Applies To:
BIG-IP AAM
- 14.0.1
BIG-IP APM
- 14.0.1
BIG-IP Analytics
- 14.0.1
BIG-IP Link Controller
- 14.0.1
BIG-IP LTM
- 14.0.1
BIG-IP PEM
- 14.0.1
BIG-IP AFM
- 14.0.1
BIG-IP FPS
- 14.0.1
BIG-IP DNS
- 14.0.1
BIG-IP ASM
- 14.0.1
BIG-IP Release Information
Version: 14.0.1.1
Build: 6.0
Cumulative fixes from BIG-IP v14.0.1 that are included in this release
Cumulative fixes from BIG-IP v14.0.0.5 that are included in this release
Cumulative fixes from BIG-IP v14.0.0.4 that are included in this release
Cumulative fixes from BIG-IP v14.0.0.3 that are included in this release
Cumulative fixes from BIG-IP v14.0.0.2 that are included in this release
Cumulative fixes from BIG-IP v14.0.0.1 that are included in this release
Known Issues in BIG-IP v14.0.x
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
795197-2 | CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 | K26618426 | Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 |
771873-4 | CVE-2019-6642 | K40378764 | TMSH Hardening |
756538-3 | CVE-2019-6645 | K15759349 | Failure to open data channel for active FTP connections mirrored across an HA pair. |
739971-1 | CVE-2018-5391 | K95343321 | Linux kernel vulnerability: CVE-2018-5391 |
739970-1 | CVE-2018-5390 | K95343321 | Linux kernel vulnerability: CVE-2018-5390 |
738735-1 | CVE-2018-1336 | K73008537 | Tomcat Vulnerability: CVE-2018-1336 |
737731-1 | CVE-2019-6622 | K44885536 | iControl REST input sanitization |
737565-1 | CVE-2019-6620 | K20445457 | iControl REST input sanitization |
788773-3 | CVE-2019-9515 | K50233772 | HTTP/2 Vulnerability: CVE-2019-9515 |
788769-3 | CVE-2019-9514 | K01988340 | HTTP/2 Vulnerability: CVE-2019-9514 |
773673-3 | CVE-2019-9512 | K98053339 | HTTP/2 Vulnerability: CVE-2019-9512 |
745257-2 | CVE-2018-14634 | K20934447 | Linux kernel vulnerability: CVE-2018-14634 |
712876-1 | CVE-2017-8824 | K15526101 | CVE-2017-8824: Kernel Vulnerability |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
782529-3 | 2-Critical | | iRules does not follow current design best practices |
744685-3 | 2-Critical | | BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension |
744188-3 | 2-Critical | | First successful auth iControl REST requests will now be logged in audit and secure log files |
725878-1 | 3-Major | | AVR does not collect all of APM TMStats |
788269-2 | 4-Minor | | Adding toggle to disable AVR widgets on device-groups |
749704-1 | 4-Minor | | GTPv2 Serving-Network field with mixed MNC digits |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
708956-3 | 1-Blocking | K51206433 | During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform' |
788033-1 | 2-Critical | | tpm-status may return "Invalid" after engineering hotfix installation |
781377-6 | 2-Critical | | tmrouted may crash while processing Multicast Forwarding Cache messages |
762453-3 | 2-Critical | | Hardware cryptography acceleration may fail |
757722-4 | 2-Critical | | Unknown notify message types unsupported in IKEv2 |
756402-4 | 2-Critical | | Re-transmitted IPsec packets can have garbled contents |
756071-2 | 2-Critical | | MCPD crash |
753650-1 | 2-Critical | | The BIG-IP system reports frequent kernel page allocation failures. |
734539-4 | 2-Critical | | The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads |
726487-3 | 2-Critical | | MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change. |
724680-5 | 2-Critical | | OpenSSL Vulnerability: CVE-2018-0732 |
708968-1 | 2-Critical | | OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address |
707013-2 | 2-Critical | | vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest |
648270-2 | 2-Critical | | mcpd can crash if viewing a fast-growing log file through the GUI |
621260-3 | 2-Critical | | mcpd core on iControl REST reference to non-existing pool |
788301-4 | 3-Major | K58243048 | SNMPv3 Hardening |
777261-3 | 3-Major | | When SNMP cannot locate a file it logs messages repeatedly |
768981-3 | 3-Major | | vCMP Hypervisor Hardening |
758119-5 | 3-Major | K58243048 | qkview may contain sensitive information |
751009-2 | 3-Major | | Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out |
748187-3 | 3-Major | | 'Transaction Not Found' Error on PATCH after Transaction has been Created |
747592-3 | 3-Major | | PHP vulnerability CVE-2018-17082 |
738445-3 | 3-Major | | IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup |
738236-1 | 3-Major | | UCS does not follow current best practices |
737437-3 | 3-Major | | IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages |
735565-4 | 3-Major | | BGP neighbor peer-group config element not persisting |
720269-1 | 3-Major | | TACACS audit logging may append garbage characters to the end of log strings |
705037-1 | 3-Major | K32332000 | System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart |
639619-6 | 3-Major | | UCS may fail to load due to Master key decryption failure on EEPROM-less systems★ |
581921-4 | 3-Major | K22327083 | Required files under /etc/ssh are not moved during a UCS restore |
789893-3 | 4-Minor | | SCP file transfer hardening |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
810537-4 | 2-Critical | | TMM may consume excessive resources while processing iRules |
809165-3 | 2-Critical | | TMM may crash while processing connector traffic |
808301-3 | 2-Critical | | TMM may crash while processing IP traffic |
787825-6 | 2-Critical | K58243048 | Database monitors debug logs have plaintext password printed in the log file |
778077-5 | 2-Critical | | Virtual to virtual chain can cause TMM to crash |
767653-3 | 2-Critical | | Malformed HTTP request can result in endless loop in an iRule script |
757441-3 | 2-Critical | | Specific sequence of packets causes Fast Open to be effectively disabled |
752930-2 | 2-Critical | | Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state |
747617-3 | 2-Critical | | TMM core when processing invalid timer |
738945-3 | 2-Critical | | SSL persistence does not work when there are multiple handshakes present in a single record |
716714-2 | 2-Critical | | OCSP should be configured to avoid TMM crash. |
795437-3 | 3-Major | | Improve handling of TCP traffic for iRules |
790205-5 | 3-Major | | Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core |
788325-3 | 3-Major | | Header continuation rule is applied to request/response line |
777737-6 | 3-Major | | TMM may consume excessive resources when processing IP traffic |
761014-3 | 3-Major | | TMM may crash while processing local traffic |
760550-4 | 3-Major | | Retransmitted TCP packet has FIN bit set |
758631-3 | 3-Major | | ec_point_formats extension might be included in the server hello even if not specified in the client hello |
754349-3 | 3-Major | | FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4 |
753514-2 | 3-Major | | Large configurations containing LTM Policies load slowly |
750200-2 | 3-Major | | DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode |
749414-3 | 3-Major | | Invalid monitor rule instance identifier error |
749294-3 | 3-Major | | TMM cores when query session index is out of boundary |
746922-5 | 3-Major | | When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain. |
739963-3 | 3-Major | | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup |
739638-3 | 3-Major | | BGP failed to connect with neighbor when pool route is used |
739349-2 | 3-Major | | LRO segments might be erroneously VLAN-tagged. |
738523-1 | 3-Major | | SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages |
726232-3 | 3-Major | | iRule drop/discard may crash tmm |
720219-2 | 3-Major | K13109068 | HSL::log command can fail to pick new pool member if last picked member is 'checking' |
717896-3 | 3-Major | | Monitor instances deleted in peer unit after sync |
717100-2 | 3-Major | | FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member |
712919-3 | 3-Major | | Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server. |
599567-5 | 3-Major | | APM assumes SNAT automap, does not use SNAT pool |
504522-3 | 3-Major | | Trailing space present after 'tmsh ltm pool members monitor' attribute value |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
761032-3 | 3-Major | | TMSH displays TSIG keys |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
775105-2 | 2-Critical | | False positive on bot defense logs |
636400-2 | 2-Critical | | CPB (BIGIP->BIGIQ log node) Hardening |
781637-3 | 3-Major | | ASM brute force counts unnecessary failed logins for NTLM |
773553-3 | 3-Major | | ASM JSON parser false positive. |
764373-2 | 3-Major | | 'Modified domain cookie' violation with multiple enforced domain cookies with different paths |
763001-3 | 3-Major | | Web-socket enforcement might lead to a false negative |
761941-2 | 3-Major | | ASM does not remove CSRT token query parameter before forwarding a request to the backend server |
746394-2 | 3-Major | | With ASM CORS set to 'Disabled' it strips all CORS headers in response. |
739945-3 | 3-Major | | JavaScript challenge on POST with 307 breaks application |
738789-1 | 3-Major | | ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog |
734228-2 | 3-Major | | False-positive illegal-length violation can appear |
727107-3 | 3-Major | | Request Logs are not stored locally due to shmem pipe blockage |
704643-2 | 3-Major | | Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule |
772473-2 | 4-Minor | | Request reconstruct issue after challenge |
768761-3 | 4-Minor | | Improved accept action description for suggestions to disable signature/enable metacharacter in policy |
761553-3 | 4-Minor | | Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic |
761549-3 | 4-Minor | | Traffic Learning: Accept and Stage action is shown only in case entity is not in staging |
750689-2 | 4-Minor | | Request Log: Accept Request button available when not needed |
749184-3 | 4-Minor | | Added description of subviolation for the suggestions that enabled/disabled them |
747905-2 | 4-Minor | | 'Illegal Query String Length' violation displays wrong length |
695878-3 | 4-Minor | | Signature enforcement issue on specific requests |
769061-3 | 5-Cosmetic | | Improved details for learning suggestions to enable violation/sub-violation |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
787677-2 | 3-Major | | AVRD stays at 100% CPU constantly on some systems |
737867-2 | 3-Major | | Scheduled reports are being incorrectly displayed in different partitions |
741767-1 | 5-Cosmetic | | ASM Resource :: CPU Utilization statistics are in wrong scale |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
811145-3 | 2-Critical | | VMware View resources with SAML SSO are not working |
784989-3 | 2-Critical | | TMM may crash with panic message: Assertion 'cookie name exists' failed |
779177-3 | 2-Critical | | Apmd logs "client-session-id" when access-policy debug log level is enabled |
777173-3 | 2-Critical | | Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error |
757782-3 | 2-Critical | | OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default |
740277-1 | 2-Critical | | Extra policy_release (per-request policy) in policy engine causes core due to use-after-free condition |
815753-3 | 3-Major | | TMM leaks memory when explicit SWG is configured with Kerberos authentication |
794561-3 | 3-Major | | TMM may crash while processing JWT/OpenID traffic. |
783817-3 | 3-Major | | UI becomes unresponsive when accessing Access active session information |
769853-3 | 3-Major | | Access Profile option to restrict connections from a single client IP is not honored for native RDP resources |
766577-3 | 3-Major | | APMD fails to send response to client and it already closed connection. |
758018-4 | 3-Major | | APD/APMD may consume excessive resources |
752875-1 | 3-Major | | tmm core while using service chaining for SSLO |
722991-1 | 3-Major | | 'dead.letter' file might appear in the /root directory |
643935-3 | 3-Major | | Rewriting may cause an infinite loop while processing some objects |
737603-2 | 4-Minor | | Apmd leaks memory when executing per-session policy via iRule |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
808525-3 | 2-Critical | | TMM may crash while processing Diameter traffic |
763157-3 | 3-Major | | MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped |
761685-1 | 3-Major | | Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set |
760370-3 | 3-Major | | MRF SIP ALG with SNAT: Next active ingress queue filling |
759077-3 | 3-Major | | MRF SIP filter queue sizes not configurable |
755630-4 | 3-Major | | MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes |
754615-1 | 3-Major | | Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup. |
752822-2 | 3-Major | | SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type |
749603-2 | 3-Major | | MRF SIP ALG: Potential to end wrong call when BYE received |
749227-2 | 3-Major | | MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE |
748043-1 | 3-Major | | MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP |
747187-1 | 3-Major | | SIP falsely detects media flow collision when SDP is in both 183 and 200 response |
746825-2 | 3-Major | | MRF SIP ALG with SNAT: Ephemeral listeners not created for unsubscribed outgoing calls |
745628-2 | 3-Major | | MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message |
745590-3 | 3-Major | | SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added |
745514-2 | 3-Major | | MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message |
745404-1 | 3-Major | | MRF SIP ALG does not reparse SDP payload if replaced |
744949-2 | 3-Major | | MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix |
742829-2 | 3-Major | | SIP ALG: Do not translate and create media channels if the RTP port defined in the SIP message is 0 |
760930-1 | 4-Minor | | MRF SIP ALG with SNAT: Added additional details to log events |
747909-4 | 4-Minor | | GTPv2 MEI and Serving-Network fields decoded incorrectly |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
805837-3 | 2-Critical | | REST does not follow current design best practices |
778869-2 | 2-Critical | | ACLs and other AFM features (e.g., IPI) may not function as designed |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
726665-3 | 2-Critical | | tmm core dump due to SEGFAULT |
759192-2 | 3-Major | | TMM core during display of PEM session under some specific conditions |
756311-3 | 3-Major | | High CPU during erroneous deletion |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
821133-3 | 3-Major | | Wrong wildcard URL matching when none of the configured URLs include QS |
804185-4 | 3-Major | | Some WebSafe request signatures may not work as expected |
737368-2 | 3-Major | | Fingerprint cookie large value may result in tmm core. |
719186-1 | 3-Major | | Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
726872-1 | 3-Major | | iApp LX directory disappears after upgrade or restoring from UCS★ |
Cumulative fixes from BIG-IP v14.0.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
807477-6 | CVE-2019-6650 | K04280042 | ConfigSync Hardening |
797885-3 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
796469-4 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
810557-3 | CVE-2019-6649 | K05123525 | ASM ConfigSync Hardening |
809377-3 | CVE-2019-6649 | K05123525 | AFM ConfigSync Hardening |
799617-3 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
799589-3 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
794389-2 | CVE-2019-6651 | K89509323 | iControl REST endpoint response inconsistency |
794413-3 | CVE-2019-6471 | K10092301 | BIND vulnerability CVE-2019-6471 |
Functional Change Fixes
None
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
744937-7 | 3-Major | K00724442 | Make authenticated-denial-of-existence NSEC3 RR Types Bitmap reflect available Resource Records |
Cumulative fixes from BIG-IP v14.0.0.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
769361-1 | CVE-2019-6630 | K33444350 | TMM may crash while processing SSLO traffic |
758909-2 | CVE-2019-6628 | K04730051 | TMM may crash while processing PEM traffic |
757025-2 | CVE-2018-5744 | K00040234 | BIND Update |
757023-3 | CVE-2018-5743 | K74009656 | BIND vulnerability CVE-2018-5743 |
754944-2 | CVE-2019-6626 | K00432398 | AVR reporting UI does not follow best practices |
754345-1 | CVE-2019-6625 | K79902360 | WebUI does not follow best security practices |
754103-6 | CVE-2019-6644 | K75532331 | iRulesLX NodeJS daemon does not follow best security practices |
753776-4 | CVE-2019-6624 | K07127032 | TMM may consume excessive resources when processing UDP traffic |
749879-3 | CVE-2019-6611 | K47527163 | Possible interruption while processing VPN traffic |
748502-2 | CVE-2019-6623 | K72335002 | TMM may crash when processing iSession traffic |
744035-5 | CVE-2018-15332 | K12130880 | APM Client Vulnerability: CVE-2018-15332 |
739947-2 | CVE-2019-6610 | K42465020 | TMM may crash while processing APM traffic |
739094-6 | CVE-2018-5546 | K54431371 | APM Client Vulnerability: CVE-2018-5546 |
739090-6 | CVE-2018-5546 | K54431371 | BIG-IP APM client vulnerability: CVE-2018-5546 |
737574-1 | CVE-2019-6621 | K20541896 | iControl REST input sanitization★ |
737443-6 | CVE-2018-5546 | K54431371 | BIG-IP APM client for Linux and macOS vulnerability CVE-2018-5546 |
737441-6 | CVE-2018-5546 | K54431371 | Disallow hard links to svpn log files |
737362-6 | CVE-2018-5547 | K10015187 | APM Client Vulnerability: CVE-2018-5547 |
726393-3 | CVE-2019-6643 | K36228121 | DHCPRELAY6 can lead to a tmm crash |
710244-4 | CVE-2018-5536 | K27391542 | Memory Leak of access policy execution objects |
704184-7 | CVE-2018-5529 | K52171282 | APM MAC Client create files with owner only read write permissions |
693810-7 | CVE-2018-5529 | K52171282 | CVE-2018-5529: APM Linux Client Vulnerability |
757455-3 | CVE-2019-6647 | K87920510 | Excessive resource consumption when processing REST requests |
757027-2 | CVE-2019-6465 | K01713115 | BIND Update |
753796-6 | CVE-2019-6640 | K40443301 | SNMP does not follow best security practices |
750460-2 | CVE-2019-6639 | K61002104 | Subscriber management configuration GUI |
750298-2 | CVE-2019-6638 | K67825238 | iControl REST may fail while processing requests |
750187-2 | CVE-2019-6637 | K29149494 | ASM REST may consume excessive resources |
745713-3 | CVE-2019-6619 | K94563344 | TMM may crash when processing HTTP/2 traffic |
745371-6 | CVE-2019-6636 | K68151373 | AFM GUI does not follow best security practices |
745165-2 | CVE-2019-6617 | K38941195 | Users without Advanced Shell Access are not allowed SFTP access |
742226-1 | CVE-2019-6635 | K11330536 | TMSH platform_check utility does not follow best security practices |
741858-2 | CVE-2018-15324 | K52206731 | TMM may crash while processing Portal Access requests |
737910-3 | CVE-2019-6609 | K18535734 | Security hardening on the following platforms |
737442-3 | CVE-2019-6591 | K32840424 | Error in APM Hosted Content when set to public access |
710857-1 | CVE-2019-6634 | K64855220 | iControl requests may cause excessive resource usage |
703835-1 | CVE-2019-6616 | K82814400 | When using SCP into BIG-IP systems, you must specify the target filename |
702472-1 | CVE-2019-6615 | K87659521 | Appliance Mode Security Hardening |
702469-1 | CVE-2019-6633 | K73522927 | Appliance mode hardening in scp |
673842-5 | CVE-2019-6632 | K01413496 | vCMP does not follow best security practices |
773653-5 | CVE-2019-6656 | K23876153 | APM Client Logging |
773649-5 | CVE-2019-6656 | K23876153 | APM Client Logging |
773641-5 | CVE-2019-6656 | K23876153 | APM Client Logging |
773637-5 | CVE-2019-6656 | K23876153 | APM Client Logging |
773633-5 | CVE-2019-6656 | K23876153 | APM Client Logging |
773621-5 | CVE-2019-6656 | K23876153 | APM Client Logging |
714879-4 | CVE-2018-15326 | K34652116 | APM CRLDP Auth passes all certs |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
745387-2 | 3-Major | | Resource-admin user roles can no longer get bash access |
708389-1 | 3-Major | | BADOS monitoring with Grafana requires admin privilege |
700827-3 | 3-Major | | B2250 blades may lose efficiency when source ports form an arithmetic sequence. |
698376-1 | 3-Major | | Non-admin users have limited bash commands and can only write to certain directories |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
774445-2 | 1-Blocking | K74921042 | BIG-IP VE does not pass traffic on ESXi 6.7 Update 2 |
769809-3 | 2-Critical | | vCMP guests 'INOPERATIVE' after upgrade |
769581-4 | 2-Critical | | Timeout when sending many large iControl REST requests |
769169 | 2-Critical | | BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring |
760408-2 | 2-Critical | K23438711 | System Integrity Status: Invalid after BIOS update★ |
752835-4 | 2-Critical | K46971044 | Mitigate mcpd out of memory error with auto-sync enabled. |
744331-2 | 2-Critical | | OpenSSH hardening |
741423-3 | 2-Critical | | Secondary blade goes offline when provisioning ASM/FPS on already established config-sync |
716391-1 | 2-Critical | K76031538 | High priority for MySQL on 2 core vCMP may lead to control plane process starvation |
710277-4 | 2-Critical | | IKEv2 further child_sa validity checks |
668041-3 | 2-Critical | K27535157 | Config load fails when an iRule comment ends with backslash in a config where there is also a policy.★ |
760222-6 | 3-Major | | SCP fails unexpectedly when FIPS mode is enabled |
758527-3 | 3-Major | | BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode |
758387-3 | 3-Major | | BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it |
757026-2 | 3-Major | | BIND Update |
741599-1 | 3-Major | | After upgrade, Client SSL profile may have extra cert-key-chain structure |
737536-3 | 3-Major | | Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others. |
737397-2 | 3-Major | | User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP |
727467-2 | 3-Major | | Some iSeries appliances can experience traffic disruption when the high availability (HA) peer is upgraded from 12.1.3 and earlier to 13.1.0 or later. |
724143-2 | 3-Major | | IKEv2 connflow expiration upon ike-peer change |
718397-2 | 3-Major | | IKEv2: racoon2 appends spurious trailing null byte to ID payloads |
714903-3 | 3-Major | | Errors in chmand |
707740-5 | 3-Major | | Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination |
719770-1 | 4-Minor | | tmctl -H -V and -l options without values crashed |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
753975-3 | 2-Critical | | TMM may crash while processing HTTP traffic with AAM |
753912-3 | 2-Critical | K44385170 | UDP flows may not be swept |
745533-5 | 2-Critical | | NodeJS Vulnerability: CVE-2016-5325 |
744269-1 | 2-Critical | | dynconfd restarts if FQDN template node deleted while IP address change in progress |
744117-4 | 2-Critical | K18263026 | The HTTP URI is not always parsed correctly |
742627-1 | 2-Critical | | SSL session mirroring may cause memory leakage if HA channel is down |
741919-2 | 2-Critical | | HTTP response may be dropped following a 100 continue message. |
740963-1 | 2-Critical | | VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart |
740490 | 2-Critical | | Configuration changes involving HTTP2 or SPDY may leak memory |
727206-5 | 2-Critical | | Memory corruption when using SSL Forward Proxy on certain platforms |
724214-4 | 2-Critical | | TMM core when using Multipath TCP |
718210-1 | 2-Critical | | Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused |
716213-5 | 2-Critical | | BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic |
707207-3 | 2-Critical | | iRuleLx returning undefined value may cause TMM restart |
571651-5 | 2-Critical | | Reset Nitrox3 crypto accelerator queue if it becomes stuck. |
750843 | 3-Major | | HTTP data re-ordering when receiving data while iRule parked |
743257-2 | 3-Major | | Fix block size insecurity init and assign |
742078-5 | 3-Major | | Incoming SYNs are dropped and the connection does not time out. |
740345-2 | 3-Major | | TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled. |
739379-1 | 3-Major | | Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error |
738521-3 | 3-Major | | i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag. |
721261-2 | 3-Major | | v12.x Policy rule names containing slashes are not migrated properly |
715785-1 | 3-Major | | Incorrect encryption error for monitors during sync or upgrade |
713690-4 | 3-Major | | IPv6 cache route metrics are locked |
711981-6 | 3-Major | | BIG-IP system accepts larger-than-egress MTU, PMTU update |
710028-1 | 3-Major | | LTM SQL monitors may stop monitoring if multiple monitors querying same database |
708068-1 | 3-Major | | Tcl commands like "HTTP::path -normalize" do not return normalized path. |
707691-5 | 3-Major | | BIG-IP handles some pathmtu messages incorrectly |
706102-1 | 3-Major | | SMTP monitor does not handle all multi-line banner use cases |
702450-2 | 3-Major | | The validation error message generated by deleting certain object types referenced by a policy action is incorrect |
688553-4 | 3-Major | | SASP GWM monitor may not mark member UP as expected |
672312-4 | 3-Major | | IP ToS may not be forwarded to serverside with syncookie activated |
719247-1 | 4-Minor | K10845686 | HTTP::path and HTTP::query iRule functions cannot be set to a blank string |
664618-2 | 4-Minor | | Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block' |
513310-6 | 4-Minor | | TMM might core when a profile is changed. |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
756774-5 | 2-Critical | | Aborted DNS queries to a cache may cause a TMM crash |
769385-3 | 3-Major | | GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message |
759721-3 | 3-Major | K03332436 | DNS GUI does not follow best practices |
749508-2 | 3-Major | | LDNS and DNSSEC: Various OOM conditions need to be handled properly |
749222-2 | 3-Major | | dname compression offset overflow causes bad compression pointer |
748902-6 | 3-Major | | Incorrect handling of memory allocations while processing DNSSEC queries |
746877-2 | 3-Major | | Omitted check for success of memory allocation for DNSSEC resource record |
744707-3 | 3-Major | | Crash related to DNSSEC key rollover |
723288-1 | 3-Major | | DNS cache replication between TMMs does not always work for net dns-resolver |
721895-4 | 3-Major | | Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery) |
702457-1 | 3-Major | | DNS Cache connections remain open indefinitely |
744280-3 | 4-Minor | | Enabling or disabling a Distributed Application results in a small memory leak |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
750922-2 | 2-Critical | | BD crash when content profile used for login page has no parse parameters set |
739635-1 | 2-Critical | | No learning when creating policy using guided configuration |
737282-1 | 2-Critical | | bd crash. |
726090 | 2-Critical | | No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense |
723790-2 | 2-Critical | | Idle asm_config_server handlers consumes a lot of memory |
716788-1 | 2-Critical | | TMM may crash while response modifications are being performed within DoSL7 filter |
606983-1 | 2-Critical | | ASM errors during policy import |
759483-2 | 3-Major | | Message about HTTP status code which are set by default disappeared from the UI |
754420-2 | 3-Major | | Missing policy name in exported ASM request details |
751710-3 | 3-Major | | False positive cookie hijacking violation |
750793-1 | 3-Major | | Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition |
750356-1 | 3-Major | | Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted |
749109-2 | 3-Major | | CSRF situation on BIGIP-ASM GUI |
748848-1 | 3-Major | | Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers |
748409-1 | 3-Major | | Illegal parameter violation when json parsing a parameter on a case-insensitive policy |
747777-2 | 3-Major | | Extractions are learned in manual learning mode |
747550-2 | 3-Major | | Error 'This Logout URL already exists!' when updating logout page via GUI |
745802-2 | 3-Major | | Brute Force CAPTCHA response page truncates last digit in the support id |
744347-3 | 3-Major | | Protocol Security logging profiles cause slow ASM upgrade and apply policy |
743961-2 | 3-Major | | Signature Overrides for Content Profiles do not work after signature update |
740719-1 | 3-Major | | ASM CSP header parser does not honor unsafe-inline attribute within script-src directive |
739342-1 | 3-Major | | Learning not occurring for some policies |
738864-2 | 3-Major | | javascript functions in href are learned from response as new URLs |
738680-1 | 3-Major | | Update to global list of disallowed filetypes not propagated to the policies |
738647-3 | 3-Major | | Add the login detection criteria of 'status code is not X' |
738211-1 | 3-Major | | pabnagd core when centralized learning is turned on |
737500-1 | 3-Major | | Apply Policy and Upgrade time degradation when there are previous enforced rules |
724414-1 | 3-Major | | ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled |
724032-2 | 3-Major | | Searching Request Log for value containing backslash does not return expected result |
721752-3 | 3-Major | | Null char returned in REST for Suggestion with more than MAX_INT occurrences |
719459-1 | 3-Major | | Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled |
719005-2 | 3-Major | | Login request may arrive corrupted to the backend server after CAPTCHA or CSID mitigation |
716940-1 | 3-Major | | Traffic Learning screen graphs shows data for the last day only |
715128-2 | 3-Major | | Simple mode Signature edit does not escape semicolon |
714153-2 | 3-Major | | REST filter on nested entities has no effect |
713282-2 | 3-Major | | Remote logger violation_details field does not appear when virtual server has more than one remote logger |
712362-4 | 3-Major | | ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase |
711405-2 | 3-Major | K14770331 | ASM GUI Fails to Display Policy List After Upgrade |
707570-1 | 3-Major | | 'Export Suggestions' from Traffic Learning fails for suggestions that previously associated requests are no longer available. |
687759 | 3-Major | | bd crash |
765413-2 | 4-Minor | | ASM cluster syncs caused by PB ignored suggestions updates |
761921-2 | 4-Minor | | avrd high CPU utilization due to perpetual connection attempts |
761231-3 | 4-Minor | | Bot Defense Search Engines getting blocked after configuring DNS correctly |
755005-2 | 4-Minor | | Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations |
754365-4 | 4-Minor | | Updated flags for countries that changed their flags since 2010 |
748999-2 | 4-Minor | | invalid inactivity timeout suggestion for cookies |
717525-2 | 4-Minor | | Behavior for classification in manual learning mode |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
763349-2 | 2-Critical | AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out | |
756205-2 | 2-Critical | TMSTAT offbox statistics are not continuous | |
746941-1 | 2-Critical | avrd memory leak when BIG-IQ fails to receive stats information | |
746823-2 | 2-Critical | AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members | |
737813-2 | 2-Critical | BIG-IP is unable to send statistics to BIG-IQ DCD node using IPv6 address | |
726852-1 | 2-Critical | AVR injects CSPM event when there is no analytics profile on the virtual server | |
771025-1 | 3-Major | AVR send domain names as an aggregate | |
764665-3 | 3-Major | AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change | |
763005-4 | 3-Major | Aggregated Domain Names in DNS statistics are shown as random domain name | |
760356-3 | 3-Major | Users with Application Security Administrator role cannot delete Scheduled Reports | |
753446-3 | 3-Major | avrd process crash during shutdown if connected to BIG-IQ | |
749464-1 | 3-Major | Race condition while BIG-IQ updates common file | |
749461-1 | 3-Major | Race condition while modifying analytics global-settings | |
745027-1 | 3-Major | AVR is doing extra activity of DNS data collection even when it should not | |
744595-2 | 3-Major | DoS-related reports might not contain some of the activity that took place | |
744589-2 | 3-Major | Missing data for Firewall Events Statistics | |
740086-4 | 3-Major | AVR reports ignore partitions for Admin users | |
740024-1 | 3-Major | Web page does not load correctly if load time is enabled | |
738614-1 | 3-Major | 'Internal error' appears on Goodput GUI page | |
737863-2 | 3-Major | Advanced Filters for Captured Transactions not working on Multi-Blade Platforms | |
648242-3 | 3-Major | K73521040 | Administrator users unable to access all partition via TMSH for AVR reports |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
739716-1 | 1-Blocking | APM Subroutine loops without finishing | |
770557-2 | 2-Critical | Per-Session RADIUS Acct STOP message is forged based on pool route domain, but is sent through default one | |
769281-2 | 2-Critical | Per-request Access Policy may show user interface pages incorrectly in languages other than English | |
753370-2 | 2-Critical | RADIUS auth might not be working as configured when there is change in RADIUS auth config name. | |
747621-1 | 2-Critical | Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used | |
722013-2 | 2-Critical | MCPD restarts on all secondary blades post config-sync involving APM customization group | |
704587-3 | 2-Critical | Authentication with UTF-8 chars in password or handling of IP addresses fail due to byte-array processing in iRules | |
759343-5 | 3-Major | MacOS Edge Client installer does not follow best security practices | |
758764-3 | 3-Major | APMD Core when CRLDP Auth fails to download revoked certificate | |
757992-2 | 3-Major | RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup | |
757781-2 | 3-Major | Portal Access: cookie exchange may be broken sometimes | |
755507-2 | 3-Major | [App Tunnel] 'URI sanitization' error | |
755475-2 | 3-Major | Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync | |
754346-3 | 3-Major | Access policy was not found while creating configuration snapshot. | |
750496 | 3-Major | TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP | |
749057-2 | 3-Major | VMware Horizon idle timeout is ignored when connecting via APM | |
745654-3 | 3-Major | Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server | |
745574-2 | 3-Major | URL is not removed from custom category when deleted | |
743437-2 | 3-Major | Portal Access: Issue with long 'data:' URL | |
743106-1 | 3-Major | IP-related agents in Per-Request Policy do not work correctly when APM and SWG are configured | |
739939-2 | 3-Major | Ping Access Agent Module leaks memory in TMM. | |
739024-1 | 3-Major | Kerberos auth fails intermittently after upgrade from v14.0.0 | |
738704-6 | 3-Major | APM client does not support untrusted SSL certificate | |
738582-2 | 3-Major | Ping Access Agent Module leaks memory in TMM. | |
738430-2 | 3-Major | APM is not able to do compliance check on iOS devices running F5 Access VPN client | |
738397-3 | 3-Major | SAML IdP-initiated case that has a per-request policy with a logon page in a subroutine fails. | |
726616-2 | 3-Major | TMM crashes when a session is terminated | |
725867-1 | 3-Major | ADFS proxy does not fetch configuration for non-floating virtual servers | |
722423-2 | 3-Major | Analytics agent always resets when Category Lookup is of type custom only | |
720757-2 | 3-Major | Without proper licenses Category Lookup always fails with license error in Allow Ending | |
713655-1 | 3-Major | RouteDomainSelectionAgent might fail under heavy control plane traffic/activities | |
710884-2 | 3-Major | Portal Access might omit some valid cookies when rewriting HTTP request. | |
701800-1 | 3-Major | K29064506 | SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x |
695985-3 | 3-Major | Access HUD filter has URL length limit (4096 bytes) |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
704555-1 | 2-Critical | Core occurs if DIAMETER::persist reset is called if no persistence key is set. | |
758065-1 | 3-Major | TMM may consume excessive resources while processing FIX traffic | |
741951-5 | 3-Major | Multiple extensions in SIP NOTIFY request cause message to be dropped. |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
745809-3 | 3-Major | The /var partition may become 100% full requiring manual intervention to clear space | |
737035-1 | 3-Major | New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup. |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
740228-2 | 2-Critical | TMM crash while sending a DHCP Lease Query to a DHCP server | |
709670-4 | 3-Major | iRule triggered from RADIUS occasionally fails to create subscribers. |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
723658-2 | 2-Critical | TMM core when processing an unexpected remote session DB response. | |
727212-2 | 3-Major | Subscriber-id query using full length IPv6 address fails. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
752782-2 | 3-Major | 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe' | |
742037-4 | 3-Major | FPS live updates do not install when minor version is different | |
717552-1 | 3-Major | FPS GUI does not save wildcard parameter order state | |
716318-1 | 3-Major | Engine/Signatures automatic update check may fail to find/download the latest update | |
741449-2 | 4-Minor | alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts | |
718044-1 | 4-Minor | Wildcard URLs order fails to save between different pages in FPS GUI |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
748813-2 | 2-Critical | tmm cores under stress test on virtual server with DoS profile with admd enabled | |
748121-2 | 2-Critical | admd livelock under CPU starvation | |
741761-2 | 2-Critical | admd might fail the heartbeat, resulting in a core | |
739277-2 | 2-Critical | TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode | |
714334-2 | 2-Critical | admd stops responding and generates a core while under stress. | |
653573-5 | 2-Critical | ADMd not cleaning up child rsync processes | |
756877-2 | 3-Major | Virtual server created with Guided Configuration is not visible in Grafana | |
741993-2 | 3-Major | The BIG-IP system does not answer the request matching L7 policy that disabled DOSL7 when BADOS configured. | |
720585-2 | 3-Major | Signatures generated by Behavioral DOS algorithm can create false-positive signatures | |
718772-1 | 3-Major | The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists) |
Cumulative fixes from BIG-IP v14.0.0.4 that are included in this release
Functional Change Fixes
None
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
749774-4 | 3-Major | EDNS0 client subnet behavior inconsistent when DNS Caching is enabled | |
749675-4 | 3-Major | DNS cache resolver may return a malformed truncated response with multiple OPT records |
Cumulative fixes from BIG-IP v14.0.0.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
738119-1 | CVE-2019-6589 | K23566124 | SIP routing UI does not follow best practices |
725815-2 | CVE-2018-15320 | K72442354 | vlangroup usage may cause excessive resource consumption |
722677-5 | CVE-2019-6604 | K26455071 | High-Speed Bridge may lock up |
722387-4 | CVE-2019-6596 | K97241515 | TMM may crash when processing APM DTLS traffic |
722091-4 | CVE-2018-15319 | K64208870 | TMM may crash while processing HTTP traffic |
717888-4 | CVE-2018-15323 | K26583415 | TMM may leak memory when a virtual server uses the MQTT profile. |
717742-6 | CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 | K44923228 | Oracle Java SE vulnerability CVE-2018-2783 |
715923-7 | CVE-2018-15317 | K43625118 | When processing TLS traffic TMM may terminate connections unexpectedly |
709972 | CVE-2017-12613 | K52319810 | CVE-2017-12613: APR Vulnerability |
709688-2 | CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 | K08306700 | dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 |
701253-6 | CVE-2018-15318 | K16248201 | TMM core when using MPTCP |
695072-3 | CVE-2016-8399, CVE-2017-1000111, CVE-2017-1000112, CVE-2017-11176, CVE-2017-14106, CVE-2017-7184, CVE-2017-7541, CVE-2017-7542, CVE-2017-7558 | K23030550 | CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558 |
651741 | CVE-2017-5970 | K60104355 | CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop |
745358-2 | CVE-2019-6607 | K14812883 | ASM GUI does not follow best practices |
734822-2 | CVE-2018-15325 | K77313277 | TMSH improvements |
725801-5 | CVE-2017-7889 | K80440915 | CVE-2017-7889: Kernel Vulnerability |
725635-1 | CVE-2018-3665 | K21344224 | CVE-2018-3665: Intel Lazy FPU Vulnerability |
721924-6 | 2018-17539 | K17264695 | bgpd may crash processing extended ASNs |
719554-1 | CVE-2018-8897 | K17403481 | Linux Kernel Vulnerability: CVE-2018-8897 |
716900-3 | CVE-2019-6594 | K91026261 | TMM core when using MPTCP |
710827-1 | CVE-2019-6598 | K44603900 | TMUI dashboard daemon stability issue |
710705-1 | CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 | K34035645 | Multiple Wireshark vulnerabilities |
710148-1 | CVE-2017-1000111, CVE-2017-1000112 | K60250153 | CVE-2017-1000111 & CVE-2017-1000112 |
709256-1 | CVE-2017-9074, CVE-2017-7542 | K61223103 | CVE-2017-9074: Local Linux Kernel Vulnerability |
705476-1 | CVE-2018-15322 | K28003839 | Appliance Mode does not follow design best practices |
699453-6 | CVE-2018-15327 | K20222812 | Web UI does not follow current best coding practices |
677088-1 | CVE-2018-15321 | K01067037 | BIG-IP tmsh vulnerability CVE-2018-15321 |
658557-4 | CVE-2019-6606 | K35209601 | The snmpd daemon may leak memory when processing requests. |
530775-2 | CVE-2019-6600 | K23734425 | Login page may generate unexpected HTML output |
701785-1 | CVE-2017-18017 | K18352029 | Linux kernel vulnerability: CVE-2017-18017 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
734527-3 | 3-Major | BGP 'capability graceful-restart' for peer-group not properly advertised when configured | |
715750-1 | 3-Major | K41515225 | The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
743082-2 | 2-Critical | Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members★ | |
738887-4 | 2-Critical | The snmpd daemon may leak memory when processing requests. | |
725696-2 | 2-Critical | A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted | |
723722-1 | 2-Critical | MCPD crashes if several thousand files are created between config syncs. | |
723298-1 | 2-Critical | BIND upgrade to version 9.11.4 | |
719597-1 | 2-Critical | HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0 | |
706423-3 | 2-Critical | tmm may restart if an IKEv2 child SA expires during an async encryption or decryption | |
703669-1 | 2-Critical | Eventd restarts on NULL pointer access | |
703045-2 | 2-Critical | If using TMSH commands with deprecated attributes in iApp, the upgrade will fail. | |
743803-3 | 3-Major | IKEv2 potential double free of object when async request queueing fails | |
743233-1 | 3-Major | Default engineID may have different lengths | |
726409-5 | 3-Major | Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 | |
722682-3 | 3-Major | Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load★ | |
720713-1 | 3-Major | TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail | |
720651-1 | 3-Major | Running Guest Changed to Provisioned Never Stops | |
720104-2 | 3-Major | BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware' | |
718817-1 | 3-Major | Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail. | |
718525-2 | 3-Major | PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting | |
711249-3 | 3-Major | NAS-IP-Address added to RADIUS packet unexpectedly | |
710976-2 | 3-Major | Network Map might take a long time to load | |
710232-1 | 3-Major | platform-migrate fails when LACP trunks are in use | |
709192-2 | 3-Major | GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart | |
708484-1 | 3-Major | Network Map might take a long time to load | |
707391-1 | 3-Major | BGP may keep announcing routes after disabling route health injection | |
706169-2 | 3-Major | tmsh memory leak | |
704804-4 | 3-Major | The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address | |
704755-3 | 3-Major | EUD_M package could not be installed on 800 platforms | |
704733-3 | 3-Major | NAS-IP-Address is sent with the bytes in reverse order | |
704247-1 | 3-Major | BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted | |
702227-2 | 3-Major | Memory leak in TMSH load sys config | |
701249-3 | 3-Major | RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1 | |
671712-3 | 3-Major | The values returned for the ltmUserStatProfileStat table are incorrect. | |
738985-1 | 4-Minor | BIND vulnerability: CVE-2018-5740 | |
725612-2 | 4-Minor | syslog-ng does not send any messages to the remote servers after reconfiguration | |
714749-1 | 4-Minor | cURL Vulnerability: CVE-2018-1000120 | |
713932-2 | 4-Minor | Commands are replicated to PostgreSQL even when not in use. | |
707267-2 | 4-Minor | REST Framework HTTP header limit size increased to 8 KB | |
720391-3 | 5-Cosmetic | BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' | |
713491-3 | 5-Cosmetic | IKEv1 logging shows spi of deleted SA with opposite endianness |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
737758-3 | 2-Critical | MPTCP Passthrough and VIP-on-VIP can lead to TMM core | |
737445-1 | 2-Critical | Use of TCP Verified Accept can disable server-side flow control | |
727044-3 | 2-Critical | TMM may crash while processing compressed data | |
726239-5 | 2-Critical | interruption of traffic handling as sod daemon restarts TMM | |
724906-3 | 2-Critical | sasp_gwm monitor leaks memory over time | |
724868-3 | 2-Critical | dynconfd memory usage increases over time | |
724213-2 | 2-Critical | K74431483 | Modified ssl_profile monitor param not synced correctly |
710221-1 | 2-Critical | K67352313 | Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled |
709828-1 | 2-Critical | fasthttp can crash with Large Receive Offload enabled | |
700056-2 | 2-Critical | MCPD process may lock up and restart when applying Local Traffic Policy to virtual server | |
726319-1 | 3-Major | 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses | |
722363-3 | 3-Major | Client fails to connect to server when using PVA offload at Established | |
721621-3 | 3-Major | Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node | |
720799-1 | 3-Major | Virtual Server/VIP flaps with FQDN pool members when all IP addresses change | |
720293-4 | 3-Major | HTTP2 IPv4 to IPv6 fails | |
719600-1 | 3-Major | TCP::collect iRule with L7 policy present may result in connection reset | |
717346-1 | 3-Major | K13040347 | [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total |
716716-1 | 3-Major | Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core | |
715883-1 | 3-Major | Tmm crash due to invalid cookie attribute | |
715467-1 | 3-Major | Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY | |
714384-2 | 3-Major | DHCP traffic may not be forwarded when BWC is configured | |
713951-6 | 3-Major | tmm core files produced by nitrox_diag may be missing data | |
713934-1 | 3-Major | Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result in a malformed TC response | |
713766-1 | 3-Major | VLAN failsafe failover may not occur | |
712819-1 | 3-Major | 'HTTP::hsts preload' iRule command cannot be used | |
712664-1 | 3-Major | IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address | |
711281-6 | 3-Major | nitrox_diag may run out of space on /shared | |
709133-1 | 3-Major | When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur | |
709132-2 | 3-Major | When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur | |
707961-1 | 3-Major | K50013510 | Unable to add policy to virtual server; error = Failed to compile the combined policies |
707951-3 | 3-Major | Stalled mirrored flows on HA next-active when OneConnect is used. | |
704764-1 | 3-Major | SASP monitor marks members down with non-default route domains | |
704381-6 | 3-Major | SSL/TLS handshake failures and terminations are logged at too low a level | |
699598-1 | 3-Major | HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR | |
693244-3 | 3-Major | BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned | |
682283-1 | 3-Major | Malformed HTTP/2 request with invalid Content-Length value is served against RFC | |
602708-5 | 3-Major | K84837413 | Traffic may not passthrough CoS by default |
716922-1 | 4-Minor | Reduction in PUSH flags when Nagle Enabled | |
713533-1 | 4-Minor | list self-ip with queries does not work | |
712637-1 | 4-Minor | Host header persistence not implemented | |
708249-1 | 4-Minor | nitrox_diag utility generates QKView files with 5 MB maximum file size limit |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
739846-2 | 2-Critical | Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection | |
726255-1 | 3-Major | dns_path lingering in memory with last_access 0 causing high memory usage | |
723792-1 | 3-Major | GTM regex handling of some escape characters renders it invalid | |
719644-3 | 3-Major | If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★ | |
715448-3 | 3-Major | Providing LB::status with a GTM Pool name in a variable caused validation issues | |
710246-1 | 3-Major | DNS-Express was not sending out NOTIFY messages on VE | |
710032-2 | 3-Major | 'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system. |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
746341 | 1-Blocking | Virtual server page is blank when SSLO is provisioned | |
724341-1 | 3-Major | Import of Access Profile with Machine Cert Checker and default CA Profile is failing |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
706642-1 | 2-Critical | wamd may leak memory during configuration changes and cluster events |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
699454-6 | 4-Minor | Web UI does not follow current best coding practices |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
699531-5 | 2-Critical | Potential TMM crash due to incorrect number of attributes in a PEM iRule command | |
726647-4 | 3-Major | PEM content insertion in a compressed response may truncate some data | |
711093-4 | 3-Major | PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled | |
709610-4 | 3-Major | Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM | |
676346-1 | 3-Major | PEM displays incorrect policy action counters when the gate status is disabled. | |
648802-4 | 3-Major | Required custom AVPs are not included in an RAA when reporting an error. |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
734446-1 | 2-Critical | TMM crash after changing LSN pool mode from PBA to NAPT |
Cumulative fixes from BIG-IP v14.0.0.2 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
716392-2 | 1-Blocking | Support for 24 vCMP guests on a single 4450 blade | |
704552-1 | 3-Major | Support for ONAP site licensing |
Cumulative fixes from BIG-IP v14.0.0.1 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
693359-2 | 1-Blocking | AWS M5 and C5 instance families are supported |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
721364-1 | 1-Blocking | BIG-IP per-application VE BYOL license does not support three wildcard virtual servers | |
707100-1 | 2-Critical | Potentially fail to create user in AzureStack | |
706688-2 | 2-Critical | Automatically add additional certificates to BIG-IP system in C2S and IC environments | |
700086-2 | 2-Critical | AWS C5/M5 Instances do not support BIG-IP VE | |
721985-1 | 3-Major | PAYG License remains inactive as dossier verification fails. | |
721342-2 | 3-Major | No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments. | |
720961-4 | 3-Major | Upgrading in Intelligence Community AWS environment may fail | |
719396-2 | 3-Major | K34339214 | DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot. |
714303-2 | 3-Major | K25057050 | X520 virtual functions do not support MAC masquerading |
709936-2 | 3-Major | Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration. | |
707585-2 | 3-Major | Use native driver for 82599 NICs instead of UNIC | |
703869-4 | 3-Major | Waagent updated to 2.2.21 |
Cumulative fix details for BIG-IP v14.0.1.1 that are included in this release
821133-3 : Wrong wildcard URL matching when none of the configured URLs include QS
Component: Fraud Protection Services
Symptoms:
Wildcard URLs have a flag (include_query_string) that indicates whether matching should include the traffic URL's query string (QS).
For example, if the traffic URL is '/path?a=b' and the configured URL is '/path*b':
1. If Include Query String is enabled, the URL is matched.
2. Otherwise, there is no match (since matching is against '/path' only).
If no configured URL has "Include Query String" enabled, matching may be wrong.
Conditions:
1. Wildcard URL configured in anti-fraud profile (URL name contains an asterisk)
2. None of the configured URLs has "Include Query String" enabled
3. Traffic URL contains a query-string
Impact:
URL is incorrectly matched (when it either shouldn't be matched at all or should match another configured URL). Features/signatures might not work as expected.
Workaround:
Configure at least one URL with "Include Query String" enabled
Fix:
FPS should match query string correctly (according to configuration)
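The configured semantics from the example above, together with a check for the three conditions of ID 821133, as an added illustration. This is not F5 code: the ConfiguredUrl class, the function names and the sample URLs are constructed, and the asterisk is assumed to match any run of characters.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class ConfiguredUrl:
    """One URL entry of an anti-fraud profile (constructed model, not F5's)."""
    pattern: str                 # an asterisk in the name makes it a wildcard URL
    include_query_string: bool   # the "Include Query String" setting

    @property
    def is_wildcard(self) -> bool:
        return "*" in self.pattern


def _wildcard_regex(pattern: str) -> "re.Pattern":
    # Assumption: '*' matches any run of characters; everything else is literal,
    # so the '?' that starts a query string is never treated as a wildcard.
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile(".*".join(literal_parts), re.DOTALL)


def matches(url: ConfiguredUrl, traffic_url: str) -> bool:
    """Intended behaviour: match against path+QS only when the flag is enabled."""
    path = traffic_url.partition("?")[0]
    subject = traffic_url if url.include_query_string else path
    if url.is_wildcard:
        return _wildcard_regex(url.pattern).fullmatch(subject) is not None
    return url.pattern == subject


def in_affected_state(urls: Sequence[ConfiguredUrl], traffic_url: str) -> bool:
    """True when all three Conditions listed for ID 821133 hold."""
    has_wildcard = any(u.is_wildcard for u in urls)
    none_include_qs = not any(u.include_query_string for u in urls)
    has_query_string = "?" in traffic_url
    return has_wildcard and none_include_qs and has_query_string


def audit(urls: Sequence[ConfiguredUrl],
          traffic_urls: Sequence[str]) -> List[Tuple[str, List[str], bool]]:
    """For each traffic URL: the patterns that should match per configuration,
    and whether the request falls under the conditions where matching may be wrong."""
    report = []
    for traffic_url in traffic_urls:
        expected = [u.pattern for u in urls if matches(u, traffic_url)]
        report.append((traffic_url, expected, in_affected_state(urls, traffic_url)))
    return report


# Constructed sample profile and traffic, for illustration only.
PROFILE = [
    ConfiguredUrl("/path*b", include_query_string=False),
    ConfiguredUrl("/login", include_query_string=False),
]
# The same profile with the documented workaround applied: at least one URL
# has "Include Query String" enabled.
PROFILE_WITH_WORKAROUND = PROFILE + [ConfiguredUrl("/api/*", include_query_string=True)]
TRAFFIC = ["/path?a=b", "/pathb", "/login?next=/home"]

if __name__ == "__main__":
    for label, profile in (("as configured", PROFILE),
                           ("with workaround", PROFILE_WITH_WORKAROUND)):
        print(label)
        for traffic_url, expected, at_risk in audit(profile, TRAFFIC):
            print(f"  {traffic_url!r}: expected={expected} may_mismatch={at_risk}")
```

Rows flagged by the audit are the requests worth comparing against what the device actually matched before the fix is installed.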
815753-3 : TMM leaks memory when explicit SWG is configured with Kerberos authentication
Component: Access Policy Manager
Symptoms:
Memory usage of filter keeps increasing over time and becomes one of the major consumers of the TMM memory.
Conditions:
This issue happens if the following conditions are met:
1. Access profile type is SWG-explicit.
2. Access policy contains HTTP 407 Response policy item with HTTP Auth Level being Negotiate.
3. Kerberos is used to authenticate a user.
Impact:
TMM sweeper enters aggressive mode and reaps connections.
Workaround:
None.
811145-3 : VMware View resources with SAML SSO are not working
Component: Access Policy Manager
Symptoms:
Connections to SAML-enabled VMware View resources fail with the following error in /var/log/apm:
err vdi[18581]: 019cffff:3: /pathname: {a7.C} Failed to handle View request: Can't find 'artifact' parameter.
Conditions:
VMware View resource is configured with SAML SSO method.
Impact:
Users cannot launch VMware View apps/desktops via SAML-enabled resource.
Workaround:
None.
Fix:
Can now successfully use VMware View resources with SAML SSO.
810557-3 : ASM ConfigSync Hardening
Solution Article: K05123525
810537-4 : TMM may consume excessive resources while processing iRules
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may consume excessive resources while processing iRules.
Conditions:
HTTP VS enabled.
iRule using HTTP_PROXY_REQUEST configured.
Impact:
Excessive resource consumption, potentially leading to a failover event.
Workaround:
None.
Fix:
TMM now consumes resources as expected.
809377-3 : AFM ConfigSync Hardening
Solution Article: K05123525
809165-3 : TMM may crash while processing connector traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions TMM may crash while processing connector traffic.
Conditions:
Virtual service with Connector profile enabled.
Impact:
TMM crash leading to a failover event.
Workaround:
None.
Fix:
TMM now handles connector traffic as expected.
808525-3 : TMM may crash while processing Diameter traffic
Component: Service Provider
Symptoms:
Under certain conditions, TMM may crash while processing Diameter traffic.
Conditions:
Virtual server with Diameter profile enabled.
Impact:
TMM crash leading to a failover event.
Workaround:
None.
Fix:
TMM now processes Diameter traffic as expected.
808301-3 : TMM may crash while processing IP traffic
Component: Local Traffic Manager
Symptoms:
TMM crash with 'Assertion "l4hdr set" failed' panic message in /var/log/tmm* log.
Conditions:
Packet filter is enabled.
Impact:
TMM crash leading to a failover event.
Workaround:
Disable the packet filter.
Fix:
TMM handles IP traffic as expected.
807477-6 : ConfigSync Hardening
Solution Article: K04280042
805837-3 : REST does not follow current design best practices
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, REST endpoints do not follow current design best practices.
Conditions:
Authenticated REST request with malicious content.
Impact:
REST endpoints do not follow current design best practices.
Workaround:
None.
Fix:
REST endpoints now follow current design best practices.
804185-4 : Some WebSafe request signatures may not work as expected
Component: Fraud Protection Services
Symptoms:
Request signatures are part of the WebSafe signature mechanism. The request signature is achieved by configuring an FPS-protected URL and a corresponding custom-alert. If the URL is a wildcard, a priority must be assigned to determine the order of matching. URL matching by priority is not working properly. As a result, the signatures do not work as expected.
Conditions:
There is at least one wildcard URL configured by the request signature update file.
Impact:
A portion of WebSafe request signatures do not work as expected:
-- An alert is sent, though it should not be (false-positive).
-- An alert was not sent, though it should be (false-negative).
Workaround:
Configure the same signature manually in the BIG-IP system's GUI/tmsh.
Fix:
FPS now correctly handles signature-based wildcard URL's priority.
799617-3 : ConfigSync Hardening
Solution Article: K05123525
799589-3 : ConfigSync Hardening
Solution Article: K05123525
797885-3 : ConfigSync Hardening
Solution Article: K05123525
796469-4 : ConfigSync Hardening
Solution Article: K05123525
795437-3 : Improve handling of TCP traffic for iRules
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM stops processing TCP traffic when processed by an iRule.
Conditions:
-- TCP profile is configured
-- Invalid packet construction
Impact:
TMM may crash, leading to a failover event.
Workaround:
None.
Fix:
TMM handles TCP traffic for iRules as expected.
795197-2 : Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Solution Article: K26618426
794561-3 : TMM may crash while processing JWT/OpenID traffic.
Component: Access Policy Manager
Symptoms:
Under certain conditions, TMM may crash while processing JWT/OpenID traffic.
Conditions:
APM provisioned and configured.
JWT/OpenID session enabled.
Impact:
TMM crash, leading to a failover event.
Workaround:
None.
Fix:
TMM now processes JWT/OpenID traffic as expected.
794413-3 : BIND vulnerability CVE-2019-6471
Solution Article: K10092301
794389-2 : iControl REST endpoint response inconsistency
Solution Article: K89509323
790205-5 : Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core
Component: Local Traffic Manager
Symptoms:
TMM cores when adding a route (either statically or dynamically) to a child route domain.
Conditions:
Adding a more-specific route to a child domain that overrides a route in the default domain.
Impact:
TMM cores. A failover or outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores when adding routes to child domains.
789893-3 : SCP file transfer hardening
Component: TMOS
Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Conditions:
Administrative user with SCP access.
Impact:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Workaround:
None.
Fix:
The SCP file transfer system now follows current best practices.
788773-3 : HTTP/2 Vulnerability: CVE-2019-9515
Solution Article: K50233772
788769-3 : HTTP/2 Vulnerability: CVE-2019-9514
Solution Article: K01988340
788325-3 : Header continuation rule is applied to request/response line
Component: Local Traffic Manager
Symptoms:
When a browser communicates with a server over HTTP, it can split a long header into several lines, prepending continuation lines with leading whitespace symbols. This rule does not apply to the request or response line, so having leading whitespace in the first header line is invalid. The BIG-IP system parses such a line as a header with an empty value.
Conditions:
A virtual server is configured on the BIG-IP system with HTTP profile.
Impact:
The BIG-IP system can hide some important HTTP headers either passing those to the pool member or failing to properly handle the request (or response) or failing to correctly load balance a connection (or request in case of OneConnect profile).
Workaround:
None.
Fix:
Now, when the BIG-IP system receives an invalid request or response with leading whitespace in first header line, it properly parses the header and handles it correctly.
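The parsing rule described in 788325, as an added example (illustrative Python, not F5 code): parse_naive applies the continuation rule to the start line as well, so the first header disappears from the parsed result, while parse_strict rejects whitespace between the start line and the first header field, which is one of the two recipient behaviours RFC 7230 section 3 allows. The function names and the sample messages are constructed for this example.

```python
# Added example (not F5 code): header continuation (obs-fold) handling and
# the check for leading whitespace on the first header line.

WS = (b" ", b"\t")


class InvalidMessage(ValueError):
    """Raised when the header section breaks a rule checked by this example."""


def _lines(head):
    """Return the lines of the header section (everything before the blank line)."""
    return head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")


def _to_pairs(fields):
    """Turn unfolded 'Name: value' lines into (lowercase name, value) pairs."""
    pairs = []
    for line in fields:
        name, sep, value = line.partition(b":")
        # A field needs a colon, a non-empty name, and no whitespace around the name.
        if not sep or not name or name != name.strip():
            raise InvalidMessage("bad header field: %r" % line)
        pairs.append((name.decode("ascii").lower(), value.strip().decode("latin-1")))
    return pairs


def parse_naive(head):
    """Fold every whitespace-led line into the previous line, start line included.

    This models the defect class from the release note: the continuation rule
    is applied to the request/response line, so a first header line that
    begins with whitespace never shows up as a header.
    """
    unfolded = []
    for line in _lines(head):
        if unfolded and line[:1] in WS:
            unfolded[-1] += b" " + line.strip()
        else:
            unfolded.append(line)
    return unfolded[0], _to_pairs(unfolded[1:])


def parse_strict(head):
    """Unfold continuation lines only onto a preceding header field.

    Whitespace between the start line and the first header field is rejected
    (assumption: rejection is chosen here; RFC 7230 section 3 also permits
    ignoring such lines).
    """
    lines = _lines(head)
    start, rest = lines[0], lines[1:]
    if start[:1] in WS:
        raise InvalidMessage("whitespace before start line")
    fields = []
    for line in rest:
        if line[:1] in WS:
            if not fields:
                raise InvalidMessage(
                    "whitespace between start line and first header field")
            fields[-1] += b" " + line.strip()
        else:
            fields.append(line)
    return start, _to_pairs(fields)


def rejects(head):
    """True when parse_strict refuses the message."""
    try:
        parse_strict(head)
    except InvalidMessage:
        return True
    return False


# Constructed sample messages (not captured traffic).
SAMPLE_FOLDED = (b"GET / HTTP/1.1\r\n"
                 b"Host: app.example\r\n"
                 b"X-Long: part-one\r\n"
                 b" part-two\r\n\r\n")
SAMPLE_BAD = (b"GET / HTTP/1.1\r\n"
              b" Host: app.example\r\n"
              b"X-Trace: 1\r\n\r\n")

if __name__ == "__main__":
    print("strict, folded :", parse_strict(SAMPLE_FOLDED))
    print("naive,  bad    :", parse_naive(SAMPLE_BAD))
    print("strict rejects bad message:", rejects(SAMPLE_BAD))
```

Comparing the two parsers on SAMPLE_BAD shows the impact the note describes: the naive result has no Host header at all, which is how a proxy and its pool member can end up disagreeing about a request.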
788301-4 : SNMPv3 Hardening
Solution Article: K58243048
Component: TMOS
Symptoms:
SNMPv3 agents do not follow current best practices.
Conditions:
SNMPv3 agents enabled.
Impact:
SNMPv3 agents do not follow current best practices.
Fix:
SNMPv3 features now follow current best practices.
788269-2 : Adding toggle to disable AVR widgets on device-groups
Component: Application Visibility and Reporting
Symptoms:
Devices on device-group get into state of not-synced when AVR-related widgets are created or modified.
It occurs more frequently when manual config sync is enabled.
It can also occur when visiting a widgets page for the first time that automatically creates default widgets on the first page visit, such as Security :: Overview : Application : Traffic. This can make it appear that a 'read-only' user visiting the page has triggered the need for a config sync.
Conditions:
-- Two or more devices are in a device-group.
-- AVR-related widgets are created or modified.
Impact:
Devices go into a non-synced state.
Workaround:
None.
Fix:
A DB-variable called avr.gui.widgets.sync has been added to disable widgets syncing. Possible values are 'disable' or 'enable'. It is enabled by default.
Behavior Change:
This release adds a DB-variable, avr.gui.widgets.sync, to disable widget syncing. Possible values are 'disable' or 'enable'. It is enabled by default.
788033-1 : tpm-status may return "Invalid" after engineering hotfix installation
Component: TMOS
Symptoms:
When installing certain engineering hotfixes, tpm-status may return "System Integrity: Invalid".
Conditions:
Engineering hotfix installed.
Impact:
System integrity check fails.
Workaround:
None.
Fix:
System integrity check now works as expected on system with engineering hotfixes installed.
787825-6 : Database monitors debug logs have plaintext password printed in the log file
Solution Article: K58243048
Component: Local Traffic Manager
Symptoms:
When debug logging is enabled for a monitor instance of certain monitor types, the resulting monitor instance logs may contain sensitive details such as the password.
Conditions:
Debug mode is enabled for the following monitor types:
1. mssql
2. mysql
3. oracle
4. postgresql
Impact:
The user-account password configured in the health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors/.
Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected monitor types.
2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.
Fix:
The password field for the monitor is now redacted by external monitors when monitor debugging is enabled.
787677-2 : AVRD stays at 100% CPU constantly on some systems
Component: Application Visibility and Reporting
Symptoms:
One thread of the avrd process spontaneously starts to consume 100% CPU.
Conditions:
The exact conditions under which this occurs are unknown, but might occur only on vCMP configurations.
Impact:
System performance degrades.
Workaround:
Restart TMM:
bigstart restart tmm
Fix:
Added processing that prevents AVRD from entering endless loops.
784989-3 : TMM may crash with panic message: Assertion 'cookie name exists' failed
Component: Access Policy Manager
Symptoms:
TMM crashes with SIGFPE panic
panic: ../modules/hudfilter/http/http_cookie.c:489: Assertion 'cookie name exists' failed.
Conditions:
-- Virtual server with remote desktop or VDI profile attached.
-- VDI logging level is set to Debug.
-- iRule that modifies/reads HTTP cookies.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Increase the log-level for VDI from 'Debug' to a higher level.
Fix:
Fixed TMM crash, which occurred when remotedesktop/VDI profile was used together with custom iRule and Debug level logging.
783817-3 : UI becomes unresponsive when accessing Access active session information
Component: Access Policy Manager
Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.
The following error messages shows up in TMM log:
-- notice mcp error: 0x1020002 at ../mcp/db_access.c:831
-- notice mcp error: 0x1020031 at ../mcp/mcp_config.c:588
Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- If Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
Impact:
Some session variables may be lost, which results in UI hang. Admin UI becomes unusable.
Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
782529-3 : iRules does not follow current design best practices
Component: Local Traffic Manager
Symptoms:
iRules does not follow current design best practices.
Conditions:
iRules does not follow current design best practices.
Impact:
iRules does not follow current design best practices.
Workaround:
None.
Fix:
iRules now follows current design best practices.
Behavior Change:
Database variable 'tmm.tcl.rule.connect.allow_loopback_addresses' was created to toggle whether or not to allow loopback addresses; TRUE will restore previous behavior and enable loopback connections.
Default value is FALSE.
781637-3 : ASM brute force counts unnecessary failed logins for NTLM
Component: Application Security Manager
Symptoms:
A false positive brute force violation is raised and the login request is blocked.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM Brute force protection enabled for NTLM login type.
Impact:
The login request is blocked by the ASM policy.
Workaround:
Define higher thresholds in brute force protection settings.
Fix:
The ASM code has been fixed and no longer counts unnecessary failed logins for NTLM.
781377-6 : tmrouted may crash while processing Multicast Forwarding Cache messages
Component: TMOS
Symptoms:
Under certain conditions, tmrouted may crash while processing Multicast Forwarding Cache (MFC) messages.
Conditions:
tmrouted processing MFC messages.
Impact:
tmrouted crash, leading to a failover event.
Workaround:
None.
Fix:
tmrouted now processes MFC messages as expected.
779177-3 : Apmd logs "client-session-id" when access-policy debug log level is enabled
Component: Access Policy Manager
Symptoms:
Apmd logs the "client-session-id" when access-policy debug log level is enabled.
Conditions:
-- APM is provisioned and licensed.
-- Per-session policy is attached to virtual server.
-- Access-policy log level set to Debug.
Impact:
Client session ID is available in debug log files and may be visible to authenticated administrators.
Workaround:
None.
Fix:
Apmd now no longer logs the client-session-id when access-policy debug log level is enabled.
778869-2 : ACLs and other AFM features (e.g., IPI) may not function as designed
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, ACLs, IPI and other AFM features may not function as designed.
Conditions:
AFM provisioned and configured.
TCP mitigations active.
Impact:
AFM features do not function as designed.
Workaround:
None.
Fix:
ACLs and other AFM features (e.g., IPI) now function as designed.
778077-5 : Virtual to virtual chain can cause TMM to crash
Component: Local Traffic Manager
Symptoms:
When using a virtual-to-virtual chain via the virtual iRule command, a specific packet might core TMM.
Conditions:
A virtual-to-virtual chain using the virtual iRule command.
Impact:
TMM crash leading to a failover event.
Workaround:
None.
Fix:
TMM now processes virtual-to-virtual chains as expected.
777737-6 : TMM may consume excessive resources when processing IP traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may consume excessive resources when processing IP traffic.
Conditions:
CMP forwarding
Impact:
Excessive resource consumption, potentially leading to a failover event.
Workaround:
None.
Fix:
TMM now consumes resources as expected while processing IP traffic.
777261-3 : When SNMP cannot locate a file it logs messages repeatedly
Component: TMOS
Symptoms:
When the SNMP daemon encounters an error while attempting to statfs a file, it logs an error message. If the file is not present, this error is logged repeatedly and can fill up the log file.
Conditions:
When an SNMP request causes the daemon to query a file on disk, a system error can occur. If the file is not present, the error is logged repeatedly.
Impact:
This can fill up the log with errors.
Fix:
The SNMP daemon has been fixed to log this error once.
777173-3 : Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error
Component: Access Policy Manager
Symptoms:
When administrator runs Citrix vdi iApp in APM standalone deployment (LTM is not licensed), iApp fails with the following error:
01070356:3: HTTP header transformation feature not licensed
This is the result of a license check added for HTTP header transformation.
Conditions:
- APM is licensed as stand alone (no LTM license)
- Admin tries to run Citrix vdi iApp
Impact:
The administrator is not able to use the iApp to configure Citrix vdi access.
Workaround:
Adding LTM module license will resolve the error.
Fix:
Citrix vdi iApp now can be used to configure Citrix vdi access in an APM standalone deployment.
775105-2 : False positive on bot defense logs
Component: Application Security Manager
Symptoms:
Remote log entries suggest that blocking events have occurred although their DoS profile is not set to block any traffic.
Conditions:
DoS profile is not set to block any traffic.
Impact:
False positives: remote log entries suggest that blocking events have occurred.
Workaround:
None.
Fix:
Bot defense remote logging profile attached to virtual servers and some bot signatures is be set to 'Report'.
774445-2 : BIG-IP VE does not pass traffic on ESXi 6.7 Update 2
Solution Article: K74921042
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.7 Update 2 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).
Conditions:
-- BIG-IP VE running on VMware ESXi 6.7 Update 2 (build number 13006603) hypervisor.
-- VMXNET 3 NICs.
Impact:
Traffic does not pass through non-mgmt interfaces.
Workaround:
You can use the following workarounds:
-- Until this issue is fixed in a Point-Release for your software branch, you can contact F5 Networks Technical Support to obtain an Engineering Hotfix to address the issue. This workaround allows TMM to continue to use the VMXNET3 driver, which is preferable.
-- On BIG-IP version 14.1.0, you can switch to the 'sock' driver.
-- On BIG-IP versions earlier than 14.1.0, you can switch to the 'unic' driver.
Note: The workarounds that switch driver must be applied individually to devices, as they do not synchronize via ConfigSync.
To switch driver:
1. Add a line to /config/tmm_init.tcl that reads 'device driver vendor_dev 15ad:07b0 DRIVER' (replacing DRIVER with 'unic' or 'sock', as appropriate). For example:
echo "device driver vendor_dev 15ad:07b0 sock" >> /config/tmm_init.tcl
2. Restart tmm for the changes to take effect (restarting tmm disrupts traffic):
bigstart restart tmm
3. After tmm restarts, confirm the driver in use by examining the output of:
tmctl -d blade tmm/device_probed
Fix:
BIG-IP VE now passes traffic on ESXi 6.7 Update 2.
773673-3 : HTTP/2 Vulnerability: CVE-2019-9512
Solution Article: K98053339
773653-5 : APM Client Logging
Solution Article: K23876153
773649-5 : APM Client Logging
Solution Article: K23876153
773641-5 : APM Client Logging
Solution Article: K23876153
773637-5 : APM Client Logging
Solution Article: K23876153
773633-5 : APM Client Logging
Solution Article: K23876153
773621-5 : APM Client Logging
Solution Article: K23876153
773553-3 : ASM JSON parser false positive.
Component: Application Security Manager
Symptoms:
False positive JSON malformed violation.
Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.
Impact:
HTTP request is blocked or an alarm is raised.
Workaround:
There is no workaround other than disabling the JSON profile.
Fix:
JSON parser has been fixed as per RFC 8259.
772473-2 : Request reconstruct issue after challenge
Component: Application Security Manager
Symptoms:
False positive on Content-Type header in GET request.
Conditions:
After challenge is completed, the server responds to the reconstructed request with a 302-redirect.
Impact:
The BIG-IP adds to the next request (GET request) a Content-Type header.
Workaround:
There is no workaround at this time.
Fix:
The BIG-IP no longer reconstructs the next request after a redirect.
771873-4 : TMSH Hardening
Solution Article: K40378764
771025-1 : AVR sends domain names as an aggregate
Component: Application Visibility and Reporting
Symptoms:
AVR sends domain name as an aggregate of a number of domain names.
Conditions:
-- AVR receives more than the number of domain names it can handle.
-- After AVR gets DNS calls with different domain name, it no longer clears the domain name.
-- When AVR receives the maximum number of total domain names, it starts to aggregate all the new domain names.
Impact:
Cannot see the correct domain name.
Workaround:
None.
Fix:
AVR now removes old domain names, so it can add new ones and send the actual domain names it collected.
770557-2 : Per-Session RADIUS Acct STOP message is forged based on pool route domain, but is sent through default one
Component: Access Policy Manager
Symptoms:
The per-Session RADIUS Acct STOP message is forged based on the pool route domain, but is sent through the default one.
Conditions:
1. Deploy the BIG-IP system with two route domains.
2. Under each route domain, you have a path to the RADIUS server.
3. Create Access Policy with a Logon Page, RADIUS Acct agent fallback-to-Deny ending.
4. Attach it to the virtual server.
5. Run tcpdump -i any port 1813 -ne on the BIG-IP system.
6. Navigate to the virtual server.
7. Wait 20 seconds till STOP packets arrive.
Impact:
The BIG-IP system sends the STOP packets according to the default routing table instead of the configured route domain RADIUS server.
Workaround:
None.
Fix:
The BIG-IP system now sends the STOP packets according to the configured route domain RADIUS server.
769853-3 : Access Profile option to restrict connections from a single client IP is not honored for native RDP resources
Component: Access Policy Manager
Symptoms:
When launching a native RDP resource (desktop/application) from APM Webtop, APM provides an RDP file to the browser and the browser invokes the native RDP client to launch the resource with the parameters specified in the RDP file.
When the Access Profile option 'Restrict to Single Client IP' is enabled, the user should only be allowed to launch the resource from the client that initiated the request.
Conditions:
-- APM Webtop is configured with native RDP resource.
-- 'Restrict to Single Client IP' option is enabled in Access Profile.
Impact:
RDP file provided by APM can be used for launching the RDP resource on a client machine that did not initiate the APM session.
Workaround:
None.
Fix:
When Access Profile option 'Restrict to Single Client IP' is enabled, APM restricts native RDP resource launch from the client that initiated the APM session.
769809-3 : vCMP guests 'INOPERATIVE' after upgrade
Component: TMOS
Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests report as INOPERATIVE.
Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.
Impact:
vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.
Workaround:
None.
Fix:
The system now handles a guest unit key that has a NULL in it, so vCMP guests are no longer 'INOPERATIVE' after upgrade.
769581-4 : Timeout when sending many large iControl REST requests
Component: TMOS
Symptoms:
After sending hundreds of REST requests, REST requests eventually begin to time out. This is the case for applications such as AS3, with requests with 700 services.
Conditions:
1. Download and install the AS3 iApp. This adds the /mgmt/shared/appsvcs/ endpoint to the BIG-IP system.
2. Deploy config with AS3:
curl -X POST \
https://<$IP_address>/mgmt/shared/appsvcs/declare \
-H 'Content-Type: application/json' \
-d //This should be the data from an AS3 body
3. While deployment in step 2 is happening, make a GET to the tasks:
curl -X GET \
https://<$IP_address>/mgmt/shared/appsvcs/task \
-H 'Content-Type: application/json'
4. Delete configuration:
curl -X DELETE \
https://<$IP_address>/mgmt/shared/appsvcs/declare
It may take 3 or 4 times repeating steps 2 through 4 for the issue to show up. When it appears, you will start seeing messages in the AS3 task response like the following:
-- 'message': 'failed to save BIG-IP config (POST http://<$USERNAME>:<$PASSWORD>@<$IP_address>:8100/mgmt/tm/task/sys/config create task save sys config response=400 body={\"code\":400,\"message\":\"remoteSender:Unknown, method:POST \",\"originalRequestBody\":\"{\\\"command\\\":\\\"save\\\"}\",\"referer\":\"Unknown\",\"restOperationId\":6924816,\"kind\":\":resterrorresponse\"})'
Impact:
Saving new configuration data does not work. Any new transaction tasks fail.
Workaround:
1. Restart restjavad and all iControl Rest (icrd_child) instances.
2. Wait longer for large requests to finish before performing additional requests.
Fix:
The system now properly handles creation of the new iControl REST transaction process when the existing process was killed by a timeout operation.
769385-3 : GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message
Component: Global Traffic Manager (DNS)
Symptoms:
GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message:
err mcpd[7649]: error: crypto codec New token is smaller with added values.
Conditions:
Two or more GTM devices with internal FIPS modules are configured with DNSSEC keys with 'use-fips internal' set, and GTM config sync between the devices is configured and enabled.
Impact:
DNSSEC keys are not imported into the FIPS cards of devices that receive the key via a synchronization from another device.
Workaround:
None.
769361-1 : TMM may crash while processing SSLO traffic
Solution Article: K33444350
769281-2 : Per-request Access Policy may show user interface pages incorrectly in languages other than English
Component: Access Policy Manager
Symptoms:
If per-request Access Policy contains a user interface page (logon page, message box, etc.), this page may not be shown correctly in the browser if English is not the preferred language.
Conditions:
-- Browser with preferred language other than English.
-- Per-request Access Policy with support of this language.
-- Access Policy Agent with user interface included in the policy (logon page, message box, decision box, various forms of Rejected Ending Agent).
Impact:
The browser shows incorrect items on the response page presented to the APM end user (e.g., the page displays incorrect language strings).
Workaround:
None.
Fix:
Now, user interface pages in non-English languages are shown correctly by per-request Access Policy Agents.
769169 : BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring
Component: TMOS
Symptoms:
BIG-IQ sends a lot of requests to the BIG-IP system to collect the stats. This makes the BIG-IP system slow, and eventually the GUI becomes unresponsive.
Conditions:
-- BIG-IQ monitoring a large BIG-IP configuration.
-- With a very large number of requests, and with resource-expensive requests.
Impact:
ICRD requests wait longer in the ICRD queue, which can make the BIG-IP system become unresponsive. Policy Creation, Device Overview, and stats pages take more time to respond, and eventually, the GUI becomes unresponsive on these three pages.
Many process terminated/re-created messages appear in the restjavad logs.
Workaround:
Remove the BIG-IP device from the BIG-IQ and restart mcpd.
Fix:
The system now handles the queue so that there is time for BIG-IP system to recover and become responsive.
769061-3 : Improved details for learning suggestions to enable violation/sub-violation
Component: Application Security Manager
Symptoms:
The title for the entity in suggestions to enable violation/sub-violation is 'Match violation'/'Matched HTTP Check', though these suggestions are created when there is no match in the observed traffic.
Conditions:
There are learning suggestions to enable violations/sub-violation in the policy
Impact:
Misleading suggestion details.
Workaround:
None.
Fix:
The misleading word 'Matched' was removed from the title.
768981-3 : vCMP Hypervisor Hardening
Component: TMOS
Symptoms:
The vCMP hypervisor does not apply current design best practices.
Conditions:
vCMP hypervisor enabled.
Impact:
The vCMP hypervisor does not apply current design best practices.
Workaround:
None.
Fix:
The vCMP hypervisor now applies current best practices.
768761-3 : Improved accept action description for suggestions to disable signature/enable metacharacter in policy
Component: Application Security Manager
Symptoms:
It is difficult to understand the description for suggestions to disable signature or enable metacharacter on parameter/URL alternative action (accept for all entities).
Conditions:
There are suggestions to disable signature or enable metacharacter on parameter/URL.
Impact:
Action description can be difficult to understand.
Workaround:
None.
Fix:
'Accept for Any Entity' action has been renamed to 'Accept Globally'. The 'Charset' type is now mentioned in the action description for better understanding of the applied action.
767653-3 : Malformed HTTP request can result in endless loop in an iRule script
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system receives an HTTP request, its parser determines the version of the HTTP protocol in use. A malformed HTTP/1.1 request can be recognized as having HTTP/0.9 version but still having headers. An attempt to remove an existing HTTP header can result in an endless loop.
Conditions:
The BIG-IP system has a virtual server with an HTTP profile and an iRule that removes all occurrences of a specific header.
Impact:
The BIG-IP system enters into an endless loop, and SOD kills the TMM process handling the request. The BIG-IP system fails over and may cause interruption in traffic processing.
Workaround:
Stop the processing of a request when HTTP/0.9 is detected:
if {[HTTP::version] equals "0.9"} {return}
Fix:
When a malformed request is recognized as HTTP/0.9 it no longer provides inconsistent results for iRule commands and prevents endless loops due to such version transformation.
766577-3 : APMD fails to send response to client and it already closed connection.
Component: Access Policy Manager
Symptoms:
APMD fails to send response to client and produces error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer
APMD does most of its action with backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server response is very slow (because of various reasons such as network issues), it might cause slow apmd client response. Sometimes, the client has already closed the connection to the virtual server, so the client connection is no longer valid.
Conditions:
Backend server is slow, causing longer-than-usual response times.
Impact:
This causes the client to close the connection. APMD fails to respond to the client.
The cumulative slowness of the backend server causes delay in response. Most of the time, the client connection is already closed. As a result, the request queue gets full. When apmd starts processing the request from the queue, the client connection is already closed for some of them, and processing those requests still continues, which is unnecessary and causes more delay.
Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.
765413-2 : ASM cluster syncs caused by PB ignored suggestions updates
Component: Application Security Manager
Symptoms:
Frequent syncs occurring within an ASM device group.
Conditions:
Several (updating) suggestions are marked 'ignored'.
Impact:
Syncs appear in the logs (no actual performance degradation).
Workaround:
-- Remove the Ignored Suggestions. (Note: These might be re-added and you must refrain from clicking the Ignore button).
-- Remove the Ignored Suggestions and uncheck the Learn flag for the violation that causes it. (Note: The impact is that the system does not learn this violation anymore, so any future suggestions to amend the policy for that violation will not be created.)
Fix:
Policy Builder (PB) no longer updates Ignored Suggestions, so unnecessary sync operations no longer occur.
764665-3 : AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change
Component: Application Visibility and Reporting
Symptoms:
When BIG-IP is registered on BIG-IQ system, sometimes avrd crashes with core.
Conditions:
-- BIG-IP is registered at BIG-IQ.
-- BIG-IQ sends configuration update to BIG-IP.
Impact:
Avrd cores and restarts. Functionality is not impacted, stats data are sent to BIG-IQ.
Workaround:
None.
Fix:
Corrected issue in setting value for internal flag.
764373-2 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths
Component: Application Security Manager
Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.
Conditions:
Server sends enforced cookies with the same name but with different paths.
Impact:
A valid request might be rejected.
Workaround:
None.
Fix:
The system now checks all enforced cookies correctly, so this issue no longer occurs.
763349-2 : AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out
Component: Application Visibility and Reporting
Symptoms:
avrd application on BIG-IP crashes; core is generated.
Conditions:
-- The BIG-IP is configured to send data to BIG-IQ DCD node via the HTTPS protocol.
-- Connection to DCD is established but response does not arrive within the timeout interval, so the connection times out.
Impact:
avrd crashes, and a core is generated.
Workaround:
None.
Fix:
avrd now reconnects to BIG-IQ DCD in a different sequence so this issue no longer occurs.
763157-3 : MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped
Component: Service Provider
Symptoms:
Processing the response to an outbound request at the same time as an inbound request message on the same connection could cause internal state generated to be confused and the inbound request to be dropped.
Conditions:
Processing the response to an outbound request at the same time as an inbound request message on the same connection.
Impact:
The inbound request will be dropped.
Workaround:
None.
Fix:
The internal state generated is no longer confused so the inbound request is no longer dropped.
763005-4 : Aggregated Domain Names in DNS statistics are shown as random domain name
Component: Application Visibility and Reporting
Symptoms:
When many DNS queries (e.g., 50000) with different query domain names are sent and AVR aggregates the data, it shows aggregated names using a random name taken from the first lookup table record.
Conditions:
-- Run 50000 DNS queries, all with different domain names.
-- View Statistics :: Analytics :: DNS, and choose View By : Domain Names.
Impact:
There is one random domain name with a high counter value, other domains are shown with counter 1.
Workaround:
None.
763001-3 : Web-socket enforcement might lead to a false negative
Component: Application Security Manager
Symptoms:
A request that should be blocked will be passed to server.
Conditions:
Parse parameters flag in the JSON profile is enabled.
Requests are sent in JSON WebSocket.
Impact:
Bad requests may be passed to the server.
Workaround:
Disable the parse parameters flag in the JSON profile.
Fix:
Web-socket enforcement now filters requests as expected.
762453-3 : Hardware cryptography acceleration may fail
Component: TMOS
Symptoms:
Host reports the following error message:
Device error: crypto codec qat-cryptoXX-Y queue is stuck.
Conditions:
Platform with access to Intel QAT cryptography hardware
Hardware cryptography acceleration enabled
Impact:
Hardware cryptography acceleration failure, leading to a failover event.
Workaround:
Disable hardware crypto acceleration for impacted device.
Fix:
Platforms with QAT accelerators now function as expected.
761941-2 : ASM does not remove CSRT token query parameter before forwarding a request to the backend server
Component: Application Security Manager
Symptoms:
CSRT query parameter observed in tcpdump on the BIG-IP system's server side.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF enabled in ASM policy.
Impact:
Backend app gets CSRT parameter, which might impact its business logic.
Workaround:
You can remove a CSRT query parameter using a URI modification iRule on the server side.
Fix:
The system now removes the csrt query parameter before forwarding a request to the backend server
761921-2 : avrd high CPU utilization due to perpetual connection attempts
Component: Application Security Manager
Symptoms:
avrd shows high CPU utilization. Repeated retries on auth token client failed connection attempts.
Conditions:
-- The BIG-IQ system is not available (even though it is configured).
-- Frequent connection retries.
Impact:
avrd consumes a large amount of CPU.
Workaround:
Correct BIG-IQ availability and restart avrd.
Fix:
avrd now waits between connection retries, so this issue does not occur.
761685-1 : Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set
Component: Service Provider
Symptoms:
Systems desiring to create a unique connection per connection client may silently end up with clients sharing an outgoing connection if routing uses a virtual server as the outgoing connection transport definition, and the virtual server has the source-port attribute set to preserve-strict.
Conditions:
-- Routing using a virtual server as the transport definition for the outgoing connection.
-- The virtual server has the source-port attribute set to preserve-strict.
Impact:
Systems desiring to create a unique connection per connection client may silently end up sharing an outgoing connection.
Workaround:
None.
Fix:
Per-client mode is now maintained when routing to a virtual server, even when preserve-strict is selected.
761553-3 : Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic
Component: Application Security Manager
Symptoms:
Text for analyzed requests might be misleading for suggestions that are created as result of an absence of violations in traffic:
X requests triggered this suggestion from date:time until date:time.
Actually:
-- 'X requests' did not trigger a violation, and no sampled requests are provided.
-- The format of the time in 'from date:time until date:time' is difficult to parse.
Conditions:
There are suggestions that were created as result of an absence of violations in traffic in the policy.
Impact:
Text might be misleading.
Workaround:
None.
Fix:
Improved text for analyzed requests for suggestions that were created as result of absence of violations in traffic
761549-3 : Traffic Learning: Accept and Stage action is shown only in case entity is not in staging
Component: Application Security Manager
Symptoms:
Accept and Stage action is available, even for entities that are in staging already.
Conditions:
Create suggestion for the entity (e.g., Attack signature on parameter) that is in staging.
Impact:
Action that is not relevant is shown.
Workaround:
None.
Fix:
Accept and Stage action is available only for suggestions on entities that are not in staging
761231-3 : Bot Defense Search Engines getting blocked after configuring DNS correctly
Component: Application Security Manager
Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.
A cache is stored for legal / illegal requests to prevent querying the DNS again.
This cache never expires, so after an initial DNS misconfiguration, or a routing or networking issue, has been fixed, the Search Engines may still be blocked until TMM is restarted.
Conditions:
-- Initial misconfiguration of DNS or routing or networking issue.
-- Cache stores requests to prevent future queries to DNS.
-- Correct the misconfiguration.
Impact:
Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.
Workaround:
Restart TMM by running the following command:
bigstart restart tmm
Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.
761032-3 : TMSH displays TSIG keys
Component: Global Traffic Manager (DNS)
Symptoms:
TSIG key is displayed when related configuration is listed in TMSH.
Conditions:
Authenticated administrative user.
Listing TSIG keys using TMSH.
Impact:
Displaying TSIG keys is a security exposure.
Workaround:
None.
Fix:
TMSH no longer displays TSIG keys when listing configuration.
761014-3 : TMM may crash while processing local traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing local network traffic.
Conditions:
Multi-blade chassis, including multi-blade vCMP guests.
Impact:
TMM crash leading to a failover event.
Workaround:
None.
Fix:
TMM now processes local network traffic as expected.
760930-1 : MRF SIP ALG with SNAT: Added additional details to log events
Component: Service Provider
Symptoms:
Subscriber name is not included in debug log events for temporary subscriber registration creation and deletion.
Conditions:
debug log events for temporary subscriber registration creation and deletion.
Impact:
No functional impact, but the associated MRF SIP ALG with SNAT issue might be difficult to debug.
Workaround:
None.
Fix:
Subscriber ID is now included in the log events.
760550-4 : Retransmitted TCP packet has FIN bit set
Component: Local Traffic Manager
Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.
Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.
Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.
Workaround:
Set Nagle to disabled in the TCP profile.
Fix:
The incorrect FIN bit is removed.
760408-2 : System Integrity Status: Invalid after BIOS update★
Solution Article: K23438711
Component: TMOS
Symptoms:
When the BIG-IP system boots, it performs a System Integrity Check. The System Integrity Status may return one of three states: Valid, Unavailable, or Invalid.
This issue causes the System Integrity Status to return a value of 'Invalid'.
Conditions:
-- BIG-IP systems that have been manufactured using an earlier BIOS version.
-- Updating to a newer BIOS version.
Impact:
The System Integrity Status returns a status of Invalid, which may falsely indicate that the system BIOS or OS has been compromised.
Workaround:
Install the new BIOS, which fixes the issue that causes the 'Invalid' status to be reported, and, on systems where the BIOS and OS have not been compromised, returns a status of 'Valid'.
Fix:
The System Integrity Status check now returns 'Valid' for systems that have not been compromised.
760370-3 : MRF SIP ALG with SNAT: Next active ingress queue filling
Component: Service Provider
Symptoms:
When running MRF SIP ALG with SNAT, the ingress queue may fill, causing messages to be dropped on the next-active device.
Conditions:
-- The active device determines that an operation can be skipped because the details are already discovered processing a previous message.
-- The next-active device has not yet processed the previous message and is not able to skip the operation.
Impact:
Mirroring state is lost for the connection.
Workaround:
None.
Fix:
When the connection is mirrored, the processing operation is not skipped on either the active or next-active device.
760356-3 : Users with Application Security Administrator role cannot delete Scheduled Reports
Component: Application Visibility and Reporting
Symptoms:
User accounts configured with the Application Security Administrator role cannot delete scheduled reports, while they can create/view/edit them.
Conditions:
-- Logged on with a user account configured as an Application Security Administrator.
-- Attempting to delete a scheduled report.
Impact:
Cannot complete the delete operation. Deleting scheduled reports requires root/admin intervention.
Workaround:
Use root or a user account configured as Administrator to delete scheduled reports.
Fix:
User accounts configured with the Application Security Administrator role can now delete Scheduled Reports
760222-6 : SCP fails unexpectedly when FIPS mode is enabled
Component: TMOS
Symptoms:
Secure Copy (scp) to some locations fails with the following message:
Path not allowed.
Conditions:
-- FIPS mode is enabled.
-- Copying a file to a restricted location using SCP.
Impact:
Cannot use SCP to copy to restricted locations on the BIG-IP system.
Workaround:
None.
Fix:
This scp issue no longer occurs when FIPS cards are installed.
759721-3 : DNS GUI does not follow best practices
Solution Article: K03332436
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS WebUI does not follow best security practices.
Conditions:
DNS services provisioned, enabled, and configured
Impact:
The DNS WebUI does not follow best security practices.
Workaround:
None.
Fix:
The DNS WebUI now follows best security practices.
759483-2 : Message about HTTP status code which are set by default disappeared from the UI
Component: Application Security Manager
Symptoms:
When creating a new policy using the policy-creation page, there are status codes (200-399) that are enabled by default. The message about HTTP status codes that are set by default does not appear in the GUI.
Conditions:
Open Create a New Policy page.
Impact:
The message is not shown on Create Policy page
Workaround:
None.
Fix:
The message was added and is always shown next to the Allowed Response Status Codes input.
759343-5 : MacOS Edge Client installer does not follow best security practices
Component: Access Policy Manager
Symptoms:
The MacOS Edge Client installer does not follow current best security practices.
Conditions:
MacOS Edge Client installer executed by a malicious user without high privileges.
Impact:
Installation log file contents are not protected as expected.
Workaround:
Delete the installation log file.
Fix:
The issue is fixed by removing any existing installation log file before modification.
759192-2 : TMM core during display of PEM session under some specific conditions
Component: Policy Enforcement Manager
Symptoms:
TMM crashes during display of PEM session if the session has multiple IP addresses added under certain conditions.
Conditions:
-- Session has multiple IP addresses added.
-- When the session was created, addition of multiple IP addresses was not allowed.
Impact:
TMM restart. Traffic disrupted while tmm restarts.
Workaround:
Do not change the value of sys db variable tmm.pem.session.ip.addr.max while some sessions are already created.
Fix:
TMM core during display of PEM session no longer occurs.
759077-3 : MRF SIP filter queue sizes not configurable
Component: Service Provider
Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.
Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes is exceeded, the filter enables its flow control logic.
Impact:
Messages may be dropped.
Workaround:
None.
Fix:
The max-pending-messages and max-pending-bytes values in the SIP router profile will be used as the limits for the SIP filter's queues. If the configured value is less than the existing hard-coded limits (512 bytes or 65535 bytes), the hard-coded limits will be used.
758909-2 : TMM may crash while processing PEM traffic
Solution Article: K04730051
758764-3 : APMD Core when CRLDP Auth fails to download revoked certificate
Component: Access Policy Manager
Symptoms:
CRLDP Auth fails to download revoked certificates, so the list of revoked certificates remains empty (NULL). APMD cores while accessing this empty (NULL) list.
Conditions:
Empty revoked-certificate list handling.
Impact:
APMD core. No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso while apmd restarts.
Workaround:
None.
Fix:
The system now checks for an empty (NULL) revoked-certificate list and returns OK for the validation (because there is nothing to validate against).
758631-3 : ec_point_formats extension might be included in the server hello even if not specified in the client hello
Component: Local Traffic Manager
Symptoms:
RFC 5246 states that if an extension does not exist in the client hello, it must not exist in the server hello. When an EC cipher suite is selected, the server might send the ec_point_formats extension, even if none exists in the client hello.
Conditions:
-- An EC cipher suite is selected.
-- The client does not send an ec_point_formats extension.
Impact:
Some clients abort the connection in this case.
Workaround:
There is no workaround other than not configuring any EC cipher suites.
Fix:
With this change, the server does not send an unsolicited ec_point_formats extension.
758527-3 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
Component: TMOS
Symptoms:
Under certain conditions BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.
Conditions:
Tagged VLANs in use.
STP pass-through mode enabled.
Impact:
Frames not delivered as expected.
Workaround:
Disable global STP.
Fix:
Frames now delivered as expected.
758387-3 : BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it
Component: TMOS
Symptoms:
In STP 'passthru' mode, any packet sent to the BIG-IP system with a destination MAC of 01-80-c2-00-00-00 is treated as an STP bridge protocol data unit (BPDU), and is flooded to the VLAN.
Conditions:
-- The BIG-IP system is configured for STP 'passthru' mode
-- The BIG-IP system receives a packet with MAC 01-80-c2-00-00-00.
Impact:
A packet that is not an STP BPDU, but is sent to the same destination MAC address may be flooded as if it was a BPDU.
Workaround:
None.
758119-5 : qkview may contain sensitive information
Solution Article: K58243048
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048
Conditions:
For more information see: https://support.f5.com/csp/article/K58243048
Impact:
For more information see: https://support.f5.com/csp/article/K58243048
Workaround:
For more information see: https://support.f5.com/csp/article/K58243048
Fix:
For more information see: https://support.f5.com/csp/article/K58243048
758065-1 : TMM may consume excessive resources while processing FIX traffic
Component: Service Provider
Symptoms:
Under certain conditions, the TMM may consume excessive resources when processing traffic for a Virtual Server with FIX profile applied.
Conditions:
Virtual Server with FIX profile.
Impact:
Excessive resource consumption, potentially leading to a failover event.
Workaround:
None.
Fix:
TMM now processes FIX traffic as expected.
758018-4 : APD/APMD may consume excessive resources
Component: Access Policy Manager
Symptoms:
APD/APMD may consume excessive resources when processing certain requests
Conditions:
-- APM provisioned and enabled.
-- The service type is either SWG Explicit or Clientless Mode 3.
Impact:
Excessive resource consumption, potentially degrading overall throughput or leading to a failover event.
Workaround:
For Clientless Mode 3, replace with Clientless Mode 1 to work around the issue.
Fix:
APD/APMD now consumes the expected resources when processing requests
757992-2 : RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
Component: Access Policy Manager
Symptoms:
RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
Conditions:
-- Configure Floating IP with route domain.
-- Configure RADIUS accounting server with Pool Setup.
-- Configure the virtual server containing the access policy to use the RADIUS Accounting server.
-- Access the virtual server.
Impact:
-- START message is being sent through proper egress floating IP address.
-- STOP message is not sent, and the system logs the following error message:
-- err tmm1[11193]: 01490586:3: (null):Common:8a505e8c: Processing radius acct stop message failed, connection failure.
-- err tmm1[11193]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_RTE. File: ../modules/hudfilter/access/access_session.c, Function: access_session_final_callback, Line: 4439.
Workaround:
This issue is present only when the floating IP address is configured with a non-default route domain. It works fine with the default route domain. Use of default route domain is recommended.
Fix:
RADIUS Acct STOP message is now sent as expected.
757782-3 : OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default
Component: Access Policy Manager
Symptoms:
Invalid 'sub' claim in JWT access token that is generated by OAuth Authorization Server.
Conditions:
-- OAuth Authorization Server is configured to return JWT access token.
-- Subject field is configured to be a session variable other than the default '%{session.assigned.uuid}'.
Impact:
Invalid value in 'sub' claim in JWT access token. If OAuth resource server depends on the value of 'sub' claim, then that functionality does not work.
Workaround:
Add Variable assign agent after OAuth Authorization agent, and assign session.assigned.oauth.authz.token.subject with the session variable name such as the following:
session.logon.last.logonname.
Fix:
OAuth Authorization Server sends valid value in 'sub' claim in the generated JWT token when subject is configured to use a session variable.
757781-2 : Portal Access: cookie exchange may be broken sometimes
Component: Access Policy Manager
Symptoms:
Portal Access uses special HTTP request with URL '/private/fm/volatile.html' to exchange cookie data between client and BIG-IP. Sometimes the BIG-IP system might send an invalid response to such a request. As a result, no cookie data can be sent from the backend server to the client.
Conditions:
Invalid response to HTTP requests with the following URL:
/private/fm/volatile.html.
Impact:
Portal Access client cannot see cookies set by the backend server. Backend server does not send cookie data to the client.
Workaround:
None.
Fix:
Portal Access now sends correct HTTP responses with backend cookie data to the client.
757722-4 : Unknown notify message types unsupported in IKEv2
Component: TMOS
Symptoms:
IKE negotiation fails when an unrecognized notify payload type is seen in a message processed by IKEv2.
Conditions:
Receiving an IKE message that contains a notify payload whose numeric type value is unrecognized by IKEv2.
Impact:
Negotiation fails with an aborted connection, preventing tunnel creation.
Workaround:
A peer can suppress notification payloads with advisory values that get rejected by IKEv2 within the BIG-IP system.
Fix:
All unknown notify types are now logged and then ignored.
757455-3 : Excessive resource consumption when processing REST requests
Solution Article: K87920510
757441-3 : Specific sequence of packets causes Fast Open to be effectively disabled
Component: Local Traffic Manager
Symptoms:
You see this warning in the logs:
warning tmm[21063]: 01010055:4: Syncookie embryonic connection counter -1 exceeded sys threshold 64000.
Conditions:
-- TCP Fast Open and ECN are both enabled.
-- There are multiple RST segments from the receive window received in SYN_RECEIVED state.
Impact:
TCP Fast Open is disabled, as the pre_established_connections becomes very large (greater than a threshold).
Workaround:
TCP ECN option can be disabled.
Fix:
TCP Fast Open is prevented from being disabled when some conditions are met.
757027-2 : BIND Update
Solution Article: K01713115
757026-2 : BIND Update
Component: TMOS
Symptoms:
Upgrade BIND to 9.11.5-P4 per recommendation from ISC
Conditions:
GTM provisioned.
Impact:
BIND not up-to-date
Workaround:
None.
Fix:
Upgrade to BIND 9.11.5-P4
757025-2 : BIND Update
Solution Article: K00040234
757023-3 : BIND vulnerability CVE-2018-5743
Solution Article: K74009656
756877-2 : Virtual server created with Guided Configuration is not visible in Grafana
Component: Anomaly Detection Services
Symptoms:
The traffic of a virtual server created with the Guided Configuration is not visible in the Grafana monitoring tool.
Statistics of this virtual server are not included in the admdb part of qkview.
Conditions:
-- Create virtual server using Guided Configuration.
-- Use the Grafana monitoring tool to view virtual server statistics.
-- Create a qkview.
Impact:
Cannot view the virtual server using the Grafana monitoring tool. The resulting qkview contains no statistics for this virtual server. Information for debugging and troubleshooting is lacking.
Workaround:
Configure virtual server manually, without the Guided Configuration
Fix:
Virtual server created with Guided Configuration is visible in Grafana and its statistics present in qkview.
756774-5 : Aborted DNS queries to a cache may cause a TMM crash
Component: Global Traffic Manager (DNS)
Symptoms:
TMM may crash if an attempt is made to send a response to a TCP connection that has already been torn down.
Conditions:
TCP connections that are aborted before receiving a RESPONSE from a cache.
Impact:
Loss of service until TMM is restarted. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Aborted DNS queries to a cache no longer cause a TMM crash.
756538-3 : Failure to open data channel for active FTP connections mirrored across an HA pair.
Solution Article: K15759349
756402-4 : Re-transmitted IPsec packets can have garbled contents
Component: TMOS
Symptoms:
Before re-transmitting a packet, it is discovered to be garbled, mainly in the form of having physical length that no longer matches the logical length recorded inside the packet.
Conditions:
Possibly rare condition that might cause packet freeing while still in use.
Impact:
Likely tunnel outage until re-established.
Workaround:
No workaround is known at this time.
Fix:
This release adds checksums to verify IPsec packets are not altered between first creation and later re-transmission.
756311-3 : High CPU during erroneous deletion
Component: Policy Enforcement Manager
Symptoms:
The utilization of some CPU cores increases and remains high for a long time. Rebooting just one blade can cause the high CPU usage to move to another blade in the chassis.
There might be messages similar to the following in tmm logs:
-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.10.10%0-4a89723e; Instance ID mismatch ERR_OK for subscriber id 310012348494 with 10.1.10.10-0-4a8987ea.
-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.18.10%0-4a8b850c; Look up returned err ERR_OK for subscriber id 3101512411557
Conditions:
The exact conditions under which this occurs are not fully understood, but one way it can be triggered is when a single TMM is crashing on a chassis system.
Impact:
The CPU usage comes from an erroneous cleanup function, which runs on a TMM only when it is not busy, so no significant impact on traffic is expected. However, recovering may result in a cluster-wide TMM restart, if the CPU usage does not subside. Traffic disrupted while tmm restarts.
Workaround:
Delete all subscribers from the CLI.
756205-2 : TMSTAT offbox statistics are not continuous
Component: Application Visibility and Reporting
Symptoms:
When BIG-IP systems are managed by BIG-IQ, the device health statistics have gaps (missing samples).
Conditions:
BIG-IP systems managed by BIG-IQ.
Impact:
Missing data on device health, such as CPU load and memory occupancy.
Workaround:
None.
Fix:
Functionality restored - BIG-IP systems send all the data as expected.
756071-2 : MCPD crash
Component: TMOS
Symptoms:
mcpd crashes on out of memory.
Conditions:
MCPD experiences a memory leak under one of the following conditions:
- A tmsh command such as the following is run:
tmsh reset-stats ltm virtual
- The ASM or AVR module is provisioned.
In both circumstances, the 'cur_allocs' for one of MCPD's internal memory allocation types generally increases and becomes very high (e.g., millions):
tmctl -I --select cur_allocs memory_stat program=mcpd name=umem_alloc_40
Impact:
MCPD can run out of memory and crash. Traffic disrupted while mcpd restarts.
Workaround:
None.
Fix:
A memory leak that occurred in the MCPD process has been fixed.
755630-4 : MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes
Component: Service Provider
Symptoms:
The media flows get terminated after the UDP idle timeout expires on a Standby device.
Conditions:
-- High availability (HA) configuration.
-- SIP media calls on a SIP-ALG with SNAT feature enabled.
Impact:
SIP calls fail to deliver media when high availability (HA) failover occurs.
Workaround:
Partial mitigation is to set the UDP idle timeout to a higher value.
Fix:
SIP ALG media pinhole connection flags are now set properly so that the flows do not time out due to inactivity on the next-active device.
755507-2 : [App Tunnel] 'URI sanitization' error
Component: Access Policy Manager
Symptoms:
URI sanitization error with app tunnel (application tunnel). The system posts messages similar to the following:
-- APM log: warning tmm[19703]: 01490586:4: /Common/AP-AD:Common:ff776e4a: Invalid Resource Access For RESOURCENAME. RST due to URI sanitization
-- LTM log: err tmm[19703]: 01230140:3: RST sent from 10.0.0.1:80 to 10.0.0.1:228, [0x2263e2c:7382] Unrecognized resource access (RESOURCENAME)
Conditions:
Access Policy that includes a 'Logon Page' and 'Advanced Resource Assign' (full webtop and app tunnel).
Impact:
APM does not send a response after receiving a request to 'GET /vdesk/resource_app_tunnels_info.xml'.
Workaround:
None.
755475-2 : Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync
Component: Access Policy Manager
Symptoms:
After making changes to the logon page agent field and performing config sync to another device, opening the logon agent in VPE on the sync target device encounters an error. Although this problem is described for the logon page agent, it applies to any agent that is tied to a customization group.
Conditions:
1. Form a failover device group with two devices.
2. On one device, create an access policy with logon page agent. Initiate config sync to sync the policy to other devices. Verify everything is correct on target device (specifically: open VPE for the policy, Logon Page is in the policy, click on the agent, and edit box appears without issue).
3. On source device, launch VPE for the policy, click on Logon Page agent, make changes to Agent (e.g., choose 'password' type for field3). Save the change and make a config sync again.
4. Go to target device, open VPE for the policy, and click on Logon Page in the policy.
Impact:
Config is not synced properly to another device in the device group.
Workaround:
- Workaround 1:
Step1. On Standby (where the problem happens): delete the policy in question.
Step2. On Active: modify the access policy and Sync it.
* Problem with this workaround: sometimes, you cannot properly delete access policy in question on standby (as customization is corrupted, some related config deletion fails).
- Workaround 2:
Step1. On Standby (where the problem happens): try to open up access policy item using VPE. Error will show the exact location of the file that is missing, for example:
Step2. You encounter this issue.
Step3. On Standby: using VPE when you open "Logon Page" action item, you get an error like:
"An error 'customization::getMessages: Unable to get xml dom from /config/filestore/files_d/Common_d/customization_group_d/:Common:MyAccessPolicy_act_logon_page_ag_5678_4' has occured on server... Dialogue loading has failed."
Step4. On Standby: copy the exact file from active unit to standby unit, change the permission (ownership/group, permission flags) of the file so that it looks similar to active.
Fix:
The target device now receives a configuration identical to that of the source device after config sync when a user updates the logon page field in the logon agent editing dialog.
755005-2 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
Component: Application Security Manager
Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.
Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.
Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.
Workaround:
None.
Fix:
Correct templates are now used for Illegal Request Length and Illegal Query String Length violations, so the correct titles show.
754944-2 : AVR reporting UI does not follow best practices
Solution Article: K00432398
754615-1 : Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup.
Component: Service Provider
Symptoms:
tmm crashes.
Conditions:
-- SIP calls under load.
-- MRF-SIP-ALG setup.
-- Most of the calls re-use the conn flow.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
If connections reach a threshold value of 64500, the connection is dropped, drop stats are updated, and a log message is reported: Message handling threshold reached on flow.
754420-2 : Missing policy name in exported ASM request details
Component: Application Security Manager
Symptoms:
No Policy name in exported ASM Request details.
Conditions:
This is encountered when viewing the Security Events Report.
Impact:
Missing policy name in request details.
Workaround:
None.
Fix:
Policy name is now displayed in exported ASM request details.
754365-4 : Updated flags for countries that changed their flags since 2010
Component: Application Security Manager
Symptoms:
Old flags for countries that changed their flags since 2010.
Conditions:
Requests from one of the following countries:
-- Myanmar
-- Iraq
-- Libya
Impact:
Old flag is shown.
Workaround:
None.
Fix:
The three flags are now updated in ASM.
754349-3 : FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4
Component: Local Traffic Manager
Symptoms:
FTP uploads that are offloaded on both sides drop after the idle timeout period, even though data is flowing.
Conditions:
-- FTP virtual server set up with a standard profile and FastL4 offloading.
-- Attempt a file upload to the virtual server where both client and server side of the data channel are offloaded.
Impact:
Dropped connections; data loss.
Workaround:
You can do either of the following:
-- Enable Inherit Parent Profile on the FTP profile.
-- Turn off FastL4 offloading.
Fix:
-- FTP connections to virtual servers no longer drop when both sides of data channel are offloaded via FastL4.
-- The output of the following command displays the correct acceleration state: tmsh show sys conn all-properties.
754346-3 : Access policy was not found while creating configuration snapshot.
Component: Access Policy Manager
Symptoms:
APMD fails to create configuration snapshot with the following error:
-- err apmd[16675]: 01490000:3: AccessPolicyProcessor/AccessPolicyProcessor.cpp func: "dispatchEvent()" line: 1195 Msg: EXCEPTION AccessPolicyProcessor/ProfileAccess.cpp line:234 function: snapshotConfigVariables - AccessPolicy ("/Common/myPolicy") not found while creating configuration snapshot!!!!
If you attempt to modify the policy in question, the system reports a second error:
-- err apmd[16675]: 01490089:3: 00000000: Configuration change notification received for an unknown access profile: /Common/myPolicy
Conditions:
TMM restarts and a new access policy is added before TMM is fully up and running.
Impact:
Configuration snapshot is not created, and users cannot log on.
Workaround:
Recreate the access profile when TMM is stable.
754345-1 : WebUI does not follow best security practices
Solution Article: K79902360
754103-6 : iRulesLX NodeJS daemon does not follow best security practices
Solution Article: K75532331
753975-3 : TMM may crash while processing HTTP traffic with AAM
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing HTTP traffic with AAM.
Conditions:
An active virtual server with an AAM profile and RAM cache enabled.
Impact:
TMM crash leading to a failover event.
Workaround:
None.
Fix:
TMM now processes AAM traffic as expected.
753912-3 : UDP flows may not be swept
Solution Article: K44385170
Component: Local Traffic Manager
Symptoms:
Some UDP connection flows do not show in the connection table but do show up in stats. This might occur when datagram_lb mode is enabled on the UDP profile under heavy load.
Conditions:
-- UDP profile with datagram_lb mode enabled.
-- System under heavy load.
Impact:
Increased memory utilization of TMM.
Workaround:
None.
Fix:
The system now correctly manages all expired flows.
753796-6 : SNMP does not follow best security practices
Solution Article: K40443301
753776-4 : TMM may consume excessive resources when processing UDP traffic
Solution Article: K07127032
753650-1 : The BIG-IP system reports frequent kernel page allocation failures.
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:
swapper/16: page allocation failure: order:2, mode:0x104020
After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This issue is known to occur on the following VIPRION blade models:
- B2250 (A112)
- B4450 (A114)
Please note the issue is known to occur regardless of whether the system is running in vCMP mode or not, and regardless of whether the system is Active or Standby.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommended to increase this to either 64 MB (65536 KB for 2250 blades) or 128 MB (131072 KB for 4450 blades). You must do this on each blade installed in the system.
When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
Fix:
The BIG-IP system no longer experiences kernel page allocation failures.
753514-2 : Large configurations containing LTM Policies load slowly
Component: Local Traffic Manager
Symptoms:
Very slow performance when loading a configuration, for example, at system start up. During this time, the tmsh process shows high CPU usage.
Conditions:
BIG-IP 13.1.x, 14.x. Large configuration (1 MB or larger) and at least one, but more likely tens or hundreds of LTM policies defined in the configuration.
Impact:
Slow configuration loading, or in cases with very large configurations, full config load may fail after a long wait. Slowness increases with overall configuration size and number of LTM policies defined.
Workaround:
None.
Fix:
Large configurations containing LTM Policies load normally.
753446-3 : avrd process crash during shutdown if connected to BIG-IQ
Component: Application Visibility and Reporting
Symptoms:
During shutdown of BIG-IP, if it is connected to BIG-IQ then avrd might crash.
Conditions:
BIG-IP is set to shut down and configured to send statistics to BIG-IQ.
Impact:
No serious impact: the BIG-IP is already instructed to shut down, so the process crash does not cause any damage.
Workaround:
N/A
Fix:
avrd no longer crashes during shutdown.
753370-2 : RADIUS auth might not be working as configured when there is change in RADIUS auth config name.
Component: Access Policy Manager
Symptoms:
RADIUS auth might not be working as configured when there is a change in the RADIUS auth config name. You might also see an error:
err apmd[14182]: 01490108:3: /Common/:Common:cc55b9e2: RADIUS module: authentication with 'testuser@example' failed: no response from server (0).
Conditions:
In an LTM pool that uses APM AAA RADIUS to authenticate, change (modify/delete) the name of the RADIUS authentication server in the config file.
Impact:
When using the tmm.default version, MCP error messages in the tmm logs intermittently indicate that the RADIUS server cannot be found, and RADIUS authentication does not work as expected.
Workaround:
None.
752930-2 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
Component: Local Traffic Manager
Symptoms:
Virtual Servers left in unknown state. Blade keeps restarting.
Conditions:
Change default route domain (RD) of partition with wildcard Virtual Servers.
Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop.
Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.
2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:
# ssh slot2 bigstart stop
# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109
# save sys config
# clsh rm -f /var/db/mcpdb.bin
# ssh slot2 bigstart start
Note: This recovery method might have to be executed multiple times to restore a working setup.
752875-1 : tmm core while using service chaining for SSLO
Component: Access Policy Manager
Symptoms:
tmm cores when using security services (service connect agent in per-request policies) for SSLO deployment.
Conditions:
-- Service connect agent in per-request policy.
-- SSLO deployment.
Impact:
tmm cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer cores when using security services (service connect agent in per-request policies) for SSLO deployment.
752835-4 : Mitigate mcpd out of memory error with auto-sync enabled.
Solution Article: K46971044
Component: TMOS
Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it will exponentially get further behind due to extra sync data, leading to the sending mcpd running out of memory and core dumping.
Conditions:
-- Auto-sync enabled in a high availability (HA) pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.
Impact:
Mcpd crashes.
Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.
Fix:
This is not a complete fix. It is still possible for mcpd to run out of memory due to a peer not processing sync messages quickly enough. It does, however, make it more difficult for this scenario to happen, so configuration changes with auto-sync on can be sent somewhat more quickly without crashing mcpd as often.
752822-2 : SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type
Component: Service Provider
Symptoms:
SIP ALG calls that fail translation during ingress are not cleaned up by the system, which might result in memory being leaked inside the TMM processes.
Conditions:
SIP ALG calls that fail translation during ingress.
Impact:
TMM leaks memory, which can slow down performance and eventually cause TMM to run out of memory and restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now cleans up SIP ALG calls that fail translation during ingress, so this issue no longer occurs.
752782-2 : 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'
Component: Fraud Protection Services
Symptoms:
The 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.
Conditions:
FPS Provisioning and a DataSafe license.
Impact:
The menu name has changed in this release.
Workaround:
None.
Fix:
'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.
751710-3 : False positive cookie hijacking violation
Component: Application Security Manager
Symptoms:
A false positive cookie hijacking violation.
Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with a higher domain level than the one configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.
Impact:
False positive violation / blocking.
Workaround:
N/A
751009-2 : Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out
Component: TMOS
Symptoms:
After generating a Qkview or collecting a tcpdump via the BIG-IP GUI, or using the 'tmsh run util ihealth' command to do the equivalent, the /var/tmp/mcpd.out file is missing.
Conditions:
-- Generating a Qkview or collecting a tcpdump via the BIG-IP GUI.
-- Using the 'tmsh run util ihealth' command to do the equivalent operation.
Impact:
The file /var/tmp/mcpd.out is a debug file used by mcpd, primarily for collecting debug-level log information from MCPD.
Deleting the file makes it harder to collect diagnostic information from a BIG-IP system (turning on mcpd debug logging), because doing so now requires a service impact (restarting mcpd).
Additionally, this may cause challenges in managing disk space on the /shared filesystem, because mcpd keeps writing to a deleted file, which cannot be truncated.
Workaround:
Generating Qkviews by invoking the 'qkview' command directly avoids this issue.
Edit the /usr/bin/ihealth.sh script to remove the corresponding line.
From a bash shell:
1. mount -o remount,rw /usr
2. /bin/cp /usr/bin/ihealth.sh{,751009.bak}
3. sed -i '/\/bin\/rm -f \/var\/tmp\/mcpd.out/d' /usr/bin/ihealth.sh
4. mount -o remount,ro /usr
Note: This workaround does not persist across software installs/upgrades, nor does it ConfigSync or replicate across blades in a VIPRION chassis.
Fix:
The problem line has been removed from the script, so this mcpd debug file is left alone (not deleted) after running ihealth.sh. Note that the GUI version of running qkview uses ihealth.sh script.
750922-2 : BD crash when content profile used for login page has no parse parameters set
Component: Application Security Manager
Symptoms:
Bd crashes. No traffic goes through ASM.
Conditions:
-- A JSON login page is configured.
-- The content profile used for the login page does not have parse parameters set.
Impact:
No traffic goes through ASM. Bd crashes.
Workaround:
Set the parse parameters setting.
Fix:
BD no longer crashes when the content profile used for login page has no parse parameters set.
750843 : HTTP data re-ordering when receiving data while iRule parked
Component: Local Traffic Manager
Symptoms:
Under certain circumstances tmm can reorder or omit HTTP data segments when they are received while processing an iRule which is parked.
Conditions:
- HTTP iRule execution suspended, e.g., waiting for a table command to return.
- Ingress data is processed during this state.
Impact:
Data corruption or loss can occur.
Workaround:
There is no workaround other than not using iRule suspend commands in HTTP_* events.
Fix:
tmm now handles ingress data correctly when in the parked iRule state.
750793-1 : Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition
Component: Application Security Manager
Symptoms:
Removing Bot/Logging/Security Service profiles that were created in a user-defined partition fails via GUI.
Conditions:
Attempting to delete Bot/Logging/Security Service profiles that were created in a user-defined partition.
Impact:
The Bot/Logging/Security Service Profile cannot be deleted via GUI.
Workaround:
Remove Bot/Logging/Cloud Security Service profiles via TMSH.
Fix:
You can now remove Bot profiles, Logging profiles, and Cloud Security Service profiles from user-defined partition.
750689-2 : Request Log: Accept Request button available when not needed
Component: Application Security Manager
Symptoms:
There are several violations that make requests unlearnable, but the Accept Request Button is still enabled.
Conditions:
This occurs in the following scenarios:
1. Request log has requests with following violations that make requests unlearnable:
- Threat Campaign detected.
- Null character found in WebSocket text message.
- Access from disallowed User/Session/IP/Device ID.
- Failed to convert character.
2. Subviolations of HTTP protocol compliance fails violation:
- Unparsable request content.
- Null in request.
- Bad HTTP version.
3. Only the following violations are detected:
- Access from malicious IP address.
- IP address is blacklisted.
- CSRF attack detected.
- Brute Force: Maximum login attempts are exceeded.
Impact:
Accept Request button is available, but pressing it does not change the policy.
Workaround:
None.
Fix:
The Accept Request button is now disabled when there is nothing to be learned from request.
750496 : TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP
Component: Access Policy Manager
Symptoms:
TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP.
Conditions:
Create a basic SSO item.
Create a PRP that has the SSO Assign in it and select the basic SSO item.
Create a PSP that is Start->Allow.
Create a VS that uses the PRP, PSP, and a pool.
Delete the SSO item in the UI.
Run traffic through the VS.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not delete the SSO config object referenced by SSO Configuration Select agent in PRP.
Fix:
SSO Configuration Select agent should fail with error code when sso_config cannot be found (i.e. NULL).
750460-2 : Subscriber management configuration GUI
Solution Article: K61002104
750356-1 : Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted
Component: Application Security Manager
Symptoms:
In any Split View page (Request Log, Learning, etc.): All user-defined filters are removed if you delete a newly created filter without reloading the page first.
Conditions:
-- Create a new filter.
-- Remove the new filter.
Impact:
The system removes all user-defined filters.
Workaround:
Before you delete a newly created filter, reload the page.
Fix:
Filter removal now completes successfully for all scenarios.
750298-2 : iControl REST may fail while processing requests
Solution Article: K67825238
750200-2 : DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
Component: Local Traffic Manager
Symptoms:
DHCP requests from the client are sent only to the first member in the DHCP server pool.
Conditions:
- BIG-IP system configured as a DHCP Relay.
- DHCP server pool contains more than one DHCP server.
Impact:
- DHCP server load balancing is not achieved.
- If the first DHCP server in the DHCP server pool does not respond or is unreachable, the DHCP client will not be assigned an IP address.
Workaround:
None.
750187-2 : ASM REST may consume excessive resources
Solution Article: K29149494
749879-3 : Possible interruption while processing VPN traffic
Solution Article: K47527163
749774-4 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
Component: Global Traffic Manager (DNS)
Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.
Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.
Impact:
Inconsistent behavior.
Workaround:
None.
Fix:
In this release, responses are now consistent when caching is enabled.
749704-1 : GTPv2 Serving-Network field with mixed MNC digits
Component: Service Provider
Symptoms:
The iRule command 'GTP::ie get value' incorrectly decodes the Serving-Network field, putting the least significant digit of the mobile network code (MNC) value before the other two.
Conditions:
Using the iRule command 'GTP::ie get value' to retrieve the Serving-Network field from a GTP message (the iRule construction: GTP::ie get value -message $gtp_message 83).
Impact:
The operation returns results in which the least significant digit is inserted before the other two, resulting in incorrect data being returned.
Workaround:
None.
Fix:
The iRule command 'GTP::ie get -message $gtp_message 83' that retrieves the Serving-Network now returns the correctly ordered, three-digit values for mobile country codes (MCC) and mobile network codes (MNC) as a two-element list: {{<MCC> <MNC>} <optional data>}, where the first element is another list containing actual MCC and MNC values, while the second element is optional binary data which follows MCC and MNC. It is the same format as used for ULI field decoding.
Behavior Change:
The iRule command 'GTP::ie get -message $gtp_message 83' that retrieves the Serving-Network now returns the correctly ordered, three-digit values for mobile country codes (MCC) and mobile network codes (MNC) as a two-element list: {{<MCC> <MNC>} <optional data>}, where the first element is another list containing actual MCC and MNC values, while the second element is optional binary data which follows MCC and MNC. It is the same format as used for ULI field decoding.
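The mis-ordering described in 749704 follows from the packed-BCD layout of the PLMN value in the Serving Network IE, where the third MNC digit shares an octet with the third MCC digit. The following Python sketch is an added example, not F5 code or the iRule implementation; the function names and sample octets are constructed for illustration, the faulty decoder is a hypothetical one that reproduces the symptom, and the return shape mirrors the {{<MCC> <MNC>} <optional data>} list described above.

```python
"""Decode the PLMN (MCC/MNC) at the start of a GTPv2 Serving Network IE value.

Layout of the three octets, written as high nibble | low nibble:
    octet 0: MCC digit 2 | MCC digit 1
    octet 1: MNC digit 3 | MCC digit 3   (MNC digit 3 = 0xF for 2-digit MNCs)
    octet 2: MNC digit 2 | MNC digit 1
"""

FILLER = 0xF


def split_nibbles(octet):
    """Return (low, high) 4-bit halves of one octet."""
    return octet & 0x0F, octet >> 4


def to_digits(nibbles):
    """Join BCD nibbles into a digit string, rejecting non-decimal values."""
    for n in nibbles:
        if n > 9:
            raise ValueError("non-decimal BCD nibble 0x%X" % n)
    return "".join(str(n) for n in nibbles)


def decode_serving_network(value):
    """Return ((mcc, mnc), trailing_bytes) with digits in significance order."""
    if len(value) < 3:
        raise ValueError("need at least 3 octets of PLMN data")
    mcc1, mcc2 = split_nibbles(value[0])
    mcc3, mnc3 = split_nibbles(value[1])
    mnc1, mnc2 = split_nibbles(value[2])
    mnc = [mnc1, mnc2] if mnc3 == FILLER else [mnc1, mnc2, mnc3]
    return (to_digits([mcc1, mcc2, mcc3]), to_digits(mnc)), bytes(value[3:])


def decode_in_wire_order(value):
    """Hypothetical faulty decoder: reads MNC nibbles in the order they appear.

    MNC digit 3 sits in octet 1, ahead of digits 1 and 2 in octet 2, so the
    least significant digit ends up in front of the other two.
    """
    mcc1, mcc2 = split_nibbles(value[0])
    mcc3, mnc3 = split_nibbles(value[1])
    mnc1, mnc2 = split_nibbles(value[2])
    return to_digits([mcc1, mcc2, mcc3]), to_digits([mnc3, mnc1, mnc2])


def encode_plmn(mcc, mnc):
    """Pack MCC (3 digits) and MNC (2 or 3 digits) into the 3-octet layout."""
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not (mcc + mnc).isdigit():
        raise ValueError("MCC must be 3 digits and MNC 2 or 3 digits")
    m = [int(c) for c in mcc]
    n = [int(c) for c in mnc] + ([FILLER] if len(mnc) == 2 else [])
    return bytes([m[1] << 4 | m[0], n[2] << 4 | m[2], n[1] << 4 | n[0]])


# Constructed samples: a 3-digit MNC and a 2-digit MNC.
SAMPLE_3DIGIT = encode_plmn("310", "260")   # octets 13 00 62
SAMPLE_2DIGIT = encode_plmn("262", "01")    # octets 62 F2 10

if __name__ == "__main__":
    for sample in (SAMPLE_3DIGIT, SAMPLE_2DIGIT):
        print(sample.hex(), decode_serving_network(sample))
    print("wire-order MNC:", decode_in_wire_order(SAMPLE_3DIGIT)[1])
```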
749675-4 : DNS cache resolver may return a malformed truncated response with multiple OPT records
Component: Global Traffic Manager (DNS)
Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.
Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).
Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.
Workaround:
A second query will return the cached record, which will only have one OPT record.
Fix:
DNS cache resolver now returns the correct response under these conditions.
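A check for the malformed response described in 749675, as an added example that is not F5 code: it walks a raw DNS message and counts OPT pseudo-records, of which a message may carry at most one. The sample responses are constructed inline and the function names are illustrative.

```python
import struct

TYPE_OPT = 41        # OPT pseudo-RR type (EDNS0)
FLAG_TC = 0x0200     # truncation bit in the header flags word


def skip_name(msg, pos):
    """Return the offset just past the (possibly compressed) name at pos."""
    while True:
        octet = msg[pos]
        if octet & 0xC0 == 0xC0:      # compression pointer ends the name
            return pos + 2
        if octet == 0:                # root label ends the name
            return pos + 1
        pos += 1 + octet


def inspect_response(msg):
    """Return (truncated, opt_count) for a raw DNS message."""
    try:
        _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
        pos = 12
        for _ in range(qd):
            pos = skip_name(msg, pos) + 4          # QTYPE + QCLASS
        opt_count = 0
        for _ in range(an + ns + ar):
            pos = skip_name(msg, pos)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
            pos += 10 + rdlen
            if rtype == TYPE_OPT:
                opt_count += 1
    except (struct.error, IndexError):
        raise ValueError("message is shorter than its header counts claim")
    if pos > len(msg):
        raise ValueError("record data runs past the end of the message")
    return bool(flags & FLAG_TC), opt_count


def classify(msg):
    """Return 'ok' or a description of the multiple-OPT condition."""
    truncated, opt_count = inspect_response(msg)
    if opt_count > 1:
        suffix = " (TC set)" if truncated else ""
        return "malformed: %d OPT records%s" % (opt_count, suffix)
    return "ok"


def build_response(opt_count, truncated=True):
    """Constructed sample: one question, no answers, opt_count OPT records."""
    flags = 0x8000 | 0x0100 | 0x0080 | (FLAG_TC if truncated else 0)
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, opt_count)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 16, 1)
    # OPT RR: root name, type 41, class = UDP payload size, TTL 0, no RDATA.
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return header + question + opt_rr * opt_count


if __name__ == "__main__":
    for count in (1, 2):
        print(count, classify(build_response(count)))
```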
749603-2 : MRF SIP ALG: Potential to end wrong call when BYE received
Component: Service Provider
Symptoms:
When a BYE is received, the media flows for a different call might be closed in error.
Conditions:
The hash of the call-id (masked to 12 bits) matches the hash of another call's call-id.
Impact:
The media flows for both calls will be closed when one receives a BYE command. A call may be incorrectly terminated early.
Workaround:
None.
Fix:
The entire call-id is now checked before terminating media flows.
749508-2 : LDNS and DNSSEC: Various OOM conditions need to be handled properly
Component: Global Traffic Manager (DNS)
Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.
Conditions:
LDNS and DNSSEC OOM conditions.
Impact:
Various traffic-processing issues, for example, TMM panic during processing of DNSSEC activity.
Workaround:
None.
Fix:
The system contains improvements for handling OOM conditions properly.
749464-1 : Race condition while BIG-IQ updates common file
Component: Application Visibility and Reporting
Symptoms:
The file /var/config/rest/downloads/app_mapping.json is being used by two processes: BIG-IQ and avrd.
This can cause a race-condition between the two and in some rare cases can cause avrd to crash.
Conditions:
BIG-IQ updating /var/config/rest/downloads/app_mapping.json while avrd is reading it.
Impact:
avrd might read incomplete data, and can even core in some rare cases.
Workaround:
None.
Fix:
This race condition no longer occurs.
749461-1 : Race condition while modifying analytics global-settings
Component: Application Visibility and Reporting
Symptoms:
Updating the analytics global-settings might cause a core for avrd.
The avrd.log contains the following record:
AVRD_CONFIG|NOTICE... 13931|lib/avrpublisher/infrastructure/avr_mcp_msg_parser.cpp:2985| Modified Analytics Global Settings, added "0" offbox TCP addresses
Conditions:
Analytics global-settings are updated either explicitly, using a tmsh command, or implicitly, by internal process script.
Impact:
Might cause a core for avrd. After coring once, avrd is expected to start normally without any additional cores. The configuration change is expected to be applied correctly after restart is complete.
Workaround:
None.
Fix:
This represents a partial fix. See bug 764665 for an additional fix.
749414-3 : Invalid monitor rule instance identifier error
Component: Local Traffic Manager
Symptoms:
Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects.
Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is in a pool.
-- Run the following command: tmsh load /sys config
-- Loading UCS/SCF file can trigger the issue also.
-- Nodes share the same monitor instance.
-- default-node-monitor is not configured.
Impact:
-- The system might delete monitor rule instances for unrelated nodes/pool-members.
-- Pool members are incorrectly marked down.
Workaround:
You can use either of the following:
-- Failover or failback traffic to the affected device.
-- Run the following command: tmsh load sys config.
749294-3 : TMM cores when query session index is out of boundary
Component: Local Traffic Manager
Symptoms:
TMM cores when the queried session index is out of boundary. This is not a usual case. It is most likely caused by a memory corruption issue.
Conditions:
When session index equals the size of session caches.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The index boundary check now operates correctly in this situation, so tmm no longer cores.
749227-2 : MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE
Component: Service Provider
Symptoms:
Processing an INVITE message creates a temporary registration entry for an unregistered subscriber, but this registration entry is not extended if a subsequent INVITE occurs. This could cause the registration to expire during a call, thus allowing the reserved translated addresses to be provided to a different subscriber.
Conditions:
An INVITE message is received when unregistered-subscriber-callout attribute in the siprouter-alg profile
Impact:
The system adds a temporary registration entry to the registration table. The lifetime for this entry is the max-session-timeout value from the siprouter-alg profile. Subsequent INVITES will not extend the lifetime.
This could cause the registration to expire during a call, allowing the reserved translated addresses to be provided to a different subscriber.
Workaround:
None.
Fix:
Subsequent INVITEs now extend the lifetime by another max-session-timeout value.
749222-2 : dname compression offset overflow causes bad compression pointer
Component: Global Traffic Manager (DNS)
Symptoms:
DNS requests receive error response:
-- Got bad packet: bad compression pointer.
-- Got bad packet: bad label type.
Conditions:
The DNS response is large enough that dname redirects to an offset larger than 0x3fff.
Impact:
DNS response is malformed. Because the DNS record is corrupted, zone transfer fails.
Workaround:
None.
Fix:
dname compression offset overflow no longer causes bad compression pointer.
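A compression pointer is two octets whose top two bits are set, leaving 14 bits for the target offset, which is why 0x3fff is the limit named in 749222. The following added example (not F5 code; the class and function names are hypothetical and the message content is constructed) shows a name writer that refuses to record pointer targets above that limit beside one that does not, and a reader that reports the resulting error.

```python
import struct

MAX_PTR_OFFSET = 0x3FFF   # pointer = 2 octets: flag bits '11' + 14-bit offset


class NameCompressor:
    """Hypothetical DNS name writer that compresses repeated suffixes."""

    def __init__(self, enforce_limit=True):
        self.buf = bytearray()
        self.offsets = {}              # suffix (tuple of labels) -> offset
        self.enforce_limit = enforce_limit

    def pad(self, count, fill=0x80):
        """Append filler standing in for earlier message content (constructed)."""
        self.buf += bytes([fill]) * count

    def write_name(self, name):
        """Append name to the buffer and return the offset where it starts."""
        labels = [p.lower().encode("ascii") for p in name.split(".") if p]
        start = len(self.buf)
        for i, label in enumerate(labels):
            suffix = tuple(labels[i:])
            target = self.offsets.get(suffix)
            if target is not None:
                # With the limit off, a target above 0x3FFF collides with the
                # flag bits and the pointer silently refers somewhere else.
                self.buf += struct.pack("!H", (0xC000 | target) & 0xFFFF)
                return start
            here = len(self.buf)
            if here <= MAX_PTR_OFFSET or not self.enforce_limit:
                self.offsets[suffix] = here
            self.buf.append(len(label))
            self.buf += label
        self.buf.append(0)             # root label
        return start


def read_name(msg, pos):
    """Decode the name at pos, raising ValueError on a malformed encoding."""
    labels = []
    segment_start = pos        # each pointer must target an earlier offset
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        octet = msg[pos]
        kind = octet & 0xC0
        if kind == 0xC0:
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack_from("!H", msg, pos)[0] & MAX_PTR_OFFSET
            if target >= segment_start:
                raise ValueError("bad compression pointer")
            pos = segment_start = target
        elif kind == 0x00:
            if octet == 0:
                return ".".join(labels) + "."
            end = pos + 1 + octet
            if end > len(msg):
                raise ValueError("truncated label")
            labels.append(msg[pos + 1:end].decode("ascii"))
            pos = end
        else:
            raise ValueError("bad label type")


def build_message(pad_len, enforce_limit):
    """Write example.com. then www.example.com. after pad_len filler octets."""
    writer = NameCompressor(enforce_limit)
    writer.pad(pad_len)
    first = writer.write_name("example.com.")
    second = writer.write_name("www.example.com.")
    return bytes(writer.buf), first, second


def outcome(pad_len, enforce_limit):
    """Return the decoded second name, or the reader's error text."""
    msg, _first, second = build_message(pad_len, enforce_limit)
    try:
        return read_name(msg, second)
    except ValueError as exc:
        return "error: %s" % exc


if __name__ == "__main__":
    print(outcome(12, True))         # names early in the message: compressed
    print(outcome(0x4000, True))     # past the limit: written in full
    print(outcome(0x4000, False))    # past the limit, unchecked pointer
```

With the limit enforced, names that start beyond offset 0x3fff are still written, only uncompressed, so the message grows slightly but stays parseable.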
749184-3 : Added description of subviolation for the suggestions that enabled/disabled them
Component: Application Security Manager
Symptoms:
Missing description of subviolation for the suggestions that enabled/disabled them.
Conditions:
There are suggestions that enabled/disabled subviolations in the security policy.
Impact:
Cannot determine the subviolation for the suggestions that enabled/disabled them.
Workaround:
Open Description in an additional tab in Learning and Blocking settings screen.
Fix:
Added description of subviolation for the suggestions that enabled/disabled them.
749109-2 : CSRF situation on BIGIP-ASM GUI
Component: Application Security Manager
Symptoms:
A CSRF situation on the BIG-IP ASM GUI might lead to resource exhaustion on the device while the request is being run.
Conditions:
The following URL accepts a wildcard in the parameter id, making it a heavy URL:
https://BIG-IP/dms/policy/pl_negsig.php?id=*
Impact:
Once multiple requests are sent to the target GUI, it is possible to see the httpd process spiking even in core 0 (VMWare).
Workaround:
None.
Fix:
If the query string parameter has a string value, the query is not executed.
749057-2 : VMware Horizon idle timeout is ignored when connecting via APM
Component: Access Policy Manager
Symptoms:
VMware Horizon has an option to set idle timeout under "View Configuration\Global Settings\General\Client-dependent settings\For clients that support applications". When there is no keyboard or mouse activity for the given time, application sessions should be disconnected (desktop sessions remain, though).
This setting has no effect when connecting via APM.
Conditions:
VMware Horizon idle timeout setting for applications is configured and remote application is launched via APM.
Impact:
VMware Horizon idle timeout setting for applications has no effect.
Workaround:
None.
Fix:
VMware Horizon idle timeout "For clients that support applications" is now honored when connecting via APM.
748999-2 : invalid inactivity timeout suggestion for cookies
Component: Application Security Manager
Symptoms:
ASM will report "invalid inactivity timeout" suggestions to delete a cookie, even though the cookies are being sent and are valid.
Conditions:
- Inactivity timeout feature is configured in Policy Builder
- Cookie entity is configured in the policy
- Valid, non-violating traffic containing cookies is passed
Impact:
Since non-violating traffic is not sent to the policy engine, the inactivity timeout timer is never reset, which will eventually lead to suggestions to delete the inactive cookie entities. These suggestions are erroneous because valid cookies are being sent in the traffic.
Workaround:
Ignore the inactive entity suggestions for cookies.
Fix:
Inactivity learning for cookies has been deprecated; the feature no longer covers cookies.
748902-6 : Incorrect handling of memory allocations while processing DNSSEC queries
Component: Global Traffic Manager (DNS)
Symptoms:
tmm crashes.
Conditions:
-- Heavy DNS traffic using DNS security signatures.
-- Use of external HSM may aggravate the problem.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release corrects the handling of memory allocations while processing DNSSEC queries.
748848-1 : Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers
Component: Application Security Manager
Symptoms:
Multiple virtual servers are each using different cookie names for cookies 72, 74, and 76. This occurred because these cookie names are dependent on virtual server properties.
Conditions:
-- Multiple subdomains are configured to resolve to different virtual servers with different ASM policies.
-- Anti-Bot Mobile SDK attempts to connect to these virtual servers.
Impact:
Anti-Bot Mobile SDK is not able to connect to multiple virtual servers using the same cookie.
Workaround:
None.
Fix:
The relevant cookie names were changed.
The format TS00000000_7x (prefix/suffix may change according to configuration) is now used for cookies 72, 74, and 76, which results in identical cookie names for all configured virtual servers.
This will allow Anti-Bot Mobile SDK to connect to multiple virtual servers using the same cookie.
748813-2 : tmm cores under stress test on virtual server with DoS profile with admd enabled
Component: Anomaly Detection Services
Symptoms:
tmm cores.
Conditions:
-- Systems under stress testing.
-- Virtual server with DoS profile with admd enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Turn off Behavioral DOS.
Fix:
This tmm core no longer occurs under these conditions.
748502-2 : TMM may crash when processing iSession traffic
Solution Article: K72335002
748409-1 : Illegal parameter violation when json parsing a parameter on a case-insensitive policy
Component: Application Security Manager
Symptoms:
An illegal parameter violation is raised although the parameter is configured.
Conditions:
The policy is configured as case insensitive, and a parameter is configured with capital letters.
Impact:
False positive illegal parameter violation.
Workaround:
Configure violation as case sensitive.
748187-3 : 'Transaction Not Found' Error on PATCH after Transaction has been Created
Component: TMOS
Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.
Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.
Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.
Workaround:
If the transaction is not very large, configure icrd_child to run single-threaded only.
Fix:
Erroneous 'Transaction Not Found' messages no longer occur under these conditions.
748121-2 : admd livelock under CPU starvation
Component: Anomaly Detection Services
Symptoms:
Due to resource starvation, the worker thread of admd does not get CPU time for more than two minutes. At the same time, the configuration thread does get CPU time.
The admd heartbeat failure occurs at 120 seconds. The SOD daemon kills admd.
The system posts messages similar to the following:
-- notice sod[6783]: 01140041:5: Killing /usr/bin/admd pid 6732
-- warning sod[6783]: 01140029:4: high availability (HA) daemon_heartbeat ADMD.Anomaly0 fails action is restart.
-- warning sod[6783]: 01140029:4: high availability (HA) daemon_heartbeat ADMD.Publisher0 fails action is restart.
Conditions:
-- High CPU / memory utilization.
-- Very large configuration.
Note: There are no known special configuration requirements to have this occur.
Impact:
admd restarts.
Behavioral DoS does not work.
Workaround:
Reboot the BIG-IP system.
Fix:
admd livelock event no longer occurs in response to CPU starvation in very large configurations.
748043-1 : MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP
Component: Service Provider
Symptoms:
The SIP Server sends a SIP Request to the client.
The SIP Server inserts a different port, so that responses are received on a different port.
The Client sends the response on the newly requested port.
BIG-IP drops the packet.
Conditions:
The SIP Server wants the SIP Response to arrive on a different port.
Impact:
SIP Request will not receive the SIP Response
Workaround:
There is no workaround.
Fix:
BIG-IP now processes the SIP Response and sends it to the SIP Server.
747909-4 : GTPv2 MEI and Serving-Network fields decoded incorrectly
Component: Service Provider
Symptoms:
MEI and Serving-Network values obtained with the GTP::ie get iRule command contain digits swapped in pairs, with the first digit missing and a random digit added at the end.
Conditions:
Processing GTP traffic with iRules.
Impact:
It is impossible to obtain correct value of MEI and Serving-Network fields of the GTPv2 packets when processing with iRules.
Workaround:
No workaround.
Fix:
Decoding of GTPv2 MEI and Serving-Network fields corrected.
747905-2 : 'Illegal Query String Length' violation displays wrong length
Component: Application Security Manager
Symptoms:
When the system decodes a query string that exceeds the allowed query string length, the system reports an incorrect length for the 'Illegal Query String Length' violation.
Conditions:
-- 'Illegal Query String Length' violation is encountered.
-- The query string is decoded and reported.
Impact:
The system reports the decoded character count rather than bytes. For example, for a Detected Query String Length = 3391, the system posts a Detected Query String Length = 1995.
Workaround:
None.
747777-2 : Extractions are learned in manual learning mode
Component: Application Security Manager
Symptoms:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"
Conditions:
Direct cause: Policy contains parameters with dynamic type
Indirect cause: Policy Builder is configured to classify parameters as dynamic (related to bug 717525)
Impact:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"
Workaround:
- Change all dynamic parameters value types to User Input with Alpha Numeric data type
- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').
Fix:
Policy Builder does not set extractions for dynamic parameters in manual mode
747621-1 : Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used
Component: Access Policy Manager
Symptoms:
Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used, e.g. RADIUS server performs two factor authentication.
Conditions:
1. Native VMware Horizon client is used to connect via APM.
2. RADIUS authentication agent is present in Access Policy.
3. RADIUS server asks for challenge response (e.g. 2FA).
Impact:
Authentication fails. User can't get access to VMware Horizon resources.
Workaround:
None.
Fix:
Fixed an issue preventing the native VMware Horizon client from authenticating with a RADIUS challenge.
747617-3 : TMM core when processing invalid timer
Component: Local Traffic Manager
Symptoms:
TMM crashes while processing an SSLO iRule that enables the SSL filter on an aborted flow.
Conditions:
SSLO is configured and passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround
Fix:
SSL filter will no longer be enabled after connection close.
747592-3 : PHP vulnerability CVE-2018-17082
Component: TMOS
Symptoms:
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
Conditions:
Exploitation requires no authentication and can be carried out via a POST request. Because of the 'Transfer-Encoding: chunked' header, PHP echoes the body as the response.
Impact:
F5 products are not affected by this vulnerability. The actual impact of this vulnerability is a possible XSS attack.
Workaround:
No known workaround.
Fix:
The brigade seems to end up in a messed up state if something fails in shutdown, so we clean it up.
747550-2 : Error 'This Logout URL already exists!' when updating logout page via GUI
Component: Application Security Manager
Symptoms:
When you try to update the Logout Page, you get an error about the URL existence: Error 'This Logout URL already exists!'
Conditions:
1. Create any Logout page.
2. Try to update it.
Impact:
The properties of the Logout Page cannot be updated.
Workaround:
Delete the logout page and create a new one.
Fix:
This release addresses the issue, so that no error is reported when updating the Logout Page.
747187-1 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response
Component: Service Provider
Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.
Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.
Impact:
Media does not flow on pinholes for which a collision was detected and reported.
Workaround:
None
Fix:
No collision is detected or logged when multiple messages with SDP recreate the same flows in the same call.
746941-1 : avrd memory leak when BIG-IQ fails to receive stats information
Component: Application Visibility and Reporting
Symptoms:
AVRD has a memory leak when it fails to send statistical information to BIG-IQ.
Conditions:
BIG-IP is used by BIG-IQ version 6.0.0 or higher, and stats collection is enabled.
In addition, BIG-IQ has some malfunction that prevents it from receiving the statistical information that BIG-IP is sending (for example: all DCDs are down, or there is no network connection between BIG-IP and BIG-IQ).
Impact:
avrd memory usage increases over time, leading to an avrd restart when it grows too large.
Workaround:
Connectivity issues between BIG-IP and BIG-IQ should be fixed, not only to prevent this memory leak, but also for more important functionality such as the visibility and alerts features in BIG-IQ.
Fix:
Memory leak is fixed.
746922-5 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
Component: Local Traffic Manager
Symptoms:
In a situation when a routing entity belonging to the child route domain is searching for an egress point for a traffic flow, it's searching for a routing entry in the child domain first, then if nothing is found, it searches for it in the parent route domain and returns the best found routing entry.
If the best routing entry from the parent route domain is selected, then it is held by a routing entity and is used to forward a traffic flow. Later, a new route entry is added to the child route domain's routing table and this route entry might be better than the current, previously selected, routing entry. But the previously selected entry doesn't get invalidated, thus the routing entity that is holding this entry is forwarding traffic to a less-preferable egress point.
#Example:
RD0(parent) -> RD1(child)
routing table: default gw for RD0 is 0.0.0.0/0%0
pool member is 1.1.1.1/32%1
-
Pool member searches for the best egress point and finds nothing in the routing table for route domain 1, and then later finds a routing entry, but from the parent route domain - 0.0.0.0/0%0.
Later a new gw for RD1 was added - 0.0.0.0/0%1, it's preferable for the 1.1.1.1/32%1 pool member. 0.0.0.0/0%0 should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, as in this case, with - 0.0.0.0/0%1.
Conditions:
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. New routing entry for child route domain is added.
Impact:
If a new added route is preferable to an existing one in a different route domain, the new, preferable, route is not going to be used by a routing object that has previously selected a route. Thus, traffic flows through these routing objects to an unexpected/incorrect egress point. This might result in undesirable behavior:
-- The route might be unreachable, and all traffic for a specific pool member is dropped.
-- The virtual server cannot find an available SNAT address.
-- Simply, the wrong egress interface is being used.
Workaround:
Use either of these workarounds after a new route is added in the child domain.
-- Recreate a route.
Recreate a parent route domain's routes. Restart tmrouted daemon if routes are gathered via routing protocols.
-- Recreate a routing object.
- If a pool member is affected, recreate the pool member.
- If a SNAT pool list is affected, recreate it.
- And so on.
Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table.
746877-2 : Omitted check for success of memory allocation for DNSSEC resource record
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.
Conditions:
During memory stress while handling DNSSEC traffic.
Impact:
TMM panic and subsequent interruption of network traffic.
Workaround:
Keeping the workload within normal ranges reduces the probability of encounter.
Fix:
The system now checks for success of memory allocation for DNSSEC resource record, so this issue no longer occurs.
746825-2 : MRF SIP ALG with SNAT: Ephemeral listeners not created for unsubscribed outgoing calls
Component: Service Provider
Symptoms:
When a temporary registration is created for an unsubscribed user making an outgoing call, an ephemeral listener to receive incoming messages is not created.
Conditions:
-- If nonregister-subscriber-callout attribute is enabled in the siprouter-alg profile.
-- An unregistered client device places an outgoing call. At this point, a temporary registration is created. This temporary registration lives for the life of the call.
-- During the lifetime of the temporary registration, if the connection from the client is closed, it is not possible for an external device to reach the client device.
Impact:
The callee of an outgoing call initiated by an unregistered SIP device cannot end the call.
Workaround:
There is no workaround at this time.
Fix:
When a temporary registration is created, an ephemeral listener is created to receive SIP commands to be forwarded to the client device.
746823-2 : AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members
Component: Application Visibility and Reporting
Symptoms:
When AVR is set to send telemetry data to an external source (such as a connection with BIG-IQ) and there is a large number of config objects in the system, such as virtual servers and pool members, AVRD crashes constantly.
Conditions:
1. AVR is set to send telemetry data to external source (like connection with BIG-IQ).
2. Large number of config objects in the system, such as virtual servers and pool-members.
Impact:
AVRD process is crashing and telemetry data is not collected.
Workaround:
N/A
Fix:
The issue is fixed; AVR can handle any number of virtuals/pool-members when sending its telemetry.
746394-2 : With ASM CORS set to 'Disabled' it strips all CORS headers in response.
Component: Application Security Manager
Symptoms:
All access-control-* headers are removed by ASM, including Cross-Origin Resource Sharing (CORS) headers. This causes CORS-related JavaScript errors on the browser console, and blocks cross-domain requests that should be allowed.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Backend server sends CORS headers access-control-*.
Impact:
Any webapp that sends cross origin AJAX requests might not work.
Workaround:
Set up an iRule on a virtual server, for example:
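when HTTP_RESPONSE {
    # iRule variables persist for the life of the connection, so clear any
    # headers saved from an earlier response on a keep-alive connection.
    unset -nocomplain header_list
    array set header_list { }
    # Save every access-control-* header sent by the backend server.
    foreach header_name [HTTP::header names] {
        if { [string tolower $header_name] starts_with "access-control-" } {
            set header_list($header_name) [HTTP::header $header_name]
        }
    }
}
when HTTP_RESPONSE_RELEASE {
    # Re-insert any saved header that is missing when the response is released.
    foreach header_name [array names header_list] {
        if {!([HTTP::header exists $header_name])} {
            HTTP::header insert $header_name $header_list($header_name)
        }
    }
}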
Fix:
ASM no longer removes CORS headers when the feature is set to 'Disabled'. This is correct behavior.
746341 : Virtual server page is blank when SSLO is provisioned
Component: Access Policy Manager
Symptoms:
When SSLO is provisioned and you try to create a new virtual server, the virtual server page is blank.
Conditions:
SSLO is provisioned
Impact:
Cannot create a new virtual server when SSLO is provisioned.
Workaround:
N/A
Fix:
The issue has been fixed in this release.
745809-3 : The /var partition may become 100% full requiring manual intervention to clear space
Component: Advanced Firewall Manager
Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free
Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.
Conditions:
Process traffic while DoS Dashboard is open.
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition
Workaround:
This workaround is temporary in nature, and may need to be periodically performed either manually or from a script. While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.
Run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.
745802-2 : Brute Force CAPTCHA response page truncates last digit in the support id
Component: Application Security Manager
Symptoms:
Brute Force CAPTCHA response page shown to an end-user has a support id and the last digit is truncated.
Conditions:
- ASM Provisioned
- ASM policy attached to a virtual server
- ASM Brute Force Protection enabled in the asm policy
- ASM Brute Force sends captcha mitigation page when a website is under brute force attack.
Impact:
The support id presented to an end-user does not match the one shown in the ASM logs.
Workaround:
There is no workaround at this time.
Fix:
The code is fixed; the correct support id is shown in the CAPTCHA response page.
745713-3 : TMM may crash when processing HTTP/2 traffic
Solution Article: K94563344
745654-3 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
Component: Access Policy Manager
Symptoms:
When a large number of TCP connections each need a new Kerberos ticket to be fetched from the KDC, websso processes requests more slowly than they arrive. This can lead to low throughput, and the virtual server is very slow to respond to requests.
Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.
Impact:
Low throughput and slow responses from Virtual server.
Workaround:
There is no workaround at this time.
Fix:
The size of the websso worker queue has been increased so that tmm and the websso process can communicate effectively. This eliminates virtual server slowness and increases throughput.
745628-2 : MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
Component: Service Provider
Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALG with SNAT after a NOTIFY message has been processed.
Conditions:
This occurs because the NOTIFY message has the TO and FROM headers with the same value, causing the ALG to enter hairpin mode.
Impact:
Media addresses in the SDP payload are not translated.
Workaround:
There is no workaround.
Fix:
Hairpin mode is not entered when processing NOTIFY messages
745590-3 : SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added
Component: Service Provider
Symptoms:
In MRF SIP ALG, the hairpin flag is part of the translation_details structure. Because a connection/translation might be used for multiple simultaneous calls, if any call is hairpinned, subsequent calls on the same connection will not translate SDP addresses.
Conditions:
-- A connection/translation using multiple simultaneous calls
-- A call is hairpinned.
Impact:
Subsequent calls on the same connection do not translate SDP addresses.
Workaround:
None.
Fix:
SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added.
745574-2 : URL is not removed from custom category when deleted
Component: Access Policy Manager
Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.
Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.
Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.
Workaround:
"bigstart restart tmm" will resolve the issue.
Fix:
Made sure that the deletion takes effect properly and SSL traffic is no longer miscategorized after removal of the URL from the custom category.
745533-5 : NodeJS Vulnerability: CVE-2016-5325
Component: Local Traffic Manager
Symptoms:
It was found that the reason argument in ServerResponse#writeHead() was not properly validated.
Conditions:
iRules LX is running on the BIG-IP system.
Impact:
A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request.
Workaround:
N/A.
Fix:
NodeJS has been updated with the patch for CVE-2016-5325.
745514-2 : MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
Component: Service Provider
Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALG with SNAT after a SUBSCRIBE message has been processed.
Conditions:
This occurs because the SUBSCRIBE message has the TO and FROM headers with the same value, causing the ALG to enter hairpin mode.
Impact:
Media addresses in the SDP payload are not translated.
Workaround:
There is no workaround.
Fix:
Hairpin mode is not entered when processing SUBSCRIBE messages
745404-1 : MRF SIP ALG does not reparse SDP payload if replaced
Component: Service Provider
Symptoms:
When a SIP message is loaded, the SDP is parsed. If modified or replaced, the system does not reparse the modified payload.
Conditions:
This occurs internally while processing SDP in a SIP message.
Impact:
Changes to the SDP are ignored when creating media pinhole flows
Workaround:
None.
Fix:
The SDP payload is now reparsed if modified or replaced.
745387-2 : Resource-admin user roles can no longer get bash access
Component: TMOS
Symptoms:
Resource-admin users with bash access may write to system files beyond the scope of their assigned access.
Conditions:
Resource-admin users configured with bash shell access.
Impact:
Resource-admin users with bash access may write to system files causing security risks.
Workaround:
Do not assign bash access for resource-admin users.
Fix:
Resource-admin users are now restricted to tmsh access. If a resource-admin user had bash access in a prior version and upgrades to this version, that user is converted to tmsh access automatically after the upgrade process.
Behavior Change:
Resource-admin roles can no longer have bash shell access. And upon upgrade, resource-admin users with bash access will get converted to tmsh shell access.
745371-6 : AFM GUI does not follow best security practices
Solution Article: K68151373
745358-2 : ASM GUI does not follow best practices
Solution Article: K14812883
745257-2 : Linux kernel vulnerability: CVE-2018-14634
Solution Article: K20934447
745165-2 : Users without Advanced Shell Access are not allowed SFTP access
Solution Article: K38941195
745027-1 : AVR is doing extra activity of DNS data collection even when it should not
Component: Application Visibility and Reporting
Symptoms:
When collecting DNS data, AVR generates data that is used only for BIG-IQ, even if not connected to BIG-IQ.
Conditions:
DNS Statistics collection or DNS-DoS is configured.
Impact:
avrd process is taking more CPU cycles for activity that is not needed. There is no impact to functionality.
Workaround:
None.
Fix:
The system no longer performs extra computation that is not needed in this case.
744949-2 : MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix
Component: Service Provider
Symptoms:
SIP response messages have the wrong IP address in the FROM header when using NAT64.
Conditions:
If the client's IPv6 address does not match the virtual server's configured IPv6 prefix, the FROM header on a response message will have a different IP address than the request message.
Impact:
The SIP ALG with SNAT system will be unable to establish a call for the client.
Workaround:
There is no workaround at this time.
Fix:
The FROM header will now contain the client's IP address.
744937-7 : Make authenticated-denial-of-existence NSEC3 RR Types Bitmap reflect available Resource Records
Solution Article: K00724442
Component: Global Traffic Manager (DNS)
Symptoms:
At the time the BIG-IP system responds to a DNSSEC query for a record type at an owner name, it does not know which resource records the external zone holds.
If the resource record type does not exist, then as part of the response, the BIG-IP system generates an NSEC3 record (to authenticate denial of existence, along with its RRSIG) containing a types bitmap that is supposed to list the RRs available at the owner name.
With a new feature supported in BIND 9.12 (RFC 8198) called Aggressive use of Negative Cache, that negative response with the inaccurate types bitmap is cached, and can then be reused to show that some resource records do not exist when they are in fact available at the owner name.
Conditions:
A query comes in for a zone that is not hosted on the BIG-IP where the BIG-IP is only responsible for DNSSEC signing.
Impact:
Validating resolvers implementing Aggressive Use of DNSSEC-Validated Cache may respond with NODATA for an existing resource record.
Workaround:
N/A
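The types bitmap described in ID 744937, worked through as an added example (not F5 or BIND code): it encodes and decodes the Type Bit Maps field per RFC 4034 section 4.1.2 and applies the NODATA test from RFC 5155 section 8.5 that a resolver with aggressive negative caching relies on. The owner name's real RR set and the inaccurate bitmap are constructed for illustration.

```python
# RR type codes from the IANA DNS parameters registry.
RRTYPE = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16,
          "AAAA": 28, "RRSIG": 46, "NSEC": 47}


def encode_type_bitmap(type_codes):
    """Encode RR type codes as a Type Bit Maps field (RFC 4034 section 4.1.2)."""
    windows = {}
    for code in set(type_codes):
        if not 1 <= code <= 0xFFFF:
            raise ValueError(f"invalid RR type code: {code}")
        window, offset = divmod(code, 256)
        bitmap = windows.setdefault(window, bytearray(32))
        bitmap[offset // 8] |= 0x80 >> (offset % 8)  # bit 0 is the most significant bit
    out = bytearray()
    for window in sorted(windows):
        bitmap = bytes(windows[window]).rstrip(b"\x00")  # trailing zero octets are omitted
        out += bytes([window, len(bitmap)]) + bitmap
    return bytes(out)


def decode_type_bitmap(data):
    """Return the sorted RR type codes set in a Type Bit Maps field."""
    types, pos, last_window = [], 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window block header")
        window, length = data[pos], data[pos + 1]
        pos += 2
        if not 1 <= length <= 32 or window <= last_window or pos + length > len(data):
            raise ValueError("malformed window block")
        for index, octet in enumerate(data[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.append(window * 256 + index * 8 + bit)
        pos += length
        last_window = window
    return types


def can_synthesize_nodata(cached_bitmap, qtype):
    """True if a cached NSEC3 matching the owner name proves NODATA for qtype.

    RFC 5155 section 8.5: neither the QTYPE bit nor the CNAME bit may be set.
    """
    present = set(decode_type_bitmap(cached_bitmap))
    return qtype not in present and RRTYPE["CNAME"] not in present


# Constructed scenario: the externally hosted owner name really holds these types.
ACTUAL_TYPES = [RRTYPE[name] for name in ("A", "AAAA", "MX", "TXT", "RRSIG")]
ACCURATE_BITMAP = encode_type_bitmap(ACTUAL_TYPES)
# Constructed inaccurate bitmap (assumption): the signer listed only A and RRSIG.
INACCURATE_BITMAP = encode_type_bitmap([RRTYPE["A"], RRTYPE["RRSIG"]])

if __name__ == "__main__":
    for label, bitmap in (("accurate", ACCURATE_BITMAP), ("inaccurate", INACCURATE_BITMAP)):
        print(label, bitmap.hex(), "-> MX answered NODATA from cache:",
              can_synthesize_nodata(bitmap, RRTYPE["MX"]))
```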
744707-3 : Crash related to DNSSEC key rollover
Component: Global Traffic Manager (DNS)
Symptoms:
When running out of memory, a DNSSKEY rollover event might cause a tmm crash and core dump.
Conditions:
-- System has low memory or is out of memory.
-- DNSSKEY rollover event occurs.
Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
Fix:
Fixed an issue in DNSSEC Key Rollover event that could cause a crash.
744685-3 : BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension
Component: Local Traffic Manager
Symptoms:
An intermediate CA certificate should be considered invalid if the certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension. The BIG-IP system does not enforce this.
Conditions:
The SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop.
Impact:
The system might unexpectedly accept the SSL connection while the peer is using an inappropriate certificate.
Workaround:
None.
Fix:
With this fix, if the SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the SSL handshake if the peer's CA certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension.
Behavior Change:
When authenticating a peer's SSL certificate, the system requires a CA certificate to have the 'Basic Constraints' and 'CA:True' in its extension, like this:
X509v3 Basic Constraints: critical
CA:TRUE
If an SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the handshake if the peer's CA certificate does not satisfy this requirement.
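The requirement above, expressed as a check on a DER-encoded Basic Constraints extension (RFC 5280 section 4.2.1.9). This is an added example, not BIG-IP code; the function names are assumptions and the byte strings are hand-constructed Extension structures rather than extensions taken from real certificates.

```python
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER content octets of OID 2.5.29.19


def read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length
        count = first & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def der_bool(value):
    """Decode a DER BOOLEAN, which must be exactly 0x00 or 0xFF."""
    if len(value) != 1 or value[0] not in (0x00, 0xFF):
        raise ValueError("not a DER BOOLEAN")
    return value[0] == 0xFF


def parse_basic_constraints(extension_der):
    """Return (critical, is_ca, path_len) for one DER-encoded Extension."""
    tag, ext, end = read_tlv(extension_der, 0)
    if tag != 0x30 or end != len(extension_der):
        raise ValueError("Extension is not a single SEQUENCE")
    tag, oid, pos = read_tlv(ext, 0)
    if tag != 0x06 or oid != BASIC_CONSTRAINTS_OID:
        raise ValueError("not a basicConstraints extension")
    tag, value, pos = read_tlv(ext, pos)
    critical = False                      # DEFAULT FALSE when the BOOLEAN is absent
    if tag == 0x01:
        critical = der_bool(value)
        tag, value, pos = read_tlv(ext, pos)
    if tag != 0x04 or pos != len(ext):
        raise ValueError("extnValue OCTET STRING expected")
    tag, body, end = read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("BasicConstraints SEQUENCE expected")
    is_ca, path_len, pos = False, None, 0  # cA is DEFAULT FALSE
    if pos < len(body):
        tag, field, pos = read_tlv(body, pos)
        if tag == 0x01:
            is_ca = der_bool(field)
            if pos < len(body):
                tag, field, pos = read_tlv(body, pos)
        if tag == 0x02:
            path_len = int.from_bytes(field, "big")
    return critical, is_ca, path_len


def acceptable_as_ca(extension_der):
    """Apply the rule in this release note: Basic Constraints critical and CA:TRUE."""
    if extension_der is None:             # extension missing from the certificate
        return False
    try:
        critical, is_ca, _ = parse_basic_constraints(extension_der)
    except ValueError:
        return False
    return critical and is_ca


# Hand-constructed Extension encodings.
CRITICAL_CA = bytes.fromhex("300f0603551d130101ff040530030101ff")
CRITICAL_CA_PATHLEN0 = bytes.fromhex("30120603551d130101ff040830060101ff020100")
NONCRITICAL_CA = bytes.fromhex("300c0603551d13040530030101ff")
CRITICAL_NOT_CA = bytes.fromhex("300c0603551d130101ff04023000")

if __name__ == "__main__":
    for name in ("CRITICAL_CA", "CRITICAL_CA_PATHLEN0", "NONCRITICAL_CA", "CRITICAL_NOT_CA"):
        print(name, acceptable_as_ca(globals()[name]))
    print("extension absent", acceptable_as_ca(None))
```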
744595-2 : DoS-related reports might not contain some of the activity that took place
Component: Application Visibility and Reporting
Symptoms:
Occasionally, some telemetry data of DoS related activity is lost.
Conditions:
No specific condition other than using the BIG-IP system anti-DDoS feature.
Impact:
DoS related reports might not contain some of the activity that takes place.
Workaround:
None.
Fix:
The issue is fixed; all telemetry data is collected without errors.
744589-2 : Missing data for Firewall Events Statistics
Component: Application Visibility and Reporting
Symptoms:
Some of the statistical information collected for Firewall events is lost and not reported.
When this occurs, the following message appears in the avrd log:
Some rows of load_stat_firewall_events_<some number> not loaded
Conditions:
AFM is in use. No particular condition leads to this loss of statistics; it usually occurs under heavy activity.
Impact:
Statistical reports of Firewall Events are missing some of the activity that actually took place.
Workaround:
There is no workaround at this time.
Fix:
Issue with missing data was fixed.
744347-3 : Protocol Security logging profiles cause slow ASM upgrade and apply policy
Component: Application Security Manager
Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.
Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.
Impact:
ASM upgrade and apply policy are delayed.
Workaround:
There is no workaround at this time.
744331-2 : OpenSSH hardening
Component: TMOS
Symptoms:
The default OpenSSH configuration does not follow best practices for security hardening.
Conditions:
Administrative SSH access enabled.
Impact:
OpenSSH does not follow best practices.
Fix:
The default OpenSSH configuration includes best practices for security hardening.
744280-3 : Enabling or disabling a Distributed Application results in a small memory leak
Component: Global Traffic Manager (DNS)
Symptoms:
Enabling or disabling a Distributed Application results in an 8 byte memory leak.
Conditions:
Enabling or disabling a Distributed Application.
Impact:
8 bytes of memory are leaked every time a Distributed Application is enabled or disabled. If Distributed Applications are repeatedly programmatically enabled and disabled, over time, the system might eventually exhaust all available memory.
Workaround:
None.
Fix:
Enabling or disabling a Distributed Application no longer results in a memory leak.
744269-1 : dynconfd restarts if FQDN template node deleted while IP address change in progress
Component: Local Traffic Manager
Symptoms:
The dynconfd daemon may crash and restart if an FQDN template node is deleted (by user action or config sync) while ephemeral nodes are in the process of being created, and deleted as the result of new IP addresses being returned by a recent DNS query.
Conditions:
This may occur on BIG-IP version 14.0.0.3 (and BIG-IP versions 13.1.x or v12.1.x with engineering hotfixes for ID 720799, ID 721621 and ID 726319), under the following conditions:
1. A DNS query returns a different set of IP addresses for one or more FQDN names.
2. While new ephemeral node(s) are being created (for new IP addresses) and deleted (for old IP addresses), an FQDN template node is deleted (either by user action or config sync).
Impact:
The dynconfd daemon crashes and restarts.
Ephemeral nodes may not be updated in a timely manner while the dynconfd daemon is restarting.
Fix:
The dynconfd daemon does not crash and restart if an FQDN template node is deleted while ephemeral nodes are in the process of being created and deleted as the result of new IP addresses being returned by a recent DNS query.
744188-3 : First successful auth iControl REST requests will now be logged in audit and secure log files
Component: TMOS
Symptoms:
Previously, when a client made a REST request for the first time and it was successful, this action was not logged.
Only subsequent REST calls, or initial failed REST calls from a client, were logged.
Conditions:
Making a successfully authenticated initial REST request from a new client to BIG-IP.
Impact:
BIG-IP admins would not know when a new client first made a successful REST call to BIG-IP.
Workaround:
None.
Fix:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.
Here's an example of what shows in audit log:
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user bart2 - RAW: httpd(pam_audit): user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
Here's an example of what shows in secure log:
-- info httpd(pam_audit)[26561]: user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user usr2 - RAW: httpd(pam_audit): user=usr2(usr2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
Subsequent REST calls will continue to be logged normally.
Behavior Change:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.
Subsequent REST calls will continue to be logged normally.
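The new httpd(pam_audit) records make it possible to alert on the first successful iControl REST login from each client. The following is an added example, not F5 code: it parses records in the format shown above and reports each user/host pair the first time it appears, marking hosts outside an expected management subnet. The function names, the trusted subnet, and all sample lines other than the page's bart2 record are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample records. The first two reuse the audit/secure examples from
# the release note; the rest are invented for illustration. The syslog prefix
# (timestamp, hostname) is left out because the page does not show it.
SAMPLE_LINES = [
    'info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user bart2 - RAW: '
    'httpd(pam_audit): user=bart2(bart2) partition=[All] level=Guest '
    'tty=(unknown) host=10.10.10.10 attempts=1 '
    'start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".',
    # Same event as written to the secure log (no "AUDIT ... RAW:" part).
    'info httpd(pam_audit)[26561]: user=bart2(bart2) partition=[All] '
    'level=Guest tty=(unknown) host=10.10.10.10 attempts=1 '
    'start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".',
    # Constructed: a different account from an address outside the admin subnet.
    'info httpd(pam_audit)[27010]: 01070417:6: AUDIT - user svc_report - RAW: '
    'httpd(pam_audit): user=svc_report(svc_report) partition=[All] level=Guest '
    'tty=(unknown) host=192.0.2.50 attempts=1 '
    'start="Fri Oct 12 18:30:02 2018" end="Fri Oct 12 18:30:02 2018".',
    # Constructed: unrelated line that must be ignored.
    'info sshd[1201]: session opened for user root',
]

PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
USER_RE = re.compile(r'^([^()]+)\(')           # "bart2(bart2)" -> "bart2"


def parse_pam_audit(line):
    """Return the fields of one httpd(pam_audit) record, or None if not one."""
    if "httpd(pam_audit)" not in line:
        return None
    # Audit-log records repeat the payload after "RAW:"; secure-log records do not.
    payload = line.split("RAW:", 1)[-1]
    fields = {key: value.strip('"') for key, value in PAIR_RE.findall(payload)}
    if not {"user", "host", "start"} <= fields.keys():
        return None
    match = USER_RE.match(fields["user"])
    if match:
        fields["user"] = match.group(1)
    fields["start"] = datetime.strptime(fields["start"], "%a %b %d %H:%M:%S %Y")
    return fields


def first_seen_clients(lines, trusted_nets):
    """Report each (user, host) pair once, flagging hosts outside trusted_nets.

    Feeding both /var/log/audit and /var/log/secure is safe: the duplicate
    record for the same event is collapsed by the (user, host) key.
    """
    nets = [ipaddress.ip_network(net) for net in trusted_nets]
    seen = set()
    findings = []
    for line in lines:
        record = parse_pam_audit(line)
        if record is None:
            continue
        key = (record["user"], record["host"])
        if key in seen:
            continue
        seen.add(key)
        try:
            address = ipaddress.ip_address(record["host"])
            trusted = any(address in net for net in nets)
        except ValueError:
            trusted = False  # host logged as a name: treat as untrusted
        findings.append({
            "user": record["user"],
            "host": record["host"],
            "level": record.get("level", ""),
            "first_seen": record["start"],
            "trusted": trusted,
        })
    return findings


if __name__ == "__main__":
    # 10.10.10.0/24 stands in for the management subnet (assumption).
    for finding in first_seen_clients(SAMPLE_LINES, ["10.10.10.0/24"]):
        status = "expected" if finding["trusted"] else "REVIEW"
        print(f'{finding["first_seen"]:%Y-%m-%d %H:%M:%S} {status:8} '
              f'{finding["user"]}@{finding["host"]} level={finding["level"]}')
```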
744117-4 : The HTTP URI is not always parsed correctly
Solution Article: K18263026
Component: Local Traffic Manager
Symptoms:
The HTTP URI exposed by the HTTP::uri iRule command, Traffic Policies, or used by ASM is incorrect.
Conditions:
-- HTTP profile is configured.
-- The URI is inspected.
Impact:
If the URI is used for security checks, then those checks might be bypassed.
Workaround:
None.
Fix:
The HTTP URI is parsed in a more robust manner.
744035-5 : APM Client Vulnerability: CVE-2018-15332
Solution Article: K12130880
743961-2 : Signature Overrides for Content Profiles do not work after signature update
Component: Application Security Manager
Symptoms:
JSON profile signature override does not include legacy signature after Automatic Signature Update (ASU).
Conditions:
A signature override is configured on a content profile, and an ASU delivers a major update to the targeted signature.
Impact:
-- Unexpected block on a previously white-listed signature.
-- Confusing logging for why the signature was blocked (should indicate it was due to using an old signature version).
Workaround:
-- Create the signature override at higher context, e.g., the URL. Removing the URL context override again keeps it fixed.
-- Enforce new version of sig globally.
Fix:
Signature Overrides for Content Profiles now work after signature update.
743803-3 : IKEv2 potential double free of object when async request queueing fails
Component: TMOS
Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.
Conditions:
When an async IPsec crypto operation fails to queue.
Impact:
Restart of tmm. All tunnels lost must be re-established.
Workaround:
No workaround known at this time.
743437-2 : Portal Access: Issue with long 'data:' URL
Component: Access Policy Manager
Symptoms:
HTML page may contain a very long 'data:' URL. Portal Access cannot handle such URLs correctly.
Conditions:
HTML page with very long 'data:' similar to the following example:
data:image/png;base64,...
Such URLs might be several megabytes long.
Impact:
The rewrite plugin cannot process HTML pages with very long URLs and restarts. The page is not sent to the end user client; web application may not work correctly.
Workaround:
There is no workaround at this time.
Fix:
Now Portal Access handles very long 'data:' URLs correctly.
743257-2 : Fix block size insecurity init and assign
Component: Local Traffic Manager
Symptoms:
After an HA failover the block size insecurity checks were creating conditions for an infinite loop. This causes tmm to be killed by sod daemon via SIGABRT.
Conditions:
Rare; not reproducible.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
Fix:
The init and assign of block size insecurity were modified and debug checks added. A possible loop condition in ssl renegotiation was removed.
743233-1 : Default engineID may have different lengths
Component: TMOS
Symptoms:
The initial engineIDType on an unconfigured system is NETSNMP_RND. If the snmpd configuration file is read and there is no stored engine ID, then one is generated based on the current system time (and some other bits) to produce a random engineID. The randomly generated engineID changed length in release 14.0.0 of the BIG-IP to include some trailing zeros.
Conditions:
Use of unconfigured engineID on a clean install with version 14.0.0 or later. Note the engineIDType of NETSNMP_RND cannot be user configured.
Impact:
This can be confusing because the alert daemon and the snmp agent both issue traps and the alert daemon traps did not include the trailing zeros.
Workaround:
There is no workaround.
Fix:
The bug has been fixed and the trailing zeros are no longer included in the randomly generated engine ID.
743106-1 : IP-related agents in Per-Request Policy do not work correctly when APM and SWG are configured
Component: Access Policy Manager
Symptoms:
IP-related agents fail.
Conditions:
1. APM and SWG configured.
2. Any of the following IP related agents is added to the Per-Request Policy:
a. Client IP Subnet Match
b. Client Port Match
c. IP Geolocation Lookup
d. IP Reputation Lookup
e. Server IP Subnet Match
f. Server Port Match
Impact:
Agent fails to work properly and will take the fallback branch.
Workaround:
None.
Fix:
IP-related agents in Per-Request policy now work correctly when APM and SWG are configured.
743082-2 : Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members★
Component: TMOS
Symptoms:
Upgrading to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 might result in a configuration that fails to load due to a stray colon character that gets added to the configuration file.
Conditions:
-- Upgrade from pre-12.1.3 to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2.
-- GTM Pool Members.
Impact:
Configuration fails to load.
Workaround:
Remove stray colon-character from bigip_gtm.conf.
Fix:
Fixed an issue preventing configurations from loading into 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from a version before 12.1.3.
742829-2 : SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0
Component: Service Provider
Symptoms:
The BIG-IP system incorrectly handles SDP media ports. The UAC sends an SDP message body advertising that it can handle voice, text, and video. The UAS responds, advertising voice and text and indicating that video is not desired by setting the video port to '0'. The BIG-IP system does not honor the fact that the UAS does not want video, and translates video port '0' to an ephemeral port, causing the UAC to believe it must open a video channel. When the UAC sends a video connection request, the BIG-IP system sends the request to the wrong port, i.e., to the media port for text, which causes the connection to fail.
Conditions:
RTP media port defined in the SIP message is set to 0.
Impact:
Improper media channel creation.
Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.
742627-1 : SSL session mirroring may cause memory leakage if HA channel is down
Component: Local Traffic Manager
Symptoms:
If SSL session mirroring is enabled, but the HA channel is down, attempts to mirror may result in memory leakage.
Conditions:
- SSL session mirroring enabled
- HA channel is down
Impact:
Memory leakage over time resulting in eventual memory pressure leading to performance degradation and possible TMOS restart.
Workaround:
Ensuring that the HA peer is present and connected will avoid the leakage. Otherwise, no reasonable workaround exists short of disabling SSL session mirroring.
Fix:
SSL session mirroring no longer leaks memory when the HA channel is down.
742226-1 : TMSH platform_check utility does not follow best security practices
Solution Article: K11330536
742078-5 : Incoming SYNs are dropped and the connection does not time out.
Component: Local Traffic Manager
Symptoms:
There is a hard-coded limit on the number of SYNs forwarded on a FastL4 connection. This might cause a problem when a connection is reused, for example, if a connection is not correctly closed.
Conditions:
-- SYN forwarding on FastL4 connections.
-- The number of SYNs on a single connection reaches the hard-coded limit.
Impact:
If the number of SYNs on a single connection reaches this limit, subsequent incoming SYNs are dropped and the connection might not time out.
Workaround:
There is no workaround.
Fix:
The following command enables the forwarding of an unlimited number of SYNs:
tmsh modify sys db tm.dupsynenforce value disable
742037-4 : FPS live updates do not install when minor version is different
Component: Fraud Protection Services
Symptoms:
Install update file with a different minor version.
For example, install update file versioned 13.1.1 on BIG-IP version 13.1.0.
Conditions:
FPS is licensed and provisioned.
Impact:
FPS engine and signature cannot be updated.
Workaround:
N/A
Fix:
The minor version in update file is now ignored and only the major version is validated.
741993-2 : The BIG-IP system does not answer the request matching L7 policy that disabled DOSL7 when BADOS configured.
Component: Anomaly Detection Services
Symptoms:
The BIG-IP system does not answer the request matching the L7 policy that disabled DOSL7 when BADOS is configured. The connection hangs.
Conditions:
1. Create a DoS profile Behavioral & Stress-based (D)DoS Detection.
2. Create an L7 policy to disable DoS profile (even on all URLs).
3. Attach both to a virtual server.
4. Send a request to the virtual server.
Impact:
Connection hangs.
Workaround:
There is no workaround other than disabling the Behavioral & Stress-based (D)DoS Detection from the DoS profile.
Fix:
The system now correctly handles a disabled DOSL7 policy.
741951-5 : Multiple extensions in SIP NOTIFY request cause message to be dropped.
Component: Service Provider
Symptoms:
When SIP NOTIFY messages are sent with a request URI that contains multiple client extensions, the system does not forward the message as expected.
Conditions:
SIP NOTIFY messages sent with a request URI that contains multiple client extensions.
Impact:
NOTIFY message is not forwarded.
Workaround:
None.
Fix:
Improved SIP URI parser now correctly handles multiple extensions in a URI.
741919-2 : HTTP response may be dropped following a 100 continue message.
Component: Local Traffic Manager
Symptoms:
When a 100 response is quickly followed by another HTTP response (2xx/4xx), the second response might be dropped.
Conditions:
When a 100 response is quickly followed by another HTTP response (i.e., a 2xx/4xx response arrives within a few microseconds).
Impact:
The second response might be dropped, so the end user client might not receive all the HTTP responses coming from the server.
Note: This does not happen all the time, and depends on how the underlying data packets are formed and delivered to the HTTP filter.
Workaround:
You can use either of the following workarounds:
-- Use an iRule to disable the HTTP filter in the HTTP_REQUEST event.
-- Disable LRO by running the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
741858-2 : TMM may crash while processing Portal Access requests
Solution Article: K52206731
741767-1 : ASM Resource :: CPU Utilization statistics are in wrong scale
Component: Application Visibility and Reporting
Symptoms:
Security :: Reporting : ASM Resources : CPU Utilization have the wrong scale for statistics.
Conditions:
Having the 'CPU Utilization' statistics under 'ASM Resources' available.
Impact:
Wrong scale of statistics.
Workaround:
To work around this issue:
1. Edit the following file: /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
2. Remove all division by 100 on 'formula' of each entity.
3. Save the change and restart monpd (bigstart restart monpd).
Fix:
Scale is now fixed and is not pre-divided by 100.
741761-2 : admd might fail the heartbeat, resulting in a core
Component: Anomaly Detection Services
Symptoms:
When the system is under heavy I/O stress, admd might fail the heartbeat (which is required by sod, the failover daemon), so sod kills the admd daemon, resulting in a core.
Conditions:
-- System is under heavy I/O stress.
-- admd fails the heartbeat.
Impact:
The system generates an admd core file. Traffic disrupted while admd restarts.
Workaround:
None.
741599-1 : After upgrade, Client SSL profile may have extra cert-key-chain structure
Component: TMOS
Symptoms:
Extra cert-key-chain structure appears in Client SSL profile after upgrade from pre-v14.0.0 versions to v14.0.x. The extra cert-key-chain object with a 'usage CA' attribute appears even when the SSL profile is not configured for SSL forward proxy prior to upgrade.
The 'usage CA' cert-key-chain structure is expected when an SSL profile is configured for SSL forward proxy.
Conditions:
-- SSL profiles have had their 'proxy-ca-cert' and 'proxy-ca-key' attributes modified (even if simply set to the default value of 'none' explicitly).
-- The 'clientssl' built-in profile, if that profile has been modified via the GUI.
-- Upgrade from pre-v14.0.0 versions to v14.0.x.
Impact:
Extraneous 'usage CA' cert-key-chain entries added to configuration after upgrade.
Workaround:
There are two parts to this workaround: one to complete before upgrading and one after.
Before Upgrade:
Use tmsh to set the 'proxy-ca-cert' and 'proxy-ca-key' attributes values back to their default by specifying the value as 'default-value'.
After Upgrade:
Perform the following procedure for SSL profiles that are not configured for SSL forward proxy:
1. Delete the extra cert-key-chain objects by doing either a) or b):
a) Manually edit the /config/bigip.conf configuration file with a text editor, remove the 'proxy-ca-cert' and 'proxy-ca-key' attributes for those profiles, and save the config
b) Assuming no Forward Proxy is in use, run the following command, and then save the config.
tmsh modify ltm profile client-ssl all cert-key-chain delete { CA_default }
2. Reload the configuration:
tmsh load sys config
3. Check that the config loads correctly and there are no more CA objects:
tmsh list ltm profile client-ssl all cert-key-chain | grep CA_default
Fix:
The system no longer adds an extra cert-key-chain structure in Client SSL profiles after upgrade from pre-v14.0.0 versions.
741449-2 : alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
Component: Fraud Protection Services
Symptoms:
JAVASCRIPT_THRESHOLD alert should contain 2 timestamps:
1. component-validation cookie timestamp (set on cookie creation)
2. current BIG-IP timestamp
Currently, these timestamps are not available in the alert details.
Conditions:
JAVASCRIPT_THRESHOLD alert is triggered
Impact:
It is impossible to analyze the alert.
Workaround:
There is no workaround at this time.
Fix:
FPS should always include both timestamps when triggering the JAVASCRIPT_THRESHOLD alert
741423-3 : Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
Component: TMOS
Symptoms:
When provisioning ASM for the first time on a device that is already linked in a high availability (HA) config-sync configuration, any other cluster device that is on the trust domain experiences mcpd restarting on all secondary blades due to a configuration error.
The system logs messages similar to the following in /var/log/ltm:
-- notice mcpd[12369]: 010718ed:5: DATASYNC: Done initializing datasync configuration for provisioned modules [ none ].
-- err mcpd[9791]: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.
-- err mcpd[9791]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.... failed validation with error 16908342.
-- notice mcpd[12369]: 0107092a:5: Secondary slot 2 disconnected.
Conditions:
-- Cluster devices are joined in the trust for high availability (HA) or config-sync.
-- Provisioning ASM or FPS on clusters which are already joined in a trust.
-- ASM and FPS have not been provisioned on any of the devices: this is the first ASM/FPS provisioning in the trust.
Impact:
Traffic on all secondary blades is interrupted while mcpd restarts. Then, traffic is resumed.
Workaround:
Before provisioning ASM/FPS (but after setting up a trust configuration):
1. On the device on which ASM/FPS is about to be provisioned, create the datasync-global-dg device group and add all of the available devices.
For example, if there are two devices in the Trust Domain: test1.lab.com and test2.lab.com, and you plan to provision ASM/FPS for the first time on test1.lab.com, first run the following command from test1.lab.com:
tmsh create cm device-group datasync-global-dg devices add { test1.lab.com test2.lab.com }
2. Do not sync the device group.
3. Then on test1.lab.com, you can provision ASM/FPS.
Fix:
Secondary blades no longer go offline when provisioning ASM/FPS on already established high availability (HA) or config-sync configurations.
740963-1 : VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart
Component: Local Traffic Manager
Symptoms:
VIP-on-VIP traffic might cause TCP retransmit bursts, which in certain situations can cause tmm to restart.
Conditions:
- Virtual server handling TCP traffic.
- iRule using the 'virtual' command.
Impact:
Temporary memory consumption and potential for tmm to restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TCP retransmit bursts are now handled gracefully.
740719-1 : ASM CSP header parser does not honor unsafe-inline attribute within script-src directive
Component: Application Security Manager
Symptoms:
Browser reports Content-Security-Policy error when ASM modifies the 'Content-Security-Policy' (CSP) header.
Conditions:
1. ASM provisioned.
2. ASM policy attached to a virtual server.
3. CSRF or Ajax blocking page enabled within ASM policy
4. Backend server sends 'Content-Security-Policy' header with 'script-src' 'unsafe-inline' directive.
Impact:
Browser posts 'Content-Security-Policy' error and stops JavaScript execution.
Workaround:
Disable 'Content-Security-Policy' header parsing for ASM policies. To do so, follow these steps:
1. In /usr/share/ts/bin/add_del_internal, run the following command:
add csp_enabled 0
2. Restart ASM by running the following command:
bigstart restart asm
Fix:
ASM 'Content-Security-Policy' header parser no longer modifies the 'Content-Security-Policy' header when there is 'script-src' 'unsafe-inline' directive arriving from a backend server. This is correct behavior.
740490 : Configuration changes involving HTTP2 or SPDY may leak memory
Component: Local Traffic Manager
Symptoms:
If virtual servers which have HTTP2 or SPDY profiles are updated, then the TMM may leak memory.
Conditions:
-- A virtual server has a HTTP2 or SPDY profile.
-- Any configuration object attached to that virtual server changes.
Impact:
The TMM leaks memory, and may take longer to execute future configuration changes. If the configuration changes take too long, the TMM may be restarted by SOD.
Workaround:
None.
Fix:
The TMM no longer leaks memory when virtual servers that contain a HTTP2 or SPDY profile are reconfigured.
740345-2 : TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.
Component: Local Traffic Manager
Symptoms:
TMM generates core files on the device.
Conditions:
Issue is seen when connection mirroring, session mirroring and OCSP stapling are enabled.
Impact:
If a failover happens when an SSL handshake is in progress, TMM restarts and a core file is generated on the standby device. Traffic disrupted while tmm restarts.
Workaround:
None.
740277-1 : Extra policy_release (per-request policy) in policy engine causes core due to use-after-free condition
Component: Access Policy Manager
Symptoms:
In some execution paths of per-request policies, policy ref count gets unbalanced and causes a core dump and/or memory leak.
Conditions:
This is a very rarely occurring issue encountered when using per-request policies.
Impact:
Memory leak (in case of per-session policy not released). It may cause a core dump in some cases, if the per-request policy is over-released.
Workaround:
None.
Fix:
This has been addressed in two ways:
-- To prevent the core, the system now ensures that the per-request policy ref-count never goes below 1 while executing per-request policies.
-- To prevent the memory leak, the instances in which the policy was not released have been corrected.
740228-2 : TMM crash while sending a DHCP Lease Query to a DHCP server
Component: Policy Enforcement Manager
Symptoms:
TMM crashes.
Conditions:
- DHCP Lease Query is enabled on the BIG-IP system.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes while sending a DHCP Lease Query to a DHCP server.
740086-4 : AVR report ignore partitions for Admin users
Component: Application Visibility and Reporting
Symptoms:
The behavior of AVR's reporting feature changed after an upgrade.
Reports generated for specific partition include data from all partitions.
Conditions:
-- Users with Admin role.
-- AVR provisioned.
-- AVR profile configured and attached to a virtual server.
-- User with Admin role creates Scheduled Reports or uses GUI to view AVR reports.
Impact:
AVR GUI pages or Scheduled Reports defined for one partition include AVR data from other partitions.
Workaround:
One workaround is to have non-Admin users generate reports.
For non-Admin users, the partition is honored.
Fix:
AVR GUI pages or Scheduled Reports defined for one partition now show all users AVR data from only that partition.
740024-1 : Web page not load correctly if load time is enabled
Component: Application Visibility and Reporting
Symptoms:
The web page does not load correctly. The TSPD_101 cookie is not present. All headers after the f5_cspm cookie are ignored.
Conditions:
-- AVR profile is attached to a virtual server.
-- Load time is enabled.
Impact:
Resources, such as scripts and CSS, are blocked when using Bot Defense Browser Verification due to anomaly 'Resource request without browser verification cookie'.
Workaround:
There is no workaround.
Fix:
All page resources now load correctly.
739971-1 : Linux kernel vulnerability: CVE-2018-5391
Solution Article: K95343321
739970-1 : Linux kernel vulnerability: CVE-2018-5390
Solution Article: K95343321
739963-3 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
Component: Local Traffic Manager
Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.
Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.
Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.
Workaround:
To restore the state of the member, remove it and add it back to the pool.
739947-2 : TMM may crash while processing APM traffic
Solution Article: K42465020
739945-3 : JavaScript challenge on POST with 307 breaks application
Component: Application Security Manager
Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.
Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.
Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.
Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.
Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.
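The Impact paragraph above comes down to cookie path scoping: a browser replays a cookie only when the request path matches the cookie's path. The following added example (not F5 code) implements the RFC 6265 section 5.1.4 default-path and path-match rules and applies them to a 307 redirect. The URLs are constructed, and treating "the path of the challenged URL" as that URL's RFC 6265 default-path is an assumption.

```python
from urllib.parse import urljoin, urlsplit


def default_path(url):
    """RFC 6265 5.1.4 default-path: the 'directory' of the request URL."""
    path = urlsplit(url).path
    if not path.startswith("/") or path.count("/") == 1:
        return "/"
    return path[: path.rfind("/")]


def path_match(cookie_path, request_path):
    """RFC 6265 5.1.4 path-match: does a cookie with cookie_path apply here?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Prefix match only counts on a path-segment boundary.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_survives_redirect(challenged_url, location, cookie_path=None):
    """True if a cookie set while answering challenged_url is sent to the
    redirect target. cookie_path=None models a cookie scoped to the challenged
    URL's own path (assumption: its RFC 6265 default-path)."""
    if cookie_path is None:
        cookie_path = default_path(challenged_url)
    target = urljoin(challenged_url, location)   # Location may be relative
    request_path = urlsplit(target).path or "/"
    return path_match(cookie_path, request_path)


if __name__ == "__main__":
    challenged = "https://app.example/checkout/pay"   # constructed URL
    # 307 keeps the POST method and body, so the redirected request needs the
    # cookie for the payload to be reconstructed.
    for location, path in [("/orders/confirm", None),   # scoped to /checkout
                           ("/orders/confirm", "/"),    # workaround: Path=/
                           ("/checkout/done", None)]:   # same directory
        sent = cookie_survives_redirect(challenged, location, path)
        scope = path or default_path(challenged)
        print(f"Path={scope:10} redirect to {location:16} cookie sent: {sent}")
```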
739939-2 : Ping Access Agent Module leaks memory in TMM.
Component: Access Policy Manager
Symptoms:
Whenever a ping access request traverses through apm_ivs (internal virtual server) to the Ping Access Agent (e.g., Cache-Miss), a memory leak occurs.
Conditions:
Ping Access Agent request that is not served from local cache (e.g., in the Cache-Miss case).
Impact:
The slow memory leak might eventually cause TMM to restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Ping Access Agent Module no longer leaks memory in TMM.
739846-2 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
Component: Global Traffic Manager (DNS)
Symptoms:
When the big3d runs out of memory for iQuery connections, a segmentation fault might occur.
Conditions:
-- Not enough memory to create additional iQuery connections.
-- Receive a new iQuery connection.
Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.
Workaround:
None.
Fix:
The big3d process no longer gets a segmentation fault when reaching the limits of the memory footprint while trying to establish iQuery connections.
739716-1 : APM Subroutine loops without finishing
Component: Access Policy Manager
Symptoms:
Some APM subroutines never finish. In authentication use cases, the end-users will continue to see logon pages, even after submitting correct credentials. In SWG confirm-and-continue use cases, the end-users will continue to see confirm boxes, even if they had already clicked "continue".
Conditions:
APM with a subroutine. Reproducibility will vary by platform and deployment.
Impact:
Subroutines never finish. End-users are not able to access resources.
Workaround:
TMM restart does resolve the issue.
Fix:
The memory corruption issue was resolved and the subroutines now correctly finish.
739638-3 : BGP failed to connect with neighbor when pool route is used
Component: Local Traffic Manager
Symptoms:
BGP peering fails to be established.
Conditions:
- Dynamic routing enabled.
- BGP peer connect through a pool route or ECMP route.
Impact:
BGP dynamic route paths are not created.
Workaround:
Use a gateway route.
Fix:
BGP peering can be properly established through a pool route.
739635-1 : No learning when creating policy using guided configuration
Component: Application Security Manager
Symptoms:
No learning suggestions for the policy.
Conditions:
Creating a policy using WGC (guided configuration).
Impact:
Policy is not learned by the policy builder.
Workaround:
Either of the following:
- Deactivate (disconnect the policy from the virtual server) and re-activate the policy.
- Restart the policy builder, which fixes the problem:
killall -s SIGHUP pabnagd
Fix:
A policy created using WGC (guided configuration) is now initialized correctly and is learned.
739379-1 : Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error
Component: Local Traffic Manager
Symptoms:
In a situation where multiple SSL forward proxies are connected via virtual targeting, the SNI value extracted from the ClientHello and saved in the first layer of SSL forward proxy may get overwritten by the second layer of SSL forward proxy. When this happens, certificate verification fails when the first layer of SSL forward proxy attempts to validate the certificate.
Conditions:
Two SSL forward proxies connected via virtual command in iRule.
Impact:
Client traffic is randomly reset.
Workaround:
None.
Fix:
The search scope of storing parsed SNI is now local to each SSL forward proxy.
739349-2 : LRO segments might be erroneously VLAN-tagged.
Component: Local Traffic Manager
Symptoms:
Segments being processed for large receive offload (LRO) (the action the system performs to aggregate multiple incoming packets within a buffer before passing them up) might be erroneously VLAN-tagged when LRO is enabled.
Conditions:
-- TCP LRO enabled.
-- Egress VLAN untagged.
Impact:
Egress traffic might sometimes be tagged.
Workaround:
Disable TCP LRO. To enable or disable LRO functionality, you can use the following command syntax:
tmsh modify sys db tm.tcplargereceiveoffload value <enable | disable>
Fix:
The system now ensures that fragment packet flags are correctly set.
739342-1 : Learning not occurring for some policies
Component: Application Security Manager
Symptoms:
No learning suggestions for some policies
Conditions:
Exact conditions are unknown. This occurred during a specific internal automated scenario, but any manual attempts to reproduce it failed.
Impact:
Learning not occurring for several policies.
Workaround:
Restarting the policy builder fixes the problem:
killall -s SIGHUP pabnagd
Fix:
Fixed the case where the policy builder learns only for some of the policies.
739277-2 : TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode
Component: Anomaly Detection Services
Symptoms:
TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode
Conditions:
-- The virtual server is deleted during POST data.
-- BADOS configured in standard/aggressive mode.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can work around this issue using either of the following options if you plan to delete a virtual server:
-- First detach the DoS protection profile.
-- Remove BADOS configuration or change BADOS mitigation to Conservative.
Fix:
This release corrects a TMM crash that occurred when the virtual server was deleted during POST data and BADOS was in standard/aggressive mode.
739094-6 : APM Client Vulnerability: CVE-2018-5546
Solution Article: K54431371
739090-6 : BIG-IP APM client vulnerability: CVE-2018-5546
Solution Article: K54431371
739024-1 : Kerberos auth fails intermittently after upgrade from v14.0.0
Component: Access Policy Manager
Symptoms:
Kerberos auth fails and the client gets a credentials prompt (although it does not work even when entering credentials).
Conditions:
1. Configure SWG explicit or transparent proxy.
2. Configure start -> 401 negotiate -> variable assign <session.server.network.name = return "your_proxy_fqdn"> (required for Kerberos auth) -> Kerberos auth in main access policy.
3. Configure start -> SSL check -> [HTTPS | HTTP ] -> category lookup -> allow in per-request policy.
4. Send HTTP/HTTPS request from explicit or transparent client.
Impact:
Kerberos authentication fails.
Workaround:
Change the permission and ownership of the Kerberos keytab file with these commands:
chmod 640 <Kerberos keytab file>
chgrp root <Kerberos keytab file>
Fix:
The permissions and ownership of the Kerberos keytab file are now rw-r----- tomcat root, which ensures that Kerberos auth does not fail.
738985-1 : BIND vulnerability: CVE-2018-5740
Component: TMOS
Symptoms:
"deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c.
Conditions:
"deny-answer-aliases" feature is explicitly enabled
Impact:
Crash of the BIND process and loss of service while the process is restarted
Workaround:
Only servers which have explicitly enabled the "deny-answer-aliases" feature are at risk and disabling the feature prevents exploitation.
Fix:
BIND patched to correct CVE-2018-5740
738945-3 : SSL persistence does not work when there are multiple handshakes present in a single record
Component: Local Traffic Manager
Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.
Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.
Impact:
SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded on to server but then connection will stall and eventually idle timeout.
Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.
After changing or disabling persistence, the transaction succeeds and no longer hangs.
738887-4 : The snmpd daemon may leak memory when processing requests.
Component: TMOS
Symptoms:
Under certain conditions, the snmpd daemon may leak memory when processing requests.
Conditions:
This issue is known to occur on a multi-blade vCMP guest after specific maintenance operations have been carried out by an Administrator on the guest.
Impact:
Once enough memory has leaked, the system may become unstable and fail unpredictably.
Workaround:
If the snmpd daemon is consuming excessive memory, restart it with the following command:
bigstart restart snmpd
Fix:
The snmpd daemon no longer leaks memory when a multi-blade vCMP guest reaches a certain condition.
738864-2 : javascript functions in href are learned from response as new URLs
Component: Application Security Manager
Symptoms:
New URLs representing JavaScript functions are learned from responses.
Conditions:
Learn from response is turned on and URLs learning set to 'Always'
Impact:
Wrong URLs are created and added to the policy (not really interfering with enforcement but adds redundant noise to the policy)
Workaround:
Either:
- Change URL learning from 'Always' to any of the other learning options (Compact \ Selective \ Never).
- Disable learn from response
Fix:
JavaScript functions are no longer learned from responses as new URLs.
738789-1 : ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog
Component: Application Security Manager
Symptoms:
ASM blocks requests when the request payload is an XML document with a prolog line at the beginning containing encoding="us-ascii".
Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- ASM handles XML traffic with encoding="us-ascii" (use of the value encoding="us-ascii" is very uncommon, the typical value is encoding="utf-8").
Impact:
Blocked XML requests.
Workaround:
You can use either of the following workarounds:
-- Remove XML profile from a URL in the ASM policy.
-- Disable XML malformed document detection via ASM policy blocking settings.
Fix:
XML parser now supports encoding="us-ascii".
738735-1 : Tomcat Vulnerability: CVE-2018-1336
Solution Article: K73008537
738704-6 : APM client does not support untrusted SSL certificate
Component: Access Policy Manager
Symptoms:
When connecting to APM server configured with untrusted SSL certificate, the Windows Logon integration / Custom dialup entry displays a security warning and asks users for confirmation.
Conditions:
APM Virtual Server configured with untrusted SSL certificate (self-signed certificate or SSL Certificate issued by an untrusted CA).
Impact:
Custom dialup does not establish VPN Tunnel.
Workaround:
Configure APM server with a trusted SSL Certificate.
Fix:
Now with this release, any connection to the APM server configured with untrusted SSL certificate is denied. To override this default, perform the following steps:
1. In Registry Editor, locate the following registry folder:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\F5 Networks\RemoteAccess
2. Set the following registry key:
"AskAboutUntrustedSSLCert"=dword:00000001
738680-1 : Update to global list of disallowed filetypes not propagated to the policies
Component: Application Security Manager
Symptoms:
Existing policies do not get updates to the global list of disallowed filetypes.
Conditions:
A disallowed filetype is added or removed from the global list of disallowed filetypes
Impact:
Existing policies are not 'informed' of changes to the global list of disallowed filetypes.
The policies keep using the disallowed filetypes list that existed on startup (or, if the policy was created after startup, the list that existed when the policy was created).
Workaround:
Restart ASM by running the command:
restart asm
Upon restart all policies get the updated list of disallowed filetypes.
Fix:
All policies are now updated with changes to the global disallowed filetypes list.
738647-3 : Add the login detection criteria of 'status code is not X'
Component: Application Security Manager
Symptoms:
There is a criterion needed to detect successful login.
Conditions:
Attempting to detect successful login when the response code is not X (where 'X' = some code).
Impact:
Cannot configure login criteria.
Workaround:
None.
Fix:
This release adds a new criterion to the login criteria.
738614-1 : 'Internal error' appears on Goodput GUI page
Component: Application Visibility and Reporting
Symptoms:
The Statistics :: Analytics : TCP : Goodput GUI page displays 'Internal Error', and data does not display.
Conditions:
This can occur on multi-blade VIPRION systems.
Impact:
You are unable to see statistics for TCP Goodput on a multi-blade system.
Workaround:
1. Edit /etc/avr/monpd/monp_tcp_measures.cfg file:
-- In [cs_avg_conn_goodput_rcv_m] section replace existing value of merge_formula parameter with the following one:
merge_formula=IF(SUM(cs_avg_conn_goodput_rcv_m)=0,"N/A",ROUND(SUM(cs_numendings_m*cs_avg_conn_goodput_rcv_m)/SUM(cs_numendings_m),2))
-- In [cs_avg_conn_goodput_snt_m] section replace existing value of merge_formula parameter with the following one:
merge_formula=IF(SUM(cs_avg_conn_goodput_snt_m)=0,"N/A",ROUND(SUM(cs_numendings_m*cs_avg_conn_goodput_snt_m)/SUM(cs_numendings_m),2))
-- In both aforementioned sections add the following parameter:
merge_deps=cs_numendings_m
2. Restart the monpd daemon:
tmsh restart sys service monpd
Fix:
Fixed an issue with Goodput statistics on multi-blade systems.
738582-2 : Ping Access Agent Module leaks memory in TMM.
Component: Access Policy Manager
Symptoms:
While handling Ping Access Request, if the internal events passing between modules fail, it might cause a memory leak inside TMM.
Conditions:
Internal events passing between Ping Access Request processing modules fail.
Impact:
Ping Access Agent Module leaks memory in TMM.
Workaround:
None.
738523-1 : SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages
Component: Local Traffic Manager
Symptoms:
When monitoring an SMTP server that emits multi-line '250' responses to the initial 'HELO' message, the monitor fails. If monitor logging is enabled on the pool member, the system posts an error similar to the following in the monitor log:
09:50:08.580145:(_Tcl /Common/mysmtp): ERROR: failed to complete the transfer, Failed to identify domain.
Conditions:
-- Monitoring an SMTP server.
-- SMTP server is configured to return a multi-line '250' response to the initial 'HELO' message.
Impact:
The pool member is marked down even though it is actually up.
Workaround:
None.
Fix:
The system now handles multi-line '250' responses to the initial 'HELO' message.
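The multi-line reply format from RFC 5321 that this fix concerns, as an added example (not F5 monitor code): every line but the last carries the code followed by '-', and only the last carries the code followed by a space. The function names, the first-line-only check used for contrast, and the sample reply are assumptions constructed for illustration.

```python
import re

# One reply line: 3-digit code, then "-" (more lines follow) or " " (final line) and text.
REPLY_LINE = re.compile(rb"(\d{3})(?:([ -])(.*))?")

# Constructed sample: a two-line 250 reply to HELO.
MULTI_LINE_HELO = b"250-mail.example.test\r\n250 Pleased to meet you\r\n"


def parse_reply(buf):
    """Parse one complete SMTP reply from buf.

    Returns (code, text_lines, rest), or None when the final line has not
    arrived yet and the caller must read more data before deciding.
    """
    code, texts, pos = None, [], 0
    while True:
        end = buf.find(b"\r\n", pos)
        if end < 0:
            return None  # reply is incomplete, do not judge it yet
        match = REPLY_LINE.fullmatch(buf[pos:end])
        if match is None:
            raise ValueError("malformed reply line")
        pos = end + 2
        line_code = int(match.group(1))
        if code is None:
            code = line_code
        elif line_code != code:
            raise ValueError("reply code changed inside one reply")
        texts.append((match.group(3) or b"").decode("ascii", "replace"))
        if match.group(2) != b"-":
            # Code followed by a space (or nothing) marks the last line.
            return code, texts, buf[pos:]


def helo_ok_first_line_only(buf):
    """Assumed model of a failing check: accepts only '250 ' on the first line."""
    return buf.startswith(b"250 ")


def helo_ok(buf):
    """Health check that reads the whole reply before comparing the code."""
    reply = parse_reply(buf)
    return reply is not None and reply[0] == 250


if __name__ == "__main__":
    print(parse_reply(MULTI_LINE_HELO))
    print(helo_ok_first_line_only(MULTI_LINE_HELO), helo_ok(MULTI_LINE_HELO))
```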
738521-3 : i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
Component: Local Traffic Manager
Symptoms:
A trunk configured between a BIG-IP i4x00/i2x00 platform and an upstream switch may go down due to the presence of the VLAN tag.
Conditions:
LACP configured between a BIG-IP i4x00/i2x00 platform and an upstream switch.
Impact:
Trunks are brought down by upstream switch.
Workaround:
There are two workarounds:
-- Configure the trunk as 'untagged' in one of the VLANs in which it's configured.
-- Disable LACP.
Fix:
The system no longer transmits a VLAN tag for LACP PDUs, so this issue no longer occurs.
738445-3 : IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup
Component: TMOS
Symptoms:
INVALID_SPI notification does not delete the IPsec-SA with the SPI value that appears in the notify payload. This occurs because the handler of INVALID-SPI notifications performs the following incorrect actions:
-- Fetches SPI from payload as if it's a string, rather than the network byte order integer it actually is.
-- Attempts phase 2 lookup via selector ID (reqid) rather than SPI.
Either alone prevents finding the SA to delete.
Conditions:
An IKEv1 IPsec peer sends an INVALID-SPI notification to the BIG-IP system.
Impact:
The IPsec-SA with that SPI cannot be found and is not deleted.
Workaround:
From the BIG-IP command line, you can still manually delete any IPsec-SA, including the invalid SPI, using the following command:
# tmsh delete net ipsec ipsec-sa spi <spi number>
Fix:
SPI is now extracted correctly from the payload as a binary integer, and the phase 2 SA lookup is done with a proper SPI search, which also requires a match in the peer address.
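The two corrections described in this fix, as an added example (not BIG-IP or racoon code): the SPI is read from the ISAKMP Notification payload as a 4-byte network-byte-order integer, and the SA is looked up by SPI together with the peer address. The header layout and constants follow RFC 2408 and RFC 2407; the class and function names, the NUL-terminated model of the string reading, the assumption that the SPI sits in the payload's SPI field, and all addresses and SPI values are constructed for illustration.

```python
import struct
from ipaddress import ip_address

# Constants from RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI).
IPSEC_DOI = 1
PROTO_IPSEC_ESP = 3
NOTIFY_INVALID_SPI = 11
# next payload, reserved, payload length, DOI, protocol-id, SPI size, notify type
NOTIFY_HDR = struct.Struct("!BBHIBBH")


def build_invalid_spi(spi, proto=PROTO_IPSEC_ESP):
    """Build a constructed INVALID-SPI notification payload for the demo."""
    return NOTIFY_HDR.pack(0, 0, NOTIFY_HDR.size + 4, IPSEC_DOI, proto, 4,
                           NOTIFY_INVALID_SPI) + spi.to_bytes(4, "big")


def parse_notify(payload):
    """Return (protocol_id, notify_type, spi_bytes) after bounds checks."""
    if len(payload) < NOTIFY_HDR.size:
        raise ValueError("truncated notification header")
    _nxt, _rsv, length, doi, proto, spi_size, ntype = NOTIFY_HDR.unpack_from(payload)
    if doi != IPSEC_DOI:
        raise ValueError("unexpected DOI")
    if length > len(payload) or NOTIFY_HDR.size + spi_size > length:
        raise ValueError("SPI size exceeds payload length")
    return proto, ntype, payload[NOTIFY_HDR.size:NOTIFY_HDR.size + spi_size]


def spi_as_integer(spi):
    """Correct reading: a 4-byte unsigned integer in network byte order."""
    if len(spi) != 4:
        raise ValueError("IPsec SPI must be 4 bytes")
    return int.from_bytes(spi, "big")


def spi_as_c_string(spi):
    """Defective reading (assumed model): the bytes before the first NUL."""
    return spi.split(b"\x00", 1)[0]


class SaTable:
    """Phase 2 SAs keyed by (peer address, protocol, SPI), not by reqid."""

    def __init__(self):
        self._sas = {}

    def add(self, peer, proto, spi, reqid):
        # reqid is stored for reference only; it is never the lookup key.
        self._sas[(ip_address(peer), proto, spi)] = reqid

    def __len__(self):
        return len(self._sas)

    def handle_notify(self, peer, payload):
        """Delete the SA named by an INVALID-SPI notify; True if one was removed."""
        proto, ntype, spi = parse_notify(payload)
        if ntype != NOTIFY_INVALID_SPI:
            return False
        key = (ip_address(peer), proto, spi_as_integer(spi))
        return self._sas.pop(key, None) is not None


def demo():
    table = SaTable()
    # Constructed SAs: two peers that happen to use the same SPI value.
    table.add("192.0.2.10", PROTO_IPSEC_ESP, 0x00C0FFEE, reqid=1)
    table.add("192.0.2.20", PROTO_IPSEC_ESP, 0x00C0FFEE, reqid=2)
    notify = build_invalid_spi(0x00C0FFEE)
    return {
        "string_view": spi_as_c_string(notify[NOTIFY_HDR.size:]),
        "wrong_peer": table.handle_notify("198.51.100.5", notify),
        "right_peer": table.handle_notify("192.0.2.20", notify),
        "remaining": len(table),
    }


if __name__ == "__main__":
    print(demo())
```

Requiring the peer address in the key means a notification from an address that holds no SA with that SPI removes nothing, and an SPI containing a zero byte is still matched in full.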
738430-2 : APM is not able to do compliance check on iOS devices running F5 Access VPN client
Component: Access Policy Manager
Symptoms:
Compliance check against Microsoft Intune fails when an APM end user attempts a VPN connection from a managed iOS device running the F5 Access VPN client.
Conditions:
-- APM policy is configured to use Microsoft Intune for device compliance check.
-- APM end user is attempting VPN connection using the F5 Access VPN client on an iOS device.
Impact:
APM is not able to do compliance checks on the device, and VPN connection fails.
Workaround:
None.
Fix:
APM can now check iOS devices for compliance against Microsoft Intune.
738397-3 : SAML-IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
Component: Access Policy Manager
Symptoms:
For a BIG-IP system configured as IdP, in the SAML-IdP-initiated case: If the IdP has a Per-Request policy (in addition to a V1 policy), such that the Per-Request policy has a subroutine or a subroutine macro with a logon page, the system reports access failure on running the policy.
The error logged is similar to the following: '/Common/sso_access:Common:218f759e: Authorization failure: Denied request for SAML resource /Common/saml_resource_obj1&state=000fffff032db022'.
Conditions:
-- BIG-IP system configured as IdP.
-- SAML IdP initiated case in which the following is true:
+ The IdP has a Per-Request policy (in addition to a V1 policy).
+ That Per-Request policy has a subroutine or a subroutine macro with a logon page.
Impact:
Access is denied. The request URI has '&state=<per-flow-id>' appended to the SAML Resource name.
Workaround:
None.
Fix:
The system now checks for additional query parameters in the request_uri while extracting Resource name so it is not incorrectly set to 'ResourceName&state=<per-flow-id>' which causes the access failure.
738236-1 : UCS does not follow current best practices
Component: TMOS
Symptoms:
Under certain conditions,
Conditions:
Administrative access to system status data
Impact:
UCS save operations do not follow current best practices.
Workaround:
None.
Fix:
UCS save operations now follow current best practices.
738211-1 : pabnagd core when centralized learning is turned on
Component: Application Security Manager
Symptoms:
pabnagd (the process responsible for automated and manual policy building operations) restarts and generates a core file. This might result in a loss of learning progress.
Note: This is a very rarely occurring issue.
Conditions:
Centralized learning is enabled for a policy.
Impact:
If there are locally learned policies, the system might lose some number of hours of learning progress. How many hours might be lost depends on the version, as follows:
-- For 13.1.0: 24 hours (12 hours, on average).
-- For 14.0.0: 1 hour (1/2 hour, on average).
Workaround:
None.
Fix:
The pabnagd process no longer restarts/cores when centralized learning is enabled.
738119-1 : SIP routing UI does not follow best practices
Solution Article: K23566124
737910-3 : Security hardening on the following platforms
Solution Article: K18535734
737867-2 : Scheduled reports are being incorrectly displayed in different partitions
Component: Application Visibility and Reporting
Symptoms:
Scheduled analytics reports are being displayed in the list regardless of selected partition. However, you can only open reports belonging to the selected partition, even if they belong to 'Common'.
Conditions:
System configured with multiple partitions.
Impact:
It makes it difficult to modify reports from different partitions.
Workaround:
Switch to the report's partition before editing it.
Fix:
Report's partition is now indicated in the list and correct handling is performed according to standard partition rules.
737863-2 : Advanced Filters for Captured Transactions not working on Multi-Blade Platforms
Component: Application Visibility and Reporting
Symptoms:
On multi-blade systems, when you navigate to System :: Logs : Captured Transactions, click on Expand Advanced Filters, choose something, and click Update, the GUI reports a 'Could not get captured events' message.
Conditions:
-- Multi-blade systems.
-- AVR provisioned.
-- AVR HTTP Analytics Profile configured with 'Internal Traffic Capturing Logging Type' option enabled.
Impact:
The Captured Transactions filter does not work.
Workaround:
None.
Fix:
The Captured Transactions filter now works as expected.
737813-2 : BIG-IP is unable to send statistics to BIG-IQ DCD node using IPv6 address
Component: Application Visibility and Reporting
Symptoms:
When IPv6 is used for transferring data from BIG-IP systems to BIG-IQ DCD nodes, no traffic arrives at the BIG-IQ.
Conditions:
-- DCD node uses IPv6 interface for collecting data from BIG-IP systems.
-- BIG-IP is registered on BIG-IQ as 'BIG-IP device' the regular way (not necessarily via IPv6 management interface).
Impact:
No statistics from BIG-IP systems are collected.
Workaround:
Use IPv4 addresses instead.
Fix:
You can now use IPv6 addresses in BIG-IP systems, and statistics arrive at the BIG-IQ.
737758-3 : MPTCP Passthrough and VIP-on-VIP can lead to TMM core
Component: Local Traffic Manager
Symptoms:
If a FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled, TMM may produce a core upon receiving certain traffic.
Conditions:
A FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with a TCP profile attached that has MPTCP passthrough enabled, and certain traffic is received.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not using an iRule with the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled.
Fix:
If MPTCP passthrough is enabled, the system now processes incoming MPTCP connections coming from the loop device as if MPTCP is disabled.
737731-1 : iControl REST input sanitization
Solution Article: K44885536
737603-2 : Apmd leaks memory when executing per-session policy via iRule
Component: Access Policy Manager
Symptoms:
Apmd leaks memory when executing per-session policy via iRule.
Conditions:
-- APM is licensed and provisioned.
-- Per-session policy is executed via iRules or APM-based System Authentication is used.
Impact:
Apmd leaks memory.
Workaround:
None.
Fix:
Apmd no longer leaks memory when per-session policy is executed via iRules.
737574-1 : iControl REST input sanitization★
Solution Article: K20541896
737565-1 : iControl REST input sanitization
Solution Article: K20445457
737536-3 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
Component: TMOS
Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|
Attempting to redistribute default route received from OSPF process that is peering with the Internet to OSPF process 2. However, if that route is removed (e.g., an Internet link goes down), OSPF process 2 removes the associated route and the 'default-information originate' command is the ideal choice, because as long as the OSPF process 1 default route is in the routing table, the default route is redistributed into OSPF process 2. If that route is gone, OSPF process 2 immediately removes it from routing table. Enabling 'default-information originate' on OSPF process 2 does not affect the outcome, and a default route is not injected like it should be.
Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example:
OSPF router config examples:
***
OSPF 1:
!router ospf 1
ospf router-id 10.13.0.7
redistribute ospf
network 10.13.0.0/16 area 0.0.0.1
default-information originate
OSPF 2:
router ospf 1
ospf router-id 10.14.0.5
redistribute ospf
network 10.14.0.0/16 area 0.0.0.1
BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
***
-- Enabling 'default-information originate' on BIG-IP OSPF process 2 should allow OSPF process 2 to receive the advertised default route from BIG-IP OSPF process 1 if such exists.
# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
default-information originate
Impact:
A default route from OSPF process 1 is not advertised into OSPF process 2 routing table.
Workaround:
None.
Fix:
Enabling 'default-information originate' on OSPF process 2 forces OSPF process 2 to receive a default route from OSPF process 1 if such exists.
737500-1 : Apply Policy and Upgrade time degradation when there are previous enforced rules
Component: Application Security Manager
Symptoms:
When there are previously enforced rules present in the system, the time to apply changes made to a policy and the time to upgrade the configuration to a new version both suffer.
Conditions:
-- Signature Staging is enabled.
-- Updated Signature Enforcement is set to 'Retain previous rule enforcement and place updated rule in staging'.
-- Signatures are enforced on a policy.
-- A new ASM Signature Update is installed, which modifies the matching rule for some enforced signatures.
Impact:
The time to apply changes made to a policy, and the time to upgrade the configuration to a new version, suffer from an inefficiently performing query related to the existence of previously enforced rules.
Workaround:
There is no workaround at this time.
Fix:
Query indexing and performance are fixed: Apply Policy executes in the same time whether there are previously enforced rules in the system or not.
Enforcing all signatures in a set now correctly removes the previously enforced rule from the signature.
737445-1 : Use of TCP Verified Accept can disable server-side flow control
Component: Local Traffic Manager
Symptoms:
Unexpectedly high memory usage, aggressive sweeper messages, TCP memory pressure messages in logs.
Conditions:
Verified Accept is enabled in TCP profiles that are associated with virtual servers.
Impact:
Excessive memory usage.
Workaround:
There is no workaround other than disabling Verified Accept.
Fix:
Fixed server-side flow control.
737443-6 : BIG-IP APM client for Linux and macOS vulnerability CVE-2018-5546
Solution Article: K54431371
737442-3 : Error in APM Hosted Content when set to public access
Solution Article: K32840424
737441-6 : Disallow hard links to svpn log files
Solution Article: K54431371
737437-3 : IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages
Component: TMOS
Symptoms:
The BIG-IP system might fail to re-establish an IKEv1 phase 1 security association (ISAKMP-SA) when the Initiator starts the exchange using UDP port 4500. The exchange progresses to the point of NAT detection, whereupon the BIG-IP system stops using the Non-ESP marker and sends malformed ISAKMP messages.
Conditions:
All of the following must be true:
-- The BIG-IP system is an IKEv1 Responder.
-- ISAKMP phase 1 negotiation starts on UDP port 4500.
-- NAT is detected on only one side during the phase 1 exchange.
Impact:
-- Establishment of an ISAKMP-SA will fail until the peer device switches to UDP port 500.
-- The remote peer may send INVALID-SPI messages quoting SPI numbers that do not exist.
Workaround:
To help work around this issue, you can try the following:
-- Make sure the BIG-IP system is always the Initiator.
-- Bypass NAT.
-- Configure both the BIG-IP system and remote peer to use address IDs that are not the same as the IP addresses used in the ISAKMP exchange, thus causing the BIG-IP system to think there is NAT on both sides.
Fix:
The BIG-IP system now keeps the Non-ESP marker when NAT is detected.
737397-2 : User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP
Component: TMOS
Symptoms:
Unable to archive certificates or keys using GUI and iControlSOAP.
Conditions:
When the user is in Certificate Manager role.
Impact:
Unable to backup certificates or keys.
Workaround:
A user in the Certificate Manager role is still able to export the key and see its PEM string, so you can manually create an archive file by copying the PEM string into a file.
737368-2 : Fingerprint cookie large value may result in tmm core.
Component: Fraud Protection Services
Symptoms:
The JavaScript component calculates part of the fingerprint cookie value. In some rare cases, large values are generated and may result in tmm core.
Conditions:
A large value (more than 35 characters) inside the fingerprint cookie.
Impact:
Memory overrun, tmm core in some cases. Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
FPS will check the value and truncate it if it exceeds the maximum length.
737362-6 : APM Client Vulnerability: CVE-2018-5547
Solution Article: K10015187
737282-1 : bd crash.
Component: Application Security Manager
Symptoms:
bd might crash when enabling a specific internal parameter used for debugging.
Conditions:
The internal param pb_force_sampling is enabled.
Note: This internal parameter is used to debug the system and is not needed for use in production environments.
Impact:
bd crashes.
Workaround:
Do not enable pb_force_sampling. There is no need for it in normal operations.
Fix:
Fixed a possible crash scenario with an internal parameter.
737035-1 : New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup.
Component: Advanced Firewall Manager
Symptoms:
BDoS feature (AFM/DHD) needs to share learned traffic characteristics across nodes (within a cluster) and across devices (within the device group).
Previous infrastructure used by BDOS could cause spikes in disk usage due to a large number of snapshot files being saved under /config/filestore/ partition (.trash_bin_d and files_d/Common_d/l4bdos_context_d sub-directories).
Conditions:
BDOS feature is enabled on at least 1 context (either at global context or at least 1 virtual server).
Impact:
The /config partition on the BIG-IP system consistently fills up with large numbers of directories/files under /config/filestore/, eventually causing system to run out of disk space under /config partition.
Workaround:
As a workaround, manually delete files/directories filling up under /config/filestore/ partition (.trash_bin_d and files_d/Common_d/l4bdos_context_d sub-directories) to free up disk space.
Fix:
BDOS now uses a new (and improved) infrastructure for sharing data across nodes/devices (within device group/cluster setup) that does not require snapshot files to be maintained under /config/filestore/ partition.
735565-4 : BGP neighbor peer-group config element not persisting
Component: TMOS
Symptoms:
neighbor peer-group configuration element not persisting after restart
Conditions:
- dynamic routing enabled
- BGP neighbor configured with peer-group
- BIG-IP or tmrouted daemon restart
Impact:
BGP peer-group configuration elements don't persist
Workaround:
Reconfigure BGP neighbor peer-group after restart
Fix:
BGP neighbor peer-group configuration is now properly saved to the configuration, and persists after restart.
734822-2 : TMSH improvements
Solution Article: K77313277
734539-4 : The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads
Component: TMOS
Symptoms:
When an IKEv1 peer sends an INVALID-SPI payload, and the BIG-IP system cannot find the phase-two Security Association (SA) for that SPI but can find the phase-one SA involved, the racoon daemon may crash if there are additional INVALID-SPI payloads afterward.
Conditions:
-- An INVALID-SPI notification is received.
-- That phase-two SA is already gone.
-- The phase-one parent SA is still around.
-- Subsequent notification INVALID-SPI payloads involve the same phase-one SA.
Impact:
The v1 racoon daemon cores, interrupting traffic until new tunnels can be established after racoon restarts.
Workaround:
There is no workaround at this time.
Fix:
The system no longer destroys the parent phase-one SA when an INVALID-SPI notification cannot find the target phase-two SA, so this issue does not occur.
734527-3 : BGP 'capability graceful-restart' for peer-group not properly advertised when configured
Component: TMOS
Symptoms:
A BGP neighbor uses a peer-group with 'capability graceful-restart' enabled (which is the default). However, on the system, the peer-group defaults to disabled. Because there is no config statement to enable 'capability graceful-restart' after restart, it gets turned off after config load, which also turns it off for any BGP neighbor using it.
Conditions:
- Neighbor configured to use peer-group.
- Peer-group configured with capability graceful-restart, but with the default: disabled.
Impact:
Because peer-group is set to disable by default, and there is no operation to enable it after restart, 'capability graceful-restart' gets turned off after config load, and neighbors using it from peer-group get turned off as well.
Workaround:
Re-issue the commands to set peer-group 'capability graceful-restart' and 'clear ip bgp *' to reset BGP neighbors.
Fix:
The peer-group now has 'capability graceful-restart' enabled by default, so this issue no longer occurs.
Behavior Change:
In this release, peer-group has 'capability graceful-restart' enabled by default.
734446-1 : TMM crash after changing LSN pool mode from PBA to NAPT
Component: Carrier-Grade NAT
Symptoms:
TMM crashes after changing LSN pool mode from PBA to NAPT when long lived connections are killed due to the PBA block lifetime and zombie timeout expiring.
Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set and long lived connections.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.
The PBA pool can be deleted after the virtual servers are no longer using it.
Fix:
TMM no longer crashes after changing LSN pool mode from PBA to NAPT.
734228-2 : False-positive illegal-length violation can appear
Component: Application Security Manager
Symptoms:
A false-positive illegal-length violation.
Conditions:
A chunked request where the request length is more than half of the configured max-request length.
Impact:
False-positive illegal-length violation.
Workaround:
Configure a higher max request length violation.
Fix:
Fixed a false-positive request-length violation.
727467-2 : Some iSeries appliances can experience traffic disruption when the high availability (HA) peer is upgraded from 12.1.3 and earlier to 13.1.0 or later.
Component: TMOS
Symptoms:
-- CPU core 0 can be seen utilizing 100% CPU.
-- Other even cores may show a 40% increase in CPU usage.
-- Pool monitors are seen flapping in /var/log/ltm.
-- System posts the following messages:
+ In /var/log/ltm:
- err tmm4[21025]: 01340004:3: high availability (HA) Connection detected dissimilar peer: local npgs 1, remote npgs 1, local npus 8, remote npus 8, local pg 0, remote pg 0, local pu 4, remote pu 0. Connection will be aborted.
+ In /var/log/tmm:
- notice DAGLIB: Invalid table size 12
- notice DAG: Failed to consume DAG data
Conditions:
-- Active unit on a pre-12.1.3.1 release.
-- Standby peer upgraded to a 13.1.0 or later release.
-- Device is an iSeries device (i5600 or later).
Important: This issue may also affect iSeries high availability (HA) peers on the same software version if the devices do not share the same model number.
Note: Although this also occurs when upgrading to 12.1.3.8 and 13.0.x, the issue is not as severe.
Impact:
- High CPU usage.
- Traffic disruption.
Workaround:
Minimize impact on affected active devices by keeping the upgraded post-13.1.0 unit offline as long as possible before going directly to Active.
For example, on a 12.1.3 unit to be upgraded (pre-upgrade):
-- Run the following command: tmsh run sys failover offline persist
-- Run the following command: tmsh save sys config
-- Upgrade to 13.1.0.8.
-- Unit comes back up on 13.1.0.8 as 'Forced Offline' and does not communicate with the active unit running 12.1.3 at all.
-- Set up high availability (HA) group and make sure the 12.1.3 Active unit's high availability (HA) score is lower than 13.1.0.8.
-- To cause the 13.1.0.8 unit to go directly to Active and take over traffic, run the following command on the unit running 13.1.0.8:
tmsh run sys failover online
At this point, the 12.1.3 unit starts to show symptoms of this issue; however, because it is no longer processing traffic, there is no cause for concern.
Fix:
This release introduces a new bigdb variable DAG.OverrideTableSize. To prevent the issue on an upgraded post-13.1.0 unit, set DAG.OverrideTableSize to 3.
In order to return the system to typical CPU usage, you must set the db variable, and then restart tmm by running the following command:
bigstart restart tmm
(Restarting tmm is required for 13.1.1.2 and newer 13.1.1.x releases.)
Note: Because the restart is occurring on the Standby unit, no traffic is disrupted while tmm restarts.
727212-2 : Subscriber-id query using full length IPv6 address fails.
Component: Carrier-Grade NAT
Symptoms:
FW NAT / CGNAT modules query the subscriber ID using IPv6 address. If the query is done using the IPv6 mask, under some circumstances the query fails.
Conditions:
The network is using an IPv6 mask other than 128. Subscribers are created using the masked IP address as the key. If NAT module uses the complete IP address as the query key, the subscriber will not be found.
Impact:
Logs contain UNKNOWN subscriber-id.
Workaround:
There is no workaround at this time.
Fix:
Subscriber ID queries using IPv6 address are now returning the subscriber-id.
727206-5 : Memory corruption when using SSL Forward Proxy on certain platforms
Component: Local Traffic Manager
Symptoms:
When using SSL Forward proxy, memory corruption can occur, which can eventually lead to a tmm crash.
Conditions:
-- Client SSL profile on a virtual server with SSL Forward proxy enabled.
-- Using the following platforms:
- vCMP host
- 2000s / 2200s
- 5000s / 5200v
- 5050s / 5250v / 5250v-F
- 10350V-F
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes under these conditions.
727107-3 : Request Logs are not stored locally due to shmem pipe blockage
Component: Application Security Manager
Symptoms:
An unknown issue causes the communication layer between pabnagd and asmlogd to become stuck. Messages similar to the following appear in pabnagd.log:
----------------------------------------------------------------------
account |NOTICE|... src/Account.cpp:183|Skipped 36 repeated messages. Request Log protobuf subscription queue is full. Message dropped.
rqlgwriter |WARNIN|... src/RequestLogWriter.cpp:137|Skipped 599 repeated messages. No space to write in shmem.
Conditions:
Request Logs are not stored locally due to shmem pipe blockage.
Impact:
Event logs stop logging locally.
Workaround:
Restart policy builder with:
killall -s SIGHUP pabnagd
Fix:
The policy builder now detects the blockage, and restarts the connection with the request logger.
727044-3 : TMM may crash while processing compressed data
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing compressed data.
Conditions:
Compression enabled
Hardware compression disabled
Impact:
TMM crash leading to a failover event.
Workaround:
No workaround.
Fix:
TMM now correctly processes compressed traffic.
726872-1 : iApp LX directory disappears after upgrade or restoring from UCS★
Component: iApp Technology
Symptoms:
After a BIG-IP version upgrade or restoring from UCS, the iApps/Application Services/Applications LX screen displays instances of iApps LX, but their UI is not functional. This is caused by a software defect that makes the iApp LX directory disappear from /var/config/rest/iapps.
Conditions:
Initial startup after BIG-IP version upgrade or restoring from UCS.
The more iApps LX instances there are and the more configuration they use, the more likely this issue is to occur. For example, this issue occurs with 90 or more instances of f5-ddos-hybrid-defender iApp LX.
Impact:
The iAppLX code is removed from the system, which makes iAppLX UI unusable. The configuration deployed by iApp LX instances remains in effect. The iApp LX configuration data remain intact, and the UI can be completely restored after manual installation of iApp LX code.
Workaround:
To work around this issue, follow these steps:
1. Copy iAppLX code from an unaffected BIG-IP system to the BIG-IP system impacted by this defect, for example,
/var/config/rest/iapps/f5-ddos-hybrid-defender
2. Create a symlink to the UI code for UI to work, for example:
ln -sfvn /var/config/rest/iapps/f5-ddos-hybrid-defender/presentation /var/iapps/www/f5-ddos-hybrid-defender
3. Restart restjavad:
bigstart restart restjavad
4. Restart restnoded:
bigstart restart restnoded
Fix:
The iApp LX directory no longer disappears after upgrading or restoring from UCS.
726852-1 : AVR inject CSPM event when there is no analytics profile on the virtual server
Component: Application Visibility and Reporting
Symptoms:
When there is a request for page load time in the analytics profile, and changes to the configuration remove the analytics profile, AVR will continue to inject the Client Side Performance Monitoring (CSPM) cookie.
Conditions:
-- Request for page-load-time statistic.
-- The analytics profile has been removed from the virtual server.
Impact:
Page-load-time cookie is injected when it should not be.
Workaround:
Uncheck the page-load-time checkbox before removing the profile from the virtual server.
Fix:
AVR now injects the CSPM cookie only when it is needed.
726665-3 : tmm core dump due to SEGFAULT
Component: Policy Enforcement Manager
Symptoms:
tmm core dump due to SEGFAULT.
Conditions:
System under load in network. Other conditions required to recreate this are unknown, but indicate a potential memory-handling issue.
Impact:
The blade reboots resulting in failover. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The apparent memory-handling issue leading to the SEGFAULT has been corrected, so the tmm core and failover no longer occur.
726647-4 : PEM content insertion in a compressed response may truncate some data
Component: Policy Enforcement Manager
Symptoms:
HTTP compressed response with content insert action can truncate data.
Conditions:
PEM content insertion action with compressed HTTP response.
Impact:
Data might be truncated.
Workaround:
There is no workaround other than disabling compression accept-encoding attribute in the HTTP request.
Fix:
HTTP compressed response with content insert action no longer truncates data.
726616-2 : TMM crashes when a session is terminated
Component: Access Policy Manager
Symptoms:
TMM crashes when it is releasing the memory used by a session that is terminated. Either one of the following error messages might appear in the TMM log:
-- notice panic: ../kern/umem.c:4166: Assertion "valid type" failed.
-- notice panic: ../kern/page_alloc.c:705: Assertion "vmem_hashlist_remove not found" failed.
Conditions:
The memory used by a session is corrupted during the lifetime of the session. This issue happens infrequently.
Impact:
TMM restarts, causing service interruption if the BIG-IP system is not part of a high-availability setup.
Workaround:
There is no workaround at this time.
Fix:
TMM no longer crashes when removing an access session.
726487-3 : MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
Component: TMOS
Symptoms:
The MCPD daemon on secondary VIPRION or vCMP blades exits and restarts, logging errors similar to the following:
-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.
-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.
Or:
--- err mcpd[8320]: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).
--- err mcpd[8320]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).... failed validation with error 17236027.
Conditions:
This issue occurs when all of the following conditions are met:
-- VIPRION or vCMP platform with more than one blade.
-- A partition with a non-default route domain.
-- Creating a pool member in the aforementioned partition while a configuration save is taking place at the same time (either system or user initiated).
Impact:
If the system is Active, traffic will be disrupted as the secondary blades restart. The capacity of the system will be reduced until all blades are on-line again. Additionally, depending on the system configuration, the system may fail over to its peer (if one exists).
Workaround:
There is no workaround other than not to create pool members from a different client while saving configuration changes in another client. However, this does not help if the configuration save operation was system-initiated.
Fix:
MCPD on secondary blades no longer restarts if a pool member is created in a partition that uses a non-default route domain at the same time as the configuration is being saved.
726409-5 : Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
Component: TMOS
Symptoms:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
Conditions:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439
Impact:
Denial of service.
Workaround:
Do not allow login.
Fix:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439
726393-3 : DHCPRELAY6 can lead to a tmm crash
Solution Article: K36228121
726319-1 : 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses
Component: Local Traffic Manager
Symptoms:
When FQDN nodes and pool members are used in LTM pools, a message similar to the following may be logged if the DNS server returns a different set of IP address records to resolve the FQDN name:
err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.
Conditions:
This message may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name, and new ephemeral pool members are created corresponding to the new IP addresses.
This may occur intermittently depending on timing conditions.
Impact:
These log messages are cosmetic and do not indicate any impact to traffic or BIG-IP operations.
Workaround:
None.
Fix:
'The requested Pool Member ... already exists' messages are no longer logged occasionally when an FQDN pool member name resolves to different IP addresses.
726255-1 : dns_path lingering in memory with last_access 0 causing high memory usage
Component: Global Traffic Manager (DNS)
Symptoms:
dns_path not released after exceeding the inactive path ttl.
Conditions:
1. Multiple tmm's in sync group
2. Multiple dns paths per GTM needed for load balancing.
Impact:
High memory usage.
Workaround:
There is no workaround at this time.
Fix:
dns_path memory will be released after ttl.
726239-5 : interruption of traffic handling as sod daemon restarts TMM
Component: Local Traffic Manager
Symptoms:
When the receiving host in a TCP connection has set its send window to zero (stopping the flow of data), following certain unusual protocol sequences, the logic in the TMM that persists in probing the zero window may enter an endless loop.
Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.
Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This fix handles a rare TMM crash when TCP persist timer is active.
726232-3 : iRule drop/discard may crash tmm
Component: Local Traffic Manager
Symptoms:
TMM crash after an iRule attempts to drop packet.
Conditions:
Virtual server with UDP profile, and following iRule:
when LB_SELECTED {
    drop
    # discard - drop is the same as discard
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
TMM correctly handles 'drop' command in 'LB_SELECTED' event.
726090 : No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense
Component: Application Security Manager
Symptoms:
Device ID challenges are not logged in the Bot Defense Request Log (local and remote) when associating the Bot Defense logging profile to the virtual server.
Conditions:
-- Device ID is enabled on the ASM Policy.
-- DoS profile with Proactive Bot Defense is not associated with the virtual server.
Impact:
There are no logs to show the browser challenges and the requests from clients that do not support JavaScript.
Workaround:
There is no workaround at this time.
Fix:
Requests are now logged to the Bot Defense Request Log with Device ID enabled on the ASM Policy and no associated DoS profile.
725878-1 : AVR does not collect all of APM TMStats
Component: Application Visibility and Reporting
Symptoms:
AVR does not collect all of APM TMStats.
Conditions:
Using AVR to view APM stats.
Impact:
Cannot view all values.
Workaround:
None.
Fix:
This release now provides stats for the following:
-- License Stats :: show apm license
-- Session Stats (ACL Stats) :: show apm acl
-- Access Profile Stats :: show apm profile access
-- OAuth Client Stats :: show apm aaa oauth-server
-- OAuth Profile Stats :: show apm profile oauth
-- Network Access Stats :: show net tunnels ppp
Behavior Change:
This release now provides stats for the following:
-- License Stats :: show apm license
-- Session Stats (ACL Stats) :: show apm acl
-- Access Profile Stats :: show apm profile access
-- OAuth Client Stats :: show apm aaa oauth-server
-- OAuth Profile Stats :: show apm profile oauth
-- Network Access Stats :: show net tunnels ppp
725867-1 : ADFS proxy does not fetch configuration for non-floating virtual servers
Component: Access Policy Manager
Symptoms:
If the virtual address of a virtual server has a non-floating traffic group (e.g., traffic-group-local-only), ADFS proxy does not perform periodic configuration updates, including listing allowed URIs from ADFS, and thus blocks all the requests (by responding with 404).
Conditions:
-- Virtual address of virtual server has non-floating traffic group.
-- ADFS proxy feature is enabled on the virtual server.
Impact:
All the requests to ADFS are blocked.
Workaround:
Set floating traffic group for virtual address (e.g., traffic-group-1).
Fix:
ADFS proxy now fetches configuration from ADFS for non-floating virtual servers.
725815-2 : vlangroup usage may cause a excessive resource consumption
Solution Article: K72442354
725801-5 : CVE-2017-7889: Kernel Vulnerability
Solution Article: K80440915
725696-2 : A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted
Component: TMOS
Symptoms:
When OCSP Stapling is enabled on a client SSL profile, certain uncommon operations might result in a tmm timer queue getting into a loop, which results in tmm being aborted by sod and restarting.
Conditions:
-- There are SSL handshakes waiting for an OCSP response, and one of the following:
+ There is a CMP transition.
+ There are changes made to the OCSP object.
Impact:
tmm restarts. Traffic interrupted while tmm restarts.
Workaround:
There is no workaround other than disabling OCSP stapling.
Fix:
The timer issue has been corrected.
725635-1 : CVE-2018-3665: Intel Lazy FPU Vulnerability
Solution Article: K21344224
725612-2 : syslog-ng does not send any messages to the remote servers after reconfiguration
Component: TMOS
Symptoms:
Changing syslog remote server IP address (tmsh sys syslog remote-servers) requires a syslog-ng process restart to take effect. Syslog operations do not use the new remote destination address on syslog service reconfiguration.
Conditions:
1. Add a Remote Syslog server (Server A) using System :: Logs :: Configuration :: Remote Syslog.
2. Click Update (Syslog messages go out toward Server A).
3. Remove Server A from configuration.
4. Add new Server B (different IP address).
5. Click Update.
Impact:
After reconfiguring remote syslog host IP addresses, syslog messages continue to be sent to the previously configured addresses.
Workaround:
Restart the syslog service using the following command:
bigstart restart syslog-ng
Messages will now properly be sent toward Server B (the new IP address).
Fix:
Syslog operations now use the new remote destination address on syslog service reconfiguration.
724906-3 : sasp_gwm monitor leaks memory over time
Component: Local Traffic Manager
Symptoms:
The memory usage of the Server/Application State Protocol (SASP) monitor, sasp_gwm, slowly increases over time.
Conditions:
The Server/Application State Protocol (SASP) monitor is configured.
The leakage occurs during normal operation of the monitor and is not tied to any specific user or traffic action.
Impact:
sasp_gwm grows over time and eventually the system may be pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.
Workaround:
Periodic restarts of sasp_gwm processes avoid the growth affecting the system.
Fix:
The sasp_gwm monitor no longer leaks memory when processing messages.
724868-3 : dynconfd memory usage increases over time
Component: Local Traffic Manager
Symptoms:
dynconfd memory usage slowly increases over time as it processes various state-related messages.
Conditions:
No special conditions as dynconfd is a core LTM process. Large numbers of pool members combined with flapping might increase the rate of memory usage increase.
Impact:
dynconfd grows over time and eventually the system is pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.
Workaround:
Periodic restarts of dynconfd avoid the growth affecting the system.
Fix:
dynconfd no longer leaks memory when processing messages.
724680-5 : OpenSSL Vulnerability: CVE-2018-0732
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K21665601
Conditions:
For more information see: https://support.f5.com/csp/article/K21665601
Impact:
For more information see: https://support.f5.com/csp/article/K21665601
Workaround:
None.
Fix:
For more information see: https://support.f5.com/csp/article/K21665601
724414-1 : ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled
Component: Application Security Manager
Symptoms:
When ASM inspects WebSocket frames, the bd daemon memory is leaking; eventually ASM stops inspecting traffic and sends resets or bypass requests.
Conditions:
-- ASM module is provisioned.
-- ASM policy and WebSocket profile are attached to a virtual server.
-- WebSocket URL has JSON profile attached to it.
-- JSON profile has parse parameters flag enabled (this is the default).
Impact:
ASM may reset connections; failover might occur.
Workaround:
There are two workarounds:
-- Remove JSON profile from WebSocket URL in the ASM policy.
-- Disable parse parameters flag in the JSON profile.
Fix:
The system now frees the allocated memory when it finishes inspecting a WebSocket frame.
724341-1 : Import of Access Profile with Machine Cert Checker and default CA Profile is failing
Component: Access Policy Manager
Symptoms:
Export and then reimport of an Access Profile with a Machine Cert Checker agent configured with the default CA Profile fails with the following error:
The requested profile_certificateauthority (Common/certificateauthority) was not found. Unexpected Error: Loading configuration process failed.
Conditions:
Any Profile/Policy with Machine cert and default settings
Impact:
Low: affecting only import/export.
Workaround:
Use non-default CA Profile at the export time.
Fix:
Export and import of Profile with default CA Profile works properly.
724214-4 : TMM core when using Multipath TCP
Component: Local Traffic Manager
Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic interrupted while TMM restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
724213-2 : Modified ssl_profile monitor param not synced correctly
Solution Article: K74431483
Component: Local Traffic Manager
Symptoms:
After modifying the ssl_profile attribute on an HTTPS monitor on a device in a high availability (HA) configuration, and after performing a full ConfigSync, the corresponding monitor on the peer-sync unit does not have the updated value.
Conditions:
-- An HTTPS monitor is used on BIG-IP systems in a high availability (HA) configuration.
-- The ssl_profile field is modified on an HTTPS monitor.
-- A sync-to-peer (full ConfigSync, not incremental sync) is attempted to propagate the modified ssl_profile value to the peer units.
Impact:
The ssl_profile value for the HTTPS monitor on the peer unit is set to none, resulting in the two devices reporting themselves as in-sync, but having potentially different HTTPS monitor configurations.
Workaround:
-- Do not run HTTPS monitors using in-tmm monitors.
-- Use the traditional HTTPS monitor configuration for SSL-attributes (cipherlist, key, cert, and compatibility attributes on HTTPS monitor).
Note: Using these attributes generates deprecation warnings, but the configuration still takes effect.
Fix:
After modifying the ssl_profile attribute on an HTTPS monitor on a system within a high availability (HA) configuration, and after performing a full ConfigSync, the corresponding monitor on the peer unit now receives the updated monitor attribute, as expected.
724143-2 : IKEv2 connflow expiration upon ike-peer change
Component: TMOS
Symptoms:
Altering the definition of an ike-peer does not expire the connflow used for the tunnel, so it remains in use for the tunnel.
Conditions:
-- Making any change to an IKEv2 ike-peer, even insignificant changes such as a description change.
-- Running a system version that has the new attribute auth-rule inside ike-peer.
Note: This is not likely to occur in older system versions where no ike-peer state exists inside a connflow, because any ike-peer changes do replace the associated objects. In those cases, even though the same connflow is used, the system uses new algorithms for the ike-peer.
Impact:
In effect, you cannot change the configuration of the flow by changing the peer definition.
Workaround:
There is no workaround at this time.
Fix:
Changes in ike-peer now expire any existing connflow for that ike-peer. This affects only a system version that has the new attribute auth-rule inside ike-peer.
724032-2 : Searching Request Log for value containing backslash does not return expected result
Component: Application Security Manager
Symptoms:
Searching within Request Log for a value containing backslash does not return the expected result. This happens because escaping of backslashes in REST API access is handled differently with 'eq' and 'contains' filters.
Conditions:
Searching within Request Log for a value containing backslash.
Impact:
Search within Request Log record containing backslash does not return the expected result.
Workaround:
Backslashes in REST API requests should be doubled when searching using 'contains' filter, but must not be doubled when searching with 'eq' filter.
Fix:
Searching within Request Log for a value containing backslash returns the expected result.
723792-1 : GTM regex handling of some escape characters renders it invalid
Component: Global Traffic Manager (DNS)
Symptoms:
The memory footprint of big3d increases.
Conditions:
GTM monitor recv string such as the following: ^http\/\d\.\d[23]\d\d
Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory. The monitor marks the server it is monitoring UP as long as the server returns any response.
Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}
Fix:
Fixed handling of escape characters. Recv strings that previously failed to compile will now compile.
723790-2 : Idle asm_config_server handlers consumes a lot of memory
Component: Application Security Manager
Symptoms:
Idle asm_config_server handlers needlessly use a large amount of memory.
Conditions:
This issue might result from several sets of conditions. Here is one:
Exporting a big XML ASM policy and then leaving the BIG-IP system idle. Relevant asm_config_server handler process increases its memory consumption and stays that way, holding on to the memory until it is released with a restart.
Impact:
Unnecessary memory consumption.
Workaround:
1) Lower the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server:
---------------
# perl -pi.bak -e 's/MaxMemorySize=471859200/MaxMemorySize=262144000/' /etc/ts/tools/asm_config_server.cfg
---------------
2) Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
Notes:
-- The provided workaround does not permanently fix the issue. Instead it alleviates the symptoms of memory pressure, by (1) lowering the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server, and (2) freeing up all the memory that is currently taken by all asm_config_server processes.
-- This workaround does not cause any down time; the asm_config_server processes automatically start within ~30 seconds.
723722-1 : MCPD crashes if several thousand files are created between config syncs.
Component: TMOS
Symptoms:
If more than several thousand (typically 20,000, but number varies by platform) files, for example SSL certificates or keys, are created between config syncs, the next config sync operation will take too long and mcpd will be killed by sod.
Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.
Impact:
Traffic is disrupted while the MCPD process restarts.
Workaround:
Run a config sync operation after every ~5000 files created.
Fix:
MCPD no longer crashes if several thousand files are created between config sync operations.
723658-2 : TMM core when processing an unexpected remote session DB response.
Component: Carrier-Grade NAT
Symptoms:
Using CGNAT or FW-NAT on a cluster may cause a TMM core if there are intra-cluster communication issues that cause CMP state transitions.
The system writes messages to /var/log/tmm* similar to the following:
notice CDP: exceeded 1/2 timeout for PG 1
notice CDP: PG 1 timed out
notice CDP: New pending state 0f -> 0d
notice Immediately transitioning dissaggregator to state 0xd
notice cmp state: 0xd
notice CDP: New pending state 0d -> 0f
...
notice cmp state: 0xf
notice CDP: exceeded 1/2 timeout for PG 1
Conditions:
-- A LSN pool or FW-NAT source translation that has persistence enabled.
-- Intra-cluster communication issues that cause CMP state transitions.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
TMM does not crash when an unexpected remote session DB response is received.
723298-1 : BIND upgrade to version 9.11.4
Component: TMOS
Symptoms:
The BIG-IP system is running BIND version 9.9.9.
Conditions:
BIND on BIG-IP system.
Impact:
BIND 9.9 Extended Support Version was supported until June, 2018.
Workaround:
None.
Fix:
BIND version has been upgraded to 9.11.4.
723288-1 : DNS cache replication between TMMs does not always work for net dns-resolver
Component: Global Traffic Manager (DNS)
Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.
Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.
Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.
Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.
Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)
722991-1 : 'dead.letter' file might appear in the /root directory
Component: Access Policy Manager
Symptoms:
In the /root directory, there is a file named 'dead.letter' containing the following:
/etc/cron.daily/cleanup_sync_files:
ls: cannot access /config/filestore/sync_file_request_d: No such file or directory.
Conditions:
cron is running.
Impact:
The file /root/dead.letter grows daily by 5 lines regarding missing sync_file_request_d directory.
Workaround:
To avoid output that triggers mail to the dead.letter file, do the following:
Add '2> /dev/null' to the crontab daily script: /etc/cron.daily/cleanup_sync_files
- for file in `ls $path`
+ for file in `ls $path 2>/dev/null` # <-- the 2>/dev/null
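Review bot: the `2>/dev/null` added to the `ls $path` line discards every error from ls, not only the missing-directory message that fills dead.letter, so a permissions or I/O failure in this cleanup job would also go unreported. If $path is a single directory, testing for it ahead of the loop (for example `[ -d "$path" ] || exit 0`) and leaving stderr intact would silence only the case described here; iterating over a glob rather than over `ls` output would also avoid word-splitting on file names.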
Fix:
The 'dead.letter' is no longer generated.
722682-3 : Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load★
Component: TMOS
Symptoms:
Loading configuration process failed after upgrade when pool member names contain colons. The system posts errors similar to the following:
01070226:3: Pool Member 443:10.10.10.10 references a nonexistent Virtual Server
Unexpected Error: Loading configuration process failed.
Conditions:
-- GTM pool member has colon in its name.
-- Upgrade to any of the following versions:
+ 12.1.3.x
+ Any 13.0.x
+ All 13.1.x earlier than 13.1.1.2
+ 14.0.x earlier than 14.0.0.3
Impact:
The system removes the part of the pool member name that precedes the colon, and configuration load fails. For example, when the configuration contains a pool member named example_pm:443:10:10:10:10, the system removes the part of the pool member name that precedes the first colon, in this case, example_pm, leaving the pool member name 443:10.10.10.10.
Workaround:
After upgrade, add two backslash characters, \\ before the first colon, : character.
1. Upgrade the BIG-IP DNS system to the new version of software.
2. SSH to log into the bash prompt of the BIG-IP DNS system.
3. Run the following command to add the string \\ in front of the first colon character, : in the name of each affected GTM pool member:
for j in $(find /config/ -name bigip_gtm.conf); do for i in $(awk '$0 ~ /^gtm server.*:/ {gsub("[/:]"," ",$0); print $4}' ${j}); do sed -i "s, /Common/${i}, /Common/${i}\\\\\\\,g" ${j} | grep " /Common/${i}"; done; done
4. Run the following command: load sys config gtm-only
Fix:
Configuration load no longer fails when upgrading with a configuration that contains BIG-IP DNS pools with members whose names contain colon characters.
722677-5 : High-Speed Bridge may lock up
Solution Article: K26455071
722423-2 : Analytics agent always resets when Category Lookup is of type custom only
Component: Access Policy Manager
Symptoms:
Analytics errors out with a log that says you cannot use custom lookup only along with analytics (/var/log/apm). Even if the Analytics agent is set to disable RST on failure, the agent will send a RST.
Conditions:
In the per-request policy, Category Lookup agent is set to custom lookup only.
Impact:
This configuration leads to an Analytics agent with 'RST on Failure' disabled. The BIG-IP Admin cannot make the choice to disable RST on failure for this particular setup (even though it is a misconfiguration).
Workaround:
You can avoid the RST and error by modifying the configuration to use a standard category lookup before the analytics agent.
Using a custom-only 'Category Lookup' immediately followed by 'Response Analytics' is not a valid configuration. In this configuration, Analytics cannot run the way it is supposed to because it does not have the right information. 'Response Analytics' gives the option to choose what to do on error: RST, or continue on, implying that the non-RST option is valid. If the admin chooses to not reset, the system should log the error and continue. In this case, the system actually does send a RST, even though the RST is not what the BIG-IP admin intended to configure.
Fix:
Disabling RST on failure now works properly in this scenario. The configuration is still technically incorrect, but now the system takes the correct specified action-upon-error.
722387-4 : TMM may crash when processing APM DTLS traffic
Solution Article: K97241515
722363-3 : Client fails to connect to server when using PVA offload at Established
Component: Local Traffic Manager
Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.
When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.
Conditions:
A FastL4 virtual server is configured with offload_state = EST.
Impact:
Clients fail to connect to the server.
Workaround:
There is no workaround other than to disable PVA acceleration.
722091-4 : TMM may crash while processing HTTP traffic
Solution Article: K64208870
722013-2 : MCPD restarts on all secondary blades post config-sync involving APM customization group
Component: Access Policy Manager
Symptoms:
After performing a series of specific config-sync operations between multi-blade systems, the MCPD daemon restarts on all secondary blades of one of the systems.
Each affected blade will log an error message similar to the following example:
-- err mcpd[5038]: 01070711:3: Caught runtime exception, Failed to collect files (snapshot path () req (7853) pmgr (7853) not valid msg (create_if { customization_group { customization_group_name "/Common/Test-A_secure_access_client_customization" customization_group_app_id "" customization_group_config_source 0 customization_group_cache_path "/config/filestore/files_d/Common_d/customization_group_d/:Common:Test-A_secure_access_client_customization_66596_1" customization_group_system_path "" customization_group_is_system 0 customization_group_access 3 customization_group_is_dynamic 0 customization_group_checksum "SHA1:62:fd61541c1097d460e42c50904684def2794ba70d" customization_group_create_time 1524643393 customization_group_last_update_time 1524643393 customization_group_created_by "admin" customization_group_last_updated_by "admin" customization_group_size 62 customization_group_mode 33188 customization_group_update_revision 1
Conditions:
This issue occurs when all of the following conditions are met:
- You have configured a device-group consisting of multi-blade systems (such as VIPRION devices or vCMP guests).
- Systems are provisioned for APM.
- The device-group is configured for incremental manual synchronizations.
- On one system (for example, source_system), you create an APM configuration object (for example, a connectivity profile) that causes the automatic creation of an associated customization group.
- You synchronize the configuration from the source_system to the device-group.
- On the source_system, you create a new configuration object of any kind (for example, an LTM node).
- Instead of synchronizing the newest configuration to the device-group, you synchronize the configuration from another device in the device-group to the source_system (which effectively undoes your recent change).
- The MCPD daemon restarts on all secondary blades of the source_system.
Impact:
While the MCPD daemon restarts, the blade is offline, and many other BIG-IP daemons need to restart along with MCPD.
-- If the source_system is Active, the load capacity of the system temporarily decreases proportionally to the number of blades restarting. Additionally, if the systems use the min-up-members or HA-Group features, losing a certain number of secondary blades may trigger a failover.
-- If the source_system is Standby, some of the previously mirrored information may become lost as TMM on secondary blades restarts along with MCPD. Should this system later become the Active system, traffic may be impacted by the lack of previously mirrored information.
Workaround:
None.
Fix:
The MCPD daemon no longer restarts on secondary blades after config-sync of APM.
721985-1 : PAYG License remains inactive as dossier verification fails.
Component: TMOS
Symptoms:
- BIG-IP is deployed in a cloud environment (AWS/Azure/GCE) with PAYG licenses. The license does not activate on startup.
Conditions:
- There are multiple ways this can happen, but all of them come down to a user networking issue in which the HTTP calls to the cloud metadata service fail.
- This can be a simple routing issue to the metadata service or a firewall issue.
Impact:
As license activation fails, the instance becomes unusable.
Workaround:
Check /var/log/ltm to determine the networking issue that is causing the dossier verification failure. The error is typically logged in the following form:
Curl request to metadata service failed with error(<error-code>): '<error-message>'
By resolving this networking error, license activation should succeed.
Fix:
PAYG License remains inactive as dossier verification fails.
721924-6 : bgpd may crash processing extended ASNs
Solution Article: K17264695
Component: TMOS
Symptoms:
Under certain conditions bgpd may crash while processing extended ASNs.
Conditions:
Dynamic routing enabled.
Extended ASN capabilities enabled: bgp extended-asn-cap enabled
Impact:
Dynamic routing disrupted while bgpd restarts.
Fix:
bgpd now processes extended ASNs as expected.
721895-4 : Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)
Component: Global Traffic Manager (DNS)
Symptoms:
big3d advertises a TLSv1.0 version. Even though big3d requires previously exchanged certificates to validate a connection request, the TLSv1.0 advertisement triggers various vulnerability scanners and is flagged.
Conditions:
Running a vulnerability scanner or other SSL test tool.
Impact:
The scanner or tool reports that big3d might potentially accept a TLSv1.0 connection request (which is considered insecure). Vulnerability scanners then flag the BIG-IP system as vulnerable.
Workaround:
Although there is no workaround, because big3d accepts connections only from clients that match the certificates on the BIG-IP system, the risk is minimal.
In addition, you can deploy firewall rules to accept connections on port 4353 only from known BIG-IP systems.
Fix:
This version adds a db variable for big3d: big3d.minimum.tls.version. By default the value is 'TLSv1'. You can also specify TLSV1.1 or TLSV1.2 (the setting is case insensitive).
After changing the DB variable, restart big3d. Change the value on all BIG-IP systems that are subject to scans. This includes GTM as well as LTM configurations.
721752-3 : Null char returned in REST for Suggestion with more than MAX_INT occurrences
Component: Application Security Manager
Symptoms:
Unable to view ASM event log details for a majority of violations.
Conditions:
Suggestion with more than MAX_INT (2,147,483,647) occurrences.
Impact:
Null char returned in REST for Suggestion with more than MAX_INT occurrences.
Workaround:
Use the following SQL command:
UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647 where occurrence_count < 0;
Fix:
Null char is no longer returned in REST for Suggestion with more than MAX_INT occurrences.
721621-3 : Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
Component: Local Traffic Manager
Symptoms:
If an LTM pool is configured with only FQDN members, the DNS server resolves the FQDN to IP addresses that match statically-configured LTM nodes, and the IP address records returned by the DNS server change, an ephemeral pool member may not be added to the pool for the new IP address.
When in this state, if the FQDN template pool member is deleted from the pool, a new ephemeral pool member may be added corresponding to the last IP address record returned by the DNS server.
Conditions:
This may occur when:
1. Static nodes are configured which match addresses that may be returned in the DNS query for a given FQDN name.
2. An FQDN node is created with autopopulate disabled, for an address which may resolve to the same address as one of the static nodes.
3. This FQDN node is added (as a pool member) with autopopulate disabled, to a pool with no other non-FQDN members.
4. The DNS server resolves the FQDN name to an address that matches one of the static nodes.
5. A subsequent DNS query resolves the FQDN name to a different address that matches a different static node.
Impact:
In this case:
-- The original ephemeral member is removed from the pool.
-- A new ephemeral member for the new address may NOT be added to the pool.
-- In this state, if the FQDN template member is deleted from the pool, a new ephemeral member (i.e., the missing ephemeral with new IP address) is re-added to the pool.
Note. This symptom can occur only if the statically-configured node is created prior to an ephemeral pool member being created for the same IP address. If an ephemeral pool member and node are created first, it is not possible to create a statically-configured node or pool member using the same IP address.
Overall, traffic for the affected pool may not be sent to the correct pool member (new ephemeral address).
If no other members are defined in the pool, traffic will be interrupted.
Workaround:
This issue can be prevented by:
-- Avoiding configuring a static (non-FQDN) node with an IP address that matches any address that might be returned by the DNS server when resolving the FQDN.
-- Adding a statically-configured pool member to the pool in addition to the FQDN template member.
Once the symptom occurs, recovery is possible by performing either of the following actions:
-- Delete the statically-configured node with the conflicting IP address.
-- Recreate the node using the following procedure:
1. Delete the FQDN template member from the pool.
2. Delete the orphaned ephemeral member from the pool.
3. Re-add the FQDN template member to the pool.
Fix:
When an FQDN pool member address resolves to the same IP address as an existing static node, the corresponding ephemeral pool member is successfully created and deleted as expected, including when the IP address returned by the DNS query changes.
721364-1 : BIG-IP per-application VE BYOL license does not support three wildcard virtual servers
Component: TMOS
Symptoms:
A BIG-IP Virtual Edition (VE) admin can create only one wildcard virtual server with a per-application BYOL license.
Note: If you are using BIG-IQ 6.0.0 or 6.0.1 to manage AWS-based, per-app BIG-IP VE systems running versions 13.1.0.5 through 13.1.0.8, you must use the following AWS templates:
-- Default-AWS-f5-HTTPS-WAF-lb-template
-- Default-AWS-f5-HTTPS-offload-lb-template
For these two templates, ports 443 and 80 (for HTTP redirect) are hard-coded in an iRule, which enables this functionality.
Conditions:
Per-app VE with BYOL license.
Impact:
Per-app VE with BYOL license does not work as expected.
Workaround:
N/A
Fix:
Per-app VE BYOL license now supports three wildcard virtual servers.
721342-2 : No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments.
Component: TMOS
Symptoms:
No Per-App Virtual Edition (VE) LTM or Per-App VE WAF images for various cloud environments.
Conditions:
Various Cloud environments (i.e., Azure, Google, AWS).
Impact:
No options to use various Per-App VE features.
Workaround:
None.
Fix:
There are now offerings for various cloud environments (Azure, Google, AWS). There are two types of Per-App VE LTM and two of Per-App VE WAF images.
721261-2 : v12.x Policy rule names containing slashes are not migrated properly
Component: Local Traffic Manager
Symptoms:
When migrating from v12.x to v13.0.x, 13.1.x, or 14.0.x, LTM policies that have rules whose names contain the slash character do not migrate properly, and roll-forward migration fails.
Conditions:
-- BIG-IP systems running v12.x.
-- Configuration contains LTM Policy rules whose names include the slash (/) character.
-- Upgrading to v13.0.x, 13.1.x, or 14.0.x.
Impact:
Roll-forward migration fails with the error: illegal characters in rule name.
Workaround:
Edit the rule names within LTM Policies, replacing the now-illegal slash (/) character with a legal alternative, such as the underscore (_).
Alternately, prior to migration, rename the rules on the v12.x system, and then perform the upgrade.
Fix:
BIG-IP software v12.x Policy rule names containing slashes are properly migrated.
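A pre-upgrade check for the condition described in this entry, as an added example (not F5 code): it walks a bigip.conf-style text and reports LTM Policy rule names that contain a slash, with the underscore replacement the workaround suggests. The function names, the stanza layout it relies on, and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample in bigip.conf style (assumed layout, not taken from a real system).
SAMPLE_CONF = '''\
ltm policy /Common/web_policy {
    requires { http }
    rules {
        app/login {
            conditions {
                0 {
                    http-uri
                    path
                    starts-with
                    values { /login }
                }
            }
            ordinal 1
        }
        "api/v1 rule" {
            ordinal 2
        }
        default_rule {
            ordinal 3
        }
    }
    strategy /Common/first-match
}
ltm pool /Common/web_pool { }
'''

POLICY_RE = re.compile(r'^ltm policy (\S+) \{$')
RULE_RE = re.compile(r'^("[^"]*"|\S+) \{$')


def strip_quoted(line):
    """Blank out quoted strings so braces inside them do not affect depth."""
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', line)


def find_slash_rule_names(conf_text):
    """Return (policy, rule_name, suggested_name) for rule names containing '/'."""
    findings = []
    depth = 0          # current brace nesting level
    policy = None      # name of the ltm policy stanza being read, if any
    in_rules = False   # True while inside that policy's "rules { ... }" block
    for line in conf_text.splitlines():
        stripped = line.strip()
        if depth == 0:
            match = POLICY_RE.match(stripped)
            policy = match.group(1) if match else None
        elif policy and depth == 1 and stripped == "rules {":
            in_rules = True
        elif policy and in_rules and depth == 2:
            # Only names that open a block directly under "rules" are rule names;
            # slashes deeper down (URI values, pool paths) are ignored.
            match = RULE_RE.match(stripped)
            if match:
                name = match.group(1).strip('"')
                if "/" in name:
                    findings.append((policy, name, name.replace("/", "_")))
        bare = strip_quoted(stripped)
        depth += bare.count("{") - bare.count("}")
        if depth < 2:
            in_rules = False
    return findings


if __name__ == "__main__":
    for policy, rule, suggestion in find_slash_rule_names(SAMPLE_CONF):
        print(f"{policy}: rule '{rule}' contains '/', rename to '{suggestion}'")
```

The '/login' value inside the condition block is not reported, because only block names directly under 'rules' are treated as rule names.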
720961-4 : Upgrading in Intelligence Community AWS environment may fail
Component: TMOS
Symptoms:
After importing an AWS instance into the Intelligence Community (IC) AWS environment, you cannot upgrade to 13.1.0.2 (or later) because the license fails to validate afterwards.
Conditions:
-- Manually imported BIG-IP image into AWS IC.
-- Upgraded to 13.1.0.2 or newer.
Impact:
The system fails to validate the license after rebooting into the new software. Licenses are inoperative after the upgrade.
Workaround:
To work around this issue, perform the following procedure:
1. Redeploy a BYOL image from the IC marketplace.
2. Move over the license.
3. Configure the system.
Fix:
This release provides improved license validation to address this situation by detecting the IC environment, but allowing prior licenses to function.
720799-1 : Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
Component: Local Traffic Manager
Symptoms:
When using FQDN pool members, if all ephemeral members are removed and replaced by a DNS query that returns an entirely new set of IP addresses (no overlap with previous DNS query results), all ephemeral pool members are removed before the new ephemeral pool members are created.
This results in a brief moment when there are no ephemeral members (that can receive traffic) in the pool.
Conditions:
A DNS query for the FQDN node to which the pool members belong returns an entirely new set of IP addresses (no overlap with previous DNS query results).
Impact:
The brief moment during which there are no ephemeral members (that can receive traffic) in the pool can cause a Virtual Server or Virtual Address using that pool to flap.
Workaround:
It is possible to work around this issue by:
1. Adding a pool member with a statically-configured IP address.
2. Including multiple FQDN pool members in the pool, to limit the effect of the ephemeral members changing for a single FQDN pool member.
Fix:
When using FQDN pool members, ephemeral members whose IP addresses are not present in the most recent DNS query results are not immediately deleted from the pool.
To prevent the brief condition in which there are no ephemeral members in the pool (which can cause a Virtual Server or Virtual Address using that pool to flap), creation of new ephemeral nodes and pool members occurs immediately, but deletion of old ephemeral nodes and pool members occurs after a delay.
The duration of the delay follows the fqdn 'down-interval' value configured for the associated FQDN template node.
720757-2 : Without proper licenses Category Lookup always fails with license error in Allow Ending
Component: Access Policy Manager
Symptoms:
When a per-request policy's Category Lookup agent queries Standard Categories with an expired SWG/URLF license (and has 'RST on failure' disabled), the execution always ends with the following log messages:
Error: Global concurrent url filter session limit reached
The connection is aborted.
Conditions:
Category Lookup agent set to query the urldb engine (standard categories) with either no SWG/URLF license or an expired license.
Impact:
Even if 'RST on failure' is disabled, traffic cannot reach the allow ending successfully.
Workaround:
Remove the Category Lookup with standard category lookup from the per-request policy if the licenses do not allow for its use.
Fix:
The allow ending is now reached successfully and does not error out if Category Lookup fails due to licensing errors but is set to disable 'RST on failure'.
720713-1 : TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail
Component: TMOS
Symptoms:
When a BIG-IP iSeries i5800, i7800, or i10800 device is configured as a vCMP host and at least one vCMP guest is running (or ever ran), TMM traffic to the vCMP host may fail.
Note: Management port traffic to/from the device is unaffected.
Note: TMM traffic to/from the vCMP guests running on the device is unaffected. This issue affects only the vCMP host.
The most visible symptom is that TMM on the vCMP host fails to answer ARP requests that it receives for its own Self-IP addresses.
Conditions:
This issue occurs when all of the following conditions apply:
- BIG-IP iSeries i5800, i7800, or i10800 device in vCMP host mode.
- At least one vCMP guest is deployed or was deployed, at some point.
Impact:
Inability to communicate to/from the vCMP host via its Self-IP addresses.
Workaround:
Ensure that the host is running a compatible version of BIG-IP. For more information on supported host/guest versions, see K14088: vCMP host and compatible guest version matrix, available at https://support.f5.com/csp/article/K14088
Fix:
The vCMP host continues to handle traffic correctly once a guest is started.
720651-1 : Running Guest Changed to Provisioned Never Stops
Component: TMOS
Symptoms:
After changing a vCMP guest's state to provisioned, the guest remains running and shows a status of stopping.
Conditions:
-- Guests deployed on a BIG-IP vCMP host.
-- Changing the state from deployed to provisioned.
Impact:
Guests do not stop and change status until the vcmpd process is restarted.
Workaround:
There is no workaround.
Fix:
The guest now stops when the state is changed from deployed to provisioned.
720585-2 : Signatures generated by Behavioral DOS algorithm can create false-positive signatures
Component: Anomaly Detection Services
Symptoms:
There is a probability that the generated signatures will block unknown traffic (traffic that was not present before the attack) even if blocking is not necessary from a service-health perspective.
Conditions:
Run attack traffic.
In parallel run unknown traffic.
It should exceed the learned baseline together with the good traffic.
Impact:
The signatures may block unknown traffic even if blocking is not necessary from a service-health perspective.
Workaround:
There is no workaround at this time.
Fix:
Implemented an adaptive ratio threshold for covering current bad traffic samples. The ratio increases as long as the health is not good.
If the health returns to good levels (below one), the ratio is reset to the initial value.
720391-3 : BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'
Component: TMOS
Symptoms:
BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' and 'unknown' when OID sysObjectID is queried.
Conditions:
1. Execute 'tmsh show sys hardware'.
2. Query for OID sysObjectID using snmpwalk.
Impact:
System is reported as 'none', when it should be i7800-D. Platform with dual SSD not correctly identified using tmsh command or snmpwalk.
Workaround:
None.
Fix:
Added new SNMP OID for BIG-IP i7800 Dual SSD, reported as BIG-IP i7800-D, which is the correct designation.
720293-4 : HTTP2 IPv4 to IPv6 fails
Component: Local Traffic Manager
Symptoms:
An IPv4-formatted virtual server with an IPv6-formatted pool member cannot establish the connection to the pool member if HTTP2 is configured.
Conditions:
-- IPv4 virtual Server.
-- IPv6 pool member.
-- HTTP2 profile.
Impact:
Traffic connection does not establish; no traffic passes.
Workaround:
None.
Fix:
In this release, an IPv4-formatted virtual server with an IPv6-formatted pool member works with HTTP2.
720269-1 : TACACS audit logging may append garbage characters to the end of log strings
Component: TMOS
Symptoms:
When using TACACS audit logging, you might see extra 'garbage' characters appended to the end of logging strings.
Conditions:
Using audit forwarding with a remote TACACS server.
Impact:
Confusing log messages. Remote TACACS logging might stop altogether after some time.
Workaround:
There is no workaround at this time.
Fix:
Prevented extra characters from being appended to TACACS audit logs.
720219-2 : HSL::log command can fail to pick new pool member if last picked member is 'checking'
Solution Article: K13109068
Component: Local Traffic Manager
Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.
Conditions:
-- Using HSL::log command.
-- iRule with a remote high speed logging configured.
Impact:
Failure to send log messages via HSL.
Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.
Fix:
This issue no longer occurs. If a 'down' pool member is picked, it will eventually be bypassed to find an 'up' pool member, if possible.
720104-2 : BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
Component: TMOS
Symptoms:
BIG-IP i2800/i2600 650W AC PSU is missing marketing name under 'show sys hardware' and displays 'unknown' when OID sysObjectID is queried.
Conditions:
-- Execute 'tmsh show sys hardware'.
-- Query for OID sysObjectID using snmpwalk.
-- Using BIG-IP i2800/i2600 platforms.
Impact:
System reports an empty marketing name when queried. Platform with 650W AC PSU not identified using tmsh command or snmpwalk.
Workaround:
There is no workaround at this time.
Fix:
Added new SNMP OID for BIG-IP i2800/i2600 650W AC PSU.
719770-1 : tmctl -H -V and -l options without values crashed
Component: TMOS
Symptoms:
When the -H, -V, or -l option was passed to tmctl without a following value, tmctl crashed.
Conditions:
Use one of these options without the required value.
Impact:
Core file. No other impact.
Workaround:
Be sure to pass the required value with these options.
Fix:
The missing value is now reported as an error.
719644-3 : If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★
Component: Global Traffic Manager (DNS)
Symptoms:
When an LTM configuration has virtual server names containing the period character (.), a GTM configuration with auto-discovery enabled that is upgraded from v11.5.x to a later version might lose consistency.
Conditions:
-- Upgrading GTM from v11.5.x to later versions (e.g., BIG-IP DNS v12.x).
-- Auto-discovery is enabled.
-- LTM configuration containing virtual server names containing the period character (.).
-- The same virtual server name is used in multiple partitions.
Impact:
The configuration after the upgrade might be affected in the following ways:
-- Missing virtual servers.
-- Deletion of some pool members.
-- Virtual servers with incorrect addresses.
Workaround:
There is no workaround at this time.
Fix:
This release supports GTM upgrades from 11.x to BIG-IP DNS 12.x and later versions for cases where:
-- Auto-discovery is enabled.
-- LTM virtual server names contain the period character (.).
-- The same virtual server name is used in multiple partitions.
719600-1 : TCP::collect iRule with L7 policy present may result in connection reset
Component: Local Traffic Manager
Symptoms:
If an iRule utilizing TCP::collect and HTTP_REQUEST is on a virtual server with an L7 policy, the policy engine may cause the connection to be unexpectedly reset with a 'policy execution error' reset cause, and 'Unable to resume pending policy event on connflow' will be logged to /var/log/ltm.
Conditions:
TCP::collect and HTTP_REQUEST iRule with L7 policy on virtual server.
Impact:
Connections may be unexpectedly reset and errors logged to /var/log/ltm.
Workaround:
At the start of the HTTP_REQUEST event, issue an 'after 1' command to allow the policy engine to reach a consistent state before proceeding with the remainder of the iRule.
719597-1 : HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0
Component: TMOS
Symptoms:
When two VIPRION chassis with B2250 blades try to form a high availability (HA) connection, with one running v12.1.1 and the other running v13.1.0, HA connections between TMMs on Active and TMMs on Standby might fail.
Conditions:
-- Two VIPRION chassis with B2250 blades.
-- One blade running v12.1.1 and the other running v13.1.0.
-- Try to configure HA connection.
Impact:
Fail to form HA connection.
Workaround:
There is no workaround other than installing the same software on both blades.
Fix:
A new sys db mhdag.bitshift is added to support HA configurations using B2250 blades running v12.1.1 and v13.1.x. Set mhdag.bitshift to 5 on VIPRION chassis with B2250 blades running v13.1.x by running the following command: tmsh modify sys db mhdag.bitshift value 5
HA between VIPRION chassis running v12.1.1 and v13.1.x with B2250 blades now works as expected.
719554-1 : Linux Kernel Vulnerability: CVE-2018-8897
Solution Article: K17403481
719459-1 : Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled
Component: Application Security Manager
Symptoms:
Policy builder suggests adding already existing URLs (as HTTPS) learned from response.
Conditions:
-- Differentiate HTTP and HTTPS URLs is disabled.
-- Learn-from response is enabled.
-- Server responses contain HTTPS links for HTTP requests instead of using protocol-relative URLs.
Impact:
This is a cosmetic issue in that incorrect suggestions are created. There is no impact to functionality.
Workaround:
Add the incorrect suggestions to the 'ignore' list.
Fix:
Policy builder no longer creates suggestions to add already existing URLs.
719396-2 : DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.
Solution Article: K34339214
Component: TMOS
Symptoms:
DHCP Client on the BIG-IP system sends host-name 'localhost' in DISCOVER packet after first boot.
Note: The problem goes away after the first boot.
Conditions:
-- DHCP is enabled (this is the default on BIG-IP systems).
-- Initial startup.
Impact:
This can affect the lease given out by the DHCP server in the given network if the DHCP server is configured in such a way as to dynamically update the DNS based on the host-name option in the lease.
Workaround:
-- Empty the /var/lib/dhclient/dhclient.leases file.
-- Run the following command: bigstart restart dhclient
Fix:
DHCP Client on the BIG-IP system no longer sends 'localhost' as the host-name in DISCOVER packet after first boot.
719247-1 : HTTP::path and HTTP::query iRule functions cannot be set to a blank string
Solution Article: K10845686
Component: Local Traffic Manager
Symptoms:
The HTTP::path and HTTP::query iRule functions generate an error if called with an argument that is a blank string, resulting in connection termination.
Conditions:
In an iRule where the argument is a blank string:
HTTP::path ""
HTTP::query ""
Impact:
Error encountered while executing iRule "HTTP::query $blank", and the connection is terminated with an error in the logs similar to the following:
-- err tmm[17219]: 01220001:3: TCL error: /Common/ir_1-4045405141_query <HTTP_REQUEST>
Workaround:
To set HTTP::query to blank, use the following function:
HTTP::uri [HTTP::path]
To set HTTP::path to blank, use the following function:
HTTP::uri [HTTP::query]
Fix:
HTTP::path and HTTP::query iRule functions now accept blank string arguments.
719186-1 : Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts
Component: Fraud Protection Services
Symptoms:
Multipart/form-data requests are not supported in FPS. FPS-protected pages which have the enhanced data-manipulation feature enabled, may generate a false-positive 'missing strong integrity parameter' alert for multipart/form-data requests.
Conditions:
-- FPS profile attached to a virtual server.
-- Multipart/form-data requests to a URL.
-- Enhanced data-manipulation feature enabled on a protected URL.
Impact:
False-positive 'missing strong integrity parameter' alert.
Workaround:
Use the ANTIFRAUD::disable_alert iRule command to drop the alert:
(set the static::drop_alert variable, probably matching URL name and checking that Content-Type header starts with 'multipart/form-data')
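when ANTIFRAUD_ALERT {
    # Drop only the 'missing strong integrity parameter' alert, and only
    # when the request was flagged earlier via static::drop_alert.
    if {$static::drop_alert eq 1 &&
        [ANTIFRAUD::alert_type] eq "vtoken" &&
        [ANTIFRAUD::alert_component] eq "no_strong_integrity_param" } {
        ANTIFRAUD::disable_alert
        # Clear the flag so later alerts are not suppressed.
        set static::drop_alert 0
    }
}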
Fix:
FPS no longer sends automatic-transaction alerts for unsupported requests, so multipart/form-data requests no longer generate false positive 'missing strong integrity parameter' alerts.
719005-2 : Login request may arrive corrupted to the backend server after CAPTCHA or CSID mitigation
Component: Application Security Manager
Symptoms:
Login request arrives corrupted (specifically, some of the characters in the payload are changed).
Conditions:
-- A brute force CAPTCHA or CSID mitigation happens.
-- Specific traffic conditions.
Impact:
Login request fails.
Workaround:
None.
Fix:
CAPTCHA or CSID request-handling now works as expected.
718817-1 : Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.
Component: TMOS
Symptoms:
Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest fails due to a race condition.
There are log entries in /var/log/liveinstall.log:
-- error: status 256 returned by command: F5_INSTALL_SESSION_TYPE=install tmsh -f save sys ucs /var/tmp/kRf24pKXTQ.ucs.
-- info: tar: config/.ucs_base_mac: Cannot stat: No such file or directory.
-- info: Unexpected Error: UCS saving process failed.
Conditions:
-- Installing onto secondary VIPRION blade or onto VIPRION-based vCMP guest.
Impact:
Software installation fails.
Workaround:
You can use either workaround:
-- Add 'ignore .ucs_base_mac' to the 'monitor dir /config' stanza in /etc/csyncd.conf on all blades, and then restart csyncd on all blades by running "clsh bigstart restart csyncd"
-- Retry the installation until it succeeds.
718772-1 : The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists)
Component: Anomaly Detection Services
Symptoms:
The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists).
Conditions:
Attack traffic contains an 'unknown' header, for example 'Upgrade-Insecure-Requests: 1'.
Impact:
In the GUI, when the signature with the predicate 'unknown_header' is edited, this predicate is empty (instead of exists / does not exist).
Workaround:
There is no workaround.
Fix:
1. Change 'http.unknown_header' predicate into 'http.unknown_header_exists'.
2. Keep supporting the old format 'http.unknown_header'.
718525-2 : PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting
Component: TMOS
Symptoms:
After removing the mcpd binary database and restarting, occasionally there are errors similar to the following in /var/log/ltm:
warning postgres[7663]: [3-1] ERROR: duplicate key value violates unique constraint "vlan_pkey"
(The object type may be something other than 'vlan_pkey'.)
Conditions:
This occurs when you remove the mcpd binary database and reboot the system.
Impact:
The configuration does not load until 'bigstart restart' is executed.
Workaround:
None.
Fix:
The 'duplicate key value' errors are no longer seen when removing the mcpd binary database and restarting.
718397-2 : IKEv2: racoon2 appends spurious trailing null byte to ID payloads
Component: TMOS
Symptoms:
IPsec clients implementing RFC5996 correctly cannot interoperate with the BIG-IP system when the peers-id-type is anything other than address, because racoon2 inside BIG-IP appends a null byte to any string-based ID type (for both peers_id and my_id). This makes the IKE_AUTH exchange fail, usually because the ID_I from the initiator cannot match the peers-id-value in config for that ike-peer, because there is a one-byte difference between the compared strings.
Conditions:
When any non-BIG-IP client initiates an IKE negotiation using any id-type that is not IPv4 or IPv6. In particular, fqdn and asn1dn for peers-id-type in local BIG-IP configurations.
Impact:
IKE negotiation fails during the second IKE_AUTH exchange of messages, preventing any tunnel from being established. Outage with a non-BIG-IP client is permanent until the config is changed to use peers-id-type=address.
Workaround:
Use peers-id-type=address to interoperate with non-BIG-IP clients for IPsec.
Fix:
Because RFC5996 forbids trailing null bytes in ID payloads, the BIG-IP software was actually not compliant with the RFC by encoding payloads this way itself. It only worked because both initiator and responder did the same thing. Now the BIG-IP software does not add the extra trailing null byte into ID payloads and local ID values, so the BIG-IP system can accept IKE_AUTH messages from non-BIG-IP clients.
Note: This fix creates an incompatibility with previous BIG-IP versions when peers-id-type is any type other than address.
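The one-byte mismatch described in this entry, as an added sketch that is not BIG-IP or racoon2 code. It builds and parses the Identification payload layout from RFC 5996 section 3.5 and reports when a received ID differs from the configured value only by a trailing NUL; the function names and the FQDN value are constructed for illustration.

```python
import struct

# ID Type values from RFC 5996 section 3.5.
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR = 1, 2, 3
ID_IPV6_ADDR, ID_DER_ASN1_DN = 5, 9
ADDRESS_TYPES = {ID_IPV4_ADDR, ID_IPV6_ADDR}


def build_id_payload(id_type, data, next_payload=0):
    """Generic payload header (4 bytes), ID Type, 3 reserved bytes, then data."""
    return struct.pack("!BBHB3x", next_payload, 0, 8 + len(data), id_type) + data


def parse_id_payload(buf):
    """Return (id_type, identification_data) after checking the length field."""
    if len(buf) < 8:
        raise ValueError("ID payload shorter than its fixed 8-byte prefix")
    _next, _flags, length, id_type = struct.unpack("!BBHB", buf[:5])
    if length < 8 or length > len(buf):
        raise ValueError("payload length field does not fit the buffer")
    return id_type, buf[8:length]


def diagnose_peer_id(payload, cfg_type, cfg_value):
    """Strict byte-for-byte comparison, plus a hint when only one NUL differs."""
    id_type, data = parse_id_payload(payload)
    if id_type != cfg_type:
        return False, "id type differs"
    if data == cfg_value:
        return True, "match"
    if id_type not in ADDRESS_TYPES:
        if data == cfg_value + b"\x00":
            return False, "peer sent trailing NUL"
        if data + b"\x00" == cfg_value:
            return False, "local value has trailing NUL"
    return False, "value differs"


def demo():
    """Constructed samples: an RFC-compliant peer and a NUL-appending peer."""
    fqdn = b"vpn.example.net"                      # constructed value
    clean = build_id_payload(ID_FQDN, fqdn)
    padded = build_id_payload(ID_FQDN, fqdn + b"\x00")
    return [
        diagnose_peer_id(clean, ID_FQDN, fqdn),             # both compliant
        diagnose_peer_id(padded, ID_FQDN, fqdn),            # peer pads, local does not
        diagnose_peer_id(clean, ID_FQDN, fqdn + b"\x00"),   # local pads, peer does not
        diagnose_peer_id(padded, ID_FQDN, fqdn + b"\x00"),  # both pad
    ]


if __name__ == "__main__":
    for matched, reason in demo():
        print(matched, reason)
```

The last sample shows why two peers that both append the NUL still matched each other, and why mixing padded and unpadded peers fails the comparison.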
718210-1 : Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused
Component: Local Traffic Manager
Symptoms:
In very rare circumstances, connections that use virtual targeting virtual server and time-wait recycle result in a connection being improperly reused.
Conditions:
Virtual server targeting virtual server (usually occurs in an iRule) with time-wait recycle being used on the virtual server's TCP profile.
Note: This is the default value, so any virtual servers defined internally are using it.
Impact:
A connection might be reused even though it is a new one. TMM can crash and restart. Traffic disrupted while tmm restarts.
Note: This is an extremely rare issue.
Workaround:
None.
Fix:
This issue has been fixed.
718044-1 : Wildcard URLs order fails to save between different pages in FPS GUI
Component: Fraud Protection Services
Symptoms:
When switching between pages in the FPS GUI, the wildcard URL ordering changes.
Conditions:
-- FPS license is active.
-- Setting wildcard URLs.
-- Navigating to other pages in the GUI.
Impact:
The matching priority of wildcard URLs is affected.
Workaround:
Use tmsh to configure the priority of wildcard URLs.
Fix:
FPS GUI now saves the state of wildcard URLs.
717896-3 : Monitor instances deleted in peer unit after sync
Component: Local Traffic Manager
Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.
During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.
Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.
Impact:
After incremental-sync, a single monitor instance exists for the node on a 'backup' unit in an HA configuration, rather than the several monitor instances that exist for that node on the 'active' unit; and that node session is 'enabled' (where the 'from-node' was 'disabled'); and that node status may be 'up' (where the 'from-node' was 'user-down'), and later transition to 'down' from a monitor-fail.
Thus, after incremental-sync, the target-node may then be 'down', while the active unit in the HA configuration continues to function as expected.
Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.
Fix:
An incremental-sync from a modified-node that was set to 'user-down' successfully replicates the several monitor instances on that node to the target-node on the backup device in an HA configuration.
717888-4 : TMM may leak memory when a virtual server uses the MQTT profile.
Solution Article: K26583415
717742-6 : Oracle Java SE vulnerability CVE-2018-2783
Solution Article: K44923228
717552-1 : FPS GUI does not save wildcard parameter order state
Component: Fraud Protection Services
Symptoms:
When switching between pages in the Fraud Protection Service (FPS), the wildcard parameter ordering changes.
Conditions:
-- FPS license is active.
-- Setting wildcard parameters.
-- Navigating to other pages in the GUI.
Impact:
The matching priority of wildcard parameters is affected.
Workaround:
Use tmsh to configure the priority of wildcard parameters.
Fix:
FPS GUI now saves the state of wildcard parameters.
717525-2 : Behavior for classification in manual learning mode
Component: Application Security Manager
Symptoms:
- Extractions are added to parameters in manual mode.
- In manual learning mode on 'fallback to default' URL classification is not ended properly (resulting in repetitive audit log attempts to end URL classification).
- In manual learning mode on 'fallback to default', parameter staging is set to true.
- The system writes errors to pabnagd.log.
Conditions:
- Manual learning mode.
- Classification is on for either parameters or URLs.
- Any option of 'Learn Dynamic Parameters' is turned on (even if checkbox is disabled).
Impact:
- URL content types are not enforced in manual mode.
- Parameters are getting staged automatically in manual mode.
- Parameters are classified as dynamic (value type).
- Extractions are added to dynamic parameters.
Workaround:
- Update the URLs manually (any update will take them out of classification).
- Manually unstage parameters with 'fallback to default'.
- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').
Fix:
- URLs end classification successfully on 'fallback to default' in manual mode.
- Parameters staging is not changed on 'fallback to default' in manual mode.
- Parameters are not classified as dynamic in manual mode.
- Extractions are not added to dynamic parameters in manual mode.
- No errors in pabnagd.log.
717346-1 : [WebSocket] tmsh show /ltm profile WebSocket current and max numbers far larger than total
Solution Article: K13040347
Component: Local Traffic Manager
Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.
Conditions:
This occurs rarely. An unstable network could be one of the reasons.
Impact:
Cannot use stats for troubleshooting.
Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket
717100-2 : FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
Component: Local Traffic Manager
Symptoms:
FQDN ephemeral pool members and corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.
The missing FQDN ephemeral pool members may be created an hour after initial operations.
Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.
Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members, and any virtual servers using that pool to fail to pass traffic.
Workaround:
The following steps, alone or in combination, may help avoid this issue:
1. Avoid rapid creation of multiple FQDN template pool members (such as by creating multiple in a single tmsh CLI transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.
Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.
In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).
Fix:
Ephemeral pool members are now created for each pool under these conditions.
716940-1 : Traffic Learning screen graphs show data for the last day only
Component: Application Security Manager
Symptoms:
Traffic Learning screen graphs show data for the last day only.
Conditions:
Visit Learning screen 1 hour after policy creation.
Impact:
Statistics shown are for the last day. No statistics for longer or for shorter periods of time.
Workaround:
There is no workaround.
Fix:
Statistics are shown for the correct time interval, at most 2 weeks/policy creation date. Possible statistics intervals are as follows: 1 hour, 1 day, 2 weeks.
716922-1 : Reduction in PUSH flags when Nagle Enabled
Component: Local Traffic Manager
Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.
Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.
Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.
Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.
Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.
Note: To take advantage of some of the Nagle benefits, use 'Auto'.
Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.
716900-3 : TMM core when using MPTCP
Solution Article: K91026261
716788-1 : TMM may crash while response modifications are being performed within DoSL7 filter
Component: Application Security Manager
Symptoms:
TMM might crash when a response is modified by the DoSL7 filter while injecting an HTML response from a backend server.
Conditions:
-- ASM provisioned.
-- DoS application profile is attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts, failover may occur.
Workaround:
There is no workaround other than to remove the DoS application profile from the virtual server.
Fix:
Response modification handler has been modified so that this issue no longer occurs.
716716-1 : Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
Component: Local Traffic Manager
Symptoms:
TMM cores when the system has a kernel route configured, but no matching TMM route.
Conditions:
The scenario that can lead to this state is unknown.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
Either remove the kernel route, or add a matching TMM route.
Fix:
This release prevents the core that occurred when the kernel has a route that has no corresponding TMM route.
716714-2 : OCSP should be configured to avoid TMM crash.
Component: Local Traffic Manager
Symptoms:
TMM generates a core if OCSP is not configured in the SSL profile.
Conditions:
OCSP not configured in the SSL profile.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than configuring OCSP in SSL profiles.
Fix:
In this release, TMM skips processing OCSP if it is not enabled.
716392-2 : Support for 24 vCMP guests on a single 4450 blade
Component: TMOS
Symptoms:
Cannot create more than 12 vCMP guests per blade.
Conditions:
-- Using vCMP.
-- VIPRION blades.
Impact:
Cannot configure more than 12 vCMP guests.
Workaround:
None.
Fix:
This release supports 24 vCMP guests on 4450 blades. Increased vCMP density ensures that all guests can access the hardware capabilities available from the BIG-IP platforms and VIPRION blades.
Behavior Change:
This release supports 24 vCMP guests on VIPRION 4450 blades. Increased vCMP density ensures that all guests can access the hardware capabilities available from BIG-IP platforms and VIPRION blades.
716391-1 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation
Solution Article: K76031538
Component: TMOS
Symptoms:
vCMP guest with only 2 cores (or 2 cores per blade for multi-blade guests) may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.
Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores (or 2 cores per blade for multi-blade vCMP guests).
-- A module that uses MySQL is provisioned, for example BIG-IP ASM or BIG-IP Analytics (AVR). These other modules also implicitly provision AVR: ASM, AFM, DOS, APM, PEM, and vCMP.
Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.
Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.
716318-1 : Engine/Signatures automatic update check may fail to find/download the latest update
Component: Fraud Protection Services
Symptoms:
Engine/Signatures automatic update check may fail to find/download the latest update if the timestamp of the factory update file is later than the timestamp of the update file in downloads.f5.com.
Note: This issue is relevant only for engineering hotfixes.
Conditions:
This occurs when the following conditions are met:
-- Engineering hotfix.
-- The factory update file timestamp is later than the timestamp of the update file in downloads.f5.com.
Impact:
Automatic update check will detect the wrong update file.
Workaround:
Manually check, and then download and install the update file from downloads.f5.com, if needed.
Fix:
The factory update file timestamp is now set to 0, unless there is a reason to install the factory file over the current update file in downloads.f5.com.
716213-5 : BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
Component: Local Traffic Manager
Symptoms:
When APM connects to Active Directory Federation Services (ADFS), a blank page is observed. The log file /var/log/ltm shows a TCP reset issued by the BIG-IP system. A TCP capture shows that the issue is due to an out-of-bounds error that occurs when traffic is parsed by the SSL Persistence Parser (SSID).
Conditions:
-- SSL persistence (SSID) is enabled for a virtual host.
-- APM connects to ADFS.
Impact:
A blank page is observed due to the TCP reset.
Workaround:
No workaround is available.
Fix:
The SSL persistence parser now validates the handshake message data-bytes are available prior to fetching them, so the bounds error does not get raised.
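The kind of check this fix describes, as an added sketch that is not F5's parser: every length is validated against the bytes actually received before the session ID is read from a TLS hello, and "segment not complete yet" is kept separate from "length field is inconsistent". The names and the sample ServerHello are constructed for illustration, and a hello split across several TLS records is treated as unsupported to keep the sketch short.

```python
import struct

HANDSHAKE = 22                    # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2
MAX_RECORD = 1 << 14              # plaintext record size limit
SID_LEN_OFF = 4 + 2 + 32          # handshake header + version + random


class NeedMoreData(Exception):
    """The field lies beyond the bytes received so far."""


class Malformed(Exception):
    """A length field contradicts the structure that contains it."""


def extract_session_id(data):
    """Return (msg_type, session_id) from the first record of a hello."""
    if len(data) < 5:
        raise NeedMoreData("record header")
    ctype, _version, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != HANDSHAKE or rec_len > MAX_RECORD:
        raise Malformed("not a plaintext handshake record")
    if rec_len < SID_LEN_OFF + 1:
        raise Malformed("record too short to hold a hello (simplification)")
    body = data[5:5 + rec_len]            # never look past the declared record
    if len(body) < SID_LEN_OFF + 1:
        raise NeedMoreData("session id length byte")
    msg_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise Malformed("not a hello message")
    sid_len = body[SID_LEN_OFF]
    end = SID_LEN_OFF + 1 + sid_len       # offset just past the session id
    if sid_len > 32 or end - 4 > hs_len or end > rec_len:
        raise Malformed("session id overruns its container")
    if len(body) < end:
        raise NeedMoreData("session id bytes")
    return msg_type, body[SID_LEN_OFF + 1:end]


def build_server_hello(session_id, sid_len=None):
    """Constructed minimal ServerHello; sid_len lets a sample misstate the length."""
    n = len(session_id) if sid_len is None else sid_len
    body = b"\x03\x03" + bytes(32) + bytes([n]) + session_id + b"\x00\x2f\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs


def probe(data):
    """Map the parser outcome to ('ok', sid), ('need_more', None) or ('malformed', None)."""
    try:
        return "ok", extract_session_id(data)[1]
    except NeedMoreData:
        return "need_more", None
    except Malformed:
        return "malformed", None


if __name__ == "__main__":
    full = build_server_hello(bytes(range(32)))
    print(probe(full[:40]))                                  # partial segment
    print(probe(full))                                       # complete hello
    print(probe(build_server_hello(b"\xaa" * 4, sid_len=32)))  # length overruns message
```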
715923-7 : When processing TLS traffic TMM may terminate connections unexpectedly
Solution Article: K43625118
715883-1 : Tmm crash due to invalid cookie attribute
Component: Local Traffic Manager
Symptoms:
Tmm crash due to invalid request-side cookie attribute.
Conditions:
While processing an HTTP request, an iRule tries to add a cookie attribute to a cookie that is only valid in an HTTP response (for instance, an 'expires' attribute).
Impact:
TMM cored. Traffic disrupted while tmm restarts.
Workaround:
None.
715785-1 : Incorrect encryption error for monitors during sync or upgrade
Component: Local Traffic Manager
Symptoms:
The system logs an error message similar to the following in /var/log/ltm:
err mcpd[6823]: 01071768:3: Encryption of the field (password) for object (<monitor name>) failed.
This may cause a configuration sync to fail, or an upgrade to fail.
Conditions:
The exact conditions are unknown, however it may occur under these circumstances:
-- Performing a config sync operation.
-- Performing an upgrade.
Impact:
Inability to sync peer devices, or an inability to upgrade.
Workaround:
There is no workaround at this time.
Fix:
This error is no longer triggered erroneously.
715750-1 : The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream in an SSL connection.
Solution Article: K41515225
Component: Local Traffic Manager
Symptoms:
Upon receiving a FIN midstream in an SSL connection, the BIG-IP system will immediately proxy the FIN to the remote host on the peer side. At this point, depending on the specific configuration of the remote host on the peer side, the BIG-IP system may exhibit behaviors that may be deemed undesirable.
For instance, if the remote host on the peer side acknowledges the FIN but ignores it and keeps sending data to the BIG-IP system, the BIG-IP system will drop all ingress data (i.e., not proxy it) while keeping the side that transmitted the original FIN open indefinitely.
Once the remote host on the peer side completes transmitting data and sends a FIN of its own, the BIG-IP system will finally release the side that sent the original FIN by allowing it to close.
Conditions:
This issue occurs when the following conditions are met:
-- A standard virtual server with the clientssl and serverssl profiles in use.
-- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.
Impact:
There is no real impact to the BIG-IP system because of this issue. However, both the client and the server can be negatively impacted by this issue.
For example, if the original FIN was received by the BIG-IP system on the clientside:
-- The client connection is not allowed to close for potentially a very long time. During this time, the client does not receive anything other than Keep-Alive packets from the BIG-IP system. This can delay or adversely impact applications on the client.
-- The server continues to send data to the BIG-IP system unnecessarily. After accounting for the fact this could be a lot of data and many connections could be in this state, the server and/or its surrounding network could become impacted/congested. At a minimum, this might cause a waste of resources.
Workaround:
There is no workaround at this time.
Fix:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.
Behavior Change:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.
715467-1 : Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
Component: Local Traffic Manager
Symptoms:
If the 'A' record for an FQDN node is removed or replaced on the DNS server, then the BIG-IP system does not remove the old ephemeral pool member or create the new pool member and node.
Conditions:
-- FQDN nodes.
-- Pool members with a service port of ANY.
Impact:
Ephemeral pool member and nodes are not removed or updated when the DNS 'A' record is removed or changed.
Workaround:
There is no workaround at this time.
Fix:
Upon a DNS 'A' record being removed or changed, the ephemeral pool members and nodes based on the old value are removed or changed.
715448-3 : Providing LB::status with a GTM Pool name in a variable caused validation issues
Component: Global Traffic Manager (DNS)
Symptoms:
When utilizing an LB::status iRule where the GTM Pool name was provided in a variable, instead of directly written into the command, the system posts the following error message: Can't read 'monkey': no such variable.
Conditions:
LB::status pool a <Variable containing string>.
Impact:
Unable to use LB::status iRule.
Workaround:
There is no workaround at this time.
Fix:
Can now use LB::status iRule command to display the status of a GTM Pool when the name of the pool is provided in a variable.
715128-2 : Simple mode Signature edit does not escape semicolon
Component: Application Security Manager
Symptoms:
When creating a user-defined ASM Signature in Simple mode, semicolon followed by space cannot be used in a keyword.
Conditions:
-- Using a user-defined ASM Signature in Simple mode.
-- There is a semicolon followed by a space in a keyword.
Impact:
The signature cannot be created.
Workaround:
The signature can be created in Advanced Mode by escaping semicolon as "|3B|".
714903-3 : Errors in chmand
Component: TMOS
Symptoms:
VIPRION cluster does not form; only primary blade stays online. Chassis manager chmand generated a core file. System logs the following error in ltm log: err clusterd[11162]: 013a0004:3: Error adding cluster mgmt addr, HAL error 7.
Conditions:
-- Restoring UCS.
-- Chassis starting up.
-- System in stressed condition, where there is very little or no memory available.
Impact:
Cluster does not form.
Workaround:
None.
Fix:
These errors in chmand are fixed.
714879-4 : APM CRLDP Auth passes all certs
Solution Article: K34652116
714749-1 : cURL Vulnerability: CVE-2018-1000120
Component: TMOS
Symptoms:
It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.
Conditions:
BIG-IP systems are not affected by this vulnerability.
Impact:
None.
Workaround:
None.
Fix:
Patched CVE-2018-1000120.
714384-2 : DHCP traffic may not be forwarded when BWC is configured
Component: Local Traffic Manager
Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.
Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.
Impact:
DHCP traffic may not be forwarded.
Workaround:
There is no workaround other than to remove the BWC policy.
Fix:
DHCP traffic is now forwarded when BWC is configured.
714334-2 : admd stops responding and generates a core while under stress.
Component: Anomaly Detection Services
Symptoms:
admd stops responding and generates a core while under stress.
Conditions:
-- The BIG-IP system is under stress.
-- CPU starvation is occurring.
Impact:
admd core and restart.
Note: The admd process provides stress-based DoS detection and mitigation control. When admd is not running, there is no stress-based anomaly detection or behavioral statistics aggregation.
Workaround:
None.
Fix:
This issue no longer occurs.
714303-2 : X520 virtual functions do not support MAC masquerading
Solution Article: K25057050
Component: TMOS
Symptoms:
MAC masquerading is not supported when using X520 virtual functions (VFs) via SR-IOV in Virtual Edition (VE). This is due to a lack of functionality in the underlying hardware.
Conditions:
-- Use SR-IOV VFs as interfaces within VE.
-- Configure MAC masquerading with a shared MAC that should follow the active system after traffic group failovers.
Impact:
MAC masquerading does not function in this environment.
Workaround:
None.
Fix:
MAC masquerading is now supported when using X520 VFs via SR-IOV in VE with following prerequisites:
-- VFs must have MAC addresses before deploying the BIG-IP system.
-- Trust mode must be set on the host.
-- The DB variable, tm.macmasqaddr_per_vlan must be set to true if VFs belong to the same PF.
-- The driver version must match the following:
+ Driver: ixgbe
+ Version: 5.1.0-k-rh7.5
+ Firmware-version: 0x80000656
714153-2 : REST filter on nested entities has no effect
Component: Application Security Manager
Symptoms:
REST filter on nested entities has no effect, and all results are returned.
Conditions:
A REST GET request is issued using a filter on a nested entity, such as filtering URLs on CORS originName.
Impact:
The filter is ignored and all results are returned.
Workaround:
None.
Fix:
REST filter on nested entities is applied correctly and only returns the matching entities.
713951-6 : tmm core files produced by nitrox_diag may be missing data
Component: Local Traffic Manager
Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.
Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.
Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.
713934-1 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result in a malformed TC response
Component: Local Traffic Manager
Symptoms:
Received malformed Truncated DNS response.
Conditions:
-- Using iRule 'DNS::question name' to shorten the name.
-- DNS response is longer than the 4096 UDP limit.
Impact:
DNS request might not be resolved correctly.
Workaround:
There is no workaround at this time.
Fix:
In this release, when DNS::query name changes the query name, the software ensures that the request is updated with proper lengths.
713932-2 : Commands are replicated to PostgreSQL even when not in use.
Component: TMOS
Symptoms:
In MCP, PostgreSQL is used only by AFM. Even when AFM is not provisioned, however, commands are being replicated to PostgreSQL.
Conditions:
AFM is not provisioned.
Impact:
Unnecessary CPU cycles spent by MCP replicating commands to PostgreSQL.
Workaround:
None.
Fix:
Prevented replication of commands to PostgreSQL when it is not in use.
713766-1 : VLAN failsafe failover may not occur
Component: Local Traffic Manager
Symptoms:
VLAN failsafe may not take effect and cause failover.
Conditions:
If the VLAN failsafe is disabled, and then re-enabled, it might not properly take effect.
Impact:
System will not fail over when it should.
Workaround:
The failure condition is cleared by the next reboot following the disable/enable.
Fix:
Failover occurs as expected.
713690-4 : IPv6 cache route metrics are locked
Component: Local Traffic Manager
Symptoms:
Under certain circumstances IPv6 route metrics are locked for the lifetime of a route metrics cache entry.
Conditions:
Under certain circumstances IPv6 route metrics cache entries are created locked.
Impact:
IPv6 route metrics are locked for the lifetime of a route metrics cache entry. When subsequent ICMPv6 Packet Too Big messages with a larger MTU are received, the value does not get updated.
Workaround:
None.
Fix:
IPv6 route metrics are not locked anymore.
713655-1 : RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
Component: Access Policy Manager
Symptoms:
If per-session access policy requests route domain selection during policy evaluation, the agent might hang and fail to retrieve route domain information. APMD might restart and produce a core file.
Conditions:
-- Policy sync operation.
-- System receives a query for route domain information.
-- There is a heavy load of control plane traffic to process.
Impact:
Poor performance and/or APMD restarts with a core file, causing brief disruption of the authentication service.
Workaround:
None.
Fix:
Route domain selection operations no longer fail under heavy control-plane traffic/activities.
713533-1 : list self-ip with queries does not work
Component: Local Traffic Manager
Symptoms:
The "list net self" command always returns all Self IPs, regardless of the regex patterns.
Conditions:
list net self always returns all Self IPs.
Impact:
You are unable to filter the Self IP list using a regex pattern.
Fix:
You can now use pattern matching to list Self IPs.
713491-3 : IKEv1 logging shows spi of deleted SA with opposite endianness
Component: TMOS
Symptoms:
Sometimes the IKEv1 racoon daemon logs a 32-bit child-SA spi with octets in backwards order (reversing the endianness).
Conditions:
When an SA is deleted.
Impact:
Logging typically shows a network byte order spi in the wrong order. Cosmetic interference with logging interpretation.
Workaround:
There is no workaround at this time.
Fix:
The spi values are shown in the correct endianness now.
713282-2 : Remote logger violation_details field does not appear when virtual server has more than one remote logger
Component: Application Security Manager
Symptoms:
Remote logger violation_details field appears empty.
Conditions:
-- More than one remote logger is attached to the virtual server.
-- A violation occurs.
-- Viewing the associated log.
Impact:
Violation_details field appears empty in logs.
Workaround:
There is no workaround at this time.
Fix:
Remote logger violation_details field is now populated as expected when the virtual server has more than one remote logger.
712919-3 : Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server.
Component: Local Traffic Manager
Symptoms:
When an iRule is removed from a Virtual Server, especially one with explicitly specified high priority (with "priority" keyword), other iRules on the same Virtual Server may become "invisible" i.e. they are present but some of them are no longer executed. It may affect all the events or only certain types of them. Under certain conditions the defect may even disappear upon removing another iRule, particularly if it has low priority and handles the same event as the one which introduced the problem.
Conditions:
Removing an iRule from a Virtual Server.
Impact:
Some or all iRules on given Virtual Servers stop being executed.
Workaround:
Restart or reload the configuration. If removing iRules needs to be performed in run-time and it triggers the problem, it can be prevented by having any iRule (even an empty one) for the same event, as the iRule which is going to be removed, but with higher priority e.g. with attribute "priority 1".
Fix:
Corrected scanning of iRules stored behind the one which is being deleted.
712876-1 : CVE-2017-8824: Kernel Vulnerability
Solution Article: K15526101
712819-1 : 'HTTP::hsts preload' iRule command cannot be used
Component: Local Traffic Manager
Symptoms:
Using the 'HTTP::hsts preload' iRule command in the GUI, you might see error message similar to the following:
01070151:3: Rule [/Common/test] error: /Common/test:3: error: ["invalid argument preload; expected syntax spec: "][HTTP::hsts preload enable].
The message is incorrect: the command has the correct format. However, the system does not run it.
Conditions:
Using the 'HTTP::hsts preload' iRule command in the GUI.
Impact:
The command does not run. Cannot use the 'HTTP::hsts preload' iRule command in the GUI.
Workaround:
None.
Fix:
'HTTP::hsts preload' iRule command now works as expected.
712664-1 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, an IPv6 NS may be dropped if it is for a host on the remote VLAN of a transparent vlangroup and matches a virtual address that has ARP disabled.
Conditions:
- transparent vlan-group
- Virtual Address with ARP disabled
- Virtual Address corresponds to remote IPv6 host address
Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.
Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.
Fix:
IPv6 NS is no longer dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address.
712637-1 : Host header persistence not implemented
Component: Local Traffic Manager
Symptoms:
Online documentation describes a persistence mechanism that uses the HTTP Host: header. However, this mechanism is not implemented, and attempts to use it generate an error.
Conditions:
Online help for ltm persistence says that Host persistence can be enabled via iRule, but attempting to do so generates an error 'invalid argument host'.
Impact:
Although this does not impact any existing functionality, the documented function is not available.
Workaround:
There is no workaround at this time.
Fix:
LTM Host: header persistence is implemented.
712362-4 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
Component: Application Security Manager
Symptoms:
When the WebSocket HTTP handshake response arrives without the 'Switching Protocols' reason phrase in its first line, ASM does not follow up on WebSocket frames on that WebSocket connection.
The system posts the following messages in /ts/log/bd.log:
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0269|101 Switching Protocols HTTP status arrived, but the websocket hanshake failed.
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0270|Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.
Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- WebSocket backend server sends 101 response without the 'Switching Protocols' phrase.
Impact:
WebSocket frames stall.
Workaround:
#1 Change the backend server:
Change the WebSocket backend server so that its 101 response includes the 'Switching Protocols' reason phrase:
HTTP/1.1 101 Switching Protocols
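#2 Use an iRule:
when SERVER_CONNECTED {
    # Collect the first 15 bytes of the server response.
    TCP::collect 15
}
when SERVER_DATA {
    # "HTTP/1.1 101 \r\n" is a status line with an empty reason phrase.
    if { [TCP::payload 15] contains "HTTP/1.1 101 \r\n" } {
        TCP::payload replace 0 12 "HTTP/1.1 101 Switching Protocols"
    }
    # Release the collected payload so the response continues to the client.
    TCP::release
}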
Fix:
This release correctly handles 101 responses even without the 'Switching Protocols' reason phrase.
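The following added example (not F5 code) shows a WebSocket handshake check that keys on the status code and the RFC 6455 headers rather than the reason phrase, so a bare "HTTP/1.1 101 " status line is accepted. The function names and sample responses are constructed for illustration; the key/accept pair is the example from RFC 6455.

```python
import base64
import hashlib

# Fixed GUID from RFC 6455, section 1.3.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def expected_accept(sec_websocket_key):
    """Sec-WebSocket-Accept value the server must return for a request key."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_status_line(line):
    """Return (version, status_code, reason_phrase).

    RFC 7230 defines reason-phrase as zero or more characters, so
    "HTTP/1.1 101 " is a well-formed status line with an empty phrase.
    """
    parts = line.split(" ", 2)
    if len(parts) < 2:
        raise ValueError("malformed status line: %r" % line)
    version, code = parts[0], parts[1]
    reason = parts[2] if len(parts) == 3 else ""
    if not version.startswith("HTTP/") or len(code) != 3 or not code.isdigit():
        raise ValueError("malformed status line: %r" % line)
    return version, int(code), reason


def parse_response_head(raw):
    """Parse the status line and headers of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    _version, code, reason = parse_status_line(lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return code, reason, headers


def handshake_problems(raw, sec_websocket_key):
    """List the reasons a server handshake response is not acceptable.

    The reason phrase is deliberately not consulted.
    """
    code, _reason, headers = parse_response_head(raw)
    problems = []
    if code != 101:
        problems.append("status %d, expected 101" % code)
    if headers.get("upgrade", "").lower() != "websocket":
        problems.append("Upgrade header is not 'websocket'")
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        problems.append("Connection header lacks the 'Upgrade' token")
    if headers.get("sec-websocket-accept") != expected_accept(sec_websocket_key):
        problems.append("Sec-WebSocket-Accept does not match the request key")
    return problems


# Constructed sample data; the key/accept pair is the example from RFC 6455.
KEY = "dGhlIHNhbXBsZSBub25jZQ=="
HEADERS = (
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n"
    b"\r\n"
)
NO_REASON = b"HTTP/1.1 101 \r\n" + HEADERS
WITH_REASON = b"HTTP/1.1 101 Switching Protocols\r\n" + HEADERS
BAD_ACCEPT = NO_REASON.replace(
    b"s3pPLMBiTxaQ9kYGzzhZRbK+xOo=", b"AAAAAAAAAAAAAAAAAAAAAAAAAAA="
)

if __name__ == "__main__":
    samples = (("no reason", NO_REASON), ("with reason", WITH_REASON),
               ("bad accept", BAD_ACCEPT))
    for label, raw in samples:
        print(label, handshake_problems(raw, KEY) or "ok")
```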
711981-6 : BIG-IP system accepts larger-than-egress MTU, PMTU update
Component: Local Traffic Manager
Symptoms:
A Path MTU (PMTU) message can lead the BIG-IP system to falsely assume that the egress MTU on the related flow is larger than the interface egress MTU.
Conditions:
A valid PMTU message.
Impact:
BIG-IP sends larger-than-configured interface egress MTU messages.
Workaround:
None.
Fix:
The BIG-IP system now limits the flow egress MTU to the interface egress MTU.
711405-2 : ASM GUI Fails to Display Policy List After Upgrade
Solution Article: K14770331
Component: Application Security Manager
Symptoms:
After upgrade to version 13.1.0 or later, ASM GUI fails to display the Policy List.
Conditions:
Using an 11.5.0 to 11.5.4-HF1 version that is affected by the issue of policies with duplicate REST IDs that occurred after restoring from policy history or using Policy Diff to compare policies.
Impact:
The ASM GUI started using the REST API in version 13.1.0, so any systems that were affected by this issue on a previous version now cause the GUI to fail to display the Policy List.
Workaround:
On the device run the following script:
---------------------------------
perl -MF5::DbUtils -MF5::Utils::Rest -MF5::ASMConfig::Entity::Policy -e '$dbh = F5::DbUtils::get_dbh();
$dbh->begin_work();
$dbh->do("UPDATE PLC.PL_POLICIES a SET a.rest_uuid = \"\" WHERE a.rest_uuid IN ( SELECT rest_uuid FROM (SELECT rest_uuid FROM PLC.PL_POLICIES GROUP BY rest_uuid having count(*) > 1) b)");
F5::Utils::Rest::populate_uuids(dbh => $dbh);
$dbh->commit();'
---------------------------------
Note: In a management environment, this change must be pushed to the peer as a full sync. The easiest way to do so is to ensure that the ASM sync device group is in manual sync mode, and to push the config to the peers from the device where the script was run.
Fix:
This data inconsistency is now repaired on upgrade, and the GUI loads the policy list successfully.
711281-6 : nitrox_diag may run out of space on /shared
Component: Local Traffic Manager
Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.
Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.
Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.
Workaround:
The only workaround is to ensure there is enough free space for the files to be created.
In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte, though more might be needed for systems with a large amount of RAM.
Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.
711249-3 : NAS-IP-Address added to RADIUS packet unexpectedly
Component: TMOS
Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.
Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.
Impact:
Authentication does not work because the request has an invalid/unrecognized source NAS-IP-Address.
Workaround:
Configure cluster member IP address or define hostname and address via global-settings remote-host.
711093-4 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
Component: Policy Enforcement Manager
Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.
Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).
Impact:
PEM sessions remain in marked-for-delete state.
Workaround:
None.
Fix:
PEM sessions no longer stay in the marked-for-delete state after session delete.
710976-2 : Network Map might take a long time to load
Component: TMOS
Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.
For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.
In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.
# tmsh list ltm virtual vs
ltm virtual vs {
    creation-time 2018-03-06:18:27:53
    destination 0.0.0.0:any
    ip-protocol tcp
    last-modified-time 2018-03-06:18:27:53
    mask any
    profiles {
        myhttp { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        socks-tunnel
    }
    vs-index 5
}
Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.
-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.
Impact:
It takes tens of seconds to load the Network Map page.
Workaround:
None.
Fix:
The data loading performance was improved to load the page faster.
710884-2 : Portal Access might omit some valid cookies when rewriting HTTP request.
Component: Access Policy Manager
Symptoms:
Portal Access is not sending certain cookies to the backend application.
Conditions:
-- Request path and cookie path are equal.
-- The last character of request path is not a forward slash (/).
Impact:
Backend application does not receive some cookies and may decide that APM end users are not authenticated, when they are.
Workaround:
There is no workaround at this time.
Fix:
Fixed an issue in Portal Access which could cause web-applications to lose some valid cookies.
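The conditions above (request path equal to the cookie path, with no trailing slash) are the first clause of the RFC 6265 path-match rule. This added example, which is not F5 code, implements that rule next to a hypothetical matcher that only accepts a '/' boundary, to show how the equal-path cookie gets dropped when a proxy builds the backend Cookie header. The cookie jar and both function names are constructed.

```python
from collections import namedtuple

Cookie = namedtuple("Cookie", "name value path")


def path_match(request_path, cookie_path):
    """RFC 6265, section 5.1.4: does request_path path-match cookie_path?"""
    if request_path == cookie_path:
        return True                      # identical paths always match
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True                  # "/app/" covers "/app/login"
        if request_path[len(cookie_path)] == "/":
            return True                  # "/app" covers "/app/login"
    return False                         # "/app" does not cover "/application"


def boundary_only_match(request_path, cookie_path):
    """Hypothetical flawed matcher (an assumption, not the product's code).

    It insists on a '/' boundary after the cookie path, so a cookie whose
    path equals the request path is missed unless that path ends in '/'.
    """
    prefix = cookie_path if cookie_path.endswith("/") else cookie_path + "/"
    return request_path.startswith(prefix)


def cookie_header(jar, request_path, matcher=path_match):
    """Build the Cookie header value a rewriting proxy would send upstream."""
    matching = [c for c in jar if matcher(request_path, c.path)]
    # RFC 6265, section 5.4: cookies with longer paths are listed first.
    matching.sort(key=lambda c: len(c.path), reverse=True)
    return "; ".join("%s=%s" % (c.name, c.value) for c in matching)


# Constructed cookie jar for illustration.
JAR = [
    Cookie("lang", "en", "/app"),
    Cookie("SESSION", "abc123", "/app/login"),
    Cookie("other", "x", "/app/loginx"),
    Cookie("root", "1", "/"),
]

if __name__ == "__main__":
    for path in ("/app/login", "/app/login/", "/application"):
        print(path)
        print("  RFC 6265     :", cookie_header(JAR, path))
        print("  boundary-only:", cookie_header(JAR, path, boundary_only_match))
```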
710857-1 : iControl requests may cause excessive resource usage
Solution Article: K64855220
710827-1 : TMUI dashboard daemon stability issue
Solution Article: K44603900
710705-1 : Multiple Wireshark vulnerabilities
Solution Article: K34035645
710277-4 : IKEv2 further child_sa validity checks
Component: TMOS
Symptoms:
A tmm restart can occur when a child_sa is rekeyed at expiration time, provided a race condition occurs.
Conditions:
Rekeying a child_sa at expiration time while a race condition allows that child_sa to be destroyed while it is still in use.
Impact:
Restart of tmm and outage of IPsec tunnels until renegotiated.
Workaround:
None.
Fix:
The validity of a child_sa and its traffic selector are checked now before use, to prevent failure when freed objects are accidentally used.
710246-1 : DNS-Express was not sending out NOTIFY messages on VE
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express is not sending out NOTIFY messages on BIG-IP Virtual Edition (VE).
Conditions:
-- DNS Express configured to send out NOTIFY messages.
-- Running on BIG-IP VE configuration.
Impact:
DNS secondary servers serving stale data.
Workaround:
There is no workaround at this time.
Fix:
DNS Express now sends out NOTIFY messages on VE.
710244-4 : Memory Leak of access policy execution objects
Solution Article: K27391542
710232-1 : platform-migrate fails when LACP trunks are in use
Component: TMOS
Symptoms:
Use of the platform-migrate option might fail due to some configurations being invalid on the new system. The error message generated appears as follows:
01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform.
Conditions:
-- You have a trunk with LACP enabled.
-- You are migrating from a hardware platform to a Virtual Edition (VE).
Impact:
Configuration fails to migrate.
Workaround:
After taking the old system offline, but before saving the UCS, disable LACP on all trunks.
710221-1 : Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled
Solution Article: K67352313
Component: Local Traffic Manager
Symptoms:
In a high availability (HA) configuration where an FQDN template-node on the 'active' unit is set to 'Force Offline' and the configuration is synchronized to the 'standby' unit, selecting 'Enable' for that FQDN template-node on the 'active' unit (and synchronizing the configuration to the 'standby' unit) leaves the ephemeral nodes associated with that FQDN template node Unavailable on the 'standby' unit.
Conditions:
-- HA configuration is configured with 'active' sync.
-- FQDN template-node is configured.
-- After ephemeral nodes are refreshed on the 'active' unit, it transitions to the 'standby' unit.
-- The FQDN template node on the (new-'active') unit is set to 'Force Offline' by the user.
-- The user explicitly selects 'Enable' for that FQDN template node on the 'active' unit.
Impact:
The ephemerals on the 'standby' unit remain unavailable, even though the associated FQDN template node is 'available'. However, as no traffic is routed to the 'standby' unit, traffic is unaffected. Upon transition from 'standby' to 'active', the ephemeral nodes will be refreshed and traffic should continue.
Workaround:
You can use either of these configuration options to prevent this issue from occurring:
-- Select 'Disabled' (rather than 'Force Offline') for the FQDN template node on the 'active' unit.
-- Configure the node without using FQDN.
Fix:
Upon 'Force Offline' and then 'Enable' for an FQDN template node on an 'active' unit in a high availability (HA) configuration, the ephemerals on the 'standby' unit will reflect the re-enabled status based on the associated FQDN template-node on the 'active' unit.
710148-1 : CVE-2017-1000111 & CVE-2017-1000112
Solution Article: K60250153
710032-2 : 'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system.
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system posts a 'No Access' error message instead of the virtual server's properties.
Conditions:
-- At least two BIG-IP systems in a sync group.
-- One of the BIG-IP systems has a partition that does not exist on the other with an LTM virtual server on that partition.
-- The issue occurs when a GSLB Server discovers that LTM virtual server and displays it on its virtual server page.
Note: This same error message displays for GSLB pool member properties accessed by navigating to GSLB :: pools :: [pool] :: members :: Member : Address. The differing issues have been fixed in differing releases. You can find information about the similar issue in the AskF5 Bug Tracker article for 722734.
Impact:
It makes the GSLB Server's virtual server's properties page unavailable in this case.
Workaround:
Use either of the following workarounds:
-- Use TMSH to view or edit the properties of that virtual server.
-- Create partitions on the GTM device to match those appearing to be referenced in the object names.
Fix:
Partition checking has been disabled for virtual servers on the GTM side, since a virtual server owned by a server is always in the partition of that server (/Common).
710028-1 : LTM SQL monitors may stop monitoring if multiple monitors querying same database
Component: Local Traffic Manager
Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.
When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:
[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'
then multiple, periodic instances of the following message, referencing the same connection string:
Abandoning hung SQL query: '<query string>' for: '<connection string>'
or:
<connection string>(<thread-number>): Hung SQL query; abandoning
Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.
And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.
Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.
Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.
To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.
Fix:
LTM SQL monitors continue monitoring when multiple monitors query the same server and database.
709972 : CVE-2017-12613: APR Vulnerability
Solution Article: K52319810
709936-2 : Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
Component: TMOS
Symptoms:
/var/log/boot.log has this error:
dhcp_config: save error: 01070911:3: The requested host (ntp-servers-ip) is invalid for servers in ntp (/Common/ntp).
Conditions:
- The BIG-IP system has DHCP enabled for management interface.
- Multiple NTP servers or domain-search are specified in the dhclient lease (stored at /var/lib/dhclient/dhclient.leases).
Impact:
- DNS and NTP servers are not configured in MCPD.
- Name resolution can break.
Workaround:
None.
Fix:
Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
709828-1 : fasthttp can crash with Large Receive Offload enabled
Component: Local Traffic Manager
Symptoms:
fasthttp and lro can lead to a tmm crash.
Conditions:
fasthttp and lro enabled. (lro is enabled by default in 13.1.0 and later.)
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use fasthttp.
Fix:
fasthttp with lro enabled no longer causes tmm to crash.
709688-2 : dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
Solution Article: K08306700
709670-4 : iRule triggered from RADIUS occasionally fails to create subscribers.
Component: Policy Enforcement Manager
Symptoms:
The subscriber cannot be added with the same IP address after retries. This is a rarely occurring issue: if the daily average of subscriber additions is ~30000 subscribers, 5 to 6 subscribers face this problem (0.02%).
Conditions:
Running iRule to create PEM sessions from RADIUS packets using the 'PEM::subscriber create' command.
Impact:
Intermittently (a few operations per day), the command silently fails. No session is created, and no TCL error is produced. Subscriber addition requires manual intervention.
Workaround:
Trigger a RADIUS START using a different IP address for the subscriber.
709610-4 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
Component: Policy Enforcement Manager
Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.
Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
    value "0"
}
sys db tmm.pem.session.provisioning.continuous {
    value "disable"
}
-- Actions occur in the following order:
1. PEM receives RADIUS START with subscriber ID1 and IP1.
2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
3. PEM receives RADIUS START with subscriber ID1 and IP2.
4. PEM receives RADIUS STOP with subscriber ID1 and IP2.
-- The time interval between steps 1 and 2 is very small (less than ~1ms).
Impact:
Subscriber session creation via PEM may fail.
Workaround:
There is no workaround other than to leave the SysDB variables set to the default values.
Fix:
The system now handles PEM subscriber session updates properly, so this issue no longer occurs.
709256-1 : CVE-2017-9074: Local Linux Kernel Vulnerability
Solution Article: K61223103
709192-2 : GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart
Component: TMOS
Symptoms:
The export operation of SSL keys and certificate into a .tgz archive file fails when the httpd daemon is restarted.
Conditions:
-- Export SSL Keys and certificates into archive file.
-- httpd is restarted.
Impact:
Export of SSL Keys and certificates into archive file does not work immediately after httpd restart via GUI/iControl.
Workaround:
After an httpd restart, perform another operation, such as creating a key/cert, before exporting the archive file.
Fix:
The system now allows SSL keys and certificates to be exported into .tgz archive files after an httpd restart.
709133-1 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur
Component: Local Traffic Manager
Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error can occur.
Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- An error occurs when reading the certificate serial number.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not setting the tmm.ssl.loggingcreatedcerts BigDB variable.
Fix:
Double-free removed.
709132-2 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur
Component: Local Traffic Manager
Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a buffer overflow can occur.
Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- A malformed certificate with a serial number length equal to 256 bytes is parsed during forging.
Impact:
An off-by-one error causes one byte to be written past the end of an array.
Workaround:
There is no workaround other than to not set tmm.ssl.loggingcreatedcerts BigDB variable.
Fix:
Buffer no longer overflows.
708968-1 : OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
Component: TMOS
Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not created in TMM when passed from Dynamic Routing protocols like OSPFv3.
Conditions:
- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.
Impact:
- Route entry is not created in TMM; packets addressed to such a destination might not be delivered at all or might not be delivered using the most efficient route.
- The connection between TMM and tmrouted is restarted, which adds a small performance overhead.
Workaround:
- If possible, pass an IPv4 address or IPv4-compatible IPv6 address instead of an IPv4-mapped IPv6 address; however, this depends on other routers.
708956-3 : During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
Solution Article: K51206433
Component: TMOS
Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
Dataplane INOPERABLE - only 1 HSBes found on this platform.
Conditions:
-- This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.
Impact:
System does not come up.
Workaround:
Reboot system.
Because this condition only happens occasionally, rebooting typically corrects the issue.
Fix:
This release fixes a race condition that might have occurred while reading FPGA firmware loading status.
708484-1 : Network Map might take a long time to load
Component: TMOS
Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.
For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.
In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.
# tmsh list ltm virtual vs
ltm virtual vs {
    creation-time 2018-03-06:18:27:53
    destination 0.0.0.0:any
    ip-protocol tcp
    last-modified-time 2018-03-06:18:27:53
    mask any
    profiles {
        myhttp { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        socks-tunnel
    }
    vs-index 5
}
Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.
-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.
Impact:
It takes tens of seconds to load the Network Map page.
Workaround:
None.
708389-1 : BADOS monitoring with Grafana requires admin privilege
Component: Anomaly Detection Services
Symptoms:
Current Grafana monitoring requires admin privilege.
Grafana stores its internal database in unencrypted format, so the admin password can be extracted from a compromised computer.
Conditions:
Monitoring using Grafana.
Impact:
Guest user cannot access data needed for Grafana.
Workaround:
None.
Fix:
There is now a REST call to pool the Grafana statistics. This allows any user (including guest), not just admin or root, to access data needed for Grafana.
Behavior Change:
This release introduces the following tmsh commands:
-- tmsh run util admdb - for help
+ list-element path_folder - lists folder
+ view-element path_file - view file contents
+ list-metrics path vs
+ table-query base_path db sRate tsfiles ts metric_columns_aliases
The path must be under /shared/admdb, for example:
-- run util admdb list-element /shared/admdb/default/_a_l_l
-- run util admdb view-element /shared/admdb/default/_a_l_l/info.sysinfo/1000/1522229248000.txt
-- run util admdb table-query /shared/admdb default 1000 '[1522233344000]' '[1522234774492,1522235074492]' '[["info.attack",["v0"],"Attack"],["sig.health",["v0"],"Health"],["info.learning",["v0"],"Learning"],["info.learning",["v2"],"Learned samples"]]'
708249-1 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit
Component: Local Traffic Manager
Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.
Conditions:
Run the nitrox_diag command.
Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.
Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0
Fix:
The nitrox_diag utility now uses the -s0 flag to generate QKView files, so there is no longer a 5 MB maximum file size limit, and the full QKView file is created.
708068-1 : Tcl commands like "HTTP::path -normalize" do not return normalized path.
Component: Local Traffic Manager
Symptoms:
When using HTTP::path with the -normalized parameter:
"%2E%2E" is converted to ".." (expected)
"/foo/../bar" is converted to "/bar" (expected)
"/foo/%2E%2E/bar" is converted to "/foo/../bar" (unexpected)
Conditions:
The TCL command HTTP::path -normalize does not return normalized path as expected.
Impact:
Unexpected result.
Workaround:
There is no workaround.
Fix:
The TCL command HTTP::path -normalize should return normalized path.
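The three symptom cases above are what a normalizer produces when it collapses dot segments before it percent-decodes. This added example (not F5 code; the processing order is an assumption used to reproduce the listed outputs) contrasts that order with decode-then-collapse and shows the effect on a constructed prefix-based access check. All names and sample paths other than the two from the symptom list are constructed.

```python
from urllib.parse import unquote


def remove_dot_segments(path):
    """Collapse "." and ".." segments of an absolute path (RFC 3986, 5.2.4)."""
    if not path.startswith("/"):
        raise ValueError("expected an absolute request path")
    segments = path[1:].split("/")
    out = []
    for seg in segments:
        if seg == ".":
            continue
        if seg == "..":
            if out:
                out.pop()          # never climbs above the root
            continue
        out.append(seg)
    normalized = "/" + "/".join(out)
    # A path ending in "." or ".." names a directory: keep the trailing slash.
    if segments[-1] in (".", "..") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def collapse_then_decode(path):
    """Order that reproduces the reported symptom.

    "%2E%2E" is still opaque when dot segments are collapsed and only
    becomes ".." afterwards, so it survives in the result.
    """
    return unquote(remove_dot_segments(path))


def decode_then_collapse(path):
    """Decode percent-escapes once, then collapse dot segments."""
    return remove_dot_segments(unquote(path))


def allowed_by_prefix(normalized_path, prefix="/public/"):
    """Constructed policy check: allow only paths under `prefix`."""
    return normalized_path.startswith(prefix)


# The first two inputs are the cases from the symptom list; the rest are
# constructed for illustration.
SAMPLES = [
    "/foo/../bar",
    "/foo/%2E%2E/bar",
    "/public/%2e%2e/admin/users",
    "/public/css/./site.css",
]


def compare(paths=SAMPLES):
    """Return (input, collapse_then_decode, decode_then_collapse) per path."""
    return [(p, collapse_then_decode(p), decode_then_collapse(p)) for p in paths]


if __name__ == "__main__":
    for raw, wrong, right in compare():
        print("%-30r wrong-order=%-28r right-order=%r" % (raw, wrong, right))
        if allowed_by_prefix(wrong) != allowed_by_prefix(right):
            print("    prefix policy decision differs between the two orders")
```

Any rule that matches on the normalized path should be evaluated against the decode-then-collapse result, which is the form the backend will resolve.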
707961-1 : Unable to add policy to virtual server; error = Failed to compile the combined policies
Solution Article: K50013510
Component: Local Traffic Manager
Symptoms:
LTM policy does not compile if it has more than one similar condition, and some of them refer to datagroup and others to non-datagroup types. The policy compiles if similar conditions all refer to datagroups or to non-datagroups.
010716d8:3: Compilation of ltm policies for virtual server /Common/vs_name failed; Failed to compile the combined policies.
Conditions:
-- LTM policy that has more than one similar condition.
-- Some conditions refer to datagroup types.
-- Some conditions refer to non-datagroup types.
Following is an example of such an LTM policy (i.e., referring to both datagroup and non-datagroup types):
ltm policy /Common/example_ltm_policy {
    published-copy /Common/block_URI
    requires { http }
    rules {
        example_Rule {
            conditions {
                0 {
                    http-host
                    host
                    datagroup /Common/example_datagroup <------ Datagroup
                }
                1 {
                    http-host
                    host
                    values { example.com } <------ Non-Datagroup
                }
            }
        }
    }
    strategy /Common/first-match
}
Impact:
LTM policy does not compile. Cannot use the policy.
Workaround:
Create a datagroup for the non-datagroup type and use it in policy instead.
Fix:
LTM Policy compiles if it has more than one similar condition, and some of them refer to datagroup and others to non-datagroup types.
707951-3 : Stalled mirrored flows on HA next-active when OneConnect is used.
Component: Local Traffic Manager
Symptoms:
-- 'tmctl -d blade tmm/umem_usage_stat | grep xdata' may show increased memory usage.
-- 'tmsh show sys connect' shows idle flows.
Conditions:
- OneConnect profile is configured.
- High availability (HA) mirroring is enabled.
Impact:
- Some flows are mirrored incorrectly.
- Stalled flows may occupy a lot of memory.
Workaround:
Disable OneConnect.
Fix:
Stalled mirrored flows no longer appear when OneConnect is used.
707740-5 : Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination
Component: TMOS
Symptoms:
When attempting to delete a GTM monitor, the system indicates that it is in use, even after removing that monitor from all GTM virtual servers. The system posts a message similar to the following:
01070083:3: Monitor /Common/mon-A is in use.
Conditions:
1. Attach a GTM monitor to multiple GTM virtual servers in the same transaction, where both of the virtual servers are monitoring the same ip:port.
2. Remove the monitor from all virtual servers.
3. Attempt to delete the monitor from the configuration.
Impact:
Cannot delete the unused monitor.
Workaround:
After removing the monitor from all virtual servers, reload the GTM configuration using the following command:
tmsh load sys config gtm-only
You can now delete the monitor.
Fix:
You can now delete an unused GTM monitor, if that monitor was attached to multiple GTM virtual servers of the same ip+port combination.
707691-5 : BIG-IP handles some pathmtu messages incorrectly
Component: Local Traffic Manager
Symptoms:
FastL4 virtual servers incorrectly handle some pathmtu messages, such as ICMPv4 unreachable/fragmentation needed and ICMPv6 packet too big.
Conditions:
This occurs when the following conditions are true:
-- The client sends a window scaling factor greater than 0 (zero).
-- The server sends a window scaling factor equal to 0 (zero).
-- The pmtu message is within the window, but does not reflect the exact expected sequence number. The delta is bigger than the advertised window scaled at a factor of 0 (zero).
Impact:
pmtu message is erroneously ignored.
Workaround:
There is no workaround at this time.
Fix:
This issue no longer occurs.
707585-2 : Use native driver for 82599 NICs instead of UNIC
Component: TMOS
Symptoms:
-- Lower performance in TPS.
-- Increased CPU consumption for throughput.
Conditions:
-- Running BIG-IP Virtual Edition (VE) (UNIC is the default Virtual Function Network Driver for VE).
-- High data rates, perhaps particularly when connection mirroring is configured.
Impact:
Lower TPS performance numbers and higher CPU usage in throughput tests.
Workaround:
In case of UNIC, extra CPUs must be allocated to handle SoftIRQs for higher performance.
Fix:
This release provides a native driver based on F5's physical platforms.
707570-1 : 'Export Suggestions' from Traffic Learning fails for suggestions that previously associated requests are no longer available.
Component: Application Security Manager
Symptoms:
Export Suggestions operations fail when none of the previously associated requests are available.
Conditions:
There are suggestions for which associated requests are no longer available.
Impact:
'Export Suggestions' fails.
Workaround:
None.
Fix:
All suggestions can be successfully exported.
707391-1 : BGP may keep announcing routes after disabling route health injection
Component: TMOS
Symptoms:
As a result of a known issue, a BIG-IP system with BGP configured may continue to announce routes even after disabling the virtual address or disabling route announcement on the virtual address.
Conditions:
-- BGP is configured with multiple routes announced via virtual-address route announcements.
-- Configuration changes are made to the BGP configuration itself.
-- The virtual address or its route health announcement is disabled.
Impact:
Prefixes continue to exist in the BGP table even after disabling the virtual address (visible via imish with the "show ip bgp" command), and the prefix continues to be announced to configured peers.
Workaround:
Restart the dynamic routing process.
Fix:
BGP no longer keeps announcing routes after disabling route health injection.
707267-2 : REST Framework HTTP header limit size increased to 8 KB
Component: TMOS
Symptoms:
The HTTP header size limit causes 'Error getting auth token from login provider' GUI messages.
Conditions:
A client uses an HTTP Header larger than 4 KB to make a request to the REST framework.
Impact:
Users cannot log in or access certain pages in the GUI.
Workaround:
Clear browser cookies, or otherwise reduce the size of the HTTP headers, so that the total size of the HTTP headers is smaller than 4 KB.
Fix:
The HTTP header size limit for the REST Framework has been increased to 8 KB to match the limit set by Apache.
707207-3 : iRuleLx returning undefined value may cause TMM restart
Component: Local Traffic Manager
Symptoms:
When an iRulesLX rule returns an undefined value, TMM may restart. An example of an undefined value is one where its jsonrpc v2.0 representation is missing required fields, such as "result".
Conditions:
iRulesLX is licensed, and a rule is run that returns an undefined value.
Impact:
Traffic is interrupted.
Workaround:
There is no workaround at this time.
Fix:
A TMM restart resulting from an iRulesLX rule returning an undefined value was fixed.
707100-1 : Potentially fail to create user in AzureStack
Component: TMOS
Symptoms:
Using Microsoft Azure Stack on the BIG-IP Virtual Edition (VE) configured with password authentication, the system sometimes fails to create the provided user, which means that the VE admin cannot ssh in after deployment. Note that an unexpected reboot causes this to occur during provisioning, and that Microsoft might have already fixed this issue.
Conditions:
Azure Stack VE provisioned with password authentication.
Impact:
Admin loses provisioned VE instance because there is no way to ssh in.
Workaround:
Deploy VE with key authentication.
Fix:
Extra handling was added to make user creation work even with unexpected reboots happening during Azure Stack provisioning.
707013-2 : vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest
Component: TMOS
Symptoms:
-- clusterd restarts on secondary blade.
-- Messages similar to the following are logged in each secondary blade's /var/log/ltm file as clusterd restarts:
Management IP (<guest_management_ip>) already in use by (vcmp guest <guest_name>)
-- Messages similar to the following are logged in the primary blade's /var/log/ltm file when clusterd restarts on a secondary blade:
notice clusterd[3676]: 013a0006:5: Hello from slot 1.
notice clusterd[3676]: 013a0006:5: Informing MCP about slot ID 1 member status.
notice clusterd[3676]: 013a0006:5: Goodbye from slot 1.
Conditions:
-- Power-cycling a blade reproduces the issue most of the time.
-- Possibly specific to platform:
+ This issue has been seen on multiple hardware platforms, including B2100, B2150, B2250, and PB300.
+ Issue does not reproduce under the same conditions on a VIPRION 4800.
Impact:
Secondary slot on VIPRION hypervisor is in 'INOPERATIVE' state.
Workaround:
On the vCMP Host, copy the file /shared/db/cluster.conf from the primary to each secondary cluster member. For each secondary blade's slot, use a command similar to the following:
scp /shared/db/cluster.conf slot<slot number>:/shared/db/cluster.conf
Note: Implementing the workaround does not prevent the issue from recurring. An upgrade to an unaffected version is recommended.
706688-2 : Automatically add additional certificates to BIG-IP system in C2S and IC environments
Component: TMOS
Symptoms:
In order to function properly, the BIG-IP system's failover and autoscale features need extra certificates (which are used inside C2S environments) and endpoint URL. The extra certificates must be pointed to by the $AWS_CA_BUNDLE environment variable. The BIG-IP system's failover and autoscale feature use AWS CLI commands. Those AWS CLI commands need to have the $AWS_CA_BUNDLE pointing to the certificate files location and endpoint URL. These must be configured manually.
Conditions:
-- BIG-IP is running in AWS C2S (Commercial Cloud Services) where the domain is either c2s.ic.gov or sc2c.sgov.gov.
-- The BIG-IP system is configured to do failover or autoscale in those environments.
Impact:
Requires manual copying of the extra certificates, which are pointed to by AWS_CA_BUNDLE, to the BIG-IP system.
Workaround:
None.
Fix:
In this release, you can add all the needed certificates' URLs in the AWS user-data. The BIG-IP system then automatically downloads and stores the certificate and sets the $AWS_CA_BUNDLE environment variable and endpoint-url.
To use the functionality, when launching the BIG-IP system from the AWS web console, specify the C2S certificate URL and test URL in the following format:
c2s-keys-urls=url1,url2,url3;c2s-cert-test-url=ec2.us-iso-east-1.c2s.ic.gov:443;
Where the syntax explanation is as follows:
1. The string literal : c2s-keys-urls=
2. List of comma separated URLs.
3. A semicolon (;).
4. The string literal : c2s-cert-test-url=
5. A URL in the following format:
<A service name (e.g., ec2)>.<The region where it is running (e.g., us-iso-east-1)>.<the domain name :443 (e.g., c2s.ic.gov:443)>
Example: ec2.us-iso-east-1.c2s.ic.gov:443;
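The user-data syntax above can be checked before an instance is launched. The following is an added example, not F5 code: a Python validator for that string. The function name, the https-only rule for certificate URLs, and the sample URLs are assumptions of the example; the domain list is copied as written from the Conditions of this entry.

```python
from urllib.parse import urlsplit

# Domains copied from the Conditions of this entry; pass others if yours differ.
PAGE_DOMAINS = ("c2s.ic.gov", "sc2c.sgov.gov")


def parse_c2s_user_data(text, allowed_domains=PAGE_DOMAINS):
    """Return (fields, problems) for 'c2s-keys-urls=...;c2s-cert-test-url=...;'."""
    problems, raw = [], {}
    stripped = text.strip()
    if not stripped.endswith(";"):
        problems.append("string does not end with ';'")
    for segment in stripped.split(";"):
        if not segment:
            continue
        key, sep, value = segment.partition("=")  # a URL may contain '=' later on
        if not sep:
            problems.append(f"segment without '=': {segment!r}")
        elif key in raw:
            problems.append(f"duplicate key: {key}")
        else:
            raw[key] = value

    fields = {"keys_urls": [], "service": None, "region": None, "domain": None}

    # Items 1-2 of the syntax: the literal key, then comma-separated URLs.
    if "c2s-keys-urls" not in raw:
        problems.append("missing c2s-keys-urls")
    else:
        for url in raw["c2s-keys-urls"].split(","):
            try:
                parts = urlsplit(url)
            except ValueError:
                parts = None
            if parts is None or not parts.netloc or any(c.isspace() for c in url):
                problems.append(f"bad certificate URL: {url!r}")
                continue
            if parts.scheme != "https":
                # Rule chosen for this example (not stated in the release note):
                # these files become trust anchors, so a plain-http source is flagged.
                problems.append(f"certificate URL is not https: {url!r}")
            fields["keys_urls"].append(url)

    # Items 4-5: the literal key, then <service>.<region>.<domain>:443.
    test = raw.get("c2s-cert-test-url")
    if test is None:
        problems.append("missing c2s-cert-test-url")
    else:
        host, _, port = test.rpartition(":")
        if port != "443":
            problems.append(f"test URL must end in ':443': {test!r}")
        domain = next((d for d in allowed_domains if host.endswith("." + d)), None)
        if domain is None:
            problems.append(f"test URL is not in an expected domain: {test!r}")
        else:
            labels = host[: -len(domain) - 1].split(".")
            if len(labels) != 2 or not all(labels):
                problems.append(f"test URL is not <service>.<region>.<domain>: {test!r}")
            else:
                fields["service"], fields["region"] = labels
                fields["domain"] = domain
    return fields, problems


# Constructed samples; the certificate URLs are placeholders.
GOOD = ("c2s-keys-urls=https://certs.example.test/ca1.pem,https://certs.example.test/ca2.pem;"
        "c2s-cert-test-url=ec2.us-iso-east-1.c2s.ic.gov:443;")
BAD = "c2s-keys-urls=http://certs.example.test/ca1.pem,;c2s-cert-test-url=ec2.c2s.ic.gov:8443"

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(parse_c2s_user_data(sample))
```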
706642-1 : wamd may leak memory during configuration changes and cluster events
Component: WebAccelerator
Symptoms:
wamd memory consumption increases over time.
Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.
Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.
Workaround:
No workaround available.
Fix:
wamd no longer leaks memory during configuration changes and cluster events.
706423-3 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
Component: TMOS
Symptoms:
TMM may discard an existing child-SA when its timer expires while the child-SA is in use for encryption or decryption. Separately, an error that aborts negotiation can leave multiple timers associated with one child-SA, and those timers conflict with one another.
Conditions:
Errors in the IPsec configuration that cause negotiation to fail can occur while a child-SA is in a state that does not manage timers correctly.
A configuration with a short SA lifetime causes frequent re-keying, which makes it more likely to hit the race condition in which an SA expires while in active use for crypto.
Impact:
TMM restarts, disrupting traffic and causing HA failover.
Workaround:
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, ensure SA lifetime has longer duration, instead of merely seconds. (The default is one day.)
Fix:
Now we ensure only one timer can be associated with a child-SA related to short-term progress toward maturity during negotiation, even if an error happens.
Now we also ensure a child-SA is safe during async crypto operations, even if they expire while currently in use.
706169-2 : tmsh memory leak
Component: TMOS
Symptoms:
tmsh is leaking approximately 24 KB for every 'save sys config' call.
Conditions:
This occurs under the following conditions:
-- In tmsh, run the following command repeatedly:
save sys config
-- In the GUI, modify the configuration and click Update, change pages, or otherwise cause a save to the configuration.
Impact:
This results in a memory leak, and a possible out-of-memory condition.
Workaround:
None.
Fix:
tmsh no longer leaks memory when performing configuration-save operations.
706102-1 : SMTP monitor does not handle all multi-line banner use cases
Component: Local Traffic Manager
Symptoms:
An SMTP monitor does not handle all multi-line banner use cases, such as when the banner is physically split across two packets. This issue is due to attempting to parse the banner value from the first packet without a portion of the banner value that may arrive in a second packet.
Conditions:
An SMTP monitor is configured, uses a multi-line banner, and the SMTP monitor banner is split across two physical packets.
Impact:
The SMTP monitor sends an RST after the first packet, and marks the resource down.
Workaround:
Use an SMTP monitor with a single-line banner. Or, rather than using an SMTP monitor, instead use a TCP monitor with send/recv strings.
Fix:
An SMTP monitor handles all use cases that include a multi-line banner.
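The failure described in 706102 comes from deciding on the banner before the last reply line has arrived. The following added example (not F5's monitor code) shows a reader that buffers TCP payloads until the final SMTP reply line, the one with a space after the code, is complete. The class and function names, the "expected substring" rule, and the sample banner are assumptions of the example.

```python
import re

# One reply line: 3-digit code, then '-' (more lines follow) or ' ' (last line).
_LINE = re.compile(rb"^(\d{3})(?:([ -])(.*))?$")


class SmtpReplyReader:
    """Buffer TCP payload chunks until one complete SMTP reply has arrived."""

    def __init__(self, max_bytes=8192):
        self._buf = b""
        self._lines = []
        self._code = None
        self._seen = 0
        self._max = max_bytes

    def feed(self, chunk):
        """Return (code, [line texts]) when the final line is in, else None."""
        self._seen += len(chunk)
        if self._seen > self._max:
            raise ValueError("reply exceeds size limit")
        self._buf += chunk
        while b"\r\n" in self._buf:
            line, self._buf = self._buf.split(b"\r\n", 1)
            match = _LINE.match(line)
            if match is None:
                raise ValueError(f"not an SMTP reply line: {line!r}")
            code, sep, text = match.groups()
            if self._code is None:
                self._code = code
            elif code != self._code:
                raise ValueError("reply code changed inside a multi-line reply")
            self._lines.append((text or b"").decode("ascii", "replace"))
            if sep != b"-":  # ' ' or a bare code ends the reply
                reply = (int(self._code), self._lines)
                self._lines, self._code, self._seen = [], None, len(self._buf)
                return reply
        return None  # incomplete: keep the connection open and read again


def banner_is_up(chunks, expected):
    """Hypothetical monitor rule: reply code 220 and `expected` in a banner line."""
    reader = SmtpReplyReader()
    for chunk in chunks:
        reply = reader.feed(chunk)
        if reply is not None:
            code, lines = reply
            return code == 220 and any(expected in text for text in lines)
    return False  # stream ended before the final line arrived


# Constructed banner, split mid-line across two payloads.
SPLIT_BANNER = [
    b"220-mail.example.test ESMTP\r\n220-Authori",
    b"zed use only\r\n220 ready\r\n",
]

if __name__ == "__main__":
    print(banner_is_up(SPLIT_BANNER, "Authorized"))
```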
705476-1 : Appliance Mode does not follow design best practices
Solution Article: K28003839
705037-1 : System may exhibit duplicate if_index, which in some cases leads to nsm daemon restart
Solution Article: K32332000
Component: TMOS
Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.
Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.
Impact:
-- Unreliable or confusing statistics via SNMP polling.
-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.
Workaround:
None.
Fix:
System no longer exhibits duplicate if_index statistics.
704804-4 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
Component: TMOS
Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.
Conditions:
This applies to remote authentication for the control plane, not APM.
Impact:
Login may be impacted.
Workaround:
There is no workaround at this time.
Fix:
NAS-IP-Address Attribute is now set correctly when the BIG-IP system is configured to use RADIUS authentication.
704764-1 : SASP monitor marks members down with non-default route domains
Component: Local Traffic Manager
Symptoms:
The LTM SASP monitor marks down pool members whose addresses include non-default route domains.
Conditions:
1. Using the SASP health monitor to monitor a pool or pool member.
2. The address of the pool member includes a non-default route domain, such as:
ltm pool rd_test {
    members {
        test_1:http {
            address 12.34.56.78%99
        }
    }
    monitor my_sasp
}
Impact:
Pool members with non-default route domains will never be marked up by the SASP monitor.
Workaround:
Do not specify non-default route domains in the addresses of pool members monitored by the SASP health monitor.
The SASP protocol does not support the use of route domains in member addresses. Thus, the SASP GWM (Global Workload Manager) will ignore route domain information included in the member addresses when registered by the SASP monitor in BIG-IP, and will report the status of members using addresses without route domains.
Therefore, even with a fixed version of the SASP monitor, BIG-IP LTM administrators must be careful to avoid configuring multiple pool members with the same address except for different route domains, to be monitored by the SASP monitor. In case of such a configuration error, the status of the member reported by the SASP GWM may not accurately reflect the status of one or more of the pool members with matching IP addresses.
Fix:
The LTM SASP monitor will correctly report the status of pool members configured with addresses that include a non-default route domain, if the SASP GWM is monitoring members with matching addresses (minus route-domain information).
704755-3 : EUD_M package could not be installed on 800 platforms
Component: TMOS
Symptoms:
Attempts to install the EUD_M EUD package fail on 800 platforms even though they are supposed to be supported.
Conditions:
Attempt to install EUD_M package on 800 platforms.
Impact:
Cannot install EUD_M package on a platform that is claimed to support it.
Workaround:
None.
Fix:
EUD_M package can now be installed on 800 platforms as expected.
704733-3 : NAS-IP-Address is sent with the bytes in reverse order
Component: TMOS
Symptoms:
The NAS-IP-Address has the address of the local device sent with the bytes in reverse order (e.g., 78.56.30.172, where 172.30.56.78 is expected).
Conditions:
-- This affects IPv4 addresses only.
-- BIG-IP system is configured for RADIUS authentication.
Impact:
The server may be configured to check the NAS-IP-Address before allowing logins, in which case it would fail.
Workaround:
There is no workaround at this time.
Fix:
This has been corrected.
704643-2 : Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule
Component: Application Security Manager
Symptoms:
When adding or modifying a user-defined Attack Signature in Simple Edit Mode, backslashes preceding a forward slash are mistakenly doubled in regular expression keywords within the Signature.
Conditions:
-- Add or modify a user-defined Attack Signature with a regular expression keyword containing an escaped forward slash in Simple Edit Mode.
Impact:
The backslash escaping the forward slash is doubled, which changes the enforced signature rule.
Workaround:
Create or modify the Signature rule using Advanced Edit Mode.
Fix:
When adding or modifying a user-defined Attack Signature in Simple Edit Mode, backslashes preceding a forward slash are handled correctly in regular expression keywords within the Signature rule.
704587-3 : Authentication with UTF-8 chars in password or handling of IP addresses fail due to byte-array processing in iRules
Component: Access Policy Manager
Symptoms:
This issue can have a number of observable effects, including:
1. APM end users cannot log in to the server. The log contains a message similar to the following: iRule err 'bad IP address format'.
2. When using the HTTP::header insert command, an iRule produces the following error: bad IP address format.
3. An iRule may produce other 'bad format' errors when processing inputs containing UTF-8 characters or other objects that are handled as byte arrays.
Conditions:
The corresponding conditions under which the above-described symptoms may occur include:
1. APM end users who have UTF-8 characters in their password.
2. An iRule uses the 'HTTP::header insert' command to insert the '[HTTP::header True-Client-IP]' object.
3. An iRule processes other input containing IP addresses (such as 'IP::addr') or UTF-8 characters or other objects that are handled as byte arrays.
These symptoms may occur when low-level Tcl functions servicing iRule APIs parse UTF-8 characters into strings. The Tcl marshaling routines used by some iRule functions (including HTTP::header insert) coerce some arguments into the bytearray type, which receives special treatment when coerced into other objects (such as IP addresses). Under certain conditions, when a string is coerced into a bytearray, the coercion fails and the error noted in the logs is produced.
Because APM user authentication is implemented via iRules, the handling of UTF-8 characters in iRules affects APM user authentication when the user password contains UTF-8 characters.
These symptoms may occur on affected versions of BIG-IP software due to underlying changes in the low-level Tcl implementation.
Impact:
For the above-described symptoms, the corresponding impacts include:
1. APM authentication service is unavailable.
2. An iRule fails when using the HTTP::header insert command.
3. Other iRules may fail when using other APIs that process IP addresses (such as 'IP::addr') or strings containing UTF-8 characters or other objects that are handled as byte arrays.
Workaround:
1. To work around the APM authentication symptom, add a Variable Assign agent after the Logon Page with following assignment:
(check the secure checkbox)
session.logon.last.password = set pass [mcget -secure session.logon.last.password]; binary scan $pass c* chars; set newpass ""; foreach {ch} $chars { append newpass [format %c [expr $ch & 0xFF]] }; return $newpass
2. To work around errors processing 'HTTP::header insert' commands, avoid processing string variables with the 'HTTP::header insert' command. You can first convert the string to an IP address with IP::addr. For example:
Change
HTTP::header insert X-Forwarded-For $myip1
To
HTTP::header insert X-Forwarded-For [IP::addr $myip1 mask "255.255.255.255"]
where $myip1 could be a string representation of an IP address defined earlier with: set myip1 "78.210.81.133"
3. It may be possible to work around other iRule errors related to processing IP addresses (such as 'IP::addr') or UTF-8 characters or other objects that are handled as byte arrays by troubleshooting the iRule to determine the source of the error, and assigning the value to another string variable before further processing.
Fix:
Special UTF-8 characters (including in user passwords authenticated using APM), IP addresses, and other objects that are handled as byte arrays in iRules are now handled properly.
704555-1 : Core occurs if DIAMETER::persist reset is called if no persistence key is set.
Component: Service Provider
Symptoms:
tmm crashes and restarts.
Conditions:
The system is configured to use a custom persistence key, but no persistence key has been set and DIAMETER::persist reset command is used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid using DIAMETER::persist reset if a persistence key has not been set.
Fix:
System ignores the reset command if the key has not been set.
704552-1 : Support for ONAP site licensing
Component: TMOS
Symptoms:
ONAP site licensing not supported.
Conditions:
-- Attempting to use ONAP site licensing
Impact:
BIG-IP system does not license.
Workaround:
None.
Fix:
Ported ONAP site licensing support to this version of the software.
Behavior Change:
This version of the software supports ONAP site licensing.
704381-6 : SSL/TLS handshake failures and terminations are logged at too low a level
Component: Local Traffic Manager
Symptoms:
SSL/TLS handshake failures and terminations are being logged at too low of a level (INFO).
Conditions:
-- SSL/TLS connections are received or sent.
-- Handshake failures are logged.
Impact:
Sometimes other errors are produced, and the cause is an SSL/TLS handshake failure, but this failure is not being logged.
Workaround:
There is no workaround.
Fix:
SSL/TLS handshake failures and terminations are now logged at a higher level (WARNING).
704247-1 : BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
Component: TMOS
Symptoms:
BIG-IP .iso images may fail to install if multiple copies of the same image are present and have been deleted.
Conditions:
-- Have multiple copies of the same image .iso in the /shared directory on a BIG-IP system.
-- Delete one of them.
Impact:
Installation attempt of the remaining image(s) might fail.
Workaround:
Restart the lind process, so the installation can continue.
Fix:
The BIG-IP system now installs an image if multiple copies of the same image are present and have been deleted.
704184-7 : APM MAC Client create files with owner only read write permissions
Solution Article: K52171282
703869-4 : Waagent updated to 2.2.21
Component: TMOS
Symptoms:
Microsoft updates waagent via an open source process, but it is not compatible with BIG-IP software, and so cannot be upgraded outside of BIG-IP releases. Without this, Microsoft will not support older releases of BIG-IP systems in their environment.
Conditions:
Using Microsoft Azure.
Impact:
Microsoft does not support the version of waagent shipped as part of BIG-IP software.
Workaround:
None.
Fix:
Waagent was updated to 2.2.21 from Microsoft along with F5 changes for compatibility with BIG-IP software.
703835-1 : When using SCP into BIG-IP systems, you must specify the target filename
Solution Article: K82814400
703669-1 : Eventd restarts on NULL pointer access
Component: TMOS
Symptoms:
The loop that reads /config/eventd.xml to load configuration data processes data in 1024-byte chunks. If the size of the file is a multiple of 1024 bytes, the end of file condition that terminates the file read does not occur until the subsequent read. The subsequent read returns zero (0) bytes and passes an empty buffer to the parser, which causes eventd to restart repeatedly.
Conditions:
The length of the file /config/eventd.xml is a multiple of 1024 bytes.
Impact:
Causes eventd to crash.
Workaround:
To work around the problem, insert whitespace in /config/eventd.xml to pad the file to a size that is not a multiple of 1024 bytes.
703045-2 : If using TMSH commands with deprecated attributes in iApp, the upgrade will fail.
Component: TMOS
Symptoms:
TMSH commands with deprecated attributes will fail if used in iApp.
Conditions:
TMSH commands with deprecated attributes will fail if used in iApp. This is so whether the iApp is activated during the upgrade process or simply run under iApp service at the user display.
Impact:
TMSH commands do not execute; for example, a create command results in no objects (e.g., monitor, virtual server, etc.) being created.
Workaround:
Try to avoid deprecated attributes of the object in the iApp.
Fix:
All TMSH commands should handle deprecated attributes of objects consistently across the TMSH command line, CLI scripts, and iApps, as follows:
- TMSH commands run to full execution with only a warning message.
- Full execution means that the object's action is executed without error and that nothing fails silently.
702472-1 : Appliance Mode Security Hardening
Solution Article: K87659521
702469-1 : Appliance mode hardening in scp
Solution Article: K73522927
702457-1 : DNS Cache connections remain open indefinitely
Component: Global Traffic Manager (DNS)
Symptoms:
Resizing or clearing the DNS cache while a lot of traffic is running can cause numerous connections to remain open indefinitely. tmm crash.
Conditions:
Resizing or clearing the DNS cache while it is resolving connections.
Impact:
Connections remain open forever, using up memory.
Workaround:
If you are encountering this, you can remove these connections by restarting tmm:
tmsh restart sys service tmm
Impact of workaround: Traffic disrupted while tmm restarts.
Fix:
Fixed an issue where the DNS Cache kept connections open indefinitely when clearing or resizing a cache with active resolutions occurring.
702450-2 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect
Component: Local Traffic Manager
Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:
# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.
The referenced object is not a "policy action" in this case, but is a virtual server.
Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.
Impact:
Possible confusion at the error message.
Workaround:
There is no workaround at this time.
Fix:
Made the error message accurately reflect what the user was attempting to delete.
702227-2 : Memory leak in TMSH load sys config
Component: TMOS
Symptoms:
When loading a configuration, either through tmsh load sys config or the corresponding iControl REST command, the TMSH or icrd_child processes can leak memory.
Conditions:
When configuration is loaded via TMSH or iControl REST.
Impact:
The TMSH process memory or icrd_child process memory continues to grow every time the config is loaded.
Workaround:
If memory consumption grows in the TMSH process, restart the TMSH process.
If memory consumption grows in iControl REST, restart the REST service using the following command: bigstart restart restjavad.
Fix:
There is no longer a memory leak when loading configuration in TMSH or iControl REST.
701800-1 : SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x
Solution Article: K29064506
Component: Access Policy Manager
Symptoms:
Mac RDP client 10.x shows credentials prompt when SSO-enabled native RDP resource is launched from the APM Webtop. If the user enters credentials manually, the RDP client will display an error message.
Conditions:
-- Mac RDP client is of version 10.x (e.g., 10.1.6).
-- Native RDP resource is assigned to the webtop.
-- SSO is enabled on the RDP Resource.
Impact:
RDP resource cannot be launched.
Workaround:
Add the following to 'Custom Parameters' of SSO-enabled RDP resources:
full address:s:%{session.server.network.name}
promptcredentialonce:i:1
Fix:
SSO-enabled native RDP resources now can be launched from APM Webtop with Mac RDP client 10.2.0.
701785-1 : Linux kernel vulnerability: CVE-2017-18017
Solution Article: K18352029
701253-6 : TMM core when using MPTCP
Solution Article: K16248201
701249-3 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
Component: TMOS
Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.
The NAS-IP-Address is essentially the resource an end user client is trying to authenticate to. This is typically the management IP address of the BIG-IP system, but the BIG-IP system always sends 127.0.0.1 instead. That might fail or it might work, depending on how the server is configured.
Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.
Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.
Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.
Workaround:
There is no workaround.
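A RADIUS server operator can tell which of the NAS-IP-Address problems described in 704804, 704733 and 701249 is present by decoding attribute 4 from a captured Access-Request. The following is an added example, not F5 code: the function names and the constructed packets are assumptions, and the sample addresses are the ones quoted in 704733.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RADIUS attribute type (RFC 2865)


def radius_attributes(packet):
    """Yield (type, value) pairs from a RADIUS packet laid out per RFC 2865."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    pos = 20  # code(1) + identifier(1) + length(2) + authenticator(16)
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        yield a_type, packet[pos + 2 : pos + a_len]
        pos += a_len


def classify_nas_ip(packet, management_ip):
    """Compare the NAS-IP-Address in `packet` with the expected management IP."""
    expected = ipaddress.IPv4Address(management_ip)
    for a_type, value in radius_attributes(packet):
        if a_type != NAS_IP_ADDRESS:
            continue
        if len(value) != 4:
            return "malformed"
        seen = ipaddress.IPv4Address(value)
        if seen == expected:
            return "ok"
        if seen.is_loopback:
            return "loopback"   # symptom of 704804 / 701249
        if seen.packed == expected.packed[::-1]:
            return "reversed"   # symptom of 704733
        return "unexpected"
    return "absent"


def build_access_request(nas_ip_bytes):
    """Constructed Access-Request: User-Name 'admin' plus NAS-IP-Address."""
    attrs = bytes([1, 7]) + b"admin" + bytes([NAS_IP_ADDRESS, 6]) + nas_ip_bytes
    header = struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16)
    return header + attrs


if __name__ == "__main__":
    for octets in ([172, 30, 56, 78], [78, 56, 30, 172], [127, 0, 0, 1]):
        pkt = build_access_request(bytes(octets))
        print(octets, classify_nas_ip(pkt, "172.30.56.78"))
```

A server-side policy that checks NAS-IP-Address will reject the "loopback" and "reversed" cases, which matches the login failures described in those entries.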
700827-3 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.
Component: TMOS
Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic
Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.
For example, some servers always use randomly selected even source port numbers. This means the 'stride' of the ports selected is '2': a sorted list of the ports yields a list like 2, 4, 6, 8... 32002, 32004, which 'strides' over the odd ports; thus, a port stride of 2.
Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.
Workaround:
Randomize source ports when connecting via a BIG-IP system.
Fix:
This release introduces a new variable you can use to mitigate the issue:
mhdag.pu.table.size.multiplier
1. Set the variable to 2 or 3 on the host.
2. Restart tmm on all blades.
3. Restart tmm on the host.
4. Restart tmm on all guests.
Note: Restarting tmm on the guests only does nothing; restarting on the host only means that the guests still use old DAG settings and have high inter-TMM forwarding traffic, resulting in a worse condition than originally experienced.
Behavior Change:
This release introduces a new variable to mitigate this issue:
mhdag.pu.table.size.multiplier
You must set the variable to 2 or 3 on the host, and then restart tmm on all host blades and then all guests to mitigate the issue.
700086-2 : AWS C5/M5 Instances do not support BIG-IP VE
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) does not function on AWS C5/M5 instances.
Conditions:
BIG-IP VE on AWS C5/M5 instances.
Impact:
Cannot use BIG-IP VE on AWS C5/M5 instances.
Workaround:
None.
Fix:
BIG-IP VE now functions on AWS C5/M5 Instances.
700056-2 : MCPD process may lock up and restart when applying Local Traffic Policy to virtual server
Component: Local Traffic Manager
Symptoms:
The mcpd process becomes unresponsive while attempting to load the configuration, or attempting to apply a configuration change that associates a particular local traffic policy to a virtual server. The mcpd process may also periodically restart every 5 minutes.
Conditions:
- Virtual servers configured.
- Specific policies configured and attached to virtual servers.
Only policies configured in a specific way will trigger this situation. The specifics are not well understood; however, the vast majority of Local Traffic Policies are unaffected by this issue.
Impact:
Traffic disrupted while mcpd restarts.
Workaround:
There is no workaround.
Fix:
mcpd is responsive when an LTM Policy is attached to a virtual server, or when an already-attached policy is updated.
699598-1 : HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR
Component: Local Traffic Manager
Symptoms:
HTTP/2 requests with a large body may result in the BIG-IP system sending RST_STREAM with FRAME_SIZE_ERROR.
Conditions:
-- HTTP/2 profile is configured on the virtual server.
-- Request has body size greater than 16 KB.
Impact:
HTTP/2 stream is reset with FRAME_SIZE_ERROR and transfer does not complete.
Workaround:
None.
Fix:
Large HTTP/2 requests are now processed as expected.
699531-5 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command
Component: Policy Enforcement Manager
Symptoms:
TMM crash.
Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.
Impact:
Loss of service. Traffic disrupted while tmm restarts.
Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.
For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.
Fix:
The system now provides the correct number of attributes, preventing a NULL pointer dereference.
699454-6 : Web UI does not follow current best coding practices
Component: Advanced Firewall Manager
Symptoms:
The web UI does not follow current best coding practices while processing URL DB updates.
Conditions:
Authenticated web UI user.
Impact:
UI does not respond as intended.
Workaround:
None.
Fix:
The web UI now follows current best coding practices while processing URL DB updates.
699453-6 : Web UI does not follow current best coding practices
Solution Article: K20222812
698376-1 : Non-admin users have limited bash commands and can only write to certain directories
Component: TMOS
Symptoms:
TMSH access to Linux utilities does not follow best security practices.
Conditions:
Users without Advanced Shell Access running Linux utilities from inside TMSH.
Impact:
TMSH does not follow best security practices.
Workaround:
None.
Fix:
TMSH access to Linux utilities now follows best security practices.
Behavior Change:
Some tmsh util commands will be restricted to writing files to certain directories.
695985-3 : Access HUD filter has URL length limit (4096 bytes)
Component: Access Policy Manager
Symptoms:
Access HUD filter cannot process a URL if it is longer than 4096 bytes.
Conditions:
Any URL with a request consisting of more than 4096 bytes.
Impact:
The URL cannot be processed, and client gets a RST.
Workaround:
None.
Fix:
In this release, the URL length limit increased to 8192 bytes.
695878-3 : Signature enforcement issue on specific requests
Component: Application Security Manager
Symptoms:
Request payload does not get enforced by attack signatures on a certain policy configuration with specific traffic.
Conditions:
-- The violation 'Request exceeds max buffer size' is turned off.
-- The request is longer than the max buffer size (i.e., a request is larger than the internal long_request_buffer_size).
Impact:
Attack signatures are not enforced on the payload of this request at all.
Workaround:
Turn on the 'Request exceeds max buffer size' violation in blocking.
Fix:
The operation now looks into part of the payload for attack signature enforcement.
695072-3 : CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558
Solution Article: K23030550
693810-7 : CVE-2018-5529: APM Linux Client Vulnerability
Solution Article: K52171282
693359-2 : AWS M5 and C5 instance families are supported
Component: TMOS
Symptoms:
AWS has announced support for M5 and C5 instance families. No previous BIG-IP Virtual Edition (VE) software supports these new AWS instance families.
Conditions:
Attempting to install pre-v14.0.0.1 VE software on M5 and C5 instance families.
Impact:
The system experiences a kernel panic and might crash.
Workaround:
None.
Fix:
All necessary components are added to support AWS M5 and C5 instance families.
Behavior Change:
No previous BIG-IP Virtual Edition (VE) software supports the newly announced AWS M5 and C5 instance families. Version 14.0.0.1 officially supports the AWS M5 and C5 instance families.
693244-3 : BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned
Component: Local Traffic Manager
Symptoms:
BIG-IP silently drops the server-side TCP flow when it receives a client-side reset and the server-side flow is still in the SYN-SENT state.
Conditions:
BIG-IP receives a client-side reset when the client-side TCP flow is in ESTABLISHED state and the server-side TCP flow is in SYN-SENT state; the server-side flow is silently dropped.
Impact:
Because the server-side pool member does not receive the RST, it remains in SYN-RECEIVED state until it runs out of SYN retransmissions and eventually, due to timeout, returns to LISTEN state.
Fix:
BIG-IP resets the server-side TCP flow with RST when it receives a client-side reset and the server-side flow is still in the SYN-SENT state.
688553-4 : SASP GWM monitor may not mark member UP as expected
Component: Local Traffic Manager
Symptoms:
Pool members monitored by the SASP monitor may be incorrectly marked DOWN when they should be marked UP.
Conditions:
This may occur on affected BIG-IP versions when using the SASP monitor targeting a Load Balancing Advisor GWM (Global Workload Manager).
This is more likely to occur if pool members monitored by the SASP monitor are also monitored by an additional monitor which has marked the members DOWN, or if one or more pool members monitored by the SASP monitor have been manually marked down (state user-down via tmsh, or Disabled in the GUI).
This is not expected to occur with non-affected BIG-IP versions or when using the SASP monitor targeting a Lifeline GWM (Global Workload Manager).
Impact:
Traffic handled by pool members monitored by the SASP monitor may be disrupted.
Workaround:
Removing the SASP monitor from the pool or pool member configuration then re-adding the SASP monitor may reset the pool member status to the correct state.
687759 : bd crash
Component: Application Security Manager
Symptoms:
A bd crash.
Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, a form-data parsing is applied on a non-form-data payload (such as XML or JSON).
Impact:
bd crashes; system fails over; traffic disturbance occurs.
Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache
682283-1 : Malformed HTTP/2 request with invalid Content-Length value is served against RFC
Component: Local Traffic Manager
Symptoms:
An HTTP/2 request can include a Content-Length header. When the value of the Content-Length header does not match the sum of the lengths of all DATA frames from the stream, the RFC requires that the system reset the stream.
Conditions:
-- A virtual server is configured with HTTP/2 profile.
-- The value of Content-Length header does not match the sum of lengths of all DATA frames from the stream.
Impact:
The BIG-IP system sends a request to a server and serves a provided response, which is not in conformance with the RFC.
Workaround:
None.
Fix:
Now, when a client sends a request over an HTTP/2 connection with a malformed HEADERS frame in which Content-Length does not match the payload size in DATA frames, the BIG-IP system correctly resets the stream with RST_STREAM frame.
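The check this fix enforces, as an added Python example (not F5 code): sum the body bytes of each stream's DATA frames, excluding padding, and answer a mismatch with an RST_STREAM frame carrying PROTOCOL_ERROR. The function names, the `declared` map of Content-Length values (assumed to be already decoded from the HEADERS frames), and the sample frames are constructed for illustration.

```python
import struct

FRAME_DATA, FRAME_RST_STREAM = 0x0, 0x3
FLAG_END_STREAM, FLAG_PADDED = 0x1, 0x8
PROTOCOL_ERROR = 0x1


def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(buf):
    """Yield (type, flags, stream_id, payload) for every frame in buf."""
    pos = 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) < length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        pos += 9 + length
    if pos != len(buf):
        raise ValueError("truncated frame header")


def body_bytes(flags, payload):
    """Body length carried by one DATA frame; padding is not part of the body."""
    if not flags & FLAG_PADDED:
        return len(payload)
    if not payload or payload[0] >= len(payload):
        raise ValueError("invalid padding length")
    return len(payload) - 1 - payload[0]


def check_streams(declared, buf):
    """Return {stream_id: RST_STREAM bytes} for streams whose DATA total
    does not equal the declared Content-Length.

    declared: stream id -> Content-Length (assumed already HPACK-decoded).
    """
    received, resets = {}, {}
    for ftype, flags, sid, payload in parse_frames(buf):
        if ftype != FRAME_DATA or sid in resets or sid not in declared:
            continue
        received[sid] = received.get(sid, 0) + body_bytes(flags, payload)
        too_much = received[sid] > declared[sid]
        ended_short = bool(flags & FLAG_END_STREAM) and received[sid] != declared[sid]
        if too_much or ended_short:
            resets[sid] = frame(FRAME_RST_STREAM, 0, sid,
                                struct.pack(">I", PROTOCOL_ERROR))
    return resets


# Constructed sample: three request streams on one connection.
DECLARED = {1: 10, 3: 10, 5: 5}
CAPTURE = b"".join([
    frame(FRAME_DATA, 0, 1, b"abcd"),                       # stream 1: 4 bytes
    frame(FRAME_DATA, FLAG_END_STREAM, 3, b"abcd"),         # stream 3: ends at 4 of 10
    frame(FRAME_DATA, FLAG_END_STREAM, 1, b"efghij"),       # stream 1: 4 + 6 = 10
    frame(FRAME_DATA, FLAG_PADDED | FLAG_END_STREAM, 5,
          bytes([3]) + b"hello" + b"\x00" * 3),             # stream 5: 5 body + 3 pad
])

if __name__ == "__main__":
    for sid, rst in check_streams(DECLARED, CAPTURE).items():
        print(f"stream {sid}: reset with {rst.hex()}")
```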
677088-1 : BIG-IP tmsh vulnerability CVE-2018-15321
Solution Article: K01067037
676346-1 : PEM displays incorrect policy action counters when the gate status is disabled.
Component: Policy Enforcement Manager
Symptoms:
Action counters are incorrect.
Conditions:
PEM policy actions enabled with gate status of disabled.
Impact:
May provide an inconsistent view of PEM actions.
Workaround:
There is no workaround.
Fix:
Counters are managed correctly regardless of the gate status.
673842-5 : vCMP does not follow best security practices
Solution Article: K01413496
672312-4 : IP ToS may not be forwarded to serverside with syncookie activated
Component: Local Traffic Manager
Symptoms:
IP ToS field may not be preserved on forwarding in a FastL4 virtual server when syncookie is activated.
Conditions:
-- FastL4 ip-forwarding virtual server.
-- ToS in passthrough mode.
-- Syncookie is activated in hardware mode.
-- On a hardware platform with ePVA.
Impact:
IP ToS header is not forwarded to the serverside.
Workaround:
None.
Fix:
The BIG-IP system now forwards IP ToS in syncookie mode.
671712-3 : The values returned for the ltmUserStatProfileStat table are incorrect.
Component: TMOS
Symptoms:
An SNMP table entry intermittently comes back incorrect. Specifically, an LTM profile user statistic value is returned with an OID that is off by one in the table.
Conditions:
A statistics profile is attached to a virtual server with an iRule that increments statistics on the profile. The SNMP walk of the table created by the statistics profile intermittently returns the values shifted up one OID such that the last row is zero and the first row is lost. A subsequent request is correct.
Impact:
Incorrect data returned in SNMP walk of LTM profile table.
Workaround:
The statistics themselves are kept correctly and can be accessed without using SNMP.
Fix:
The values in the ltmUserStatProfileStat table are always correct.
668041-3 : Config load fails when an iRule comment ends with backslash in a config where there is also a policy.★
Solution Article: K27535157
Component: TMOS
Symptoms:
Config load fails when an iRule contains a commented line that ends with an escape character (backslash), and the config also contains an LTM policy. Depending on the iRule, you might also see the following error: Syntax Error:(/config/bigip.conf at line: 42078) double quotes are not balanced.
Conditions:
-- iRule contains commented line that ends with a backslash.
-- The config also contains a policy.
For example, an iRule similar to the first example, and a policy similar to the second:
ltm rule /Common/log_info {
    when HTTP_RESPONSE {
        #log local0. "Original Location header value: [HTTP::header value Location],\
        updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
    }
}
...
ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    rules {
        TestPol_Rule1 {
            actions {
                0 {
                    forward
                    select
                    node 10.2.10.20
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    matches
                    values { 10.1.10.20 }
                }
            }
        }
    }
    strategy /Common/first-match
}
Impact:
Config load fails.
Workaround:
You can use any of the following workarounds:
-- Delete the line of code with the comment.
-- Put the entire comment on one line of code.
-- Divide lengthy comments into a series of smaller ones, so that each comment fits within one line of code.
-- Move the iRule so that it is sequentially before the LTM policy in the config file.
Fix:
Config load no longer fails when an iRule comment ends with backslash in a config where there is also a policy.
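A pre-load check for the two conditions in this entry, as an added Python example (not F5 tooling): it flags iRule comment lines that end in a line-continuation backslash and reports whether the same config also defines an LTM policy. The function names and the sample config are constructed for illustration, and the brace counting and "line starts with #" test are heuristics, not the BIG-IP parser's own logic.

```python
import re

RULE_START = re.compile(r"^ltm rule (\S+) \{")
POLICY_START = re.compile(r"^ltm policy (\S+) \{")


def brace_delta(line):
    """Net change in brace depth for one line, skipping backslash-escaped characters."""
    delta, i = 0, 0
    while i < len(line):
        if line[i] == "\\":
            i += 2
            continue
        delta += (line[i] == "{") - (line[i] == "}")
        i += 1
    return delta


def ends_with_continuation(line):
    """True when the line ends in an odd number of backslashes (a line continuation)."""
    return (len(line) - len(line.rstrip("\\"))) % 2 == 1


def scan_config(conf_text):
    """Report continued iRule comments and LTM policies found in a config text.

    Returns {"policies": [...], "findings": [(rule, line_number, text)], "at_risk": bool}.
    at_risk is True only when both conditions from the entry are present.
    """
    policies, findings = [], []
    rule, depth = None, 0
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if rule is None:
            started = RULE_START.match(line)
            if started:
                depth = brace_delta(line)
                rule = started.group(1) if depth > 0 else None
            else:
                policy = POLICY_START.match(line)
                if policy:
                    policies.append(policy.group(1))
            continue
        if line.lstrip().startswith("#") and ends_with_continuation(line):
            findings.append((rule, lineno, line.strip()))
        depth += brace_delta(line)
        if depth <= 0:          # closing brace of the "ltm rule" stanza
            rule = None
    return {"policies": policies, "findings": findings,
            "at_risk": bool(policies and findings)}


# Constructed sample modelled on the iRule and policy shown in this entry.
SAMPLE_CONF = r'''ltm policy /Common/Test_Policy {
    requires { http tcp }
    strategy /Common/first-match
}
ltm rule /Common/log_info {
when HTTP_RESPONSE {
    #log local0. "Original Location header value: [HTTP::header value Location],\
    updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
}
}
ltm rule /Common/ok_rule {
when HTTP_REQUEST {
    # single-line comment, not flagged
    # an escaped backslash is not a continuation \\
    log local0. "uri: [HTTP::uri]"
}
}
'''

if __name__ == "__main__":
    report = scan_config(SAMPLE_CONF)
    for rule_name, lineno, text in report["findings"]:
        print(f"{rule_name} line {lineno}: comment continues onto next line: {text}")
    print("policies present:", report["policies"], "at risk:", report["at_risk"])
```

On a real system the input would be the text of the config file named in the error message, /config/bigip.conf.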
664618-2 : Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'
Component: Local Traffic Manager
Symptoms:
When using Protocol Security profiles for HTTP, the HTTP Protocol Checks 'Alarm' vs. 'Block' setting will not be honored for the 'Check maximum number of headers' check. If an HTTP response contains more than the configured maximum number of headers, the connection will be reset.
Client traffic with more than the maximum allowed headers will be allowed through to the server, and an alert will be generated, as expected. The server response will also have too many headers, but the connection will be reset.
Conditions:
-- PSM HTTP Protocol Checks configured in 'Alarm' mode ('Block' disabled).
-- The maximum number of headers is exceeded for server responses.
Impact:
Connections are reset, when only alerting is expected.
Workaround:
None.
Fix:
Two threshold values are now available for monitoring the number of HTTP headers:
-- Use the HTTP security profile and select 'alarm' (as opposed to 'block').
-- Use the HTTP service protocol profile. When the 'alarm' threshold is hit, the HTTP traffic remains intact, and logging can be seen in the PSM event logs. When the HTTP service protocol profile's threshold is hit, the HTTP traffic is blocked, and logging can be seen in both the LTM log and the PSM event logs.
658557-4 : The snmpd daemon may leak memory when processing requests.
Solution Article: K35209601
653573-5 : ADMd not cleaning up child rsync processes
Component: Anomaly Detection Services
Symptoms:
ADMd daemon on the device is spinning up rsync processes and not cleaning them up properly, which can result in zombie processes.
Conditions:
The rsync process ends via exit (which might occur if there is an issue with the process).
Impact:
Although there is no technical impact, there are many zombie processes left behind.
Workaround:
Restart admd to remove all existing rsync zombies:
bigstart restart admd
Fix:
admd now handles the SIGCHLD signal from rsync, so the issue no longer occurs.
651741 : CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop
Solution Article: K60104355
648802-4 : Required custom AVPs are not included in an RAA when reporting an error.
Component: Policy Enforcement Manager
Symptoms:
Custom Attribute-Value-Pairs (AVPs) defined on the system will not be visible in a Re-Auth-Answer (RAA).
Conditions:
This occurs when the following conditions are met:
-- PEM enabled with Gx.
-- Custom AVPs configured.
-- PEM responds with an error code in an RAA against a Policy and Charging Rules Function (PCRF) triggered action.
Impact:
Lack of custom AVPs in such an RAA may result in loss of AVP dependent service.
Workaround:
There is no workaround at this time.
Fix:
Custom AVPs are now included regardless of an error code in an RAA.
648270-2 : mcpd can crash if viewing a fast-growing log file through the GUI
Component: TMOS
Symptoms:
If the GUI tries to display a log file that is actively growing by thousands of log entries per second, the GUI might hang, and mcpd could run out of memory and crash.
Conditions:
The GUI tries to display a log file that is actively growing by thousands of log entries per second.
Impact:
mcpd crashes, and it and tmm restart. Traffic disrupted while tmm restarts.
Workaround:
Do not use the GUI to view a log file that is growing by thousands of log entries per second.
648242-3 : Administrator users unable to access all partition via TMSH for AVR reports
Solution Article: K73521040
Component: Application Visibility and Reporting
Symptoms:
Using TMSH for AVR reports can fail if the report contains partition-based entities, even for an administrator user (who should have permissions to all partitions).
Conditions:
Using TMSH to query partition-based stats as an administrator user.
Impact:
AVR reports via TMSH will fail when using partition based entities.
Workaround:
None.
Fix:
Administrator users can now get all partitions available on query.
643935-3 : Rewriting may cause an infinite loop while processing some objects
Component: Access Policy Manager
Symptoms:
Browser might become unresponsive when the end user client attempts to access a page containing specific script constructions through Portal Access.
Conditions:
The client application code contains an object that includes a toString() method and property names similar to ones from the JavaScript builtin Location interface.
Impact:
Browser becomes unresponsive when accessing the page through Portal Access.
Workaround:
None.
Fix:
None.
639619-6 : UCS may fail to load due to Master key decryption failure on EEPROM-less systems★
Component: TMOS
Symptoms:
The following error:
'Symmetric Unit Key decrypt failure - decrypt failure'
is logged to /var/log/ltm when attempting to load a UCS.
The configuration then fails to load due to a secure attribute decryption failure.
Conditions:
1. UCS contains secure attributes.
2. UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS.
4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)
Impact:
The configuration fails to load.
Workaround:
Perform the following procedure:
1. Stop the system:
# bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS
4. Remove the mcp db to forcibly reload the keys:
# rm -f /var/db/mcpd.bin
# rm -f /var/db/mcpd.info
5. Restart the system and reload the configuration:
# bigstart start
# tmsh load sys config
or
# reboot
Fix:
The system now always reloads the .unitkey from storage when loading other keys, so the UCS loads as expected.
636400-2 : CPB (BIGIP->BIGIQ log node) Hardening
Component: Application Security Manager
Symptoms:
Centralized Policy Builder (CPB) does not follow current best practices
Conditions:
Centralized Policy Building enabled
Impact:
Centralized Policy Builder (CPB) does not follow current best practices
Workaround:
None.
Fix:
Centralized Policy Builder (CPB) now follows current best practices
621260-3 : mcpd core on iControl REST reference to non-existing pool
Component: TMOS
Symptoms:
MCPd cores when attempting to create a pool and a monitor reference by using a REST call such as:
curl -u admin:admin -H "Content-Type: application/json" -X POST http://localhost:8100/tm/ltm/pool -d'{"name":"test_pool","monitor":" "}'
Conditions:
The monitor reference in the REST call consists of a single space character.
Impact:
MCPd restarts, causing many of the system daemons to restart as well.
Workaround:
Don't use spaces in the monitor reference name.
606983-1 : ASM errors during policy import
Component: Application Security Manager
Symptoms:
Import failure when importing ASM policy with many Session Awareness Data Points.
ASM logs errors similar to the following:
-- crit g_server_rpc_handler_async.pl[10933]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Could not update the Export Policy Task 'Export Policy Task (1469519765.114479)'. DBD::mysql::db do failed: Got a packet bigger than 'max_allowed_packet' bytes.
Conditions:
-- ASM provisioned.
-- Session Awareness enabled.
-- Many (more than 1000) active Session Awareness 'Block All' data points are present.
-- Export a policy.
-- Import the same policy.
Impact:
asm_config_server crash occurs. asm_config_server recovers automatically, within ~15-30 seconds.
Workaround:
Either release all Session Awareness Data Points before export, or remove them from the exported policy before importing it back.
Fix:
Import failure no longer occurs when importing ASM policy with more than 1000 Session Awareness Data Points. Now, there is a maximum of 1000 Session Awareness Data Points exported into an XML policy export.
602708-5 : Traffic may not passthrough CoS by default
Solution Article: K84837413
Component: Local Traffic Manager
Symptoms:
Traffic being forwarded by TMM may not passthrough the Class of Service (CoS) received.
Conditions:
-- IP forwarding Virtual server.
-- Traffic received with priority other than 3.
Impact:
Traffic is set to L2 QoS priority 3 and may cause issues on other networking devices.
Workaround:
Create a default CoS configuration or apply L2 QoS settings in the FastL4 profile.
Fix:
TMM now correctly passes through CoS by default.
599567-5 : APM assumes SNAT automap, does not use SNAT pool
Component: Local Traffic Manager
Symptoms:
When a virtual server configured to use a SNAT pool is also associated with APM (for example, when configured as a RDP gateway), the SNAT pool setting is not honored.
Also SNAT configuration of 'None' does not work. It always works as if it is configured with Automap.
Conditions:
-- SNAT pool configured.
-- APM configured (one example is deploying the Horizon View iApp for APM).
Impact:
The VLAN Self IP address is used instead of the SNAT pool addresses.
Workaround:
First, follow the configuration details in K03113285: Overview of BIG-IP APM layered virtual servers :: https://support.f5.com/csp/article/K03113285, to ensure everything is configured properly.
Then ensure that the appropriate SNAT pool is set on the new layered forwarding virtual server.
Note: This workaround does not work when using a pool of VMware vCenter Server (VCS) as configured by default with the iApp.
Fix:
The system now honors the virtual server SNAT configuration.
581921-4 : Required files under /etc/ssh are not moved during a UCS restore
Solution Article: K22327083
Component: TMOS
Symptoms:
The SSH files required for SSH sign on are not transferred when performing a UCS restore operation. Further, files are not transferred even during upgrade.
Conditions:
This can happen when performing a UCS restore operation, or when upgrading from one version to the next.
Impact:
This might impact SSH operations.
Workaround:
Add the /etc/ssh directory to the UCS backup configuration. This causes all subsequent UCS backup and restore operations to include the /etc/ssh/ directory.
To complete this procedure, refer to K4422: Viewing and modifying the files that are configured for inclusion in a UCS archive :: https://support.f5.com/csp/article/K4422.
Fix:
The correct folder is now present when performing a UCS restore operation, so that all of the files required for the operation of SSH are transferred.
571651-5 : Reset Nitrox3 crypto accelerator queue if it becomes stuck.
Component: Local Traffic Manager
Symptoms:
Certain configuration parameters used during an SSL handshake can elicit a 'queue stuck' message from the accelerator. When this happens, the /var/log/ltm log file will contain a message similar to the following:
'n3-cryptoX request queue stuck'.
Conditions:
The BIG-IP system uses Nitrox 3 encryption hardware to perform SSL encryption.
An SSL handshake sent to the BIG-IP system is incorrectly configured or contains bad information.
Impact:
In-flight and queued contexts for the specific accelerator are dropped. After device recovery, new requests will be accelerated.
Workaround:
Disable crypto acceleration.
Fix:
The crypto accelerator is gracefully reset when the accelerator stalls due to a misconfigured request.
Note: This issue resolution is limited to SSL handshake issues, and is not a resolution for all possible causes of a 'queue stuck' event.
530775-2 : Login page may generate unexpected HTML output
Solution Article: K23734425
513310-6 : TMM might core when a profile is changed.
Component: Local Traffic Manager
Symptoms:
TMM might core when a profile is changed.
Conditions:
A "standard" type virtual server configured with the TCP or SCTP protocol profile, and a Persistence, Access or Auth profile. This issue might occur in either of the following scenarios:
-- Change profile on the active device.
-- Change profile on the standby device and perform a config sync to the active ones.
Impact:
TMM might core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now reinitializes the TCP proxy filter chain on profile change, so that tmm no longer cores.
504522-3 : Trailing space present after 'tmsh ltm pool members monitor' attribute value
Component: Local Traffic Manager
Symptoms:
Values returned from the tmsh command 'ltm pool pool members monitor' have a trailing space, such as returning '/Common/myhttps ' (note the trailing-space). This trailing-space is also observed for the value returned from a REST call.
Conditions:
'tmsh' or a REST call is used to return the 'monitor' for pool members.
Impact:
Scripts or custom applications processing this returned output may wish to 'trim' whitespace on the value (as a trailing space is present); or should not assume the trailing space will be present in the future (as this behavior is not guaranteed).
Workaround:
Use a script or custom applications to 'trim' trailing whitespace for returned values.
Fix:
Values returned from the tmsh command 'ltm pool pool members monitor' no longer have a trailing space.
Known Issues in BIG-IP v14.0.x
TMOS Issues
ID Number | Severity | Solution Article(s) | Description |
837637-3 | 2-Critical | Orphaned bigip_gtm.conf can cause config load failure after upgrading★ | |
831821-4 | 2-Critical | Corrupted DAG packets cause bcm56xxd core on VCMP host | |
817085-3 | 2-Critical | Multicast Flood Can Cause the Host TMM to Restart | |
810593-3 | 2-Critical | Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★ | |
796601-5 | 2-Critical | Invalid parameter in errdefsd while processing hostname db_variable | |
780817-4 | 2-Critical | TMM can crash on certain vCMP hosts after modifications to VLANs and guests. | |
780437-3 | 2-Critical | Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration. | |
777993-5 | 2-Critical | Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same | |
777389-3 | 2-Critical | In a corner case, for PostgreSQL monitor MCP process restarts | |
770953-3 | 2-Critical | 'smbclient' executable does not work | |
769817-4 | 2-Critical | BFD fails to propagate sessions state change during blade restart | |
767877-2 | 2-Critical | TMM core with Bandwidth Control on flows egressing on a VLAN group | |
762205-4 | 2-Critical | IKEv2 rekey fails to recognize VENDOR_ID payload when it appears | |
758929-3 | 2-Critical | Bcm56xxd MIIM bus access failure after TMM crash | |
756830-2 | 2-Critical | BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict' | |
751924-3 | 2-Critical | TSO packet bit fails IPsec during ESP encryption | |
749249-4 | 2-Critical | IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP | |
747203-3 | 2-Critical | Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding | |
746464-2 | 2-Critical | MCPD sync errors and restart after multiple modifications to file object in chassis | |
743810-2 | 2-Critical | AWS: Disk resizing in m5/c5 instances fails silently. | |
743790-2 | 2-Critical | BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus | |
743271 | 2-Critical | Querying vCMP Health Status May Show Stale Statistics | |
742419-2 | 2-Critical | BIG-IP NIC teaming of SR-IOV interfaces does not work under VMware ESXi | |
737900-1 | 2-Critical | mcpd might crash on an unlicensed system | |
737692-2 | 2-Critical | Handle x520 PF DOWN/UP sequence automatically by VE | |
737055-1 | 2-Critical | Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy | |
721350-3 | 2-Critical | The size of the icrd_child process is steadily growing | |
717785-4 | 2-Critical | Interface-cos shows no egress stats for CoS configurations | |
715511-3 | 2-Critical | Span-port IFP rule shouldn't be created if no span port is configured | |
714795-1 | 2-Critical | ospfd cores when configured with 'area 0 range 0.0.0.0/0' | |
711683-1 | 2-Critical | bcm56xxd crash with empty trunk in QinQ VLAN | |
704681 | 2-Critical | Kernel panic with mcpd or system shutdown | |
838337-4 | 3-Major | The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST. | |
837481-4 | 3-Major | SNMPv3 pass phrases should not be synced between high availability (HA) devices as they are based on each device's unique engineID | |
829317-2 | 3-Major | Memory leak observed when running ICRD child | |
827021-3 | 3-Major | MCP update message may be lost when primary blade changes in chassis | |
826313-3 | 3-Major | Error: Media type is incompatible with other trunk members★ | |
824809-3 | 3-Major | bcm56xxd watchdog restart | |
820213-1 | 3-Major | 'Application Service List' empty after UCS restore | |
819457-4 | 3-Major | LTM high availability (HA) sync should not sync GTM zone configuration | |
818505-4 | 3-Major | Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | |
814585-4 | 3-Major | PPTP profile option not available when creating or modifying virtual servers in GUI | |
814353-4 | 3-Major | Pool member silently changed to user-disabled from monitor-disabled | |
812981-3 | 3-Major | MCPD: memory leak on standby BIG-IP device | |
812929-3 | 3-Major | mcpd may core when resetting a DSC connection | |
812493-1 | 3-Major | When engineID is reconfigured, snmp and alert daemons must be restarted★ | |
811053-3 | 3-Major | REBOOT REQUIRED prompt appears after failover and clsh reboot | |
811041-4 | 3-Major | Out of shmem, increment amount in /etc/ha_table/ha_table.conf | |
810957-3 | 3-Major | Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core | |
810613-3 | 3-Major | GUI Login History hides informative message about max number of lines exceeded | |
809657-3 | 3-Major | HA Group score not computed correctly for an unmonitored pool when mcpd starts | |
808277-3 | 3-Major | Root's crontab file may become empty | |
807337-2 | 3-Major | Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed. | |
806073-4 | 3-Major | MySQL monitor fails to connect to MySQL Server v8.0 | |
804477-3 | 3-Major | Log HSB registers when parts of the device become unresponsive | |
803833-3 | 3-Major | On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host★ | |
803237-1 | 3-Major | PVA does not validate interface MTU when setting MSS | |
800185-3 | 3-Major | Saving a large encrypted UCS archive may fail and might trigger failover | |
799001-4 | 3-Major | Sflow agent does not handle disconnect from SNMPD manager correctly | |
794501-3 | 3-Major | Duplicate if_indexes and OIDs between interfaces and tunnels | |
793121-2 | 3-Major | Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication | |
788949-1 | 3-Major | MySQL Password Initialization Loses Already Written Password | |
788557-4 | 3-Major | BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior | |
784733-2 | 3-Major | GUI LTM Stats page freezes for large number of pools | |
783293-3 | 3-Major | Special chars < > & displayed incorrectly in BIG-IP GUI logon banner window | |
783113-3 | 3-Major | BGP sessions remain down upon new primary slot election | |
782613-4 | 3-Major | Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp | |
781733-3 | 3-Major | SNMPv3 user name configuration allows illegal names to be entered | |
776489-3 | 3-Major | Remote authentication attempts to resolve only LDAP host against the first three name servers configured. | |
772497-4 | 3-Major | When BIG-IP is configured to use a proxy server, updatecheck fails | |
767341-4 | 3-Major | If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file. | |
765969-2 | 3-Major | Not able to get HSB register dump from hsb_snapshot on B4450 blade | |
764873-3 | 3-Major | An accelerated flow transmits packets to a dated, down pool member. | |
761993-3 | 3-Major | The nsm process may crash if it detects a nexthop mismatch | |
761753-3 | 3-Major | BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs | |
761321-3 | 3-Major | 'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not | |
760950-3 | 3-Major | Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment | |
760439-3 | 3-Major | After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status | |
760234-7 | 3-Major | Configuring Advanced shell for Resource Administrator User has no effect | |
759258-3 | 3-Major | Instances shows incorrect pools if the same members are used in other pools | |
758781-2 | 3-Major | iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates | |
758604-1 | 3-Major | Deleting a port from a single-port trunk does not work. | |
756820-3 | 3-Major | Non-UTF8 characters returned from /bin/createmanifest | |
756088-3 | 3-Major | The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address | |
755197-2 | 3-Major | UCS creation might fail during frequent config save transactions | |
753860-5 | 3-Major | Virtual server config changes causing incorrect route injection. | |
753423-5 | 3-Major | Disabling and immediately re-enabling the slot results in interfaces from the slot being permanently removed from aggregation | |
753001-2 | 3-Major | mcpd can be killed if the configuration contains a very high number of nested references | |
752994-2 | 3-Major | Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod | |
751581-2 | 3-Major | REST API Timeout while querying large number of persistence profiles | |
751409-2 | 3-Major | MCP Validation does not detect when virtual servers differ only by overlapping VLANs | |
751024-3 | 3-Major | i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd | |
751021-2 | 3-Major | One or more TMM instances may be left without dynamic routes. | |
751011-2 | 3-Major | ihealth.sh script and qkview locking mechanism not working | |
750447-2 | 3-Major | GUI VLAN list page loading slowly with 50 records per screen | |
750318-2 | 3-Major | HTTPS monitor does not appear to be using cert from server-ssl profile | |
748295 | 3-Major | TMM crashes on shutdown when using virtio NICs for dataplane | |
747799-1 | 3-Major | 'Unable to load the certificate file' error and configuration-load failure upgrading from 11.5.4-HF2 to a later version, due to empty cert/key in client SSL profile | |
747676-2 | 3-Major | Remote logging needs 'localip' to set source IP properly | |
746657-2 | 3-Major | tmsh help for FQDN node or pool member shows incorrect default for fqdn interval | |
746266-2 | 3-Major | Vcmp guest vlan mac mismatch across blades. | |
745825-2 | 3-Major | The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading | |
744520-2 | 3-Major | virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface | |
744252-1 | 3-Major | BGP route map community value: either component cannot be set to 65535 | |
743132-5 | 3-Major | mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile | |
742753-3 | 3-Major | Accessing the BIG-IP system's WebUI via special proxy solutions may fail | |
742170-1 | 3-Major | REST PUT command fails for data-group internal | |
741902-2 | 3-Major | sod does not validate message length vs. received packet length | |
740746-1 | 3-Major | RSA key creation fails for generating key/csr pair when using gen-csr challenge-password | |
740589-2 | 3-Major | mcpd crash with core after 'tmsh edit /sys syslog-all-properties' | |
740517-2 | 3-Major | Application Editor users are unable to edit HTTPS Monitors via the Web UI | |
740413-2 | 3-Major | Sod not logging Failover Condition messages | |
740135-2 | 3-Major | Traffic Group ha-order list does not load correctly after reset to default configuration | |
739872-1 | 3-Major | The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover | |
739820-2 | 3-Major | Validation does not reject IPv6 address for TACACS auth configuration | |
739533-5 | 3-Major | In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config | |
739118-2 | 3-Major | Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration | |
738943-4 | 3-Major | imish command hangs when ospfd is enabled | |
738330-2 | 3-Major | /mgmt/toc endpoint issue after configuring remote authentication | |
737901-3 | 3-Major | Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode | |
737346-2 | 3-Major | After entering username and before password, the logging on user's failure count is incremented. | |
734846-2 | 3-Major | Redirection to logon summary page does not occur after session timeout | |
734836 | 3-Major | Network Map summary counts pool members more than once if they are shared across pools | |
733585-4 | 3-Major | Merged can use 100% of CPU if all stats snapshot files are in the future | |
727297-2 | 3-Major | GUI TACACS+ remote server list should accept hostname | |
727191-2 | 3-Major | Invalid arguments to run sys failover do not return an error | |
725950-3 | 3-Major | Regcomp() leaks memory if passed an invalid regex. | |
725791-5 | 3-Major | Potential HW/HSB issue detected | |
724109-3 | 3-Major | Manual config-sync fails after pool with FQDN pool members is deleted | |
722380-1 | 3-Major | The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core. | |
721020-2 | 3-Major | Changes to the master key are reverted after full sync | |
720819-3 | 3-Major | Certain platforms may take longer than expected to detect and recover from HSB lock-ups | |
720610-1 | 3-Major | Updatecheck logs bogus 'Update Server unavailable' on every run | |
720461-1 | 3-Major | qkview prompts for password on chassis | |
718800-1 | 3-Major | Cannot set a password to the current value of its encrypted password | |
718405-3 | 3-Major | RSA signature PAYLOAD_AUTH mismatch with certificates | |
718291-1 | 3-Major | iHealth upload error doesn't clear | |
718108-2 | 3-Major | It is not possible to core the icrd_child process if iControl REST requests were sent to the BIG-IP system using non-admin accounts | |
715379-2 | 3-Major | IKEv2 accepts asn1dn for peers-id only as file path of certificate file | |
714986-4 | 3-Major | Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot | |
714974-1 | 3-Major | Platform-migrate of UCS containing QinQ fails on VE★ | |
714654-1 | 3-Major | Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM | |
714216-1 | 3-Major | Folder in a partition may result in load sys config error | |
713793 | 3-Major | Loading sys config using merge does not work for client SSL profiles with passphrase-protected key | |
713708-6 | 3-Major | Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI | |
712102-1 | 3-Major | K11430165 | customizing or changing the HTTP Profile's IPv6 field hides the field or the row |
712033-3 | 3-Major | When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name | |
710666-2 | 3-Major | VE with interface(s) marked down may report high cpu usage | |
709559-1 | 3-Major | LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name | |
709444-1 | 3-Major | "NTP not configured on device" warning seen when NTP symmetric key authentication is configured | |
708063 | 3-Major | In older RAID BIG-IP systems, storage provisioning is not possible when a drive is missing. | |
707445-4 | 3-Major | K47025244 | Nitrox 3 compression hangs/unable to recover |
706804-2 | 3-Major | SNMP trap destination configuration of network option is missing "default" keyword | |
705651-2 | 3-Major | Async transaction may ignore polling requests | |
705442 | 3-Major | GUI Network Map objects search on Virtual Server IP Address and Port does not work | |
704449-1 | 3-Major | Orphaned tmsh processes might eventually lead to an out-of-memory condition | |
703090-3 | 3-Major | With many iApps configured, scriptd may fail to start | |
701341-3 | 3-Major | K52941103 | If /config/BigDB.dat is empty, mcpd continuously restarts |
698619-3 | 3-Major | Disable port bridging on HSB ports for non-vCMP systems | |
698432-1 | 3-Major | Invalid error messages: warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10 | |
696731-4 | 3-Major | K94062594 | The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled |
688399-3 | 3-Major | HSB failure results in continuous TMM restarts | |
684096-3 | 3-Major | stats self-link might include the oid twice | |
683135-3 | 3-Major | Hardware syncookies number for virtual server stats is unrealistically high | |
680917-4 | 3-Major | Invalid monitor rule instance identifier | |
679901-6 | 3-Major | The iControl-REST timeout value is not configurable. | |
673018-1 | 3-Major | Parsed text violates expected format error encountered while upgrading or loading UCS★ | |
667618-5 | 3-Major | Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts | |
641450-6 | 3-Major | K30053855 | A transaction that deletes and recreates a virtual may result in an invalid configuration |
606032-4 | 3-Major | Network Failover-based high availability (HA) in AWS may fail | |
601220-4 | 3-Major | Multi-blade trunks seem to leak packets ingressed via one blade to a different blade | |
591305-2 | 3-Major | Audit log messages with "user unknown" appear on install | |
587821-7 | 3-Major | vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor. | |
569859-4 | 3-Major | Password policy enforcement for root user when mcpd is not available | |
499348-8 | 3-Major | System statistics may fail to update, or report negative deltas due to delayed stats merging | |
486712-4 | 3-Major | GUI PVA connection maximum statistic is always zero | |
291256-3 | 3-Major | Changing 'Minimum Length' and 'Required Characters' might result in an error | |
819429-2 | 4-Minor | Unable to scp to device after upgrade: path not allowed | |
819421-2 | 4-Minor | Unable to scp/sftp to device after upgrade★ | |
815425-2 | 4-Minor | RAID status is shown <undefined> after upgrade from 12.1.3.5 to 13.1.1.5★ | |
795429-2 | 4-Minor | Unrelated iControl REST transaction error message is returned when committing a transaction without any tasks. | |
761084-1 | 4-Minor | Custom monitor fields appear editable for Auditor, Operator, or Guest | |
755018-3 | 4-Minor | Traffic processing may be stopped on VE trunk after tmm restart | |
746152-2 | 4-Minor | Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column | |
743815-1 | 4-Minor | vCMP guest observes connflow reset when a CMP state change occurs. | |
726317-5 | 4-Minor | Improved debugging output for mcpd | |
724994-3 | 4-Minor | API requests with 'expandSubcollections=true' are very slow | |
723988-1 | 4-Minor | IKEv1 phase2 key length can be changed during SA negotiation | |
723711-2 | 4-Minor | IPsec keys are once again logged when db variable ipsec.debug.logkeys equals 1 | |
722647-3 | 4-Minor | The configuration of some of the Nokia alerts is incorrect | |
715331-2 | 4-Minor | IKEv2 logs peers_id comparisons and cert verification failures | |
713138-3 | 4-Minor | TMUI ILX Editor inserts an unnecessary linefeed | |
713134-1 | 4-Minor | Small tmctl memory leak when viewing stats for snapshot files | |
708415-3 | 4-Minor | Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled | |
707631-3 | 4-Minor | The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI | |
706685-4 | 4-Minor | The web UI becomes unresponsive after certain commands | |
704336-5 | 4-Minor | Updating 3rd party device cert not copied correctly to trusted certificate store | |
703509-3 | 4-Minor | Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled | |
689491-2 | 4-Minor | cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled | |
685582-8 | 4-Minor | Incorrect output of b64 unit key hash by command f5mku -f | |
673573-4 | 4-Minor | tmsh logs boost assertion when running child process and reaches idle-timeout | |
648917-2 | 4-Minor | Need to re-provision vCMP after upgrading to 13.1.x or later on the BIG-IP 10350F platform★ | |
627506-2 | 4-Minor | Unable to change management-ip address | |
591732-4 | 4-Minor | Local password policy not enforced when auth source is set to a remote type. | |
394873 | 4-Minor | Upgrade process does not update Tcl scripts★ | |
761621-3 | 5-Cosmetic | Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members" | |
720669-1 | 5-Cosmetic | Within the GUI, the 'MQTT-TLS' service port is incorrectly reported as 'common.all.MQTT-TLS'. | |
713519-1 | 5-Cosmetic | Enabling MCP Audit logging does not produce log entry for audit logging change | |
662725 | 5-Cosmetic | tmsh kernel default log levels do not match documentation |
Local Traffic Manager Issues
ID Number | Severity | Solution Article(s) | Description |
816273-3 | 1-Blocking | L7 Policies may execute CONTAINS operands incorrectly. | |
759968-2 | 1-Blocking | Distinct vCMP guests are able to cluster with each other. | |
837617-4 | 2-Critical | Tmm may crash while processing a compression context | |
824437-3 | 2-Critical | Chaining a standard virtual server and an ipother virtual server together can crash TMM. | |
813561-2 | 2-Critical | MCPD crashes when assigning an iRule that uses a proc | |
760078-2 | 2-Critical | Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet. | |
758714-2 | 2-Critical | Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports. | |
757578-3 | 2-Critical | RAM cache is not compatible with verify-accept | |
756356-1 | 2-Critical | External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long | |
755585-2 | 2-Critical | mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction | |
747858-1 | 2-Critical | OSPF packets are duplicated in the BIG-IP in L2 transparent mode using virtual wires | |
745589-5 | 2-Critical | In very rare situations, some filters may cause data-corruption. | |
743950-1 | 2-Critical | TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled | |
742184-2 | 2-Critical | TMM memory leak | |
741814-1 | 2-Critical | Auto Last Hop for management connections cannot be disabled/enabled | |
739927-2 | 2-Critical | Bigd crashes after a specific combination of logging operations | |
737985-1 | 2-Critical | BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode. | |
734551-1 | 2-Critical | L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server | |
726900 | 2-Critical | Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters | |
663925-4 | 2-Critical | Virtual server state not updated with pool- or node-based connection limiting | |
474797-5 | 2-Critical | Nitrox crypto hardware may attempt soft reset while currently resetting | |
431480-6 | 2-Critical | K17297 | Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message |
832133-4 | 3-Major | In-TMM monitors fail to match certain binary data in the response from the server. | |
827441-2 | 3-Major | Changing a UDP virtual server with an immediate timeout to a TCP virtual server can cause connections to fail | |
825245-5 | 3-Major | SSL::enable does not work for server side ssl | |
823825-4 | 3-Major | Renaming high availability (HA) VLAN can disrupt state-mirror connection | |
820333-4 | 3-Major | LACP working member state may be inconsistent when blade is forced offline | |
818853-4 | 3-Major | Duplicate MAC entries in FDB | |
818789-4 | 3-Major | Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile | |
818097-3 | 3-Major | Plane CPU stats too high after primary blade failover in multi-blade chassis | |
815825-3 | 3-Major | BIG-IP may not create a listener object after TMM restarts or the system reboots | |
815089-4 | 3-Major | On a system with no VLANs, you can create virtual servers or SNATs that have identical address/port combinations | |
810533 | 3-Major | SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile | |
809597-2 | 3-Major | Memory leak observed when running ICRD child | |
808017-3 | 3-Major | When using a variable as the only parameter to the iRule persist command, the iRule validation fails | |
803629-3 | 3-Major | SQL monitor fails with 'Analyze Response failure' message even if recv string is correct | |
796993-4 | 3-Major | Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs | |
795933-3 | 3-Major | A pool member's cur_sessions stat may incorrectly not decrease for certain configurations | |
795501-2 | 3-Major | Possible SSL crash during config sync | |
795261-3 | 3-Major | LTM policy does not properly evaluate condition when an operand is missing | |
788753-5 | 3-Major | GATEWAY_ICMP monitor marks node down with wrong error code | |
787853-3 | 3-Major | BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps. | |
787433-1 | 3-Major | SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed | |
786517-2 | 3-Major | Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address | |
785481-3 | 3-Major | A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached | |
784713-1 | 3-Major | When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct | |
784565-3 | 3-Major | VLAN groups are incompatible with fast-forwarded flows | |
783617-3 | 3-Major | Virtual Server resets connections when all pool members are marked disabled | |
783145-3 | 3-Major | Pool gets disabled when one of its pool members with monitor session is disabled | |
779137-3 | 3-Major | Using a source address list for a virtual server does not preserve the destination address prefix | |
778517-4 | 3-Major | Large number of in-TMM monitors results in delayed processing | |
776229-3 | 3-Major | iRule 'pool' command no longer accepts pool members with ports that have a value of zero | |
773821-3 | 3-Major | Certain plaintext traffic may cause SSLO to hang | |
773421-3 | 3-Major | Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied | |
772545-2 | 3-Major | Tmm core in SSLO environment | |
763093-2 | 3-Major | LRO packets are not taken into account for ifc_stats (VLAN stats) | |
761385-2 | 3-Major | Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire. | |
760771-2 | 3-Major | FastL4-steered traffic might cause SSL resume handshake delay | |
760050-3 | 3-Major | cwnd warning message in log | |
758437-5 | 3-Major | SYN w/ data disrupts stat collection in Fast L4 | |
758436-3 | 3-Major | Optimistic ACKs degrade Fast L4 statistics | |
757827-2 | 3-Major | Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution | |
757502 | 3-Major | Deleting policies using select all feature on non-Common partition attempts to delete all policies across all partitions | |
757029-3 | 3-Major | Ephemeral pool members may not be created after config load or reboot | |
756647-2 | 3-Major | Global SNAT connections do not reset upon timeout. | |
756313-3 | 3-Major | SSL monitor continues to mark pool member down after restoring services | |
756270-3 | 3-Major | SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle | |
755791-3 | 3-Major | UDP monitor not behaving properly on different ICMP reject codes. | |
755727-5 | 3-Major | Ephemeral pool members not created after DNS flap and address record changes | |
755631-2 | 3-Major | UDP / DNS monitor marking node down | |
753805-4 | 3-Major | BIG-IP system failed to advertise virtual address even after the virtual address was in Available state. | |
753594-4 | 3-Major | In-TMM monitors may have duplicate instances or stop monitoring | |
753526-2 | 3-Major | IP::addr iRule command does not allow single digit mask | |
753159-2 | 3-Major | Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections | |
752530-2 | 3-Major | TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput. | |
752334-2 | 3-Major | Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation | |
751036-2 | 3-Major | Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone | |
749689-3 | 3-Major | HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart | |
748891-1 | 3-Major | Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system. | |
748252-1 | 3-Major | Connection reset seen with SSL bypass on a L2 wire setup | |
747077 | 3-Major | Potential crash in TMM when updating pool members | |
746078-2 | 3-Major | Upgrades break existing iRulesLX workspaces that use node version 6 | |
745923-1 | 3-Major | Virtual server may reset a connection with port zero when client sends ACK after a 4-way close | |
744686-1 | 3-Major | Wrong certificate can be chosen during SSL handshake | |
743900-2 | 3-Major | Custom DIAMETER monitor requests do not have their 'request' flag set | |
742838-2 | 3-Major | A draft policy of an existing published policy cannot be modified if it is in /Common and is used by a virtual server in a different partition | |
742237-3 | 3-Major | CPU spikes appear wider than actual in graphs | |
740959-3 | 3-Major | User with manager rights cannot delete FQDN node on non-Common partition | |
738450-2 | 3-Major | Parsing pool members as variables with IP tuple syntax | |
737147-1 | 3-Major | Key creation on Thales fails with thales 12.40 on tmm interface | |
726734-3 | 3-Major | DAGv2 port lookup stringent may fail | |
726176-3 | 3-Major | platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve | |
723306-2 | 3-Major | Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition | |
722751-2 | 3-Major | VLAN group does not pass OSPF traffic till first unicast packet is passed | |
722707-3 | 3-Major | mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall | |
720460-3 | 3-Major | Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly | |
720440-2 | 3-Major | Radius monitor marks pool members down after 6 seconds | |
719304-3 | 3-Major | Inconsistent node ICMP monitor operation for IPv6 nodes | |
719300-1 | 3-Major | ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address | |
718867-1 | 3-Major | tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades★ | |
718790-2 | 3-Major | Traffic does not forward to fallback host when all pool members are marked down | |
716952-1 | 3-Major | With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process completes. | |
716492-3 | 3-Major | K59332523 | Rateshaper stalls when TSO packet length exceeds max ceiling. |
715756-1 | 3-Major | Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only | |
714559-4 | 3-Major | Removal of HTTP hash persistence cookie when a pool member goes down. | |
714503-1 | 3-Major | When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl | |
714495-1 | 3-Major | When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl" | |
714372-1 | 3-Major | Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari | |
713585-2 | 3-Major | K31544054 | When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long |
712489-1 | 3-Major | TMM crashes with message 'bad transition' | |
710930-2 | 3-Major | Enabling BigDB key bigd.tmm may cause SSL monitors to fail | |
709963-1 | 3-Major | Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members. | |
709837-1 | 3-Major | Cookie persistence profile may be configured with invalid parameter combination. | |
709381-1 | 3-Major | iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out. | |
706505-3 | 3-Major | iRule table lookup command may crash tmm when used in FLOW_INIT | |
705112-3 | 3-Major | DHCP server flows are not re-established after expiration | |
704450-4 | 3-Major | bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration | |
703266-1 | 3-Major | Potential MCP memory leak in LTM policy compile code | |
702439-4 | 3-Major | K04964898 | Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset |
689361-5 | 3-Major | Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor) | |
687887-2 | 3-Major | Unexpected result from multiple changes to a monitor-related object in a single transaction | |
686059-3 | 3-Major | FDB entries for existing VLANs may be flushed when creating a new VLAN. | |
679687-2 | 3-Major | LTM Policy applied to large number of virtual servers causes mcpd restart | |
677709 | 3-Major | pkcs11d daemon can generate a very large number of log messages | |
674591-4 | 3-Major | K37975308 | Packets with payload smaller than MSS are being marked to be TSOed |
672410 | 3-Major | K58551820 | High CPU load when HTTP/2 gateway is configured with source-persistence. |
655383-4 | 3-Major | Failure to extend database continues to execute rather than halting because of fragmented state. | |
646440-2 | 3-Major | TMSH allows mirror for persistence even when no mirroring configuration exists | |
620053-3 | 3-Major | Gratuitous ARPs may be transmitted by active unit being forced offline | |
505037-4 | 3-Major | K01993279 | Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop |
473787 | 3-Major | System might fail to unchunk server response when compression is enabled | |
838305-3 | 4-Minor | BIG-IP may create multiple connections for packets that should belong to a single flow. | |
834217-4 | 4-Minor | Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window. | |
824365-2 | 4-Minor | Need informative messages for HTTP iRule runtime validation errors | |
822025-3 | 4-Minor | HTTP response not forwarded to client during an early response | |
802721-1 | 4-Minor | Virtual Server iRule does not match an External Data Group key that's 128 characters long | |
801705-3 | 4-Minor | When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC | |
787905-3 | 4-Minor | Improve initializing TCP analytics for FastL4 | |
769309-6 | 4-Minor | DB monitor reconnects to server on every probe when count = 0 | |
747628-2 | 4-Minor | BIG-IP sends spurious ICMP PMTU message to server | |
746077-3 | 4-Minor | If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified | |
744210-3 | 4-Minor | DHCPv6 does not have the ability to override the hop limit from the client. | |
743116-3 | 4-Minor | Chunked responses may be incorrectly handled by HTTP/2 | |
738045-4 | 4-Minor | HTTP filter complains about invalid action in the LTM log file. | |
722534-2 | 4-Minor | load sys config merge not supported for iRulesLX | |
693901-5 | 4-Minor | Active FTP data connection may change source port on client-side | |
688005-1 | 4-Minor | The maximum-connection count doubles pva traffic counts for virtuals | |
675911-5 | 4-Minor | K13272442 | Different sections of the WebUI can report incorrect CPU utilization |
594064-6 | 4-Minor | K57004151 | tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows. |
544958-2 | 4-Minor | Monitor packets are sent even when pool member is 'Forced Offline'. | |
666378-2 | 5-Cosmetic | A virtual server's connections per second (precision.last_value) is confusingly named. |
Performance Issues
ID Number | Severity | Solution Article(s) | Description |
746620-2 | 3-Major | "source-port preserve" does not work on BIG-IP Virtual Edition |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Solution Article(s) | Description |
788465-3 | 2-Critical | DNS cache idx synced across HA group could cause tmm crash | |
783125-3 | 2-Critical | iRule drop command on DNS traffic without Datagram-LB may cause TMM crash | |
737726-1 | 2-Critical | If named is restarted and zrd is not restarted, ZoneRunner can lose contact with the DNS server daemon | |
722741-2 | 2-Critical | Damaged tmm dns db file causes zxfrd/tmm core | |
821589-3 | 3-Major | DNSSEC does not insert NSEC3 records for NXDOMAIN responses | |
813221-3 | 3-Major | Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync | |
803645-2 | 3-Major | GTMD daemon crashes | |
800265-1 | 3-Major | Undefined subroutine in bigip_add_appliance_helper message | |
774481-4 | 3-Major | DNS Virtual Server creation problem with Dependency List | |
774225-2 | 3-Major | mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting | |
760615-3 | 3-Major | Virtual Server discovery may not work after a GTM device is removed from the sync group | |
756177-4 | 3-Major | GTM marks pool members down across datacenters | |
754901-2 | 3-Major | Frequent zone update notifications may cause TMM to restart | |
751540-2 | 3-Major | GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server | |
750213-3 | 3-Major | K25351434 | DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records. |
746719-2 | 3-Major | SERVFAIL when attempting to view or edit NS resource records in zonerunner | |
745035-3 | 3-Major | gtmd crash | |
744787-3 | 3-Major | Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias | |
739553-2 | 3-Major | Setting large number for Wide IP Persistence TTL breaks Wide IP persistence | |
737529-3 | 3-Major | [GTM] load or save configs removes backslash \ from GTM pool member name | |
723095-3 | 3-Major | tmsh "modify gtm pool <type> all ... " commands fail | |
722734-2 | 3-Major | 'No Access' error when viewing properties page of a GTM Pool member whose name includes a partition that does not exist on that BIG-IP system. | |
714507-1 | 3-Major | [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server | |
701232-3 | 3-Major | Two-way iQuery connections fail to get established between GTM devices with the same address on different networks connected through address translation | |
699512-4 | 3-Major | DNS request can be dropped when queued in parallel with another request | |
698211-4 | 3-Major | K35504512 | DNS express response to non-existent record is NOERROR instead of NXDOMAIN. |
688335-6 | 3-Major | K00502202 | Big3d may restart in a loop on secondary blades of a chassis system |
688266-6 | 3-Major | big3d and big3d_install use different logic to determine which version of big3d is newer | |
679316-6 | 3-Major | iQuery connections reset during SSL renegotiation | |
665117-8 | 3-Major | K33318158 | DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping |
222220-3 | 3-Major | Distributed application statistics | |
839361-3 | 4-Minor | iRule 'drop' command does not drop packets when used in DNS_RESPONSE | |
790113-4 | 4-Minor | Cannot remove all wide IPs from GTM distributed application via iControl REST | |
775801-3 | 4-Minor | [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener | |
755282-2 | 4-Minor | [GTM] bigip_add password prompt for IPv4-mapped IPv6 address | |
752216-5 | 4-Minor | K33587043 | DNS queries without the RD bit set may generate responses with the RD bit set |
748177-2 | 4-Minor | Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character | |
747968-1 | 4-Minor | DNS64 stats not increasing when requests go through DNS cache resolver | |
740284-1 | 4-Minor | Virtual servers 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM' | |
712335-2 | 4-Minor | GTMD may intermittently crash under unusual conditions. | |
699733-1 | 4-Minor | DNS NOTIFY not sent to mgmt IP under Zone Transfer Clients list after DNS Express zone update |
Application Security Manager Issues
ID Number | Severity | Solution Article(s) | Description |
813945-2 | 2-Critical | PB core dump while processing many entities | |
756108-2 | 2-Critical | BD crash on specific cases | |
831661-3 | 3-Major | ASMConfig Handler undergoes frequent restarts | |
800453-2 | 3-Major | False positive virus violations | |
792341-3 | 3-Major | Google Analytics shows incorrect stats. | |
785529-2 | 3-Major | ASM unable to handle ICAP responses whose length is greater than 10K | |
781069-3 | 3-Major | Bot Defense challenge blocks requests with long Referer headers | |
761565-2 | 3-Major | ASM BD core when custom captcha page configured size more than 45K with %ASM.captcha.support_id% placeholder is at the end | |
761194-1 | 3-Major | param data type violation on an Integer parameter, if an integer value is sent via websocket JSON | |
750686-2 | 3-Major | ASE user cannot create or modify a bot signature. | |
748851-2 | 3-Major | Bot Detection injection include tags which may cause faulty display of application | |
739900-2 | 3-Major | All Policies are created with 3 new Signature Sets After Creation of a Policy using Application Ready Templates | |
739373 | 3-Major | ASM restart loop after sync from non-ASM to ASM device | |
722862 | 3-Major | ASM CAPTCHA sends non url-encoded payload when captcha is submitted by pressing 'Enter' | |
721399-1 | 3-Major | Signature Set cannot be modified to Accuracy = 'All' after another value | |
718232-3 | 3-Major | Some FTP servers may cause false positive for ftp_security | |
716324-1 | 3-Major | CSRF protection fails when the total size of the configured URL list is more than 2 KB | |
711818-4 | 3-Major | Connection might get reset when coming to virtual server with offload iRule | |
706184 | 3-Major | Disabling l7dos using LTM policy, and original DoS on the virtual server has no features enabled, connection hangs | |
701025-3 | 3-Major | BD restart on a device where 'provision.tmmcountactual' is set to a non-default value | |
640842-2 | 3-Major | ASM end user using mobile might be blocked when CSRF is enabled | |
795769-2 | 4-Minor | Incorrect value of Systems in system-supplied signature sets | |
754109-2 | 4-Minor | ASM content-security-policy header modification violates Content Security Policy directive | |
752797-2 | 4-Minor | BD is not correctly closing a shared memory segment | |
750682 | 4-Minor | Trying to remove a user-created 'Bot Signature' on IE11 fails | |
747560-4 | 4-Minor | ASM REST: Unable to download Whitehat vulnerabilities | |
722294-1 | 4-Minor | Reported session ID keeps changing for the same user session when ASM does not track sessions | |
720581-1 | 4-Minor | Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files | |
652793 | 4-Minor | "Signature Update Available" message is not cleared by UCS load/sync | |
620301-2 | 4-Minor | Policy import fails due to missing signature System in associated Signature Set |
Application Visibility and Reporting Issues
ID Number | Severity | Solution Article(s) | Description |
739446-1 | 2-Critical | Resetting SSL-socket correctly for AVR connection | |
833113-2 | 3-Major | Avrd core when sending large messages via https | |
781581-1 | 3-Major | Monpd uses excessive memory on requests for network_log data | |
746837-1 | 3-Major | AVR JS injection can cause error on page if the JS was not injected |
Access Policy Manager Issues
ID Number | Severity | Solution Article(s) | Description |
789085-1 | 2-Critical | When executing the ACCESS::session iRule command under a serverside event, tmm may crash | |
760130-2 | 2-Critical | [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK | |
755447-2 | 2-Critical | SSLO does not deliver content generated/originated from inline device | |
747192-1 | 2-Critical | Small memory leak while creating Access Policy items | |
745600-2 | 2-Critical | Removal of timer object from tmm timer-ring when a tcl context is released. | |
739674-2 | 2-Critical | TMM might core in SWG scenario with per-request policy. | |
723402-1 | 2-Critical | Apmd crashes running command: tmsh restart sys service all | |
713820-2 | 2-Critical | Pass in IP address to urldb categorization engine | |
660913-2 | 2-Critical | For ActiveSync client type, browscap info provided is incorrect.★ | |
803825-4 | 3-Major | WebSSO does not support large NTLM target info length | |
799149-1 | 3-Major | Authentication fails with empty password | |
798261-3 | 3-Major | APMD fails to create session variables if spanning is enabled on SWG transparent virtual server | |
786173-3 | 3-Major | UI becomes unresponsive when accessing Access active session information | |
775621-3 | 3-Major | urldb memory grows past the expected ~3.5GB | |
774301-3 | 3-Major | Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList | |
768025-2 | 3-Major | SAML requests/responses fail with "failed to find certificate" | |
761303-3 | 3-Major | Upgrade of standby BIG-IP system results in empty Local Database | |
760410-2 | 3-Major | Connection reset is seen when Category lookup agent is used in per-req policy | |
759392-3 | 3-Major | HTTP_REQUEST iRule event triggered for internal APM request | |
758542-2 | 3-Major | OAuth database instance appears empty after upgrade from v13.x★ | |
754542-3 | 3-Major | TMM may crash when using RADIUS Accounting agent | |
750823-2 | 3-Major | Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD | |
749036-1 | 3-Major | Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM | |
748944-2 | 3-Major | Import is failing for APM SSO Config object | |
748451-2 | 3-Major | Manager users cannot perform changes in per-request policy properties | |
746771-4 | 3-Major | APMD recreates config snapshots for all access profiles every minute | |
746768-3 | 3-Major | APMD leaks memory if access policy contains variable/resource assign policy items | |
744532-1 | 3-Major | Websso fails to decrypt secured session variables | |
744407-4 | 3-Major | While the client has been closed, iRule function should not try to check on a closed session | |
744316-2 | 3-Major | Config sync of APM policy fails with Cannot update_indexes validation error. | |
739432-1 | 3-Major | F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems | |
738547-2 | 3-Major | SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII | |
737355-2 | 3-Major | HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files | |
737064-1 | 3-Major | ACCESS::session iRule commands may not work in serverside events | |
734316-1 | 3-Major | Per-Request Policy may require enabling SSL Forward Proxy Bypass | |
727468-1 | 3-Major | iSession hudfilter initialization fails when apm-forwarding-server-tcp profile is used. | |
725840-1 | 3-Major | Customization group object is not deleted when SAML resource object is deleted | |
720030-5 | 3-Major | Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U) | |
710044-4 | 3-Major | Portal Access: same-origin AJAX request may fail in some case. | |
707953-3 | 3-Major | Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page | |
706797-2 | 3-Major | Portal Access: some multibyte characters in JavaScript code may not be handled correctly | |
706374-5 | 3-Major | Heavy use of APM Kerberos SSO can sometimes lead to memory corruption | |
705502-1 | 3-Major | Create download URL for APM CLI client rpm/deb packages for x86_64 for armhf and Linux platforms | |
704524-5 | 3-Major | [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries | |
703984-8 | 3-Major | Machine Cert agent improperly matches hostname with CN and SAN | |
698836-1 | 3-Major | Increased APM session capacity is not available after installing an APM session count License | |
697590-3 | 3-Major | APM iRule ACCESS::session remove fails outside of Access events | |
673357-2 | 3-Major | SWG puts flow in intercept mode when session is not found | |
660654 | 3-Major | The APM 'epsec refresh' CLI command works incorrectly if install package is deleted | |
600985-2 | 3-Major | Network access tunnel data stalls | |
534187-4 | 3-Major | Passphrase protected signing keys are not supported by SAML IDP/SP | |
819233-2 | 4-Minor | Ldbutil utility ignores '--instance' option if '--list' option is specified | |
778333-2 | 4-Minor | GUI/CLI max-in-progress discrepancy occurs after upgrade from v11.x to v13.x or later | |
766761-3 | 4-Minor | Ant-server does not log requests that are excluded from scanning |
WebAccelerator Issues
ID Number | Severity | Solution Article(s) | Description |
833213-4 | 3-Major | Conditional requests are served incorrectly with AAM policy in webacceleration profile | |
701977-6 | 3-Major | Non-URL encoded links to CSS files are not stripped from the response during concatenation | |
748031-2 | 4-Minor | Invalidation trigger parameter containing reserved XML characters does not create invalidation rule |
Service Provider Issues
ID Number | Severity | Solution Article(s) | Description |
814097-3 | 2-Critical | Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event. | |
811105-4 | 2-Critical | MRF SIP-ALG drops SIP 183 and 200 OK messages | |
781725-3 | 2-Critical | BIG-IP systems might not complete a short ICAP request with a body beyond the preview | |
766405-4 | 2-Critical | MRF SIP ALG with SNAT: Fix for potential crash on next-active device | |
745397-2 | 2-Critical | Virtual server configured with FIX profile can leak memory. | |
824149-2 | 3-Major | SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured | |
815529-3 | 3-Major | MRF outbound messages are dropped in per-peer mode | |
811745-3 | 3-Major | Failover between clustered DIAMETER devices can cause mirror connections to be disconnected | |
804313-3 | 3-Major | MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded. | |
790949-3 | 3-Major | MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior. | |
782353-7 | 3-Major | SIP MRF via header shows TCP Transport when TLS is enabled | |
755311-2 | 3-Major | No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down | |
753501-2 | 3-Major | iRule commands (such as relate_server) do not work with MRP SIP | |
751179-2 | 3-Major | MRF: Race condition may create too many outgoing connections to a peer | |
749528-2 | 3-Major | IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap | |
749041-1 | 3-Major | MRSIP log of subscriber deletion outputs '(null)' for subscriber URI | |
748355-1 | 3-Major | MRF SIP curr_pending_calls statistic can show negative values. | |
748253-2 | 3-Major | Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection | |
746731-2 | 3-Major | BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set | |
744275-2 | 3-Major | BIG-IP system sends Product-Name AVP in CER with Mandatory bit set | |
738070-1 | 3-Major | Persist value for the RADIUS Framed-IP-Address attribute is not correct | |
727288-2 | 3-Major | Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC | |
709383-1 | 3-Major | DIAMETER::persist reset non-functional | |
788513-3 | 4-Minor | Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log | |
786981-2 | 4-Minor | Pending GTP iRule operation maybe aborted when connection is expired | |
753790-1 | 4-Minor | Allow 'DIAMETER::persist reset' command in EGRESS events |
Advanced Firewall Manager Issues
ID Number | Severity | Solution Article(s) | Description |
802421-3 | 2-Critical | The /var partition may become 100% full requiring manual intervention to clear space | |
763121-2 | 2-Critical | Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM. | |
761173-2 | 2-Critical | tmm crash after extended whitelist modification | |
757359-2 | 2-Critical | pccd crashes when deleting a nested Address List | |
752363-3 | 2-Critical | Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled | |
751869-1 | 2-Critical | Possible tmm crash when using manual mode mitigation in DoS Profile | |
749402 | 2-Critical | AFM ACL Rule with Redirect to Virtual action can on rare occasions cause TMM restart | |
749331-2 | 2-Critical | Global DNS DoS vector does not work in certain cases | |
747922-4 | 2-Critical | With AFM enabled, during bootup, there is a small possibility of a tmm crash | |
724532-3 | 2-Critical | SIG SEGV during IP intelligence category match in TMM | |
812481-3 | 3-Major | HSL logging may work unreliably for Management-IP firewall rules | |
811157-3 | 3-Major | Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself | |
808893-3 | 3-Major | DNS DoS profile vectors do not function correctly★ | |
808889-3 | 3-Major | DoS vector or signature stays hardware-accelerated even when traffic rate is lower than mitigation threshold | |
793217-3 | 3-Major | HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation | |
771173-2 | 3-Major | FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★ | |
761345-2 | 3-Major | Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode | |
757555 | 3-Major | Network DoS Logging Profile does not work with other logging profiles together | |
755721-2 | 3-Major | A UDP DNS packet may incorrectly match a BDoS signature if such a packet was queued up due to ingress shaper | |
751116-2 | 3-Major | DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring | |
749761-2 | 3-Major | AFM Policy with Send to Virtual and TMM crash in a specific scenario | |
748176 | 3-Major | BDoS Signature can wrongly match a DNS packet | |
748081-3 | 3-Major | Memory leak in Behavioral DoS module | |
747926-1 | 3-Major | Rare TMM restart due to NULL pointer access during AFM ACL logging | |
738284-3 | 3-Major | Creating or deleting rule list results in warning message: Schema object encode failed | |
726154-3 | 3-Major | TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies | |
724679-1 | 3-Major | Non-attacking IP addresses could be logged along with attacking IP addresses when DoS detects an attack | |
720242-1 | 3-Major | GUI for AFM rules shows protocol value IPENCAP for rules under rule-list | |
703165-3 | 3-Major | shared memory leakage | |
663946-5 | 3-Major | VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments | |
756457 | 4-Minor | tmsh command 'show security' returning a parsing error | |
707054-2 | 4-Minor | SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162 | |
756477-1 | 5-Cosmetic | Drop Redirect tab incorrectly named as 'Redirect Drop' |
Policy Enforcement Manager Issues
ID Number | Severity | Solution Article(s) | Description |
760518-3 | 2-Critical | PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement | |
750491-3 | 2-Critical | PEM Once-Every content insertion action may insert more than once during an interval | |
814941-5 | 3-Major | PEM drops new subscriber creation if historical aggregate creation count reaches the max limit | |
783289-2 | 3-Major | PEM actions not applied in VE bigTCP. | |
781485-3 | 3-Major | PEM with traffic group can lead to local cache leaks on STANDBY if there is an ACTIVE-ACTIVE transition | |
764901-3 | 3-Major | PEM policy filters rules memory gets leaked if policy is deleted before deleting the rules | |
760438-2 | 3-Major | PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions | |
753163-3 | 3-Major | PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days | |
753014-3 | 3-Major | PEM iRule action with RULE_INIT event fails to attach to PEM policy | |
747065-4 | 3-Major | PEM iRule burst of session ADDs leads to missing sessions | |
737374-2 | 3-Major | local-db PEM Subscriber Activity log missing | |
726011-3 | 3-Major | PEM transaction-enabled policy action lookup optimization to be controlled by a sys db | |
721704-2 | 3-Major | UDP flows are not deleted after subscriber deletion | |
670994-4 | 3-Major | There is no validation for IP address on the ip-address-list for static subscriber | |
663874-1 | 3-Major | K77173309 | Off-box HSL logging does not work with PEM in SPAN mode. |
719107-1 | 4-Minor | Message type is not displayed in CLI and incorrect message type is displayed in GUI for Subscriber Management diameter protocol profile message type CCA-T. |
Carrier-Grade NAT Issues
ID Number | Severity | Solution Article(s) | Description |
744516-3 | 2-Critical | TMM panics after a large number of LSN remote picks | |
669645-4 | 2-Critical | tmm crashes after LSN pool member change | |
721579-2 | 4-Minor | LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing |
Fraud Protection Services Issues
ID Number | Severity | Solution Article(s) | Description |
775013-3 | 3-Major | TIME EXCEEDED alert has insufficient data for analysis | |
745783-2 | 3-Major | Anti-fraud: remote logging of login attempts | |
738669-1 | 3-Major | Login validation may fail for a large request with early server response | |
660759-2 | 3-Major | Cookie hash persistence sends alerts to application server. | |
738677-2 | 4-Minor | Configured name of wildcard parameter is not sent in data integrity alerts |
Anomaly Detection Services Issues
ID Number | Severity | Solution Article(s) | Description |
767045-1 | 4-Minor | TMM cores while applying policy |
Traffic Classification Engine Issues
ID Number | Severity | Solution Article(s) | Description |
754257-3 | 3-Major | URL lookup queries not working | |
744914-1 | 3-Major | Traffic Intelligence system-generated presets are not saved to config file, and GUI allows them to be deleted | |
737379-1 | 3-Major | URL not classified when uppercase characters exist in the feedlist | |
726303-2 | 3-Major | Unlock 10 million custom db entry limit | |
741435-1 | 4-Minor | Using local traffic policies with type 'CE Profile', a new rule does not have the option to classify traffic |
Device Management Issues
ID Number | Severity | Solution Article(s) | Description |
718796-2 | 2-Critical | iControl REST token issue after upgrade★ | |
710809-3 | 2-Critical | Restjavad hangs and causes GUI page timeouts | |
718033-3 | 3-Major | REST calls fail after installing BIG-IP software or changing admin passwords |
iApp Technology Issues
ID Number | Severity | Solution Article(s) | Description |
818069-3 | 3-Major | GUI hangs when iApp produces error message |
Protocol Inspection Issues
ID Number | Severity | Solution Article(s) | Description |
825501 | 3-Major | IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★ | |
778225-1 | 3-Major | vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host |
Known Issue details for BIG-IP v14.0.x
839361-3 : iRule 'drop' command does not drop packets when used in DNS_RESPONSE
Component: Global Traffic Manager (DNS)
Symptoms:
The iRule 'drop' command may not drop a DNS response when called under DNS_RESPONSE event.
Conditions:
iRule drop is used under DNS_RESPONSE event.
Impact:
DNS response may be improperly forwarded to the client.
Workaround:
Use DNS::drop instead.
838337-4 : The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
Component: TMOS
Symptoms:
In 2019, Brazil cancelled DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP system's time zone database needs to be updated to reflect this change.
Conditions:
None.
Impact:
BIG-IP systems configured to use "America/Sao_Paulo" (or other applicable Brazilian localities) will still apply DST. Hence time will spring forward and backward on previously designated dates.
This will have no impact to application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, etc. will use incorrect time.
Note: You can inspect the time changes your system is due to apply by running the following command from the BIG-IP system's advanced shell (bash):
zdump -v <timezone>
For example:
zdump -v America/Sao_Paulo
Workaround:
As a workaround, you can set the BIG-IP system's time zone to that of a different country that has the same UTC offset and does not observe DST.
For example, instead of using "America/Sao_Paulo", you could use "America/Buenos_Aires" to obtain the same result.
838305-3 : BIG-IP may create multiple connections for packets that should belong to a single flow.
Component: Local Traffic Manager
Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.
Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.
Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.
837637-3 : Orphaned bigip_gtm.conf can cause config load failure after upgrading★
Component: TMOS
Symptoms:
Configuration fails to load after upgrade with a message like:
01420006:3: Can't find specified cli schema data for 13.1.1.4
Conditions:
-- An orphaned bigip_gtm.conf from an older version is present. This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade, leaving behind a bigip_gtm.conf with the old schema.
-- The system is upgraded to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.
Impact:
Configuration fails to load after upgrade.
Workaround:
After deprovisioning DNS and before upgrading, run:
rm -f /config/bigip_gtm.conf
tmsh load sys config gtm-only
837617-4 : Tmm may crash while processing a compression context
Component: Local Traffic Manager
Symptoms:
Tmm crashes on segfault.
Conditions:
Conditions are unknown.
Impact:
Traffic disrupted while tmm restarts.
837481-4 : SNMPv3 pass phrases should not be synced between high availability (HA) devices as they are based on each device's unique engineID
Component: TMOS
Symptoms:
SNMPv3 fails to read authenticated or encrypted messages to all but one of the members of a Config Sync group.
Conditions:
Using SNMPv3 to read or receive Traps from high availability (HA) pairs.
Impact:
SNMPv3 can only work for one member of a configsync group.
Configuring passwords on one device makes that device work, but other members of the config sync group will then fail.
Workaround:
- Check that "Authoritative (security) engineID for SNMPv3" is not synced (mostly code released since 2019). The engineID needs to be unique per device.
- Modify /defaults/config_base.conf to set sync to "no" and check that these do not sync.
The following parameters must NOT be synced, because they need to match the individual device's engineID:
display-name "Authoritative (security) engineID for SNMPv3"
display-name "Authentication pass phrase for SNMPv3 messages"
display-name "Privacy pass phrase used for encrypted SNMPV3 messages"
display-name "User's passphrase"
display-name "Privacy passphrase"
# Mount /usr as rw (see K11302)
mount -o remount,rw /usr
pico /defaults/config_base.conf
# use Control-w to search for the display names above
# change "configsyncd yes" to "configsyncd no" if necessary in each location
# use Control-x y to exit with saving
# Restore /usr as ro
mount -o remount,ro /usr
tmsh load sys config
Once these values no longer sync, you can create the SNMPv3 user on each device using the same pass phrase that your SNMPv3 manager uses:
tmsh modify sys snmp users add { v3snmp { auth-protocol sha privacy-protocol aes username mikev3 auth-password password3 privacy-password password3} }
tmsh modify sys snmp users modify { v3snmp { security-level auth-privacy access rw } }
Each device should then respond to a query that uses that same pass phrase:
snmpwalk -v 3 localhost -a sha -x aes -A password3 -X password3 -u mikev3 -l authpriv
For more information about SNMP, see the following articles.
K15681: Customizing the SNMP v3 engineID
K6821: SNMP v3 fails if the SNMP engine ID is not unique
K3727: Configuring custom SNMP traps
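Why syncing these values breaks the peers in 837481, as an added example (not F5 code and not part of the original notes): RFC 3414 localizes every SNMPv3 key to the agent's engineID, so a key derived on one device cannot authenticate messages addressed to another. The engine IDs and message bytes are constructed, and the example assumes that the synced values are the engineID-localized keys rather than the plain pass phrases.

```python
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576  # RFC 3414 A.2 hashes exactly this many bytes


def password_to_key(passphrase: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2: hash the pass phrase repeated cyclically up to 1 MiB (Ku)."""
    if not passphrase:
        raise ValueError("pass phrase must not be empty")
    reps, rem = divmod(ONE_MEGABYTE, len(passphrase))
    stream = passphrase * reps + passphrase[:rem]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(passphrase: bytes, engine_id: bytes,
                  hash_name: str = "sha1") -> bytes:
    """Pass phrase -> key usable only with the agent that owns engine_id."""
    return localize_key(password_to_key(passphrase, hash_name),
                        engine_id, hash_name)


def hmac_sha_96(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-96 tag: HMAC-SHA1 truncated to 12 octets (RFC 3414 section 7)."""
    return hmac.new(key, message, hashlib.sha1).digest()[:12]


def agent_accepts(stored_key: bytes, manager_passphrase: bytes,
                  agent_engine_id: bytes, message: bytes) -> bool:
    """Simplified auth check.

    The manager derives its key from the pass phrase and the engineID the
    agent reports; the agent verifies with whatever key it has stored.
    Real SNMPv3 computes the tag over the whole message with the
    authentication parameters zeroed; that framing is omitted here.
    """
    manager_key = localized_key(manager_passphrase, agent_engine_id)
    tag = hmac_sha_96(manager_key, message)
    return hmac.compare_digest(tag, hmac_sha_96(stored_key, message))


def simulate_config_sync() -> dict:
    """Compare a peer holding a synced key with one holding its own key."""
    # Constructed engine IDs (format octet 0x04 = text), one per HA member.
    engine_a = bytes.fromhex("8000000004") + b"bigip-a"
    engine_b = bytes.fromhex("8000000004") + b"bigip-b"
    passphrase = b"password3"           # sample pass phrase from the workaround
    message = b"constructed SNMPv3 message bytes"

    key_a = localized_key(passphrase, engine_a)  # created on device A
    key_b = localized_key(passphrase, engine_b)  # created locally on device B

    return {
        # Device A verifies with the key derived from its own engineID.
        "device_a": agent_accepts(key_a, passphrase, engine_a, message),
        # Device B received A's localized key through config sync.
        "device_b_with_synced_key":
            agent_accepts(key_a, passphrase, engine_b, message),
        # Device B had the user created locally, as the workaround describes.
        "device_b_with_local_key":
            agent_accepts(key_b, passphrase, engine_b, message),
    }


if __name__ == "__main__":
    for name, ok in simulate_config_sync().items():
        print(f"{name}: {'authenticated' if ok else 'authentication failure'}")
```

The same pass phrase works on every device only when each device derives the key against its own engineID, which is why the workaround creates the user locally on each member.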
834217-4 : Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.
Component: Local Traffic Manager
Symptoms:
Due to a known issue, BIG-IP may advertise a sub-optimal window size.
Conditions:
Result of (init-rwnd * client-mss) is greater than maximum window size (65,535).
Impact:
Degraded TCP performance.
Workaround:
Do not use init-rwnd values that might result in values higher than maximum window size (65,535).
Assuming MSS of 1480, the maximum value of init-rwnd is:
65535/1480 = 44.
833213-4 : Conditional requests are served incorrectly with AAM policy in webacceleration profile
Component: WebAccelerator
Symptoms:
HTTP 1.1 allows a conditional request with header If-Modified-Since or If-Unmodified-Since to determine whether a resource changed since a specified date and time. If AAM is provisioned and its policy is assigned to a virtual server, it may incorrectly respond with 304 Not Modified, even after the resource was updated.
Conditions:
-- AAM is provisioned and webacceleration policy is attached to a virtual server.
-- Client sends a conditional request with If-Modified-Since or If-Unmodified-Since header.
-- The BIG-IP system responds from AAM cache.
Impact:
Client does not receive an updated resource.
Workaround:
Use webacceleration profile without AAM policy for resources that require conditional checks falling back into Ramcache.
833113-2 : Avrd core when sending large messages via https
Component: Application Visibility and Reporting
Symptoms:
Sending large messages (>4KB) via HTTPS may cause avrd to core.
Conditions:
This typically happens when BIG-IP is managed by BIG-IQ and configuration is large and complex or traffic capturing is enabled.
Impact:
Messages to BIG-IQ are lost. In severe cases, analytics functionality may be unavailable due to continuous AVRD cores.
Workaround:
None.
832133-4 : In-TMM monitors fail to match certain binary data in the response from the server.
Component: Local Traffic Manager
Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system still marks them DOWN.
Conditions:
This issue occurs when all of the following conditions are met:
-- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).
-- One (or more) of your TCP or HTTP monitors specifies a receive string using HEX encoding, in order to match binary data in the server's response.
-- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.
Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.
Workaround:
You can use either of the following workarounds:
-- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.
-- Do not monitor the application through a binary response (if the application allows it).
831821-4 : Corrupted DAG packets cause bcm56xxd core on VCMP host
Component: TMOS
Symptoms:
On a VCMP host, bcm56xxd crashes when it receives corrupted DAG packets.
Conditions:
Unknown.
Impact:
Device goes offline, traffic disruption.
831661-3 : ASMConfig Handler undergoes frequent restarts
Component: Application Security Manager
Symptoms:
Under some settings and load the RPC handler for the Policy Builder process restarts frequently, causing unnecessary churn and slower learning performance.
Conditions:
Configure one or more policies with automatic policy building enabled and learn traffic with violations.
Impact:
Control Plane instability and poor learning performance on the device.
829317-2 : Memory leak observed when running ICRD child
Component: TMOS
Symptoms:
When the ICRD child process is running and users are switching rapidly, memory may leak slowly in tmsh and APM.
Conditions:
[1] ICRD child process is running
[2] There are multiple users on the device
[3] The multiple users are fetching a web-page using curl, repeatedly and concurrently
Impact:
Memory slowly leaks in tmsh and APM.
827441-2 : Changing a UDP virtual server with an immediate timeout to a TCP virtual server can cause connections to fail
Component: Local Traffic Manager
Symptoms:
The BIG-IP system sends a TCP SYN to the back-end server, but ignores the server's SYN-ACK response.
Conditions:
A virtual server that contains a UDP profile with idle-timeout immediate is modified to replace the UDP profiles with TCP profiles.
Impact:
Connections from the BIG-IP system to backend servers fail.
Workaround:
Delete and recreate the virtual server.
827021-3 : MCP update message may be lost when primary blade changes in chassis
Component: TMOS
Symptoms:
In a VIPRION chassis, when the Primary blade is disabled (intentionally or due to an unexpected loss of functionality) and a new Primary blade is selected, there is a brief window of time during which status messages forwarded from MCPD on a Secondary blade to MCPD on the Primary blade might be dropped, possibly resulting in an incorrect view of the state of configured objects.
Conditions:
This problem may occur under the following conditions:
-- The state of a blade-local object/resources (such as a network interface or trunk) changes.
-- There is a high load on MCPD (for example, due to configuration reload on the new Primary blade) which delays processing of some MCPD actions.
Impact:
This problem may result in the state of blade-local objects (such as interfaces or trunks) being seen and reported incorrectly across the blades in the chassis, or on one or more specific blades (Primary, Secondary) in the chassis.
For example, if loss of the Primary blade results in one or more interfaces in a trunk being marked down by LACPD on a specific blade, resulting changes in trunk/member status may not be propagated correctly to the Primary blade, and from there to other Secondary blades.
Workaround:
None.
826313-3 : Error: Media type is incompatible with other trunk members★
Component: TMOS
Symptoms:
Loading the system configuration fails after upgrade with an error message:
01070619:3: Interface 5.0 media type is incompatible with other trunk members
Conditions:
-- Trunk interface created in BIG-IP version 12.3.4.
-- Trunk interfaces have different speeds (e.g. 100Mb interfaces and 1Gb interfaces)
-- Load the configuration after upgrading from v12.1.3.4 to v12.1.3.5.
Impact:
The system configuration is failing to load.
Workaround:
If you encounter this error, manually fix all trunks to only use interfaces of the same speed, and then load the configuration.
825501 : IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★
Component: Protocol Inspection
Symptoms:
If the IPS IM package is installed on a multi-slot device, and one slot is offline, the IM package version might be different on the offline slot when it comes back online.
It also shows different versions of the Active IM package on different slots.
Conditions:
-- Multi-bladed clustered system.
-- One of the blades is offline.
-- The IPS IM package is installed to the primary blade.
Impact:
The primary blade syncs the IM package to all of the secondary blades that are online; however, when the offline blade comes back online, it does not have the updated IM package.
As a result, traffic being processed by different blades will be using different IPS libraries, which might cause inconsistent functionality.
Workaround:
Although there is no workaround, you can prevent the issue by ensuring that all blades are online when you install an IPS IM package.
825245-5 : SSL::enable does not work for server side ssl
Component: Local Traffic Manager
Symptoms:
When SSL::enable is issued in an iRule, for example in the HTTP Request event, it will not enable the server side profile if the server side profile is disabled.
Conditions:
An HTTP profile is configured on a virtual, and the server-ssl profile on the same virtual is disabled.
Impact:
The connection will close instead of completing.
Workaround:
Do not use a disabled server-ssl profile in this situation.
824809-3 : bcm56xxd watchdog restart
Component: TMOS
Symptoms:
During initialization of very large configurations it is possible that the watchdog timer will fire and reset the bcm56xxd driver.
Conditions:
System configuration with very large number of objects being loaded.
Impact:
The driver restarts.
824437-3 : Chaining a standard virtual server and an ipother virtual server together can crash TMM.
Component: Local Traffic Manager
Symptoms:
TMM crashes with a SIGFPE and restarts. The TMM logs contain the following panic message:
Assertion "xbuf_delete_until successful" failed.
Conditions:
This issue occurs when the following conditions are met:
-- The system has been configured with a standard virtual server and an Any IP (ipother) virtual server chained together. This can be done explicitly using an iRule that features the 'virtual' command to connect the two virtual servers, or implicitly with certain APM configurations.
-- The pool member on the server-side asks this specific virtual server configuration on the BIG-IP system to retransmit data.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure the target virtual server in the chain configuration does not use the ipother profile.
824365-2 : Need informative messages for HTTP iRule runtime validation errors
Component: Local Traffic Manager
Symptoms:
For HTTP iRule runtime validation errors, an ERR_NOT_SUPPORTED error message is appended (with rule name and event) to /var/log/ltm, but the message is not informative about the cause of the validation error:
err tmm1[20445]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri".
The system should post a more informative message, in this case:
err tmm[10662]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - can't call after responding - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri"
Conditions:
-- HTTP filter and HTTP iRules are used by a virtual server.
-- An HTTP iRule runtime validation error happens. For example, HTTP::uri is called after HTTP::respond, which is not supported.
Impact:
With no informative error messages, it is difficult to identify the validation error.
Workaround:
There is no workaround at this time.
824149-2 : SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured
Component: Service Provider
Symptoms:
On a SIP ALG virtual server with a source-nat-policy assigned, if traffic processed by the virtual server does not match the source-nat-policy, or if it matches a source-nat-policy that does not have source-translation configured, tmm cores and restarts.
Conditions:
-- SIP ALG virtual server with an assigned source-nat-policy.
-- Traffic does not match the source-nat-policy, or traffic matches a source-nat-policy that has no source-translation configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure SIP ALG virtual so that the condition never happens. For example, apply a source attribute to the virtual server that filters out traffic that will not match the source-nat-policy. Never use a source-nat-policy that has no source-translation.
823825-4 : Renaming high availability (HA) VLAN can disrupt state-mirror connection
Component: Local Traffic Manager
Symptoms:
If the VLAN that services the state mirror connection between BIG-IP systems is renamed, it can cause a disruption of the state mirror connection. It can also lead to an eventual crash.
Conditions:
Renaming the VLAN that services the state mirror connection between BIG-IP systems in a high availability (HA) configuration.
Impact:
System might crash eventually.
Workaround:
Do not rename the VLAN that services the state mirror connection between BIG-IP systems in a high availability (HA) configuration.
822025-3 : HTTP response not forwarded to client during an early response
Component: Local Traffic Manager
Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.
Conditions:
-- A slow client.
-- An early server response with the HTTP::respond iRule.
Impact:
A client does not receive the redirect from the HTTP::respond iRule.
Workaround:
None.
821589-3 : DNSSEC does not insert NSEC3 records for NXDOMAIN responses
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC does not insert NSEC3 records for NXDOMAIN responses.
Conditions:
-- "process-xfr yes" is set for the dns profile associated with the listener;
And
-- There is no "Zone Transfer Clients" nameserver configured for that zone.
And
-- There is no wideip configured.
Impact:
DNSSEC does not respond with NSEC3 records for a non-existent domain.
Workaround:
1. Change this setting for dns profile from "process-xfr yes" to "process-xfr no";
Or
2. Add a nameserver for "Zone Transfer Clients" of that zone.
Or
3. Add a wideip.
820333-4 : LACP working member state may be inconsistent when blade is forced offline
Component: Local Traffic Manager
Symptoms:
Inconsistent (out-of-sync) LACP working member state.
Incorrect trunk high availability (HA) score.
Conditions:
LACP updates while blade is going offline.
Impact:
Incorrect high availability (HA) score may prevent the unit from automatically failing over.
820213-1 : 'Application Service List' empty after UCS restore
Component: TMOS
Symptoms:
The iApps :: Applications LX list does not display anything after restoring a UCS that was taken from a different device.
Conditions:
-- Restoring a UCS from a different device.
-- UCS includes the gtpFwConfigurationWizard iApp.
Impact:
Cannot see anything on 'Application Service List', and you are unable to configure the application.
Workaround:
Run the following command before restoring the UCS file:
clear-rest-storage
819457-4 : LTM high availability (HA) sync should not sync GTM zone configuration
Component: TMOS
Symptoms:
An LTM high availability (HA) sync group syncs GTM zone configuration changes.
Conditions:
1. The BIG-IP systems have both LTM and GTM provisioned.
2. The two BIG-IPs are inside one LTM sync group.
Impact:
GTM zone files are accidentally modified.
819429-2 : Unable to scp to device after upgrade: path not allowed
Component: TMOS
Symptoms:
You cannot copy files to symlinks of locations present under the whitelist.
Conditions:
The issue occurs when scp is performed on a symlink to a location present under the whitelist.
Impact:
Cannot copy files to symlinks of locations present under the whitelist.
Workaround:
None.
819421-2 : Unable to scp/sftp to device after upgrade★
Component: TMOS
Symptoms:
Users with numeric usernames are unable to log in via scp.
Conditions:
-- Logging in via scp/sftp.
-- User account with a numeric username.
Impact:
Unable to log in via scp.
Workaround:
Include alpha characters in username.
819233-2 : Ldbutil utility ignores '--instance' option if '--list' option is specified
Component: Access Policy Manager
Symptoms:
When running ldbutil utility, if the '--list' option is specified, then the '--instance' option has no effect. All the local users will be listed.
Conditions:
When both '--list' and '--instance' options are specified.
Impact:
The output lists all the local users instead of limiting the list to the given '--instance' option.
Workaround:
None.
818853-4 : Duplicate MAC entries in FDB
Component: Local Traffic Manager
Symptoms:
Forwarding DataBase (FDB) not updated when a MAC moves among interfaces.
Conditions:
-- Having multiple paths to a MAC in a given configuration.
Impact:
There are duplicate MAC address entries which come from multiple interfaces.
Workaround:
None.
818789-4 : Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile
Component: Local Traffic Manager
Symptoms:
With in-tmm monitoring enabled (or sys db bigd tmm set to enable) and with https monitor's ssl-profile set to none, the expected behavior is to send ciphers in ClientHello based on default serverssl profile as mentioned in GUI help for https monitor.
Conditions:
Configure HTTPS Monitor with ssl-profile "None".
Impact:
Ciphers are not exchanged as expected in the ClientHello packets.
Workaround:
Configure the HTTPS monitor without the ssl-profile option; the default serverssl profile will be used.
818505-4 : Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Component: TMOS
Symptoms:
Using an iControl PUT command to modify a virtual address will change that address's netmask to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
Conditions:
Modifying a virtual address using an iControl PUT command.
Impact:
An unintentional change to the virtual address's netmask.
Workaround:
Two options:
-- Use a PATCH command instead of a PUT command.
-- Always specify the netmask explicitly when making changes.
818097-3 : Plane CPU stats too high after primary blade failover in multi-blade chassis
Component: Local Traffic Manager
Symptoms:
The data, control, and analysis plane stats are too high as reported by tmsh show sys performance system detail.
Conditions:
The primary blade in a multi-blade chassis fails over to another blade.
Impact:
The plane CPU stats are too high.
Workaround:
Remove the /var/tmstat/blade/statsd file on the previous primary blade and restart merged on that blade.
818069-3 : GUI hangs when iApp produces error message
Component: iApp Technology
Symptoms:
If lengthy Tcl errors are displayed in the GUI while creating an iApp, the GUI can hang.
Conditions:
-- Creating an iApp that contains a syntax error.
-- A large error message is emitted.
Impact:
GUI hangs.
Workaround:
Restart the tomcat process:
tmsh restart sys service tomcat
817085-3 : Multicast Flood Can Cause the Host TMM to Restart
Component: TMOS
Symptoms:
A vCMP host tmm is restarted.
Conditions:
The vCMP host is processing heavy multicast traffic.
Impact:
The host TMM restarts and traffic stops for the guests.
Workaround:
An adjustment to the scheduling can be made by this setting of the vCMP Host configuration:
# echo "realtime yield 90" > /config/tmm_init.tcl
# bigstart restart tmm
The bigstart restart tmm must be performed individually on all blades on the vCMP host. These changes also must be done on all vCMP hosts with guests in a high availability (HA) setup.
816273-3 : L7 Policies may execute CONTAINS operands incorrectly.
Component: Local Traffic Manager
Symptoms:
L7 Policies involving CONTAINS operands may execute incorrectly in some cases.
The policy compiler may incorrectly combine some internal states, 'forgetting' degrees of partial evaluation of a CONTAINS operation.
Conditions:
Multiple CONTAINS conditions are used on the same virtual server.
Impact:
The wrong policy actions may be triggered.
Workaround:
It may be possible to reorder the rules in a policy to restore correct operation. However, the more complex the policy, the less likely this is.
815825-3 : BIG-IP may not create a listener object after TMM restarts or the system reboots
Component: Local Traffic Manager
Symptoms:
After a reboot or TMM restart, the system may fail to create a listener object for configured virtual servers. Depending on the configuration:
-- The BIG-IP system may stop responding to ARP requests for configured virtual servers.
-- The BIG-IP system may reject traffic for configured virtual servers with [F5RST: No local listener], or drop it silently if tm.rejectunmatched is set to false.
Conditions:
-- LTM policy with external datagroup configured on virtual server.
-- Reboot or TMM restart.
Impact:
Unable to establish connections to the affected virtual server.
Workaround:
Delete and re-add the affected virtual-server.
815529-3 : MRF outbound messages are dropped in per-peer mode
Component: Service Provider
Symptoms:
When a Message Routing profile is configured with a peer consisting of an outbound virtual server, transport config, no pool, and per-peer mode, messages may be dropped when the outgoing connection is persisted to a different tmm than the message was received on.
Conditions:
-- Message Routing Profile.
-- A peer configured for outbound traffic with a virtual server and transport config in per-peer mode, no pool.
-- Persistence is enabled.
-- Multiple outbound messages with the same destination address.
Impact:
Outbound traffic with the same destination address may be dropped at random.
Workaround:
Change the peer connection mode to 'Per TMM'.
815425-2 : RAID status is shown <undefined> after upgrade from 12.1.3.5 to 13.1.1.5★
Component: TMOS
Symptoms:
On RAID-supported BIG-IP platforms, after an upgrade from BIG-IP v12.1.3.5 to BIG-IP v13.1.1.5, the RAID array member state is shown as 'undefined' in the output of the following commands, though the actual RAID status is 'up'.
- array
- tmsh show sys raid
Conditions:
On RAID supported platforms, clean install of BIG-IP 12.1.x version followed by upgrade to BIG-IP 13.1.x version.
Impact:
RAID information is reported wrongly.
815089-4 : On a system with no VLANs, you can create virtual servers or SNATs that have identical address/port combinations
Component: Local Traffic Manager
Symptoms:
If you have a system with no VLANs configured, and you attempt to create virtual servers or SNATs that have the same address/port combinations, you will be able to do so without validation errors.
Conditions:
-- A BIG-IP system with no VLANs configured.
-- Creating virtual servers or SNATs that have identical address/port combinations.
Impact:
An invalid configuration is allowed.
Workaround:
None.
814941-5 : PEM drops new subscriber creation if historical aggregate creation count reaches the max limit
Component: Policy Enforcement Manager
Symptoms:
PEM subscriber creation fails, usually seen across multiple high availability (HA) failover events.
Conditions:
The aggregate subscriber creation count reaches the maximum subscriber limit per tmm, which is configured using the sys db variable statemirror.mirrorsessions.
Impact:
Unable to bring up any more subscribers.
Workaround:
Restart tmm when the limits are reached.
814585-4 : PPTP profile option not available when creating or modifying virtual servers in GUI
Component: TMOS
Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.
Conditions:
Creating or modifying a virtual server in the GUI.
Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.
Workaround:
Use TMSH to add a PPTP profile to the virtual server.
814353-4 : Pool member silently changed to user-disabled from monitor-disabled
Component: TMOS
Symptoms:
When a node (Disabled by Monitor) is updated via the member screen (no change to configuration required), the status changes from:
'Available (Disabled) pool members is available, monitor disabled'.
To:
'Available (Disabled), pool member is available, user disabled'.
Conditions:
-- A node disabled by Monitor.
-- Go to GUI LTM pool member and navigate into the monitor disabled member, then update without any configuration change.
Impact:
Pool member goes to 'user-disabled'.
Workaround:
To recover, re-enable the pool member.
814097-3 : Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.
Component: Service Provider
Symptoms:
When using the Generic Message router to convert SIP messages from TCP to UDP, BIG-IP fails to raise the SERVER_CONNECTED iRule event.
Conditions:
Converting the transport of SIP messages with the Generic Message router.
Impact:
Any code that waits for the SERVER_CONNECTED event will not run.
813945-2 : PB core dump while processing many entities
Component: Application Security Manager
Symptoms:
PB core dump.
Conditions:
This may happen when the system is strained and PB is processing large policies (updating many entities may happen during periodic processing, response analysis).
This is a very rarely occurring scenario.
Impact:
PB core dump and restart.
Workaround:
None.
813561-2 : MCPD crashes when assigning an iRule that uses a proc
Component: Local Traffic Manager
Symptoms:
MCPD crashes when assigning an iRule to a Virtual Server or loading a config with an iRule assigned.
Conditions:
The iRule must use a proc that contains three statements associated with different feature flags.
Impact:
MCPD crashes, and the desired iRule cannot be used.
Workaround:
None.
813221-3 : Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync
Component: Global Traffic Manager (DNS)
Symptoms:
The virtual server for an LTM redundant peer is continually updated with its IP/Port changing back and forth between two values, leading to perpetual GTM configuration syncs.
Conditions:
The destination IP:port of the virtual server on the LTM is not in sync between the LTM devices in the device-group.
Impact:
The virtual server status flaps between 'blue' and 'green', and its destination IP:port changes between a correct value and an incorrect one. Traffic will be impacted.
Workaround:
Perform a configsync on the LTM device-group that owns the virtual server.
812981-3 : MCPD: memory leak on standby BIG-IP device
Component: TMOS
Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.
Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically
Impact:
MCPD may take a lot of memory on the standby device. Normal functionality of standby device may be stopped; reboot of the device is required.
812929-3 : mcpd may core when resetting a DSC connection
Component: TMOS
Symptoms:
In rare circumstances mcpd may core when resetting its DSC connection.
Conditions:
The exact conditions are not known for this to occur. The BIG-IP system must be in a Device Service Cluster, and must have configuration sync enabled. It might be related to when an Administrative BIG-IP user makes manual changes to the device trust group that would cause the trust to be broken (and optionally, re-established).
Impact:
mcpd cores and restarts. This results in a failover to the next active peer.
Workaround:
None.
812493-1 : When engineID is reconfigured, snmp and alert daemons must be restarted★
Component: TMOS
Symptoms:
The engineID, engineBoots, engineTime values in SNMPv3 traps are shared by both the SNMP and the Alert daemons and are included in traps raised by both daemons. When the engineID is reconfigured then both daemons must be restarted in order to resynchronize the new values.
Conditions:
Traps issued by the SNMP and Alert daemons may not have engine values that are in sync when the EngineID is first reconfigured. This can happen both with a configuration change and an upgrade.
Impact:
This may confuse the SNMP client receiving the trap.
Workaround:
Restart the snmp daemon and then the alert daemon when the engine ID is reconfigured for the first time, and the first time after a software upgrade:
tmsh restart sys service snmpd alertd
812481-3 : HSL logging may work unreliably for Management-IP firewall rules
Component: Advanced Firewall Manager
Symptoms:
HSL logging related to Management-IP firewall rules can periodically freeze and corresponding log messages can be lost.
Conditions:
No special conditions; this can happen intermittently on any setup.
Impact:
HSL log messages related to Management-IP firewall rules are missed.
Workaround:
None.
811745-3 : Failover between clustered DIAMETER devices can cause mirror connections to be disconnected
Component: Service Provider
Symptoms:
When using DIAMETER with certain settings, a failover might cause mirror connections to get disconnected.
Conditions:
-- Two or more BIG-IP systems in a high availability (HA) configuration.
-- Aggressive settings for the DIAMETER watchdog timeout and max failures.
Impact:
Loss of mirroring between BIG-IP systems.
Workaround:
None.
811157-3 : Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself
Component: Advanced Firewall Manager
Symptoms:
"Global Staged Default Action" message is logged into the firewall log for ICMP traffic targeted to Self-IP or Virtual Server destination address, even though this traffic can never be affected by Global Default Actions.
The "Global Staged Default Action" counter is also incremented.
Conditions:
Logging is enabled for Global Staged Default Action by setting the sys db tm.fw.stagedglobaldefaultrule.log to value "enabled" (this sys db has value "disabled" by default).
There are no special conditions for the "Global Staged Default Action" counter increment.
Impact:
Misleading messages are logged into the firewall log.
The "Global Staged Default Action" counter is incorrectly incremented.
The traffic itself is not affected and there are no other negative effects except the incorrect log message and counter update.
Workaround:
There is no workaround regarding the "Global Staged Default Action" counter increment.
To prevent the misleading log message, disable logging of Global Staged Default Action by setting the sys db tm.fw.stagedglobaldefaultrule.log to value "disabled".
811105-4 : MRF SIP-ALG drops SIP 183 and 200 OK messages
Component: Service Provider
Symptoms:
SIP 183 and 200 OK messages are dropped after an INVITE in MRF SIP-ALG when media info is present in the Session Description Protocol.
Conditions:
- MRF SIP-ALG default configuration
- INVITE sent with media info in SDP
- Media info contains an rtcp without an IP address
Impact:
SIP calls are unable to establish media connections.
Workaround:
Ensure all RTCP attributes in the SDP have IP addresses.
Example: Change "a=rtcp:29974\r\n" to "a=rtcp:29974 IN IP4 10.10.10.10\r\n"
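The workaround for 811105, as an added example that is not F5 code: a checker that scans an SDP body for a=rtcp attributes carrying only a port and, optionally, completes them. Taking the address from the applicable c= line (media-level first, then session-level) is an assumption of this example, and the sample SDP is constructed.

```python
import re

# RFC 3605 syntax: a=rtcp:<port> [<nettype> <addrtype> <connection-address>]
RTCP_RE = re.compile(r"^a=rtcp:(\d+)(?:\s+(\S+)\s+(\S+)\s+(\S+))?\s*$")
# Connection data: c=<nettype> <addrtype> <connection-address>
CONN_RE = re.compile(r"^c=(\S+)\s+(\S+)\s+(\S+)\s*$")


def audit_sdp(sdp, fix=False):
    """Find a=rtcp attributes without an address in an SDP body.

    Returns (findings, body). With fix=True, port-only attributes are
    completed from the c= line in effect for that media section
    (assumption of this example); otherwise the body is returned unchanged.
    """
    eol = "\r\n" if "\r\n" in sdp else "\n"
    session_conn = None   # c= seen before the first m= line
    media_conn = None     # c= seen inside the current media section
    media = None          # current m= line, None in the session section
    findings, out = [], []

    for number, line in enumerate(sdp.split(eol), start=1):
        if line.startswith("m="):
            media, media_conn = line, None
        conn = CONN_RE.match(line)
        if conn:
            if media is None:
                session_conn = conn.groups()
            else:
                media_conn = conn.groups()

        # "a=rtcp-mux" and "a=rtcp-fb:" are different attributes and are skipped.
        if line.startswith("a=rtcp:"):
            rtcp = RTCP_RE.match(line)
            effective = media_conn or session_conn
            if rtcp is None:
                findings.append({"line": number, "media": media,
                                 "attribute": line, "problem": "malformed"})
            elif rtcp.group(2) is None:
                findings.append({"line": number, "media": media,
                                 "attribute": line, "problem": "port-only",
                                 "fixable": effective is not None})
                if fix and effective:
                    nettype, addrtype, address = effective
                    # Drop any multicast TTL/count suffix such as "/127".
                    address = address.split("/")[0]
                    line = "a=rtcp:%s %s %s %s" % (
                        rtcp.group(1), nettype, addrtype, address)
        out.append(line)

    return findings, eol.join(out)


# Constructed sample: the audio section has a port-only rtcp attribute,
# the video section already carries a full one.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=- 1 1 IN IP4 10.10.10.10",
    "s=-",
    "c=IN IP4 10.10.10.10",
    "t=0 0",
    "m=audio 29973 RTP/AVP 0",
    "a=rtcp:29974",
    "m=video 30000 RTP/AVP 96",
    "c=IN IP4 10.10.10.20",
    "a=rtcp:30001 IN IP4 10.10.10.20",
]) + "\r\n"

if __name__ == "__main__":
    found, fixed = audit_sdp(SAMPLE_SDP, fix=True)
    for f in found:
        print("line %(line)d: %(attribute)s (%(problem)s)" % f)
    print(fixed)
```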
811053-3 : REBOOT REQUIRED prompt appears after failover and clsh reboot
Component: TMOS
Symptoms:
In rare circumstances, when a reboot immediately follows a VIPRION blade failover, a REBOOT REQUIRED prompt will appear on one blade after the system starts up again.
Conditions:
This issue can be created by doing the following:
- using a VIPRION system with at least 2 blades running
- AAM is not provisioned
- reset the primary blade
- immediately following the blade reset, run 'clsh reboot' on a secondary blade.
Impact:
Following the clsh reboot, the REBOOT REQUIRED prompt appears on one blade:
[root@vip4480-r44-s18:/S2-yellow-S::REBOOT REQUIRED:Standalone] config #
Any blade with this prompt must be rebooted again.
Workaround:
None currently known.
811041-4 : Out of shmem, increment amount in /etc/ha_table/ha_table.conf
Component: TMOS
Symptoms:
System logs error:
err sod[8444]: 01140003:3: Out of shmem, increment amount in /etc/ha_table/ha_table.conf.
Conditions:
-- Large number of traffic groups.
-- A number of devices in the device cluster.
-- Heavy traffic resulting in numerous configsync or config save operations.
Impact:
Memory leak. Future changes to the high availability (HA) table may fail or be ignored. This could result in HA events not being tracked correctly.
Workaround:
None.
810957-3 : Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core
Component: TMOS
Symptoms:
When using dynamic routing, changing a virtual server's address from IPv6 to IPv4 can cause tmrouted to core.
Conditions:
-- Using dynamic routing.
-- Changing a virtual server's destination address from IPv6 to IPv4.
-- The virtual server's state changes.
Impact:
Tmrouted cores and restarts, which causes a temporary interruption of dynamic routing services.
Workaround:
Use TMSH to modify both the destination address and the netmask at the same time, e.g.:
tmsh modify ltm virtual <virtual server name> destination <destination address> mask <netmask>
810613-3 : GUI Login History hides informative message about max number of lines exceeded
Component: TMOS
Symptoms:
When there are more than 10000 lines in /var/log/secure* files, visiting System :: Logins :: [History|Summary] in the GUI shows 'No Entries' instead of the actual error message about the large number of lines.
Conditions:
If there are more than 10000 lines in /var/log/secure* files.
Impact:
GUI displays 'No Entries' instead of the actual error message.
Workaround:
-- View the entries via the CLI by specifying the number of lines:
tmsh show sys log security lines 15000 | less
-- Delete the large amount of secure files from /var/log/.
810593-3 : Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★
Component: TMOS
Symptoms:
VCMP guests go to 'INOPERATIVE' after upgrade.
Conditions:
-- Upgrading the host from v12.1.4.1.
-- Upgrading the host from v13.1.1.5 and all intervening versions up to, but not including, v13.1.3, to any higher version.
Impact:
vCMP guests are in the 'INOPERATIVE' state and do not pass traffic.
Workaround:
None.
810533 : SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile
Component: Local Traffic Manager
Symptoms:
When the client attempts to connect, even when sending the proper SNI extension, the BIG-IP system resets the connection after the client hello.
Conditions:
-- SNI Required set to true.
-- No Server Name configured in the client SSL profile.
Impact:
SSL connections with valid SNI are closed, and the client cannot connect. With generic alerts enabled, you will see 'SSL alert number 40'. This is because the system does not read the server names from the SAN extension within the certificate.
Workaround:
Specify a valid server name in the server name field of the client SSL profile.
809657-3 : HA Group score not computed correctly for an unmonitored pool when mcpd starts
Component: TMOS
Symptoms:
When mcpd starts up, unmonitored pools in a high availability (HA) group do not contribute to the high availability (HA) group's score.
Conditions:
- High availability (HA) group configured with at least one pool.
- At least one of the pools assigned to the high availability (HA) group is not using monitoring.
- mcpd is starting up (due to bigstart restart, or a reboot, etc.).
Impact:
Incorrect high availability (HA) Group score.
Workaround:
Remove the unmonitored pools from the high availability (HA) group and re-add them.
809597-2 : Memory leak observed when running ICRD child
Component: Local Traffic Manager
Symptoms:
When ICRD child process is running and users are switching rapidly, memory may leak.
Conditions:
[1] ICRD child process is running
[2] There are multiple users on the device
[3] The multiple users are fetching a web-page using curl, repeatedly and concurrently
Impact:
The memory leak is very progressive. Eventually ICRD's child process will run out of memory.
808893-3 : DNS DoS profile vectors do not function correctly★
Component: Advanced Firewall Manager
Symptoms:
Clients report that DNS TXT queries are not working. In /var/log/ltm, you see the following error:
DOS attack start was detected for vector TXT query DOS.
Conditions:
This can occur when DNS profile DoS vectors are enabled. It can be encountered after upgrading.
Impact:
DNS DoS detection and mitigation is not functioning correctly.
Workaround:
None.
808889-3 : DoS vector or signature stays hardware-accelerated even when traffic rate is lower than mitigation threshold
Component: Advanced Firewall Manager
Symptoms:
Incorrect hw_offload status for DoS vector or signature in tmctl dos_stat after the attack has stopped.
Conditions:
BIG-IP system with DoS-accelerated vectors support (SPVA support).
Impact:
DoS vector/signature stays hardware-accelerated.
Workaround:
After the attack, change the state of the DoS vector/signature to detect-only. Then return the vector state to mitigate.
808277-3 : Root's crontab file may become empty
Component: TMOS
Symptoms:
Under low-disk conditions for the /var/ filesystem, BIG-IP system processes may incorrectly update root's crontab file (/var/spool/cron/root). This results in the file contents being removed; i.e., the file is empty.
Conditions:
Low disk space on the /var filesystem.
Impact:
System and user entries in root's crontab file stop executing.
Workaround:
None.
808017-3 : When using a variable as the only parameter to the iRule persist command, the iRule validation fails
Component: Local Traffic Manager
Symptoms:
When using a variable as the only parameter to the iRule persist command, for example:
when HTTP_REQUEST {
    set persistence none
    persist $persistence
}
The iRule validation fails with the message:
Persistence mode (Cookie) called out in rule <rule name> requires a corresponding persistence profile for virtual server
Conditions:
Using a variable as the only parameter to the iRule persist command.
Impact:
Validation fails and hence the system config cannot be loaded.
Workaround:
The first parameter is one of the predefined action keywords, so specify it as plain text instead of a variable.
807337-2 : Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.
Component: TMOS
Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction will attempt to 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.
Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object, such as (delete, create, modify).
Impact:
The web UI shows misleading information about the pool monitor. The monitor-related object may be unchanged, or monitoring may stop for that object.
Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').
806073-4 : MySQL monitor fails to connect to MySQL Server v8.0
Component: TMOS
Symptoms:
The LTM MySQL health monitor fails to connect to a MySQL server running MySQL Server v8.0.
A pool member configured for a MySQL server running MySQL Server v8.0 and using the MySQL health monitor will be marked DOWN.
Conditions:
This occurs when using the LTM MySQL health monitor to monitor a MySQL server running MySQL Server v8.0.
Impact:
BIG-IP cannot monitor the health of a MySQL server running MySQL Server v8.0 using the MySQL health monitor.
804477-3 : Log HSB registers when parts of the device become unresponsive
Component: TMOS
Symptoms:
Part of the HSB becomes unresponsive and there is no logging of additional registers to assist in diagnosing the failure.
Conditions:
It is unknown under what conditions the HSB becomes unresponsive.
Impact:
Limited visibility into the HSB state when it becomes unresponsive.
Workaround:
None.
804313-3 : MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.
Component: Service Provider
Symptoms:
The mirrored-message-sweeper-interval configuration option has no effect on the BIG-IP.
Conditions:
MRF in use, high availability configured, and a SIP profile is configured to use a specific Mirrored Message Sweeper Interval setting.
Impact:
On a system under high load, the next active device in a high availability (HA) pair could run out of memory.
Workaround:
None.
803833-3 : On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host★
Component: TMOS
Symptoms:
An upgrade or UCS restore fails on the host with an error message:
err mcpd[1001]: 01071769:3: Decryption of the field (sym_unit_key) for object (<guest name>) failed.
Conditions:
-- An upgrade or UCS restore of the vCMP host.
-- Having a vCMP guest's sym-unit-key field populated.
-- Having changed the host's master key.
Impact:
The upgrade or UCS restore fails with an MCPD error.
Workaround:
Comment out the sym-unit-key field and load the configuration.
803825-4 : WebSSO does not support large NTLM target info length
Component: Access Policy Manager
Symptoms:
WebSSO crashes.
Conditions:
When the optional field of the target info is about 1000 bytes or larger.
Impact:
WebSSO crashes, resulting in loss of service.
Workaround:
Configure NTLM so that the target info is not large (recommended: < 800).
803645-2 : GTMD daemon crashes
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process crashes in response to a call triggered by its own timer event.
Conditions:
The conditions that cause this intermittent issue are difficult to reproduce, but it might occur when the system is under heavy load and gtmd is starved of CPU cycles.
Impact:
The gtmd process restarts and produces a core file.
Workaround:
None.
803629-3 : SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
Component: Local Traffic Manager
Symptoms:
For a database (mssql, mysql, postgresql or oracle) monitor type, with a 'recv' string configured, a pool member configured to use the DB monitor may be marked down even if the server is working and includes the configured response string among the response data.
Debug logging of the SQL monitor indicates the following:
... [DBPinger-3778] - Response from server: Database: 'db1'Database: 'information_schema'
... [DBPinger-3778] - Checking for recv string: information_schema
... [DBPinger-3778] - Analyze Response failure
The log shows 'Analyze Response failure' error message even when the configured 'recv' string appears within the response message from the DB server.
Conditions:
This occurs when the string matching the configured 'recv' string value does not appear in the response from the DB server in the row indicated by the 'recv-row' value configured for the monitor.
The default value of 'none' for the 'recv-row' monitor configuration value is actually interpreted as 'row 1' by the DB monitor core implementation.
Therefore, with the default configuration, any 'recv' string configured must appear in the first row of the DB server response in order to be recognized as a match.
Impact:
The DB monitor fails, and the DB server (node) is marked as down even though it is reachable and responding correctly per the configured 'recv' string.
Workaround:
You may use one of the following methods to work around this issue:
1. Configure the DB monitor's 'recv' string to match on the first row in the server response message.
2. Configure the 'recv-row' value in the DB monitor to match the row of the DB server's response which contains the configured 'recv' string.
3. Do not configure 'send' or 'recv' string for the DB monitor.
803237-1 : PVA does not validate interface MTU when setting MSS
Component: TMOS
Symptoms:
An incorrect MSS value might be used when hardware (HW) syncookies are used, and the MTU is smaller than the MSS.
Conditions:
Packets with MSS exceeding the MTU with HW syncookies.
Impact:
Oversized frames sent towards the client.
Workaround:
Increase MTU size.
802721-1 : Virtual Server iRule does not match an External Data Group key that's 128 characters long
Component: Local Traffic Manager
Symptoms:
Virtual server iRule does not match an External Data Group key that is 128 characters long.
Conditions:
-- A string type External Data Group with a key/value pair whose key is 128 characters long.
-- An iRule using [class match] to get the value from the Data Group.
Impact:
The call to [class match] returns an empty string ("").
Workaround:
None.
802421-3 : The /var partition may become 100% full requiring manual intervention to clear space
Component: Advanced Firewall Manager
Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.
Additionally, there may be periodic restarts of the restjavad and bigd daemons related to disk space exhaustion.
Conditions:
Traffic is processed while the DoS Dashboard is open.
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.
Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.
Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.
Run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.
801705-3 : When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC
Component: Local Traffic Manager
Symptoms:
The 'HTTP::cookie attribute' iRule command allows manipulation of Cookie or Set-Cookie headers in HTTP requests or responses. When this command is used to insert a cookie attribute, it appends the attribute (and a possible value) to the header without a leading space character. A leading space character is a requirement per RFC 6265. When such a header is formed with the iRule command 'HTTP::cookie insert' or 'HTTP::cookie attribute insert', the leading space is not provided, violating the RFC.
Conditions:
-- A virtual server with HTTP profile is configured.
-- There is an iRule generating or updating a cookie header with 'HTTP::cookie insert' or 'HTTP::cookie attribute insert' command.
Impact:
There is no space preceding the attribute. RFC is violated.
Workaround:
When inserting a cookie attribute with an iRule command, add a leading space to the name of the attribute to be inserted.
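To check whether responses leaving a virtual server are affected by 801705, the added example below (not F5 code) audits captured response headers for Set-Cookie attributes that are not separated by ";" plus one space, as RFC 6265 requires. The function name and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the release notes or any F5 tooling.
# Reads HTTP response headers on stdin (for example, saved "curl -sI" output)
# and prints one line per Set-Cookie attribute that is not written as
# ";" SP attribute, the separator RFC 6265 section 4.1.1 specifies.

audit_set_cookie_spacing() {
    awk '
        tolower($0) ~ /^set-cookie:/ {
            line = $0
            sub(/\r$/, "", line)              # tolerate CRLF line endings
            sub(/^[^:]*:[ \t]*/, "", line)    # drop the header name
            n = split(line, part, ";")
            name = part[1]
            sub(/=.*$/, "", name)             # cookie name, for the report
            for (i = 2; i <= n; i++) {
                if (part[i] ~ /^[ \t]*$/) continue   # ignore empty segments
                if (part[i] !~ /^ [^ \t]/) {
                    av = part[i]
                    gsub(/^[ \t]+|[ \t]+$/, "", av)
                    print name ": attribute \"" av "\" is not preceded by exactly one space"
                }
            }
        }
    '
}

# Constructed sample: two cookies show the missing space, one is well formed.
sample_headers() {
    cat <<'EOF'
HTTP/1.1 200 OK
Set-Cookie: sid=abc123; Path=/;Secure; HttpOnly
Set-Cookie: lang=en; Path=/; SameSite=Lax
set-cookie: pool=web1;HttpOnly
Content-Type: text/html
EOF
}

sample_headers | audit_set_cookie_spacing
```

An empty result means every Set-Cookie attribute in the capture carries the required separator.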
800453-2 : False positive virus violations
Component: Application Security Manager
Symptoms:
False positive ASM virus violations.
Conditions:
Specific connection characteristics between ASM and the antivirus server may cause replies from the antivirus server to be missed by the ASM. ASM reports a virus when the antivirus reply times out.
Impact:
False positive blocking or violation reporting.
Workaround:
The EnableASMByPass internal parameter setting can be configured to allow the antivirus server to not reply, so it won't issue a violation when it occurs.
/usr/share/ts/bin/add_del_internal add EnableASMByPass 1
bigstart restart asm
Notes:
When the internal parameter is enabled, ASM will also bypass huge HTTP requests (when they come on multiple connections) instead of resetting them.
800265-1 : Undefined subroutine in bigip_add_appliance_helper message
Component: Global Traffic Manager (DNS)
Symptoms:
When using the -a switch with bigip_add (which instructs bigip_add to use bigip_add_appliance_helper), the script terminates with an error:
Undefined subroutine &gtm_env::get_unique_certs called at /usr/local/bin/bigip_add_appliance_helper line 113.
Conditions:
Use the bigip_add script with the -a switch in appliance mode.
Impact:
The bigip_add script fails in appliance mode, reporting an error message.
Workaround:
None.
800185-3 : Saving a large encrypted UCS archive may fail and might trigger failover
Component: TMOS
Symptoms:
-- When saving a very large encrypted UCS file, you encounter an error:
# tmsh save /sys ucs my_ucs passphrase <mysecret>
Saving active configuration...
Can't fork at /usr/local/bin/im line 305.
/var/tmp/configsync.spec: Error creating package
-- If saving UCS is automated you may find related errors in /var/log/audit:
err scriptd[45342]: 014f0013:3: Script (/Common/f5.automated_backup__backup) generated this Tcl error: (script did not successfully complete: (UCS saving process failed. while executing "tmsh::save /sys ucs $fname ))
-- Other services might be restarted due to lack of memory, which might result in failover.
Conditions:
Large encrypted UCS files and low free host memory.
UCS file sizes in hundreds of MB are much more likely to encounter this issue, along with free memory less than 1 GB.
Impact:
The operation might consume as much as twice the UCS file size in RAM. The UCS may not get saved correctly, and if not enough memory is available, low free memory symptoms will be apparent.
The latter may result in services being killed to free memory, resulting in service impact and failover, though it is quite typical for the overly large process saving the UCS to be terminated with no other impact.
Workaround:
A mitigation is to minimise UCS file size. UCS files large enough to encounter this issue typically contain very large files, some of which may not be needed or are no longer necessary.
Remove unnecessary large files from directories that contribute to UCS archives, for example, stray, large files such as packet captures in /config or its subdirectories. (For help understanding what is in UCS archives, see K12278: Removing non-essential files from a UCS when disk space errors are encountered :: https://support.f5.com/csp/article/K12278.)
If using APM, remove unnecessary EPSEC ISO files. (For more information, see K21175584: Removing unnecessary OPSWAT EPSEC packages from the BIG-IP APM system :: https://support.f5.com/csp/article/K21175584.)
799149-1 : Authentication fails with empty password
Component: Access Policy Manager
Symptoms:
Per-req policy authentication fails when an empty password is detected. The following errors are seen in the APM logs:
-- err apmd[13930]: 01490301:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Empty session variable value received from tmm.
-- err apmd[13930]: 01490302:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Failed to decrypt session variable 'subsession.logon.last.password' from tmm with error code: 3.
Conditions:
-- APM is licensed and provisioned.
-- Per-req policy is created with at least one Auth agent.
Impact:
APM end users cannot change a password/token or access backend resources.
Workaround:
None.
799001-4 : Sflow agent does not handle disconnect from SNMPD manager correctly
Component: TMOS
Symptoms:
If Sflow agent loses the connection with the SNMPD Manager, it tries to connect multiple times but fails to reconnect.
Conditions:
Sflow agent loses connection with the SNMPD Manager. The conditions that may trigger this are unknown.
Impact:
The snmpd service restarts repeatedly.
Workaround:
Run 'tmsh restart sys service sflow_agent' to clear the session data in the sflow agent which results in successful re-connection with snmpd.
798261-3 : APMD fails to create session variables if spanning is enabled on SWG transparent virtual server
Component: Access Policy Manager
Symptoms:
The following messages appear in the APM log, and the user session is terminated.
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_finish_set_pipeline()" line: 720 Msg: Error: Set pipeline: While receiving response to 0 cmd set /.*/tmm.session.6833364e.session.assigned.uuid 0 0 32 s
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_server_disconnect()" line: 2533 Msg: Error: bad memcache connection (tmm:1), (fd:205)
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
The SET command failed because it incorrectly attempted to create the session variable in all traffic groups.
Conditions:
1. Virtual address for SWG transparent is 0.0.0.0
2. Spanning on the virtual address is enabled.
Impact:
User sessions are terminated.
Workaround:
Disable virtual address spanning.
796993-4 : Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
Component: Local Traffic Manager
Symptoms:
When a pool contains FQDN nodes as pool members, pool member state change messages are not logged in /var/log/ltm.
Conditions:
-- Create a pool with an FQDN node as its pool member.
-- Apply monitor to it
-- Monitor marks the pool member up/down based on reachability
Impact:
-- Status message is not updated in /var/log/ltm logs.
-- There is no functional impact.
796601-5 : Invalid parameter in errdefsd while processing hostname db_variable
Component: TMOS
Symptoms:
Errdefsd crashes, creates a core file, and restarts.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Possible loss of some logged messages.
Workaround:
None.
795933-3 : A pool member's cur_sessions stat may incorrectly not decrease for certain configurations
Component: Local Traffic Manager
Symptoms:
Under certain conditions, a pool member's cur_sessions stat may increase, but not decrease when it should.
Conditions:
- The virtual server using the pool has an iRule attached that references global variables.
- The virtual server using the pool has an ASM security policy attached to it.
- Traffic flows to the pool member.
Impact:
Incorrect stats.
795769-2 : Incorrect value of Systems in system-supplied signature sets
Component: Application Security Manager
Symptoms:
In properties of system-supplied Attack Signature Sets, the field "Systems" is always displayed with value All.
For example, for Generic Detection Signatures the "Systems" field should be: System Independent, General Database, Various systems
Instead, "Systems" is set to "All".
Conditions:
This occurs only for system-supplied signature sets; user-defined signature sets are displayed with correctly assigned Systems.
Impact:
The displayed value of Systems is misleading.
Workaround:
N/A
795501-2 : Possible SSL crash during config sync
Component: Local Traffic Manager
Symptoms:
During config sync, it's possible that cipher group processing will crash.
Conditions:
-- SSL is configured.
-- Config sync is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
795429-2 : Unrelated iControl REST transaction error message is returned when committing a transaction without any tasks.
Component: TMOS
Symptoms:
An unrelated iControl REST transaction error message is returned when committing an iControl REST transaction that does not contain any tasks:
Error: Missing transaction ID for this call.
Conditions:
-- Committing an iControl REST transaction.
-- The transaction does not contain any tasks within 120 seconds of creating the transaction.
Impact:
Unrelated error message can be confusing and increase troubleshooting time.
Workaround:
None.
795261-3 : LTM policy does not properly evaluate condition when an operand is missing
Component: Local Traffic Manager
Symptoms:
The BIG-IP system provides an LTM policies mechanism to process traffic based on a set of rules. A rule may include a number of conditions and a number of actions to execute when the conditions are satisfied. Conditions use operands to evaluate. When an operand is missing, the BIG-IP system may fail to properly evaluate the condition.
Conditions:
-- A virtual server is configured with an LTM policy.
-- The policy contains a rule with a condition which has an operand and a negative matching type like 'not equals' or 'not starts-with', etc. (e.g., http-referer host not contains { www.example.com }).
-- A processing entity (like HTTP request, etc.) is missing an operand or has an empty value (e.g., header 'Referer' is missing from the request).
Impact:
The policy is improperly evaluated on the processing entity and may produce incorrect results when load balancing a request and/or serving a response.
Workaround:
You can use either workaround:
-- Convert rules into a 'positive' form (one without a negative matching type) whenever possible.
-- Use iRules instead of a policy (might impact performance).
794501-3 : Duplicate if_indexes and OIDs between interfaces and tunnels
Component: TMOS
Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.
Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.
Impact:
Duplicate if_indexes and duplicate OIDs. SNMP logs error messages:
# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
if-index 64 <-------------------------------
net interface mgmt {
if-index 32
net vlan external {
if-index 96
net vlan internal {
if-index 112
net vlan test {
if-index 128
net vlan tmm_bp {
if-index 48
net tunnels tunnel http-tunnel {
if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
if-index 80
# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm
-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: high availability (HA) daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: high availability (HA) daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: high availability (HA) proc_running named enabled.
=========================
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289
Workaround:
No workaround currently known.
793217-3 : HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation
Component: Advanced Firewall Manager
Symptoms:
Depending on traffic patterns, when HW DoS on BIG-IP i2800/i4800 is configured, HW DoS might mitigate up to 10% more aggressively. If the rate-limit configured is 1000pps, the device might allow only 900pps.
Conditions:
-- HW DoS on BIG-IP i2800/i4800 platforms.
-- Attack pattern is distributed evenly on all tmm threads.
Impact:
HW DoS mitigates more aggressively, which might result in seeing fewer packets than what is configured.
Workaround:
Configure the rate-limit to be 10% more than what is desired.
793121-2 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
Component: TMOS
Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.
Conditions:
The TMUI redirect-http-to-https is enabled.
Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.
Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.
792341-3 : Google Analytics shows incorrect stats.
Component: Application Security Manager
Symptoms:
ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.
Conditions:
Scenario 1:
-- ASM provisioned.
-- ASM policy attached to a virtual server with challenge mitigation enabled (as part of brute force protection, for example).
Scenario 2:
-- Bot defense profile attached to a virtual server with challenge mitigation enabled.
Scenario 3:
-- DoS Application profile attached to a virtual server with challenge mitigation enabled.
Impact:
Incorrect data is displayed in the Google Analytics dashboard.
Workaround:
Have an iRule that injects google-analytics.js into the challenge white page at the HTTP_RESPONSE_SENT time event.
790949-3 : MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior.
Component: Service Provider
Symptoms:
Default values differ between tmsh and GUI documentation, and actual behavior. The special value 0 is documented to either disable the respective limit or apply a default value. Actual behavior for 0 is to silently apply internal default values of 32768 bytes and 256 messages, regardless of the protocol. These defaults might not match the profile default values for a given MRF protocol such as Diameter, SIP, or MQTT.
For some protocols such as Diameter, there is no validation of whether the maximum pending messages value falls within the acceptable range of 1-65535, and values outside that range are silently truncated to 16-bits and then 0 is treated according to the actual behavior described above.
Some documented and actual default values have changed across releases.
Conditions:
An MRF router profile is configured with the 'Maximum Pending Bytes' or 'Maximum Pending Messages' parameter set to a non-default value or 0.
Affected MRF router profiles are: 'diameter', 'sip', 'mqtt' and 'generic'.
Impact:
Depending on the protocol, the limits might not take effect as configured.
Incorrect documentation and/or lack of validation could lead to configuring an invalid value.
Workaround:
None.
790113-4 : Cannot remove all wide IPs from GTM distributed application via iControl REST
Component: Global Traffic Manager (DNS)
Symptoms:
The following tmsh command allows you to delete all wide IPs using an 'all' specifier:
modify gtm distributed-app da1 wideips delete { all }
There is no equivalent iControl REST operation to do this.
Conditions:
This can be encountered while trying to delete all wide IPs from a distributed application via iControl REST.
Impact:
iControl REST calls that should allow you to remove all wide IPs from a GTM distribution application return an error, leaving you unable to complete the task via iControl REST.
Workaround:
You can use one of the following workarounds:
-- Use the WebUI.
-- Use the tmsh utility, for example:
tmsh modify gtm distributed-app da1 wideips delete { all }
-- Invoke tmsh from within the bash iControl REST endpoint, for example:
curl -u username:password -s -H 'Content-Type: application/json' -X POST -d "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'tmsh modify gtm distributed-app da1 wideips delete { all }'\"}" https://<IP>/mgmt/tm/util/bash
789085-1 : When executing the ACCESS::session iRule command under a serverside event, tmm may crash
Component: Access Policy Manager
Symptoms:
Executing the ACCESS::session iRule command inside a serverside event, e.g., SERVER_CONNECTED, may cause tmm to crash.
Conditions:
ACCESS::session iRule command invoked under a serverside event, for example:
when SERVER_CONNECTED {
log local0. "[ACCESS::session data get session.user.sessionid]"
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
788949-1 : MySQL Password Initialization Loses Already Written Password
Component: TMOS
Symptoms:
In some cases, the MySQL root password initialization is not complete. A re-attempt to restart MySQL fails.
Conditions:
-- MySQL startup script is interrupted.
-- Setting the root password fails.
Impact:
Processes may fail to connect to MySQL server.
Workaround:
None.
788753-5 : GATEWAY_ICMP monitor marks node down with wrong error code
Component: Local Traffic Manager
Symptoms:
Pool state shows down when there is no route configured to node.
Conditions:
-- In-tmm gateway_icmp monitor configured for a node or pool member.
-- There is no route to the node or pool member.
Impact:
The pool member or node is marked down and the reason listed is 'timeout', instead of 'no route to host'.
Workaround:
None.
788557-4 : BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior
Component: TMOS
Symptoms:
GRST - BGP graceful reset.
The problem occurs when the routing daemon bgpd restarts or starts (e.g., because the bgpd daemon was terminated), which is not supported. Another way to trigger it is to run the 'bigstart restart' command on a primary blade on a chassis with more than one blade.
After the new primary blade takes over, BGP and BFD sessions are recreated at around the 'graceful restart' timeout interval.
Conditions:
-- BGP and BFD are configured.
-- The BGP router's 'graceful restart' option is configured and enabled (set to 120 by default).
-- The bgpd daemon is terminated.
Another way to trigger the issue is to run 'bigstart restart' on a primary blade on a chassis with more than one blade.
Impact:
If BGP peering is reset, it causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocol from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decisions come from networks learnt by the affected routing protocol when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system; typically it is the routing convergence period, which includes setting up the peering and exchanging routing information and routes.
Workaround:
None.
788513-3 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
Component: Service Provider
Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:
warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]
This appears to be benign, as the configuration loads successfully, and the script works as expected.
Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name
Instead of:
RADIUS::avp replace USER-NAME "static value"
Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.
Workaround:
This warning is benign, as the configuration loads successfully, and script works as expected.
788465-3 : DNS cache idx synced across HA group could cause tmm crash
Component: Global Traffic Manager (DNS)
Symptoms:
DNS cache idx conflicts and tmm crash.
Conditions:
-- High availability (HA) configuration.
-- DNS cache is configured and synced to the peer twice
-- A second DNS cache is configured on the peer.
Impact:
The idx conflicts will be observed. If the second DNS cache is of another type and is added to a virtual server, accessing that virtual server might cause a tmm core. Traffic disrupted while tmm restarts.
Workaround:
On the BIG-IP system that has the DNS cache idx conflicts, restart tmm:
# bigstart restart tmm
787905-3 : Improve initializing TCP analytics for FastL4
Component: Local Traffic Manager
Symptoms:
TCP analytics for FastL4 might stay uninitialized under specific circumstances.
Conditions:
System clock advances while initializing TCP analytics for FastL4.
Impact:
TCP analytics for FastL4 might stay uninitialized for a while and miss some analytics data.
Workaround:
N/A
787853-3 : BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.
The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.
Conditions:
1. Create two virtual servers with multiple nodes. Set ICMP echo as all or selective/all.
2. Ping from client to virtual address.
3. Bring down nodes.
4. Ping fails from client to virtual address, as expected.
5. Bring up nodes and make sure all virtual servers are online.
6. Start ping from client to virtual address.
Impact:
The BIG-IP system might respond incorrectly to ICMP echo requests sent to a virtual-address.
-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP system may not respond correctly after a virtual-address availability change.
-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.
The BIG-IP system might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.
Workaround:
Update the virtual address ICMP setting to any or selective/any.
787433-1 : SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed
Component: Local Traffic Manager
Symptoms:
When stapling the OCSP response (and hence the OCSP certificate) to the SSL client, the issuer that appears on the OCSP certificate does not match what is configured in the client SSL profile as the forward proxy CA cert.
Conditions:
The issue is seen when all the below conditions are met.
-- The BIG-IP system is using SSLO or SSL forward proxy.
-- The client hello sent from the SSL client includes the status request extension. This means that it requests BIG-IP system to staple the OCSP response.
-- The forward proxy CA cert in the client SSL profile is modified.
Impact:
In SSLO or SSL forward proxy mode, the server cert and the OCSP response the BIG-IP system sends to the SSL client should both be signed (issued) by the forward proxy CA cert configured in the client SSL profile. If they are signed by different issuers, they may not pass some of the validation checks performed by the SSL client, which might lead to the SSL client terminating the SSL handshake.
Workaround:
To update and regenerate the OCSP signer information after modifying the forward proxy CA cert, run the command:
bigstart restart tmm
786981-2 : Pending GTP iRule operation may be aborted when connection is expired
Component: Service Provider
Symptoms:
When there is a suspended iRule operation (such as the table or after command) in GTP iRule event, the operation may be intermittently aborted when the connection is expired.
Conditions:
This occurs when a connection times out while there is still a pending iRule operation. For example, in one use case, there is a table command in GTP_SIGNALLING_INGRESS event, and the immediate idle timeout is configured in the UDP profile.
Impact:
GTP iRule may not be completely executed.
Workaround:
For the specific use case when immediate idle timeout is used, change idle timeout to some positive value. Then use the iRule to expire the connection after the GTP iRule event is done, for example, by setting 'IP::idle_timeout 0' in SERVER_CONNECTED event.
786517-2 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
Component: Local Traffic Manager
Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.
- Running the command 'tmsh load /sys config' reports an error:
01070038:3: Monitor /Common/a-tcp address type requires a port.
Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.
Impact:
Monitors are sent to an incorrect IP address.
tmsh load /sys config will fail to load the configuration.
Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.
-- Fix the monitor definition using tmsh.
786173-3 : UI becomes unresponsive when accessing Access active session information
Component: Access Policy Manager
Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.
Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
Impact:
Some session variables may be lost, which results in the GUI becoming unresponsive. The Access :: Overview :: Active Sessions page in the Admin UI becomes unusable.
Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
785529-2 : ASM unable to handle ICAP responses whose length is greater than 10K
Component: Application Security Manager
Symptoms:
ASM drops ICAP and HTTP connections when a multipart request arrives at the ASM enforcer and is then forwarded to the ICAP server for virus inspection, and the ICAP server replies with a large (greater than 10 KB) response.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Antivirus service IP and port defined in the BIG-IP GUI under Options :: Integrated Services.
-- Antivirus protection enabled in the ASM policy.
Impact:
ASM drops ICAP and HTTP connections.
Workaround:
Configure the ICAP server to send back responses smaller than 10 KB.
785481-3 : A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached
Component: Local Traffic Manager
Symptoms:
Setting the DB variable tm.rejectunmatched to 'false' causes the BIG-IP system to not send RSTs when there is a match but the connection is rejected due to connection limits.
Conditions:
- tm.rejectunmatched is set to 'false'.
- A packet is matching a BIG-IP object.
- The packet is to be rejected because of connection limits.
Impact:
Reset packets are not sent back to clients when they should be.
Workaround:
None.
784733-2 : GUI LTM Stats page freezes for large number of pools
Component: TMOS
Symptoms:
When a configuration has approximately 5400 pools and 40,000 pool members and you navigate to the GUI page to look at stats for all pools or one pool, the GUI page may freeze indefinitely.
Conditions:
Configurations with a large number of pools and pool members, e.g., 5400 pools and/or 40,000 pool members.
Impact:
Cannot view pool or pool member stats in GUI.
Workaround:
Use iControl REST or TMSH to retrieve stats for such a large number of pools or pool members.
784713-1 : When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct
Component: Local Traffic Manager
Symptoms:
When SSL forward proxy is configured, or for SSLO, if OCSP or CRL is set on the serverside, the certificate that signs the OCSP response on the clientside does not have the correct Authority Key Identifier (AKID).
Conditions:
Configure SSL forward proxy or enable SSLO and enable OCSP or CRL on serverside/server SSL profiles.
Impact:
Incorrect AKID X509 extension for the OCSP signer certificate on the clientside. Depending on the browser/client, this may prevent it from using the stapled OCSP response.
Workaround:
None.
784565-3 : VLAN groups are incompatible with fast-forwarded flows
Component: Local Traffic Manager
Symptoms:
Traffic flowing through VLAN groups may get fast-forwarded to another TMM, which might cause that connection to be reset with reason 'Unable to select local port'.
Conditions:
-- Using VLAN groups.
-- Flows are fast-forwarded to other TMMs.
Impact:
Some connections may fail.
Workaround:
None.
783617-3 : Virtual Server resets connections when all pool members are marked disabled
Component: Local Traffic Manager
Symptoms:
The BIG-IP system immediately responds with a RST against a SYN when all pool members are marked disabled by a monitor.
Conditions:
All the pool members are marked disabled by a monitor or administratively.
Impact:
Cannot use iRules to respond with an HTTP 503 error to incoming traffic.
Workaround:
None.
783293-3 : Special chars < > & displayed incorrectly in BIG-IP GUI logon banner window
Component: TMOS
Symptoms:
If you enter any of these three characters: < > & (less than, greater than, ampersand) into the GUI Preference page or the TMSH sys global-settings configuration, they are displayed in the GUI window as the corresponding escape sequences: &lt; &gt; &amp;.
Conditions:
Entering one of these three characters into GUI banner text settings: < > &.
Impact:
At the GUI Logon page, the page displays the following characters: &lt; &gt; &amp; instead of the specified characters: < > &.
Workaround:
None.
783289-2 : PEM actions not applied in VE bigTCP.
Component: Policy Enforcement Manager
Symptoms:
If PEM virtual server is configured using bigTCP, the return traffic from the server may not return to the same TMM. PEM policies do not get applied.
Conditions:
-- BIG-IP Virtual Edition.
-- bigTCP is configured (FastL4 with PEM/GPA hudfilters).
-- Virtual server uses Source-NAT.
Impact:
PEM policies do not get applied.
Workaround:
To work around this, do the following:
-- Configure bigTCP virtual server not to use source-NAT.
-- Configure destination-IP for hashing in server-vlan (the external VLAN that has the virtual server).
783145-3 : Pool gets disabled when one of its pool members with monitor session is disabled
Component: Local Traffic Manager
Symptoms:
When a pool has at least two pool members and one of its pool members that is associated with a monitor is disabled, the entire pool gets marked disabled-by-parent.
Conditions:
-- Monitor assigned to a single pool member.
-- That member is manually disabled.
Impact:
The pool status for the entire pool is marked disabled-by-parent.
Workaround:
None.
783125-3 : iRule drop command on DNS traffic without Datagram-LB may cause TMM crash
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM may crash and restart when an iRule on a DNS virtual server performs the 'drop' command while the BIG-IP system is handling both a DNS request and DNS response at the same time for the same DNS client IP and port without UDP Datagram-LB.
Conditions:
-- The BIG-IP instance has two or more TMM processes as a result of having two or more physical cores or virtual CPUs.
-- A virtual server with both DNS and UDP profiles and one or more iRules.
-- The UDP profile has Datagram LB disabled.
-- The iRules have a 'drop' command.
-- The iRules have a DNS_REQUEST and/or DNS_RESPONSE event with an iRule command that requires coordinating data with another TMM on the system, such as the 'table' command.
Impact:
TMM crash or restart. Traffic impacted. Traffic disrupted while tmm restarts.
Workaround:
F5 strongly recommends using a UDP profile with Datagram-LB enabled for DNS UDP virtual servers.
Alternatively, replace the 'drop' command with DNS::drop in DNS_REQUEST and DNS_RESPONSE events, or with UDP::drop in other iRule events.
See the respective reference pages for DNS::drop and UDP::drop for the Valid Events in which each iRule command is available:
https://clouddocs.f5.com/api/irules/DNS__drop.html
https://clouddocs.f5.com/api/irules/UDP__drop.html
783113-3 : BGP sessions remain down upon new primary slot election
Component: TMOS
Symptoms:
BGP flapping after new primary slot election.
Conditions:
-- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)
-- After a primary blade reset/reboot, the BFD session should be processed by the same tmm on the same blade, which was secondary before the primary blade reset/reboot.
-- The BFD session creation should happen in approximately 30 seconds after the reset/reboot.
Impact:
BGP goes down. BGP flaps cause route dampening to kick in on the BGP neighbors.
Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
bigstart restart tmrouted
782613-4 : Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp
Component: TMOS
Symptoms:
If a security firewall policy is part of an iApp inside a folder created by that iApp, then when the iApp is deleted, any config sync peer will not delete the policy when it deletes the rest of the iApp.
Conditions:
-- iApp with folder and security firewall policy is deleted.
-- High availability (HA) config sync configuration.
Impact:
The security policy is gone on the system where the iApp was initially deleted, but the peer still has that object, and it can't be deleted because it's part of an iApp.
Workaround:
None.
782353-7 : SIP MRF via header shows TCP Transport when TLS is enabled
Component: Service Provider
Symptoms:
When an SSL Client Profile (TLS) is enabled on a SIP Message-Routing Virtual Server, the via header shows an incorrect transport protocol when SIP messages are sent out the client side of MRF. For example, the via header contains 'SIP/2.0/TCP' or 'SIP/2.0/UDP', when it should read 'SIP/2.0/TLS'.
Conditions:
Sending SIP messages from the client side of the SIP MRF when an SSL client profile is enabled on the SIP Message-Routing virtual server.
Impact:
The via header is not correct and violates the SIP RFC.
Workaround:
Create an iRule that replaces the incorrect via header with a correct one, for example:
when SIP_REQUEST_SEND {
    if { [clientside] } {
        SIP::header replace Via [string map [list "SIP/2.0/TCP " "SIP/2.0/TLS " "SIP/2.0/UDP " "SIP/2.0/TLS "] [SIP::header Via 0]] 0
    }
}
781733-3 : SNMPv3 user name configuration allows illegal names to be entered
Component: TMOS
Symptoms:
The validation of SNMPv3 user names is not strict, and allows users of both the GUI and TMSH to enter badly formed user names. When the SNMP daemon reads these user names from the snmpd.conf file, validation rejects the names.
Conditions:
Poorly formed SNMPv3 user names can be entered into configuration, for example, names with embedded spaces.
Impact:
The user names are not accepted by the SNMP daemon when it reads the configuration from the snmpd.conf file.
Workaround:
Use alphanumeric characters for SNMPv3 user names, and do not include embedded spaces in the names.
781725-3 : BIG-IP systems might not complete a short ICAP request with a body beyond the preview
Component: Service Provider
Symptoms:
An ICAP request (REQMOD or RESPMOD) body goes out to the ICAP server as far as a preview. If the server responds 100-continue, only a single chunk of the remaining payload might be sent to the server. Eventually the connection times out.
Conditions:
-- An ICAP profile is configured with a preview.
-- The HTTP request or response to be modified has a body that is more than one chunk longer than the preview length, yet short enough to be completely buffered in BIG-IP system before the preview is sent to the ICAP server.
-- The ICAP server responds with 100-continue.
Impact:
Only the first chunk of payload is sent after the preview, and eventually the connection times out.
Workaround:
None.
781581-1 : Monpd uses excessive memory on requests for network_log data
Component: Application Visibility and Reporting
Symptoms:
Monpd allocates excessive memory on multi-blade devices, and in some cases the kernel may kill monpd. The following log signature may be encountered in /var/log/kern.log:
err kernel: : [1537424.588160] Out of memory: Kill process 28371 (monpd) score 117 or sacrifice child
Conditions:
This can occur in a multi-blade BIG-IP environment when you are displaying pages that query for network_log data, for example Bot Defense requests in the event log, or realtime AVR data.
Impact:
Large fluctuations in host memory usage, occasionally leading to OOM events.
Workaround:
None.
781485-3 : PEM with traffic group can lead to local cache leaks on STANDBY if there is an ACTIVE-ACTIVE transition
Component: Policy Enforcement Manager
Symptoms:
PEM spm_local_cache could get leaked on the STANDBY chassis.
Conditions:
-- If the high availability (HA) cluster switches to ACTIVE-ACTIVE mode during its lifetime.
-- PEM running in a Traffic-group configuration.
Impact:
Memory on the STANDBY chassis gets leaked.
Workaround:
None.
781069-3 : Bot Defense challenge blocks requests with long Referer headers
Component: Application Security Manager
Symptoms:
The Bot Defense challenge may block the client if the Referer header is between about 1400 characters and 3072 characters long.
This client may get blocked by TCP RST, or suffer from a challenge loop.
Conditions:
-- Bot Defense with Verify before Access, or Proactive Bot Defense, is configured.
-- Request has a Referer header that is between ~1400 and 3072 characters long.
Impact:
Legitimate browsers may get blocked or suffer from a challenge loop.
Workaround:
Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.
780817-4 : TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
Component: TMOS
Symptoms:
TMM crashes and produces a core file. TMM logs show the crash was of type SIGFPE, with the following panic message:
notice panic: ../base/vcmp.c:608: Assertion "guest has vlan ref" failed.
Conditions:
-- The vCMP host is a platform with more than one tmm process per blade or appliance.
+ VIPRION B4300, B4340, and B44xx blades.
+ BIG-IP iSeries i15x00 platforms
-- A VLAN is assigned to a vCMP guest.
-- The TAG of the VLAN is modified.
-- The VLAN is removed from the vCMP guest.
Impact:
While TMM crashes and restarts on the host, traffic is disrupted on all the guests running on that system.
Guests part of a redundant pair may fail over.
Workaround:
None.
780437-3 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
Component: TMOS
Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.
As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.
The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.
Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.
Symptoms for this issue include:
-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.
-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.
-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):
qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img
qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img
-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one or more vCMP guests:
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]
Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.
-- Large configuration with many guests.
-- The VIPRION chassis is rebooted.
-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.
Impact:
-- Loss of entire configuration on previously working vCMP guests.
-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.
-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.
Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.
If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.
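The symptom checks listed for ID 780437 can be run over captured command output. The following is an added example, not F5 tooling: it looks for virtual disks open on more than one device number, vcmpd 'Creating VDisk' log entries, and a missing /shared/vmdisks mount. The function names are illustrative, the lsof DEVICE column is assumed to be field 6 as in the sample above, and the mount line is constructed.

```shell
#!/bin/sh
# Added example, not F5 tooling: checks captured command output for the
# ID 780437 signatures. Function names are illustrative.

# Print the distinct device numbers (lsof DEVICE column, assumed to be
# field 6 as in the sample lines) of open files under /shared/vmdisks.
# Feed it lsof output collected from all host blades.
vdisk_devices() {
    awk '$NF ~ /^\/shared\/vmdisks\/.*\.img$/ { print $6 }' | sort -u
}

# Print each guest for which vcmpd logged "Creating VDisk" (01510006:5).
recreated_guests() {
    sed -n 's/.*vcmpd\[[^]]*]: 01510006:5: Guest (\([^)]*\)): Creating VDisk (.*/\1/p' | sort -u
}

# Succeed if `mount` output on stdin shows /shared/vmdisks as a mount point.
vmdisks_mounted() {
    grep -q ' on /shared/vmdisks '
}

# report_780437 LSOF_TEXT LTM_TEXT MOUNT_TEXT
# Returns 0 when any signature is present, 1 otherwise.
report_780437() {
    hit=1
    ndev=$(printf '%s\n' "$1" | vdisk_devices | wc -l | tr -d ' ')
    if [ "$ndev" -gt 1 ]; then
        echo "vdisk files are open on $ndev different devices"
        hit=0
    fi
    guests=$(printf '%s\n' "$2" | recreated_guests | tr '\n' ' ')
    if [ -n "$guests" ]; then
        echo "vcmpd created new vdisks for: $guests"
        hit=0
    fi
    if ! printf '%s\n' "$3" | vmdisks_mounted; then
        echo "/shared/vmdisks is not mounted"
        hit=0
    fi
    return $hit
}

# Sample input: the lsof and vcmpd lines are the examples from this entry;
# the mount line is constructed.
SAMPLE_LSOF='qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img
qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img'
SAMPLE_LTM='info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK'
SAMPLE_MOUNT='tmpfs on /dev/shm type tmpfs (rw)'

if report_780437 "$SAMPLE_LSOF" "$SAMPLE_LTM" "$SAMPLE_MOUNT"; then
    echo "possible ID 780437 condition"
fi
```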
779137-3 : Using a source address list for a virtual server does not preserve the destination address prefix
Component: Local Traffic Manager
Symptoms:
Configuring a network virtual server with a source address list causes the system to treat the virtual server as a host.
Conditions:
-- Configure a source address list on the virtual server.
-- Configure a network address for the destination of the virtual server (not an address list).
Impact:
Traffic does not flow to the virtual server as expected.
Workaround:
None.
778517-4 : Large number of in-TMM monitors results in delayed processing
Component: Local Traffic Manager
Symptoms:
A monitor may continue to probe for a while after it has been removed from pool / member / node. Duplicate monitor instances may get created after associating a monitor to a server.
Conditions:
Device has a large number of in-TMM monitors.
Impact:
Monitor target may appear down when responding correctly.
Monitor may continue to run after removed from pool / member / node.
Increased monitoring load on server.
Workaround:
Disable in-tmm monitors.
778333-2 : GUI/CLI max-in-progress discrepancy occurs after upgrade from v11.x to v13.x or later
Component: Access Policy Manager
Symptoms:
If there is an access profile that was created using BIG-IP v11.x or earlier, with a default value of max-in-progress(0), when the configuration is upgraded to v13.x or later, the GUI shows max-in-progress as 128, but at the CLI and in the database, the actual value is 0.
Conditions:
In versions earlier than v13.x, the field 'Max In Progress Sessions Per Client IP' was set to 0 by default; from v13.x, the value is 128.
Impact:
There is a max-in-progress discrepancy between the GUI and the CLI.
Workaround:
During upgrade validation, manually add 'Max In Progress Sessions Per Client IP' to user_spec if it was set to the default value.
The upgrade then treats the field as a customized value, so the discrepancy disappears.
778225-1 : vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host
Component: Protocol Inspection
Symptoms:
Automatic hitless upgrade for protocol inspection fails on vCMP guests. This occurs because vCMP guests don't install the f5_api_com key and certificate.
Conditions:
After licensing a vCMP guest, there is no f5_api_com key or certificate (you can run key_cache_path and crt_cache_path to determine that).
Impact:
Hitless upgrade fails for protocol inspection and traffic classification on vCMP guests.
Workaround:
Install the hitless upgrade IM package manually.
777993-5 : Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same
Component: TMOS
Symptoms:
Egress TCP/UDP traffic with the same L4 source port and destination port to an external trunk is pinned to one link only.
Conditions:
This happens on BIG-IP hardware platforms with a Broadcom switch chip, so BIG-IP 2000/4000 and i2000/i4000 series are not impacted.
Impact:
Performance degradation as only a portion of the trunk bandwidth is utilized.
Workaround:
None.
777389-3 : In a corner case for the PostgreSQL monitor, the MCP process restarts
Component: TMOS
Symptoms:
MCP expects a monitoring response from the SQL server and starts polling for data continuously, resulting in an infinite loop.
Conditions:
In one of the corner cases of SQL monitoring, MCP expects to read monitoring data from the PostgreSQL server, but there is no data available to read.
Impact:
The system goes into an infinite loop and skips the heartbeat report, resulting in its restart. During MCP restart (typically, fewer than 10 seconds), the BIG-IP administrator will not be able to make CRUD operations on the BIG-IP system.
Workaround:
None.
776489-3 : Remote authentication attempts to resolve only LDAP host against the first three name servers configured.
Component: TMOS
Symptoms:
'Login failed' is displayed on the BIG-IP system's login screen.
Conditions:
-- Remote authentication is enabled.
-- There are more than three name servers configured.
Impact:
Admins may not be able to log into the BIG-IP GUI with their admin user account if the first 3 configured DNS name servers are not reachable.
Workaround:
None.
776229-3 : iRule 'pool' command no longer accepts pool members with ports that have a value of zero
Component: Local Traffic Manager
Symptoms:
Values of 0 (zero) are no longer accepted for pool member ports in iRule 'pool' commands. The system reports an error similar to the following in /var/log/ltm:
err tmm3[12179]: 01220001:3: TCL error: /Common/_user_script_member <CLIENT_ACCEPTED> - bad port in 'pool member <addr> <port>' cmd while executing "pool test_pool member 10.1.30.10 0"
Conditions:
-- Configure an iRule to use the 'pool' command to go to the pool member using a zero port in the CLIENT_ACCEPTED event.
-- Attach the iRule to the virtual server.
-- Run traffic through it.
Impact:
The iRule rejects traffic when the pool member's port number is 0.
Workaround:
Configure any iRule using the 'pool' command to go to a pool member using a non-0 port in the CLIENT_ACCEPTED event.
775801-3 : [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener
Component: Global Traffic Manager (DNS)
Symptoms:
'Route Advertisement' is not enabled even if you check the checkbox.
Conditions:
Creating GTM listener using the GUI.
Impact:
'Route Advertisement' is not enabled.
Workaround:
After the listener is created, modify the listener in the GUI and check the checkbox for 'Route Advertisement', and save.
775621-3 : urldb memory grows past the expected ~3.5GB
Component: Access Policy Manager
Symptoms:
When using the categorization engine (urldb), memory may increase when real-time update databases are downloaded (once every ten minutes, as available).
Conditions:
-- SWG provisioned.
-- Using urldb.
-- Real-time database updates occurring.
Impact:
Memory increases, and if there is not enough room on the BIG-IP system, urldb can core.
Workaround:
None.
775013-3 : TIME EXCEEDED alert has insufficient data for analysis
Component: Fraud Protection Services
Symptoms:
The time-exceeded alert does not include sufficient alert details to troubleshoot the process. It is difficult to determine whether or not the alert is valid, or how long past the request time the alert occurred.
Conditions:
Viewing alert logs for time-exceeded messages.
Impact:
Makes troubleshooting and/or analysis difficult.
Workaround:
None.
774481-4 : DNS Virtual Server creation problem with Dependency List
Component: Global Traffic Manager (DNS)
Symptoms:
Cannot use the GUI to create virtual servers with dependent virtual server.
Conditions:
This occurs when creating a virtual server that contains a dependent virtual server.
Impact:
Cannot use the GUI to create the virtual server that contains a dependent virtual server in one step.
Workaround:
You can use either of the following workarounds:
-- Use tmsh;
-- Create the virtual server through GUI without dependent virtual server first and then edit the virtual server to add dependency.
774301-3 : Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList
Component: Access Policy Manager
Symptoms:
When a BIG-IP system configured as SAML IdP or SAML SP processes SAML Requests/Responses, the verification of the digital signature fails in certain cases:
err apmd[19684]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 5321 Msg: ERROR: verifying the digest of SAML Response
Conditions:
-- BIG-IP system is configured as SAML IdP or SAML SP.
-- SAML sends the "ArtifactResponse" message with both "ArtifactResponse" and "Assertion" signed.
-- This is also applicable to any SAML requests/responses that are signed:
a) SAML Authentication Request
b) SAML Assertion
c) SAML Artifact Response
e) SAML SLO Request/Response
Impact:
Output does not match the 'Canonicalized element without Signature' calculated by APM. BIG-IP SAML IdP or SAML SP fails to process SAML Requests/Responses, resulting in errors. Cannot deploy APM as SAML SP with Assertion Artifact binding.
Workaround:
None.
774225-2 : mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting
Component: Global Traffic Manager (DNS)
Symptoms:
mcpd is in a restart loop after creating an internal DNSSEC FIPS key on a secondary GTM while rebooting the primary DNSSEC key generator GTM (gtm.peerinfolocalid==0).
Conditions:
New DNSSEC internal FIPS key is created and assigned to DNSSEC zone when BIG-IP system with gtm.peerinfolocalid==0 is down.
Impact:
mcpd is in a restart loop.
Workaround:
For maintenance window operations, set DNSSEC peer leader to the unit that will remain UP while rebooting the primary key generator in sync group (gtm.peerinfolocalid==0).
# tmsh modify gtm global-settings general peer-leader <gtm-server-name>
After the reboot is complete, all devices are back up, and everything looks good in the configs, clear the peer-leader setting:
# tmsh modify gtm global-settings general peer-leader none
If there are two GTM units: GTM1 (having gtm.peerinfolocalid == 0), GTM2, and you are going to reboot GTM1, then before rebooting, run the following command to configure the DNSSEC peer-leader setting:
# tmsh modify gtm global-settings general peer-leader GTM2
After reboot, clear the peer-leader setting:
# tmsh modify gtm global-settings general peer-leader none
773821-3 : Certain plaintext traffic may cause SSLO to hang
Component: Local Traffic Manager
Symptoms:
SSLO relies on SSL hudfilter to detect non-SSL traffic; but certain plaintext can be mistaken as SSL traffic, which can cause a hang.
Conditions:
Initial plaintext traffic resembles an SSLv2 hello message or has too few bytes for SSL to process.
Impact:
SSLO hangs, unable to bypass traffic.
Workaround:
None.
773421-3 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
Component: Local Traffic Manager
Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.
Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).
-- OneConnect is applied.
-- proxy-mss is enabled (the default value starting in v12.0.0).
Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.
Workaround:
Disable proxy-mss in the configured TCP profile.
772545-2 : Tmm core in SSLO environment
Component: Local Traffic Manager
Symptoms:
Unexpected SSL events can occur in SSLO configuration, possibly resulting in tmm core.
Conditions:
An SSLO environment in which serverside SSL can become enabled during the clientside handshake, causing unexpected events.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Enable the SSL forward proxy verified-handshake setting, available in 14.0.
772497-4 : When BIG-IP is configured to use a proxy server, updatecheck fails
Component: TMOS
Symptoms:
Executing Update Check fails when run on a BIG-IP system that is behind a proxy server.
Conditions:
-- A proxy server is configured on the BIG-IP system using proxy.host db variable (and associated port, protocol, etc.).
-- You run Update Check.
Impact:
The Update Check fails to connect because the script resolves the IP address prior to sending the request to the proxy server.
Workaround:
You can use either of the following workarounds:
I
=======
Modify the /usr/bin/updatecheck script to not resolve the service ip for callhome.f5.com. To do so, remove the script text 'PeerAddr => $service_ip,' from lines 336,337:
1. Locate the following section in the script:
@LWP::Protocol::http::EXTRA_SOCK_OPTS = ( PeerAddr => $service_ip,
SSL_hostname => $service_name,
2. Update the script to remove the content 'PeerAddr => $service_ip,', so that it looks like the following example:
@LWP::Protocol::http::EXTRA_SOCK_OPTS = ( SSL_hostname => $service_name,
II
=======
As an alternative, use a sed command, as follows:
1. Remount /usr as rw.
2. Run the following command:
# sed -e 's/PeerAddr => \$service_ip,//' -i /usr/bin/updatecheck
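The substitution can be rehearsed on a scratch copy before /usr/bin/updatecheck is touched. This is an added example, not F5's script: the function names are illustrative and the sample file is constructed from the two script lines quoted above. It keeps a backup, rolls back if the result is not as expected, and shows that the pattern must reach sed with a literal $service_ip.

```shell
#!/bin/sh
# Added example, not F5's script: rehearse the updatecheck edit on a copy.

# Write a constructed excerpt holding the two lines quoted in the workaround.
make_sample() {
    cat > "$1" <<'EOF'
@LWP::Protocol::http::EXTRA_SOCK_OPTS = ( PeerAddr => $service_ip,
SSL_hostname => $service_name,
EOF
}

# patch_updatecheck FILE
# Removes the literal text 'PeerAddr => $service_ip,' from FILE and keeps
# the previous content in FILE.orig. Returns non-zero without changing FILE
# if the text is absent or the result fails verification.
patch_updatecheck() {
    f=$1
    # Refuse a file that lacks the text (already patched, or a different
    # script version); this also protects an earlier backup.
    grep -qF 'PeerAddr => $service_ip,' "$f" || return 1
    cp -p "$f" "$f.orig" || return 1
    # Single quotes stop the shell from expanding $service_ip, and \$ makes
    # sed match a literal dollar sign.
    sed 's/PeerAddr => \$service_ip,//' "$f.orig" > "$f"
    if grep -qF 'PeerAddr => $service_ip' "$f" ||
       ! grep -qF 'SSL_hostname => $service_name' "$f"; then
        cp -p "$f.orig" "$f"    # roll back
        return 1
    fi
}

# double_quoted_is_noop FILE
# Succeeds if the same pattern written in double quotes leaves FILE's text
# unchanged: the shell expands the unset $service_ip to nothing, so sed
# searches for 'PeerAddr => ,' and finds no match.
double_quoted_is_noop() {
    unset service_ip
    sed "s/PeerAddr => $service_ip,//" "$1" | cmp -s - "$1"
}

tmp=$(mktemp) && make_sample "$tmp"
double_quoted_is_noop "$tmp" && echo "double-quoted pattern changed nothing"
patch_updatecheck "$tmp" && cat "$tmp"
rm -f "$tmp" "$tmp.orig"
```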
771173-2 : FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★
Component: Advanced Firewall Manager
Symptoms:
The system does not roll forward the FastL4 profile syn-cookie-enable attribute after upgrading from 12.x to 13.x and beyond.
Conditions:
This happens when upgrading from 12.x to 13.x and beyond.
Impact:
If syn cookies are explicitly disabled on a FastL4 profile prior to upgrading, they may be enabled.
Workaround:
You can fix the configuration by modifying it manually after upgrading.
In tmsh:
tmsh modify ltm profile fastl4 <profile_name> syn-cookie-enable <enabled|disabled>
770953-3 : 'smbclient' executable does not work
Component: TMOS
Symptoms:
Service Message Block (SMB) monitor is not functional.
Conditions:
This occurs under all conditions.
Impact:
SMB monitors fail. This occurs because the 'smbclient' executable is not functional.
Workaround:
None.
769817-4 : BFD fails to propagate sessions state change during blade restart
Component: TMOS
Symptoms:
BFD fails to propagate sessions state change during blade restart.
Conditions:
-- On a chassis with multiple blades, several routing protocol sessions are established, (e.g., BGP sessions).
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via specific blade and the corresponding BFD session of this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experienced a blade failure.
Impact:
The BFD session remains in the BFD sessions table until the BGP session is timed out by the hold timer (90 seconds, by default). Dynamic routes learned via the affected BGP session remain in the routing table until the hold time is reached.
Workaround:
Change the BGP hold time to a reasonably lower value.
769309-6 : DB monitor reconnects to server on every probe when count = 0
Component: Local Traffic Manager
Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.
Conditions:
This occurs when one of the LTM mssql, mysql, oracle or postgresql monitor types is configured with the default 'count' value of 0 (zero).
Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.
Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.
768025-2 : SAML requests/responses fail with "failed to find certificate"
Component: Access Policy Manager
Symptoms:
BIG-IP as SP and BIG-IP as IdP fail to generate signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after the certificate that is used for signing is modified.
Conditions:
The certificate used for signing SAML requests/responses or SAML SLO requests/responses is modified or re-imported.
Impact:
When this issue occurs, SAML services are impacted when BIG-IP is configured as SP or IdP. Subsequent SAML/SAML SLO requests/responses fail with the error 'failed to find certificate'.
-- When BIG-IP is configured as IdP, then SAML Authentication fails and SAML/SAML SLO services do not work.
-- When BIG-IP is configured as SP, resources that need SAML Authentication cannot be accessed. Also, SAML SLO service does not work.
Workaround:
-- When BIG-IP as IdP is affected, configure a different certificate associated with SAML IdP configuration that is used for signing, change it back to the original certificate, and then apply the policy.
-- Similarly, when BIG-IP as SP is affected, configure a different certificate associated with SAML SP configuration that is used for signing, change it back to the original certificate, and then apply the policy.
767877-2 : TMM core with Bandwidth Control on flows egressing on a VLAN group
Component: TMOS
Symptoms:
TMM cores during operation.
Conditions:
Known condition:
1. BWC attached to serverside connflow
2. Serverside traffic traversing/egressing VLAN group
Impact:
Traffic disrupted while tmm restarts.
767341-4 : If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.
Component: TMOS
Symptoms:
Repeated TMM service crashes with SIGBUS, with a memory copy operation at the top of the stack trace.
Conditions:
TMM loads a filestore file and the size of this file is smaller than the size reported by mcp, or this ifile store is not present at all.
This condition is possible due to
- filesystem errors/corruption or
- BIG-IP user intervention.
Filesystem error might be due to power loss, full disk or other reasons.
Impact:
TMM crash.
The program terminated with signal SIGBUS, Bus error.
Workaround:
Manually copy the "good" ifile store and forceload it on the previously bad unit. This is usually trivial, but error prone.
Another workaround is a clean install, if possible/acceptable.
767045-1 : TMM cores while applying policy
Component: Anomaly Detection Services
Symptoms:
TMM core and possible cores of other daemons.
Conditions:
The exact conditions are unknown.
Occurrences have been seen during specialized internal testing and while applying a copied and edited ASM policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
766761-3 : Ant-server does not log requests that are excluded from scanning
Component: Access Policy Manager
Symptoms:
Based on Request/Response Analytics agent 'Exclude Types' settings, the requests that are excluded from scanning should log a message that states, 'Response content is in excluded content list'.
Conditions:
Response or Request Analytics agent in the Per-Request Policy.
Impact:
These particular logs are not available.
Workaround:
None.
766405-4 : MRF SIP ALG with SNAT: Fix for potential crash on next-active device
Component: Service Provider
Symptoms:
The next active device may crash with a core when attempting to create media flows.
Conditions:
The names for the LSN pool and router profile are longer than expected.
Impact:
The TMM on the next active device may core. Traffic disrupted while tmm restarts. If the next-active device was not carrying traffic for a traffic group, traffic is not disrupted.
Workaround:
None.
765969-2 : Not able to get HSB register dump from hsb_snapshot on B4450 blade
Component: TMOS
Symptoms:
Running hsb_snapshot tool fails on B4450 blades with the following message:
Too many rows in tmm/hsb_internal_pde_info table
Conditions:
When vCMP is provisioned on VIPRION B4450 blades.
Impact:
HSB register dump is not available in hsb_snapshot or Qkview for diagnostic purposes.
Workaround:
None.
764901-3 : PEM policy filters rules memory gets leaked if policy is deleted before deleting the rules
Component: Policy Enforcement Manager
Symptoms:
There is a memory leak associated with deleting policies before rules.
Conditions:
If a policy is deleted before its rules are deleted.
Impact:
Memory leak.
Workaround:
Delete all rules in a policy prior to a policy delete operation.
764873-3 : An accelerated flow transmits packets to a dated, down pool member.
Component: TMOS
Symptoms:
Normally, when a pool member becomes unavailable, the flow is redirected towards another available pool member. However, an accelerated flow can continue to send traffic to the dated pool member rather than the updated one.
Conditions:
A flow changes the pool member it goes to while the flow is accelerated.
Impact:
The traffic continues to target the dated pool member that is not available.
Workaround:
Disable HW acceleration.
Or, on BIG-IP v14.1.0 and later, if a pool member goes away, run the following command to flush all accelerated flows so that they are handled correctly by software:
tmsh modify sys conn flow-accel-type software-only
763121-2 : Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.
Component: Advanced Firewall Manager
Symptoms:
TMM crashes and produces a core file. The crash is a SIGFPE accompanied by the following panic string:
Assertion "packet must already have an ethernet header" failed.
Conditions:
This issue occurs when all of the following conditions are met:
- The system is provisioned for AFM.
- A TCP Half Open attack to the system is underway.
- A BIG-IP Administrator attempts to use the AFM Packet Tester tool, and simulates sending a TCP segment with the SYN flag set.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the AFM Packet Tester tool while a TCP Half Open attack is underway.
763093-2 : LRO packets are not taken into account for ifc_stats (VLAN stats)
Component: Local Traffic Manager
Symptoms:
The ifc_stats do not correctly reflect the number of incoming octets/packets. There is a discrepancy between octets/packets in/out in the ifc_stats table, which tracks per-VLAN stats.
Conditions:
LRO is enabled and used for incoming packets.
Impact:
ifc_stats are incorrect for incoming octets and packets.
Workaround:
Disable LRO using the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
After modifying that variable, you must restart tmm for it to take effect (traffic disrupted while tmm restarts):
bigstart restart tmm
762205-4 : IKEv2 rekey fails to recognize VENDOR_ID payload when it appears
Component: TMOS
Symptoms:
Rekey with non-BIG-IP systems can fail when a response contains a VENDOR_ID payload.
Conditions:
- IKEv2 Responder sends VENDOR_ID payload in rekey response.
- The ipsec.log misleadingly reports:
[I] [PROTO_ERR]: unexpected critical payload (type 43)
Note: This message may be correctly present under other conditions, with different type constants not equal to 43.
Impact:
BIG-IP as the initiator of rekey drops the rekey negotiation without making further progress when the responder included a VENDOR_ID payload in a response. This will result in deleting the SA for good when the hard lifetime expires, causing a tunnel outage.
Workaround:
No workaround is known at this time.
761993-3 : The nsm process may crash if it detects a nexthop mismatch
Component: TMOS
Symptoms:
If there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop, nsm may crash and restart.
Conditions:
-- Dynamic routing is in use.
-- A mismatch between tmrouted and nsm for the interface index or gateway of a nexthop exists.
Impact:
There is a temporary interruption to dynamic routing while nsm is restarted.
Workaround:
None.
761753-3 : BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs
Component: TMOS
Symptoms:
When UDP checksum is 0 (zero), a BIG-IP device with an x520 NIC causes the packets to be marked as 'checksum failed'.
Conditions:
-- Using BIG-IP Virtual Edition (VE).
-- VE is using x520 VF.
Impact:
UDP Packets with 0 checksum are dropped.
Workaround:
None.
761621-3 : Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members"
Component: TMOS
Symptoms:
When Ephemeral FQDN pool members exist in a non-Common partition, they are shown to be in the /Common partition on the Local Traffic : Pools : Members page. In the statistics view of the same object, they are shown appropriately with their non-Common partition.
Conditions:
-- Ephemeral FQDN pool members exist in a non-Common partition.
-- View the FQDN pool members on Local Traffic : Pools : Members page.
Impact:
No impact to configuration, however, the display is confusing and shows contradictory partition information.
Workaround:
None.
761565-2 : ASM BD core when custom captcha page configured size more than 45K with %ASM.captcha.support_id% placeholder is at the end
Component: Application Security Manager
Symptoms:
ASM BD crash when custom captcha page configured size is 45K
Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- CAPTCHA page size is bigger than 45 KB.
- CAPTCHA protection is enabled via brute force or ASM::captcha iRule.
Impact:
An ASM BD crash occurs when a request is protected by CAPTCHA mitigation. If configured for high availability (HA), failover occurs.
Workaround:
Define CAPTCHA page sizes smaller than 45 KB.
761385-2 : Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire.
Component: Local Traffic Manager
Symptoms:
Responses from a server are not received by the client.
Conditions:
-- BIG-IP system deployed in L2 transparent mode using virtual wire.
-- No virtual server is configured.
Impact:
Responses from server to client are dropped. Loss of service.
Workaround:
None.
761345-2 : Additional config-sync may be required after blob compilation on an HA setup in manual config-sync mode
Component: Advanced Firewall Manager
Symptoms:
When manual config-sync mode is enabled for an HA setup, additional config-sync may be required after firewall blob compilation.
Conditions:
Firewall rule configuration modified on a high availability (HA) setup with manual config-sync mode enabled.
Impact:
Additional config-sync may be required after compilation completion.
A warning may be given: "There is a possible change conflict between <device1> and <device2>.", and full sync may be forced.
Workaround:
Enable auto config-sync instead of manual config-sync.
761321-3 : 'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not
Component: TMOS
Symptoms:
'Connection Rate Limit' setting is hidden when it is appropriate to do so. However, the 'Connection Rate Limit Mode' setting is still visible, even when 'Connection Rate Limit' is hidden.
Conditions:
1. Create a Virtual Server with type Standard.
2. Click Configuration 'Advanced'.
3. Enter values for 'Connection Rate Limit' and 'Connection Rate Limit Mode'.
4. Save the configuration.
5. Change the virtual server type to Forwarding (Layer 2).
Impact:
'Connection Rate Limit' is hidden -- which it should be, but 'Connection Rate Limit Mode' is not -- which it should be as well. Although 'Connection Rate Limit Mode' is available, the system ignores any setting specified.
Workaround:
Do not configure 'Connection Rate Limit Mode', as it has no effect.
761303-3 : Upgrade of standby BIG-IP system results in empty Local Database
Component: Access Policy Manager
Symptoms:
Upgrade of standby BIG-IP system results in empty Local Database.
Conditions:
This happens on standby device in a high availability (HA) setup.
Impact:
All previously existing local users disappear from the standby device. If a failover happens, none of the local users are able to log in.
Workaround:
To trigger a full database dump from the active BIG-IP system that returns the standby device's database to its original state, on the standby device, do the following:
1. Reboot.
2. Switch to a new installation volume.
3. Force stop the localdbmgr process:
bigstart stop localdbmgr
4. Wait at least 15 minutes.
5. Restart the localdbmgr:
bigstart restart localdbmgr
761194-1 : param data type violation on an Integer parameter, if an integer value is sent via websocket JSON
Component: Application Security Manager
Symptoms:
A false positive occurs with 'Illegal parameter data type' violation on an integer parameter, on websocket messages
Conditions:
An explicit parameter with type integer is configured.
Impact:
A false positive can occur, 'Illegal parameter data type' is reported.
Workaround:
N/A
761173-2 : tmm crash after extended whitelist modification
Component: Advanced Firewall Manager
Symptoms:
tmm might crash and restart.
Conditions:
Modifying the whitelist extended entry in tmsh.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
761084-1 : Custom monitor fields appear editable for Auditor, Operator, or Guest
Component: TMOS
Symptoms:
Mozilla Firefox browser shows custom monitor fields editable for Auditor, Operator, or Guest role users.
Conditions:
You can experience this issue by following these steps:
1. Create custom monitor (e.g., http, mysql, tcp).
2. Use the Firefox browser to log on to the BIG-IP system Configuration utility with a user role that is Auditor, Operator, or Guest.
3. Access the custom monitor. Note that Send String, Receive String, and Receive Disable String are all grayed out.
4. Click the browser Back button.
5. Click the browser Forward button.
Impact:
Send String, Receive String, and Receive Disable String are now editable fields. Although the Auditor, Operator, or Guest user can edit the fields, the Update button is still grayed out, so any entry is not saved.
Workaround:
None.
760950-3 : Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment
Component: TMOS
Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.
Note: A previous bug had this same symptom, but was due to a different root cause.
Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.
Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.
Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.
760771-2 : FastL4-steered traffic might cause SSL resume handshake delay
Component: Local Traffic Manager
Symptoms:
When a FastL4 virtual server steers traffic to another SSL-enabled virtual server, there can be a delay on SSL session resumption because SSL is unable to identify the connection flow.
Additionally, it has been observed that if fallback persistence is configured, the BIG-IP system might fail to start the connection serverside.
Conditions:
-- FastL4 virtual server.
-- iRule is used to steer traffic to another virtual server with client SSL enabled.
-- Multiple tmm's.
Impact:
-- Potential impact to SSL performance.
-- Possible connection failure.
Workaround:
To work around this issue:
-- Disable FastL4.
-- Enable OneConnect.
760615-3 : Virtual Server discovery may not work after a GTM device is removed from the sync group
Component: Global Traffic Manager (DNS)
Symptoms:
LTM configuration does not auto-discover GTM-configured virtual servers.
Conditions:
-- GTM is deprovisioned on one or more GTM sync group members, or the sync group is reconfigured on one or more members.
-- Those devices remain present in the GTM configuration as 'gtm server' objects.
-- iQuery is connected to those members.
Impact:
Virtual servers are not discovered or added automatically.
Workaround:
You can use either of the following workarounds:
-- Manually add the desired GTM server virtual servers.
-- Delete the 'gtm server' objects that represent the devices that are no longer part of the GTM sync group. These can then be recreated if the devices are operating as LTM-configured devices.
760518-3 : PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement
Component: Policy Enforcement Manager
Symptoms:
Some PEM action enforcement does not work with flow filter with PEM attribute set.
Conditions:
Flow filter has the Differentiated Services Code Point (DSCP) attribute set
Impact:
Some PEM actions such as http-redirect do not perform as expected.
Workaround:
Set the DSCP to the default value
760439-3 : After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
Component: TMOS
Symptoms:
After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status (e.g., transitions to standby or active).
Conditions:
Installing UCS that was taken in forced-offline state on clean installed unit.
Impact:
Unit may become active/standby before intended (e.g., during maintenance).
Workaround:
After installing the UCS, ensure that the unit is in forced-offline state as intended. If not in forced-offline state, force the unit offline before proceeding.
760438-2 : PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions
Component: Policy Enforcement Manager
Symptoms:
tmm coredump
Conditions:
-- Using an iRule to apply a referential policy in a rigorous loop.
-- This is a rarely occurring timing issue.
Impact:
Traffic impact due to tmm coredump. Traffic disrupted while tmm restarts.
Workaround:
None.
760410-2 : Connection reset is seen when Category lookup agent is used in per-req policy
Component: Access Policy Manager
Symptoms:
The BIG-IP system sends reset to client when Category Lookup agent is used in per-req policy.
Conditions:
-- APM or SSLO is licensed and provisioned.
-- URLDB and SWG are not provisioned.
-- Category Lookup agent is used in the policy to process custom categories.
Impact:
Connection reset is seen on client from APM/SSLO box.
Workaround:
Modify Category Lookup agent 'lookup-type' property to 'custom-only' via TMSH, for example, by using a command similar to the following:
modify apm policy agent category-lookup example_prp_act_category_lookup_ag lookup-type custom-only
760234-7 : Configuring Advanced shell for Resource Administrator User has no effect
Component: TMOS
Symptoms:
Advanced shell is present in the Terminal Access dropdown list when creating a Resource Administrator User, but the functionality is not available.
Conditions:
Configuring Advanced shell for Resource Administrator User.
Impact:
There is no warning message, but the setting has no effect. Gives the false impression that you can configure a Resource Administrator User to have Advanced shell access when the role does not support it.
Workaround:
None.
760130-2 : [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK
Component: Access Policy Manager
Symptoms:
-- Increased overall TMM memory usage, which eventually forces TMM to start closing connections to reduce memory usage.
-- connflow memory usage keeps increasing. Memory usage can be observed with this command:
# tmctl -f /var/tmstat/blade/tmm0 memory_usage_stat -w200
Conditions:
1. Using PingAccess.
2. Errors are being logged in /var/log/paa.
Impact:
-- Memory leak.
-- Eventually TMM starts closing connections randomly.
Workaround:
None.
760078-2 : Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet.
Component: Local Traffic Manager
Symptoms:
Packet with unexpected source MAC seen on the adjacent node to the BIG-IP.
Conditions:
- BIG-IP configured in an L2 transparent mode using virtual wires
- Traffic forwarded between client and server in an asymmetric manner across virtual wires.
Impact:
Possible impacts to services on nodes adjacent to the BIG-IP if policy decisions on those nodes are made with the source MAC of the received packet as input.
760050-3 : cwnd warning message in log
Component: Local Traffic Manager
Symptoms:
The following benign message appears in the log: cwnd too low.
Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.
Impact:
None. TCP resets the congestion window to 1 MSS.
Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.
759968-2 : Distinct vCMP guests are able to cluster with each other.
Component: Local Traffic Manager
Symptoms:
-- Distinct vCMP guests are able to cluster with each other.
-- Guests end up having duplicate rebroad_mac on one or more slots. This can be checked using the following command:
clsh tmctl -d blade tmm/vcmp -w 200 -s vcmp_name,tmid,rebroad_mac
Look at the "rebroad_mac" field.
Conditions:
-- It is not yet clear under what circumstances the issue occurs.
-- One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate "rebroad_mac" on one or more slots.
Impact:
Only the vCMP guest acting as primary will be operative.
Workaround:
-- Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:
modify sys db clusterd.communicateovertmmbp value false
Note: This command should be issued on the guest acting as primary since config changes are only allowed on cluster primary.
759392-3 : HTTP_REQUEST iRule event triggered for internal APM request
Component: Access Policy Manager
Symptoms:
Requests for the internal APM renderer for logo customization trigger the HTTP_REQUEST iRule event.
Conditions:
Customized logo in Access Profile
Impact:
HTTP_REQUEST event will be raised for requests for the customized logo in the Access Profile.
Workaround:
Inside the HTTP_REQUEST event, if it is necessary to not take a certain action on a customized logo, it is possible to check that the URL does not equal the URL for the logo (it should start with '/public/images/customization/' and contain the image name).
759258-3 : Instances shows incorrect pools if the same members are used in other pools
Component: TMOS
Symptoms:
Monitor 'Instances' tab shows incorrect pools if the same members are used in other pools.
Conditions:
Steps to Reproduce:
1. Create custom monitor or use system default.
2. Assign that monitor to a test pool.
3. Navigate to Local Traffic :: Monitors, click the test monitor, then select the Instances tab.
Impact:
The test pool is displayed, as well as any other pools that use the same member or members (but with other monitors assigned).
Workaround:
None.
758929-3 : Bcm56xxd MIIM bus access failure after TMM crash
Component: TMOS
Symptoms:
Bcm56xxd daemon running on B4300 blade might experience MIIM bus access failure after a tmm crash. The system posts a message similar to the following in the ltm log:
info bcm56xxd: 012c0016:6: MiimTimeOut:soc_miim_write, timeout (id=0xc9 addr=0x1f data=0x0000)
Conditions:
-- Heavily stressed system.
-- VIPRION B4300 blade.
Impact:
The affected B4300 blade fails to pass traffic. If configured for high availability (HA), failover occurs.
Workaround:
Reboot the affected B4300 blade.
758781-2 : iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates
Component: TMOS
Symptoms:
The following commands take a long time to complete when there are a large number of certificates:
get_certificate_list()
get_certificate_list_v2()
get_certificate_list_v3()
Conditions:
-- Using the get_certificate_list(), get_certificate_list_v2(), and get_certificate_list_v3() commands to get certificate information.
-- A large number of certificates (typically in the thousands) are installed on the BIG-IP system.
Impact:
Slowness might cause timeouts in applications that are calling these functions.
Workaround:
Use iControl REST API corresponding to sys/file/ssl-cert.
758714-2 : Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports.
Component: Local Traffic Manager
Symptoms:
Traffic does not pass through the BIG-IP system.
Conditions:
- Configure two trunk/LAG ports on a BIG-IP system.
- Create a virtual wire across it.
Impact:
Loss of service across the virtual wire.
Workaround:
None.
758604-1 : Deleting a port from a single-port trunk does not work.
Component: TMOS
Symptoms:
Deleting a port from a single-port trunk does not work.
Conditions:
1. Disable all ports for a trunk, for example by disabling them on a directly connected switch. The last port is not deleted correctly.
2. Re-enable some other ports; the trunk now also uses the disabled port.
Impact:
No user connectivity depending on which port is used.
Workaround:
None.
758542-2 : OAuth database instance appears empty after upgrade from v13.x★
Component: Access Policy Manager
Symptoms:
The database from a prior configuration does not seem to have any tokens. The tokens are being stored in a new database with a different name.
Conditions:
-- Upgrade from v13.x.
-- The name of one OAuth database instance is duplicated entirely in another instance name (for example, 'oauthdb' and 'oauthdbprod').
Impact:
Old database seems to have lost tokens. In the case of these two database instances:
oauthdb
oauthdbprod
Because the name 'oauthdb' is also present in the name 'oauthdbprod', the system creates a new database instance of 'oauthdb' at upgrade, so oauthdb will have an empty database.
Workaround:
Before upgrading, do the following:
1) Copy database oauth to another database with a completely different name.
2) Copy tokens in new database to the old, empty database.
758437-5 : SYN w/ data disrupts stat collection in Fast L4
Component: Local Traffic Manager
Symptoms:
Fast L4 analytics reports very large integers for goodput.
Conditions:
BIG-IP receives SYNs with attached data.
Impact:
Goodput data is unreliable.
Workaround:
None.
758436-3 : Optimistic ACKs degrade Fast L4 statistics
Component: Local Traffic Manager
Symptoms:
Fast L4 Analytics reports very large integers for goodput.
Conditions:
Endpoints send ACKs for data that has not been sent.
Impact:
Goodput statistics are not usable in certain data sets.
Workaround:
None.
757827-2 : Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution
Component: Local Traffic Manager
Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP reboot operation.
Conditions:
This may occur on affected BIG-IP versions when:
1. Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
2. DNS queries to resolve these FQDN names occur almost simultaneously.
3. The BIG-IP version in use contains the fix for ID 726319.
The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.
Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.
As a result, some pools may not have any active pool members, and will not pass traffic.
This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default fqdn interval value of 3600 seconds, such downtime would last approximately one hour.
Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter fqdn interval value for the FQDN nodes:
tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configured FQDN name.
757578-3 : RAM cache is not compatible with verify-accept
Component: Local Traffic Manager
Symptoms:
The TCP profile's verify-accept option is not compatible with the RAM cache feature
Conditions:
A TCP profile is used with the 'verify-accept' option enabled, together with a Web Acceleration via RAM cache.
Impact:
There may be a log message in /var/log/tmm# describing an 'Invalid Proxy Transition'. The RAM cache feature may not handle later pipelined requests due to the proxy shutting down the connection.
Workaround:
Do not use TCP's verify-accept option together with RAM cache.
757555 : Network DoS Logging Profile does not work with other logging profiles together
Component: Advanced Firewall Manager
Symptoms:
When the network DoS logging profile is configured with other logging profiles, such as AFM ACL logging profile, on the same virtual server, DoS logging does not occur.
Conditions:
Configure DoS logging profile on a virtual server with other logging profiles, such as AFM ACL logging profile.
Impact:
When a DoS attack happens, the attack is not logged.
Workaround:
Configure one general log profile for all DoS and AFM logging.
757502 : Deleting policies using select all feature on non-Common partition attempts to delete all policies across all partitions
Component: Local Traffic Manager
Symptoms:
Deleting policies using select all feature on non-Common partition attempts to delete all policies across all partitions, not just in the active partition.
Conditions:
-- Multiple partitions, each with at least one policy.
-- In one of the non-Common partitions, check the box next to 'Name' to select all the policies under that partition, and click delete.
Impact:
The system posts a confirmation message to delete all policies across all partitions rather than all policies on that specific partition.
Workaround:
Do not click the 'Name' check box; instead, select each policy individually to delete.
757359-2 : pccd crashes when deleting a nested Address List
Component: Advanced Firewall Manager
Symptoms:
When removing a nested Address List or Port List, the pccd process might crash.
Conditions:
This might occur under the following conditions:
-- Removing a nested Address List or Port List using a tmsh transaction with an incorrect tmsh command order consistently results in this crash.
-- A high availability (HA) setup with config-sync enabled and there are intermittent problems with HA-connections, or out-of-memory system state, might intermittently result in this crash.
Impact:
pccd crashes with core, restarts, and correctly compiles the new configuration. There is a resulting, small delay in applying the new configuration due to the pccd restart.
Workaround:
-- If the crash occurs as a result of incorrect tmsh commands in a transaction, reorder the commands so that the parent list is modified or deleted before deleting the nested list.
-- If the crash is an intermittent issue due to problems with HA-connections, or an out-of-memory system state, no action is necessary; pccd correctly compiles new configuration after it restarts.
757029-3 : Ephemeral pool members may not be created after config load or reboot
Component: Local Traffic Manager
Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP system reboot operation.
Conditions:
This may occur on affected BIG-IP versions when:
-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.
The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.
Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.
As a result, some pools may not have any active pool members, and do not pass traffic.
This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.
Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes:
tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configured FQDN name.
756830-2 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
Component: TMOS
Symptoms:
The BIG-IP system may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'.
Conditions:
Connections match a virtual server that has the following settings:
- Connection mirroring is enabled.
- Source Port set to 'Preserve Strict'.
In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'.
Impact:
Source translation may fail on BIG-IP system, leading to client connection failures.
Workaround:
You can try either of the following:
-- Do not use the Source Port setting of 'Preserve Strict'.
-- Disable connection mirroring on the virtual server.
756820-3 : Non-UTF8 characters returned from /bin/createmanifest
Component: TMOS
Symptoms:
/bin/createmanifest reads from mcpd values stored for items that are obtained from firmware. These might contain non-UTF8 characters. This program is called in qkview, which is then uploaded to iHealth. If any non-UTF8 character is present, the output is omitted (because XML cannot handle non-UTF8 characters).
Conditions:
Data stored in mcpd obtained from firmware contain non-UTF8 characters.
Impact:
The upload to iHealth will not contain any of the manifest data set obtained via createmanifest.
Workaround:
The values can be obtained from the qkview by reading qkview_run.data, but they cannot be conveniently read in iHealth.
756647-2 : Global SNAT connections do not reset upon timeout.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not send reset packets when a connection times out.
Conditions:
BIG-IP configured with global SNAT.
Impact:
Client or server might unnecessarily keep the connection open.
Workaround:
You can use either of the following workarounds:
-- Use forwarding virtual server with snatpool instead of global SNAT.
-- Modify tmm_base.tcl as follows:
profile bigproto _bigproto {
reset_on_timeout enable
}
756477-1 : Drop Redirect tab incorrectly named as 'Redirect Drop'
Component: Advanced Firewall Manager
Symptoms:
Incorrect naming on navigation tabs Security :: Debug :: Drop Redirect.
Conditions:
Navigating to Security :: Debug :: Drop Redirect.
Impact:
The page name is Drop Redirect instead of Redirect Drop.
Workaround:
None.
756457 : tmsh command 'show security' returning a parsing error
Component: Advanced Firewall Manager
Symptoms:
Running the tmsh command 'tmsh -m show security' returns a parsing error similar to the following:
Unexpected Error: Chunked data did not start with start_message.
Conditions:
-- AFM is provisioned.
-- Running the command: 'tmsh -m show security'.
Impact:
-- The 'show security' commands return a parsing error.
-- Some show commands might not work.
Workaround:
None.
756356-1 : External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long
Component: Local Traffic Manager
Symptoms:
iRules using the command 'class match' with the 'equals' operator on long entries fail to return a positive match, even if they are in the datagroup, for example:
my_datagroup:
"abcdefghijklmnopqrstuvwxyz0123456" := "value1"
class match "abcdefghijklmnopqrstuvwxyz0123456" equals my_datagroup
Conditions:
This is encountered when all of the following conditions are met:
- Using an external datagroup of type string with keys longer than 32 characters.
- Using an iRule with the 'class match' command and the 'equals' operator on the external datagroup.
- Trying to match keys that are longer than 32 characters.
Impact:
iRules will act incorrectly.
Workaround:
If none of the keys in the datagroup are prefixes of each other, the 'equals' operator can be changed to 'starts_with' or 'ends_with' (if none are suffixes of each other).
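The workaround above is only safe when no key is a prefix (or suffix) of another. The following is an added example, not F5 code, that audits a string data group file for keys over 32 characters and checks that precondition; the function names and the sample records are constructed, and the one-record-per-line `"key" := "value"` layout with an optional trailing comma is an assumption based on the record shown in the symptoms.

```python
import re

# From the issue description: 'class match ... equals' misses keys longer than this.
MAX_EQUALS_KEY_LEN = 32

# One record per line, in the form the page shows: "key" := "value"
# A trailing comma and a key with no value are accepted as well (assumption).
RECORD_RE = re.compile(r'^\s*"([^"]*)"\s*(?::=\s*"([^"]*)")?\s*,?\s*$')

# Constructed sample; only the 33-character key is taken from the issue text.
SAMPLE_DATAGROUP = '''\
"short-key" := "value0",
"abcdefghijklmnopqrstuvwxyz0123456" := "value1",
"abcdefghijklmnopqrstuvwxyz0123456789" := "value2",
"tenant-a/api/v1/orders/by-customer-id" := "value3",
'''


def parse_datagroup(text):
    """Parse string-type data group records into a {key: value} dict."""
    records = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = RECORD_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: unrecognised record: {line!r}")
        records[match.group(1)] = match.group(2) or ""
    return records


def adjacent_prefix_pairs(keys):
    """Return (shorter, longer) pairs where one key is a prefix of another.

    After sorting, a key that is a prefix of any other key is always a prefix
    of its immediate successor, so one pass over neighbours is enough to
    decide whether any clash exists.
    """
    ordered = sorted(set(keys))
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b.startswith(a)]


def audit_datagroup(text):
    """Report keys hit by the 32-character limit and which workaround is safe."""
    keys = list(parse_datagroup(text))
    prefix_clashes = adjacent_prefix_pairs(keys)
    # Suffix clashes are prefix clashes on the reversed keys.
    suffix_clashes = [
        (a[::-1], b[::-1]) for a, b in adjacent_prefix_pairs(k[::-1] for k in keys)
    ]
    return {
        "long_keys": sorted(k for k in keys if len(k) > MAX_EQUALS_KEY_LEN),
        "prefix_clashes": prefix_clashes,
        "suffix_clashes": suffix_clashes,
        "starts_with_usable": not prefix_clashes,
        "ends_with_usable": not suffix_clashes,
    }


if __name__ == "__main__":
    report = audit_datagroup(SAMPLE_DATAGROUP)
    for key in report["long_keys"]:
        print(f"affected ({len(key)} chars): {key}")
    for shorter, longer in report["prefix_clashes"]:
        print(f"starts_with unsafe: {shorter!r} is a prefix of {longer!r}")
    for shorter, longer in report["suffix_clashes"]:
        print(f"ends_with unsafe: {shorter!r} is a suffix of {longer!r}")
```

On the constructed sample, three keys exceed the limit and the 33-character key is a prefix of the 36-character one, so only the 'ends_with' form of the workaround is usable.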
756313-3 : SSL monitor continues to mark pool member down after restoring services
Component: Local Traffic Manager
Symptoms:
After an HTTPS monitor fails, it never resumes probing. No ClientHello is sent, just 3WHS and then 4-way closure. The pool member remains down.
Conditions:
-- The cipherlist for the monitor is not using TLSv1 (e.g., contains -TLSv1 or !TLSv1).
-- The pool member is marked down.
Impact:
Services are not automatically restored by the health monitor.
Workaround:
To restore the state of the member, remove it, and add it back to the pool.
756270-3 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
Component: Local Traffic Manager
Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for the CRL issuer.
Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.
Impact:
Handshake failure.
Workaround:
None.
756177-4 : GTM marks pool members down across datacenters
Component: Global Traffic Manager (DNS)
Symptoms:
GTM pool members are marked down even though the monitored resource is available.
GTM debug logs indicate that each GTM is relying on the other GTM to conduct probing:
debug gtmd[13166]: 011ae039:7: Check probing of IP:Port in DC /Common/dc1.
debug gtmd[13166]: 011ae03a:7: Will not probe in DC /Common/dc1 because will be done by other GTM (/Common/gtm2).
---
debug gtmd[7991]: 011ae039:7: Check probing of IP:Port in DC /Common/dc2.
debug gtmd[7991]: 011ae03a:7: Will not probe in DC /Common/dc2 because will be done by other GTM (/Common/gtm1).
Conditions:
-- GTM configured in different data centers.
-- GTM pool configured with a single monitor, and the monitor uses an alias address that can be pinged from both data centers.
-- GTM pool members configured from different data centers.
Impact:
Pool members are marked down.
Workaround:
Instead of a single monitor, use a monitor created specifically for each data center.
756108-2 : BD crash on specific cases
Component: Application Security Manager
Symptoms:
BD crash on specific cases.
Conditions:
Have a feature that requires Captcha/Client Side Integrity in ASM.
Impact:
No traffic to app.
Workaround:
None.
756088-3 : The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address
Component: TMOS
Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.
The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.
Conditions:
-- There are multiple virtual servers associated with a virtual address.
-- The virtual-address icmp-echo is set to 'all' or 'any'.
-- The virtual-address route-advertisement is set to 'all' or 'any'.
Impact:
The BIG-IP might respond incorrectly to ICMP echo requests sent to a virtual-address.
-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP may not respond correctly after a virtual-address availability change.
-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.
The BIG-IP might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.
Workaround:
None.
755791-3 : UDP monitor not behaving properly on different ICMP reject codes.
Component: Local Traffic Manager
Symptoms:
Unexpected or improper pool/node member status.
Conditions:
The BIG-IP system receives the ICMP rejection code as icmp-net/host-unreachable.
Impact:
The monitor might consider a server available when some type of ICMP rejection has been received that is not port unreachable.
Workaround:
You can use either of the following workarounds:
-- Use UDP monitors configured with a receive string.
-- Do not use UDP monitors.
755727-5 : Ephemeral pool members not created after DNS flap and address record changes
Component: Local Traffic Manager
Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.
Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.
Conditions:
This issue may occur under rare timing conditions when the following factors are present:
-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.
Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.
Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:
1. Restart the dynconfd daemon:
bigstart restart dynconfd
2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }
To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.
755721-2 : A UDP DNS packet may incorrectly match a BDoS signature if such a packet was queued up due to ingress shaper
Component: Advanced Firewall Manager
Symptoms:
A UDP DNS packet may incorrectly match a BDoS signature if such a packet was queued up due to ingress shaper. In the worst case, this incorrect signature match might drop the packet.
Conditions:
AFM is enabled and it receives multiple (back-to-back-to-back) UDP DNS packets, which (due to ingress shaper) might cause queueing for some of the packets in the same data path thread.
Impact:
In this case, when the queued packet is later picked up for further processing, it may incorrectly match a BDoS signature (that would not have otherwise matched if this packet was not queued). A UDP DNS packet may match an incorrect signature and thus might be incorrectly dropped by the BIG-IP system.
Workaround:
None.
755631-2 : UDP / DNS monitor marking node down
Component: Local Traffic Manager
Symptoms:
The UDP / DNS monitor marks nodes down.
Conditions:
-- UDP or DNS monitor configured.
-- Interval is a multiple of timeout.
-- The response is delayed by over one interval.
Impact:
Pool member is marked down.
Workaround:
Increase the interval to be greater than the response time of the server.
755585-2 : mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction
Component: Local Traffic Manager
Symptoms:
On a VIPRION cluster, if a single transaction creates a policy with the name Drafts/NAME, publishes the policy, and attaches the policy to a virtual server, mcpd restarts on the secondary blades.
Conditions:
-- VIPRION chassis with more than one blade.
-- Single mcp transaction that:
* Creates a policy with 'Drafts/' as part of the policy name.
* Publishes that policy.
* Attaches that policy to a virtual server, either in the same transaction or a later transaction.
Impact:
mcpd restarts on all secondary blades of a cluster.
Workaround:
You can use either of the following workarounds:
-- Do not create policies with 'Drafts/' in the name.
-- Do not create and publish a policy in the same transaction.
755447-2 : SSLO does not deliver content generated/originated from inline device
Component: Access Policy Manager
Symptoms:
If any inline service acting as a proxy generates content for the client while resetting the server side connection, then the client might not see the content, and will instead see a reset.
Conditions:
-- F5 SSL Orchestrator (SSLO) with inline services intercepting requests and replying without letting the content go to back-end server.
-- Inline services resetting the back-end connection.
Impact:
Client receives a reset instead of a redirect or error page.
Workaround:
None.
755311-2 : No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down
Component: Service Provider
Symptoms:
When TMM is shutting down with active DIAMETER connections, it does not send out any Disconnect-Peer-Request messages to its DIAMETER pool members.
Conditions:
- DIAMETER in use.
- Active connections from the BIG-IP system to its DIAMETER pool members.
- TMM is shutting down.
Impact:
The remote server is not notified of the change in DIAMETER peer status.
Workaround:
None.
755282-2 : [GTM] bigip_add password prompt for IPv4-mapped IPv6 address
Component: Global Traffic Manager (DNS)
Symptoms:
After running the bigip_add script without specifying a server address, the host address shown in the ssh password prompt is an IPv4-mapped IPv6 address for IPv4 servers.
For example:
Enter root password for 0000:0000:0000:0000:0000:FFFF:0A3C:010A
Conditions:
Run bigip_add without a server address, when the host address is an IPv4-mapped IPv6 address.
Impact:
There is no way to tell what the actual server name is without converting the IPv4-mapped IPv6 address back to an IPv4 address to find which password to enter, for example: 0A3C:010A to 10.60.1.10.
Workaround:
To work around this, edit the bigip_add script.
IMPORTANT: Make sure to back up the bigip_add script before making modifications.
1. Make the /usr folder writable:
# mount -o rw,remount /usr
2. Backup bigip_add:
# cp /usr/local/bin/bigip_add /shared/tmp/bigip_add.backup
3. Edit bigip_add by adding different 'print' output for IPv4 servers.
Replace this:
< print "Enter $ruser password for $ip if prompted\n";
With something similar to this:
> if ($ip =~ /0000:0000:0000:0000:0000:FFFF:/) {
> my $display_ipv4 = ipv6_to_ipv4($ip);
> print "Enter $ruser password for $display_ipv4 if prompted\n";
> } else {
> print "Enter $ruser password for $ip if prompted\n";
> }
NOTE: Do not modify the actual value for $ip.
Below is an example diff:
# diff /shared/tmp/bigip_add.backup /usr/local/bin/bigip_add
18a19
>
43a45,51
> sub ipv6_to_ipv4
> {
> my $in_addr = $_[0];
> my @ipv6 = split /:/, $in_addr;
>
> my $ipv6_part1 = hex ($ipv6[6]);
> my $ipv6_part2 = hex($ipv6[7]);
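Review bot: ipv6_to_ipv4 reads $ipv6[6] and $ipv6[7] straight after the split without checking that eight groups came back, so the sub is only correct because the caller shown in the 152c167,173 hunk has already matched the fully expanded form. A guard at the top of the sub that returns $in_addr unchanged unless scalar(@ipv6) == 8 would keep a later caller from building a prompt address out of undefined values.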
44a53,60
> my $ipv4_1=scalar($ipv6_part1>>8);
> my $ipv4_2=scalar($ipv6_part1&0xff);
> my $ipv4_3=scalar($ipv6_part2>>8);
> my $ipv4_4=scalar($ipv6_part2&0xff);
>
> my $ipv4 = "${ipv4_1}.${ipv4_2}.${ipv4_3}.${ipv4_4}";
> return $ipv4;
> }
75d90
<
152c167,173
< print "Enter $ruser password for $ip if prompted\n";
---
>
> if ($ip =~ /0000:0000:0000:0000:0000:FFFF:/) {
> my $display_ipv4 = ipv6_to_ipv4($ip);
> print "Enter $ruser password for $display_ipv4 if prompted\n";
> } else {
> print "Enter $ruser password for $ip if prompted\n";
> }
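Review bot: The match on /0000:0000:0000:0000:0000:FFFF:/ in the new if is unanchored and case-sensitive. Because the pattern is only six groups long, an address that carries it starting at the second group would also match, and ipv6_to_ipv4 would then convert the wrong two groups; a lower-case or compressed (::ffff:) value, by contrast, falls through to the else branch and the mapped address is printed as before. Anchoring with ^ and adding the i modifier, as in /^0000:0000:0000:0000:0000:FFFF:/i, makes the intent explicit.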
179d199
<
755197-2 : UCS creation might fail during frequent config save transactions
Component: TMOS
Symptoms:
If 'tmsh save sys config' is run simultaneously with 'tmsh save sys ucs <file>', there is the possibility of a race condition where a file gets scheduled to be added to the UCS file, but gets deleted by the save-config before it actually gets saved.
Conditions:
-- Run 'save sys config' at the same time as 'save sys ucs <file>' in tmsh.
-- Files are getting added by one tmsh command, yet deleted by the other. For example, when deleting a file that has not been saved to the configuration, while the system tries to create a UCS that contains that to-be-deleted file.
Note: There are many operations in which 'save sys config' is performed internally, so running the 'save sys ucs <file>' operation might encounter the timing error any time, even when you are not manually running 'save sys config'.
Impact:
The UCS is not created, and system posts messages similar to the following:
-- config/bigip_base.conf/: Cannot stat: No such file or directory.
-- Exiting with failure status due to previous errors.
-- Operation aborted.
This is a rare, timing-related occurrence. Even though the 'save sys ucs <file>' aborts and logs errors, simply re-running the command is likely to succeed.
Workaround:
Re-run the 'save sys ucs <file>' after it aborts. Nothing else needs to be changed or restored.
755018-3 : Traffic processing may be stopped on VE trunk after tmm restart
Component: TMOS
Symptoms:
Trunk interface members might be missing from tmm after tmm restart on BIG-IP Virtual Edition (VE).
Conditions:
-- Using trunks on VE.
-- tmm restarts.
Impact:
No traffic processing after tmm restart.
Workaround:
Remove the interfaces from the trunk and re-add them:
# tmsh modify net trunk <trunk name> interfaces none
# tmsh modify net trunk <trunk name> interfaces add { <interface1> <interface2> }
754901-2 : Frequent zone update notifications may cause TMM to restart
Component: Global Traffic Manager (DNS)
Symptoms:
When there are frequent zone update notifications, the watchdog for TMM may trip, and TMM crashes and restarts. There may also be 'clock advanced' messages in /var/log/ltm.
Conditions:
- Using DNS express.
- DNS zone with allow notify.
- Frequent zone NOTIFY messages resulting in zone transfers.
Impact:
TMM restart potentially resulting in failing or impacting services. Traffic disrupted while tmm restarts.
Workaround:
None.
754542-3 : TMM may crash when using RADIUS Accounting agent
Component: Access Policy Manager
Symptoms:
TMM may crash when using RADIUS Accounting agent in either per-session or per-request policy.
Conditions:
- APM is provisioned and licensed.
- RADIUS Accounting agent is used in either per-session or per-request policy.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
754257-3 : URL lookup queries not working
Component: Traffic Classification Engine
Symptoms:
Occasionally, there is no response to a url-categorization query.
Conditions:
This might occur under the following conditions:
-- When there are duplicate requests using tmsh.
-- When the connection is partially closed by the server.
Impact:
URL does not get classified. Cannot take any actions against those URLs.
Workaround:
None.
754109-2 : ASM content-security-policy header modification violates Content Security Policy directive
Component: Application Security Manager
Symptoms:
When the backend server sends a content-security-policy header where source-src and default-src directives are missing, ASM will modify the header when it does its own JavaScript injection, which might cause a CSP policy violation for inline JavaScript code.
Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- ASM policy has CSRF or AJAX Blocking page enabled.
Impact:
Inline JavaScript does not run. The Browser reports a content-security-policy violation.
Workaround:
Disable CSP in ASM by running the following commands:
-- /usr/share/ts/bin/add_del_internal add csp_enabled 0
-- bigstart restart asm
753860-5 : Virtual server config changes causing incorrect route injection.
Component: TMOS
Symptoms:
Updating the virtual server to use a different virtual address (VADDR) does not work as expected. The system should remove the old VADDR route and inject the new route for the new virtual address. Instead, it injects incorrect routes into the routing protocols.
Conditions:
-- Change the VADDR on a virtual server.
-- Set route-advertisement on both VADDRs.
Impact:
Incorrect routes are injected into routing protocols.
Workaround:
None.
753805-4 : BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.
Component: Local Traffic Manager
Symptoms:
After failover, it takes longer than expected for the virtual server to become available.
Conditions:
-- There is a configuration difference in the pool members before and after the configuration synchronization.
-- Probe status is also different.
Impact:
Virtual server takes longer than expected to become available.
Workaround:
Run full sync (force-full-load-push) from the active BIG-IP system to solve this issue.
753790-1 : Allow 'DIAMETER::persist reset' command in EGRESS events
Component: Service Provider
Symptoms:
The 'DIAMETER::persist reset' command is not allowed in EGRESS events; it is blocked by validation.
Conditions:
In an iRule, attempt to use 'DIAMETER::persist reset' in an EGRESS event for DIAMETER.
Impact:
Unable to reset persistence records on an EGRESS event in DIAMETER through iRules.
Workaround:
None.
753594-4 : In-TMM monitors may have duplicate instances or stop monitoring
Component: Local Traffic Manager
Symptoms:
Most monitored resources (such as pools) report messages similar to the following:
Availability : unknown
Reason : The children pool member(s) either don't have service checking enabled, or service check results are not available yet.
A fraction of the monitored resources report the correct status based on the state of the resource.
Enabling bigdlog may show messages containing 'tmm_mid=x:0' (where x can be a value such as 0, 1, or 2). In the following example, it is tmm_mid=1:0:
[0][11288] 2019-03-08 10:03:04.608: ID 10859 :(_do_ping): post ping, status=UNKNOWN [ tmm?=true td=true tr=false tmm_mid=1:0 addr=::ffff:1.2.37.44:443 mon=/Common/https fd=-1 pend=0 #conn=0 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 next_ping=[1552068189.684126][2019-03-08 10:03:09] last_ping=[1552068184.684909][2019-03-08 10:03:04] deadline=[1552067610.048558][2019-03-08 09:53:30] on_service_list=True snd_cnt=119 rcv_cnt=0 ]
The following error might appear in /var/log/ltm:
-- failed to handle TMA_MSG_DELETE message: MID 0, error TMA_ERR_INVALID_MID(Monitor ID is invalid or unused)
Conditions:
-- Configure In-TMM monitoring with a sufficiently large number of monitored objects.
-- Modify monitors while pool members are in an offline state or perform rapid modification of In-TMM monitors.
Impact:
Some monitors may be executed multiple times per configured interval on a resource, and some monitors may not be executed at all against resources.
Workaround:
Switch to traditional bigd monitoring instead of In-TMM:
tmsh modify sys db bigd.tmm value disable
753526-2 : IP::addr iRule command does not allow single digit mask
Component: Local Traffic Manager
Symptoms:
When a plain literal IP address and mask are used in the IP::addr command, validation fails if the mask is a single digit.
Conditions:
The address mask is a single digit.
Impact:
Validation fails.
Workaround:
Assign address/mask to a variable and use the variable in the command.
753501-2 : iRule commands (such as relate_server) do not work with MRP SIP
Component: Service Provider
Symptoms:
Some iRule commands (such as relate_server) fail when used in conjunction with Message Routing Protocol (MRP) SIP configurations using message routing transport.
Conditions:
-- MRP SIP configuration uses transport-config.
-- iRule command 'relate_server' is configured on the corresponding virtual server.
Impact:
iRule commands such as relate_server cannot be used with MRF SIP.
Workaround:
None.
753423-5 : Disabling and immediately re-enabling the slot results in interfaces from the slot being permanently removed from aggregation
Component: TMOS
Symptoms:
Working-mbr-count does not show the correct number of interfaces.
Conditions:
Slot got disabled and re-enabled immediately.
Impact:
Interfaces may be removed from an aggregation permanently.
Workaround:
Disable and re-enable the slot with a time gap of one second.
753163-3 : PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days
Component: Policy Enforcement Manager
Symptoms:
No connection request with PCRF/OCS if high availability (HA) failover occurs after 26 days. tmm crash
Conditions:
-- Using PEM.
-- high availability (HA) failover occurs after 26 days.
Impact:
PEM does send the reconnect request within the configured reconnect, so there is no connection initiated with PCRF/OCS.
Workaround:
To restart the connection, restart tmm using the following command:
tmm restart
Note: Traffic disrupted while tmm restarts.
753159-2 : Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections
Component: Local Traffic Manager
Symptoms:
Mirrored serverside FastL4 connections do not inherit the IP ToS/QoS values from the selected pool or values set via iRule IP::tos/LINK::qos commands.
Conditions:
-- FastL4 virtual server with mirroring.
-- Pool with non-zero IP ToS/QoS values.
or
-- iRule with IP::tos/LINK::qos serverside commands
Impact:
IP ToS/QoS values are not set on mirrored connection after failover.
Workaround:
Configure the desired IP ToS/QoS values in the FastL4 profile.
753014-3 : PEM iRule action with RULE_INIT event fails to attach to PEM policy
Component: Policy Enforcement Manager
Symptoms:
PEM iRule action with RULE_INIT event fails to attach to PEM policy.
Conditions:
Attaching PEM policy with PEM iRule action that contains a RULE_INIT event.
Impact:
PEM fails to update the new iRule action.
Workaround:
Force mcpd to reload the BIG-IP configuration.
To do so, follow the steps in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
753001-2 : mcpd can be killed if the configuration contains a very high number of nested references
Component: TMOS
Symptoms:
mcpd can be killed by sod if the configuration contains a very high number of nested references. This results in a core file due to a SIGABRT signal.
Conditions:
A very high number of nested configuration references (such as SSL certificate file objects).
Impact:
Failover or outage (if not HA). The system sends no traffic or status while mcpd restarts.
Workaround:
None.
752994-2 : Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod
Component: TMOS
Symptoms:
With a large number of client SSL profiles, combined with shallow nesting of these profiles, all referring to a single SSL certificate file object, mcpd can take a lot of time to process an update to that certificate. It is possible this amount of time will be longer than sod's threshold, and cause it to kill mcpd.
Conditions:
- A large number (hundreds or thousands) of client SSL profiles that have a shallow nesting structure and all point back to a single SSL certificate file object.
- Happens when the SSL certificate is updated.
Impact:
sod kills mcpd, which causes a failover (when high availability (HA) is configured) or an outage (when there is no high availability (HA) configured).
Workaround:
None.
752797-2 : BD is not correctly closing a shared memory segment
Component: Application Security Manager
Symptoms:
The number of shared memory segments is increasing.
Conditions:
There are many ASM restarts.
Impact:
Memory increases on the system.
Workaround:
None.
752530-2 : TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.
Component: Local Traffic Manager
Symptoms:
Fast L4 TCP Analytics reports incorrect goodput when the server sequence number and the TMM-generated sequence number are different.
Conditions:
This occurs when either of the following conditions is met:
-- tcp-generate-isn is set in the Fast L4 profile.
-- SYN cookie is active.
Impact:
The GUI page Statistics :: Analytics :: TCP :: Goodput displays incorrect goodput values.
Workaround:
None.
752363-3 : Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled
Component: Advanced Firewall Manager
Symptoms:
Client request fails, due to being dropped on the BIG-IP system.
Conditions:
-- The BIG-IP AFM L4 BDoS feature is enabled.
-- Virtual server setup is such that the client-facing virtual server's destination is forwarded through another virtual server, which is an internally forwarded flow.
Impact:
Client request gets dropped due to BIG-IP AFM dropping the flow.
Workaround:
Disable BDoS feature. The feature can be disabled using the following commands:
-- To disable BDoS globally, run the following command:
modify security dos device-config dos-device-config dynamic-signatures { network { detection disabled mitigation none }}
-- To disable BDoS globally per-profile, run the following commands:
modify security dos profile <profile-name> dos-network modify { test { dynamic-signatures { detection disabled mitigation none } } }
modify security dos profile test protocol-dns modify { test { dynamic-signatures { detection disabled mitigation none } } }
752334-2 : Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation
Component: Local Traffic Manager
Symptoms:
When Fast L4 receives out-of-order TCP packets, TCP analytics may compute the wrong goodput value.
Conditions:
Fast L4 receives out-of-order packets.
Impact:
Fast L4 reports an incorrect goodput value for the connection.
Workaround:
None.
752216-5 : DNS queries without the RD bit set may generate responses with the RD bit set
Solution Article: K33587043
Component: Global Traffic Manager (DNS)
Symptoms:
If the BIG-IP system is configured to use forward zones, responses to DNS queries may include the RD bit, even if RD bit is not set on the query.
Conditions:
-- Forward zone is configured.
-- Processing a query without the RD bit.
Impact:
Some responses to DNS queries may include the RD bit, even though the RD bit is not set on the query. This is cosmetic, but some DNS tools may report this as an RFC violation.
Workaround:
None.
751924-3 : TSO packet bit fails IPsec during ESP encryption
Component: TMOS
Symptoms:
An internal error occurs when an unexpected packet bit for TCP segment offload reaches the crypto code for ESP in IPsec.
Conditions:
Traffic passing through ESP encapsulation for an IPsec tunnel when the TSO bit (for TcpSegmentationOffload) is set on the packet involved.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
751869-1 : Possible tmm crash when using manual mode mitigation in DoS Profile
Component: Advanced Firewall Manager
Symptoms:
tmm crash and restart is possible when using manual mode mitigation in DoS Profile.
Conditions:
When manual mode mitigation is used for any vector that is enabled in the DoS Profile that is attached to a Protected Object.
Impact:
tmm crash and restart is possible. Traffic disrupted while tmm restarts.
Workaround:
None.
751581-2 : REST API Timeout while querying large number of persistence profiles
Component: TMOS
Symptoms:
When you have a large number of collections in BIG-IP, the REST API appears to time out without any response from the BIG-IP system.
Conditions:
The BIG-IP system has a large number of persistence profiles.
Impact:
The REST API times out when it queries the BIG-IP system for persistence profiles. No response is sent for the given REST API call.
Workaround:
When you have a large number of collections, use the paging mechanism.
Refer to https://devcentral.f5.com/d/icontrol-rest-user-guide-version-131-246, which states:
"iControl® REST supports pagination options for large collections."
751540-2 : GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server
Component: Global Traffic Manager (DNS)
Symptoms:
GTM changes in some devices are not synced to other GTM-configured devices in the same syncgroup.
Conditions:
-- There are multiple self IP addresses configured on one VLAN.
-- Some, but not all, self IP addresses are configured for GTM server.
Impact:
GTM Sync group not syncing properly.
Workaround:
Configure all self IP addresses in the syncgroup for GTM server.
751409-2 : MCP Validation does not detect when virtual servers differ only by overlapping VLANs
Component: TMOS
Symptoms:
It is possible to configure two virtual servers with the same address, port, and route domain, and have them overlap only in VLANs. MCP does not detect the overlap.
Errors like this may be seen in the ltm log:
err tmm1[29243]: 01010009:3: Failed to bind to address
Conditions:
Two (or more) virtual servers have the same address, port, and route domain, and overlap only in VLANs.
Impact:
Traffic does not get routed properly.
Workaround:
There is no workaround other than ensuring that virtual servers that have the same address, port, and route domain have no overlap of VLANs.
751179-2 : MRF: Race condition may create too many outgoing connections to a peer
Component: Service Provider
Symptoms:
If two different connections attempt to create an outgoing connection to a peer at the same time, multiple connections may be created, even if the peer object is configured for one connection per peer. This is due to a race condition in message routing framework during connection creation.
Conditions:
-- Two different connections attempt to create an outgoing connection to a peer at the same time.
-- The peer is configured for one connection per peer.
Impact:
More than one connection to a peer is created.
Workaround:
None.
751116-2 : DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring
Component: Advanced Firewall Manager
Symptoms:
The DoS visibility screens (Monitoring :: Security :: Reporting : DoS) may display DNS and Network protocol DoS attacks with the incorrect mitigation details.
Conditions:
An attacked object assigned to a DoS profile with either DNS or Network security protocols that are configured to have detect-only or learn-only states for DoS attacks.
Impact:
Network or DNS DoS attacks, detected by a DoS profile with detect-only or learn-only protection, display mitigation as Blocking instead of the configured Transparent protection. This does not affect the reported traffic data found in the DoS visibility dimensions and charts.
Workaround:
None.
751036-2 : Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
Component: Local Traffic Manager
Symptoms:
Virtual server status becomes unavailable when the connections are over the rate limit, and stays unavailable when the number of connections falls below the limit.
Conditions:
-- The connections are over the rate limit, making the virtual server status unavailable.
-- The number of connections falls below the limit.
Impact:
Virtual server status reports unavailable, even though it should be available.
Workaround:
This problem does not impact virtual server processing traffic. It simply reports the wrong status.
751024-3 : i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd
Component: TMOS
Symptoms:
Messages similar to the following appear in /var/log/ltm:
info bcm56xxd: 012c0012:6: I2C muxes are not cleared. Problem with mux 224:
Conditions:
-- i5000/i7000/i10000 platforms.
-- May be caused by a defective optic, rebooting/upgrading BIG-IP, removing and reinserting optics.
Impact:
Changes in optic state may be ignored while I2C bus is unavailable.
Workaround:
For each SFP, perform the following procedure:
1. Unplug the optic.
2. Wait 10 seconds.
3. Plug optic back in.
Note: This message might be caused by a defective optic. If error messages stop when one optic is removed, and error messages resume when the optic is inserted, replace that optic.
751021-2 : One or more TMM instances may be left without dynamic routes.
Component: TMOS
Symptoms:
Inspecting the BIG-IP's routing table (for instance, using tmsh or ZebOS commands) shows that dynamic routes have been learnt correctly and should be in effect.
However, while passing traffic through the system, you experience intermittent failures. Further investigation reveals that the failures are limited to one or more TMM instances (all other TMM instances are processing traffic correctly). The situation does not self-recover and the system remains in this state indefinitely.
An example of a traffic failure can be a client connection reset with cause 'No route to host'. If the client retries the same request, and this hits a different TMM instance, the request might succeed.
Conditions:
This issue is known to occur when all of the following conditions are met:
- The system is a multi-blade VIPRION or vCMP cluster.
- The system just underwent an event such as a software upgrade, a reboot of one or more blades, a restart of the services on one or more blades, etc.
Impact:
Traffic fails intermittently, with errors that point to lack of routes to certain destinations.
Workaround:
You can try to temporarily resolve the issue by restarting the tmrouted daemon on all blades. To do so, run the following command:
# clsh "bigstart restart tmrouted"
However, there is no strict guarantee this will resolve the issue, given the nature of the issue.
Alternatively, you could temporarily replace the dynamic routes with static routes.
751011-2 : ihealth.sh script and qkview locking mechanism not working
Component: TMOS
Symptoms:
Two qkviews can be started up on a system at the same time, which results in conflicts for each.
Conditions:
Running qkview on one terminal and then ihealth.sh in another.
Impact:
Running of two qkviews at the same time breaks both qkviews since they compete for the same files.
Workaround:
Run either qkview or ihealth.sh, not both simultaneously.
750823-2 : Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
Component: Access Policy Manager
Symptoms:
Memory usage in TMM keeps going up.
Conditions:
Access::policy evaluate command fails with error message in /var/log/ltm:
TCL error: ... - Failed to forward request to apmd.
Impact:
Memory leaks in TMM, which cause a TMM crash eventually.
Workaround:
Limit the amount of data that will be forwarded to APMD.
750686-2 : ASE user cannot create or modify a bot signature.
Component: Application Security Manager
Symptoms:
A user with the Application Security Editor role gets a validation exception while trying to create or modify a bot defense signature via the GUI, tmsh, or REST.
Conditions:
The logged on user account is configured with an Application Security Editor role.
Impact:
Application Security Editor unable to define user-defined signatures for bot defense module.
Workaround:
Change user role to Administrator or Web Application Security Administrator to create or modify bot defense signatures.
750682 : Trying to remove a user-created 'Bot Signature' on IE11 fails
Component: Application Security Manager
Symptoms:
Trying to remove a user-created 'Bot Signature' on Microsoft Internet Explorer v11 (IE11) fails with the following message:
To continue, please select one or more items from the list!
Conditions:
-- Using IE11.
-- Attempting to remove a user-created 'Bot Signature'.
Impact:
The operation fails.
Workaround:
Use Google Chrome or Mozilla Firefox browsers.
750491-3 : PEM Once-Every content insertion action may insert more than once during an interval
Component: Policy Enforcement Manager
Symptoms:
Successful PEM content insertion accounting is lost during re-evaluation, resulting in more insertions per insertion interval.
Conditions:
During re-evaluation to update the existing flow.
Impact:
More insert content actions than expected occur when the Once-Every method of the insert content action is used.
Workaround:
None.
750447-2 : GUI VLAN list page loading slowly with 50 records per screen
Component: TMOS
Symptoms:
The GUI VLAN list page loads slowly when there are 3200+ VLANs and the Records Per Screen preference is set to 50.
Conditions:
-- Using a VIPRION system.
-- Configuration containing 3200 or more VLANs.
-- System Preferences Records Per Screen set to 50.
Impact:
Cannot use the page.
Workaround:
Use tmsh or guishell tool to see the VLANs.
You can also try using a smaller value for the Records Per Screen option in System :: Preferences.
750318-2 : HTTPS monitor does not appear to be using cert from server-ssl profile
Component: TMOS
Symptoms:
An HTTPS monitor using a client certificate configured in the server-ssl profile fails to send the certificate during the SSL handshake.
A tcpdump shows a 0-byte certificate being sent.
Conditions:
-- In-tmm monitoring is disabled (default).
-- The server-ssl profile has been modified but without changing the configured certificate or key.
The resulting message passed from mcpd to bigd will contain only the incremental modification to the profile, which bigd treats as a complete profile, meaning that it is possible for the certificate and key parameters to be lost.
Impact:
SSL handshake might fail to complete and the HTTPS monitor fails.
Workaround:
Restart bigd process by running the following command:
bigstart restart bigd
750213-3 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
Solution Article: K25351434
Component: Global Traffic Manager (DNS)
Symptoms:
FPGA hardware-accelerated DNS Cache can respond improperly to DNS queries that contain EDNS OPT Records. This improper response can take several forms, ranging from not responding with an OPT record, to a query timeout, to a badvers response.
Conditions:
-- Using VIPRION B2250 blades.
-- This may occur if a client sends a query with an EDNS OPT record that has an unknown version or other values that the Hardware-accelerated Cache does not understand. These errors only occur when matching the query to a hardware cached response.
Note: If the response is not in the hardware cache, then the query should be properly handled.
Impact:
Hardware-accelerated DNS Cache drops the request. Clients will experience a timeout for that query.
This is occurring now because of the changes coming to software from certain DNS software vendors that remove specific workarounds on February 1st, 2019. This is known as DNS Flag Day.
Workaround:
None.
749761-2 : AFM Policy with Send to Virtual and TMM crash in a specific scenario
Component: Advanced Firewall Manager
Symptoms:
TMM restart in a specific scenario when AFM Policy is configured in multiple contexts (Global, Route Domain, Virtual Server), with Log Translations enabled, and Send-To-VS feature configured in at least one of the rules in the Security Policy.
Conditions:
-- When using Firewall ACL Policy in more than one context, i.e., more than one of the following contexts has an ACL Security Policy applied:
+ Global Context
+ Route Domain
+ Virtual Server Context
-- Send To Virtual Server is configured on any Rule on the Security policy.
-- Traffic matching a Rule (with logging enabled) in more than one context.
-- AFM Security Logging Profile has log Translation Field Enabled.
Impact:
TMM restart causes service disruption. Traffic disrupted while tmm restarts.
Workaround:
Disable Logging of Translation Fields in Security Logging Profile.
749689-3 : HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart
Component: Local Traffic Manager
Symptoms:
The HTTPS monitor sends a different number of cipher suites in the client hello during the SSL handshake, and sometimes the back-end server fails to find a desired cipher suite in the client hello. As a result, the SSL handshake sometimes fails and the monitor wrongly marks the pool member down.
Conditions:
-- Have an SSL profile to be used by an HTTPS monitor.
-- Load the same config more than once.
Impact:
HTTPS monitor might incorrectly mark pool member down because of a failed SSL handshake.
Workaround:
Restart bigd using the following command:
bigstart restart bigd
749528-2 : IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap
Component: Service Provider
Symptoms:
Under certain conditions the wrong self-IP can be selected as a source address for connections from an Internal Virtual Server to remote servers.
Conditions:
- Using an Internal Virtual Server (IVS).
- The VLAN being used to connect from the IVS to the server does not have a floating self-IP configured.
- At least one other VLAN has a floating self-IP configured.
- The primary virtual server that connects to the IVS is using SNAT automap.
Impact:
IVS traffic might not be routed properly.
Workaround:
- Configure a floating self-IP on the IVS server side VLAN.
or
- Use a SNAT pool instead of automap.
749402 : AFM ACL Rule with Redirect to Virtual action can on rare occasions cause TMM restart
Component: Advanced Firewall Manager
Symptoms:
TMM restarts when traffic hits an AFM Policy Rule that has the Redirect to Virtual action while the redirected-to Virtual Server is being modified, or when traffic hits the box immediately after the TMM service comes up.
When TMM has just started, some Virtual Servers may still be in the process of becoming Ready. The crash is likely when traffic hits TMM right after startup and the Redirect to Virtual target is not yet Ready.
A Virtual Server can also be in a not-yet-Ready state during a configuration change of the Virtual Server.
Conditions:
-- AFM Rule with Redirect to Virtual configured.
-- Traffic matching the Redirect to Virtual rule.
-- The Redirect to Virtual Server is not Ready. This can happen when a Virtual Server goes through a configuration change, or when TMM has just started and not all Virtual Servers are in the Ready state yet.
Impact:
TMM restart and service disruption.
Because the issue can happen just after TMM initialization, while the Virtual Servers are being initialized one by one, a restart of TMM could cause repeated TMM crashes and restarts.
749331-2 : Global DNS DoS vector does not work in certain cases
Component: Advanced Firewall Manager
Symptoms:
Global DNS DoS vector stops working under certain conditions.
Conditions:
Packets are not made to go through its entirety.
Impact:
Global DNS data structures are overwritten by subsequent incoming packets. Global DNS DoS vector does not rate-limit the packets.
Workaround:
None.
749249-4 : IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP
Component: TMOS
Symptoms:
IPsec tunnels fail to establish and CPUs go to 100%.
Conditions:
- IPsec tunnels configured.
- System has multiple blades.
Impact:
The CPU exhaustion may cause system instability.
The tmm logs may contain large numbers of messages similar to the following:
-- notice SA is not in LARVAL state when receives PFKEY UPDATE: src=50.1.1.53 dst=40.1.1.50 spi=0xc9cd688 proto=0x32 dir=0x1:IN reqid=0.0:0:0x10c81 state=1
Workaround:
For vCMP systems, provision the Guest on one blade only. There is no workaround for bare-metal systems.
749041-1 : MRSIP log of subscriber deletion outputs '(null)' for subscriber URI
Component: Service Provider
Symptoms:
New logging was added for SIP subscriber registration and deletion. The deletion log MRSIPERR_SUBSCRIBER_DELETION_LOG() fails to show the subscriber URI, and instead, /var/log/ltm shows messages similar to the following:
MR_SIP: Subscriber registration deleted (xxx.xxx.xxx.xxx:5060 -> yyy.yyy.yyy.yyy:5060) subscriber URI: (null)
Conditions:
-- A SIP subscriber registration is deleted.
-- The log level DB variable log.mrsip.level is 'notice' or above.
Impact:
Prevents correlation of the deletion with the corresponding registration of the subscriber URI.
Workaround:
None.
749036-1 : Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM
Component: Access Policy Manager
Symptoms:
Some tmsh list commands may fail while SSLO is provisioned but no urldb or APM modules are provisioned with the following message: 'Password could not be retrieved'.
Conditions:
-- SSLO is provisioned.
-- Neither APM nor URLDB is provisioned.
-- Run the generic tmsh list command.
Impact:
tmsh command fails and posts the error: Unexpected Error: Password could not be retrieved.
Note: Some 'tmsh list' commands with arguments do run. For example, 'tmsh list net vlan' provides correct output, but 'tmsh list' does not.
Workaround:
There is no workaround other than provisioning APM or URLDB.
Note: You can provision APM or URLDB even if they are not licensed. Although the full feature set is not available without a license, provisioning loads the daemons needed to support the generic 'tmsh list' command.
748944-2 : Import is failing for APM SSO Config object
Component: Access Policy Manager
Symptoms:
Import of policy is failing with Syntax Error:
'[api-status-warning]' unexpected argument.
Conditions:
Imported policy has APM SSO Config object.
Impact:
Unable to import policy.
Workaround:
To work around this issue, follow this procedure:
1. Unpack conf.tar.gz.
2. Edit the ng-export.conf file to find and remove the line containing [api-status-warning].
3. Pack up conf.tar.gz again.
748891-1 : Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system.
Component: Local Traffic Manager
Symptoms:
Potential MAC relearning at the switches the BIG-IP system is connected to.
Conditions:
-- DB variable connection.vlankeyed set to disabled.
-- Multiple virtual-wires configured on the BIG-IP system.
-- Client to server and server to client traffic using different virtual wires on the BIG-IP system.
Impact:
Packets reach their L3 destination using an unexpected L2 path.
Workaround:
None.
748851-2 : Bot Detection injection includes tags which may cause faulty display of application
Component: Application Security Manager
Symptoms:
The Bot Detection feature / Bot Defense profile includes JavaScript which is injected within <APM_DO_NOT_TOUCH> tags. Some web applications may be displayed incorrectly due to these tags.
Conditions:
- Your application includes JavaScript which dynamically adds HTML elements and expects a certain set of tags in the <head> section of the HTML.
- Bot Detection / Bot Defense are enabled.
Impact:
Some web applications may be displayed incorrectly.
Workaround:
None.
748451-2 : Manager users cannot perform changes in per-request policy properties
Component: Access Policy Manager
Symptoms:
Users with Admin role can edit and administer per-request policy properties. Users with Manager role, which can manage most APM objects, cannot manage this specific one.
Conditions:
A user with the Manager role tries to modify or change per-request policy properties.
Impact:
Cannot manage per-request policy properties if user role is Manager.
Workaround:
There is no workaround other than having an Admin user manage these objects.
748355-1 : MRF SIP curr_pending_calls statistic can show negative values.
Component: Service Provider
Symptoms:
Certain irregular SIP message patterns may produce an erroneous curr_pending_calls value that can drop below zero and underflow.
Conditions:
Uncommon message flows like re-transmitted INVITE or OK responses can trigger the issue, which may be brought about at times by lost packets when using UDP.
Impact:
SIP curr_pending_calls may show incorrect values.
748295 : TMM crashes on shutdown when using virtio NICs for dataplane
Component: TMOS
Symptoms:
TMM crash on stop or restart.
Conditions:
1. Put the virtio NIC in a bad state while TMM is running (for example, detach the NIC from the host).
2. Run the following command: bigstart stop tmm
Impact:
TMM crash generates a core file. However, there is no impact on traffic as the device is already in a bad state before the crash.
Workaround:
None.
748253-2 : Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
Component: Service Provider
Symptoms:
Depending on the DIAMETER settings of the BIG-IP system, there can be a race condition in a mirrored device cluster where the standby BIG-IP system resets its mirror connection to the active device.
Conditions:
-- MRF DIAMETER in use.
-- The DIAMETER session profile on the BIG-IP system is configured to use a non-zero watchdog timeout.
-- The DIAMETER session profile on the BIG-IP system is configured to use Reset on Timeout.
-- This is more likely to happen if (in the DIAMETER session profile) the Maximum Watchdog Failures is set to 1, and the Watchdog Timeout is configured to be the same value as the remote DIAMETER system.
Impact:
The standby is no longer mirroring the active system, and gets out of sync with it. There may be connections lost if a failover occurs.
Workaround:
To mitigate this issue:
1. Configure the Maximum Watchdog Failures to a value greater than 1.
2. Configure the Watchdog Timeout as something different from the same timeout on the remote peer, preferably to something that will have little overlap (i.e., the two timers should fire at the exact same time very infrequently).
748252-1 : Connection reset seen with SSL bypass on a L2 wire setup
Component: Local Traffic Manager
Symptoms:
A connection reset occurs when trying to bypass SSL forward proxy on an L2 Wire setup.
Conditions:
-- Configure an SSL policy to bypass the SSL forward proxy in an L2 Wire setup.
-- Attempt to pass traffic that matches the policy.
Impact:
Traffic that matches the policy experiences a reset when attempting to do the bypass. Cannot bypass SSL forward proxy on an L2 wire setup.
Workaround:
None.
748177-2 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character
Component: Global Traffic Manager (DNS)
Symptoms:
Multiple wildcards not matched to the most specific WideIP.
Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.
Impact:
DNS request gets wrong answer.
Workaround:
There is no workaround at this time.
748176 : BDoS Signature can wrongly match a DNS packet
Component: Advanced Firewall Manager
Symptoms:
When using the BDoS feature for the DNS protocol with auto-generated DNS Signatures or manually configured Custom DNS Signatures, a valid DNS request is at times dropped because it wrongly matches the configured or dynamically generated DNS Signature while the box is under load and BDoS mitigation is ongoing.
Conditions:
A DNS Signature is configured, or a dynamically generated DNS Signature exists.
Such a DNS Signature is found to match a DNS packet wrongly, even though the signature match criteria differ from the matched DNS packet.
Impact:
When the box is under load, the configured DNS Signature gets into Attack Mitigation mode (which is normal), but may wrongly drop a DNS packet that does not match the signature.
Workaround:
Disable BDoS for protocol DNS. Also, do not use manually configured DNS Signatures.
748081-3 : Memory leak in Behavioral DoS module
Component: Advanced Firewall Manager
Symptoms:
TMM runs out of memory and restarts.
The memory usage as shown in "tmctl memory_usage_stat", under module line tag "session" is noticed to be high, and keeps growing.
Conditions:
The issue is seen when the BDoS feature is configured and Custom or Auto Generated BDoS Signatures exist. When such signatures exist, the BDoS one-second timer callback leaks memory.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
1. Disable BDoS feature.
2. Disable all configured and auto generated BDoS signatures using TMSH command:
# cd dos-common
# modify security dos dos-signature all { state disabled }
748031-2 : Invalidation trigger parameter containing reserved XML characters does not create invalidation rule
Component: WebAccelerator
Symptoms:
If a parameter value for an invalidation trigger contains reserved XML characters, compilation of the resulting invalidation rule fails due to the reserved characters not being escaped.
Conditions:
- AAM policy with invalidation trigger defined
- trigger request with parameter value(s) containing reserved XML characters
Impact:
The invalidation rule requested by the trigger request is not created. Content is not invalidated as expected.
Workaround:
No workaround exists.
747968-1 : DNS64 stats not increasing when requests go through DNS cache resolver
Component: Global Traffic Manager (DNS)
Symptoms:
DNS64 stats are not incrementing when running the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands if responses are coming from DNS cache resolver.
Conditions:
-- DNS responses are coming from DNS cache resolver.
-- Viewing statistics using the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands.
Impact:
DNS64 stats are not correct.
Workaround:
There is no workaround at this time.
747926-1 : Rare TMM restart due to NULL pointer access during AFM ACL logging
Component: Advanced Firewall Manager
Symptoms:
tmm crashes while performing ACL match logging.
Conditions:
The problem can happen only with the following configuration:
1) AFM Logging for ACLs enabled.
2) Security Network Logging profile has the property "log-translation-fields enabled".
The problem happens under extremely rare circumstances.
Impact:
Traffic disrupted while tmm restarts.
747922-4 : With AFM enabled, during bootup, there is a small possibility of a tmm crash
Component: Advanced Firewall Manager
Symptoms:
During bootup, with AFM enabled, there is a small possibility of a tmm crash. The tmm process generates a core file and then automatically restarts.
Conditions:
-- AFM enabled.
-- sPVA-capable hardware platform.
-- Boot up the system.
Impact:
tmm crashes, coredumps, and then restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
747858-1 : OSPF packets are duplicated in the BIG-IP in L2 transparent mode using virtual wires
Component: Local Traffic Manager
Symptoms:
OSPF packets are duplicated while traversing a virtual wire.
Conditions:
BIG-IP configured in L2 transparent mode using a virtual wire.
Impact:
OSPF unreliability can impact the overall routing domain and in turn impact services dependent on it.
Workaround:
None.
747799-1 : 'Unable to load the certificate file' error and configuration-load failure upgrading from 11.5.4-HF2 to a later version, due to empty cert/key in client SSL profile
Component: TMOS
Symptoms:
During upgrade, the configuration fails to load due to an invalid client SSL profile cert/key configuration. The system posts an error: Unable to load the certificate file.
This occurs as a result of an invalid configuration that can be created as a result of a bug (614675) that exists in 11.5.4-HF2 (and only in 11.5.4-HF2). Because of the bug, it is possible to create a client SSL profile with an empty cert-key-chain, as shown in the following example:
ltm profile client-ssl /Common/cssl {
    app-service none
    cert none
    cert-key-chain {
        "" { } <=============== empty cert-key-chain
        defualt_rsa_ckc { <==== typo: 'defualt'
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    key none
}
Note: This upgrade failure has a unique symptom: the typo 'defualt_rsa_ckc'. However, the name has no specific negative impact; the issue is with the empty cert-key-chain.
After upgrading such a configuration from 11.5.4-HF2 to any later version of the software, the system posts a validation error, and the configuration fails to load.
Conditions:
The issue occurs when all the following conditions are met:
-- You are using 11.5.4-HF2.
-- The 11.5.4-HF2 configuration contains an invalid client SSL profile (i.e., a client SSL profile containing an empty cert-key-chain).
-- You upgrade to any software version later than 11.5.4-HF2.
Impact:
After upgrade, the configuration fails to load. The system posts an error message similar to the following:
-- "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- Loading schema version: 11.5.4 Loading schema version: 13.1.0.8 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file. Unexpected Error: Loading configuration process failed.
Workaround:
You can fix the profile configuration in /config/bigip.conf either before the upgrade (in 11.5.4-HF2), or after the upgrade failure.
To do so:
1. Replace 'cert none' with a cert name, such as /Common/default.crt.
2. Replace 'key none' with a key name, such as /Common/default.key.
3. Remove the entire line containing the following: "" { }.
4. Correct the spelling of 'defualt' to 'default'. Although there are no negative consequences of this typo, it is still a good idea.
The new profile should appear similar to the following:
ltm profile client-ssl /Common/cssl {
    app-service none
    cert /Common/default.crt
    chain none
    cert-key-chain {
        default_rsa_ckc {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    key /Common/default.key
}
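A pre-upgrade check for the condition described in 747799, as an added example (not F5 code and not part of the original release notes): the Python sketch below scans bigip.conf text for client SSL profiles containing an empty cert-key-chain entry and lists the items the workaround steps tell you to correct. The function name audit_client_ssl, the brace-depth parsing approach, and both sample configurations (constructed from the example above) are assumptions.

```python
import re

HEADER_RE = re.compile(r'^ltm profile client-ssl (\S+) \{$')
QUOTED_RE = re.compile(r'"(?:[^"\\]|\\.)*"')
EMPTY_ENTRY_RE = re.compile(r'^""\s*\{\s*\}$')

# Constructed sample: the invalid profile from the note, plus an unrelated stanza.
BROKEN_CONF = '''
ltm pool /Common/web_pool {
    members none
}
ltm profile client-ssl /Common/cssl {
    app-service none
    cert none
    cert-key-chain {
        "" { }
        defualt_rsa_ckc {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    key none
}
'''

# Constructed sample: the same profile after the four workaround steps.
FIXED_CONF = '''
ltm profile client-ssl /Common/cssl {
    app-service none
    cert /Common/default.crt
    chain none
    cert-key-chain {
        default_rsa_ckc {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    key /Common/default.key
}
'''


def _brace_delta(line):
    """Net change in brace depth, ignoring braces inside quoted strings."""
    bare = QUOTED_RE.sub('""', line)
    return bare.count("{") - bare.count("}")


def audit_client_ssl(conf_text):
    """Return {profile: [findings]} for profiles with an empty cert-key-chain entry."""
    report = {}
    name, depth, in_ckc, findings, blocked = None, 0, False, [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if name is None:
            # Outside a client-ssl stanza: only look for the next header.
            m = HEADER_RE.match(line)
            if m:
                name, depth, in_ckc = m.group(1), 1, False
                findings, blocked = [], False
            continue
        if depth == 1 and line in ("cert none", "key none"):
            findings.append(f"'{line}' at profile level")
        elif depth == 1 and line.startswith("cert-key-chain"):
            in_ckc = True
        elif in_ckc and depth == 2:
            if EMPTY_ENTRY_RE.match(line):
                blocked = True  # this is what makes the config fail to load
                findings.append('empty cert-key-chain entry "" { }')
            elif line.startswith("defualt"):
                findings.append(
                    f"misspelled entry name '{line.split()[0]}' (cosmetic)")
        depth += _brace_delta(line)
        if depth <= 1:
            in_ckc = False
        if depth == 0:
            # End of stanza: report only profiles that carry the empty entry.
            if blocked:
                report[name] = findings
            name = None
    return report


if __name__ == "__main__":
    for label, conf in (("before", BROKEN_CONF), ("after", FIXED_CONF)):
        result = audit_client_ssl(conf)
        print(label, "->", result if result else "no affected profiles")
```

To check a real system, pass the contents of /config/bigip.conf to audit_client_ssl before starting the upgrade.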
747676-2 : Remote logging needs 'localip' to set source IP properly
Component: TMOS
Symptoms:
The source IP of log entries sometimes uses a self IP.
Conditions:
This occurs when configuration of the management IP and route is slower than syslog-ng startup.
This issue also occurs in HA configurations.
Impact:
Remote log entry has wrong source IP address.
Workaround:
Use the localip keyword to force a specific IP address.
udp("1.1.1.9" port (514) localip("100.100.100.101"));
In an HA configuration, use the persist-name keyword or syslog-ng may fail to start.
# setting for device A
udp("1.1.1.9" port (514) localip("100.100.100.101") persist-name(devA) );
# setting for device B
udp("1.1.1.9" port (514) localip("100.100.100.102") persist-name(devB));
747628-2 : BIG-IP sends spurious ICMP PMTU message to server
Component: Local Traffic Manager
Symptoms:
After negotiating an MSS in the TCP handshake, the BIG-IP system then sends an ICMP PMTU message because the packet is too large.
Conditions:
-- The server side allows timestamps and the client side does not negotiate them.
-- The client-side MTU is lower than the server-side MTU.
-- There is no ICMP message on the client-side connection.
Impact:
Unnecessary retransmission by server; suboptimal xfrag sizes (and possibly packet sizes).
Workaround:
Disable timestamps or proxy-mss on the server-side TCP profile.
747560-4 : ASM REST: Unable to download Whitehat vulnerabilities
Component: Application Security Manager
Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.
Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.
Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided, and it must be downloaded manually, or the GUI must be used.
Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.
747203-3 : Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding
Component: TMOS
Symptoms:
-- SYN/ACK packets arriving on a tunnel fail to be matched to an existing flow followed by a RST issued by the BIG-IP system.
-- The BIG-IP system reports 'no flow found'.
-- MAC addresses can contain random values, or fe:fe:fe:fe:fe:fe.
Conditions:
-- Using IKEv2 with both NAT-T and interface mode.
-- The BIG-IP is configured to use several tmm instances.
-- The combination of IP addresses and port numbers result in distributing legs of processing one flow across several tmm instances.
Impact:
NATT/ESP tunnel flows can end with a RST reset.
Workaround:
None.
747192-1 : Small memory leak while creating Access Policy items
Component: Access Policy Manager
Symptoms:
Memory slowly leaks for every access policy item added: 32 + 80 bytes for each item.
Conditions:
The leak occurs while creating new policy items in Access.
Impact:
After a long uptime interval, mcpd may crash due to lack of memory.
Workaround:
Restart mcpd periodically if you modify Access policies frequently by adding or deleting policy items.
747077 : Potential crash in TMM when updating pool members
Component: Local Traffic Manager
Symptoms:
In very rare cases, TMM can crash while updating pool members.
Conditions:
The conditions that lead to this are not known.
Impact:
TMM crashes, which can cause a failover or outage.
Workaround:
There is no workaround.
747065-4 : PEM iRule burst of session ADDs leads to missing sessions
Component: Policy Enforcement Manager
Symptoms:
Some PEM sessions that were originally added, later disappear and cannot be added back.
Conditions:
-- Subscriber addition is done by iRule on UDP virtual servers.
-- The sessions are added in a burst.
-- A small fraction of such sessions cannot be added back after delete.
Impact:
Policies available in the missing session cannot be accessed.
Workaround:
Add a delay of at least a few milliseconds between adding multiple sessions with the same subscriber-id and IP address.
746837-1 : AVR JS injection can cause error on page if the JS was not injected
Component: Application Visibility and Reporting
Symptoms:
If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR 'promises' to the client a JS injection in the response by adding the expected length of the JS to the Content-length header.
If later, it is identified that the response contains no HTML tag, AVR does not inject the JS; instead it wraps the response with spaces.
This can lead to errors in cases where the change in response size is not supported.
Conditions:
AVR is configured to collect 'Page Load Time' and the response from the web server has these conditions:
-- The response is uncompressed.
-- The Content-Type header is text/html.
-- The response is not chunked (Content-Length header exists).
-- The payload does not include the HTML head tag.
Impact:
Whitespace at the end of the page can cause it to be invalid for some applications.
Workaround:
To avoid trying to inject to pages where the JS does not fit, use iRules to control which pages should get the JS injection.
For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.
746771-4 : APMD recreates config snapshots for all access profiles every minute
Component: Access Policy Manager
Symptoms:
When the access profile configurations in APMD and MCPD are out of sync, APMD detects that the config snapshot for one access profile is missing. This triggers APMD to recreate the config snapshots for all access profiles. The detect-recreate cycle repeats every minute, posting log messages:
-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
...
-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
Conditions:
The conditions under which the access profile configurations in APMD and MCPD become out of sync are unknown.
Impact:
TMM memory usage increases due to excessive config snapshots being created.
Workaround:
Restart APMD to clear the APMD and MCPD out-of-sync condition.
746768-3 : APMD leaks memory if access policy contains variable/resource assign policy items
Component: Access Policy Manager
Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.
Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.
Impact:
APMD's memory footprint will increase whenever the access policy is applied.
Workaround:
There is no workaround.
746731-2 : BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
Component: Service Provider
Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.
Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Firmware-Revision AVP.
Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.
Workaround:
Configure an iRule in the MRF transport-config, for example:
ltm rule workaround {
    when DIAMETER_EGRESS {
        # Command code 257 is Capabilities-Exchange; clear the flags on AVP 267 (Firmware-Revision)
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 267 0
        }
    }
}
746719-2 : SERVFAIL when attempting to view or edit NS resource records in zonerunner
Component: Global Traffic Manager (DNS)
Symptoms:
While attempting to use ZoneRunner to edit NS resource records, the following error is returned:
01150b21:3: RCODE returned from query: 'SERVFAIL'.
Conditions:
- An NS resource record is selected using the zonerunner GUI
- The NS record points to a zone that bind is not authoritative for.
- Recursion is enabled on the zone in question
- The bind process is not able to reach the nameserver referenced in the NS record.
Impact:
Administrator is unable to use ZoneRunner to edit NS records.
Workaround:
Set recursion to no for the appropriate zone, perform the change, set recursion back to yes.
Note: This affects any clients expecting recursion for the duration of the change.
746657-2 : tmsh help for FQDN node or pool member shows incorrect default for fqdn interval
Component: TMOS
Symptoms:
The tmsh help text for LTM nodes and pools shows the incorrect default for the FQDN 'interval' value.
The default is indicated as the TTL, whereas the actual default value is 3600 seconds (1 hour).
The configured value is displayed correctly if the node or pool is displayed using the 'all-properties' keyword.
Conditions:
This occurs when viewing tmsh help text.
Impact:
FQDN nodes and pool members may be created with a different FQDN refresh interval than intended.
Workaround:
When creating an FQDN node or pool member, specify the desired FQDN 'interval' value (either TTL, or the desired number of seconds).
746620-2 : "source-port preserve" does not work on BIG-IP Virtual Edition
Component: Performance
Symptoms:
BIG-IP Virtual Edition uses RSS hashing for selecting TMMs which has the side effect of causing "source-port preserve" to reuse ports aggressively. This can ultimately lead to connection failures.
Conditions:
BIG-IP Virtual Edition with "source-port preserve" configured on a fastl4 virtual server, and VE configures RSS hash. VE configures RSS hash if both of the following conditions are met:
1. VE supports RSS hash on the NIC. Currently, RSS is supported on ixlv and vmxnet3 NICs
2. The number of TMMs <= maximum number of queues supported by the NIC. For ixlv this is 4 and for vmxnet3 this is 8
Impact:
Connections may fail due to reusing ports too quickly.
Workaround:
On the Virtual Server, set source-port to "change".
746464-2 : MCPD sync errors and restart after multiple modifications to file object in chassis
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Conditions:
This can be encountered when rapidly making changes to files such as creating and then deleting them while the config sync of the file creation is still in progress.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.
746266-2 : Vcmp guest vlan mac mismatch across blades.
Component: TMOS
Symptoms:
Guests running on blades in a single chassis report different MAC addresses on a single vlan upon host reboot for vcmp guest.
Conditions:
This issue may be seen when all of the following conditions are met:
- One (or more) blade(s) are turned off completely via AOM.
- Create two vlans.
- Deploy a multi-slot guest with the higher lexicographic vlan.
- Now, assign the smaller vlan to the guest.
- Reboot the host
Impact:
Incorrect MAC addresses are reported by some blades.
Workaround:
There is no workaround at this time.
746152-2 : Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column
Component: TMOS
Symptoms:
The DMA drop packet and bytes registers (rqm_dma_drp_pkts and rqm_dma_drp_bytes in the tmm/hsbe2_internal_pde_ring table) can have huge numbers, which appear to be close to multiples of 4G (2^32). The count reported in the register from hsb_snapshot shows a very small number:
from tmm/hsbe2_internal_pde_ring
name             active bus rqm_dma_drp_pkts rqm_dma_drp_bytes
---------------- ------ --- ---------------- -----------------
lbb0_pde1_ring2  1      2   17179869185      4398046511186
lbb0_pde1_ring3  1      2   8589934597       2199023256108
lbb0_pde2_ring0  1      2   0                0
lbb0_pde2_ring1  1      2   0                0
lbb0_pde2_ring2  1      2   8589934592       2199023255552
lbb0_pde2_ring3  1      2   0                0
lbb0_pde3_ring0  1      2   0                0
lbb0_pde3_ring1  1      2   0                0
lbb0_pde3_ring2  1      2   8589934592       2199023255552
lbb0_pde3_ring3  1      2   0                0
lbb0_pde4_ring0  1      2   0                0
lbb0_pde4_ring1  1      2   0                0
lbb0_pde4_ring2  1      2   8589934592       2199023255552
lbb0_pde4_ring3  1      2   0                0
lbb1_pde1_ring1  1      3   0                0
lbb1_pde1_ring2  1      3   4294967298       1099511627952
From hsb_snapshot for pde1's ring 0 to ring 3:
50430: 00000000 rqm_dma_drp_pkt_cnt_4
50530: 00000000 rqm_dma_drp_pkt_cnt_5
50630: 00000001 rqm_dma_drp_pkt_cnt_6
50730: 00000005 rqm_dma_drp_pkt_cnt_7
Conditions:
The register reads sometimes return a 0 value.
Impact:
The DMA drop stats are not accurate.
Workaround:
Restarting tmm resets the stats, but it disrupts traffic.
746078-2 : Upgrades break existing iRulesLX workspaces that use node version 6
Component: Local Traffic Manager
Symptoms:
When upgrading a BIG-IP with iRulesLX plugins, if those plugins are based on workspaces that use node version 6 (instead of version 0.12) they will fail to work properly after the upgrade once the plugin is reloaded from the workspace.
Errors like this will be seen in /var/log/ltm:
Oct 5 06:37:12 B7200-R14-S36 info sdmd[17582]: 018e0017:6: pid[26853] plugin[/Common/test-jt-plugin.test-jt-extension] Starting the server.....jt...after upgrade...
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: Resuming log processing at this invocation; held 233 messages.
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] /var/sdm/plugin_store/plugins/:Common:test-jt-plugin_62858_3/extensions/test-jt-extension/node_modules/f5-nodejs/lib/ilx_server.js:30
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ILXServerWrap = process.binding('ILXServerWrap').ILXServerWrap;
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ^
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] Error: No such module: ILXServerWrap
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] at Error (native)
Conditions:
Upgrading a version of BIG-IP that is using iRulesLX that has a workspace based on node version 6. Later reloading the iRulesLX plugin from the workspace.
Impact:
The iRulesLX plugin no longer works.
Workaround:
- Navigate to the workspace folder on the BIG-IP (/var/ilx/workspaces/<partition>/<workspace name>).
- Make the file "node_version" writable (chmod +w node_version).
- Edit the node_version file: change "0.12" to "6".
- Save the node_version file.
- Make the file "node_version" read-only (chmod -w node_version).
- Reload the iRulesLX plugin from the workspace.
746077-3 : If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified
Component: Local Traffic Manager
Symptoms:
DHCP-RELAY overwrites the 'giaddr' field containing a non-zero value. This violates RFC 1542.
Conditions:
DHCP-RELAY processes a message with the 'giaddr' field containing a non-zero value.
Impact:
RFC 1542 violation.
Workaround:
None.
745923-1 : Virtual server may reset a connection with port zero when client sends ACK after a 4-way close
Component: Local Traffic Manager
Symptoms:
The virtual server sends a reset with port zero.
Conditions:
Here is an observed sequence for the problem to happen:
1. Three way handshake initiated by client to VIP.
2. Client actively closing the connection - 4 way close
3. Client continues to send ACK after 4 way close
Impact:
The virtual server sends an incorrect reset.
Workaround:
There is no workaround at this time.
745825-2 : The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading
Component: TMOS
Symptoms:
This message may be logged while the audit_forwarder is loading the configuration:
audit_forwarder is disabled as the configuration is incomplete. Please define the following db variables: config.auditing.forward.sharedsecret, config.auditing.forward.destination and config.auditing.forward.type. And make sure config.auditing.forward.destination is not set to "::".
These DB variables may all be actually configured correctly, but since the configuration has not loaded yet this message may be logged multiple times.
Conditions:
The audit_forwarder process is starting up and loading the configuration.
Impact:
Confusing error messages in /var/log/ltm. Logging will still work as configured.
Workaround:
There is no workaround.
745783-2 : Anti-fraud: remote logging of login attempts
Component: Fraud Protection Services
Symptoms:
There is no support for logging of login attempts to a remote service.
Conditions:
Using high speed logging (HSL) to log login attempts.
Impact:
There is no support for logging of login attempts.
Workaround:
None.
745600-2 : Removal of timer object from tmm timer-ring when a tcl context is released.
Component: Access Policy Manager
Symptoms:
If a tcl context is associated with a tmm-timer (while creating an access session) using an iRule, the timer object is removed during tcl context release but its association remains. When the timer fires, it tries to access memory that has already been freed, causing tmm to crash and generate a core.
Conditions:
Creating access session using iRule.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
745589-5 : In very rare situations, some filters may cause data-corruption.
Component: Local Traffic Manager
Symptoms:
In very rare situations, an internal data-moving function may cause corruption.
Filters that use the affected functionality are:
HTTP2, Sip, Sipmsg, MQTTsession, serdes_diameter, FTP.
Conditions:
The affected filters are used, and some very rare situation occurs.
Impact:
This may cause silent data corruption, or a TMM crash.
Workaround:
There is no workaround at this time.
745397-2 : Virtual server configured with FIX profile can leak memory.
Component: Service Provider
Symptoms:
System memory increases with each transmitted FIX message. tmm crashes.
Conditions:
-- Virtual server configured with a FIX profile.
-- FIX profile specifies a message-log-publisher.
Impact:
Memory leak. Specifically, in the xdata cache. Potential traffic disruption while tmm restarts.
Workaround:
If possible, discontinue use of message logging functionality. Removing the message-log-publisher from the FIX profile stops xdata growth.
745035-3 : gtmd crash
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd crashes
Conditions:
This rarely occurs when an iQuery connection is abnormally terminated.
Impact:
Under rare circumstances, gtmd may crash and restart.
Workaround:
None
744914-1 : Traffic Intelligence system-generated presets are not saved to config file, and GUI allows them to be deleted
Component: Traffic Classification Engine
Symptoms:
Traffic Intelligence system-generated presets (those with name ce_*) are not saved to the config file. As a result, changes are lost on mcpd restart. In addition, the GUI allows them to be deleted.
Conditions:
-- AFM license with Traffic Classification feature flag enabled.
-- Create an LTM policy and attach a system preset, save the sys config, and run the command: bigstart restart.
-- Use the GUI to try to delete system-generated presets.
Impact:
GUI allows system-generated presets to be deleted. Changes made to those presets are lost upon bigstart restart.
Workaround:
None. Alternatively, use a custom profile.
744787-3 : Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias
Component: Global Traffic Manager (DNS)
Symptoms:
WideIP alias will be replaced.
Conditions:
There is an existing alias for a WideIP and adding the same alias for another WideIP.
Impact:
The previous WideIP will be replaced.
Workaround:
Avoid adding an alias that already exists on another WideIP.
744686-1 : Wrong certificate can be chosen during SSL handshake
Component: Local Traffic Manager
Symptoms:
If two certificates of the same type are configured in an SSL profile, one marked 'usage CA' and the other not, the wrong one could be chosen during the handshake.
Conditions:
Two certificates of the same type are configured in an SSL profile.
Impact:
The wrong certificate could be chosen during the handshake.
Workaround:
Do not configure two certificates of the same type on an SSL profile.
744532-1 : Websso fails to decrypt secured session variables
Component: Access Policy Manager
Symptoms:
Whenever websso tries to decrypt secure session variables, the following error is seen in /var/log/apm:
Aug 15 21:36:25 abcd err websso.0[20421]: 014d0028:3: /Common/Test_PRP:Common:2b8e7abc: Master Decrypt failed for user test with error 'ckDecrypt: invalid ciphertext'
Aug 15 21:36:25 abcd info websso.0[20421]: 014d0009:6: /Common/Test_PRP:Common:2b8e7abc: Websso basic authentication for user 'test' using config '/Common/sso_test_obj'
Conditions:
- Per-req policy is attached to virtual server.
- Secure subsession variables are assigned to session variables using Variable Assign Agent in per-req policy.
- SSO Configuration Select agent is used in per-req policy.
Impact:
Single Sign-On (SSO) won't work correctly.
Workaround:
There is no workaround at this time.
744520-2 : Virtual server with PEM profile drops traffic received from Vxlan-GRE tunnel interface
Component: TMOS
Symptoms:
A virtual server with a PEM profile drops traffic received from a Vxlan-GRE tunnel interface.
Conditions:
Virtual server with a PEM profile and a Vxlan-GRE tunnel interface.
Impact:
Traffic drop.
Workaround:
There is no workaround.
744516-3 : TMM panics after a large number of LSN remote picks
Component: Carrier-Grade NAT
Symptoms:
TMM panics with the assertion 'nexthop ref valid' failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.
Conditions:
An LSN Pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.
Impact:
TMM restarts. Traffic is interrupted.
Workaround:
There is no workaround.
744407-4 : While the client has been closed, iRule function should not try to check on a closed session
Component: Access Policy Manager
Symptoms:
tmm cores. System posts a message:
access::session exists is used during CLIENT_CLOSED iRule event.
Conditions:
-- Client has closed the connection.
-- iRule function tries to check on a closed session.
-- An 'ACCESS::session exists' command is used inside the iRule event CLIENT_CLOSED.
Impact:
tmm may core. Traffic disrupted while tmm restarts.
Workaround:
Do not use the iRule command 'ACCESS::session exists' inside CLIENT_CLOSED.
744316-2 : Config sync of APM policy fails with Cannot update_indexes validation error.
Component: Access Policy Manager
Symptoms:
The config sync operation fails for an APM policy when a policy item of the same name points to a different agent on the source and the target.
The system posts errors similar to the following:
Sync error on rfang-vemgmt.lab.labnet.com: Load failed from /Common/rfang-ve-3mgmt.lab.labnet.com 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (access_policy_item_agent) object ID (/Common/resm_act_message_box_1 /Common/resm_act_message_box_ag_1). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:access_policy_item_agent status:13)"
Conditions:
This occurs in the following scenario:
1. Configure a failover device group containing two BIG-IP systems.
2. Create an APM access profile on one unit.
+ Launch VPE for the policy.
+ Add a macro.
+ In macro add an agent, e.g., Message box.
+ Add macro to the main policy.
3. Initiate config sync to another device.
4. On one BIG-IP system, add another Message box agent using the same macro. On the other BIG-IP system, make a copy of the access profile.
5. On either BIG-IP system, initiate another config sync operation.
Impact:
Unable to sync configuration in a failover device group.
Workaround:
You can work around this using the following procedure:
1. On the device receiving the config sync, delete the APM policies that contain the referenced APM policy items.
2. Perform an overwrite-config-sync operation from the sending device to this device.
744275-2 : BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
Component: Service Provider
Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.
Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Product-Name AVP.
Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.
Workaround:
Configure an iRule in the MRF transport-config, for example:
ltm rule workaround {
    when DIAMETER_EGRESS {
        # Command code 257 is Capabilities-Exchange; clear the flags on AVP 269 (Product-Name)
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 269 0
        }
    }
}
744252-1 : BGP route map community value: either component cannot be set to 65535
Component: TMOS
Symptoms:
The community value for BGP route map entries should allow values of 1-65535 for both components, but it is not allowing 65535 for either component.
Conditions:
-- Using BGP route map community values.
-- Attempting to set one or both components to 65535.
Impact:
Unable to use the full range of BGP route map community values
Workaround:
There is no workaround at this time.
744210-3 : DHCPv6 does not have the ability to override the hop limit from the client.
Component: Local Traffic Manager
Symptoms:
A DHCPv6 packet may be dropped by a device after the DHCP relay if the client-provided hop limit is 1.
Conditions:
DHCPv6 Relay configured on the BIG-IP.
Impact:
Loss of DHCPv6 service.
Workaround:
There is no workaround at this time.
743950-1 : TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled
Component: Local Traffic Manager
Symptoms:
TMM raises a segmentation violation and restarts.
Conditions:
-- Set up client-side and server-side SSL with:
+ Client Certificate Constrained Delegation (C3D) enabled.
+ OCSP enabled.
-- Supply SSL traffic.
Impact:
Memory leaks when traffic is supplied. When traffic intensifies, more memory leaks occur, and eventually, tmm raises a segmentation fault, crashes, and restarts itself. All SSL connections get terminated. Traffic disrupted while tmm restarts.
Workaround:
Disable C3D.
743900-2 : Custom DIAMETER monitor requests do not have their 'request' flag set
Component: Local Traffic Manager
Symptoms:
Using the technique detailed in K14536: Customizing the BIG-IP Diameter monitor (https://support.f5.com/csp/article/K14536) to create custom DIAMETER monitor requests fails for any request that uses the numeric form of a DIAMETER command code, because the 'request' flag is not set in the DIAMETER packet.
Conditions:
-- Using custom DIAMETER monitor requests.
-- Using numeric DIAMETER command codes.
Impact:
The monitor probes fail because the BIG-IP system does not set the DIAMETER 'request' flag for requests it sends when using a numeric value for the command code, so the DIAMETER server treats the probe as a response.
Workaround:
None.
743815-1 : vCMP guest observes connflow reset when a CMP state change occurs.
Component: TMOS
Symptoms:
There is a connflow reset when a CMP state change occurs on a vCMP guest. The system posts log messages similar to the following: CMP Forwarder expiration.
Conditions:
-- vCMP configured.
-- Associated virtual server has a FastL4 profile with loose init and loose close enabled.
Impact:
This might interrupt a long-lived flow and eventually cause an outage.
Workaround:
None.
743810-2 : AWS: Disk resizing in m5/c5 instances fails silently.
Component: TMOS
Symptoms:
Resizing the disk in an m5/c5 instance in AWS has no impact on the disk size, and this operation fails silently.
Conditions:
BIG-IP system deployed in AWS with m5/c5 instance type that uses NVME disks instead of the usual native paravirt disks.
Impact:
Disk resizing fails; administrators cannot grow the instance disk in response to their requirements and instance utilization post-deployment.
Workaround:
There is no workaround.
743790-2 : BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus
Component: TMOS
Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might drop off the PCI bus, resulting in the BIG-IP system not being able to pass traffic. However, no high availability (HA) failover condition is triggered, so the BIG-IP system stays active.
Conditions:
HSB drops off the PCI bus. This occurs in response to certain traffic patterns (FPGA issue) that are yet to be determined.
Impact:
No failover to standby unit after this error condition, causing site outage.
Workaround:
None.
743271 : Querying vCMP Health Status May Show Stale Statistics
Component: TMOS
Symptoms:
Stale statistics collected while the guest was running a pre-13.1.0 version may periodically be seen when querying vCMP health status in the Configuration Utility or via tmsh show vcmp health commands.
Conditions:
This issue may be seen when all of the following conditions are met:
- the vCMP guest is deployed on more than one blade
- the vCMP guest is upgraded from a pre-13.1.0 release to 13.1.0 or above
Impact:
Health status is not always accurately reported
Workaround:
The issue may be resolved by setting the guest status temporarily to configured and then back to deployed.
743132-5 : mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile
Component: TMOS
Symptoms:
On a chassis platform, if 'tmsh modify sys httpd ssl-certificate' is run immediately after creating a new certificate file, it's possible for mcpd to restart on the secondary blades. This happens when it takes longer for csyncd to copy the new certificate file to the other blades than it takes mcpd to send the modify message to the other blades.
Conditions:
-- Chassis platform with multiple blades.
-- Setting the httpd ssl-certificate to a new file.
Impact:
mcpd stops on secondary blades, causing those blades to go offline for a short time while mcpd and other daemons restart.
Workaround:
When setting the httpd ssl-certificate to a new file, wait a few seconds after creating the file before issuing the tmsh modify command.
743116-3 : Chunked responses may be incorrectly handled by HTTP/2
Component: Local Traffic Manager
Symptoms:
When a chunked HTTP response is serialized by HTTP/2, the chunking headers should be removed. This does not occur in some cases.
Conditions:
The HTTP/2 filter is used. Some other profiles are used on the same virtual. (In particular, the request logging profile triggers this issue.)
Impact:
The HTTP/2 payload will include chunking headers, corrupting it.
Workaround:
An iRule may be used to detect a HTTP/2 client, and forcibly turn on unchunking in the HTTP_RESPONSE event.
Example:
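ltm rule unchunk_http2 {
    when HTTP_REQUEST {
        # Record whether HTTP/2 is active for this request
        set is_http2 [HTTP2::active]
    }
    when HTTP_RESPONSE {
        # Force unchunking of the response payload for HTTP/2 clients
        if { $is_http2 } {
            HTTP::payload unchunk
        }
    }
}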
742838-2 : A draft policy of an existing published policy cannot be modified if it is in /Common and is used by a virtual server in a different partition
Component: Local Traffic Manager
Symptoms:
If you have a published policy in /Common that is in use by a virtual server in a different partition, if you try to create and modify a draft of the existing policy, you will get an error like this:
"01070726:3: Policy /Common/Drafts/test-policy in partition Common cannot reference policy reference /Common/Drafts/test-policy /test/test-vs in partition test"
This happens in both the GUI and TMSH.
Conditions:
-- A published policy exists in /Common.
-- The published policy is attached to a virtual server in a different partition.
-- Attempt to create and modify a draft of the policy.
Impact:
Inability to edit the published policy.
Workaround:
None.
742753-3 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail
Component: TMOS
Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.
Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:
- Remove the Referer header.
- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.
Impact:
Users cannot log on to the BIG-IP system's WebUI.
Workaround:
As a workaround, you can do any of the following things:
- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).
- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).
- Modify the proxy solution so that it inserts compatible Referer and Host headers.
742419-2 : BIG-IP NIC teaming of SR-IOV interfaces does not work under VMware ESXi
Component: TMOS
Symptoms:
Configuring multiple SR-IOV interfaces into a trunk does not function correctly when running BIG-IP as a guest under VMware ESXi. The interface will show as uninitialized.
Conditions:
A system that passes SR-IOV virtual functions directly to a BIG-IP guest when running on VMware ESXi.
Impact:
The trunk will fail to initialize.
Workaround:
None.
742237-3 : CPU spikes appear wider than actual in graphs
Component: Local Traffic Manager
Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.
Conditions:
CPU usage has spikes.
Impact:
Graphs of CPU spikes appear to last longer than they actually last.
Workaround:
Perform the following procedure:
1. Run the following command to record the 5-second average rather than the 1-second average:
sed -i.bak 's/TMCOLNAME "ratio"/TMCOLNAME "five_sec_avg.ratio"/;s/TMCOLNAME "cpu_ratio_curr"/TMCOLNAME "cpu_ratio_5sec"/g' /config/statsd.conf
2. Restart statsd to load the new configuration:
bigstart restart statsd
742184-2 : TMM memory leak
Component: Local Traffic Manager
Symptoms:
-- High TMM memory utilization;
-- Aggressive sweeper activated;
-- The 'packet', 'xdata' and 'xhead' caches in the memory_usage_stat tmstat table have high 'allocated' and 'curr_allocs' numbers with a steadily increasing profile.
Conditions:
A fastL4 and a L7 profile (e.g. HTTP) are assigned to a virtual server.
Impact:
Degraded performance, possible TMM crash due to out-of-memory condition.
Workaround:
Do not add a L7 profile to a fastL4 virtual server.
742170-1 : REST PUT command fails for data-group internal
Component: TMOS
Symptoms:
Cannot change content of existing data-group internal using REST PUT command.
Conditions:
-- Using REST API.
-- Creating and updating data-group in a single transaction.
Impact:
Cannot modify data-group internal via the REST API.
Workaround:
Add 'type' in the content.
Note: This change in behavior occurred as the result of a different change in the software. Previously, you could not create and update data-group in a single transaction. Now you can, but you must also specify 'type'.
741902-2 : sod does not validate message length vs. received packet length
Component: TMOS
Symptoms:
sod may crash or produce unexpected behavior.
Conditions:
If a malformed network failover packet is received by sod, it may cause an invalid memory access.
Impact:
sod may crash, causing a failover.
Workaround:
None.
741814-1 : Auto Last Hop for management connections cannot be disabled/enabled
Component: Local Traffic Manager
Symptoms:
Disabling/Enabling Auto Last Hop for management connections does not take effect. By default, it is enabled and stays enabled after a change.
Conditions:
-- Manual BIG-IP Management Port Configuration is configured. IP address and Network Mask are set, but Management Route is empty.
-- Auto Last Hop for management connections is disabled.
# tmsh mod ltm global-settings general mgmt-auto-last-hop disable
-- BIG-IP system is rebooted.
# full_box_reboot
Impact:
Auto Last Hop for management connections is still enabled on management interface and the BIG-IP system is still accessible outside local management network.
Workaround:
To work around this issue, do the following:
1. Move the lasthop.modules script to the /etc/sysconfig/sysinit directory:
# mv -v /etc/sysconfig/modules/lasthop.modules /etc/sysconfig/sysinit/00activate-early-lasthop.sysinit
2. Reboot the BIG-IP system.
# full_box_reboot
741435-1 : Using local traffic policies with type 'CE Profile', a new rule does not have the option to classify traffic
Component: Traffic Classification Engine
Symptoms:
In a local traffic policy with type 'CE Profile', a new rule does not have the option to classify traffic.
Conditions:
-- PEM, AFM, APM, or SWG is provisioned.
-- Local traffic policy with type 'CE Profile'.
-- Create a new rule.
Impact:
No GUI option to classify traffic. Cannot use the GUI to reclassify traffic using LTM Policies.
Workaround:
Use TMSH to configure the policies and rules for classifying traffic.
740959-3 : User with manager rights cannot delete FQDN node on non-Common partition
Component: Local Traffic Manager
Symptoms:
A user that has manager rights for a non-Common partition, but not for the /Common partition, may be denied delete privileges for an FQDN template node that is created on the non-Common partition for which the user does have manager rights.
This occurs because ephemeral nodes created from the FQDN template node are 'shared' in the /Common partition, so the delete transaction fails because the user has insufficient permissions to delete the dependent ephemeral nodes on the /Common partition.
Conditions:
-- A user is created with manager rights for a non-Common partition.
-- That user does not have manager rights for the /Common partition.
-- At least one ephemeral node is created from that FQDN template node (due to DNS lookup), which is not also shared by other FQDN template nodes.
-- That user attempts to delete an FQDN template node on the non-Common partition for which the user has manager rights.
Impact:
The transaction to delete the FQDN template node fails due to insufficient permissions. No configuration changes occur as a result of the FQDN template node-delete attempt.
Workaround:
You can use either of the following workarounds:
-- Perform the FQDN template node-delete operation with a user that has manager rights to the /Common partition.
-- Create the FQDN template node on the /Common partition.
740746-1 : RSA key creation fails for generating key/csr pair when using gen-csr challenge-password
Component: TMOS
Symptoms:
Failed to generate RSA key in pair with CSR via TMSH command when using key password options.
Response from create sys crypto key command when using challenge-password option:
Syntax Error: Key creation doesn't support challenge-password option.
Response from create sys crypto key command when using prompt-for-password option:
Syntax Error: Key creation doesn't support prompt-for-password option.
Conditions:
This issue happens while using either of the key password protect options while generating CSR and RSA key via tmsh command: create sys crypto key.
Impact:
Cannot generate password-protected RSA key via tmsh command.
Workaround:
There is no workaround.
740589-2 : mcpd crash with core after 'tmsh edit /sys syslog-all-properties'
Component: TMOS
Symptoms:
Syslog-ng consumes more than 95% CPU, starving other processes of CPU time. This eventually leads to an mcpd crash with core.
Conditions:
Configuring nonexistent local IP addresses and remote log server.
Impact:
Abnormal CPU usage. Potential eventual mcpd crash with core.
Workaround:
To mitigate the issue, you can use either of the following:
-- Follow these two steps:
1. Remove the remote log server from the configuration.
2. Replace the nonexistent local IP addresses with self IP addresses.
-- Configure the remote destination host with a unique parameter in the configuration so that syslog does not get confused if there are multiple entries:
udp(190.45.32.51 port(514) localip(190.46.2.221) persist-name(r1));
udp(190.45.32.51 port(514) localip(190.46.2.222) persist-name(r2));
udp(190.200.60.1 port(514) localip(190.46.2.221) persist-name(r3));
udp(190.200.60.1 port(514) localip(190.46.2.222) persist-name(r4));
740517-2 : Application Editor users are unable to edit HTTPS Monitors via the Web UI
Component: TMOS
Symptoms:
A user with the Application Editor role cannot modify an HTTPS Monitor via the GUI. The user is sent the following misleading and incorrect error message: Access Denied: user does not have delete access to object (ssl_cert_monitor_param)
Conditions:
The logged-in GUI user must have the Application Editor role for the partition containing the HTTPS Monitor.
Impact:
The user must use TMSH to modify an HTTPS Monitor.
Workaround:
Run the following tmsh command: modify ltm monitor https
740413-2 : Sod not logging Failover Condition messages
Component: TMOS
Symptoms:
When a failsafe fault occurs, sod does not log a message indicating that the device is unable to become Active.
Conditions:
Failsafe fault.
Impact:
No 'Failover Condition' messages logged in /var/log/ltm.
Workaround:
None.
740284-1 : Virtual servers 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'
Component: Global Traffic Manager (DNS)
Symptoms:
Virtual servers on generic-hosts may be marked as Yellow, with a message of 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'.
Conditions:
The conditions under which this occurs are not known.
Impact:
Virtual server is marked Yellow erroneously 'In Maintenance Mode'.
Workaround:
Use any of the following to reset the condition:
-- Restart gtmd by issuing the following command:
bigstart restart gtmd
-- Restart the system.
-- Remove any monitors from the affected server, save the configuration, and then add any required monitors.
-- Delete the affected server from the configuration and recreate it.
740135-2 : Traffic Group ha-order list does not load correctly after reset to default configuration
Component: TMOS
Symptoms:
After resetting the BIG-IP configuration to default (i.e., 'tmsh load sys config default'), if a configuration is loaded where the name of the self-device changes, this may cause the self-device to be removed from any traffic group high availability (HA) Order lists.
Conditions:
-- Must be loading a configuration after resetting to default.
-- Must have at least one traffic group using the 'HA Order' Failover Method.
Impact:
Incorrect high availability (HA) configuration.
Workaround:
Reload the configuration a second time.
739927-2 : Bigd crashes after a specific combination of logging operations
Component: Local Traffic Manager
Symptoms:
Bigd crashes. Bigd core will be generated.
Conditions:
1. Boot the system and set up any monitor.
2. Enable and disable bigd.debug:
-- tmsh modify sys db bigd.debug value enable
-- tmsh modify sys db bigd.debug value disable
3. Enable monitor logging.
Impact:
Bigd crashes.
Workaround:
None.
739900-2 : All Policies are created with 3 new Signature Sets After Creation of a Policy using Application Ready Templates
Component: Application Security Manager
Symptoms:
When a Security Policy is created using new versions of some Application Ready Templates, three new Signature Sets are created that are set to automatically be added to policies subsequently created.
Conditions:
A Security Policy is created using one of the following updated Application Ready Templates:
* Drupal
* Joomla
* SAP Netweaver
* Sharepoint
* Wordpress
Impact:
Three new Signature Sets are created with the option 'Assign To Policy By Default' enabled. As a result, the system adds these Signature Sets to subsequently created policies. This may provide enforcement for unexpected or undesired Attack Signatures.
Workaround:
To prevent the newly created signature sets from being added to subsequently created policies, disable 'Assign To Policy By Default'.
You can also remove the signatures from new policies after they have been created.
739872-1 : The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover
Component: TMOS
Symptoms:
Running the 'load sys config verify' command for a configuration that would alter the high availability (HA) Group score for a Traffic Group can cause the HA group score to be updated.
Conditions:
Run 'load sys config verify' with configuration data that affects a Traffic Group's HA Group score.
Impact:
Unintended failover.
Workaround:
None.
739820-2 : Validation does not reject IPv6 address for TACACS auth configuration
Component: TMOS
Symptoms:
TACACS authentication does not support IPv6 addresses for the authentication server, but both the GUI and TMSH allow IPv6 addresses to be configured for TACACS. Such configurations may result in failed logins, with messages in /var/log/secure like the following:
Aug 8 10:47:39 gtm-13108-174 err httpd[5948]: pam_tacplus: skip invalid server: 2001::1001:1001 (invalid port: no digits)
Conditions:
Use the GUI or TMSH to create or modify a TACACS server.
Impact:
Remote authentication will fail unless a second server is configured with an IPv4 address.
Workaround:
Do not configure an IPv6 address for the TACACS server.
739674-2 : TMM might core in SWG scenario with per-request policy.
Component: Access Policy Manager
Symptoms:
TMM can core when Secure Web Gateway (SWG) is configured, and SSL is resumed through per-request policy.
Conditions:
-- SWG is configured.
-- SSL is resumed through per-request policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
739553-2 : Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
Component: Global Traffic Manager (DNS)
Symptoms:
Wide IP persistence is not working. Previous Wide IP persistence records are cleared.
Conditions:
This occurs when the Wide IP Persistence TTL plus the persist-record creation time is greater than 4294967295.
Impact:
Wide IP persistence does not work.
Workaround:
There is no workaround other than not setting Wide IP Persistence TTL to a number greater than 4294967295.
739533-5 : In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config
Component: TMOS
Symptoms:
If mcpd loses connection with a peer in the middle of a config sync operation when a large file is being transferred, the temporary copy of that file in /config/filestore/.snapshots_d/ might not be deleted. If this happens enough times with large enough files, those temporary files might fill the /config filesystem.
Conditions:
-- A config sync of a large file is happening.
-- The mcp connection between peers is lost.
Impact:
When that happens, the temporary files that should be deleted might not be. This is not a problem until the issue has occurred many times, leaving many temporary files, at which point /config can run out of space and may reach 100% full. Having /config at 100% full might cause config sync to fail, prevent configuration changes, and cause other issues.
Workaround:
Delete all files in /config/filestore/.snapshots_d that are more than an hour old.
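The cleanup described in this workaround, as an added shell example (not F5-supplied code): it lists or deletes only regular files in the snapshot directory whose modification time is more than 60 minutes old, so temporaries belonging to a sync that is still in progress are left alone. The function names and the SNAP_DIR, MAX_AGE_MIN and PRUNE variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: prune stale config-sync temporaries left behind in
# /config/filestore/.snapshots_d (path taken from the workaround text).
# SNAP_DIR, MAX_AGE_MIN, PRUNE and the function names are assumptions.

SNAP_DIR="${SNAP_DIR:-/config/filestore/.snapshots_d}"
MAX_AGE_MIN="${MAX_AGE_MIN:-60}"    # "more than an hour old"

# Print every regular file under the directory whose mtime is older than
# MAX_AGE_MIN minutes. -xdev keeps find on the same filesystem; -type f
# skips directories and symlinks so nothing outside the tree is touched.
list_stale_snapshots() {
    dir="${1:-$SNAP_DIR}"
    [ -d "$dir" ] || return 0
    find "$dir" -xdev -type f -mmin "+$MAX_AGE_MIN" -print
}

# Number of stale files (assumes file names without embedded newlines).
count_stale_snapshots() {
    list_stale_snapshots "$1" | wc -l | tr -d ' '
}

# Delete the same set of files that list_stale_snapshots reports.
prune_stale_snapshots() {
    dir="${1:-$SNAP_DIR}"
    [ -d "$dir" ] || return 0
    find "$dir" -xdev -type f -mmin "+$MAX_AGE_MIN" -exec rm -f -- {} +
}

# Default is report-only; set PRUNE=1 to actually delete.
if [ "${PRUNE:-0}" = "1" ]; then
    prune_stale_snapshots
else
    list_stale_snapshots
fi
```

Run it once without PRUNE to review the list, then again with PRUNE=1 to delete the files.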
739446-1 : Resetting SSL-socket correctly for AVR connection
Component: Application Visibility and Reporting
Symptoms:
SSL socket is being corrupted.
Conditions:
The conditions under which this occurs have not been fully identified.
Impact:
AVR fails to make an SSL connection and report externally correctly.
Workaround:
None.
739432-1 : F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems
Component: Access Policy Manager
Symptoms:
F5 Adaptive Auth Configuration is a configuration required on BIG-IP systems. This allows access to F5 Adaptive Authentication Service hosted on the cloud. As the reporting feature is deprecated, the Reports associated with the feature are removed from the BIG-IP system. The associated reports are now shown in the F5 Adaptive Auth Service instead.
Conditions:
Admin attempts to view F5 Adaptive Auth reports on the BIG-IP system.
Impact:
Admin cannot use F5 Adaptive Auth Reports on the BIG-IP system. This is because F5 Adaptive Auth Reports functionality has been removed from BIG-IP systems, and is no longer supported.
Workaround:
View the associated reports in the F5 Adaptive Auth Service instead.
739373 : ASM restart loop after sync from non-ASM to ASM device
Component: Application Security Manager
Symptoms:
When two or more devices are configured with the Configuration Management interface in a sync-failover device group, and one of the devices does not have ASM provisioned while another one does, performing a config sync of the sync-failover device group from the non-ASM device causes the /Common/asm-hidden folder to be deleted along with its content.
The next time ASM is restarted (for any reason) on one of the ASM devices, ASM keeps restarting in a loop. Messages similar to the following appear in /var/log/ltm:
-- err mcpd[6550]: 01070734:3: Configuration error: Can't associate Bot Signature Category (/Common/asm-hidden/ASM-search-engines) folder does not exist.
Similarly, messages like the following appear in /var/log/ts/ts_debug.log:
asm|INFO|Jul 30 12:03:02.481|5282|,,01070734:3: Configuration error: Can't associate Bot Signature Category (/Common/asm-hidden/ASM-search-engines) folder does not exist.
Conditions:
- Two or more devices are connected with a sync-failover device group.
- One device has ASM provisioned, while another device does not have ASM provisioned.
- Performing a sync from the non-ASM device to the ASM device.
Impact:
-- Search Engines are not applied on JavaScript challenges.
-- Upon an ASM restart, ASM restarts in a loop, and the device will remain offline.
Workaround:
Reload the configuration by running the following command:
tmsh save sys config && tmsh load sys config
As an alternative, re-provision ASM by running the following command:
tmsh modify sys provision asm level nominal
739118-2 : Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
Component: TMOS
Symptoms:
After existing self IP addresses are changed directly in the bigip_base.conf file and the changed configuration file is uploaded, the BIG-IP routing service provides out-of-date self IP route information to dependent services.
Conditions:
- Self IP address is configured on the BIG-IP system.
- Manually change the IP address of a self IP in bigip_base.conf file.
- Load changed configuration via tmsh.
Impact:
Different services have different route information:
-- tmsh table - has the old route.
-- Dynamic routing - has the old and new routes.
-- Kernel table - has the new route.
Workaround:
There are two workarounds, preventive and corrective.
Preventive:
Do not manually change self IP addresses in the bigip_base.conf file. This is not a recommended way to add or change BIG-IP configuration. Use the GUI or tmsh instead.
Corrective:
If the changed configuration has already been uploaded: in the GUI or tmsh, delete the changed self IP address, then create a self IP address with the old IP address and delete it as well. All affected routes are then removed.
738943-4 : imish command hangs when ospfd is enabled
Component: TMOS
Symptoms:
- Dynamic routing is enabled.
- The ospfd protocol is enabled.
- imish hangs.
Conditions:
- Running the imish command.
Impact:
Affects the ability to show dynamic routing state using imish.
Workaround:
Restart the ospfd daemon.
738677-2 : Configured name of wildcard parameter is not sent in data integrity alerts
Component: Fraud Protection Services
Symptoms:
FPS sends a data integrity alert when a parameter is configured with 'Check Data Manipulation' enabled.
The alert includes the parameter's actual-name, actual-val-crc, and expected-val-crc.
For wildcard parameters, it is difficult to tell which parameter was found and triggered the data integrity alert, since FPS sends only the actual name that was found in the request.
Conditions:
Wildcard parameter defined for integrity check.
Impact:
Alert analysis is more difficult, as the actual matched parameter is not obvious.
Workaround:
None.
738669-1 : Login validation may fail for a large request with early server response
Component: Fraud Protection Services
Symptoms:
In the case of a large request/response, FPS may need to store ingress and egress chunks in a buffer for additional processing (ingress :: for parameter parsing, egress :: for login validation's banned/mandatory strings check or script injection). If the server responds fast enough, the buffer may contain mixed parts of the request and response. This may have several effects, from incorrectly performing login validation to generating a tmm core file.
Conditions:
-- Login validation is enabled and configured to check for banned/mandatory string.
-- A username parameter is configured.
-- There are no parameters configured for encrypt/HTML Field Obfuscation (HFO), and no decoy parameters.
-- There is a large request and response.
-- The system responds very quickly.
Impact:
This results in one or more of the following:
-- Login validation failure/skip.
-- Bad response/script injection.
-- tmm core. In this case, traffic is disrupted while tmm restarts.
Workaround:
None.
738547-2 : SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII
Component: Access Policy Manager
Symptoms:
When a SAML metadata file that contains certain UTF-8 characters other than ASCII is imported, the SAML SAX Parser returns an error.
Conditions:
The SAML metadata file contains certain UTF-8 characters other than the ASCII set.
Impact:
SAML metadata file is not imported, and the system reports an error. SAML configuration on BIG-IP systems is impacted.
Workaround:
Remove the non-ASCII UTF-8 characters, and try the import operation again.
738450-2 : Parsing pool members as variables with IP tuple syntax
Component: Local Traffic Manager
Symptoms:
There is a config loading warning at tmsh similar to the following: unexpected end of arguments;expected argument spec:PORT.
Conditions:
Tcl variable is used for the IP tuple instead of a plain value.
Impact:
iRule LB::reselect command may not recognize an IP tuple when it is a variable. tmsh warning shows.
Note: There is no warning in the GUI.
Workaround:
Use plain value instead of variable.
738330-2 : /mgmt/toc endpoint issue after configuring remote authentication
Component: TMOS
Symptoms:
'Invalid username or password.' error on the /mgmt/toc page after configuring remote authentication.
Conditions:
When remote auth is configured.
Impact:
Cannot configure remote authentication.
After configuring remote authentication, you can log in to the mgmt/toc area with the admin user, but logging in with a remote auth user results in 'You are not authorized to use this resource'.
Workaround:
Enable 'Fallback to Local' in the remote auth config section on the BIG-IP system:
tmsh modify auth source fallback true
Both local BIG-IP user 'admin' and LDAP user are now able to authenticate and access https://XX.XX.XX.XX/mgmt/toc.
738284-3 : Creating or deleting rule list results in warning message: Schema object encode failed
Component: Advanced Firewall Manager
Symptoms:
"Schema object encode failed: No foreign keys found for nested object" warning message is logged into /var/log/ltm while creating or deleting the rule list.
Jul 25 05:44:49 localhost.localdomain warning icr_eventd[4778]: 01a10008:4: Schema object encode failed: No foreign keys found for nested object with tag 17547
Conditions:
Creating or deleting a rule list, with the message observed in /var/log/ltm:
tmsh create security firewall rule-list rule-list1
tmsh delete security firewall rule-list rule-list1
Impact:
The warning message has no impact on functionality and can be ignored.
738070-1 : Persist value for the RADIUS Framed-IP-Address attribute is not correct
Component: Service Provider
Symptoms:
Using the RADIUS Framed-IP-Address attribute as a persistence value does not work correctly.
Conditions:
Using RADIUS and persisting on the Framed-IP Address attribute (RADIUS AVP 8).
Impact:
RADIUS requests may not get persisted to the servers they should be.
Workaround:
Use an iRule to persist instead, e.g.:
ltm rule radius-persistence {
    when CLIENT_DATA {
        persist uie [RADIUS::avp 8]
    }
}
738045-4 : HTTP filter complains about invalid action in the LTM log file.
Component: Local Traffic Manager
Symptoms:
Payload data is collected at the HTTP_REQUEST event and finishes collecting (HTTP::release) when the NAME_RESOLVED event occurs. On releasing, data is forwarded to the serverside, triggering the HTTP_REQUEST_SEND event.
When trying to raise HTTP_REQUEST_SEND, the iRule queues it and returns IN_PROGRESS, because the system is already in the process of running TCLRULE_NAME_RESOLVED. (Nested iRules: TCLRULE_NAME_RESOLVED -> TCLRULE_HTTP_REQUEST_SEND)
Due to the IN_PROGRESS status, tcp_proxy skips forwarding HUDCTL_REQUEST to the serverside, but not the subsequent payload. So the HTTP filter considers this an invalid action.
Conditions:
-- Standard virtual server with iRules attached (for example, using the following configuration for a virtual server):
when HTTP_REQUEST {
    HTTP::collect
    NAME::lookup @10.0.66.222 'f5.com'
}
when NAME_RESOLVED {
    HTTP::release
}
when HTTP_REQUEST_SEND {
    log local0. "Entering HTTP_REQUEST_SEND"
}
-- Client sends two HTTP Post requests.
-- After the first request, the second connection is kept alive (for example, by using HTTP header Connection) so that the second request can reuse the same connection.
Impact:
The second request gets reset, and the system logs errors in the LTM log file.
Workaround:
To avoid nested iRules in this instance, simply remove the HTTP_REQUEST_SEND from the iRule.
737985-1 : BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode.
Component: Local Traffic Manager
Symptoms:
Services that require Standard Proxy mode cannot be used.
Conditions:
A BIG-IP system deployed in an L2 transparent mode using VLAN groups.
Impact:
Prevents services that require Standard Proxy mode from being leveraged in an L2 transparent deployment.
Workaround:
None.
737901-3 : Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode
Component: TMOS
Symptoms:
On iSeries platforms, when a VLAN is attached to a vCMP guest, the management MAC address and the host VLAN MAC address will be the same.
Conditions:
-- Creating a VLAN on the host and attaching it to a vCMP guest.
-- iSeries platforms.
Impact:
The management MAC address is the same as the host VLAN MAC address, so the same MAC is used both for VLAN traffic originating from the vCMP host and for the host's management interface traffic. This can result in issues relating to the inability to differentiate traffic to the management port from traffic to the traffic ports.
Workaround:
There is no workaround at this time.
737900-1 : mcpd might crash on an unlicensed system
Component: TMOS
Symptoms:
On an unlicensed system with a built-in iRule attached to a virtual server, mcpd might crash.
Conditions:
-- Unlicensed system (including as a result of the service agreement check date validation treating a license as invalid).
-- At least one built-in, system-supplied iRule is attached to a virtual server.
-- mcpd loads from the config files, such as when having just upgraded.
Impact:
On an unlicensed system, mcpd might crash repeatedly.
Workaround:
Perform the following procedure:
1. Reactivate the license on the system from the command-line, following the instructions in K2595: Activating and installing a license file from the command line :: https://support.f5.com/csp/article/K2595.
2. License the system.
Note: Running commands (e.g., tmsh show /sys hardware) on VIPRION systems while mcpd is down might fail or otherwise not work as expected.
737726-1 : If named is restarted and zrd is not restarted, ZoneRunner can lose contact with the DNS server daemon
Component: Global Traffic Manager (DNS)
Symptoms:
ZoneRunner displays the following error message when attempting to list resource records: No route to host.
Conditions:
-- named is restarted outside of the normal start up procedure.
-- zrd is not restarted.
Impact:
ZoneRunner cannot communicate with named, and thus cannot display resource records.
There are temporary addresses created on the loopback address to facilitate communication between the zrd and named processes. When named is restarted, these temporary addresses are inadvertently removed.
Workaround:
Restart the zrd process using the following command:
bigstart restart zrd
737692-2 : Handle x520 PF DOWN/UP sequence automatically by VE
Component: TMOS
Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that is passed to the BIG-IP-VE). If an x520 device's PF is set down and then up, tmm does not recover traffic on that interface.
Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.
Impact:
VE does not process any traffic on that VF.
Workaround:
Reboot VE.
737529-3 : [GTM] load or save configs removes backslash \ from GTM pool member name
Component: Global Traffic Manager (DNS)
Symptoms:
GTM config fails to load, and posts an error similar to the following:
Syntax Error:(/config/bigip_gtm.conf at line: 47) the "create" command does not accept wildcard configuration identifiers
Conditions:
GTM server virtual server name contains a backslash (\) character.
Impact:
GTM config fails to load.
Workaround:
Edit bigip_gtm.conf manually and add the \ character.
Important: The system removes the \ (which results in further validation failures) in response to any of the following actions:
-- Load the GTM config.
-- Make changes to the GTM config, and you or the system saves it.
-- cpcfg operation.
-- Upgrade the system.
737379-1 : URL not classified when uppercase characters exist in the feedlist
Component: Traffic Classification Engine
Symptoms:
A URL does not get classified when there are uppercase characters in the feedlist.
Conditions:
Using uppercase characters in the feedlist.
Impact:
URL is not classified as expected.
Workaround:
There is no workaround at this time.
737374-2 : local-db PEM Subscriber Activity log missing
Component: Policy Enforcement Manager
Symptoms:
PEM subscriber activity log is empty when published to local database.
Conditions:
-- PEM subscriber activity log is configured.
-- The endpoint is local-db.
Impact:
Missing activity logs for external server.
Workaround:
Configure the destination as local-syslog publisher.
737355-2 : HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files
Component: Access Policy Manager
Symptoms:
HTTP Strict-Transport-Security (HSTS) headers are missing for some APM-generated files.
Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS enabled.
-- HTTP GET requests for APM renderer files, including CSS, JS, and image files from the webtop.
Impact:
Without these headers, the user agent (browser) may switch to non-secure communication.
Workaround:
None.
737346-2 : After entering username and before password, the logging on user's failure count is incremented.
Component: TMOS
Symptoms:
Listing login failures (i.e., using the following command: 'tmsh show auth login-failures') shows a failed login for the user who is currently logging in via console or SSH.
Conditions:
-- A user is logging in via console or SSH.
-- Between the time the system presents the password prompt and the user enters the password.
Note: This does not apply to GUI or iControl REST logins.
Impact:
If many logins for the same user get to this state simultaneously, it may be enough to exceed a specified lockout threshold, locking the user out.
Workaround:
There is no workaround other than using the GUI or iControl REST to log in to the system.
737147-1 : Key creation on Thales fails with thales 12.40 on tmm interface
Component: Local Traffic Manager
Symptoms:
Key creation fails for Thales 12.40 installed on the tmm interface on the BIG-IP system.
Conditions:
This occurs when creating keys using tmsh on Thales 12.40 via the tmm interface on the BIG-IP system.
Impact:
You cannot create any keys/certs on Thales.
Workaround:
No workaround.
737064-1 : ACCESS::session iRule commands may not work in serverside events
Component: Access Policy Manager
Symptoms:
-- 'ACCESS::session sid' returns empty.
-- 'ACCESS::session data get <varname>' returns empty.
Conditions:
-- Using IP-based sessions.
-- ACCESS::session iRule commands in a serverside iRule event, such as HTTP_PROXY_CONNECT.
-- Using SSL Bypass. Note: This issue is known to occur when using SSL Bypass, but this is not the only configuration that exhibits the problem.
Impact:
iRules may not work as expected.
Workaround:
There is no workaround at this time.
737055-1 : Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy
Component: TMOS
Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you cannot log in to the Configuration Utility. Instead, the system presents a blank page, because the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP system.
Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.
Impact:
You are unable to log in to the Configuration Utility.
Workaround:
Configure the Reverse Proxy to place the IP address of the BIG-IP system in the Referer header.
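The failure conditions described for 742753 and 737055 (Referer removed, or Referer and Host no longer matching) can be checked against a request captured on the BIG-IP side of the proxy. The following is an added example, not F5 code; it assumes the comparison is between the Host header and the host[:port] part of the Referer URL, and the hostnames, path and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a captured HTTP request by how its Referer and
# Host headers relate. Assumption: "tally" means the Referer URL's
# host[:port] equals the Host header, compared case-insensitively.

# Read a raw request on stdin and print the first value of header $1.
header_value() {
    tr -d '\r' | awk -v name="$1" '
        BEGIN { name = tolower(name) ":" }
        NR == 1 { next }                      # skip the request line
        /^$/    { exit }                      # blank line ends the headers
        {
            i = index($0, ":")
            if (i && tolower(substr($0, 1, i)) == name) {
                v = substr($0, i + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# Reduce a URL to its lowercased host[:port]: drop scheme, path, query,
# fragment and any userinfo.
url_authority() {
    printf '%s\n' "$1" |
        sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' \
            -e 's|[/?#].*$||' \
            -e 's|^.*@||' |
        tr 'A-Z' 'a-z'
}

# Read a raw request on stdin; print one of:
#   consistent | referer-removed | mismatch | missing-host
classify_request() {
    req=$(cat)
    host=$(printf '%s\n' "$req" | header_value host | tr 'A-Z' 'a-z')
    referer=$(printf '%s\n' "$req" | header_value referer)
    if [ -z "$host" ]; then echo "missing-host"; return; fi
    if [ -z "$referer" ]; then echo "referer-removed"; return; fi
    if [ "$(url_authority "$referer")" = "$host" ]; then
        echo "consistent"
    else
        echo "mismatch"
    fi
}

# --- Constructed sample requests (not captured from a real system) ---
sample_direct() { cat <<'EOF'
POST /login HTTP/1.1
Host: bigip.example.net
Referer: https://bigip.example.net/login

EOF
}

# Proxy that strips the Referer header.
sample_referer_removed() { cat <<'EOF'
POST /login HTTP/1.1
Host: bigip.example.net

EOF
}

# Reverse proxy that rewrites Host but leaves its own name in Referer.
sample_host_rewritten() { cat <<'EOF'
POST /login HTTP/1.1
Host: bigip.example.net
Referer: https://proxy.example.net/login

EOF
}

for s in sample_direct sample_referer_removed sample_host_rewritten; do
    printf '%-24s %s\n' "$s" "$($s | classify_request)"
done
```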
734846-2 : Redirection to logon summary page does not occur after session timeout
Component: TMOS
Symptoms:
After a BIG-IP Administrator user session times out, the user is not automatically redirected to the logon summary page, despite being configured to do so.
Conditions:
-- The BIG-IP system is configured to redirect to the logon summary page immediately after logging in, using the following db variable:
ui.users.redirectsuperuserstoauthsummary = true
-- The BIG-IP Administrator users' session automatically times out.
Impact:
The system does not comply with government security requirements that BIG-IP Administrator users be sent automatically to the logon summary. BIG-IP Administrator users must manually navigate to the logon summary page.
Workaround:
Manually navigate to the logon summary page.
734836 : Network Map summary counts pool members more than once if they are shared across pools
Component: TMOS
Symptoms:
On the page at Local Traffic :: Network Map, in the summary view, the total number of pool members shows a larger number if there are pool members referenced by multiple pools.
Conditions:
-- Network Map summary view.
-- Pool members referenced by multiple pools.
Impact:
The number of pools value is higher than the actual number of pools because of how the system tracks a single pool member referenced in multiple pools.
Workaround:
There is no workaround at this time.
734551-1 : L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server
Component: Local Traffic Manager
Symptoms:
Configuration overhead that requires configuration of a virtual server per VLAN group.
Conditions:
A BIG-IP system deployed in an L2 transparent mode using VLAN groups.
Impact:
Configuration overhead to configure virtual server per VLAN group.
Workaround:
None.
734316-1 : Per-Request Policy may require enabling SSL Forward Proxy Bypass
Component: Access Policy Manager
Symptoms:
For some SSL/TLS traffic, the per-request policy does not complete, leading to hanging connections and/or connection resets.
Conditions:
Reproducible with any forward proxy configuration involving per-request policies. This includes Secure Web Gateway (SWG) and SSL Orchestrator (SSLO).
To reproduce, the SSL Forward Proxy Bypass feature must be disabled in the client and server SSL profiles. This is equivalent to 'always intercept'.
Impact:
Policy execution may stall. Clients may experience hanging connections and/or connection resets.
Workaround:
Perform the following procedure:
1. Enable the SSL Forward Proxy Bypass feature in the client and server SSL profiles.
2. Set the default action to 'Intercept'.
733585-4 : Merged can use %100 of CPU if all stats snapshot files are in the future
Component: TMOS
Symptoms:
Merged uses 100% of CPU if it cannot remove the oldest snapshot file, due to all snapshot files having timestamps in the future.
Conditions:
-- All stats snapshot files have timestamps in the future.
-- The release has the fix for issue 721740, but not the fix for this issue.
Impact:
Merged uses 100% of the CPU.
Workaround:
Remove snapshot stats files that have timestamps in the future and restart merged.
727468-1 : iSession hudfilter initialization fails when apm-forwarding-server-tcp profile is used.
Component: Access Policy Manager
Symptoms:
When either the apm-forwarding-client-tcp or apm-forwarding-server-tcp profile is used on a virtual server that also includes a connectivity profile, traffic hitting the virtual server may be reset.
Conditions:
-- Using apm-forwarding-client-tcp or apm-forwarding-server-tcp profiles.
-- Virtual server that also includes connectivity profile.
Impact:
When the virtual server processes traffic, the traffic is reset.
Workaround:
Do not use these TCP profiles on virtual servers that also include a connectivity profile.
In general, using these profiles is not recommended, since they are intended to be used on APM internal virtual servers.
727297-2 : GUI TACACS+ remote server list should accept hostname
Component: TMOS
Symptoms:
Cannot add hostnames to the Remote - TACACS+ server list in the GUI.
Conditions:
-- On the System :: Users : Authentication page with Remote - TACACS+ specified.
-- Add hostname to the server list.
Impact:
Validation does not accept a hostname. Cannot add hostname as a server.
Workaround:
Use tmsh to add a hostname.
727288-2 : Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC
Component: Service Provider
Symptoms:
Diameter message routing framework sends Capabilities-Exchange-Request (CER)/Device-Watchdog-Request (DWR) with hop-by-hop (h2h) ID and end-to-end (e2e) ID set to 0 as the server.
Conditions:
Diameter Message Routing Framework (MRF) is in use.
Impact:
The BIG-IP system sends CER and DWR to remote peers.
However, the BIG-IP system sends e2e=0 and h2h=0 as the server ID in the CER and DWR requests. This does not comply with RFC 6733 (https://tools.ietf.org/html/rfc6733).
Workaround:
Use a DIAMETER_EGRESS iRule event to change the hop-by-hop ID and end-to-end server ID.
727191-2 : Invalid arguments to run sys failover do not return an error
Component: TMOS
Symptoms:
If an invalid device name is used in the sys failover command, the device name rejection is logged in /var/log/ltm and failover does not occur. No error or failure message is displayed on the command line.
Note: In prior versions, the system incorrectly performed a force-to-standby operation (no 'device' specified), rather than a directed failover operation (failover to specified 'device'). Although this resulted in the active device becoming standby, it did not cause the system to choose the (nonexistent) device specified.
Conditions:
Run a tmsh command similar to the following:
sys failover standby traffic-group traffic-group-1 device invalid_name
Impact:
Since no failover occurs and no error/warning is returned, this may result in some confusion.
Workaround:
There is no workaround.
726900 : Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters
Component: Local Traffic Manager
Symptoms:
Virtual server may attempt to use syncookies on first SYN packet rather than allowing the connection to pass through to the real server.
Conditions:
Modifying a virtual server (CLI/iControl/GUI) to switch from FastL4 or TCP profiles to an 'ip-other' profile.
Impact:
The configured 'ip-other' virtual server will fail to accept all traffic. For example, a TCP or a UDP flow which should have been accepted and processed by the 'ip-other' virtual server will be dropped incorrectly, trying to enforce 'Syn Cookie' validation.
Workaround:
When switching a virtual server profile from FastL4/TCP to the 'ip-other' profile, delete the virtual server and then re-add it with the 'ip-other' profile.
726734-3 : DAGv2 port lookup stringent may fail
Component: Local Traffic Manager
Symptoms:
Under certain circumstances tmm might not be able to find a local port, and the connection may fail. This happens, for example, for active FTP with mirroring enabled.
Conditions:
Active FTP with mirroring enabled.
Impact:
Connection cannot get established.
Workaround:
There is no workaround other than to disable mirroring.
726317-5 : Improved debugging output for mcpd
Component: TMOS
Symptoms:
In some cases, mcpd debugging output is insufficient for diagnosing a problem.
Conditions:
Using debugging in mcpd, specifically, setting log.mcpd.level to debug.
Impact:
None. Has no effect without log.mcpd.level set to debug.
Workaround:
None.
726303-2 : Unlock 10 million custom db entry limit
Component: Traffic Classification Engine
Symptoms:
Cannot add more than 10 million custom db entries.
Conditions:
This happens when you try to add more than 10 million custom db entries.
Impact:
Not able to add more than 10 million entries.
Workaround:
There is no workaround at this time.
726176-3 : platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
Component: Local Traffic Manager
Symptoms:
The BIG-IP system running RSS DAG hash attempts to reuse ports while pool members remain in a TIME_WAIT state and are unable to process new connections.
Conditions:
This issue occurs when all of the following conditions are met:
-- You are running on a BIG-IP platform using RSS DAG hash, for instance, z100 and 2000 or 4000 series hardware platform.
-- You have the FastL4 profile associated with a virtual server.
-- The virtual server is configured with source-port preserve.
Impact:
Traffic throughput may be degraded.
Workaround:
Set source-port to change.
726154-3 : TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies
Component: Advanced Firewall Manager
Symptoms:
TMM might restart when changing firewall or NAT configurations on a virtual server with the same name as a route-domain.
Conditions:
- There is a virtual server and a route-domain that have the same name in the configuration.
- A firewall or NAT policy is being attached or removed from one or both of the virtual server or route-domain.
Impact:
TMM might halt and traffic processing temporarily ceases. TMM restarts and traffic processing resumes.
Workaround:
There is no workaround other than not to use the same name for virtual server and route-domain objects.
726011-3 : PEM transaction-enabled policy action lookup optimization to be controlled by a sys db
Component: Policy Enforcement Manager
Symptoms:
There is no way to disable optimization if time-based actions are enabled in the PEM policy and a statistical transaction-based action enforcement is desired.
Conditions:
If the PEM classification tokens do not change.
Impact:
Time-based actions such as insert content may not get applied to such flows.
Workaround:
None.
725950-3 : Regcomp() leaks memory if passed an invalid regex.
Component: TMOS
Symptoms:
Because of a memory leak, big3d's memory usage increases over time.
Conditions:
An invalid expression is passed to regcomp.
Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory.
Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}
725840-1 : Customization group object is not deleted when SAML resource object is deleted
Component: Access Policy Manager
Symptoms:
Customization group object for the corresponding SAMLResource object is in the configuration store, even after SAMLResource is deleted in GUI/TMSH.
Conditions:
-- Customization Object is in the configuration store.
-- Delete the SAMLResource.
Impact:
There is no functional impact, but additional configuration objects exist in the configuration store.
Workaround:
Delete the customization group object manually in TMSH.
The BIG-IP system administrator can delete those customization groups if the corresponding SAML resources are deleted or do not exist in the configuration.
The command 'list apm policy customization-group' lists all the customization groups. The SAML-specific customization groups end with '_resource_saml_customization' and are prefixed with the SAML resource name (SAML resource name concatenated with literal 'resource_saml_customization').
725791-5 : Potential HW/HSB issue detected
Component: TMOS
Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.
With a burst of CRC errors in the SRAM for ePVA transformation cache, it does not trigger a failover and causes a silent traffic outage on the FastL4 VIP with hardware traffic acceleration. This occurs because the health check watchdog packets are still functioning correctly, and the current TMOS software primarily monitors watchdog packets tx/rx failures to trigger failover.
In these cases, there might be the following messages in /var/log/tmm*:
Device error: hsb_lbb* tre2_crc_errs count *
Conditions:
Traffic is offloaded to HSB hardware for acceleration.
Impact:
Hardware accelerated traffic drop.
Workaround:
Switch traffic to software acceleration.
724994-3 : API requests with 'expandSubcollections=true' are very slow
Component: TMOS
Symptoms:
Submitting an iControl REST query using the option 'expandSubcollections=true' takes significantly longer to return than one without that option. For example, the request 'https://localhost/mgmt/tm/ltm/virtual?expandSubcollections=true' takes significantly longer than the request 'https://localhost/mgmt/tm/ltm/virtual'.
Conditions:
Submitting a query using expandSubcollections=true.
Impact:
The response takes significantly longer to return.
Workaround:
The additional processing time occurs because the 'expandSubcollections' parameter fetches all the related associated elements. You can use the following alternative to retrieve the virtual configuration:
1. Run the following query:
GET mgmt/tm/ltm/virtual
2. Obtain the list of virtual servers by:
2a. parsing either the selfLink or the fullPath properties in the response items array, where the response is from step 1.
2b. writing an iControlLX worker that does this.
Note: Writing a worker abstracts the parsing logic into a user-defined endpoint. It provides API access to the data.
3. Iterate over the virtual servers querying each with the option 'expandSubcollections=true'.
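Steps 1 through 3 above as a Python sketch; this is an added example, not F5 code or part of the original release note. The response body is a constructed sample, and the `fetch` callable (an authenticated GET that returns parsed JSON) is a hypothetical helper supplied by the caller.

```python
import json
from urllib.parse import urlsplit

COLLECTION = "mgmt/tm/ltm/virtual"

# Constructed sample of a step 1 response body; not captured from a real system.
SAMPLE_COLLECTION = json.dumps({
    "kind": "tm:ltm:virtual:virtualcollectionstate",
    "items": [
        {"name": "vs_web", "fullPath": "/Common/vs_web",
         "selfLink": "https://localhost/mgmt/tm/ltm/virtual/~Common~vs_web?ver=14.0.1"},
        {"name": "vs_api", "fullPath": "/Tenant1/app/vs_api"},  # no selfLink
        {"name": "vs_old",  # no fullPath
         "selfLink": "https://localhost/mgmt/tm/ltm/virtual/~Common~vs_old?ver=14.0.1"},
    ],
})


def item_path(item):
    """Step 2a: derive the per-virtual REST path from fullPath or selfLink."""
    full_path = item.get("fullPath")
    if full_path:
        if not full_path.startswith("/"):
            raise ValueError(f"unexpected fullPath: {full_path!r}")
        # iControl REST writes partition/folder separators as '~' in the URI.
        return f"{COLLECTION}/{full_path.replace('/', '~')}"
    self_link = item.get("selfLink")
    if self_link:
        # Keep only the path; drop scheme, host and the '?ver=' query.
        return urlsplit(self_link).path.lstrip("/")
    raise ValueError("item has neither fullPath nor selfLink")


def expanded_paths(collection_body):
    """Steps 2 and 3: build one expandSubcollections query per virtual server."""
    items = json.loads(collection_body).get("items", [])
    return [f"{item_path(item)}?expandSubcollections=true" for item in items]


def fetch_expanded(collection_body, fetch):
    """Step 3: call fetch(path) once per virtual server.

    Failures are collected per virtual server so that one slow or failing
    object does not hide the results for the others.
    """
    results, errors = {}, {}
    for path in expanded_paths(collection_body):
        try:
            results[path] = fetch(path)
        except Exception as exc:
            errors[path] = str(exc)
    return results, errors


if __name__ == "__main__":
    # Stub in place of a real authenticated GET, so the sketch runs offline.
    done, failed = fetch_expanded(SAMPLE_COLLECTION, lambda p: {"requested": p})
    for path in done:
        print("GET", path)
    print("failures:", failed)
```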
724679-1 : Non-attacking IP addresses could be logged along with attacking IP addresses when DoS detects an attack
Component: Advanced Firewall Manager
Symptoms:
During an attack, MySQL might log IP addresses that are not part of an attack along with the IP addresses that are part of the attack.
Conditions:
This occurs when the system detects a BadEndpoint attack.
Impact:
The system might log messages related to IP addresses that are not part of the attack. These IP addresses are not part of the attack and may be ignored.
Workaround:
None.
724532-3 : SIG SEGV during IP intelligence category match in TMM
Component: Advanced Firewall Manager
Symptoms:
TMM restarts while matching traffic from source IP to IP Intelligence category.
Conditions:
Multiple configuration changes that include deleting the custom IP intelligence categories.
Impact:
TMM restart. Traffic disrupted while tmm restarts.
Workaround:
None.
724109-3 : Manual config-sync fails after pool with FQDN pool members is deleted
Component: TMOS
Symptoms:
If a user deletes an FQDN pool on one BIG-IP system in a cluster and then runs a manual config sync with another BIG-IP system, the change fails to sync with the other BIG-IP systems in the cluster.
Conditions:
- Create fqdn pool in one BIG-IP
- Save sys config
- Run config sync
- Delete fqdn pool
- Save sys config
- Run config sync manually
Result: After the FQDN pool is deleted on one BIG-IP system and config sync is run with another BIG-IP system, the manual config sync fails. The deleted FQDN pool is still visible on the other BIG-IP system.
Impact:
The FQDN pool deletion fails on the other BIG-IP system, and the manual config sync operation fails.
Workaround:
The workaround for this issue is to use auto-sync.
723988-1 : IKEv1 phase2 key length can be changed during SA negotiation
Component: TMOS
Symptoms:
Using IKEv1, if phase2 key length does not agree on both sides, a responder accepts whatever the initiator proposes as key length, but only after an initiator is authenticated. This results in key length downgrade or upgrade at a trusted peer's request, because the IKEv1 daemon was configured to obey the other peer's key length request.
Conditions:
The value of the ike-phase2-encrypt-algorithm on both sides agree on the encryption algorithm, but differ in key length. For example, if the initiator picks AES128 when the responder expects AES256.
Impact:
The responder accepts AES128 anyway. Although phase1 key length must be an exact match, when phase2 key length does not match, this allows an initiating peer to change the key length a responder uses, thus changing the strength configured by that responder.
Workaround:
No workaround is known at this time.
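Because the responder accepts the initiator's key length silently, the mismatch has to be caught by comparing both peers' configuration. The audit below is an added example, not F5 code: the tmsh fragments are constructed, and the policy names, the 'net ipsec ipsec-policy' stanza layout and the lowercase algorithm values are assumptions for illustration.

```python
import re

# Constructed tmsh fragments for the two peers (not taken from a real system).
INITIATOR_CONF = """\
net ipsec ipsec-policy to_siteB {
    ike-phase2-auth-algorithm sha256
    ike-phase2-encrypt-algorithm aes128
    mode tunnel
}
net ipsec ipsec-policy to_siteC {
    ike-phase2-encrypt-algorithm aes-gcm256
}
"""
RESPONDER_CONF = """\
net ipsec ipsec-policy from_siteA {
    ike-phase2-auth-algorithm sha256
    ike-phase2-encrypt-algorithm aes256
    mode tunnel
}
net ipsec ipsec-policy from_siteC {
    ike-phase2-encrypt-algorithm aes-gcm256
}
"""

STANZA = re.compile(r"^net ipsec ipsec-policy (\S+) \{\s*$")
ATTR = re.compile(r"^\s+ike-phase2-encrypt-algorithm\s+(\S+)\s*$")
ALGO = re.compile(r"^([a-z][a-z-]*?)(\d+)$")


def phase2_algorithms(conf_text):
    """Map each ipsec-policy name to its ike-phase2-encrypt-algorithm value."""
    found, current = {}, None
    for line in conf_text.splitlines():
        m = STANZA.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("}"):
            current = None
            continue
        m = ATTR.match(line)
        if m and current is not None:
            found[current] = m.group(1)
    return found


def split_algorithm(value):
    """'aes256' -> ('aes', 256); values without a key length -> (value, None)."""
    value = value.lower()
    m = ALGO.match(value)
    return (m.group(1), int(m.group(2))) if m else (value, None)


def classify(local_value, peer_value):
    """Compare the phase2 cipher configured for one tunnel on both peers."""
    local_family, local_bits = split_algorithm(local_value)
    peer_family, peer_bits = split_algorithm(peer_value)
    if local_family != peer_family:
        return "algorithm-mismatch"
    if local_bits != peer_bits:
        # Same cipher, different key length: the case this issue describes.
        return "key-length-mismatch"
    return "match"


def audit(local_conf, peer_conf, tunnels):
    """tunnels: list of (local_policy_name, peer_policy_name) pairs."""
    local = phase2_algorithms(local_conf)
    peer = phase2_algorithms(peer_conf)
    report = []
    for local_name, peer_name in tunnels:
        if local_name not in local or peer_name not in peer:
            report.append((local_name, peer_name, "missing-policy"))
        else:
            verdict = classify(local[local_name], peer[peer_name])
            report.append((local_name, peer_name, verdict))
    return report


if __name__ == "__main__":
    pairs = [("to_siteB", "from_siteA"), ("to_siteC", "from_siteC")]
    for row in audit(INITIATOR_CONF, RESPONDER_CONF, pairs):
        print(*row)
```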
723711-2 : IPsec keys are once again logged when db variable ipsec.debug.logkeys equals 1
Component: TMOS
Symptoms:
Logging of keys when debug mode was "debug" or higher in IKEv1's /var/log/racoon.log was disabled in an earlier release. IKEv2's logging of keys in other log files was disabled as well.
Conditions:
-- When negotiating any IKEv1 security association.
-- When negotiating any IKEv2 security association when ikedaemon log level has been set to debug or debug2.
Impact:
Keys, nonces, and several other "sensitive" values are no longer logged for either IKEv1 or IKEv2, making it hard to decrypt test traffic when debugging in the aftermath of problems.
Workaround:
There is no workaround on the BIG-IP. However, debug logs on the remote peer, if not a BIG-IP, may provide the desired key information.
723402-1 : Apmd crashes running command: tmsh restart sys service all
Component: Access Policy Manager
Symptoms:
Rarely occurring apmd crash.
Conditions:
-- APM is licensed and provisioned.
-- Running the command: tmsh restart sys service all.
Impact:
Apmd crashes and generates a core file. Traffic may be disrupted while apmd restarts.
Workaround:
None.
723306-2 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
Component: Local Traffic Manager
Symptoms:
Loading correct configuration with 'tmsh load /sys config' fails. The error message appears similar to the following:
01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
Unexpected Error: Loading configuration process failed.
Conditions:
Creating internal virtual server, when 0.0.0.0 address exists on another partition.
Impact:
Inability to load config, with created internal virtual server.
Workaround:
Create internal virtual server first; then create the 0.0.0.0 address on a different partition.
723095-3 : tmsh "modify gtm pool <type> all ... " commands fail
Component: Global Traffic Manager (DNS)
Symptoms:
tmsh command returns an error similar to the following message:
01070227:3: Pool Member references a nonexistent Pool (/Common/poolname of type NAPTR)
or
01020036:3: The requested Pool (<type> /Common/poolname) was not found.
Conditions:
Changing the record type on GTM pool members by running the following command: tmsh modify gtm pool type all members add.
or
Attempting to use the command "tmsh modify gtm pool <type> all <attribute>", for example "tmsh modify gtm pool a all enabled"
Impact:
Unable to apply a single tmsh command to all pools of a given type.
Workaround:
There is no workaround at this time, other than to apply the command individually to each pool.
722862 : ASM CAPTCHA sends non url-encoded payload when captcha is submitted by pressing 'Enter'
Component: Application Security Manager
Symptoms:
When an APM end-user gets the ASM CAPTCHA page, types the correct CAPTCHA letters, and presses the 'Enter' key rather than clicking the Submit button, the CAPTCHA letters are sent to the BIG-IP system along with other request parameters. These additional parameters are forwarded to the backend server incorrectly as non-url-encoded; they should be url-encoded.
Conditions:
This occurs when the following conditions are met:
-- ASM provisioned.
-- DoS application or ASM policy attached to a virtual server.
-- DoS application or ASM policy has CAPTCHA enabled.
-- User submits the CAPTCHA form using the 'Enter' key.
Impact:
Application receives unexpected content, which might cause the backend server's application business logic to not work as expected.
Workaround:
Disable CAPTCHA within the DoS application or ASM policy.
722751-2 : VLAN group does not pass OSPF traffic till first unicast packet is passed
Component: Local Traffic Manager
Symptoms:
VLAN group does not pass OSPF traffic until the first unicast packet is passed.
Conditions:
-- VLAN group configured on the BIG-IP system.
-- Routers are attached to BIG-IP interfaces.
Impact:
OSPF traffic is interrupted. OSPF router adjacency is not set.
Workaround:
None.
722741-2 : Damaged tmm dns db file causes zxfrd/tmm core
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd/tmm cores on startup.
Conditions:
Damaged tmm dns db file.
Impact:
System remains in a tmm-restart loop caused by tmm opening a corrupted tmmdns.bin on startup and segfaulting. Traffic disrupted while tmm restarts.
Workaround:
Delete the damaged db files.
722734-2 : 'No Access' error when viewing properties page of a GTM Pool member whose name includes a partition that does not exist on that BIG-IP system.
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system posts a 'No Access' error message instead of the GTM Pool member's properties.
Conditions:
-- At least two BIG-IP systems in a sync group.
-- One of the BIG-IP systems has a partition that does not exist on the other, with a GTM Pool member on that partition.
-- The issue occurs when a GSLB Server discovers that GTM Pool member and displays it on its properties page.
Note: This same error message displays for GSLB Server's virtual server properties accessed by navigating to GSLB :: servers :: [server] :: virtual servers :: [virtual server]. The differing issues have been fixed in differing releases. You can find information about the similar issue in the AskF5 Bug Tracker article for 710032.
Impact:
It makes the GSLB pool member's properties page unavailable in this case.
Workaround:
Use either of the following workarounds:
-- Use TMSH to view or edit the properties of that GTM Pool member.
-- Create partitions on the GTM device to match those appearing to be referenced in the object names.
722707-3 : mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
Component: Local Traffic Manager
Symptoms:
The 'debug' log for a 'mysql' monitor may incorrectly report data being received from the database when network routing is configured to drop packets from that database, causing confusion when diagnosing packet traffic. This might be stimulated by configuring the firewall to enable traffic to/from the 'mysql' database, and then (after the 'mysql' monitor has successfully connected with the database) changing firewall rules to drop packets returned *from* the database.
Conditions:
-- A 'mysql' monitor successfully connects to the 'MySQL' database.
-- Once the connection is established, firewall rules are changed to 'DROP' packets returned from the 'MySQL' database, resulting in several entries in the 'mysql' monitor 'debug' log that incorrectly suggest packets were received from the 'MySQL' database.
Impact:
Several log entries may be made in the 'mysql' debug log suggesting packets were received from the 'MySQL' database (after a previous successful database probe connection), when in fact those packets were dropped due to changes in the firewall rules. These log entries may confuse debugging scenarios, but will typically self-correct (such as after three log message entries).
Workaround:
When configuring network traffic for 'MySQL' database resources, ensure symmetry for traffic handling (either bi-directional packet routing between 'bigd' and the 'MySQL' database is supported, or neither 'send' nor 'receive' packet routing to the 'MySQL' database is supported).
722647-3 : The configuration of some of the Nokia alerts is incorrect
Component: TMOS
Symptoms:
The categories for perceived severity in the alert_nokia.conf file are 0-4, 10-11, but there is an entry in the file with a value of 6.
Conditions:
-- Traps are enabled to support SNMP alerts in the Nokia NetAct format, e.g., using the following command:
tmsh modify sys db alertd.nokia.alarm value enable
-- The values in the alert_nokia.conf file are applied.
Impact:
Some of the values are incorrect. Handling of the trap/clear for the mislabeled trap is incorrect.
Workaround:
Edit the alert_nokia.conf file and restart the alert daemon.
722534-2 : load sys config merge not supported for iRulesLX
Component: Local Traffic Manager
Symptoms:
iRulesLX configurations are (for the most part) contained in the file system, rather than the 'traditional' BIG-IP config files. An attempt to merge configurations containing iRulesLX using the tmsh command 'load sys config merge' options fails with an error similar to the following:
# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ilx plugin test-plugin {
from-workspace test-ws
}
Validating configuration...
Unexpected Error: "basic_string::at"
Conditions:
The configuration being merged contains iRulesLX.
Impact:
The merge will fail with the error: Unexpected Error: "basic_string::at". The previous configuration will continue to work.
Workaround:
There is no workaround at this time for merging iRulesLX configuration. If the iRulesLX configuration is removed from the configuration to be merged, the merge will work.
722380-1 : The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
Component: TMOS
Symptoms:
On platforms with HSB, if an HSB lockup occurs, then TMM panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. In certain cases, the reboot occurs before the core file is fully written, resulting in a truncated core.
Conditions:
-- Any platform with HSB.
-- An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.
Impact:
The reboot happens after the core dump begins but before it completes, resulting in a truncated core dump, which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.
Workaround:
None.
722294-1 : Reported session ID keeps changing for the same user session when ASM does not track sessions
Component: Application Security Manager
Symptoms:
A reported session ID is not maintained for the same user session.
Conditions:
-- Simple, feature-less policy (i.e., policy contains only attack signatures).
-- There are no cookies coming in from the server.
Impact:
The TS cookie is not created since there is no cookie-enforcing feature that is turned on (such as session tracking). Although this is correct behavior, it might result in confusion when there is a different, random session ID on each request.
Workaround:
Turn on a cookie-related feature (such as session tracking).
721704-2 : UDP flows are not deleted after subscriber deletion
Component: Policy Enforcement Manager
Symptoms:
UDP flows continue to live until the UDP idle time elapses, even after the subscriber is gone and the option for immediate deletion of the flow is enabled.
Conditions:
-- The option to delete flows upon subscriber deletion is enabled.
-- The UDP flow is established with an idle time greater than the re-evaluate timeout.
Impact:
The UDP flows continue to be alive after the required time, but only act to drop the traffic.
Workaround:
To work around this issue:
1. Modify the UDP idle timer to a suitable value.
2. Force delete the UDP flow from CLI.
721579-2 : LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing
Component: Carrier-Grade NAT
Symptoms:
When checking persistence TTL by using 'lsndb list all', TTL for 'LSN Persistence Entries' and Age for 'LSN Inbound Mapping Entries' are reset once at around the halfway point of the persistence timeout, even though there is no traffic.
Conditions:
-- LSN with persistence timeout configured.
-- Using the following command: lsndb list all.
Impact:
lsndb shows misleading stats.
Workaround:
There is no workaround at this time.
721399-1 : Signature Set cannot be modified to Accuracy = 'All' after another value
Component: Application Security Manager
Symptoms:
ASM Signature Set cannot be modified to Accuracy = 'All' after another value was used previously.
Conditions:
-- ASM Signature Set has a value set for Accuracy filter.
-- Accuracy is subsequently set to 'All'.
Impact:
The change to Accuracy = 'All' does not take effect. ASM Signature Set cannot be modified to Accuracy = 'All'.
Workaround:
You can use either of the following workarounds:
-- Delete and re-create the Signature Set with the desired value.
-- Modify the filter to a value that will match all results (such as Accuracy is greater than or equal to 'Low').
721350-3 : The size of the icrd_child process is steadily growing
Component: TMOS
Symptoms:
The resident segment size (rss) for the icrd_child process continues to increase on issuing iCR GET requests. This increase is permanent and the rss does not drop back to its original size.
Conditions:
The following is an example config under which this issue occurs. Note this is an illustrative example; the actual issue might occur for various config objects.
GET tm/ltm/virtual?expandSubcollections=true wherein the virtual has some profiles associated with it.
ltm pool p-http { }
ltm virtual novel-1000 {
...
pool p-http
profiles {
analytics { }
http { }
tcp { }
}
....
}
# tmctl proc_pid_stat 'proc_name=icrd_child' -s proc_name,ppid,vsize,rss
On subsequent GET requests the rss size continues to increase.
Impact:
Increase in the rss of the icrd_child process. This increase could lead to icrd_child core or swapping of processes into the rss due to limited memory left for other processes.
Workaround:
There is no workaround.
721020-2 : Changes to the master key are reverted after full sync
Component: TMOS
Symptoms:
Changes to the master key on a device that is in a device cluster are reverted when performing a full sync of any device-group. The master key is reset to its previous value.
Conditions:
-- The BIG-IP system is in a device cluster.
-- You change the master key from within TMSH.
Impact:
Subsequent configuration loads fail on the device.
Workaround:
There is no workaround.
720819-3 : Certain platforms may take longer than expected to detect and recover from HSB lock-ups
Component: TMOS
Symptoms:
In the unlikely event of an HSB lock-up, certain BIG-IP platforms may take longer than expected to detect and recover from the condition.
For instance, it may take several minutes for an affected unit to detect the condition and initiate the predefined failsafe action.
Instead, the recovery mechanism should trigger almost instantaneously.
Conditions:
This issue occurs when all of the following conditions are met:
-- The BIG-IP system is an i56xx/i58xx, i76xx/i78xx, or i106xx/i108xx platform.
-- The HSB locks up due to a different issue.
Impact:
Traffic is negatively impacted until the BIG-IP system detects and remedies the condition. This might take up to 15 minutes before remedied by a reboot, depending on other traffic being processed.
Workaround:
None.
720669-1 : Within the GUI, the 'MQTT-TLS' service port is incorrectly reported as 'common.all.MQTT-TLS'.
Component: TMOS
Symptoms:
In some sections of the GUI, the 'MQTT-TLS' service port may be incorrectly reported as 'common.all.MQTT-TLS'.
Conditions:
This is currently known to happen in the 'Virtual Server List' screen when a virtual server is configured to listen on port 8883 (a.k.a. MQTT-TLS).
Impact:
None. The issue is cosmetic and has no effect on traffic.
Workaround:
None.
720610-1 : Updatecheck logs bogus 'Update Server unavailable' on every run
Component: TMOS
Symptoms:
The updatecheck operation erroneously logs that the Update Server is unavailable on every run, successful or not.
Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.
Impact:
Misleading messages in the log file, implying that the update server is not available.
Workaround:
None.
720581-1 : Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files
Component: Application Security Manager
Symptoms:
When using Policy Merge to add an XML Profile from policy A to policy B, if there are any Schema files (such as xsd or wsdl) associated with the profile, then the XML Profile added to policy B erroneously points to the file that is in policy A and does not create a new reference within policy B.
Conditions:
Policy Merge is used to add an XML Policy that contains a schema file from one policy to another.
Impact:
-- The reference to an object in another policy breaks BIG-IQ discovery.
-- The policy is not consistent after export/import.
Workaround:
None.
720461-1 : qkview prompts for password on chassis
Component: TMOS
Symptoms:
Qkview prompts for a password when executing getnodedates from the chassis module.
Conditions:
SSH auth keys are missing or corrupted.
Impact:
This blocks collecting qkview.
Workaround:
Edit the /user/bin/getnodedates script and add -oBatchMode=yes for the SSH command as shown in the following example:
$date = `/usr/bin/ssh -q -oBatchMode=yes -oStrictHostKeyChecking=no $ip /bin/date`;
720460-3 : Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly
Component: Local Traffic Manager
Symptoms:
The sys db compression.strategy is used to control the compression-provider selection. When it is set to 'softwareonly', compression somehow still selects a hardware accelerator.
Conditions:
This always happens when compression.strategy is set to 'softwareonly'.
Impact:
Compression.strategy set to 'softwareonly' does not work, and if there is a problem in a hardware accelerator, compression will still select the hardware accelerator, even though software compression is desired.
Workaround:
There is no workaround.
720440-2 : Radius monitor marks pool members down after 6 seconds
Component: Local Traffic Manager
Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.
Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.
Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.
Workaround:
There is no workaround at this time.
720242-1 : GUI for AFM rules shows protocol value IPENCAP for rules under rule-list
Component: Advanced Firewall Manager
Symptoms:
When you set the protocol field to 'IPv4', it is displayed as 'IPENCAP' after saving.
Conditions:
This occurs only for rules under RuleList.
Impact:
Protocol value is displayed as 'IPENCAP' as opposed to 'IPv4'.
Workaround:
None.
720030-5 : Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)
Component: Access Policy Manager
Symptoms:
Kerberos DNS SRV requests are generated without enabling EDNS0. Without this, the internal DNS server (dnscached) truncates the UDP response if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in a lot of TIME_WAIT connections on the socket using dnscached.
Conditions:
APM end users using Kerberos SSO to access backend resources.
Impact:
Ability to create new DNS requests is affected, if there are numerous sockets in TIME_WAIT. This can result in scalability issues.
Workaround:
For BIG-IP software v12.x and later, edit the /etc/resolv.conf file to add an EDNS0 option.
There is no workaround if you are running a version earlier than 12.x.
719304-3 : Inconsistent node ICMP monitor operation for IPv6 nodes
Component: Local Traffic Manager
Symptoms:
While running ping from different blades in a multi-blade environment, pings fail from blades that do not have the tmm that is responsible for pinging the node.
Conditions:
The blade that does not contain the owning tmm is responsible for the node monitors.
Impact:
The node will be incorrectly marked as being unavailable/down.
Workaround:
You can use the following workarounds:
-- Statically assign the NDP entries.
-- Set the route to a gateway that has a non-zero host portion in the address.
719300-1 : ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address
Component: Local Traffic Manager
Symptoms:
ICMP unreachable packets sent by a server may be received by a client with the BIG-IP system's MAC address as the source MAC address.
Conditions:
BIG-IP deployed in an L2 transparent mode using VLAN groups.
Impact:
May impact services on the client that rely on source MAC address of incoming packets.
Workaround:
None.
719107-1 : Message type is not displayed in CLI and incorrect message type is displayed in GUI for Subscriber Management diameter protocol profile message type CCA-T.
Component: Policy Enforcement Manager
Symptoms:
If versions earlier than v13.1.0 have Subscriber Management diameter protocol message type CCA-T, their message type is not displayed on the command-line interface (CLI) and is incorrectly displayed as CCR-I in the GUI when upgraded to later versions.
Conditions:
-- Upgrade to v13.1.0 or later.
-- Configuration has Subscriber Management diameter protocol message type CCA-T.
Impact:
The message type is incorrectly displayed as CCR-I in the GUI.
Note: This configuration has no effect.
Workaround:
Delete the Subscriber Management diameter protocol message that has no message-type when viewed from CLI.
718867-1 : tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades★
Component: Local Traffic Manager
Symptoms:
The db variable 'tmm.umem_reap_aggrlevel' (to set the memory-usage level at which aggressive connection-reaping begins) does not persist across upgrades; on upgrade it will be reset to its default value (80%).
Conditions:
-- The db variable 'tmm.umem_reap_aggrlevel' is set to a custom value (specifically, not '80').
-- The BIG-IP system is upgraded.
Impact:
The value for 'tmm.umem_reap_aggrlevel' has reset to '80', its default value.
Workaround:
Reset the variable's custom value after upgrade.
718800-1 : Cannot set a password to the current value of its encrypted password
Component: TMOS
Symptoms:
Attempting to set a password to the current value of its encrypted password silently fails without changing the password. For example, running the following tmsh command sets the encrypted password to the value 'password':
modify auth user <username> encrypted-password password
Attempting to set the password to 'password' using the command does not report an error, but does not change the password (meaning that encrypted password remains 'password'):
modify auth user <username> password password
Conditions:
Changing a password to the value of encrypted-password.
Impact:
Difficult to recover from this situation because trying to simply change the password to the correct value does not work.
(It is likely this initially happened by accident: attempting to set 'password', but setting 'encrypted-password' instead.)
Workaround:
First, change the password to something else. Then, change it back to the correct value.
718796-2 : iControl REST token issue after upgrade★
Component: Device Management
Symptoms:
When upgrading to version 13.1.0.x, sometimes a user who previously had permissions to make calls to iControl REST loses the ability to make those calls.
Conditions:
-- Upgrading to version 13.1.0.x.
-- iControl REST.
Impact:
A previously privileged user can no longer query iControl REST. Also, some remotely authenticated users may lose access to the Network Map and Analytics view after the upgrade.
Workaround:
You can repair the current users' permissions with the following process:
1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting the restjavad process:
# restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
# bigstart restart restjavad
2) Update the shared/authz/roles/iControl_REST_API_User userReferences list to add the affected user account, using PUT:
# restcurl shared/authz/roles/iControl_REST_API_User > role.json
# vim role.json (add the { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to the userReferences list)
# curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User
Now, when you create a new user, the permissions should start in a healthy state.
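The manual edit of role.json in step 2 can be scripted so that it is repeatable and does not add the same user twice. This is an added example, not part of the original release note or F5's tooling; the function name, the username character check and the sample role document are assumptions made for illustration, and the link format is the one shown in the workaround.

```python
import json
import re
from typing import Tuple

# Link prefix exactly as written in the workaround above.
USER_LINK_PREFIX = "https://localhost/mgmt/shared/authz/users/"

# Assumption: accept only a conservative character set so that the username
# cannot change the path of the link written into the role document.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Constructed sample of what "restcurl .../iControl_REST_API_User" might return.
SAMPLE_ROLE = json.dumps({
    "name": "iControl_REST_API_User",
    "userReferences": [
        {"link": USER_LINK_PREFIX + "admin"},
    ],
})


def add_user_reference(role_json: str, username: str) -> Tuple[str, bool]:
    """Add the user's link to userReferences if it is not already present.

    Returns (json_text, changed). When nothing changes, the input text is
    returned untouched so the caller can skip the PUT.
    """
    if not USERNAME_RE.match(username):
        raise ValueError("unexpected characters in username: %r" % username)

    role = json.loads(role_json)
    if not isinstance(role, dict):
        raise ValueError("role document must be a JSON object")

    refs = role.setdefault("userReferences", [])
    if not isinstance(refs, list):
        raise ValueError("userReferences must be a list")

    link = USER_LINK_PREFIX + username
    already_present = any(
        isinstance(ref, dict) and ref.get("link") == link for ref in refs
    )
    if already_present:
        return role_json, False

    refs.append({"link": link})
    return json.dumps(role, indent=2), True


if __name__ == "__main__":
    updated, changed = add_user_reference(SAMPLE_ROLE, "alice")
    print("changed:", changed)
    print(updated)
```
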
718790-2 : Traffic does not forward to fallback host when all pool members are marked down
Component: Local Traffic Manager
Symptoms:
Traffic does not get forwarded to fallback hosts.
Conditions:
-- HTTP Profile configured with Fallback Host.
-- All the pool members are marked administrative down.
Impact:
Traffic does not get forwarded.
Workaround:
Pick a monitor that works properly for the pool.
718405-3 : RSA signature PAYLOAD_AUTH mismatch with certificates
Component: TMOS
Symptoms:
IPsec IKEv2 negotiation with other vendors may fail to establish tunnels when certificate authentication is configured, using either RSA signature or DSS.
The value of PAYLOAD_AUTH does not match when the BIG-IP system compares it with what the remote peer sends. The same certificate works when the BIG-IP system is the initiator, but not when another vendor is the initiator.
Conditions:
Interoperating with other vendors under IKEv2 while using certificates.
Impact:
IKEv2 tunnels fail to establish, failing the second IKE_AUTH exchange in the protocol.
Workaround:
Use pre-shared key authentication.
718291-1 : iHealth upload error doesn't clear
Component: TMOS
Symptoms:
If an error occurs that sets the iHealth error string, then this string is never cleared.
Conditions:
Setting an invalid hostname for db variable proxy.host.
Impact:
The system reports the following error string: curl: (56) Recv failure: Connection reset by peer. This error message is never cleared, despite running a successful upload. The bogus error message could result in unnecessary confusion after a successful upload.
Workaround:
To clear the error message, run the following command:
/usr/bin/guishell -c "update diags_ihealth_request set error_str='';"
718232-3 : Some FTP servers may cause false positive for ftp_security
Component: Application Security Manager
Symptoms:
A login might get rejected after a lower number of failed logins than is configured for 'Maximum Username Login Retries'. BIG-IP system posts the following error message: 530 Too many failed login attempts by the user.
Conditions:
-- The server sends unexpected ingresses that are rejected.
-- There is a value specified for 'Maximum Username Login Retries'.
Impact:
A legitimate user might be rejected and have to wait until the configured 'Re-enable login' time.
Workaround:
There is no workaround at this time.
718108-2 : It is not possible to core the icrd_child process if iControl REST requests were sent to the BIG-IP system using non-admin accounts
Component: TMOS
Symptoms:
When trying to create a diagnostic core file of the icrd_child process (for example, using the command: kill -6 <PID>), the process restarts but does not create a core file.
Conditions:
iControl REST requests are sent to the BIG-IP system using non-administrative (or resource admin) user accounts.
Impact:
This issue may hinder F5 Support efforts to diagnose memory leaks or other issues affecting the icrd_child process.
Workaround:
There are two workarounds for this issue.
Workaround #1:
The problem can be avoided by making calls to iControl REST using only User IDs that have the 'Admin' or 'Resource Admin' roles.
Note: If iControl REST calls have already been made with User IDs that have a role other than 'Admin' or 'Resource Admin', the 'restjavad' process must be restarted before core files can be created for icrd_child processes.
Workaround #2:
If iControl REST calls have already been made with User IDs that have a role other than 'Admin' or 'Resource Admin', and a core file is needed for a currently running icrd_child process, running the following two commands in the Advanced Shell (aka bash) creates the core file.
1: "echo 2 > /proc/sys/fs/suid_dumpable"
2: "pkill -6 icrd_child"
Note: The commands are shown inside quotation marks but do not include the quotations marks.
718033-3 : REST calls fail after installing BIG-IP software or changing admin passwords
Component: Device Management
Symptoms:
After installing the latest BIG-IP software, or changing the BIG-IP admin passwords once or twice, REST calls might fail with the following error: 400 - Bad Request.
Conditions:
The conditions under which this occurs are not well understood. The issue occurs randomly, and is likely the result of a timing issue.
Impact:
REST calls or GUI operations fail, and errors are displayed on screen.
Workaround:
Run the following command on the BIG-IP system:
$ bigstart restart restjavad
717785-4 : Interface-cos shows no egress stats for CoS configurations
Component: TMOS
Symptoms:
No egress packet counts per CoS queue are reported on B21x0 and 5x00/7x00 platforms. The issue affects the egress packet statistics reporting per CoS queue only. The operation of the CoS feature is not affected and the egress packets statistics reporting per external interface is also not affected.
Conditions:
-- A valid 8 HW CoS feature configuration has been enabled and is passing traffic.
-- BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.
-- Running the show net interface-cos command.
Impact:
Egress packet statistics reported per CoS queue shows no counts.
Workaround:
None.
716952-1 : With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process completes.
Component: Local Traffic Manager
Symptoms:
When TCP Nagle is enabled, the data sent from the server is handled by the SSL filter to offload data processing. The SSL filter forwards the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message to the TCP4 filter. Because Nagle is enabled, this leaves the last offloaded packet 'stuck' in the TCP4 filter.
Conditions:
-- Nagle is enabled.
-- SSL filter is in the chain.
Impact:
The last data packet waits until all other packets have been ACKd.
Workaround:
None.
716492-3 : Rateshaper stalls when TSO packet length exceeds max ceiling.
Solution Article: K59332523
Component: Local Traffic Manager
Symptoms:
If a TCP Segmentation Offload (TSO) packet length exceeds the rateshaper's max ceiling, it causes the flow to stall.
Conditions:
TSO packet length exceeds the rateshaper's configured max ceiling.
Impact:
The flow stalls. Subsequent flows cannot go to the rateshaper from that particular tmm.
Workaround:
If you are running BIG-IP software v12.1.3.2 (or later) or v13.1.0(.x), you can use the following workaround:
There is a sys db variable called 'rateshaper.cmpdivide', which is enabled by default. When enabled, the system internally divides the bandwidth (rate/ceiling/burst) between the available tmm cores. If this issue occurs, set 'rateshaper.cmpdivide' to enabled.
There is no workaround for other versions.
716324-1 : CSRF protection fails when the total size of the configured URL list is more than 2 KB
Component: Application Security Manager
Symptoms:
When the total size of the cross-site request forgery (CSRF) protection URL list is greater than 2 KB, CSRF injection fails.
Conditions:
- CSRF protection is enabled.
- The total length of the defined CSRF URL list is more than 2 KB.
- A protected URL is accessed.
Impact:
CSRF false-positive violation.
Workaround:
Use wildcards to minimize total CSRF URL size.
715756-1 : Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only
Component: Local Traffic Manager
Symptoms:
When filesystems critical to TMOS functional operation are mounted read-only, clusterd on that blade should trigger a primary election if it was primary. Either way, the cluster should be informed of this critical error state.
Conditions:
A critical filesystem (e.g., '/', '/var', '/var/run', '/config', '/shared') has been mounted read-only.
Impact:
The blade with read-only filesystems and degraded functionality might stay primary and claim to be passing traffic.
Workaround:
There is no workaround other than to avoid mounting filesystems read-only on a BIG-IP system.
715511-3 : Span-port IFP rule shouldn't be created if no span port is configured
Component: TMOS
Symptoms:
Due to a known issue, unnecessary traffic handling rules may be pushed to internal switch, causing error messages.
Conditions:
Provisioning a vCMP guest.
Impact:
Logs similar to the following may be seen on the vCMP host when provisioning a vCMP guest:
info bcm56xxd[15052]: 012c0012:6: FFP HDAG installed for default (cmp state 0x7)
err bcm56xxd[15052]: 012c0011:3: action Redirect Trunk failed: SDK error Invalid port bs_field.cpp(916)
err bcm56xxd[15052]: 012c0011:3: program DP based dest trunk rule failed: SDK error Invalid port bs_vtrunk.cpp(5346)
info bcm56xxd[14949]: 012c0016:6: FP(unit 0) Error: Policy _value_ 61705552 > 524287 (max) mem (2405)field (82320).
info bcm56xxd[14949]: 012c0016:6: FP(unit 0) Error: action=RedirectTrunk parameters check failed (-4)
715379-2 : IKEv2 accepts asn1dn for peers-id only as file path of certificate file
Component: TMOS
Symptoms:
IKEv2 only has a very inconvenient way to specify ID for an ike-peer when using peers-id-type asn1dn. The string value of peers-id-value was understood only as a file path, and not as a representation of the asn1dn value itself. The file had to be a certificate, whose subject happened to be the ID of the remote peer as a distinguished name (DN), so this could be extracted as binary DER for asn1dn. This was both awkward and error prone, requiring what amounts to a copy of a peer's certificate before it is sent during negotiation.
Conditions:
-- Using certificate based authentication in IPsec IKEv2.
-- Configuring an ike-peer with peers-id-type as asn1dn.
Impact:
Very difficult to use asn1dn as the ID of a peer, impeding inter-operation with other vendors.
Workaround:
If you can install a local copy of the peer's certificate, with an asn1dn value inside matching what that peer will actually send in an IKE_AUTH exchange, IKEv2 can extract the asn1dn provided the value of peers-id-value is an absolute file system path to this local certificate copy.
715331-2 : IKEv2 logs peers_id comparisons and cert verification failures
Component: TMOS
Symptoms:
Insufficient information is logged when a certificate fails verification, or when ID_I in an IKE_AUTH request does not match configuration for peers_id in the ike-peer description.
Conditions:
When IKE_AUTH fails due to either certificate verification failure or mismatch of ID_I and peers_id.
Impact:
Hard to diagnose proximate cause of IKE negotiation failure during IKE_AUTH exchange.
Workaround:
There is no workaround at this time.
714986-4 : Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot
Component: TMOS
Symptoms:
On an iSeries platform, when the console baud rate is changed through TMSH, new terminal sessions revert back to the previous baud rate instead of adopting the new setting unless the unit is rebooted.
Conditions:
1. Modify the console baud rate in BIG-IP through TMSH on an iSeries platform (i2xxx, i4xxx, i5xxx, i7xxx, i10xxx, i15xxx), for example: tmsh modify sys console baud-rate 9600.
2. Exit from the login prompt in the current terminal session, or kill it and start a new session.
Impact:
The BIG-IP system reverts to the previous baud rate instead of the new setting. Inability to create any new serial console connections with the modified baud-rate without a reboot.
Workaround:
The problem can be mitigated by manually reprogramming the TTY device and restarting the agetty process and bash login sessions. This closes any existing console connections, but newly established connections will connect at the modified baud rate.
1. Use TMSH to modify the baud rate to the desired speed by running a command similar to the following:
tmsh modify sys console baud-rate 9600
2. Re-program the TTY device with the desired speed by running a command similar to the following:
stty -F /dev/ttyS0 9600
3. Kill the existing agetty process so it will re-start at the new baud rate by running the following command:
/usr/bin/killall -q agetty
4. Restart bash logins by running the following command:
/bin/kill -HUP `/bin/ps -A | /bin/grep ttyS0 | /bin/grep -v grep | /bin/grep bash | /bin/awk '{print $1}'` >/dev/null 2>&1
714974-1 : Platform-migrate of UCS containing QinQ fails on VE★
Component: TMOS
Symptoms:
If you are doing platform-migrate from a hardware device to a Virtual Edition (VE) guest, and the UCS that came from the hardware device has a QinQ VLAN configuration, then the upgrade will fail.
Conditions:
-- VLAN with a QinQ configuration exists on the hardware configuration.
-- UCS file is saved on the hardware device.
-- UCS is copied to a VE guest.
-- Attempt to load the configuration using the following command: load sys ucs <UCS filename> no-license platform-migrate.
Impact:
The UCS load will fail and generate an error:
01071bd8:3: The tag-mode for requested member <VLAN name> has to be 'none' on platforms that do not support QinQ. Unexpected Error: Loading configuration process failed.
Workaround:
None.
714795-1 : ospfd cores when configured with 'area 0 range 0.0.0.0/0'
Component: TMOS
Symptoms:
ospfd core. Loss of dynamic routing functionality.
Conditions:
- Enable dynamic routing with OSPFv2.
- Configure OSPF with the following value: area 0 range 0.0.0.0/0.
Impact:
Loss of dynamic routing functionality.
Workaround:
None.
714654-1 : Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
Component: TMOS
Symptoms:
While creating a static route, tmrouted disconnects with error: existing entry is not a dynamic.
Conditions:
Creating a static route for a network that already has an advertised dynamic route.
Impact:
TMM's connection to tmrouted goes down, which results in loss of the dynamic route for TMM.
Workaround:
There is no workaround other than not creating a static route for routes received through dynamic routing.
714559-4 : Removal of HTTP hash persistence cookie when a pool member goes down.
Component: Local Traffic Manager
Symptoms:
When HTTP cookie hash persistence is configured, the cookie is removed when a pool member goes down. This is incorrect if pool members are using session replication.
Conditions:
- Cookie hash persistence is configured.
- A pool member that the persistence record points to goes down.
- Pool members are using session replication.
Impact:
Connected clients must establish a new session.
Workaround:
To configure HTTP cookie hash persistence, use an iRule similar to the following:
when CLIENT_ACCEPTED {
    persist cookie hash JSESSIONID
}
714507-1 : [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server
Component: Global Traffic Manager (DNS)
Symptoms:
GTM pool member dependency cannot be listed correctly using the following command:
# tmsh list gtm pool
Conditions:
-- Virtual server dependency in GTM server.
-- Running the command: tmsh list gtm pool.
Impact:
1. Pool member dependencies are not listed.
2. Pool member dependency information is missing when saving config:
# tmsh save sys config gtm-only
Workaround:
List specific gtm pools instead by running a command similar to the following:
# tmsh list gtm pool a p1
714503-1 : When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl
Component: Local Traffic Manager
Symptoms:
When using the GUI to create a new iRulesLX rule with the extension .tcl as part of the rule name, the GUI will append another .tcl at the end of the file. This is problematic when attempting to view the iRule in the iRulesLX workspace (at Local Traffic :: iRules : LX Workspaces :: <workspace name>).
Conditions:
-- Creating a new iRulesLX iRule in the GUI.
-- Adding the extension .tcl.
Impact:
Cannot view or delete the iRule from the iRulesLX GUI.
Workaround:
Do not name rules with the .tcl extension. The system will do that for you.
714495-1 : When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"
Component: Local Traffic Manager
Symptoms:
When using TMSH to create a new iRulesLX rule with the extension '.tcl' as part of the rule name, TMSH will append another '.tcl' at the end of the file. This is problematic when attempting to view the iRule in the GUI (in the iRulesLX workspace at Local Traffic :: iRules : LX Workspaces :: <workspace name>).
Conditions:
Creating a new iRulesLX iRule in TMSH.
Impact:
Cannot view or delete the iRule from the iRulesLX GUI.
Workaround:
Do not name rules with the '.tcl' extension.
714372-1 : Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari
Component: Local Traffic Manager
Symptoms:
The BIG-IP system has a web-acceleration profile, which provides a number of caching and optimization options suitable for HTTP/1.1. It uses the 'Connection: Keep-Alive' header on the server side, which results in a 'Keep-Alive' header appearing in the response. This HTTP header was adopted by the industry but not standardized. When a web-acceleration profile is configured and provides a response, Safari clients do not accept responses with such a header and reject them with a RST_STREAM message.
Conditions:
-- BIG-IP has a virtual server with HTTP/2 profile and a web-acceleration profile.
-- A pool member responds with 'Keep-Alive' header in the following format: Keep-Alive: timeout=<number>, max=<number>.
Impact:
A response to a request is rejected, which might cause incorrect rendering of the HTTP page.
Workaround:
Use an iRule to remove the Keep-Alive header:
when HTTP_RESPONSE_RELEASE {
    HTTP::header remove keep-alive
}
Alternatively, use an LTM Policy where this header is removed from a server's response.
714216-1 : Folder in a partition may result in load sys config error
Component: TMOS
Symptoms:
If you run the command 'tmsh load sys config current_partition' in a partition that includes a folder, the command may return an error.
Conditions:
This occurs in the following scenario:
-- Create a partition.
-- Create a folder in that partition.
-- In the newly-created partition.
-- Save the configuration with the command 'save sys conf'.
-- In the same partition, run the following command to load the configuration: 'tmsh load sys config current_partition'.
Impact:
The load configuration process fails with an error that the folder does not exist.
Workaround:
There is no workaround at this time.
713820-2 : Pass in IP address to urldb categorization engine
Component: Access Policy Manager
Symptoms:
Category lookup results might be inaccurate. In some cases, the system returns 'uncategorized' when the reference (Forcepoint) returns a specific category.
Conditions:
Category Lookup agent is in per-request policy using the categorization engine to look up a website's classification.
Impact:
Actions leveraging categorization results are applied incorrectly.
Workaround:
None.
713793 : Loading sys config using merge does not work for client SSL profiles with passphrase-protected key
Component: TMOS
Symptoms:
BIG-IP system posts an error similar to the following when merging configuration of a client SSL profile: 010717e7:3: Client SSL profile (/Common/test): cert-key-chain and profile cert, key or chain options cannot be specified together.
Conditions:
This occurs when the SSL key of the client SSL profile is passphrase-protected.
Impact:
Unable to merge configuration.
Workaround:
To work around this issue, remove the cert/key/chain/passphrase outside of the cert-key-chain block before issuing the following command: load sys config from-terminal merge.
In particular, use the following text as the configuration:
root@(big4)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config from-terminal merge
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ltm profile client-ssl test {
    app-service none
    cert-key-chain {
        test12345 {
            cert test12345
            key test12345
            passphrase $M$SIwDQYJKoZIhvcNAQEBBQABOC==
        }
    }
    inherit-certkeychain false
}
In this example, this is the text to replace:
root@(big4)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config from-terminal merge
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ltm profile client-ssl test {
    app-service none
    cert test12345
    cert-key-chain {
        test12345 {
            cert test12345
            key test12345
            passphrase $M$EAAaOBsTCBrjAzBggrBgEFBQc==
        }
    }
    chain none
    inherit-certkeychain false
    key test12345
    passphrase $M$S/4S5uRf8leryRGv5MX9DAAvK==
}
Loading configuration...
010717e7:3: Client SSL profile (/Common/test): cert-key-chain and profile cert, key or chain options cannot be specified together.
Unexpected Error: Loading configuration process failed.
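The edit described in the workaround for 713793 can be applied mechanically before merging. This is an added example, not part of the original release note or F5's tooling: it removes profile-level cert, key, chain and passphrase lines from any client-ssl stanza that also has a cert-key-chain block and leaves everything else untouched. The function names and the sample stanza (with placeholder passphrase values) are constructed, and the parser assumes one statement per line with braces placed as in the listings above.

```python
from typing import List, Tuple

# Options that trigger error 010717e7 when they appear at profile level
# alongside a cert-key-chain block.
PROFILE_LEVEL_KEYS = {"cert", "key", "chain", "passphrase"}

# Constructed sample mirroring the failing configuration shown above;
# the passphrase values are placeholders, not real encrypted values.
SAMPLE_CONFIG = """\
ltm profile client-ssl test {
    app-service none
    cert test12345
    cert-key-chain {
        test12345 {
            cert test12345
            key test12345
            passphrase $M$CONSTRUCTED-INNER==
        }
    }
    chain none
    inherit-certkeychain false
    key test12345
    passphrase $M$CONSTRUCTED-OUTER==
}"""


def depth_after(line: str, depth: int) -> int:
    """Brace depth after a line: '{' ends a line, '}' stands alone (assumption)."""
    stripped = line.strip()
    if stripped == "}":
        return depth - 1
    if stripped.endswith("{"):
        return depth + 1
    return depth


def first_token(line: str) -> str:
    tokens = line.split()
    return tokens[0] if tokens else ""


def stanza_end(lines: List[str], start: int) -> int:
    """Index of the line closing the stanza that opens at lines[start]."""
    depth = 0
    for i in range(start, len(lines)):
        depth = depth_after(lines[i], depth)
        if depth == 0:
            return i
    raise ValueError("unbalanced braces in stanza starting at line %d" % (start + 1))


def clean_stanza(stanza: List[str]) -> Tuple[List[str], List[str]]:
    """Drop profile-level keys, but only if a cert-key-chain block exists."""
    depth, annotated = 0, []
    for line in stanza:
        annotated.append((line, depth))  # depth *before* this line
        depth = depth_after(line, depth)
    if not any(d == 1 and first_token(l) == "cert-key-chain" for l, d in annotated):
        return stanza, []
    kept, removed = [], []
    for line, d in annotated:
        if d == 1 and first_token(line) in PROFILE_LEVEL_KEYS:
            # Record the option name only, so passphrase values stay out of logs.
            removed.append(first_token(line))
        else:
            kept.append(line)
    return kept, removed


def strip_profile_level_keys(config: str) -> Tuple[str, List[str]]:
    """Return (cleaned config text, names of removed profile-level options)."""
    lines = config.splitlines()
    out: List[str] = []
    removed: List[str] = []
    i = 0
    while i < len(lines):
        tokens = lines[i].split()
        if tokens[:3] == ["ltm", "profile", "client-ssl"] and tokens[-1] == "{":
            end = stanza_end(lines, i)
            kept, dropped = clean_stanza(lines[i:end + 1])
            out.extend(kept)
            removed.extend(dropped)
            i = end + 1
        else:
            out.append(lines[i])
            i += 1
    return "\n".join(out), removed


if __name__ == "__main__":
    cleaned, removed = strip_profile_level_keys(SAMPLE_CONFIG)
    print("removed profile-level options:", removed)
    print(cleaned)
```
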
713708-6 : Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI
Component: TMOS
Symptoms:
On the BIG-IP GUI, under System :: Software Management :: Update Check, after pressing 'Check now', the 'Available Update' shows a long string 'OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install' instead of the EPSEC version, e.g.: epsec-1.0.0-679.0.
Conditions:
-- Under System :: Software Management :: Update Check.
-- Press 'Check now'.
Impact:
Cannot determine what version is available by viewing 'Available Update'. Although this is how all the other updates work, it can result in a confusing BIG-IP user experience.
Workaround:
To have the browser show the link's destination address, view the browser's status fields while hovering the cursor over the following link text: OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install.
713585-2 : When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long
Solution Article: K31544054
Component: Local Traffic Manager
Symptoms:
Config load could be very long and CPU usage very high.
Conditions:
There are many iRules and they are installed on many virtual servers.
Impact:
BIG-IP system performance could be degraded during the load and may cause system lock up.
Workaround:
Run "tmsh modify sys db rule.validation value syntax". This causes iRule validation to check iRule syntax only; the semantic checks will not be performed.
713519-1 : Enabling MCP Audit logging does not produce log entry for audit logging change
Component: TMOS
Symptoms:
When you enable MCP audit logging, the action of changing the audit logging entry is not logged. All actions after the configuration change are logged.
Conditions:
This occurs when enabling MCP audit logging.
Impact:
The audit logging change itself is not logged in the audit logs.
Workaround:
None.
713138-3 : TMUI ILX Editor inserts an unnecessary linefeed
Component: TMOS
Symptoms:
If you use the TMUI editor for ILX, the system will append a linefeed character every time you save. This is not usually apparent, but if you edit the file, then delete your changes, and then save it, it will still register as changed.
A message indicates the need to refresh the workspace, and the actual content of the file will change, but not the functionality.
Conditions:
Edit a workspace file in ILX via the TMUI editor (i.e., the GUI).
Impact:
File contents can change unexpectedly and have needless characters at the end.
Workaround:
Use TMSH, or an editor other than TMUI, to change those files.
713134-1 : Small tmctl memory leak when viewing stats for snapshot files
Component: TMOS
Symptoms:
When viewing statistics for snapshot files, tmctl leaks a small amount of memory and displays the message:
tmctl: BUG: tmstat_dealloc invoked on a handle with rows outstanding; release all rows before calling tmstat_dealloc at <address>
Conditions:
Using tmctl to view statistics of snapshot files, for example:
tmctl -D /shared/tmstat/snapshots memory_usage_stat -s time,name,allocated,max_allocated name=access
Impact:
Errors written to output when running tmctl. The leak itself is very small and is only for tmctl (i.e., it does not have a cumulative, detrimental effect on the system that a TMM or MCP leak might).
Workaround:
None.
712489-1 : TMM crashes with message 'bad transition'
Component: Local Traffic Manager
Symptoms:
TMM crashes under a set of conditions in which the system detects an internal inconsistency. The system posts an error similar to the following in the LTM and TMM logs:
crit tmm[18755]: 01010289:2: Oops @ 0x2285e10:5157: bad transition
Conditions:
Conditions that cause this to happen are not predictable, but these might make it more likely:
-- FastL4 virtual server and HTTP are configured
-- db variable tmm.oops set to 'panic'.
-- Client sends three GET requests at once, and then closes the connection after a few seconds.
-- The server sends a partial 'Connection: close' response.
Impact:
TMM crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
712335-2 : GTMD may intermittently crash under unusual conditions.
Component: Global Traffic Manager (DNS)
Symptoms:
GTMD may intermittently crash when an unexpected error occurs while creating a statistics row for a resource added to the configuration.
Conditions:
-- A pool member is added to the system.
-- There is an unexpected failure to create the associated statistics row.
Impact:
GTMD restarts. Global traffic functionality is not available while GTMD is restarting.
Workaround:
There is no workaround at this time.
712102-1 : Customizing or changing the HTTP Profile's IPv6 field hides the field or the row
Solution Article: K11430165
Component: TMOS
Symptoms:
Customizing or changing the HTTP Profile's IPv6 field hides the field or the row.
Conditions:
Customizing or changing the HTTP Profile's IPv6 field.
Impact:
The HTTP Profile's IPv6 field cannot be customized or changed.
Workaround:
Use tmsh to set the HTTP Profile's IPv6 field.
712033-3 : When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name
Component: TMOS
Symptoms:
When you make a REST request to an association list in /stats, you get a duplicate name in the selfLink after members in both the entries and the selfLink, e.g.:
# restcurl -X GET -u admin /tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats
{
"kind": "tm:ltm:pool:members:membersstats",
"generation": 3,
"selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats?ver\u003d14.0.0",
"entries": {
"https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/~Common~node1:8105/stats": {
Conditions:
When making a REST request to an object in /stats that is an association list.
Impact:
The selfLink has a duplicate name. SelfLinks for associations do not work.
Workaround:
None.
711818-4 : Connection might get reset when coming to virtual server with offload iRule
Component: Application Security Manager
Symptoms:
When the IN_DOSL7_ATTACK event is triggered and the iRule has an async command in it, events might be released out of order, causing a connection RST.
Conditions:
1. Have DoS profile with iRule turned on.
2. iRule is async (such as wait, DNS resolving, etc.).
3. Send POST request.
Impact:
Connection receives a RST.
Workaround:
There is no workaround at this time.
711683-1 : bcm56xxd crash with empty trunk in QinQ VLAN
Component: TMOS
Symptoms:
When an empty trunk (no members) is configured 'tagged' in a QinQ VLAN, bcm56xxd will continuously crash.
Conditions:
Trunk with no members, configured as 'tagged' in a QinQ VLAN.
Impact:
bcm56xxd continuously crashes.
Workaround:
Use either of the following workarounds:
-- Add members to the trunk.
-- Remove the trunk from the QinQ VLAN.
710930-2 : Enabling BigDB key bigd.tmm may cause SSL monitors to fail
Component: Local Traffic Manager
Symptoms:
When bigd.tmm is enabled, SSL monitors may begin to fail.
Conditions:
-- The in-tmm monitoring feature is enabled via the bigd.tmm db variable (it is disabled by default)
-- The cipher string of the attached SSL profile uses keywords that are invalid with TMM.
Impact:
The cipher string will no longer be valid when bigd.tmm is enabled and the keywords will need to be modified or removed. SSL monitors begin to fail after modifying bigd.tmm.
Workaround:
Modify or remove incompatible keywords from the ciphers string; the in-tmm monitoring feature only allows ciphers that are allowed by SSL profiles.
710809-3 : Restjavad hangs and causes GUI page timeouts
Component: Device Management
Symptoms:
Restjavad stops responding, causing GUI page timeouts.
Conditions:
The conditions behind this issue are not known.
Impact:
restjavad is active, but all endpoints are nonresponsive.
Workaround:
Restart restjavad.
710666-2 : VE with interface(s) marked down may report high cpu usage
Component: TMOS
Symptoms:
The "tmm" process may appear to be running at 90% or above in Linux CPU reporting utilities such as "top" or "ps", even if the system is not handling a large amount of traffic.
In this case, "tmsh show sys tmm-info" continues to report tmm's CPU usage accurately.
Conditions:
- BIG-IP Virtual Edition
- One or more interfaces configured and used in the BIG-IP configuration are marked down
Impact:
tmm consumes CPU cycles even when idle. This may impact other guests running on the same hardware if the hypervisor has oversubscribed its CPU resources.
Workaround:
Disable any interface that is currently marked down.
For example:
tmsh modify net interface 1.1 disabled
and then restart tmm:
bigstart restart tmm
710044-4 : Portal Access: same-origin AJAX request may fail in some cases.
Component: Access Policy Manager
Symptoms:
If the base URL for the current HTML page contains the default port number, a same-origin AJAX request from this page may fail via Portal Access.
Conditions:
- HTML page with explicit default port in base URL, for example:
<base href='https://some.com:443/path/'>
- Same-origin AJAX request from this page, for example:
var xhr = new XMLHttpRequest;
xhr.open('GET', 'some.file');
Impact:
Web application may not work correctly.
Workaround:
You can use an iRule to remove the default port number from the encoded back-end host definition in Portal Access requests, for example:
when RULE_INIT {
    # hex-encoded string for 'https://some.com'
    set ::encoded_backend {68747470733a2f2f736f6d652e636f6d}
    # '3a343433' is the hex-encoded form of ':443'
    set ::pattern "/f5-w-${::encoded_backend}3a343433\$"
    # index of the last character of '3a343433' within the pattern
    set ::remove_end [ expr { [ string length $::pattern ] - 2 } ]
    # index of the first character of '3a343433' (8 characters in total)
    set ::remove_start [ expr {$::remove_end - 7} ]
}
when HTTP_REQUEST {
    if { [HTTP::path] starts_with "$::pattern" } {
        # cut the encoded ':443' out of the path
        set path [ string replace [HTTP::path] $::remove_start $::remove_end "" ]
        HTTP::path "$path"
    }
}
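The hex constants in the iRule above are specific to 'https://some.com' and ':443'. The following Python model is an added example (not F5 code and not part of the original release note) that derives the pattern for any back-end origin and default port and replays the iRule's index arithmetic offline. The helper names and the sample request paths, including their '$$/...' tails, are constructed for illustration.

```python
"""Offline model of the 710044 workaround iRule (added example, not F5 code)."""

PREFIX = "/f5-w-"  # path prefix used in the iRule's pattern


def hex_encode(text):
    """Hex-encode ASCII text the way the iRule's constants are written."""
    return text.encode("ascii").hex()


def build_pattern(origin, port):
    """Return the path prefix the iRule matches: encoded origin + ':port' + '$'."""
    return PREFIX + hex_encode(origin) + hex_encode(":%d" % port) + "$"


def strip_default_port(path, origin, port=443):
    """Mirror the HTTP_REQUEST handler: drop the encoded ':port' from the path.

    Paths that do not start with the pattern are returned unchanged.
    """
    pattern = build_pattern(origin, port)
    if not path.startswith(pattern):
        return path
    port_hex_len = len(hex_encode(":%d" % port))
    remove_end = len(pattern) - 2                 # last character of the encoded port
    remove_start = remove_end - port_hex_len + 1  # iRule: remove_end - 7 for ':443'
    # Tcl 'string replace' removes the inclusive range [remove_start, remove_end].
    return path[:remove_start] + path[remove_end + 1:]


# Constructed sample request paths (hypothetical; not captured traffic).
ORIGIN = "https://some.com"
WITH_PORT = build_pattern(ORIGIN, 443) + "$/path/some.file"
# A non-default port that merely begins with '443' must not be rewritten.
OTHER_PORT = PREFIX + hex_encode(ORIGIN + ":4430") + "$$/path/some.file"

if __name__ == "__main__":
    print(build_pattern(ORIGIN, 443))
    print(strip_default_port(WITH_PORT, ORIGIN))
    print(strip_default_port(OTHER_PORT, ORIGIN))  # unchanged: port is 4430
```

Because the pattern ends in '$', a port such as 4430 does not match and its path is left untouched.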
709963-1 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
Component: Local Traffic Manager
Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.
Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.
Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.
Workaround:
Ensure the number of trunk interfaces is a power of 2: 2, 4, or 8.
709837-1 : Cookie persistence profile may be configured with invalid parameter combination.
Component: Local Traffic Manager
Symptoms:
Configuring Cookie persistence profile via TMSH or iControl REST allows invalid parameter combinations.
Conditions:
Cookie persistence profile is configured via TMSH or iControl REST. TMUI is not affected.
Impact:
Invalid parameters for any method type of a Cookie persistence profile are ignored by TMM; there is no functional impact.
Workaround:
Use only the allowed parameters of each method type when Cookie persistence is configured via TMSH or iControl REST.
709559-1 : LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name
Component: TMOS
Symptoms:
Loading configuration fails on upgrade.
Conditions:
Must have a profile named "/Common/ssh" and must be upgrading to v12.1.2.
Impact:
The system will not be functional.
Workaround:
Delete or rename "/Common/ssh".
709444-1 : "NTP not configured on device" warning seen when NTP symmetric key authentication is configured
Component: TMOS
Symptoms:
When NTP symmetric key authentication is configured, as per https://support.f5.com/csp/article/K14120, and the BIG-IP is part of a device service cluster, then a warning similar to this will be seen periodically in /var/log/ltm:
warning mcpd[6317]: 01071af0:4: NTP not configured on device 1.2.3.4 - within a trust
Conditions:
- NTP symmetric key authentication must be configured.
- The BIG-IP must be part of a device service cluster.
- Non-authenticated NTP servers must not be in use.
Impact:
Incorrect NTP warnings are seen periodically in /var/log/ltm.
Workaround:
There is no workaround at this time.
709383-1 : DIAMETER::persist reset non-functional
Component: Service Provider
Symptoms:
When the iRule DIAMETER::persist reset is called, it is meant to remove existing persistence records from diadb. Without this bug fix, calling DIAMETER::persist reset has no effect and the persistence record remains.
Conditions:
Diameter session profile has persistence enabled and an iRule attempts to remove a persistence record.
Impact:
You are unable to remove diameter persistence entries.
Workaround:
None.
709381-1 : iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out.
Component: Local Traffic Manager
Symptoms:
An iRules LX plugin does not properly run and messages similar to the following example are logged to the /var/log/ltm file:
err tmm[17616]: 01220001:3: TCL error: /Common/my-plugin/my-rule <HTTP_REQUEST> - ILX timeout. invoked from within "ILX::call $ilx_handle -timeout 3000 my-function"
Conditions:
An iRules LX workspace archive is imported to BIG-IP version 13.1.0 or later from a previous software version.
Note that this is what happens during a regular software upgrade. Therefore, you might encounter this issue when upgrading a system to BIG-IP version 13.1.0 or later.
Impact:
The affected iRules LX are not functional under the new software version, and the virtual servers utilizing them will experience various failures.
Workaround:
Change the node version from 0.12.15 to 6.9.1 and back.
708415-3 : Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled
Component: TMOS
Symptoms:
When setting the flow control value of an interface with a copper SFP to any value other than 'none' and the link partner has flow control disabled on their end, the interface stats will not reflect the configured flow control setting. This is because the interface stats reflect the negotiated link state rather than the advertised capabilities.
Conditions:
-- BIG-IP device is using copper SFPs.
-- Flow control is enabled on an interface.
-- That interface is connected to another device where flow control has not been enabled.
For example, an administrator might perform the following on a BIG-IP system with a copper SFP on interface 1.1:
# modify net interface 1.1 flow-control tx-rx
# show net interface 1.1 all-properties
Under the 'Flow Ctrl' column of the interface properties, the value will indicate 'none' even though the interface was configured to enable transmit and receive flow control. This is because the column does not indicate the advertised capabilities but rather the negotiated property of the link.
Impact:
There is no functional impact, as flow control cannot be performed until both link partners agree to support it.
Workaround:
Flow control must be enabled on the remote device and the link must be re-negotiated, in order for the flow control configuration to take effect and be reflected in the interface properties of the link.
708063 : In older RAID BIG-IP systems, storage provisioning is not possible when a drive is missing.
Component: TMOS
Symptoms:
Any task requiring modification of application storage volumes does not succeed. This includes re-provisioning, which occurs automatically during software upgrades.
Conditions:
-- When a drive is not present in a drive bay on the following platforms:
+ BIG-IP 6900
+ BIG-IP 8900
+ BIG-IP 10000
+ BIG-IP 11050
-- An application that requires storage volumes is provisioned, such as ASM.
Impact:
Tasks requiring modification of application storage volumes, such as software upgrades or re-provisioning, fail.
Workaround:
Check RAID status before software upgrades or re-provisioning. Address any degraded RAID issues, such as a missing drive, before upgrades and/or re-provisioning.
707953-3 : Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page
Component: Access Policy Manager
Symptoms:
APM and APM Lite licenses are not distinguishable from the Provisioning UI: they both show as Licensed, but APM Lite only includes licenses for 10 sessions.
Conditions:
Viewing APM and APM Lite licenses in the GUI.
Impact:
Cannot distinguish the difference in types of licenses.
Workaround:
Check the license file and verify which type of APM license is enabled: mod_apm (Full APM) or mod_apml (APM Lite).
707631-3 : The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI
Component: TMOS
Symptoms:
The 'SYN Challenge Handling' setting of a TCP profile can be reverted to defaults when a TCP profile is updated using the BIG-IP management GUI.
Conditions:
The SYN Challenge Handling settings of a TCP profile have previously been set to non-default values, and a configuration change is later made to the same TCP profile using the GUI.
Impact:
Loss of TCP profile SYN challenge configuration settings.
Workaround:
In the GUI, specifically set the SYN Challenge Handling fields after making an update to other TCP profile fields, or use tmsh to make the changes instead.
SYN Challenge
GUI Setting: Nominal
TMSH:
syn-cookie-enable enabled
syn-cookie-whitelist disabled
GUI Setting: Challenge and Remember
TMSH:
syn-cookie-enable enabled
syn-cookie-whitelist enabled
GUI Setting: Disable Challenges
TMSH:
syn-cookie-enable disabled
syn-cookie-whitelist disabled
707445-4 : Nitrox 3 compression hangs/unable to recover
Solution Article: K47025244
Component: TMOS
Symptoms:
LTM logs show the following message:
Nitrox 3, Hang Detected: compression device was reset
When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.
Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.
Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.
Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.
Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.
There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:
A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).
Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.
707054-2 : SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162
Component: Advanced Firewall Manager
Symptoms:
User cannot configure SYN Cookie MSS values for Fast L4 Profiles outside of 256-9162.
Conditions:
When SYN cookies are activated, the SYN Cookie MSS value is set to < 256.
Impact:
When SYN cookies are activated, a server-side MSS lower than the SYN Cookie MSS lower limit cannot be honored on the client side. As a result, the server side discards data segments larger than the SYN Cookie MSS lower limit.
706804-2 : SNMP trap destination configuration of network option is missing "default" keyword
Component: TMOS
Symptoms:
When SNMP trap destinations are configured, the user can specify the network that the traps are transmitted out from. By default, the routing table is consulted. Use the network keyword to overwrite this with either "management" or "other". There is also a "default" keyword, which was removed since it was confusing. However, this broke backward compatibility of the REST API; so, it was put back.
Conditions:
Including the "network default" keywords in trap configuration reports an error with version 13.0.0 where the "default" keyword was removed.
Impact:
Existing scripts may encounter errors if they used this keyword.
Workaround:
Don't use the "default" keyword with the snmp trap destination network configuration.
706797-2 : Portal Access: some multibyte characters in JavaScript code may not be handled correctly
Component: Access Policy Manager
Symptoms:
If JavaScript code contains a multi-byte character whose last byte is 0x0A after conversion to UTF-32 form, the Portal Access server-side JavaScript parser handles this character as NEW LINE. If NEW LINE is not valid in this place, the JavaScript code cannot be parsed.
Conditions:
JavaScript code with a multi-byte character whose last byte is 0x0A after conversion to UTF-32 form, for example:
//上 aa bb
(上) gives (4E 0A) in UTF-32 form, so this line is processed as the following TWO lines:
//
aa bb
The second line is not valid JavaScript code.
Impact:
Web application may not work correctly.
Workaround:
There is no workaround at this time.
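To find out whether a web application served through Portal Access contains such characters, its JavaScript can be scanned before deployment. The following Python scanner is an added example (not F5 code and not part of the original release note). It applies the criterion stated above to every non-ASCII character and also models how an affected line would be split; the function names and the sample source are constructed for illustration.

```python
"""Scan JavaScript source for characters affected by issue 706797 (added example)."""

NEWLINE_BYTE = 0x0A  # low-order byte the release note says is handled as NEW LINE


def is_risky(ch):
    """True for a non-ASCII character whose UTF-32 form ends in byte 0x0A."""
    cp = ord(ch)
    return cp > 0x7F and (cp & 0xFF) == NEWLINE_BYTE


def find_risky_chars(js_source):
    """Return (line, column, 'U+XXXX', utf32_be_hex) for each affected character.

    Lines are split on LF only; columns are 1-based character offsets.
    """
    hits = []
    for line_no, line in enumerate(js_source.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_risky(ch):
                cp = ord(ch)
                hits.append((line_no, col, "U+%04X" % cp, "%08x" % cp))
    return hits


def simulate_misparse(line):
    """Model the behaviour described above: each affected character acts as a
    line break, so one source line is seen as several."""
    return "".join("\n" if is_risky(ch) else ch for ch in line).split("\n")


# Constructed sample source. \u4e0a is the character from the release note;
# \u4e0b (low byte 0x0B) is not affected; \u010a is a Latin letter that is.
SAMPLE_JS = (
    "var a = 1;\n"
    "//\u4e0a aa bb\n"
    "var s = '\u4e0b';\n"
    "var name = '\u010a';\n"
)

if __name__ == "__main__":
    for line_no, col, code_point, utf32 in find_risky_chars(SAMPLE_JS):
        print("line %d col %d: %s (UTF-32 %s)" % (line_no, col, code_point, utf32))
    print(simulate_misparse("//\u4e0a aa bb"))
```

Characters the scanner reports can be replaced in the source with their `\uXXXX` escape where they occur inside string literals, or removed from comments.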
706685-4 : The web UI becomes unresponsive after certain commands
Component: TMOS
Symptoms:
The web UI becomes unresponsive after certain commands.
Conditions:
Running certain commands.
Impact:
The web UI becomes unresponsive.
Workaround:
Reload the page.
706505-3 : iRule table lookup command may crash tmm when used in FLOW_INIT
Component: Local Traffic Manager
Symptoms:
iRule table lookup command may crash tmm when used in FLOW_INIT.
Conditions:
iRule table lookup command is used in FLOW_INIT.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use table lookup in the events after the flow is constructed.
706374-5 : Heavy use of APM Kerberos SSO can sometimes lead to memory corruption
Component: Access Policy Manager
Symptoms:
Kerberos SSO under high load can sometimes lead to system instability.
Conditions:
APM users using Kerberos SSO to access backend resources.
Impact:
This might result in unpredictable behavior such as memory corruption or core. However, the occurrence is rare since it only impacts concurrent DNS SRV requests to resolve different KDCs.
Workaround:
There is no workaround.
706184 : Disabling l7dos using LTM policy, and original DoS on the virtual server has no features enabled, connection hangs
Component: Application Security Manager
Symptoms:
Using an LTM policy rule to disable l7dos when the DoS profile on the virtual server contains an application profile with no feature enabled, causes the transaction to hang instead of forwarding the request to server.
Conditions:
-- LTM policy with 'disable l7dos' rule.
-- DoS profile on a virtual server contains an application profile without any features enabled.
Impact:
The connection hangs. Requests are not forwarded to server.
Workaround:
Enable any DoS application feature in the DoS profile attached to the virtual server (e.g., bot signatures, proactive bot defense, TPS-based DoS Detection, etc.).
The profile can be disabled by default using the LTM rules.
705651-2 : Async transaction may ignore polling requests
Component: TMOS
Symptoms:
Querying for the status of an asynchronous transaction by making a GET request may cause the query to block. The transaction will complete, even though the query may return an error status (400) to indicate that the GET request timed out.
Conditions:
A typical asynchronous transaction that returns a 202 status to indicate that you successfully created a transaction.
Impact:
The query returns an error.
Workaround:
To avoid having the query request block, refrain from querying the transaction for status.
705502-1 : Create download URL for APM CLI client rpm/deb packages for x86_64 for armhf and Linux platforms
Component: Access Policy Manager
Symptoms:
APM CLI client rpm/deb packages are not available for download on the BIG-IP admin portal.
Conditions:
APM Client ISO v7181 includes APM CLI client rpm/deb packages, but they are not available for download on BIG-IP v14.0.x and v13.1.x.
Impact:
APM CLI client rpm/deb packages are not available for download/install.
Workaround:
Use SSH to download the packages from BIG-IP.
705442 : GUI Network Map objects search on Virtual Server IP Address and Port does not work
Component: TMOS
Symptoms:
Searching for a Virtual Server using the IP Address and Port of the Virtual Server does not work.
Conditions:
Create a Virtual Server with name vs1 and address.
Impact:
Users are unable to search using an IP Address to filter Virtual Server results.
Workaround:
There is no workaround at this time.
705112-3 : DHCP server flows are not re-established after expiration
Component: Local Traffic Manager
Symptoms:
DHCP relay agent does not have server flows connecting to all active DHCP servers after a while.
Conditions:
- More than one DHCP server is configured for a DHCP virtual.
- Server flows time out in 60 seconds.
Impact:
DHCP server traffic not load balanced.
Workaround:
None.
704681 : Kernel panic with mcpd or system shutdown
Component: TMOS
Symptoms:
Kernel panic possible when mcpd shutdown occurs. The mcpd shutdown may be explicit (bigstart stop), or as a side-effect of system shutdown.
Conditions:
Conditions are rare and require encountering a small timing window.
-- vCMP on bare-metal systems.
-- Multiple admin domains defined.
-- At least two admin domains have a default route interface called 'tmm'.
-- The problem occurs when route-domains are cleaned up (via mcpd exit) and the kernel sees two interfaces with the same name (tmm) being moved back to the system default route domain.
Impact:
The system crashes when running the following command: bigstart stop. Otherwise, there is a kernel panic when the system shuts down.
Workaround:
None.
704524-5 : [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries
Component: Access Policy Manager
Symptoms:
Kerberos DNS SRV requests do not contain EDNS headers. Without this header, the DNS server truncates UDP responses that are greater than 512 bytes, causing the DNS request to be re-sent over TCP connections. This results in unnecessary round trips in order to resolve DNS SRV queries.
Conditions:
APM users using Kerberos SSO to access backend resources.
Impact:
Increased latency of HTTP request processing. If the number of APM users is large, then this issue is magnified.
Workaround:
There is no workaround at this time.
704450-4 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
Component: Local Traffic Manager
Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').
Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.
Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.
Workaround:
Reduce the load on the system.
704449-1 : Orphaned tmsh processes might eventually lead to an out-of-memory condition
Component: TMOS
Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.
An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:
/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh
If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.
Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.
Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.
Workaround:
There are several workarounds for this issue:
-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Halt orphaned tmsh processes.
704336-5 : Updating 3rd party device cert not copied correctly to trusted certificate store
Component: TMOS
Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.
Conditions:
Updating Device certificate which also includes multiple intermediate and root certificates.
Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.
Workaround:
Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.
703984-8 : Machine Cert agent improperly matches hostname with CN and SAN
Component: Access Policy Manager
Symptoms:
MacOS Machine certificate agent matches the configured hostname with the actual hostname upon a beginning partial string match.
Conditions:
MacOS APM client using Machine Certificate Check agent.
Impact:
Hostname match may be incorrect in these cases.
Workaround:
There is no workaround at this time.
703509-3 : Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled
Component: TMOS
Symptoms:
Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled.
...notice tmsh[32418]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
...notice tmsh[32418]: 01420003:5: The current session has been terminated.
...err tmsh[32417]: 01420006:3: Project-Id-Version: f5_tmsh 9.7.0 POT-Creation-Date: 2008-05-13 16:18-0700 PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE Last-Translator: F5 Networks <support@f5.com> Language-Team: LANGUAGE <en@li.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit
...err tmsh[32415]: 01420006:3: UCS saving process failed.
Conditions:
The default admin account is disabled, using an alternate user that has the administrator role.
Impact:
User is unable to save the configuration.
Workaround:
A user with the administrator role can save the config.
The root user can save the config.
703266-1 : Potential MCP memory leak in LTM policy compile code
Component: Local Traffic Manager
Symptoms:
Failure in processing an LTM policy may result in an MCP memory leak.
Conditions:
When Centralized Policy Management (CPM) fails to process an LTM policy.
Impact:
MCP memory leak.
Workaround:
There is no workaround at this time.
703165-3 : shared memory leakage
Component: Advanced Firewall Manager
Symptoms:
Processes that require shared memory to operate are failing (e.g. pabnagd).
Conditions:
Many shmem segments allocated and used by tmm.
Impact:
Potential failures in any process that requires shared memory segments, causing lack of services such as learning (bd+pabnagd), request logging (pabnagd+asm-config), etc.
Workaround:
There is no workaround at this time.
703090-3 : With many iApps configured, scriptd may fail to start
Component: TMOS
Symptoms:
If many iApp instances are installed, scriptd may have issues starting up, including the log message:
"script has exceeded its time to live, terminating the script"
Conditions:
This occurs when many iApp instances exist. F5's internal testing has been able to show that it occurs with 70 instances.
Impact:
The error message will show up, and some instances of the script will not run.
Workaround:
Restarting scriptd will resolve the issue.
702439-4 : Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
Solution Article: K04964898
Component: Local Traffic Manager
Symptoms:
If the HTTP/2 configuration header_table_size is changed from the default value of 4096, then streams will be reset with a RST_STREAM error.
Conditions:
The header_table_size field in the HTTP/2 profile is changed from the default.
Impact:
HTTP/2 connections will be unusable.
Workaround:
Set the header table size argument back to its default.
701977-6 : Non-URL encoded links to CSS files are not stripped from the response during concatenation
Component: WebAccelerator
Symptoms:
Non-URL encoded links to CSS files are not stripped from the response during concatenation.
Conditions:
White space in the URLs.
Impact:
As above.
Workaround:
No workaround at this time.
701341-3 : If /config/BigDB.dat is empty, mcpd continuously restarts
Solution Article: K52941103
Component: TMOS
Symptoms:
If another issue causes /config/BigDB.dat to be empty, mcpd will fail to start up.
Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.
Impact:
The system will fail to start up, and mcpd will continually restart.
Workaround:
Remove this empty file. (If BigDB.dat is nonexistent, the issue will not occur.)
701232-3 : Two-way iQuery connections fail to get established between GTM devices with the same address on different networks connected through address translation
Component: Global Traffic Manager (DNS)
Symptoms:
Two GTM devices that have the same local IP address are not able to establish an iQuery connection, even when a translated address is configured.
Conditions:
This condition may occur if two GTM servers have the same self IP address on separate networks that are attempting to use address translation to establish a connection.
Impact:
When one or more GTM devices attempt to establish an iQuery connection to another device, it actually establishes a connection with itself instead of the other device.
Workaround:
To resolve the issue:
1. Configure the devices to have different self IP addresses.
2. Change the addresses and translated addresses of the corresponding GTM servers to match the new configuration using the following example command:
tmsh modify gtm server <server_name> addresses ...
701025-3 : BD restart on a device where 'provision.tmmcountactual' is set to a non-default value
Component: Application Security Manager
Symptoms:
BD restarts with this error:
Plugin configuration load timeout. Exiting.
Conditions:
The db variable 'provision.tmmcountactual' is set to a number lower than the actual CPU count.
Impact:
BD restarts continuously.
Workaround:
You can use any of these workarounds:
-- In the GUI, set 'RWThreads' under Security :: Options : Application Security : Advanced Configuration : System Variables.
-- Use the 'add_del_internal' utility:
----------------------
# /usr/share/ts/bin/add_del_internal
USAGE:
/usr/share/ts/bin/add_del_internal add <param_name> <param_value> [--default <default_value>]
/usr/share/ts/bin/add_del_internal update <param_name> <param_value> [--default <default_value>]
/usr/share/ts/bin/add_del_internal delete <param_name>
----------------------
-- Set the bd internal parameter num_rw_threads to the number of plugin channels that TMM expects.
-- Revert 'provision.tmmcountactual' sys db to the default value.
699733-1 : DNS NOTIFY not sent to mgmt IP under Zone Transfer Clients list after DNS Express zone update
Component: Global Traffic Manager (DNS)
Symptoms:
When entries in a DNS Express zone are updated, the BIG-IP system does not send DNS NOTIFY to nameservers that have IP addresses from the mgmt subnet and are listed under Zone Transfer Clients.
Conditions:
* Nameserver has an IP address from the mgmt subnet.
* Nameserver is listed under Zone Transfer Clients of the DNS Express zone.
* DNS Express zone gets entries updated.
Impact:
BIG-IP system does not send NOTIFY request to the nameserver.
Workaround:
There is no workaround at this time.
699512-4 : DNS request can be dropped when queued in parallel with another request
Component: Global Traffic Manager (DNS)
Symptoms:
DNS requests can be dropped.
Conditions:
1. When two DNS requests are received in quick succession with matching IP/Port pairs.
2. The UDP DNS virtual does not use datagram LB mode.
Impact:
DNS requests may be dropped.
Workaround:
Configure the virtual server for UDP profile with datagram LB mode enabled.
698836-1 : Increased APM session capacity is not available after installing an APM session count License
Component: Access Policy Manager
Symptoms:
Unable to use extra capacity after installing an APM add-on license with a larger session count.
Conditions:
This occurs when the add-on License generated lacks the mod_apm license, meaning that no full APM license was previously installed, only the APM Light license (which constrains connections to a 10-session maximum).
To determine whether this condition exists, check the bigip.license file, or execute the following command: tmsh show sys license details. If only mod_apml is present and session counts are higher than 10, then the system is in the condition that triggers the problem.
Impact:
Unable to use extra session capability; can use only the 10-session maximum provided by the APM Light license.
Workaround:
Contact your F5 sales representative to get the correct APM add-on license with mod_apm, as well as the additional session count capability.
698619-3 : Disable port bridging on HSB ports for non-vCMP systems
Component: TMOS
Symptoms:
Internal packets flooded on internal switch interfaces by the HSB can be bridged back to the HSB on BIG-IP 5000/7000 and VIPRION B2100 blades configured to enable port bridging by the switch.
Conditions:
-- Packets being flooded from the HSB to VLAN members when adding/deleting VLANs.
-- Non-vCMP systems.
-- Virtual server configured for Direct Server Return (DSR or nPath Routing).
Impact:
This can result in packet flooding back to the HSB and potential network saturation.
Workaround:
None.
698432-1 : Invalid error messages: warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Component: TMOS
Symptoms:
Loading a UCS in a vCMP guest which was taken from a different guest or a hardware device can produce the following error messages:
warning mcpd[5953]: 012a0004:4: halStorageRead: unable to read storage on this platform.
warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
This is a cosmetic issue that occurs when the encrypted master key on a vCMP guest cannot be decrypted with the unit key of that system. This most often occurs when a UCS taken on a different guest is loaded.
Conditions:
Taking a UCS from one vCMP guest or hardware device and loading it onto a different vCMP guest.
Note: F5 does not support this configuration.
Impact:
Although there is no adverse effect on the system, error messages will be logged.
Workaround:
None.
698211-4 : DNS express response to non-existent record is NOERROR instead of NXDOMAIN.
Solution Article: K35504512
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS express response to a non-existent record is NOERROR instead of NXDOMAIN.
Conditions:
Delete a wildcard resource record from the related DNS Express zone.
Impact:
DNS returns the incorrect response.
Workaround:
Delete the old db files: /var/db/tmmdns.bin and /var/db/zxfrd.bin, and then restart zxfrd.
697590-3 : APM iRule ACCESS::session remove fails outside of Access events
Component: Access Policy Manager
Symptoms:
ACCESS::session remove fails.
Conditions:
iRule calling ACCESS::session remove outside of Access events.
Impact:
The APM iRule command ACCESS::session remove fails to remove the session.
Workaround:
Use "ACCESS::session modify" and set the timeout/lifetime to something small, like 1 second. This should cause the session to be deleted due to timeout almost immediately, but note that it will show up in logs as timeout.
696731-4 : The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
Solution Article: K94062594
Component: TMOS
Symptoms:
The standard LinkUp/LinkDown traps are issued when a port's status changes; that is, the link goes up or down. Additionally, the network manager can administratively enable and disable ports. For some platforms, there is no reliably issued standard LinkUp/LinkDown trap when a port is administratively enabled/disabled.
Conditions:
Administratively disabling an interface on the BIG-IP system.
Impact:
May issue only the F5 Link change trap and not the additional standard MIB trap. The standard LinkUp/LinkDown traps may not be issued.
Workaround:
Use the F5-proprietary MIB: 1.3.6.1.4.1.3375.2.4.0.37 F5-BIG-IP-COMMON-MIB::BIG-IPExternalLinkChange trap to track administrative changes to links.
693901-5 : Active FTP data connection may change source port on client-side
Component: Local Traffic Manager
Symptoms:
The active FTP data connection on the client side may use a source port other than the one configured in the 'Data Port' parameter of the FTP profile.
Conditions:
FTP profile is attached to a virtual server and the 'Data Port' parameter is either left as default (20) or defined as a specific value.
Impact:
Active FTP data connection may be blocked by firewalls that expect a pre-defined source port.
Workaround:
None.
689491-2 : cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled
Component: TMOS
Symptoms:
CPU usage stats are incorrect, and the system looks idle when it is actually busy.
Conditions:
vcmp guests with 1-core or htsplit disabled
Impact:
CPU stats are incorrect, which might make it difficult to troubleshoot problems.
689361-5 : Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)
Component: Local Traffic Manager
Symptoms:
It is possible for an overwrite-configsync to change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device.
Conditions:
Two pool members are monitored; and one references a node not responding to ICMP requests; and a gateway_icmp monitor is on both nodes; and an overwrite-configsync is initiated from a paired device, where the node does respond to ICMP requests from that paired device.
Impact:
The overwrite-configsync causes the 'unchecked' monitor to transition to 'up', when it should remain 'unchecked' for the device to which the node does not respond to ICMP requests.
Workaround:
Configure the network so that a monitored node responds to ICMP requests from both (or neither) of the paired devices. Alternatively, initiate configuration changes only from the device to which the node will not respond to ICMP requests.
688399-3 : HSB failure results in continuous TMM restarts
Component: TMOS
Symptoms:
The TMM is continually restarted due to lack of HSB PDE device. When this issue occurs, HSB errors may be present in the TMM log files, prior to a TMM core (SIGSEGV).
Conditions:
It's unknown how this issue occurs.
Impact:
TMM continually restarts until the unit is rebooted. Traffic disrupted while tmm restarts. The reboot appears to clear the condition.
Workaround:
Manually reboot the unit.
688335-6 : Big3d may restart in a loop on secondary blades of a chassis system
Solution Article: K00502202
Component: Global Traffic Manager (DNS)
Symptoms:
After big3d_install is run against a target system, and this target system is a multi-blade chassis, the big3d utility may begin restarting in a loop on all secondary blades of the target system. The primary blade is not affected; big3d continues to run stably there.
Conditions:
The following conditions are required to encounter this issue:
-- The big3d_install utility is used against a target system.
-- The target system is a multi-blade chassis.
-- The big3d_install utility picks the iQuery installation method (and not the SSH one).
-- The big3d_install utility incorrectly determines that the local version of the big3d utility should be copied to the remote system (in other words, it can incorrectly overwrite big3d on the remote system with an older version of big3d).
Impact:
Big3d does not typically do anything on secondary blades, so this issue should have no immediate material impact.
However, should the cluster elect a new primary blade, and should big3d still be restarting on that blade, this could cause iQuery communication failures between that system and remote BIG-IP systems.
Workaround:
To stop secondary blades from restarting, manually restart big3d on the primary blade using the following command:
bigstart restart big3d
To prevent this issue from happening, run big3d_install with the SSH installation method specified, using the following command:
big3d_install -use_ssh <target IP>
688266-6 : big3d and big3d_install use different logics to determine which version of big3d is newer
Component: Global Traffic Manager (DNS)
Symptoms:
The big3d_install utility includes logic to determine whether the local system should copy its version of the big3d daemon to the remote system specified by the user.
This logic is incorrect and may result in the local copy of the big3d daemon being unnecessarily copied to the remote system or not copied when actually necessary.
Conditions:
A user runs the big3d_install utility.
Impact:
If the local big3d daemon was unnecessarily copied over to the remote system, there is no tangible impact (other than the fact big3d restarts on the remote system, which is expected). Eventually, the remote system restores and uses its version of the big3d daemon.
If the local big3d daemon was not copied over when it should have been, then the remote system may continue to run an older version of the big3d daemon, which may impede iQuery communication.
Workaround:
If the local big3d daemon was unnecessarily copied over to the remote system, you do not need to perform any remedial action. The remote system will automatically resolve this situation by restoring the intended (i.e., newer) big3d version.
If the local big3d daemon was not copied over when it should have been, you can invoke the big3d_install utility using the -f argument, which forces an install of the big3d daemon regardless of the local and remote versions.
688005-1 : The maximum-connection count doubles pva traffic counts for virtuals
Component: Local Traffic Manager
Symptoms:
The counters maintaining virtual server statistics double count packets processed by the pva hardware. This makes maximum connection counts for pva unreliable.
Conditions:
Connections utilizing PVA incorrectly report PVA counts.
Impact:
Fast L4 virtuals may report unreliable maximum connection counts.
687887-2 : Unexpected result from multiple changes to a monitor-related object in a single transaction
Component: Local Traffic Manager
Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction will attempt to 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.
Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object, such as (delete, create, modify).
Impact:
The monitor-related object may be unchanged; or monitoring may stop for that object.
Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').
686059-3 : FDB entries for existing VLANs may be flushed when creating a new VLAN.
Component: Local Traffic Manager
Symptoms:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN.
Conditions:
- Creating a new VLAN with existing VLANs using trunk members.
- STP is enabled on its trunk member.
Impact:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN. This will result in potential network saturation.
Workaround:
To avoid the FDB flushing on trunk member interfaces of existing, unrelated VLANs, ensure that STP is disabled on its trunk member.
685582-8 : Incorrect output of b64 unit key hash by command f5mku -f
Component: TMOS
Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.
Conditions:
Viewing output of 'f5mku -f' command.
Impact:
Inconsistent output of the b64 unit key.
Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:
f5mku -vf
For example:
# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...
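Added example (not part of the F5 release notes, and not F5 code): a shell check that uses the stable hex value described in the workaround by extracting hdr.hash from 'f5mku -vf' output and comparing it with a saved baseline. The function names and the baseline file are assumptions; the sample output is constructed from the excerpt above.

```bash
#!/bin/bash
# Added example, not F5 code. Function names and the baseline file are hypothetical.

# Constructed sample, modelled on the 'f5mku -vf' excerpt in the workaround above.
SAMPLE_OUTPUT='# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...'

# Read 'f5mku -vf' output on stdin and print the hex hdr.hash, lowercased.
# Returns 1 when no well-formed "hdr.hash = xx:xx:..." line is present.
extract_hdr_hash() {
    awk '
        /hdr\.hash[ \t]*=/ {
            line = $0
            sub(/^.*hdr\.hash[ \t]*=[ \t]*/, "", line)
            sub(/[ \t\r]+$/, "", line)
            line = tolower(line)
            if (line ~ /^[0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])+$/) {
                print line
                found = 1
                exit
            }
        }
        END { exit !found }
    '
}

# Compare the hash in 'f5mku -vf' output (stdin) with the one saved in $1.
# Exit status: 0 = unchanged, 1 = changed, 2 = no parsable hash or no baseline.
check_unit_key_hash() {
    ukh_baseline_file=$1
    ukh_current=$(extract_hdr_hash) || return 2
    [ -r "$ukh_baseline_file" ] || return 2
    ukh_saved=$(tr 'A-F' 'a-f' < "$ukh_baseline_file" | tr -d ' \t\r\n')
    if [ "$ukh_current" = "$ukh_saved" ]; then
        return 0
    fi
    echo "unit key header hash changed: baseline=$ukh_saved current=$ukh_current" >&2
    return 1
}

# Demo on the constructed sample: save a baseline, then re-check against it.
# On a BIG-IP system the input would come from: f5mku -vf | check_unit_key_hash <baseline-file>
demo_baseline=$(mktemp)
printf '%s\n' "$SAMPLE_OUTPUT" | extract_hdr_hash > "$demo_baseline"
if printf '%s\n' "$SAMPLE_OUTPUT" | check_unit_key_hash "$demo_baseline"; then
    echo "unit key header hash unchanged"
fi
rm -f "$demo_baseline"
```

Status 2 is kept separate from status 1 so that a missing baseline or unparsable output is not reported as a key change.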
684096-3 : stats self-link might include the oid twice
Component: TMOS
Symptoms:
The object ID might be erroneously embedded in the self-link twice.
Conditions:
Query for stats, such as https://<host>/mgmt/tm/ltm/pool/p1/stats.
Impact:
An incorrect self-link is returned.
Workaround:
Be mindful when parsing the self-link.
683135-3 : Hardware syncookies number for virtual server stats is unrealistically high
Component: TMOS
Symptoms:
In some situations 'tmsh show ltm virtual' shows unrealistically high hardware (HW) syncookie numbers.
These unrealistically high HW syncookie stats cause AFM DoS TCP synflood vector to have high numbers, and that can cause TCP synflood vector to drop packets in HW based on the configured rate-limit for that vector.
Conditions:
Virtual server with hardware syncookie protection enabled.
Impact:
Stats issue. Can impact traffic if the AFM TCP Synflood vector is enabled in mitigation mode.
Workaround:
Disable the TCP Synflood vector in mitigate mode.
Since Syncookie is already providing protection, the TCP Synflood option should be enabled only in detect-only mode, if at all.
680917-4 : Invalid monitor rule instance identifier
Component: TMOS
Symptoms:
iApp triggers an error while attempting to change server properties for pool members. The error reads "Invalid monitor rule instance identifier".
Conditions:
While changing the server properties associated with the pool members through iApp.
Impact:
You cannot change the server properties using the iApp.
679901-6 : The iControl-REST timeout value is not configurable.
Component: TMOS
Symptoms:
Updating a large (75 KB or more records) data-group results in errors. This occurs because the communication between icrd_child and restjavad times out, and consequently the system raises errors. The default timeout is set to 60 seconds.
Conditions:
Using iControl REST to update a data-group that contains 75 KB or more records.
Impact:
The operation times out and there is no way to configure the iControl REST timeout value.
Workaround:
None.
679687-2 : LTM Policy applied to large number of virtual servers causes mcpd restart
Component: Local Traffic Manager
Symptoms:
When a large policy (on the order of several dozen rules) is applied to a large number of virtual servers (on the order of hundreds), the mcpd process compiles the policy to an optimized, intermediate form for each virtual server. The compilation occurs in the mcpd process, and because it becomes so busy/non-responsive, a watchdog process intervenes and restarts the mcpd process.
Conditions:
-- Relatively large policy (~30 or more rules) applied to large number of virtual servers (~100 or more).
-- Creating a draft of the policy that is currently applied to those virtual servers, when a similarly attached policy is published.
Impact:
The mcpd process becomes unresponsive and is reset by a watchdog process.
Workaround:
Two possible workarounds:
-- Make copies of the policy and apply a different copy of policy to different subsets of virtual servers.
-- Implement the policy using iRules.
679316-6 : iQuery connections reset during SSL renegotiation
Component: Global Traffic Manager (DNS)
Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Conditions:
This occurs when a system tries to send data over the iQuery connection while the two endpoints are performing SSL renegotiation.
Note: iQuery connections automatically perform SSL renegotiation every 24 hours.
Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.
Note: This is a subtly different issue from the one (with a very similar error, 140940F5 vs 140940E5) described in Bug ID 477240: iQuery connection resets every 24 hours :: https://cdn.f5.com/product/bugtracker/ID477240.html (K16185: BIG-IP GTM iQuery connections may be reset during SSL key renegotiation :: https://support.f5.com/csp/article/K16185).
This issue occurs even in versions where ID477240 is fixed. There is no fix for this specific trigger of the same message.
Workaround:
There is no workaround at this time.
677709 : pkcs11d daemon can generate a very large number of log messages
Component: Local Traffic Manager
Symptoms:
If communication between a BIG-IP instance and the Hardware Security Module (HSM) is interrupted, during its attempts to re-establish a connection, the TMOS pkcs11d daemon will log many error messages in the /var/log/ltm log file (or in daemon.log for earlier versions).
Messages appear similar to the following:
-- err pkcs11d[21325]: 01680002:3: Session initialization error.
-- err pkcs11d[21325]: 01680032:3: netHSM: PKCS11d stopped. Verify password, and restart PKCS11d.
-- err pkcs11d[21325]: 01680029:3: netHSM: Failed login: password[incorrect]. Error[160].
Conditions:
-- Configurations employing an external HSM.
-- Communication between the BIG-IP instance and the HSM is interrupted.
Impact:
A sufficiently large amount of log-message handling may consume processor time and I/O resources, to the detriment of other processing.
Workaround:
None.
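Added example (not part of the F5 release notes, and not F5 code): a shell check that counts err-level pkcs11d messages per minute and per message ID, so that an HSM communication loss can be flagged from the log before the volume affects other processing. The function names and the threshold are assumptions, and the sample lines are constructed: their message text follows the entry above, while the timestamp and hostname prefix is an assumed syslog layout.

```bash
#!/bin/bash
# Added example, not F5 code. Function names and thresholds are hypothetical.

# Constructed log lines. The pkcs11d message text follows the release note;
# the timestamp/hostname prefix is an assumed syslog layout for /var/log/ltm.
SAMPLE_LTM_LOG='Mar  4 10:15:01 bigip1 err pkcs11d[21325]: 01680002:3: Session initialization error.
Mar  4 10:15:01 bigip1 err pkcs11d[21325]: 01680032:3: netHSM: PKCS11d stopped. Verify password, and restart PKCS11d.
Mar  4 10:15:02 bigip1 err pkcs11d[21325]: 01680029:3: netHSM: Failed login: password[incorrect]. Error[160].
Mar  4 10:15:02 bigip1 err pkcs11d[21325]: 01680002:3: Session initialization error.
Mar  4 10:15:40 bigip1 notice sshd[4411]: constructed unrelated line
Mar  4 10:16:05 bigip1 err pkcs11d[21325]: 01680002:3: Session initialization error.'

# Read log lines on stdin and print "<Mon> <DD> <HH:MM> <count>" for every
# minute in which pkcs11d logged at least $1 err-level messages.
pkcs11d_flood_minutes() {
    awk -v threshold="$1" '
        / err pkcs11d\[[0-9]+\]: / {
            minute = $1 " " $2 " " substr($3, 1, 5)
            count[minute]++
        }
        END {
            for (m in count)
                if (count[m] >= threshold)
                    printf "%s %d\n", m, count[m]
        }
    ' | sort
}

# Read log lines on stdin and print "<message-id> <count>" for err-level
# pkcs11d messages, most frequent first, to show which error dominates.
pkcs11d_message_ids() {
    awk '
        / err pkcs11d\[[0-9]+\]: / {
            rest = $0
            sub(/^.* pkcs11d\[[0-9]+\]: /, "", rest)
            split(rest, parts, ":")
            ids[parts[1]]++
        }
        END {
            for (id in ids)
                printf "%s %d\n", id, ids[id]
        }
    ' | sort -k2,2nr -k1,1
}

# Demo on the constructed sample with a threshold of 3 messages per minute.
# On a BIG-IP system the input would be the log file named in the entry above,
# for example: pkcs11d_flood_minutes 100 < /var/log/ltm
echo "Minutes at or above threshold:"
printf '%s\n' "$SAMPLE_LTM_LOG" | pkcs11d_flood_minutes 3
echo "Message IDs:"
printf '%s\n' "$SAMPLE_LTM_LOG" | pkcs11d_message_ids
```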
675911-5 : Different sections of the WebUI can report incorrect CPU utilization
Solution Article: K13272442
Component: Local Traffic Manager
Symptoms:
The following sections of the WebUI can report incorrect (i.e. higher than expected) CPU utilization:
- The "download history" option found in the Flash dashboard
- Statistics › Performance › Traffic Report (section introduced in version 12.1.0)
Values such as 33%, 66% and 99% may appear in these sections despite the system being potentially completely idle.
Conditions:
HT-Split is enabled (this is the default for platforms that support it).
Impact:
Incorrect CPU utilization is reported by multiple sections of the WebUI, which can confuse BIG-IP Administrators and cause unnecessary alarm.
Workaround:
You can obtain CPU history through various other means. One way is to use the sar utility.
In 12.x and 13.x:
sar -f /var/log/sa6/sa
or for older data
sar -f /var/log/sa6/sa.1
The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.
In 11.x:
sar -f /var/log/sa/sa
or for older data
sar -f /var/log/sa/sa.1
The oldest data is found compressed in /var/log/sa and must be gunzipped before use.
Live CPU utilization can also be obtained through various other means, including the Performance Graphs, SNMP polling, iControl polling, and command-line utilities such as top.
674591-4 : Packets with payload smaller than MSS are being marked to be TSOed
Solution Article: K37975308
Component: Local Traffic Manager
Symptoms:
Packets with length less than the specified MSS are sent as TSO packets, and the Broadcom NIC drops them, which degrades performance.
Conditions:
When TM.TcpSegmentationOffload is enabled, packets with length less than MSS are sent as TSO packets.
Impact:
TCP Packets are dropped.
Workaround:
Disable TSO option by setting the following SYS DB variable to disable: TM.TcpSegmentationOffload.
673573-4 : tmsh logs boost assertion when running child process and reaches idle-timeout
Component: TMOS
Symptoms:
An idle-timeout occurs while running a sub-process in interactive mode, resulting in a log message. tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm if a tmsh command reaches idle timeout and a spawned sub-process is still running.
The errors in /var/log/ltm begin with the following text:
'boost assertion failed'
Conditions:
-- tmsh command reaches idle timeout.
-- Spawned sub-process is still running.
Impact:
Although the wording indicates a failure, the message is benign and you can safely ignore it.
Workaround:
None.
673357-2 : SWG puts flow in intercept mode when session is not found
Component: Access Policy Manager
Symptoms:
In SWG, flows that should be getting bypassed are placed in intercept mode.
Conditions:
This occurs when the per-request policy receives an https request and a session is not established.
Impact:
In some cases, the client sees a certificate warning.
Workaround:
If the access policy is "start->allow", the following iRule can be used as a workaround:
when CLIENT_ACCEPTED {
    if { [ACCESS::session exists] } {
        log local0. "Found Access Session"
        log local0. [ACCESS::session exists]
    } else {
        set sid [ACCESS::session create -lifetime 300 -timeout 300 -flow]
        log local0. "No Access Session found, creating $sid"
        ACCESS::session data set session.ui.mode "0"
        ACCESS::session data set session.policy.result "allow"
    }
}
673018-1 : Parsed text violates expected format error encountered while upgrading or loading UCS★
Component: TMOS
Symptoms:
During a configuration roll-forward on an upgrade, the UCS load fails and reports the following error:
Parsed text violates expected format.
Conditions:
This can occur under the following conditions:
-- When loading a configuration that contains iFiles.
-- During an upgrade process, when the source-path for an iFile contains a URL with a space or other invalid URL character in it, for example: http://myfiles.com/get this file.txt.
Impact:
Configuration fails to load, and the system reports the following error: Parsed text violates expected format.
Workaround:
You can use either of the following workarounds:
-- Modify the URL to the iFile to remove any spaces, and then reload the configuration.
-- Use the HTTP specification for specifying spaces (and other characters) in URLs. For example, represent a space using the string %20 in the URL: http://myfiles.com/get%20this%20file.txt.
672410 : High CPU load when HTTP/2 gateway is configured with source-persistence.
Solution Article: K58551820
Component: Local Traffic Manager
Symptoms:
High CPU load when HTTP/2 gateway is configured with source-persistence.
Conditions:
-- HTTP/2 gateway is configured on the virtual server.
-- Source-persistence is turned on.
Impact:
High CPU load may lead to performance degradation.
Workaround:
Setting 'match-across-services' might help improve performance.
670994-4 : There is no validation for IP address on the ip-address-list for static subscriber
Component: Policy Enforcement Manager
Symptoms:
You can add an IP address with a subnet mask for a static subscriber, and the system creates the subscriber by discarding the subnet mask without any error message.
Conditions:
This occurs when you add an IP address with a subnet mask to the IP address list for a static subscriber.
Impact:
An invalid IP address is added without warning or error.
669645-4 : tmm crashes after LSN pool member change
Component: Carrier-Grade NAT
Symptoms:
Changing LSN pool members while processing traffic may cause tmm to crash.
Conditions:
-- Changing, using, or removing an LSN pool.
-- Traffic is being processed.
Impact:
When tmm crashes, traffic processing will stop until tmm restarts. Note that this can occur, even if the change was on a high-availability peer unit and config-sync has taken place.
Workaround:
Change LSN pool members during a maintenance window with low traffic, or ideally use an HA pair with a standby unit for implementing configuration changes on live traffic.
667618-5 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
Component: TMOS
Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The TCP options that are not supported under SYN Cookie protection continue to be unsupported until the system exits hardware SYN cookies.
Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.
Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.
Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options will not be taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.
Note that syncookies also fail to deactivate if no good traffic hits the virtual server; they deactivate once good traffic has been seen and the attack has ended.
Workaround:
There is no workaround at this time.
666378-2 : A virtual server's connections per second (precision.last_value) is confusingly named.
Component: Local Traffic Manager
Symptoms:
A virtual server's current connections-per-second statistic has a confusing name. The statistic is maintained when rate limiting is configured for a virtual server. The statistic is updated when the virtual hits a rate-limiting condition, and it stays at the last value it held when the limit was hit.
Conditions:
If the rate limit is never configured then the value is 0. If the rate limit is configured and is hit, then the value is the active count when the limit was hit. The value stays at that count until the limit is hit again.
Impact:
There is no functional impact, but the statistic's meaning is confusing.
Workaround:
The MIB description should clarify the meaning of this statistic.
665117-8 : DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping
Solution Article: K33318158
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Server status flapping from red-green-red.
Conditions:
-- Two generic hosts in two different DataCenters;
-- Two generic hosts are not available through DNS;
-- Same monitor with available alias IP/port configured.
Impact:
Server status flaps from red to green and back.
Workaround:
Check Transparent for these monitors.
663946-5 : VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
Component: Advanced Firewall Manager
Symptoms:
When DNS is under load greater than the AFM-configured rate limit, certain IPv4 packets are categorized as IPv6 atomic fragments and may be dropped due to rate limits.
Conditions:
-- AFM enabled.
-- DNS load greater than AFM-configured rate limit for IPv6 atomic fragments (default 10 KB).
Impact:
May result in lower than expected DNS load test results.
Workaround:
Use either of the following workarounds:
-- Disable AFM.
-- Increase detection limit for IPv6 atomic fragments under AFM.
Note: For AFM HW DoS protection, the host and vCMP guest must be the same version. Disable hardware DoS checking on the vCMP guest to prevent this issue. To do so, set sys db dos.forceswdos to 'true'.
663925-4 : Virtual server state not updated with pool- or node-based connection limiting
Component: Local Traffic Manager
Symptoms:
Rate- or connection-limited pool members and nodes do not immediately affect virtual server status.
Conditions:
The connection count reaches the configured connection limit.
Impact:
Virtual server is automatically disabled when connection limit is reached and returns from the unavailable state after connections decrease.
The actual connection-limiting functionality occurs at the tmm level (you can see connection rejections in the logs after the maximum limit is reached). The system is just not logging status in mcp because update_status is not being called automatically.
Workaround:
None.
663874-1 : Off-box HSL logging does not work with PEM in SPAN mode.
Solution Article: K77173309
Component: Policy Enforcement Manager
Symptoms:
While on-box HSL logging works, off-box HSL logging does not work with PEM in SPAN mode.
Conditions:
-- PEM in SPAN mode.
-- Off-box HSL logging is configured.
Impact:
Cannot use off-box HSL logging with PEM in SPAN mode; must use on-box HSL logging instead.
Workaround:
There is no workaround at this time.
662725 : tmsh kernel default log levels does not match documentation
Component: TMOS
Symptoms:
The actual tmsh default was 'notice', but it was changed to 'debug' so that kern.log files in qkviews are complete. This was done so that, when diagnosing issues, support has all the information in terms of kernel output. This documentation discrepancy is a non-functional change that should have been done in 11.5.0 when the actual default value was changed.
Conditions:
None.
Impact:
None.
Workaround:
None.
660913-2 : For ActiveSync client type, browscap info provided is incorrect.★
Component: Access Policy Manager
Symptoms:
Clients using Microsoft ActiveSync are failing access policy evaluation.
Conditions:
-- This occurs with clients using Microsoft ActiveSync.
-- It can be encountered on upgrade if you are upgrading to version 12.1.2 - 14.1.0 from an earlier version.
Impact:
The ActiveSync "Client UI" expression will fail and a wrong branch will be selected. As a result, clients using ActiveSync may not be authenticated.
Workaround:
In the VPE change the ActiveSync "Client UI" expression to:
expr { [mcget {session.server.landinguri}] starts_with "/Microsoft-Server-ActiveSync" || [mcget {session.ui.mode}] == 8 }
660759-2 : Cookie hash persistence sends alerts to application server.
Component: Fraud Protection Services
Symptoms:
When Persistence cookie insert is enabled with a non-default cookie name, the cookie might be overwritten after an alert is handled.
Conditions:
-- Persistence profile on the virtual server.
-- Profile relies on cookie hash persistence.
-- Non-default Cookie name used for cookie persistence.
(Default cookie naming strategy appends Pool Name, which results in two cookies set with different names and different values, leaving the application pool persistence cookie unmodified.)
Impact:
Sends alerts to application server. Traffic might be sent to wrong pool member.
Workaround:
Use an iRule similar to the following to remove persistence cookie in case of alerts:
ltm rule /Common/cookie_persist_exclude_alerts {
    when HTTP_REQUEST {
        # Enable the usual persistence cookie profile.
        if { [HTTP::path] eq "/<alert-path>/" } {
            # Disable persistence for requests to the alert path.
            persist none
        }
    }
}
660654 : The APM 'epsec refresh' CLI command works incorrectly if install package is deleted
Component: Access Policy Manager
Symptoms:
If the install EPSEC package is deleted before running the 'epsec refresh' command, the existing EPSEC version is refreshed instead of the new version.
Conditions:
-- Upload and install EPSEC package with a later version than is on the system.
-- Delete the install package.
-- Run the command: epsec refresh.
Impact:
System package will be installed (essentially, a rollback to the previous version).
Workaround:
Leave the install package on the system until after you run the epsec refresh command.
655383-4 : Failure to extend database continues to execute rather than halting because of fragmented state.
Component: Local Traffic Manager
Symptoms:
Rarely occurring failure to extend database results in operations continuing to execute rather than halting because of fragmented state. Various behavior might occur, for example: unexpected traffic to disabled pool members, intermittent updated cert usage, receipt of messages such as 'MCP message handling failed' or 'Memory allocation failed: can't allocate memory to extend db size', and others.
Conditions:
TMM heap is fragmented such that memory allocation fails when extending the database.
Impact:
Operations continue to execute rather than halting, as might be expected. The system might report a variety of unexpected log messages and/or behaviors due to subsequent inconsistent state.
Note: This is an extremely rare condition that occurs only when TMM is left in an inconsistent state. Although it is possible that this might eventually lead to bad behavior downstream, the event itself does not cause memory issues.
Workaround:
None.
652793 : "Signature Update Available" message is not cleared by UCS load/sync
Component: Application Security Manager
Symptoms:
If the most recent Signature Update was loaded by device group sync or UCS load, the "Signature Update Available" message is never cleared out.
Conditions:
ASM provisioned and "Signature Update Available" was indicated prior to loading the most recent Signature Update by device group sync or UCS load.
Impact:
The "Signature Update Available" message is never cleared out.
Workaround:
Restart ASM, or kill asmcrond ("pkill -f asmcrond").
648917-2 : Need to re-provision vCMP after upgrading to 13.1.x or later on the BIG-IP 10350F platform★
Component: TMOS
Symptoms:
With vCMP provisioned, upgrading to 13.1.x or later release will not enable IOMMU support after the upgrade.
Conditions:
-- Upgrading to 13.1.x or later.
-- vCMP already provisioned.
-- Running on the BIG-IP 10350F platform.
Impact:
Guests configured with FIPS functionality will fail to start until IOMMU is enabled.
Workaround:
You can use either of the following workarounds:
-- Re-provision vCMP after the upgrade to enable IOMMU support.
-- Alternatively, complete the following steps:
1. Modify the value of the DB variable kernel.iommu to 'enable'.
2. Restart the BIG-IP system.
646440-2 : TMSH allows mirror for persistence even when no mirroring configuration exists
Component: Local Traffic Manager
Symptoms:
When Mirroring is not configured in a high-availability (HA) configuration, the Configuration Utility (GUI) correctly hides the 'mirror' option for Persistence profile. However, Persistence Mirroring can still be enabled via TMSH.
Conditions:
-- Mirroring is configured in an HA configuration.
-- Persistence profile.
-- Using TMSH.
Impact:
A memory leak and degraded performance can occur when:
-- The Mirroring option of a Persistence profile is enabled.
-- Mirroring in the HA environment is not configured.
Workaround:
Always use the Configuration Utility (GUI) to configure Persistence profiles.
If you encounter this issue, complete the following procedure to locate Persistence profiles with Mirroring enabled, and then disable Mirroring for those profiles:
1. Access the BIG-IP Bash prompt.
2. List the Persistence profiles with the following command:
tmsh list ltm persistence
3. Examine the Persistence profiles to identify the ones with 'mirror enabled'.
4. Disable Mirroring for each Persistence profile, using a command similar to the following:
tmsh modify ltm persistence <persistence_type> <profile_name> mirror disabled
5. Save the changes to the Persistence profiles:
tmsh save sys config
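Steps 2 through 4 of this procedure can be scripted as a dry run. The following is an added example, not F5-supplied code: it parses the output of 'tmsh list ltm persistence' and prints the 'tmsh modify' commands for review instead of running them. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run helper for the procedure above (not F5-supplied code).

# Constructed sample of 'tmsh list ltm persistence' output, used when tmsh is
# not available (for example, when checking the parser off-box).
sample_listing() {
    cat <<'EOF'
ltm persistence cookie app_cookie {
    app-service none
    defaults-from cookie
    method hash
}
ltm persistence source-addr src_mirrored {
    defaults-from source_addr
    mirror enabled
    timeout 300
}
ltm persistence ssl ssl_plain {
    defaults-from ssl
    mirror disabled
}
ltm persistence dest-addr dst_mirrored {
    defaults-from dest_addr
    mirror enabled
}
EOF
}

# Read a persistence listing on stdin and print "<persistence_type> <profile_name>"
# for every profile stanza that contains 'mirror enabled'.
find_mirrored_persistence() {
    awk '
        # Stanza header, e.g.: ltm persistence source-addr src_mirrored {
        $1 == "ltm" && $2 == "persistence" && $NF == "{" {
            type = $3; name = $4; next
        }
        # Property line inside the current stanza.
        type != "" && $1 == "mirror" && $2 == "enabled" { print type, name }
        # A closing brace in column 1 ends the stanza.
        /^}/ { type = ""; name = "" }
    '
}

# Turn the matches into the commands from steps 4 and 5. The commands are only
# printed, so they can be reviewed before anything is changed.
emit_disable_commands() {
    find_mirrored_persistence | awk '
        { printf "tmsh modify ltm persistence %s %s mirror disabled\n", $1, $2; n++ }
        END { if (n > 0) print "tmsh save sys config" }
    '
}

# On a BIG-IP system, parse the live listing; elsewhere, use the sample.
if command -v tmsh >/dev/null 2>&1; then
    tmsh list ltm persistence | emit_disable_commands
else
    sample_listing | emit_disable_commands
fi
```

Review the printed commands, then run them from the BIG-IP Bash prompt.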
641450-6 : A transaction that deletes and recreates a virtual may result in an invalid configuration
Solution Article: K30053855
Component: TMOS
Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.
Config load error:
01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.
Configuration-change-time error in /var/log/ltm:
err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>
Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).
Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.
Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
1. Delete virtual server.
2. Create virtual server (with an empty profile list).
3. Modify the virtual server's profile list.
640842-2 : ASM end user using mobile might be blocked when CSRF is enabled
Component: Application Security Manager
Symptoms:
Users report their access is blocked; when you look at the error log, you see CSRF errors.
Conditions:
-- CSRF enabled on ASM.
-- ASM client is using a mobile device.
Impact:
Client is blocked.
Workaround:
None.
627506-2 : Unable to change management-ip address
Component: TMOS
Symptoms:
After the management-ip address is changed, the BIG-IP system continues to use the old management-ip address. You might see the following error in /var/log/ltm:
-- warning chmand[6584]: 012a0004:4: mcp_admin_ip_remove, delMgmtAddr() catch exception: Network Socket: Open Error [No such device], possibly nonexistent.
Conditions:
Running on platforms that use eth0 interface for management traffic.
To determine whether the platform you have uses the eth0 interface for management traffic, run the following command: ifconfig eth0.
Impact:
Unable to change management-ip address. After changing the management-ip, the old address will continue to be listed.
Workaround:
Save the change and reboot the system. After the changes have been saved, they will be applied after the unit is rebooted.
620301-2 : Policy import fails due to missing signature System in associated Signature Set
Component: Application Security Manager
Symptoms:
ASM policy import fails due to a missing System, used in an associated Signature Set.
Conditions:
ASM policy is imported using an export file from a device with a more recent ASM Signature Update.
Impact:
The ASM policy import fails.
Workaround:
Update the ASM Signature on the target device before importing the policy.
620053-3 : Gratuitous ARPs may be transmitted by active unit being forced offline
Component: Local Traffic Manager
Symptoms:
When the cluster's active unit is forced offline, the non-primary blades may send gratuitous ARPs.
Conditions:
Cluster's active blade is forced offline.
Impact:
Potential impact to traffic if the gratuitous ARPs of the blade that goes offline are received before the unit taking over as primary, or if gratuitous ARPs are rate-limited on upstream or downstream devices.
Workaround:
Fail over the cluster before forcing offline or configuring MAC masquerading.
606032-4 : Network Failover-based high availability (HA) in AWS may fail
Component: TMOS
Symptoms:
MCPD posts an error that network failover is not configurable:
01071ac2:3: Device-group (/Common/autoscale-group): network-failover property must be disabled in VE-1NIC.
Conditions:
Attempting to set up high availability (HA) in Amazon Web Services (AWS) with only 1 network interface.
Impact:
Configuration of high availability (HA) in AWS cannot be completed.
Workaround:
The current workaround is to configure high availability (HA) in AWS with at least 2 network interfaces.
601220-4 : Multi-blade trunks seem to leak packets ingressed via one blade to a different blade
Component: TMOS
Symptoms:
When a multi-blade VIPRION deployment first starts up or recovers from a chassis-wide force-offline/release-offline event, multi-blade trunks seem to leak packets that ingressed on one blade, out the same trunk's member interfaces on other blades.
Conditions:
-- Multi-blade VIPRION deployment.
-- Chassis-wide reboot or force-offline/release-offline event occurs.
Impact:
This is a very intermittent issue that is not reproducible and happens for only a few milliseconds. This may temporarily impact the upstream switch L2 FDB and cause slight traffic redirection as the upstream switch will learn the source MAC of the gratuitous ARPing host from the same trunk the traffic was broadcast to.
Note: This is not an F5-specific problem. It occurs on every stack switch hardware under these conditions.
Workaround:
There is no workaround.
600985-2 : Network access tunnel data stalls
Component: Access Policy Manager
Symptoms:
In certain scenarios, the network access tunnel stays up; however, no data transfer occurs on the tunnel. This issue occurs intermittently.
Conditions:
The cause of this issue is not yet known.
Impact:
Data stalls on the tunnel, so users cannot access any applications. However, Edge Client shows the VPN tunnel as 'Connected'.
Workaround:
Manually re-establish the tunnel.
594064-6 : tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.
Solution Article: K57004151
Component: Local Traffic Manager
Symptoms:
When the tcpdump utility is used with the ':p' modifier, it appears that the first few serverside packets are not captured.
Conditions:
-- Using the ':p' modifier with the tcpdump utility to capture serverside flows associated with clientside flows that match a tcpdump filter.
-- FastL4 or standard virtual server UDP flows are being captured.
Impact:
Typically, the peer flow will not be captured until the second packet is processed on the original flow that is captured by the tcpdump filter. Although there is no operational impact, it might cause confusion when looking for serverside traffic when capturing using a command similar to the following: tcpdump -i <vlan>:p host <client-ip>
Typical examples of missing packets include:
-- Serverside syn and syn-ack from FastL4 TCP traffic.
-- All serverside packets for single packet request/reply traffic, e.g., dns request/reply.
Workaround:
Specify a filter that includes serverside traffic (e.g., include pool member addresses as 'host <addr>').
591732-4 : Local password policy not enforced when auth source is set to a remote type.
Component: TMOS
Symptoms:
Local password policy not enforced when auth source is set to a remote type. Any non-default password policy change is not enforced for local users.
Conditions:
1) Some part of the local password policy has been changed from the default values, for example, changing the password minimum-length to 12 where the default is 6.
2) The auth source is set to a remote source, such as LDAP, AD, TACACS.
Impact:
The system does not enforce any of the non-default local password policy options.
For example, even if the minimum-length is set to 12, a local user's password can be set to something less than 12.
As another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).
Workaround:
None.
591305-2 : Audit log messages with "user unknown" appear on install
Component: TMOS
Symptoms:
Multiple log entries in /var/log/audit similar to the following:
May 4 11:37:35 localhost notice mcpd[5488]: 01070417:5: AUDIT - client Unknown, user Unknown - transaction #33-1 - object 0 - create_if { db_variable { db_variable_name "version.edition" db_variable_value "<none>" db_variable_sync_type "private_internal" db_variable_data_type "string" db_variable_display_name "Version.Edition" } } [Status=Command OK]
Conditions:
This happens on initial install; it is not yet known what triggers it.
Impact:
This is the result of a daemon on the system not properly identifying itself to mcpd. The log messages can be safely ignored.
587821-7 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
Component: TMOS
Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.
In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.
Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.
Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.
Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.
Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.
569859-4 : Password policy enforcement for root user when mcpd is not available
Component: TMOS
Symptoms:
When the mcpd configuration database is not available, password policy is not enforced when changing passwords for the user 'root' using the command-line utility 'passwd'.
Conditions:
-- Advanced shell access.
-- mcpd is not available.
-- Change root password with the 'passwd' utility.
Impact:
Root password may be set to a string that does not comply with the current password policy.
Workaround:
None.
544958-2 : Monitors packets are sent even when pool member is 'Forced Offline'.
Component: Local Traffic Manager
Symptoms:
If you have a pool member associated with more than one virtual server and the pool member is marked Forced-Offline, the pool monitor will continue to function if the monitor is assigned to both pools.
Conditions:
-- Pools containing identical members.
-- Pool monitoring configured.
-- Pool members are Forced Offline.
Impact:
Monitor packets are sent even when the pool member is 'Forced Offline'.
Workaround:
None.
534187-4 : Passphrase protected signing keys are not supported by SAML IDP/SP
Component: Access Policy Manager
Symptoms:
Signing operation may fail if the BIG-IP system is used as a SAML Identity Provider or Service Provider and is configured to use passphrase-protected signing keys.
Conditions:
Private key used to perform digital signing operations is passphrase protected.
Impact:
SAML protocol will not function properly due to inability to sign messages.
Workaround:
To work around the problem, remove the passphrase from the signing key.
505037-4 : Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop
Solution Article: K01993279
Component: Local Traffic Manager
Symptoms:
Modifying a monitored pool with a gateway failsafe device might put secondary into restart loop.
Conditions:
Only occurs in clustered environments, when modifying a monitored pool to set the gateway failsafe device while the secondary is down. Symptom occurs when the secondary comes back up and attempts to update the health status of a pool.
Impact:
Secondary in a restart loop.
Workaround:
Remove the gateway failsafe device. Re-apply when the blade is up.
499348-8 : System statistics may fail to update, or report negative deltas due to delayed stats merging
Component: TMOS
Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as unchanging statistics (e.g., all zeroes (0)), as sudden spikes in traffic, or as negative deltas in some counters.
The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.
Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions:
-- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors).
-- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis).
Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.
Workaround:
This issue has two workarounds:
1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:
-- Reduce the frequency of configuration changes.
-- Reduce the use of 'SSL::profile' in iRules.
-- Reduce the number/frequency of processes being spawned by the system.
2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:
tmsh modify sys db merged.method value slow_merge
486712-4 : GUI PVA connection maximum statistic is always zero
Component: TMOS
Symptoms:
The GUI PVA connection maximum statistic is always zero, regardless of the number of PVA connections established.
Conditions:
This occurs when fastL4 connections are used.
Impact:
The customer cannot determine the maximum number of PVA connections because the stat is always zero.
474797-5 : Nitrox crypto hardware may attempt soft reset while currently resetting
Component: Local Traffic Manager
Symptoms:
Nitrox crypto hardware may attempt soft reset to clear a stuck condition while already engaged in a soft reset attempt.
Conditions:
Soft reset is needed to clear a stuck condition occurring in the timeframe during which another soft reset is occurring.
Impact:
The initial soft reset attempt does not complete as the process is restarted by the new attempt.
Workaround:
Correct the condition resulting in the need for the soft reset to clear the stuck condition, or disable hardware-based crypto acceleration by setting db variable 'tmm.ssl.cn.shunt' to disable.
To disable hardware-based crypto acceleration, issue the following command:
tmsh modify sys db tmm.ssl.cn.shunt value disable
Note: Disabling hardware-based crypto acceleration results in all crypto actions being processed in software, which might result in higher CPU and memory usage based on traffic patterns.
473787 : System might fail to unchunk server response when compression is enabled
Component: Local Traffic Manager
Symptoms:
This issue can occur when a BIG-IP virtual server is configured with a compression profile and either of the following:
-- An NTLM profile.
-- An APM access policy.
When a pool member sends a chunked (and uncompressed) HTTP response to the BIG-IP system (Transfer-Encoding: chunked), if the BIG-IP system compresses the payload, it does so without unchunking it.
This results in the BIG-IP system sending the client a malformed response that contains chunked encoding markers in the compressed content.
Conditions:
This issue occurs when the following conditions are met:
-- The NTLM and OneConnect profiles are applied to a virtual server. This can also be triggered when replacing the NTLM profile with an APM access policy configuration on the virtual server.
-- HTTP compression is enabled on the virtual server.
Impact:
HTTP responses to the client are malformed. When decompressed, the HTTP response payload incorrectly contains HTTP chunked encoding markers.
Workaround:
To work around this issue, you can either modify the type of response chunking or disable compression. For information on how to do so, see K14030: The BIG-IP system may fail to unchunk server responses when compression is enabled, available here: https://support.f5.com/csp/article/K14030.
431480-6 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
Solution Article: K17297
Component: Local Traffic Manager
Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.
Conditions:
The exact conditions that result in this error are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time, but the system recovers without any user action.
394873 : Upgrade process does not update Tcl scripts★
Component: TMOS
Symptoms:
The upgrade process does not update Tcl scripts (such as iRules) in the configuration.
Conditions:
Upgrading Tcl scripts (such as iRules).
Impact:
This might cause issues when iRule syntax changes between releases. After upgrading, you might need to modify iRules to reflect any changes in iRule syntax.
Workaround:
None.
291256-3 : Changing 'Minimum Length' and 'Required Characters' might result in an error
Component: TMOS
Symptoms:
When setting a value for the password policy attribute 'Minimum Length', and setting 'Required Characters' 'Numeric', 'Uppercase', 'Lowercase', and 'Other' to values whose sum is greater than 'Minimum Length', the system does not save changes, and instead reports an error:
err mcpd[1647]: 01070903:3: Constraint 'min length must be greater than or equal to the sum of all "required" types of characters' failed for 'password_policy'
Conditions:
-- Change the value of 'Minimum Length'.
-- Change the values in 'Required Characters' ('Numeric', 'Uppercase', 'Lowercase', and 'Other').
-- The sum of the values from 'Required Characters' is greater than the 'Minimum Length' value before you changed it.
Here is an example:
1. From the default of '6', change 'Minimum Length' to 10.
2. At the same time, change each of the 'Required Characters' options ('Numeric', 'Uppercase', 'Lowercase', and 'Other') to '2', for a total of 8.
3. Click Update.
(These values should work because the value in 'Minimum Length' (10) is greater than the sum of the values in 'Required Characters' (8).)
Impact:
The changes are not saved, and an error is posted:
Constraint 'min length must be greater than or equal to the sum of all "required" types of characters' failed for 'password_policy'.
Workaround:
You can use either of the following workarounds:
-- To work around this using the GUI, set 'Minimum Length' and 'Required Characters' separately (i.e., specify 'Minimum Length' and click Update, and then specify 'Required Characters' and click Update).
-- Use tmsh instead of the GUI.
222220-3 : Distributed application statistics
Component: Global Traffic Manager (DNS)
Symptoms:
Distributed application statistics shows only requests passed to its first wide IP.
Conditions:
Using Distributed application statistics and multiple wide-IP-members.
Impact:
The system does not include statistics for requests passed to other wide-IP-members of the distributed application.
Workaround:
None.
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/