel output.
This documentation discrepancy is a non-functional
change that should have been done in 11.5.0 when
the actual default value was changed.
Conditions:
None.
Impact:
None.
Workaround:
None.
660759-2 : Cookie hash persistence sends alerts to application server.
Component: Fraud Protection Services
Symptoms:
When Persistence cookie insert is enabled with a non-default cookie name, the cookie might be overwritten after an alert is handled.
Conditions:
-- Persistence profile in their virtual server.
-- Profile relies on cookie hash persistence.
-- Non-default Cookie name used for cookie persistence.
(Default cookie naming strategy appends Pool Name, which results in two cookies set with different names and different values, leaving the application pool persistence cookie unmodified.)
Impact:
Sends alerts to application server. Traffic might be sent to wrong pool member.
Workaround:
Use an iRule similar to the following to remove persistence cookie in case of alerts:
ltm rule /Common/cookie_persist_exclude_alerts {
when HTTP_REQUEST {
#enable the usual persistence cookie profile.
if { [HTTP::path] eq "/<alert-path>/" } {
persist none
}
}
}
660654 : The APM 'epsec refresh' CLI command works incorrectly if install package is deleted
Component: Access Policy Manager
Symptoms:
If the install EPSEC package is deleted before running the 'epsec refresh' command, the existing EPSEC version is refreshed instead of the new version.
Conditions:
-- Upload and install EPSEC package with a later version than is on the system.
-- Delete the install package.
-- Run the command: epsec refresh.
Impact:
System package will be installed (essentially, a rollback to the previous version).
Workaround:
Leave the install package on the system until after you run the epsec refresh command.
653573-5 : ADMd not cleaning up child rsync processes
Component: Anomaly Detection Services
Symptoms:
ADMd daemon on device is spinning up rsync processes and not cleaning them up properly, causing tons of this zombie processes
Conditions:
If rsync process ends via exit (in the case of some trouble)
Impact:
No technical impact, but there are many zombie processes
Workaround:
Restart admd (bigstart restart admd) to remove all existing rsync zombies.
652793 : "Signature Update Available" message is not cleared by UCS load/sync
Component: Application Security Manager
Symptoms:
If the most recent Signature Update was loaded by device group sync or UCS load, the "Signature Update Available" message is never cleared out.
Conditions:
ASM provisioned and "Signature Update Available" was indicated prior to loading the most recent Signature Update by device group sync or UCS load.
Impact:
The "Signature Update Available" message is never cleared out.
Workaround:
Restart ASM, or kill asmcrond ("pkill -f asmcrond").
648917-2 : Need to re-provision vCMP after upgrading to 13.1.x or later on the BIG-IP 10350F platform★
Component: TMOS
Symptoms:
With vCMP provisioned, upgrading to 13.1.x or later release will not enable IOMMU support after the upgrade.
Conditions:
-- Upgrading to 13.1.x or later.
-- vCMP already provisioned.
-- Running on the BIG-IP 10350F platform.
Impact:
Guests configured with FIPS functionality will fail to start until IOMMU is enabled.
Workaround:
You can use either of the following workarounds:
-- Re-provision vCMP after the upgrade to enable IOMMU support.
1. Modify the value of the DB variable kernel.iommu to 'enable'.
2. Restart the BIG-IP system.
648242-3 : Administrator users unable to access all partition via TMSH for AVR reports
Solution Article: K73521040
Component: Application Visibility and Reporting
Symptoms:
Using the TMSH for AVR reports can fail if it contains partition based entities, even with an administrator user (which should have permissions to all partitions).
Conditions:
Using the TMSH for querying partitioned based stats with an administrator user.
Impact:
AVR reports via TMSH will fail when using partition based entities.
Workaround:
None.
641450-6 : A transaction that deletes and recreates a virtual may result in an invalid configuration
Solution Article: K30053855
Component: TMOS
Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.
Config load error:
01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.
Configuration-change-time error in /var/log/ltm:
err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>
Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).
Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.
Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
1. Delete virtual server.
2. Create virtual server (with an empty profile list).
3. Modify the virtual server's profile list.
639619-6 : UCS may fail to load due to Master key decryption failure on EEPROM-less systems★
Component: TMOS
Symptoms:
The following error:
'Symmetric Unit Key decrypt failure - decrypt failure'
is logged to /var/log/ltm when attempting to load a UCS.
Configuration fails then to load due to a secure attribute decryption failure.
Conditions:
1. UCS contains secure attributes.
2. UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS.
4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)
Impact:
The configuration fails to load.
Workaround:
Perform the following procedure:
1. Stop the system:
# bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS
4. Remove the mcp db to forcibly reload the keys:
# rm -f /var/db/mcpd.bin
# rm -f /var/db/mcpd.info
5. Restart the system and reload the configuration:
# bigstart start
# tmsh load sys config
or
# reboot
621260-3 : mcpd core on iControl REST reference to non-existing pool
Component: TMOS
Symptoms:
MCPd cores when attempting to create a pool and a monitor reference by using a REST call such as:
curl -u admin:admin -H "Content-Type: application/json" -X POST http://localhost:8100/tm/ltm/pool -d'{"name":"test_pool","monitor":" "}'
Conditions:
The monitor reference in the REST call must be comprised of a single space character.
Impact:
MCPd restarts, causing many of the system daemons to restart as well.
Workaround:
Don't use spaces in the monitor reference name.
620053-3 : Gratuitous ARPs may be transmitted by active unit being forced offline
Component: Local Traffic Manager
Symptoms:
When cluster's active is forced offline, the non-primary blades may send gratuitous ARPs.
Conditions:
Cluster's active blade is forced offline.
Impact:
Potential impact to traffic if the gratuitous ARPs of the blade which goes offline is received before the unit taking over as primary, or if gratuitous ARPs are rate-limited on upstream or downstream devices.
Workaround:
Failover the cluster before forcing offline or configuring MAC masquerading.
615222-6 : GTM configuration fails to load when it has GSLB pool with members containing more than one colon character★
Solution Article: K79580892
Component: Global Traffic Manager (DNS)
Symptoms:
The user configuration set (UCS) configuration file may fail to load due to the global server load balancing (GSLB)-referenced virtual server name syntax. The system posts errors similar to the following:
01070226:3: Pool Member 20002 references a nonexistent Virtual Server.
Conditions:
This issue occurs when all of the following conditions are met:
-- You have configured your BIG-IP DNS system (formerly known as BIG-IP GTM) with a virtual server name that includes the colon (:) character.
-- The virtual server is included as a GSLB pool member.
-- You save the configuration to a UCS file.
-- You attempt to load the UCS configuration file.
Impact:
Unable to create GTM Pool Member from TMSH, or to load a configuration with this object in it.
Workaround:
None.
606983-1 : ASM errors during policy import
Component: Application Security Manager
Symptoms:
Import failure when importing ASM policy with many Session Awareness Data Points.
ASM logs errors similar to the following:
-- crit g_server_rpc_handler_async.pl[10933]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Could not update the Export Policy Task 'Export Policy Task (1469519765.114479)'. DBD::mysql::db do failed: Got a packet bigger than 'max_allowed_packet' bytes.
Conditions:
-- ASM provisioned.
-- Session Awareness enabled.
-- Many (more than 1000) active Session Awareness 'Block All' data points are present.
-- Export a policy.
-- Import the same policy.
Impact:
asm_config_server crash occurs. asm_config_server recovers automatically, within ~15-30 seconds.
Workaround:
Either release all Session Awareness Data Points before export, or remove them from the exported policy before importing it back.
606032-4 : Network Failover-based HA in AWS may fail
Component: TMOS
Symptoms:
MCPD posts an error that network failover is not configurable:
01071ac2:3: Device-group (/Common/autoscale-group): network-failover property must be disabled in VE-1NIC.
Conditions:
Attempting to setup high availability (HA) in Amazon Web Services (AWS) with only 1 network interface.
Impact:
Configuration of HA in AWS cannot be completed.
Workaround:
The current workaround is to configure HA in AWS with at least 2 network interfaces.
600985-2 : Network access tunnel data stalls
Component: Access Policy Manager
Symptoms:
In certain scenarios, the network access tunnel stays up; however, no data transfer occurs on the tunnel. This issue occurs intermittently.
Conditions:
The cause of this issue is not yet known.
Impact:
Data stalls on the tunnel and hence wont be able to access any applications. However, Edge Client shows the VPN tunnel as 'Connected'.
Workaround:
Manually re-establish the tunnel.
594064-6 : tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.
Solution Article: K57004151
Component: Local Traffic Manager
Symptoms:
When the tcpdump utility is used with the ':p' modifier, it appears that the first few serverside packets are not captured.
Conditions:
-- Using the ':p' modifier with the tcpdump utility to capture serverside flows associated with clientside flows that match a tcpdump filter.
-- FastL4 or standard virtual server UDP flows are being captured.
Impact:
Typically, the peer flow will not be captured until the second packet is processed on the original flow that is captured by the tcpdump filter. Although there is no operational impact, it might cause confusion when looking for serverside traffic when capturing using a command similar to the following: tcpdump -i <vlan>:p host <client-ip>
Typical examples of missing packets include:
-- Serverside syn and syn-ack from FastL4 TCP traffic.
-- All serverside packets for single packet request/reply traffic, e.g., dns request/reply.
Workaround:
Specify filter that includes serverside traffic (e.g., include pool member addresses as 'host <addr>').
591305-2 : Audit log messages with "user unknown" appear on install
Component: TMOS
Symptoms:
Multiple log entries in /var/log/audit similar to
May 4 11:37:35 localhost notice mcpd[5488]: 01070417:5: AUDIT - client Unknown, user Unknown - transaction #33-1 - object 0 - create_if { db_variable { db_variable_name "version.edition" db_variable_value "<none>" db_variable_sync_type "private_internal" db_variable_data_type "string" db_variable_display_name "Version.Edition" } } [Status=Command OK]
Conditions:
This happens on initial install, it is not yet known what triggers it.
Impact:
This is the result of a daemon on the system not properly identifying itself to mcpd. The log messages can be safely ignored.
571651-5 : Reset Nitrox3 crypto accelerator queue if it becomes stuck.
Solution Article: K66544028
Component: Local Traffic Manager
Symptoms:
Certain configuration parameters used during an SSL handshake can elicit a 'queue stuck' message from the accelerator. When this happens, the /var/log/ltm log file will contain a message similar to the following:
'n3-cryptoX request queue stuck'.
Conditions:
The BIG-IP system uses Nitrox 3 encryption hardware to perform SSL encryption.
An SSL handshake sent to the BIG-IP system is incorrectly configured or contains bad information.
Impact:
In-flight and queued contexts for the specific accelerator are dropped. After device recovery, new requests will be accelerated.
Workaround:
Disable crypto acceleration.
569859-4 : Password policy enforcement for root user when mcpd is not available
Component: TMOS
Symptoms:
When the mcpd configuration database is not available password policy is not enforced when changing passwords for the user "root" using the command-line utility `passwd`.
Conditions:
Advanced shell access
mcpd is not available
Change root password with the `passwd` utility
Impact:
Root password may be set to a string that does not comply with the current password policy
534187-4 : Passphrase protected signing keys are not supported by SAML IDP/SP
Component: Access Policy Manager
Symptoms:
Signing operation may fail if the BIG-IP system is used as a SAML Identity Provider or Service Provider and is configured to use passphrase-protected signing keys.
Conditions:
Private key used to perform digital signing operations is passphrase protected.
Impact:
SAML protocol will not function properly due to inability to sign messages.
Workaround:
To work around the problem, remove the passphrase from the signing key.
513310-6 : TMM might core when a profile is changed.
Component: Local Traffic Manager
Symptoms:
TMM might core when a profile is changed.
Conditions:
A "standard" type virtual server configured with the TCP or SCTP protocol profile, and a Persistence, Access or Auth profile. This issue might occur in either of the following scenarios:
-- Change profile on the active device.
-- Change profile on the standby device and perform a config sync to the active ones.
Impact:
TMM might core. Traffic disrupted while tmm restarts.
Workaround:
None.
504522-3 : Trailing space present after 'tmsh ltm pool members monitor' attribute value
Component: Local Traffic Manager
Symptoms:
Values returned from the tmsh command 'ltm pool pool members monitor' have a trailing space, such as returning '/Common/myhttps ' (note the trailing-space). This trailing-space is also observed for the value returned from a REST call.
Conditions:
'tmsh' or a REST call is used to return the 'monitor' for pool members.
Impact:
Scripts or custom applications processing this returned output may wish to 'trim' whitespace on the value (as a trailing space is present); or should not assume the trailing space will be present in the future (as this behavior is not guaranteed).
Workaround:
Use a script or custom applications to 'trim' trailing whitespace for returned values.
486712-4 : GUI PVA connection maximum statistic is always zero
Component: TMOS
Symptoms:
The GUI PVA connection maximum statistic is always zero, regardless of the number of PVA connections established.
Conditions:
This occurs when fastL4 connections are used.
Impact:
The customer cannot determine the maximum number of PVA connections because the stat is always zero.
473787 : System might fail to unchunk server response when compression is enabled
Component: Local Traffic Manager
Symptoms:
If a BIG-IP virtual server is configured with a compression profile and either:
- an NTLM profile
- or an APM access policy
When a pool member sends a chunked (and uncompressed) HTTP response to the BIG-IP system (Transfer-Encoding: chunked), if the BIG-IP system compresses the payload, it does so without unchunking it.
This results in the BIG-IP system sending the client a malformed response that contains chunked encoding markers in the compressed content.
Conditions:
This issue occurs when the following conditions are met:
-- The NTLM and OneConnect profiles are applied to a virtual server. This can also be triggered when replacing the NTLM profile with an APM access policy configuration on the virtual server.
-- HTTP compression is enabled on the virtual server.
Impact:
HTTP responses to the client are malformed. When decompressed, the HTTP response payload incorrectly contains HTTP chunked encoding markers.
Workaround:
To work around this issue, you can either modify the type of response chunking or disable compression. For information on how to do so, see K14030: The BIG-IP system may fail to unchunk server responses when compression is enabled, available here: https://support.f5.com/csp/article/K14030.
431480-6 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
Solution Article: K17297
Component: Local Traffic Manager
Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.
Conditions:
The exact conditions that result in this error are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time, but the system recovers without any user action.
394873 : Upgrade process does not update Tcl scripts★
Component: TMOS
Symptoms:
The upgrade process does not update Tcl scripts (such as iRules) in the configuration.
Conditions:
Upgrading Tcl scripts (such as iRules).
Impact:
This might cause issues when iRule syntax changes between releases. After upgrading, you might need to modify iRules to reflect any changes in iRule syntax.
Workaround:
None.
222220-3 : Distributed application statistics
Component: Global Traffic Manager (DNS)
Symptoms:
Distributed application statistics shows only requests passed to its first wide IP.
Conditions:
Using Distributed application statistics and multiple wide-IP-members.
Impact:
The system does not include statistics for requests passed to other wide-IP-members of the distributed application.
Workaround:
None.
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/