Supplemental Document : BIG-IP 14.1.0.5 Fixes and Known Issues

Applies To:


BIG-IP APM

  • 14.1.0

BIG-IP Analytics

  • 14.1.0

BIG-IP Link Controller

  • 14.1.0

BIG-IP LTM

  • 14.1.0

BIG-IP PEM

  • 14.1.0

BIG-IP AFM

  • 14.1.0

BIG-IP FPS

  • 14.1.0

BIG-IP DNS

  • 14.1.0

BIG-IP ASM

  • 14.1.0
Original Publication Date: 03/27/2019 Updated Date: 05/22/2019

BIG-IP Release Information

Version: 14.1.0.5
Build: 5.0

NOTE: This release includes fixes for the Spectre Variant 1 and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754).
In some configurations, installing software containing these fixes might impact performance. You can disable these fixes to recover performance. Please see K91229003 for additional Spectre and Meltdown information.

Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release
Known Issues in BIG-IP v14.1.x

Functional Change Fixes

ID Number Severity Solution Article(s) Description
755817 3-Major   v14.1.0.5 includes Guided Configuration 4.1
751824-1 3-Major   Restore old 'merge' functionality with new tmsh verb 'replace'


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
663819-1 3-Major   APM NTLM Authentication for RDP Client Gateway and Microsoft Exchange Proxy are incompatible with Microsoft workaround for MS17-010 (Wannacry / Eternalblue)


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
761173-1 2-Critical   tmm crash after extended whitelist modification
751869-2 2-Critical   Possible tmm crash when using manual mode mitigation in DoS Profile
750477-1 3-Major   LTM NAT does not forward ICMP traffic
737035-2 3-Major   New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup.


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
757088-1 2-Critical   TMM clock advances and cluster failover happens during webroot db nightly updates
758536 3-Major   Traffic Intelligence IM pkg for 14.1.0 fails to install on base build version 14.1.0.x


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
737558-1 2-Critical   Protocol Inspection user interface elements are active but do not work
774881 3-Major   Protocol Inspection profiles can be added to a virtual server without Protocol Inspection being licensed.



Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release


Functional Change Fixes

None



Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
745783-1 3-Major   Anti-fraud: remote logging of login attempts


TMOS Fixes

ID Number Severity Solution Article(s) Description
754541-2 2-Critical   Reconfiguring an iApp that uses a client SSL profile fails
760222 3-Major   SCP fails unexpectedly when FIPS mode is enabled
725625-1 3-Major   BIG-IP VE Cryptographic Offload updated to Intel QAT 1.7 v4.4.0 SDK



Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
757025-1 CVE-2018-5744 K00040234 BIND Update
756774-6 CVE-2019-6612 K24401914 Aborted DNS queries to a cache may cause a TMM crash
750292-2 CVE-2019-6592 K54167061 TMM may crash when processing TLS traffic
749879-2 CVE-2019-6611 K47527163 Possible interruption while processing VPN traffic
744035-6 CVE-2018-15332 K12130880 APM Client Vulnerability: CVE-2018-15332
757027-1 CVE-2019-6465 K01713115 BIND Update
745713-4 CVE-2019-6619 K94563344 TMM may crash when processing HTTP/2 traffic
745387-1 CVE-2019-6618 K07702240 Resource-admin user roles can no longer get bash access
745165-1 CVE-2019-6617 K38941195 Users without Advanced Shell Access are not allowed SFTP access
737910-4 CVE-2019-6609 K18535734 Security hardening on the following platforms
703835-5 CVE-2019-6616 K82814400 When using SCP into BIG-IP systems, you must specify the target filename
702472-7 CVE-2019-6615 K87659521 Appliance Mode Security Hardening
698376-5 CVE-2019-6614 K46524395 Non-admin users have limited bash commands and can only write to certain directories
713806-8 CVE-2018-0739 K08044291 CVE-2018-0739: OpenSSL Vulnerability
699977-3 CVE-2016-7055 K43570545 CVE-2016-7055: OpenSSL Vulnerability in NodeJS ILX


Functional Change Fixes

ID Number Severity Solution Article(s) Description
755641-1 2-Critical   Unstable asm_config_server after upgrade, 'Event dispatcher aborted'
744685-2 2-Critical   BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension
744188-1 2-Critical   First successful auth iControl REST requests will now be logged in audit and secure log files
739432 3-Major   F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems
738108-1 3-Major   SCTP multi-homing INIT address parameter doesn't include association's primary address


TMOS Fixes

ID Number Severity Solution Article(s) Description
753642-1 2-Critical   iHealth may report false positive for Critical Malware
752835-2 2-Critical   Mitigate mcpd out of memory error with auto-sync enabled.
750580-1 2-Critical   Installation using image2disk --format may fail after TMOS v14.1.0 is installed
724680-6 2-Critical   OpenSSL Vulnerability: CVE-2018-0732
707013-3 2-Critical   vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest
668041-4 2-Critical K27535157 Config load fails when an iRule comment ends with backslash in a config where there is also a policy.
621260-2 2-Critical   mcpd core on iControl REST reference to non-existing pool
757026-1 3-Major   BIND Update
753564-1 3-Major   Attempt to change password using /bin/passwd fails
751011-3 3-Major   ihealth.sh script and qkview locking mechanism not working
751009-3 3-Major   Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out
750661 3-Major   URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied.
750447-3 3-Major   GUI VLAN list page loading slowly with 50 records per screen
749382-1 3-Major   Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater
746873-1 3-Major   Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing
745825-1 3-Major   The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading
737536-2 3-Major   Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
721585-1 3-Major   mcpd core processing ltm monitors with deep level of inheritance
639619-7 3-Major   UCS may fail to load due to Master key decryption failure on EEPROM-less systems
751636-1 4-Minor   Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership
737423-2 4-Minor   Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
754143-1 2-Critical   TCP connection may hang after finished
747617-2 2-Critical   TMM core when processing invalid timer
742184-3 2-Critical   TMM memory leak
738945-4 2-Critical   SSL persistence does not work when there are multiple handshakes present in a single record
716714-4 2-Critical   OCSP should be configured to avoid TMM crash.
750200-3 3-Major   DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
749294-4 3-Major   TMM cores when query session index is out of boundary
746131-4 3-Major   OpenSSL Vulnerability: CVE-2018-0732
744686-2 3-Major   Wrong certificate can be chosen during SSL handshake
743900-1 3-Major   Custom DIAMETER monitor requests do not have their 'request' flag set
739963-4 3-Major   TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
739349-3 3-Major   LRO segments might be erroneously VLAN-tagged.
724327-2 3-Major   Changes to a cipher rule do not immediately have an effect
720219-3 3-Major K13109068 HSL::log command can fail to pick new pool member if last picked member is 'checking'
717896-4 3-Major   Monitor instances deleted in peer unit after sync
717100-1 3-Major   FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
716167-2 3-Major   The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp
704450-5 3-Major   bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
703593-1 3-Major   TMSH tab completion for adding profiles to virtual servers is not working as expected


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
756094-2 2-Critical   DNS express in restart loop, 'Error writing scratch database' in ltm log


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
752942-1 2-Critical   Live Update cannot be used by Administrator users other than 'admin' and 'root'
750922-1 2-Critical   BD crash when content profile used for login page has no parse parameters set
749136-1 2-Critical   Disk partition /var/log is low on free disk space
748321-1 2-Critical   bd crash with specific scenario
744347-4 2-Critical   Protocol Security logging profiles cause slow ASM upgrade and apply policy
721741-4 2-Critical   BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
754420-1 3-Major   Missing policy name in exported ASM request details
754066-1 3-Major   Newly added Systems are not added as part of installing a Server Technologies update file
753295-1 3-Major   ASM REST: All signatures being returned for policy Signatures regardless of signature sets
750973-1 3-Major   Import XML policy error
750793-2 3-Major   Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition
750686-1 3-Major   ASE user cannot create or modify a bot signature.
750683-1 3-Major   REST Backwards Compatibility: Cannot modify enforcementMode of host-name
750668-1 3-Major   Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition
750666-1 3-Major   Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common'
750356-2 3-Major   Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted
749500-1 3-Major   Improved visibility for Accept on Microservice action in Traffic Learning
749109-3 3-Major   CSRF situation on BIGIP-ASM GUI
748999-3 3-Major   invalid inactivity timeout suggestion for cookies
748848-2 3-Major   Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers
748409-2 3-Major   Illegal parameter violation when json parsing a parameter on a case-insensitive policy
747977-1 3-Major   File manually uploaded information is not synced correctly between blades
747777-3 3-Major   Extractions are learned in manual learning mode
747550-3 3-Major   Error 'This Logout URL already exists!' when updating logout page via GUI
746750-1 3-Major   Search Engine get Device ID challenge when using the predefined profiles
746298-1 3-Major   Server Technologies logos all appear as default icon
745813-1 3-Major   Requests are reported to local log even if only Bot Defense remote log is configured
745624-1 3-Major   Tooltips for OWASP Bot Categories and Anomalies were added
745607-1 3-Major   Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly
745531-2 3-Major   Puffin Browser gets blocked by Bot Defense
742852-1 3-Major   Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header
739945-4 3-Major   JavaScript challenge on POST with 307 breaks application
738676-1 3-Major   Errors when trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests
737866-2 3-Major   Rare condition memory corruption
754365-5 4-Minor   Updated flags for countries that changed their flags since 2010
721724-1 4-Minor   LONG_REQUEST notice print incorrect in BD log


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
746941-2 2-Critical   avrd memory leak when BIG-IQ fails to receive stats information
753446-2 3-Major   avrd process crash during shutdown if connected to BIG-IQ
749464-2 3-Major   Race condition while BIG-IQ updates common file
749461-2 3-Major   Race condition while modifying analytics global-settings
745027-2 3-Major   AVR is doing extra activity of DNS data collection even when it should not
744595-3 3-Major   DoS-related reports might not contain some of the activity that took place
744589-3 3-Major   Missing data for Firewall Events Statistics
715110-1 3-Major   AVR should report 'resolutions' in module GtmWideip


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
752592-1 2-Critical   VMware Horizon PCoIP clients may fail to connect shortly after logout
754346-2 3-Major   Access policy was not found while creating configuration snapshot.
746771-3 3-Major   APMD recreates config snapshots for all access profiles every minute
745654-4 3-Major   Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
743437-3 3-Major   Portal Access: Issue with long 'data:' URL


Service Provider Fixes

ID Number Severity Solution Article(s) Description
749603-1 3-Major   MRF SIP ALG: Potential to end wrong call when BYE received
749227-1 3-Major   MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE
748043-2 3-Major   MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP
747187-2 3-Major   SIP falsely detects media flow collision when SDP is in both 183 and 200 response
745715-2 3-Major   MRF SIP ALG now supports reading SDP from a mime multipart payload
745628-1 3-Major   MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
745514-1 3-Major   MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
745404-4 3-Major   MRF SIP ALG does not reparse SDP payload if replaced
744949-1 3-Major   MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix
744275-1 3-Major   BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
742829-1 3-Major   SIP ALG: Do not translate and create media channels if the RTP port defined in the SIP message is 0


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
747104-1 1-Blocking K52868493 LibSSH Vulnerability: CVE-2018-10933
752363-2 2-Critical   Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled
749331-3 2-Critical   Global DNS DoS vector does not work in certain cases
747922-3 2-Critical   With AFM enabled, during bootup, there is a small possibility of a tmm crash
748176-1 3-Major   BDoS Signature can wrongly match a DNS packet
748081-1 3-Major   Memory leak in BDoS module
747926-2 3-Major   Rare TMM restart due to NULL pointer access during AFM ACL logging


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
726647-5 3-Major   PEM content insertion in a compressed response may truncate some data


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
752782-1 3-Major   'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'
741449-3 4-Minor   alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
738677-1 4-Minor   Configured name of wildcard parameter is not sent in data integrity alerts


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
755378-1 2-Critical   HTTPS connection error from Chrome when BADOS TLS signatures configured
727136-1 3-Major   One dataset contains large number of variations of TLS hello messages on Chrome



Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
745629 2-Critical   Ordering Symantec and Comodo certificates from BIG-IP
713817-1 3-Major   BIG-IP images are available in Alibaba Cloud
738891-1 4-Minor   TLS 1.3: Server SSL fails to increment key exchange method statistics


TMOS Fixes

ID Number Severity Solution Article(s) Description
746424 2-Critical   Patched Cloud-Init to support AliYun Datasource
745851 3-Major   Changed Default Cloud-Init log level to INFO from DEBUG
742251-1 4-Minor   Add Alibaba Cloud support to Qkview


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
749774-5 3-Major   EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
749675-5 3-Major   DNS cache resolver may return a malformed truncated response with multiple OPT records

 

Cumulative fix details for BIG-IP v14.1.0.5 that are included in this release

774881 : Protocol Inspection profiles can be added to a virtual server without Protocol Inspection being licensed.

Component: Protocol Inspection

Symptoms:
Protocol Inspection profiles can be added to a virtual server but are not applied to traffic.

Adding a Protocol Inspection profile now requires either an AFM standalone license or an add-on AFM license that includes the Protocol Inspection module. Otherwise, an error message is shown.

Conditions:
-- AFM is licensed as an add-on module without Protocol Inspection feature.

-- Protocol Inspection profile is configured and added to a virtual server or referenced in a firewall rule.

Impact:
It might appear that the configured Protocol Inspection profile attached to a virtual server or referenced in a firewall rule should work, but in fact, it is not applied to the actual traffic.

Workaround:
None.

Fix:
An error message is shown when trying to apply a Protocol Inspection profile to a virtual server or to a firewall rule having no Protocol Inspection license.


761173-1 : tmm crash after extended whitelist modification

Component: Advanced Firewall Manager

Symptoms:
tmm might crash and restart.

Conditions:
Modifying the whitelist extended entry in tmsh.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The tmm process no longer crashes when modifying the whitelist extended entry in tmsh.


760222 : SCP fails unexpectedly when FIPS mode is enabled

Component: TMOS

Symptoms:
Secure Copy (scp) to some locations fails with the following message:
Path not allowed.

Conditions:
-- FIPS mode is enabled.
-- Copying a file to a restricted location using SCP.

Impact:
Cannot use SCP to copy to restricted locations on the BIG-IP system.

Workaround:
None.

Fix:
This scp issue no longer occurs when FIPS cards are installed.


758536 : Traffic Intelligence IM pkg for 14.1.0 fails to install on base build version 14.1.0.x

Component: Traffic Classification Engine

Symptoms:
Traffic Intelligence IM pkg for v14.1.0 fails to install on base build version v14.1.0.1 through v14.1.0.4. This is due to strict version check in upgrade scripts.

Conditions:
When hitless upgrade for traffic intelligence with version 14.1.0 is used on base build v14.1.0.1 through v14.1.0.4.

Impact:
The process fails to load/install. The system does not receive the latest traffic intelligence signatures.

Workaround:
There is no workaround other than requesting a purpose-built traffic intelligence IM for that particular build.

Fix:
You can now install the 14.1.0 IM on any other 14.1.0.x minor version update.


757088-1 : TMM clock advances and cluster failover happens during webroot db nightly updates

Component: Traffic Classification Engine

Symptoms:
Webroot database mapping and unmapping takes a very long amount of time on TMM, so you might see clock advances occur. The long interval might result in a failover/state-transition in clustered environment.

Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.

Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.

Workaround:
You can avoid this issue by disabling BrightCloud updates; however, your environments will miss the latest updates as a result.

# vi /etc/wr_urldbd/bcsdk.cfg
  DoBcap=true
  DoRtu=false
  DownloadDatabase=false

Fix:
Mapping/Unmapping the database is done asynchronously and the delay is reduced so that the CDP failover doesn't happen.


757027-1 : BIND Update

Solution Article: K01713115


757026-1 : BIND Update

Component: TMOS

Symptoms:
Upgrade BIND to 9.11.5-P4 per recommendation from ISC

Conditions:
GTM provisioned.

Impact:
BIND not up-to-date

Workaround:
None.

Fix:
Upgrade to BIND 9.11.5-P4


757025-1 : BIND Update

Solution Article: K00040234


756774-6 : Aborted DNS queries to a cache may cause a TMM crash

Solution Article: K24401914


756094-2 : DNS express in restart loop, 'Error writing scratch database' in ltm log

Component: Global Traffic Manager (DNS)

Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd

Conditions:
An update to an SOA record (and only an SOA) is received through an incremental zone transfer update (IXFR).

Impact:
Zone updates from the DNS master servers are not processed.

Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, use the following commands, in sequence:

   bigstart stop zxfrd
   rm /shared/zxfrd/*
   bigstart start zxfrd

Note: DNS express will not be able to service DNS responses until the zone transfers have completed. For this reason, this procedure should be carried out on the standby device, if possible.

Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.
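
One way to spot the restart loop described for ID 756094 from the log alone, as an added example (not F5 code): the function below looks for a burst of the 'Error writing scratch database' message inside a short time window. The sample log lines, the host name, the function name and the thresholds are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect the zxfrd restart loop from ID 756094 in /var/log/ltm.

# Constructed log excerpt. Host name, PIDs and timestamps are made up; the
# zxfrd message text is the one quoted in the symptom description above.
sample_ltm_log() {
  cat <<'EOF'
Mar 27 01:00:00 bigip1 notice mcpd[5012]: constructed unrelated line
Mar 27 02:10:01 bigip1 err zxfrd[8101]: Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
Mar 27 02:10:07 bigip1 err zxfrd[8140]: Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
Mar 27 02:10:13 bigip1 err zxfrd[8177]: Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
Mar 27 02:10:19 bigip1 err zxfrd[8213]: Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
EOF
}

# detect_zxfrd_loop MIN WINDOW
# Reads syslog-style lines on stdin (time of day in field 3) and prints
#   LOOP <total errors> <timestamp of first error in the burst>
# when at least MIN scratch-database errors fall within WINDOW seconds,
# otherwise
#   NOLOOP <total errors>
detect_zxfrd_loop() {
  min=${1:-3}
  window=${2:-60}
  awk -v min="$min" -v win="$window" '
    /zxfrd/ && /Error writing scratch database/ {
      split($3, hms, ":")
      s = hms[1] * 3600 + hms[2] * 60 + hms[3] + day
      # Time of day went backwards: the log crossed midnight.
      if (n > 0 && s < t[n]) { day += 86400; s += 86400 }
      t[++n] = s
      stamp[n] = $1 " " $2 " " $3
      # Sliding window over the last MIN errors.
      if (!hit && n >= min + 0 && t[n] - t[n - min + 1] <= win + 0) {
        hit = 1
        first = stamp[n - min + 1]
      }
    }
    END {
      if (hit) print "LOOP", n, first
      else     print "NOLOOP", n + 0
    }'
}

# Stand-alone demo on the constructed sample.
sample_ltm_log | detect_zxfrd_loop 3 60   # prints: LOOP 4 Mar 27 02:10:01
```

On a live system the same function can read the real file, for example `detect_zxfrd_loop 3 60 < /var/log/ltm`.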


755817 : v14.1.0.5 includes Guided Configuration 4.1

Component: Access Policy Manager

Symptoms:
Guided Configuration is not upgraded automatically with each release; it must be manually upgraded between versions. It should be bundled into the release.

Version 14.1.0.5 includes Guided Configuration 4.1.

Conditions:
Upgrading Guided Configuration.

Impact:
Have to manually upgrade Guided Configuration.

Workaround:
Manually upgrade Guided Configuration.

Fix:
Guided Configuration v4.1 is bundled into BIG-IP software v14.1.0.5 and no longer requires manual upgrade.

Behavior Change:
Guided Configuration v4.1 is bundled into BIG-IP software v14.1.0.5. For versions earlier than 14.1.0.5 (e.g., 14.1.0.0), you had to upgrade Guided Configuration manually. That is no longer necessary.


755641-1 : Unstable asm_config_server after upgrade, 'Event dispatcher aborted'

Component: Application Security Manager

Symptoms:
Ignored suggestions for Multiple decoding or HTTP Protocol Settings present after upgrading a unit to 14.1.0 can cause the asm_config_server and pabnagd processes to enter restart loops.

Conditions:
1) On a 13.1.x system send traffic that will generate suggestions for Max Decoding Passes, Maximum Headers, and/or Maximum Parameters.
2) Set those Suggestions to be Ignored.
3) Upgrade to 14.1.0.

Impact:
-- Multiple asm_config_server restarts.
-- System instability, including inability to manage ASM settings or use traffic learning.
-- No local logging.

Workaround:
You can use either of the following workarounds:

A) Delete any such ignored suggestions using the following SQL command:
 > DELETE FROM PL_SUGGESTIONS WHERE element_type IN (7,193,75);

B) Delete any such ignored suggestions before upgrade using the GUI/REST/SQL.

Fix:
The system now handles removed Entity types during upgrade for Ignored Suggestions: Ignored suggestions for Multiple decoding or HTTP Protocol Settings are removed during upgrade. You must reconfigure the Ignore settings after upgrade.

Behavior Change:
Refactoring in 14.1.0 modified the functionality of the following Entity types: Max Decoding Passes, Maximum Headers, and/or Maximum Parameters. Ignored suggestions for Multiple decoding or HTTP Protocol Settings are removed during upgrade, so you must reconfigure the Ignore settings after upgrade.


755378-1 : HTTPS connection error from Chrome when BADOS TLS signatures configured

Component: Anomaly Detection Services

Symptoms:
HTTPS connection error occurs. The system posts the following ltm.log warnings:

-- warning tmm1[25112]: 01260009:4: Connection error: ssl_basic_crypto_cb:694: Decryption error (20)
-- warning tmm1[25112]: 01260009:4: Connection error: hud_ssl_handler:1941: codec alert (20)

Conditions:
-- BADOS TLS signatures configured.
-- DoS profile is attached to a virtual server.
-- Using Google Chrome browser.

Impact:
HTTPS virtual server is not responsive.

Workaround:
Turn off TLS signatures flag.

Fix:
HTTPS connection error no longer occurs when connecting from Chrome to virtual server with TLS signature BADOS protection.


754541-2 : Reconfiguring an iApp that uses a client SSL profile fails

Component: TMOS

Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:

-- A virtual server is created but no client SSL profile is applied.
-- In the /var/log/ltm file, the system logs messages similar to the following example:

err mcpd[6434]: 01b4002b:3: Client SSL profile (/Common/Example.app/Example_client-ssl): the profile has no RSA cert/key pair that can be modified. To add RSA cert/key, please use [cert-key-chain add]

Conditions:
This issue occurs when the following conditions are met:

-- Attempting to reconfigure an iApp.
-- The iApp contains a client SSL profile.

Impact:
The system fails to create and apply the client SSL profile to the virtual server.

Workaround:
To work around this issue, you can temporarily disable SSL in the iApp, and then enable it again.

Impact of workaround:
Reconfiguring your iApp reconfigures all BIG-IP objects associated with the iApp. This might cause service disruptions to the application the iApp has been deployed for.

1. Navigate to the impacted iApp in GUI:
iApps :: Application Services : Applications :: Example.
 
2. Find the setting associated with the client SSL profile, often titled "How should the BIG-IP system handle SSL traffic?"

3. Change the associated setting to one that does not imply the use of SSL, for example: "Plain text to and from both clients and servers."

4. Press the Reconfigure button.

5. Return to the same question and change the field back to its original setting.

6. Press the Reconfigure button once more.

Fix:
Reconfiguring an iApp that uses a client SSL profile now succeeds as expected.


754420-1 : Missing policy name in exported ASM request details

Component: Application Security Manager

Symptoms:
No Policy name in exported ASM Request details.

Conditions:
This is encountered when viewing the Security Events Report.

Impact:
Missing policy name in request details.

Workaround:
None.

Fix:
Policy name is now displayed in exported ASM request details.


754365-5 : Updated flags for countries that changed their flags since 2010

Component: Application Security Manager

Symptoms:
Old flags for countries that changed their flags since 2010.

Conditions:
Requests from one of the following countries:
-- Myanmar
-- Iraq
-- Libya

Impact:
Old flag is shown.

Workaround:
None.

Fix:
The three flags are now updated in ASM.


754346-2 : Access policy was not found while creating configuration snapshot.

Component: Access Policy Manager

Symptoms:
APMD fails to create configuration snapshot with the following error:

-- err apmd[16675]: 01490000:3: AccessPolicyProcessor/AccessPolicyProcessor.cpp func: "dispatchEvent()" line: 1195 Msg: EXCEPTION AccessPolicyProcessor/ProfileAccess.cpp line:234 function: snapshotConfigVariables - AccessPolicy ("/Common/myPolicy") not found while creating configuration snapshot!!!!

If you attempt to modify the policy in question, the system reports a second error:

-- err apmd[16675]: 01490089:3: 00000000: Configuration change notification received for an unknown access profile: /Common/myPolicy

Conditions:
TMM restarts and a new access policy is added before TMM is fully up and running.

Impact:
Configuration snapshot is not created, and users cannot log on.

Workaround:
Recreate the access profile when TMM is stable.


754143-1 : TCP connection may hang after finished

Component: Local Traffic Manager

Symptoms:
TCP connections hang. Memory usage increases. TMM restarts.

Numerous hanging connections reported similar to the following:
-- config # tmsh show sys conn protocol tcp
Sys::Connections
165.160.21.1:5854 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5847 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5890 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5855 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5891 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none

Conditions:
Pool member fails to respond with an ACK to BIG-IP system serverside FIN. The BIG-IP system serverside connection eventually times out, and the clientside connection is orphaned.

Impact:
Those connections hang indefinitely (even past the idle timeout). Memory increases, eventually leading to a possible TMM out-of-memory condition, requiring a TMM restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TCP connections no longer hang under these conditions.
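
An added example (not part of the F5 release notes or tooling) that picks the orphaned flows from ID 754143 out of the connection table. It assumes the sixth column of each `tmsh show sys conn` line is the idle time in seconds, that `any6.any` in both server-side columns marks a flow with no server side, and that 300 seconds is the idle timeout in use; the function names and the last two sample lines are constructed.

```shell
#!/bin/sh
# Added example: find client-side flows that outlive the idle timeout with
# no server side, the pattern shown in the symptom text for ID 754143.
# Assumed column layout of each connection line:
#   cs-client cs-server ss-client ss-server proto idle-seconds (tmm: N) ...

# Sample input. The first five flows are the ones quoted in the symptom
# text; the last two are constructed (one healthy flow, one flow that has
# no server side yet but is still well inside the idle timeout).
sample_conn_output() {
  cat <<'EOF'
Sys::Connections
165.160.21.1:5854 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5847 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5890 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5855 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5891 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
192.0.2.10:40112 195.245.21.252:443 198.51.100.5:40112 203.0.113.20:8443 tcp 12 (tmm: 1) none none
192.0.2.11:40200 195.245.21.252:443 any6.any any6.any tcp 3 (tmm: 1) none none
EOF
}

# list_orphaned_conns [IDLE_LIMIT]
# Reads connection-table text on stdin and prints "client server idle tmm"
# for every TCP flow whose server side is any6.any and whose idle time is
# above IDLE_LIMIT seconds (default 300, an assumed idle timeout).
list_orphaned_conns() {
  limit=${1:-300}
  awk -v limit="$limit" '
    $5 == "tcp" && $3 == "any6.any" && $4 == "any6.any" &&
    $6 ~ /^[0-9]+$/ && $6 + 0 > limit + 0 {
      tmm = $8
      sub(/\)$/, "", tmm)      # "0)" -> "0"
      print $1, $2, $6, tmm
    }'
}

# summarize_orphaned [IDLE_LIMIT]
# Prints "destination count max-idle" per client-side destination, busiest
# first, so the affected virtual server stands out.
summarize_orphaned() {
  list_orphaned_conns "$1" | awk '
    { n[$2]++; if ($3 + 0 > max[$2] + 0) max[$2] = $3 }
    END { for (v in n) print v, n[v], max[v] }' | sort -k2,2nr
}

# Stand-alone demo on the sample above.
sample_conn_output | summarize_orphaned 300   # prints: 195.245.21.252:443 5 449
```

On a BIG-IP system the input would come from the command shown in the symptom text, for example `tmsh show sys conn protocol tcp | summarize_orphaned 300`.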


754066-1 : Newly added Systems are not added as part of installing a Server Technologies update file

Component: Application Security Manager

Symptoms:
Newly added Systems are not added as part of installing a Server Technologies update file, which prevents acceptance of Server Technology suggestion.

Conditions:
A Server Technology update file containing newly added Systems is installed.

Impact:
A suggestion to add a Server Technology using a newly added System cannot be accepted.

Workaround:
The corresponding ASM Signature update file must be loaded first.

Fix:
Newly added Systems are added correctly after installing Server Technology update file.


753642-1 : iHealth may report false positive for Critical Malware

Component: TMOS

Symptoms:
A minor change in the way qkview reports executable filenames may cause iHealth to interpret the presence of malware.

Conditions:
qkview files produced by 14.1.0 when uploaded to ihealth.f5.com

Impact:
iHealth may report a false positive for malware.

Workaround:
Ignore critical errors for malware reported by iHealth for version 14.1.0 only.

Fix:
This is fixed in 14.1.0.1


753564-1 : Attempt to change password using /bin/passwd fails

Component: TMOS

Symptoms:
When we run /bin/passwd as root:
passwd.bin: unable to start pam: Critical error - immediate abort
 Failed to change user's password. Exiting.

If we then do /bin/ausearch -m avc -ts recent, we see a lot of selinux denials for passwd.bin.

Conditions:
No special conditions needed

Impact:
Root/admin user cannot change password using the standard /bin/passwd executable.

Workaround:
The workaround would be to disable selinux, change the password and re-enable selinux:

# setenforce Permissive
# passwd
# setenforce Enforcing


Alternatively, one can use the tmsh commands to change the passwords: tmsh modify auth password root

Lastly, if one wishes to modify the SELinux policy, there is the standard way of doing this:

# ausearch -c passwd.bin --raw | audit2allow -M mypasswd
# semodule -i mypasswd.pp

Fix:
With the fix, /bin/passwd.bin is no longer denied by SELinux, and /bin/passwd works as expected.


753446-2 : avrd process crash during shutdown if connected to BIG-IQ

Component: Application Visibility and Reporting

Symptoms:
During shutdown of BIG-IP, if it is connected to BIG-IQ then avrd might crash.

Conditions:
BIG-IP is set to shutdown and configured to send statistics to BIG-IQ.

Impact:
No serious impact, since the BIG-IP is already instructed to shutdown, so the process crash is not causing any damage.

Workaround:
N/A

Fix:
Issue is fixed, avrd does not crash during shutdown


753295-1 : ASM REST: All signatures being returned for policy Signatures regardless of signature sets

Component: Application Security Manager

Symptoms:
By default, only signatures that are included in the Security Policy enforcement via the Policy's Signature Sets should be included in the response to /tm/asm/policies/<ID>/signatures. Instead, all signatures are returned.

Additionally, there should be the capability to $filter for either signatures that are in the policy or not in the policy.

These filters are not working.

Conditions:
ASM REST/GUI is used to determine the number of signatures enabled on a Security Policy

Impact:
More data than expected will be returned to REST clients, which may cause confusion.
Learning statistics/graphs may have confusing/incorrect numbers.

Workaround:
None

Fix:
inPolicy $filter works again, and the default behavior only returns the signatures that are in the policy.


752942-1 : Live Update cannot be used by Administrator users other than 'admin' and 'root'

Component: Application Security Manager

Symptoms:
When users configured with the Administrator role log into the system, they are not allowed to install security update files on the new live-update page:
System :: Software Management : Live Update

Conditions:
Logged in BIG-IP user is not 'admin' (the built-in Administrator account for the TMUI) or 'root' (the built-in Administrator account for the TMSH).

Impact:
Cannot apply security updates.

Workaround:
To install the security updates, log in as 'admin' or a BIG-IP user configured as a web-application-security-administrator or web-application-security-editor (role must be configured on all partitions or at least on the Common partition).

Fix:
Any BIG-IP user configured as Administrator can now apply security updates.


752835-2 : Mitigate mcpd out of memory error with auto-sync enabled.

Component: TMOS

Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it will exponentially get further behind due to extra sync data, leading to the sending mcpd running out of memory and core dumping.

Conditions:
-- Auto-sync enabled in an HA pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.

Impact:
mcpd crashes.

Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.

Fix:
This is not a complete fix. It is still possible for mcpd to run out of memory due to a peer not processing sync messages quickly enough. It does, however, make it more difficult for this scenario to happen, so configuration changes with auto-sync on can be sent somewhat more quickly without crashing mcpd as often.


752782-1 : 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'

Component: Fraud Protection Services

Symptoms:
The 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.

Conditions:
FPS Provisioning and a DataSafe license.

Impact:
The menu name has changed in this release.

Workaround:
None.

Fix:
'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.


752592-1 : VMware Horizon PCoIP clients may fail to connect shortly after logout

Component: Access Policy Manager

Symptoms:
Sometimes, if a user closes an open PCoIP desktop, logs out, and then logs in again, the user cannot launch the same desktop.

Conditions:
PCoIP UDP VS has "vdi" profile assigned.

Impact:
Users cannot open the PCoIP remote desktop for a short time period (1 minute).

Workaround:
Remove "vdi" profile and assign "remotedesktop" profile to the PCoIP UDP VS:
# tmsh modify ltm virtual <PCoIP UDP VS> profiles delete { vdi }
# tmsh modify ltm virtual <PCoIP UDP VS> profiles add { remotedesktop }

In the admin UI, the assignment of the "remotedesktop" profile can be controlled via the "Application Tunnels (Java & Per-App VPN)" checkbox (right under the "VDI Profile" dropdown).

Fix:
Assignment of "vdi" profile to PCoIP UDP VS does not cause intermittent connection problems anymore.


752363-2 : Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled

Component: Advanced Firewall Manager

Symptoms:
Client request fails, due to being dropped on the BIG-IP system.

Conditions:
-- The BIG-IP AFM L4 BDoS feature is enabled.
-- Virtual server setup is such that the client-facing virtual server's destination is forwarded through another virtual server, which is an internally forwarded flow.

Impact:
Client request gets dropped due to BIG-IP AFM dropping the flow.

Workaround:
Disable BDoS feature. The feature can be disabled using the following commands:

-- To disable BDoS globally, run the following command:
modify security dos device-config dos-device-config dynamic-signatures { network { detection disabled mitigation none }}

-- To disable BDoS globally per-profile, run the following commands:
modify security dos profile <profile-name> dos-network modify { test { dynamic-signatures { detection disabled mitigation none } } }
modify security dos profile test protocol-dns modify { test { dynamic-signatures { detection disabled mitigation none } } }

Fix:
The system now handles the looped flows properly, so the BDoS module does not incorrectly cause the packet to be dropped.


751869-2 : Possible tmm crash when using manual mode mitigation in DoS Profile

Component: Advanced Firewall Manager

Symptoms:
tmm crash and restart is possible when using manual mode mitigation in DoS Profile.

Conditions:
When manual mode mitigation is used for any vector that is enabled in the DoS Profile that is attached to a Protected Object.

Impact:
tmm crash and restart is possible. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm crash and restart no longer occurs when using manual mode mitigation in DoS Profile.


751824-1 : Restore old 'merge' functionally with new tmsh verb 'replace'

Component: TMOS

Symptoms:
Prior to v12.1.3.4, the 'merge' command merged a specified config with the existing config, replacing certain conflicting values. In this release, the merge command operates differently, so there is a new command, 'replace', to now perform the operation previously accomplished with 'merge'.

Conditions:
Running the following command:
tmsh load /sys config file <scf-filename> merge

Impact:
Operation does not work like it did in previous releases.

Workaround:
None.

Fix:
This release restores the merge functionality from v12.x and earlier with a new tmsh verb: replace. The new TMSH command is as follows:
tmsh load sys config file <filepath> replace

Behavior Change:
This release restores the merge functionality from v12.x and earlier with a new tmsh verb: replace. The new TMSH command is as follows:
tmsh load sys config file <filepath> replace

The merge command now operates as follows:
-- Previously: if a top-level object (virtual server) existed in the config and also in the merge file, the top-level object was replaced.
-- Now: if a top-level object (virtual server) exists in both, the top-level object is recursively merged. (Pool members are merged together. LTM virtual server profiles are merged together (appended vs. replace-all-with)).
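The difference between the two verbs, as an added example that is not F5 code: a simplified model of 'replace' versus the new recursive 'merge', plus a check for entries the loaded file omits but that survive the load. The dict layout, function names and sample objects are assumptions made for illustration.

```python
import copy

# Constructed sample objects; names, addresses and profile names are illustrative.
RUNNING = {
    "ltm pool web_pool": {
        "monitor": "http",
        "members": ["10.0.0.10:80", "10.0.0.11:80"],
    },
    "ltm virtual vs_web": {
        "pool": "web_pool",
        "profiles": ["tcp", "http", "clientssl-legacy"],
    },
}
MERGE_FILE = {
    "ltm pool web_pool": {
        "monitor": "https",
        "members": ["10.0.0.11:80", "10.0.0.12:80"],
    },
    "ltm virtual vs_web": {
        "pool": "web_pool",
        "profiles": ["tcp", "http", "clientssl-hardened"],
    },
}


def load_replace(running, incoming):
    """'replace' verb (the old 'merge'): a top-level object present in both
    configs is replaced wholesale by the definition from the file."""
    result = copy.deepcopy(running)
    for name, obj in incoming.items():
        result[name] = copy.deepcopy(obj)
    return result


def merge_value(old, new):
    """Recursive merge: dicts are merged key by key, lists are appended."""
    if isinstance(old, dict) and isinstance(new, dict):
        merged = copy.deepcopy(old)
        for key, value in new.items():
            if key in merged:
                merged[key] = merge_value(merged[key], value)
            else:
                merged[key] = copy.deepcopy(value)
        return merged
    if isinstance(old, list) and isinstance(new, list):
        return list(old) + [item for item in new if item not in old]
    # Assumption of this model: on a scalar conflict the value from the file wins.
    return copy.deepcopy(new)


def load_merge(running, incoming):
    """'merge' verb as it now operates: top-level objects present in both
    configs are merged recursively instead of being replaced."""
    return merge_value(running, incoming)


def stale_entries(running, incoming, loader):
    """List entries that the file omits but that remain after the load, for
    every top-level object present in both configs."""
    after = loader(running, incoming)
    stale = {}
    for name, wanted in incoming.items():
        if name not in running:
            continue
        for key, value in after[name].items():
            if isinstance(value, list):
                extra = [item for item in value if item not in wanted.get(key, [])]
                if extra:
                    stale.setdefault(name, {})[key] = extra
    return stale


if __name__ == "__main__":
    for verb, loader in (("replace", load_replace), ("merge", load_merge)):
        print(verb, "->", stale_entries(RUNNING, MERGE_FILE, loader))
```

In this model a file meant to swap a pool member or an SSL profile leaves the old entry in place under 'merge', so a load that is expected to remove something needs 'replace'.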


751636-1 : Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership

Component: TMOS

Symptoms:
After downgrading from BIG-IP version 14.1.0 to an earlier version, the group IDs of /var/lock and /var/spool/mail are incorrect. This can be encountered after you boot into the earlier-versioned software image. /var/log/liveinstall.log contains the following messages:

-- info: RPM: filesystem-2.4.30-3.el6.0.0.10.i686
-- info: RPM: warning: group lock does not exist - using root
-- info: RPM: warning: group mail does not exist - using root

When running the following command:
config # rpm -V filesystem
......G.. /var/lock
......G.. /var/spool/mail

The expected results are as follows:
config # rpm -V filesystem
config # stat -c %G /var/lock
lock
config # stat -c %G /var/spool/mail
mail

In this version, the results are as follows:
config # rpm -V filesystem
config # stat -c %G /var/lock
root
config # stat -c %G /var/spool/mail
root

Conditions:
-- BIG-IP version 14.1.0 is running.
-- An earlier software version is installed.
-- The system is then booted into that earlier version.

Impact:
There is no known impact to the system if this occurs; however, running rpm -V will report these two discrepancies.

This occurs because rpm versions 4.8 and earlier have built-in recognition of exactly three group names: 'root', 'mail', and 'lock'. In v4.8, these special names appear in <src>/lib/misc.c:gnameToGid. To use the group names 'mail' and 'lock' as intended, all BIG-IP releases earlier than BIG-IP v14.1.0 rely on this special feature of rpm.

BIG-IP v14.1.0 moved to rpm version 4.11, in which the function no longer exists.

Workaround:
From a shell, correct the group ID of the two affected directories using the following two commands:

config # chgrp lock /var/lock
config # chgrp mail /var/spool/mail


751011-3 : ihealth.sh script and qkview locking mechanism not working

Component: TMOS

Symptoms:
Two qkviews can be started up on a system at the same time, which results in conflicts for each.

Conditions:
Running qkview on one terminal and then ihealth.sh in another.

Impact:
Running of two qkviews at the same time breaks both qkviews since they compete for the same files.

Workaround:
Run either qkview or ihealth.sh, not both simultaneously.

Fix:
Starting a qkview and then running ihealth.sh halts immediately as the system detects that qkview is running.


751009-3 : Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out

Component: TMOS

Symptoms:
After generating a Qkview or collecting a tcpdump via the BIG-IP GUI, or using the 'tmsh run util ihealth' command to do the equivalent, the /var/tmp/mcpd.out file is missing.

Conditions:
-- Generating a Qkview or collecting a tcpdump via the BIG-IP GUI.
-- Using the 'tmsh run util ihealth' command to do the equivalent operation.

Impact:
The file /var/tmp/mcpd.out is a debug file used by mcpd, primarily for collecting debug-level log information from MCPD.

The file being deleted causes challenges with trying to collect diagnostic information from a BIG-IP system (turning on mcpd debug logging), because it now requires a service impact (restarting mcpd).

Additionally, this may cause challenges in managing disk space on the /shared filesystem, as mcpd keeps writing to a deleted file, and it cannot be truncated.

Workaround:
Generating Qkviews by invoking the 'qkview' command directly avoids this issue.

Edit the /usr/bin/ihealth.sh script to remove the corresponding line.

From a bash shell:
1. mount -o remount,rw /usr
2. /bin/cp /usr/bin/ihealth.sh{,751009.bak}
3. sed -i '/\/bin\/rm -f \/var\/tmp\/mcpd.out/d' /usr/bin/ihealth.sh
4. mount -o remount,ro /usr

Note: This workaround does not persist across software installs/upgrades, nor does it ConfigSync or replicate across blades in a VIPRION chassis.

Fix:
The problem line has been removed from the script, so this mcpd debug file is left alone (not deleted) after running ihealth.sh. Note that the GUI version of running qkview uses ihealth.sh script.


750973-1 : Import XML policy error

Component: Application Security Manager

Symptoms:
Import XML policy fails with errors:
--------
The security policy file does not conform to the schema and cannot be imported
element attack_type: Schemas validity error : Element
'attack_type': 'Web Scraping' is not a valid value
--------

Conditions:
-- A user-defined Signature Set having Attack Type 'Web Scraping' defined.

-- This Signature Set is included in an exported XML policy.

Impact:
Schema validation on XML policy import fails. Import XML policy fails with errors.

Workaround:
Use binary policy export/import.

Fix:
This release fixes the XML policy export/import process to not fail or produce Attack Type 'Web Scraping'-related errors.


750922-1 : BD crash when content profile used for login page has no parse parameters set

Component: Application Security Manager

Symptoms:
Bd crashes. No traffic goes through ASM.

Conditions:
-- A Json Login page is configured.
-- The content profile used for the login page does not have parse parameters set.

Impact:
No traffic goes through ASM. Bd crashes.

Workaround:
Set the parse parameters setting.

Fix:
BD no longer crashes when the content profile used for login page has no parse parameters set.


750793-2 : Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition

Component: Application Security Manager

Symptoms:
Removing Bot/Logging/Security Service profiles that were created in a user-defined partition fails via GUI.

Conditions:
Attempting to delete Bot/Logging/Security Service profiles that were created in a user-defined partition.

Impact:
The Bot/Logging/Security Service Profile cannot be deleted via GUI.

Workaround:
Remove Bot/Logging/Cloud Security Service profiles via TMSH.

Fix:
You can now remove Bot profiles, Logging profiles, and Cloud Security Service profiles from user-defined partition.


750686-1 : ASE user cannot create or modify a bot signature.

Component: Application Security Manager

Symptoms:
Application Security Editor user role gets a validation exception while trying to create or modify bot defense signature either via GUI, tmsh, or REST.

Conditions:
The logged on user account is configured with an Application Security Editor role.

Impact:
Application Security Editor unable to define user-defined signatures for bot defense module.

Workaround:
Change user role to Administrator or Web Application Security Administrator to create or modify bot defense signatures.

Fix:
User accounts configured for Application Security Editor can now create/modify bot defense signatures.


750683-1 : REST Backwards Compatibility: Cannot modify enforcementMode of host-name

Component: Application Security Manager

Symptoms:
Modifying the enforcementMode value fails with the following message: Valid Host Name already exists in this policy.

In 14.1.0, the capability to treat specific domains as Transparent while the rest of the policy is in Blocking moved from Host Names to the new Microservices feature. The REST endpoint for Host Names (/mgmt/tm/asm/policies/<ID>/host-names) is meant to still support setting and modifying this attribute. However, this is not happening successfully.

Conditions:
-- Running version 14.1.0 software.
-- Using a pre-14.1.0 REST API to modify the enforcementMode of a host name (/mgmt/tm/asm/policies/<ID>/host-names).

Impact:
The value change fails.

Workaround:
You can use either workaround:

-- Change the value using the GUI.

-- Use the newer endpoint: (/mgmt/tm/asm/policies/<ID>/microservices).

Fix:
Using the backwards compatible REST to update the enforcementMode of a host name now succeeds.


750668-1 : Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition

Component: Application Security Manager

Symptoms:
Removing Bot/Logging/Security Service profiles that were created in a user-defined partition fails via GUI.

Conditions:
Attempting to delete Bot/Logging/Security Service profiles that were created in a user-defined partition.

Impact:
The Bot/Logging/Security Service Profile cannot be deleted via GUI.

Workaround:
Remove Bot/Logging/Cloud Security Service profiles via TMSH.

Fix:
You can now remove Bot profiles, Logging profiles, and Cloud Security Service profiles from user-defined partition.


750666-1 : Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common'

Component: Application Security Manager

Symptoms:
For any partition other than 'Common' (i.e., a user-defined partition), you cannot create a new Bot Signature or Bot Category Signature via the GUI, because the form fields and buttons are disabled (grayed out).

Conditions:
-- Creating Bot Signature/Bot Category Signature.
-- The partition is set to a user-defined partition.

Impact:
No creation of Bot Signature/Bot Category Signature can be completed through GUI in a user-defined partition.

Workaround:
Create Bot Signature/Bot Category Signature in TMSH.

Fix:
Can now create Bot Signature/Bot Category Signature in user partition different from 'Common'.


750661 : URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied.

Component: TMOS

Symptoms:
A regression in configuration processing causes LTM Rewrite profile to ignore configured URI translation rules.

Conditions:
Using an LTM Rewrite profile of type 'uri-translation' with URI translation rules configured.

Impact:
URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied.

Workaround:
None.

Fix:
Restored functionality of LTM Rewrite URI translation rules.


750580-1 : Installation using image2disk --format may fail after TMOS v14.1.0 is installed

Component: TMOS

Symptoms:
When v14.1.0 is installed, subsequent installations of software performed using image2disk with the --format=volumes option from within a TMOS installation slot may fail.

The failure occurs after the disks have been formatted, but before the TMOS installation slot is bootable, and the system is left without a TMOS installation slot.

While performing the installation, the system posts messages similar to the following in the serial console:

-- info: tm_install::RPM::rpm_db_find_by_namearch -- not found : MySQL-shared/i686
   ...
-- info: tm_install::VolumeSet::VolumeSet_install_packages -- installing package MySQL-shared (i686)
-- info: tm_install::RPM::rpm_db_find_by_namearch -- not found : openssl/x86_64
    ...
-- info: tm_install::VolumeSet::VolumeSet_install_packages -- installing package openssl (x86_64)
-- info: capture: status 32512 returned by command: chroot /mnt/tm_install/1258.DHwcwN rpm --rebuilddb
    ...
-- info: chroot: failed to run command 'rpm': No such file or directory

Conditions:
This issue occurs when all of the following conditions are met:
-- Version 14.1.0 is installed on the system, even if the system never boots into the 14.1.0 installation slot.
-- Using image2disk with the --format=volumes option specified from TMOS.
-- Installing another version of the software.


In particular, this issue affects MOS version 2.12.0-140.0, which can be checked by running this command from a bash shell on the BIG-IP system:

     grub_default -d | grep -A6 'TMOS maintenance' | grep 'TIC_STATIC_VERSION'

Impact:
The installation fails, and the system is left in a state where it is not accessible on the network and has no configuration. You must use the console to access the system.

Workaround:
You can use the following workarounds:

-- Use the Software Management screens in the GUI to perform installations
-- Use the tmsh 'sys software' commands to perform software installations.
-- Do not use the image2disk --format command to install software.


750477-1 : LTM NAT does not forward ICMP traffic

Component: Advanced Firewall Manager

Symptoms:
ICMP traffic that matches an LTM NAT object on a BIG-IP system is not forwarded; instead, it is dropped on the BIG-IP system.

Conditions:
-- LTM NAT object is configured on the BIG-IP system.
-- The BIG-IP system receives ICMP traffic matching the LTM NAT object.

Impact:
Client ICMP traffic (matching LTM NAT) is not forwarded to the destination causing traffic disruption.

Workaround:
None.

Fix:
ICMP traffic matching an LTM NAT object is now forwarded to the destination as expected.


750447-3 : GUI VLAN list page loading slowly with 50 records per screen

Component: TMOS

Symptoms:
The GUI VLAN list page loads slowly when there are 3200+ VLANs and the Records Per Screen Preference is set to 50.

Conditions:
-- Using a VIPRION system.
-- Configuration containing 3200 or more VLANs.
-- System Preferences Records Per Screen set to 50.

Impact:
Cannot use the page.

Workaround:
Use tmsh or guishell tool to see the VLANs.

You can also try using a smaller value for the Records Per Screen option in System :: Preferences.

Fix:
Improved data retrieval and rendering for the VLAN list page.


750356-2 : Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted

Component: Application Security Manager

Symptoms:
In any Split View page (Request Log, Learning, etc.): All user-defined filters are removed if you delete a newly created filter without reloading the page first.

Conditions:
-- Create a new filter.
-- Remove the new filter.

Impact:
The system removes all user-defined filters.

Workaround:
Before you delete a newly created filter, reload the page.

Fix:
Filter removal now completes successfully for all scenarios.


750292-2 : TMM may crash when processing TLS traffic

Solution Article: K54167061


750200-3 : DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode

Component: Local Traffic Manager

Symptoms:
DHCP requests from the client are sent only to the first member in the DHCP server pool.

Conditions:
- BIG-IP system configured as a DHCP Relay.
- DHCP server pool contains more than one DHCP server.

Impact:
- DHCP server load balancing is not achieved.
- If the first DHCP server in the DHCP server pool does not respond or is unreachable, the DHCP client will not be assigned an IP address.

Workaround:
None.


749879-2 : Possible interruption while processing VPN traffic

Solution Article: K47527163


749774-5 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled

Component: Global Traffic Manager (DNS)

Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.

Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.

Impact:
Inconsistent behavior.

Workaround:
None.

Fix:
In this release, responses are now consistent when caching is enabled.


749675-5 : DNS cache resolver may return a malformed truncated response with multiple OPT records

Component: Global Traffic Manager (DNS)

Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.

Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).

Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.

Workaround:
A second query will return the cached record, which will only have one OPT record.

Fix:
DNS cache resolver now returns the correct response under these conditions.
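A check for the malformed response described above, as an added example that is not F5 code: it walks a raw DNS message and counts OPT pseudo-records (type 41), of which RFC 6891 allows at most one per message. The sample message and the function names are constructed for illustration.

```python
import struct

TYPE_OPT = 41      # EDNS0 OPT pseudo-RR
FLAG_TC = 0x0200   # truncation bit in the header flags


def skip_name(msg, offset):
    """Return the offset just past the (possibly compressed) name at offset."""
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length == 0:                  # root label terminates the name
            return offset + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            if offset + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            return offset + 2
        if length & 0xC0:
            raise ValueError("reserved label type")
        offset += 1 + length


def inspect_response(msg):
    """Parse a DNS message and report the TC bit and the number of OPT records."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(msg, offset) + 4          # QTYPE + QCLASS
        if offset > len(msg):
            raise ValueError("truncated question")
    opt_count = 0
    for _ in range(an + ns + ar):
        offset = skip_name(msg, offset)
        if offset + 10 > len(msg):
            raise ValueError("truncated RR header")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen
        if offset > len(msg):
            raise ValueError("RDATA runs past end of message")
        if rtype == TYPE_OPT:
            opt_count += 1
    return {
        "truncated": bool(flags & FLAG_TC),
        "opt_records": opt_count,
        "malformed": opt_count > 1,      # more than one OPT RR is a format error
    }


def build_response(opt_records, truncated=True):
    """Constructed sample: a response to 'example.com A' with no answers and
    the given number of OPT records in the additional section."""
    flags = 0x8000 | 0x0100 | 0x0080 | (FLAG_TC if truncated else 0)  # QR, RD, RA
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, opt_records)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    # OPT RR: root owner name, TYPE 41, CLASS carries the UDP payload size.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return header + question + opt * opt_records


if __name__ == "__main__":
    for count in (1, 2):
        print(count, "OPT ->", inspect_response(build_response(count)))
```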


749603-1 : MRF SIP ALG: Potential to end wrong call when BYE received

Component: Service Provider

Symptoms:
When a BYE is received, the media flows for a different call might be closed in error.

Conditions:
The hash of the call-id (masked to 12 bits) matches the hash of another call's call-id.

Impact:
The media flows for both calls will be closed when one receives a BYE command. A call may be incorrectly terminated early.

Workaround:
None.

Fix:
The entire call-id is now checked before terminating media flows.
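Why the fix compares the entire call-id, as an added example that is not F5 code: a table indexed only by a 12-bit bucket closes a second call's media flows when a BYE arrives for a colliding call-id. CRC-32 stands in for the hash BIG-IP uses, which the page does not name, and the class, function and flow names are hypothetical.

```python
import zlib

BUCKET_MASK = 0xFFF   # 12 bits, as in the condition above


def bucket(call_id):
    """12-bit bucket of a Call-ID. CRC-32 is a stand-in hash (assumption)."""
    return zlib.crc32(call_id.encode()) & BUCKET_MASK


class MediaFlowTable:
    """Media flows indexed by the 12-bit bucket of their Call-ID."""

    def __init__(self, verify_full_call_id):
        self.verify_full_call_id = verify_full_call_id
        self.buckets = {}   # bucket -> list of (call_id, flow)

    def add_call(self, call_id, flow):
        self.buckets.setdefault(bucket(call_id), []).append((call_id, flow))

    def on_bye(self, call_id):
        """Handle a BYE and return the media flows that were closed."""
        entries = self.buckets.get(bucket(call_id), [])
        if self.verify_full_call_id:
            # Fixed behaviour: the bucket only narrows the search; the whole
            # Call-ID must match before a flow is torn down.
            closing = [entry for entry in entries if entry[0] == call_id]
        else:
            # Behaviour before the fix: a bucket match alone is treated as a
            # Call-ID match, so every call in the bucket is torn down.
            closing = list(entries)
        for entry in closing:
            entries.remove(entry)
        return [flow for _, flow in closing]

    def active_calls(self):
        return sorted(cid for entries in self.buckets.values() for cid, _ in entries)


def find_collision(prefix="call-", domain="@192.0.2.1"):
    """Return two distinct constructed Call-IDs that share a bucket. With 4096
    buckets the pigeonhole principle guarantees one within 4097 candidates."""
    seen = {}
    counter = 0
    while True:
        call_id = f"{prefix}{counter}{domain}"
        slot = bucket(call_id)
        if slot in seen:
            return seen[slot], call_id
        seen[slot] = call_id
        counter += 1


if __name__ == "__main__":
    first, second = find_collision()
    for verify in (False, True):
        table = MediaFlowTable(verify_full_call_id=verify)
        table.add_call(first, "rtp-A")
        table.add_call(second, "rtp-B")
        closed = table.on_bye(first)
        print("full compare" if verify else "bucket only", "closed:", closed,
              "still active:", table.active_calls())
```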


749500-1 : Improved visibility for Accept on Microservice action in Traffic Learning

Component: Application Security Manager

Symptoms:
Low visibility for the Accept on Microservice action.

Conditions:
There are suggestions that can be accepted on microservice.

Impact:
The system does not show Accept on Microservice in a suggestion.

Workaround:
None.

Fix:
Improved visibility for Accept on Microservice action and microservice-related details of suggestions.


749464-2 : Race condition while BIG-IQ updates common file

Component: Application Visibility and Reporting

Symptoms:
The file /var/config/rest/downloads/app_mapping.json is being used by two processes: BIG-IQ and avrd.
This can cause a race-condition between the two and in some rare cases can cause avrd to crash.

Conditions:
BIG-IQ updating /var/config/rest/downloads/app_mapping.json while avrd is reading it.

Impact:
avrd might read incomplete data, and can even core in some rare cases.

Workaround:
None.

Fix:
This race condition no longer occurs.


749461-2 : Race condition while modifying analytics global-settings

Component: Application Visibility and Reporting

Symptoms:
Updating the analytics global-settings might cause a core for avrd.

The avrd.log contains the following record:
AVRD_CONFIG|NOTICE... 13931|lib/avrpublisher/infrastructure/avr_mcp_msg_parser.cpp:2985| Modified Analytics Global Settings, added "0" offbox TCP addresses

Conditions:
Analytics global-settings are updated either explicitly, using a tmsh command, or implicitly, by internal process script.

Impact:
Might cause a core for avrd. After coring once, avrd is expected to start normally without any additional cores. The configuration change is expected to be applied correctly after restart is complete.

Workaround:
None.

Fix:
Race condition no longer occurs while modifying analytics global-settings.


749382-1 : Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater

Component: TMOS

Symptoms:
Running a bare-metal installation via image2disk (i.e., 'image2disk --format=volumes <ISO>') may fail due to a missing command in the maintenance OS.

Conditions:
The version of MOS installed on the system is from a v14.1.0 or newer ISO, and a user attempts a bare-metal installation via the 'image2disk' command.

Impact:
Unable to perform bare-metal installations/installations from MOS in affected versions.

Workaround:
The installed version of MOS can be removed with the command '/usr/lib/bpdiag -a mos'. After doing this, installing a version older than 14.1.0 will re-install an older version of MOS without this issue. You can then reboot to MOS and manually run the installation using 'image2disk' from there.

Fix:
Fixed issues with bare-metal installations via 'image2disk' failing.


749331-3 : Global DNS DoS vector does not work in certain cases

Component: Advanced Firewall Manager

Symptoms:
Global DNS DoS vector stops working under certain conditions.

Conditions:
Packets are not made to go through its entirety.

Impact:
Global DNS data structures are overwritten by subsequent incoming packets. Global DNS DoS vector does not rate-limit the packets.

Workaround:
None.

Fix:
Global DNS DoS vector checks now prevent this issue, so rate-limiting works as expected.


749294-4 : TMM cores when query session index is out of boundary

Component: Local Traffic Manager

Symptoms:
TMM cores when the queried session index is out of boundary. This is not a usual case. It is most likely caused by a memory corruption issue.

Conditions:
When session index equals the size of session caches.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The index boundary check now operates correctly in this situation, so tmm no longer cores.


749227-1 : MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE

Component: Service Provider

Symptoms:
Processing an INVITE message creates a temporary registration entry for an unregistered subscriber; this registration entry is not extended if a subsequent INVITE occurs. This could cause the registration to expire during a call, thus allowing the reserved translated addresses to be provided to a different subscriber.

Conditions:
An INVITE message is received when unregistered-subscriber-callout attribute in the siprouter-alg profile

Impact:
The system adds a temporary registration entry to the registration table. The lifetime for this entry is the max-session-timeout value from the siprouter-alg profile. Subsequent INVITEs will not extend the lifetime.

This could cause the registration to expire during a call, allowing the reserved translated addresses to be provided to a different subscriber.

Workaround:
None.

Fix:
Subsequent INVITEs now extend the lifetime by another max-session-timeout value.


749136-1 : Disk partition /var/log is low on free disk space

Component: Application Security Manager

Symptoms:
Warning messages, such as these on system CLI:
--------------
Broadcast message from root@bigip1.test.net (Wed Nov 7 09:01:01 2018):

011d0004:3: Disk partition /var/log (slot 1) has only 0% free
--------------

Conditions:
ASM or DoS is provisioned.

Impact:
Disk partition /var/log is low on free disk space.

Workaround:
Manually delete nsyncd logs from /var/log.

Fix:
There is now stricter log rotation for nsyncd.


749109-3 : CSRF situation on BIGIP-ASM GUI

Component: Application Security Manager

Symptoms:
CSRF situation on the BIG-IP ASM GUI that might potentially lead to resource exhaustion on the device for the moment it is being run.

Conditions:
The following URL accepts a wildcard in the parameter id, making it a heavy URL:

https://BIG-IP/dms/policy/pl_negsig.php?id=*

Impact:
Once multiple requests are sent to the target GUI, it is possible to see httpd process spiking even in core 0 (VMWare).

Workaround:
None.

Fix:
If the query string parameter has a string value, the query is not executed.


748999-3 : invalid inactivity timeout suggestion for cookies

Component: Application Security Manager

Symptoms:
ASM will report "invalid inactivity timeout" suggestions to delete a cookie, even though the cookies are being sent and are valid.

Conditions:
- Inactivity timeout feature is configured in Policy Builder
- Cookie entity is configured in the policy
- Valid, non-violating traffic containing cookies is passed

Impact:
Since non-violating traffic is not sent to the policy engine, the inactivity timeout timer is never reset, which will eventually lead to suggestions to delete the inactive cookie entities. These suggestions are erroneous because valid cookies are being sent in the traffic.

Workaround:
Ignore the inactive entity suggestions for cookies

Fix:
Inactivity learning for cookies has been deprecated; the feature does not cover cookies anymore.


748848-2 : Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers

Component: Application Security Manager

Symptoms:
Multiple virtual servers are each using different cookie names for cookies 72, 74, and 76. This occurred because these cookie names are dependent on virtual server properties.

Conditions:
-- Multiple subdomains are configured to resolve to different virtual servers with different ASM policies.

-- Anti-Bot Mobile SDK attempts to connect to these virtual servers.

Impact:
Anti-Bot Mobile SDK is not able to connect to multiple virtual servers using the same cookie.

Workaround:
None.

Fix:
The relevant cookie names were changed.

The format TS00000000_7x (prefix/suffix may change according to configuration) is now used for cookies 72, 74, and 76, which results in identical cookie names for all configured virtual servers.

This will allow Anti-Bot Mobile SDK to connect to multiple virtual servers using the same cookie.


748409-2 : Illegal parameter violation when json parsing a parameter on a case-insensitive policy

Component: Application Security Manager

Symptoms:
An illegal parameter violation is raised although the parameter is configured

Conditions:
The policy is configured as case insensitive, and a parameter is configured with capital letters

Impact:
False positive illegal parameter violation

Workaround:
Configure violation as case sensitive


748321-1 : bd crash with specific scenario

Component: Application Security Manager

Symptoms:
BD crash

Conditions:
A specific scenario may cause bd crash.

Impact:
Failover, traffic disturbance.

Workaround:
N/A


748176-1 : BDoS Signature can wrongly match a DNS packet

Component: Advanced Firewall Manager

Symptoms:
When the BDoS feature is used for the DNS protocol with auto-generated or manually configured custom DNS signatures, a valid DNS request is at times dropped because it wrongly matches a configured or dynamically generated DNS signature while the box is under load and BDoS mitigation is ongoing.

Conditions:
A DNS signature is configured, or a dynamically generated DNS signature exists.

Such a DNS signature wrongly matches a DNS packet even though the signature's match criteria differ from the matched DNS packet.

Impact:
When the box is under load, the configured DNS signature gets into Attack Mitigation mode (which is normal), but may wrongly drop a DNS packet that does not match the signature.

Workaround:
Disable BDoS for protocol DNS. Also, do not use Manually configured DNS Signatures.

Fix:
Parsed DNS information was cached and wrongly re-used as a performance optimization; this has been corrected.


748081-1 : Memory leak in BDoS module

Component: Advanced Firewall Manager

Symptoms:
TMM runs out of memory and restarts.
The memory usage as shown in "tmctl memory_usage_stat", under module line tag "session" is noticed to be high, and keeps growing.

Conditions:
The issue is seen when the BDoS feature is configured and custom or auto-generated BDoS signatures exist. When such signatures exist, the BDoS one-second timer callback leaks memory.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable BDoS feature.
Disable all configured and auto generated BDoS signatures using TMSH command:
modify security dos dos-signature all { state disabled }


748043-2 : MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP

Component: Service Provider

Symptoms:
SIP Server sends SIP Request to the client.
The SIP Server inserts a different port, so that responses are received on a different port.
The Client sends the response on the new requested port.
BIG-IP drops the packet

Conditions:
SIP Server wants the SIP Response to be coming on a different port.

Impact:
SIP Request will not receive the SIP Response

Workaround:
There is no workaround.

Fix:
The BIG-IP system now processes the SIP Response and sends it to the SIP Server.


747977-1 : File manually uploaded information is not synced correctly between blades

Component: Application Security Manager

Symptoms:
When you upload a file, the file is marked internally as manually uploaded. When the system downloads a file, it is marked as not being manually uploaded. This information is not passed and handled correctly on chassis.

Conditions:
-- Configuration is deployed on multiple blades
-- Fail over has occurred.
-- New update file is downloaded from ESDM on the primary blade.

Impact:
Security updates are not automatically installed on the new primary blade after failover.

Workaround:
Manually install security updates on new primary blade.

Fix:
Corrected the syncing and handling of information about files, whether they are manually uploaded or downloaded from ESDM.


747926-2 : Rare TMM restart due to NULL pointer access during AFM ACL logging

Component: Advanced Firewall Manager

Symptoms:
TMM crashes while performing ACL match logging.

Conditions:
The problem can happen only with the following configuration:
1) AFM Logging for ACLs enabled.
2) Security Network Logging profile has the property "log-translation-fields enabled"

The problem happens under extremely rare circumstances.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Defensive error handling to avoid the scenario of NULL pointer access.


747922-3 : With AFM enabled, during bootup, there is a small possibility of a tmm crash

Component: Advanced Firewall Manager

Symptoms:
During bootup, with AFM enabled, there is a small possibility of a tmm crash. The tmm process generates a core file and then automatically restarts.

Conditions:
-- AFM enabled.
-- sPVA-capable hardware platform.
-- Boot up the system.

Impact:
tmm crashes, coredumps, and then restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The race-condition has been fixed, so this issue no longer occurs.


747777-3 : Extractions are learned in manual learning mode

Component: Application Security Manager

Symptoms:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"

Conditions:
Direct cause: Policy contains parameters with dynamic type

Indirect cause: Policy Builder is configured to classify parameters as dynamic (related to bug 717525)

Impact:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"

Workaround:
- Change all dynamic parameters value types to User Input with Alpha Numeric data type

- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').

Fix:
Policy Builder does not set extractions for dynamic parameters in manual mode


747617-2 : TMM core when processing invalid timer

Component: Local Traffic Manager

Symptoms:
TMM crashes while processing an SSLO iRule that enables the SSL filter on an aborted flow.

Conditions:
SSLO is configured and passing traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround

Fix:
SSL filter will no longer be enabled after connection close.


747550-3 : Error 'This Logout URL already exists!' when updating logout page via GUI

Component: Application Security Manager

Symptoms:
When you try to update the Logout Page, you get an error about the URL existence: Error 'This Logout URL already exists!'

Conditions:
1. Create any Logout page.
2. Try to update it.

Impact:
The properties of the Logout Page cannot be updated.

Workaround:
Delete the logout page and create a new one.

Fix:
This release addresses the issue, so that no error is reported when updating the Logout Page.


747187-2 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response

Component: Service Provider

Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.

Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.

Impact:
Media does not flow on pinholes for which a collision was detected and reported.

Workaround:
None

Fix:
No collision is detected or logged when multiple messages with SDP recreate the same flows in the same call.


747104-1 : LibSSH Vulnerability: CVE-2018-10933

Solution Article: K52868493

Component: Advanced Firewall Manager

Symptoms:
For more information see: https://support.f5.com/csp/article/K52868493

Conditions:
For more information see: https://support.f5.com/csp/article/K52868493

Impact:
For more information see: https://support.f5.com/csp/article/K52868493

Fix:
For more information see: https://support.f5.com/csp/article/K52868493


746941-2 : avrd memory leak when BIG-IQ fails to receive stats information

Component: Application Visibility and Reporting

Symptoms:
AVRD leaks memory when it fails to send statistical information to BIG-IQ.

Conditions:
BIG-IP is used by BIG-IQ version 6.0.0 or higher, and stats collection is enabled.
In addition, BIG-IQ has a malfunction that prevents it from receiving the statistical information that BIG-IP is sending (for example: all DCDs are down, or there is no network connection between BIG-IP and BIG-IQ).

Impact:
avrd memory usage increases over time, leading to an avrd restart when it grows too large.

Workaround:
The connectivity issue between BIG-IP and BIG-IQ should be fixed, not only to prevent this memory leak but also for more important functionality such as the visibility and alerts features in BIG-IQ.

Fix:
Memory leak is fixed.


746873-1 : Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing

Component: TMOS

Symptoms:
Any non-admin cannot use tmsh list commands. Running the command gives the following error:

Unexpected Error: Can't display all items, can't get object count from mcpd.

Conditions:
Run a tmsh list command when logged in as non-admin user.

Impact:
Error is posted. Non-admin users cannot use the tmsh list commands.

Workaround:
Log in as admin to execute the tmsh list command.

Fix:
Non-admin users can now run tmsh list commands, as appropriate for the Role associated with the type of user account.


746771-3 : APMD recreates config snapshots for all access profiles every minute

Component: Access Policy Manager

Symptoms:
When the access profile configurations in APMD and MCPD are out of sync, APMD detects that the config snapshot for one access profile is missing. This triggers APMD to recreate the config snapshots for all access profiles. The detect-recreate cycle repeats every minute.

Sep 11 17:57:39 BIG-IP err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...

Sep 11 17:57:59 BIG-IP notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
...

Sep 11 17:58:39 BIG-IP err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...

Sep 11 17:59:00 BIG-IP notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.

Conditions:
The condition under which the access profile configurations in APMD and MCPD become out of sync is unknown.

Impact:
TMM memory usage will increase due to excessive config snapshots created.

Workaround:
Restart APMD to clear the APMD and MCPD out of sync condition.

Fix:
N/A


746750-1 : Search Engines get Device ID challenge when using the predefined profiles

Component: Application Security Manager

Symptoms:
When using one of the pre-defined profiles, "bot-defense-device-id-generate-after-access" and "bot-defense-device-id-generate-after-access", Search Engines might get Device ID challenges (and will most likely get blocked since they cannot run JS).

Conditions:
One of the pre-defined profiles ("bot-defense-device-id-generate-after-access" or "bot-defense-device-id-generate-after-access") is attached to a virtual server, and a valid search engine sends requests.

Impact:
Search Engines may be blocked.

Workaround:
Change mitigation of "Trusted Bot" in the attached profile to "Alarm":
1. Go to
Security ›› Bot Defense : Bot Defense Profiles ›› bot-defense-device-id-generate-after-access
or
Security ›› Bot Defense : Bot Defense Profiles ›› bot-defense-device-id-generate-before-access
2. Go to tab "Mitigation Settings"
3. For "Trusted Bot" choose "Alarm".
4. Save profile.


746424 : Patched Cloud-Init to support AliYun Datasource

Component: TMOS

Symptoms:
The Cloud-Init shipped in this version of VE does not support the Alibaba Cloud metadata service because it has no support for the AliYun Datasource.

Conditions:
VE for Alibaba Cloud

Impact:
Provisioning VE through Cloud-Init won't work on Alibaba cloud

Workaround:
N/A

Fix:
Patched Cloud-Init to support AliYun Datasource


746298-1 : Server Technologies logos all appear as default icon

Component: Application Security Manager

Symptoms:
Server Technologies logos all appear as the default icon.

Conditions:
Browsing the list of available Server Technologies in an ASM policy.

Impact:
Server Technologies logos all appear as the default icon.

Workaround:
Install the most recent Server Technologies update file.

Fix:
Server Technology-specific logos appear correctly.


746131-4 : OpenSSL Vulnerability: CVE-2018-0732

Component: Local Traffic Manager

Symptoms:
OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover parts of the private key.

Conditions:
Advanced shell access.

Impact:
OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover parts of the private key.

Workaround:
None.

Fix:
Updated to OpenSSL 1.0.2p


745851 : Changed Default Cloud-Init log level to INFO from DEBUG

Component: TMOS

Symptoms:
Cloud-Init services generate too many debug log lines that populate their systemd journal.

Conditions:
Any BIG-IP VE release with Cloud-Init enabled and using "systemd".

Impact:
The many debug log lines might cause a VE admin to miss more important information and severe errors when reading the journal.

Workaround:
Manually change all Cloud-Init's log levels to INFO from DEBUG.

Fix:
Cloud-Init's log default levels have been changed to INFO from DEBUG.


745825-1 : The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading

Component: TMOS

Symptoms:
This message may be logged while the audit_forwarder is loading the configuration:

audit_forwarder is disabled as the configuration is incomplete. Please define the following db variables: config.auditing.forward.sharedsecret, config.auditing.forward.destination and config.auditing.forward.type. And make sure config.auditing.forward.destination is not set to "::".

These DB variables may all be actually configured correctly, but since the configuration has not loaded yet this message may be logged multiple times.

Conditions:
The audit_forwarder process is starting up and loading the configuration.

Impact:
Confusing error messages in /var/log/ltm. Logging will still work as configured.

Workaround:
There is no workaround.

Fix:
The message has been modified to indicate the possibility that the configuration is still loading. The message is now logged only once. A new message is logged indicating when audit_forwarder is enabled.


745813-1 : Requests are reported to local log even if only Bot Defense remote log is configured

Component: Application Security Manager

Symptoms:
Requests are logged locally on the BIG-IP system although they are supposed to be sent only to the remote logger.

Conditions:
- Bot Defense profile attached to a virtual server.
- Bot Defense remote logger profile attached to a virtual server.

Impact:
Requests logged locally on the BIG-IP system when they are not supposed to be.

Workaround:
None.

Fix:
Logging profile filter mechanism now honors remote and local logging configurations.


745783-1 : Anti-fraud: remote logging of login attempts

Component: Fraud Protection Services

Symptoms:
There is no support for logging of login attempts to a remote service.

Conditions:
Using high speed logging (HSL) to log login attempts.

Impact:
There is no support for logging of login attempts.

Workaround:
None.

Fix:
FPS now uses HSL to report login attempts using configured templates, rate-limit, and publisher to a remote service.

To enable this feature:

# via tmsh only
tmsh modify sys db antifraud.riskengine.reportlogins value enable
 
# via tmsh or GUI
tmsh modify sys db antifraud.internalconfig.string1 value "<login attempt log template>"
tmsh modify sys db antifraud.internalconfig.string2 value "<log-rate-exceeded log template>"
tmsh modify sys db antifraud.internalconfig.number1 value "<log-rate-exceeded threshold>"
tmsh modify security anti-fraud profile <fps profile> risk-engine-publisher <publisher>
 
 
It is recommended that you use encoding when composing an HTTP template. The default encoding level is 0, meaning 'never encode'.

To change encoding level:

tmsh modify sys db antifraud.internalconfig.number2 value <0/1/2>

Behavior Change:
FPS now includes the ability to perform High Speed Logging (HSL) of all login attempts to specific protected URLs. These events can be forwarded to remote services (e.g. SIEM Server), and, when enabled, can help indicate whether applications are under attack.


745715-2 : MRF SIP ALG now supports reading SDP from a mime multipart payload

Component: Service Provider

Symptoms:
Previously all non-SDP SIP payloads were ignored. This would cause media pinhole flows to not be created.

Conditions:
An INVITE message or its response contained a SDP section in a mime multipart payload.

Impact:
Media pinhole flows were not created

Workaround:
None.

Fix:
The SIP ALG functions can now extract and process the SDP section of a mime multipart payload.


745713-4 : TMM may crash when processing HTTP/2 traffic

Solution Article: K94563344


745654-4 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server

Component: Access Policy Manager

Symptoms:
When a large number of TCP connections need a new Kerberos ticket to be fetched from the KDC, websso processes requests more slowly than they arrive. This can lead to low throughput, and the virtual server is very slow to respond to requests.

Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.

Impact:
Low throughput and slow responses from Virtual server.

Workaround:
There is no workaround at this time.

Fix:
The size of the websso worker queue has been increased so that tmm and the websso process can communicate effectively. This eliminates the virtual server slowness and increases throughput.


745629 : Ordering Symantec and Comodo certificates from BIG-IP

Component: TMOS

Symptoms:
This new feature enables ordering Symantec and Comodo certificates from the BIG-IP system.

Conditions:
You must have a Symantec or Comodo CA account to make certificate orders from the BIG-IP system.

Impact:
This new feature enables ordering of certificates from CAs Symantec and Comodo. CA-Approved certificates are automatically fetched and installed on the BIG-IP system.

Workaround:
None. This is a new feature.

Fix:
This release adds the capability to order/fetch and install certificates from CAs Symantec and Comodo.

Behavior Change:
You can now order/fetch and install certificates from the Symantec and Comodo Certificate Authorities.


745628-1 : MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message

Component: Service Provider

Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALG with SNAT after a NOTIFY message has been processed.

Conditions:
This occurs because the NOTIFY message has the TO and FROM headers with the same value, causing the ALG to enter hairpin mode.

Impact:
Media addresses in the SDP payload are not translated.

Workaround:
There is no workaround.

Fix:
Hairpin mode is not entered when processing NOTIFY messages


745624-1 : Tooltips for OWASP Bot Categories and Anomalies were added

Component: Application Security Manager

Symptoms:
Tooltips for some OWASP Bot Categories and Anomalies are 'N/A' in GUI/REST.

Conditions:
- GUI page: Event Logs:: Bot Defense :: Bot Traffic.
- Bot classification is 'OWASP Automated Threat'.

Impact:
Tooltip shows 'N/A' instead of detailed description. You cannot see detailed description of Bot classification of traffic.

Workaround:
None.

Fix:
Tooltips for OWASP Bot Categories and Anomalies were added.


745607-1 : Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly

Component: Application Security Manager

Symptoms:
3 month/last year filters are not displayed correctly in the applied filter.

Conditions:
3 month/last year filter applied in Bot Defense : Bot Traffic.

Impact:
You cannot see which filter is currently applied.

Workaround:
None.

Fix:
3 month/last year filter is now displayed correctly in applied filter.


745531-2 : Puffin Browser gets blocked by Bot Defense

Component: Application Security Manager

Symptoms:
Users using the Puffin Browser are blocked when accessing the Virtual Server when it is protected with either Proactive Bot Defense (within DoSL7 profile) or with the Bot Defense profile.
This applies to all versions of the Puffin Browser: Desktop, Android, iOS.

Conditions:
- Users using the Puffin Browser on Desktop, Android, iOS
- Bot Defense Profile, or: DoSL7 profile with Proactive Bot Defense is used while the "Block Suspicious Browsers" checkbox is enabled

Impact:
Users of the Puffin Browser cannot access the website

Workaround:
None

Fix:
Users of the Puffin Browser can now access the website that is protected by Bot Defense without getting blocked.
For the fix to take effect, a BIG-IP release and an ASU that both contain the fix must be installed. Also, it is recommended to enable the following DB variables:
tmsh modify sys db dosl7.proactive_defense_validate_ip value disable
tmsh modify sys db dosl7.cs_validate_ip value disable


745514-1 : MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message

Component: Service Provider

Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALG with SNAT after a SUBSCRIBE message has been processed.

Conditions:
This occurs because the SUBSCRIBE message has the TO and FROM headers with the same value, causing the ALG to enter hairpin mode.

Impact:
Media addresses in the SDP payload are not translated.

Workaround:
There is no workaround.

Fix:
Hairpin mode is not entered when processing SUBSCRIBE messages


745404-4 : MRF SIP ALG does not reparse SDP payload if replaced

Component: Service Provider

Symptoms:
When a SIP message is loaded, the SDP is parsed. If modified or replaced, the system does not reparse the modified payload.

Conditions:
This occurs internally while processing SDP in a SIP message.

Impact:
Changes to the SDP are ignored when creating media pinhole flows

Workaround:
None.

Fix:
The SDP payload is now reparsed if modified or replaced.


745387-1 : Resource-admin user roles can no longer get bash access

Solution Article: K07702240


745165-1 : Users without Advanced Shell Access are not allowed SFTP access

Solution Article: K38941195


745027-2 : AVR is doing extra activity of DNS data collection even when it should not

Component: Application Visibility and Reporting

Symptoms:
When collecting DNS data, AVR generates data that is used only for BIG-IQ, even if not connected to BIG-IQ.

Conditions:
DNS Statistics collection or DNS-DoS is configured.

Impact:
avrd process is taking more CPU cycles for activity that is not needed. There is no impact to functionality.

Workaround:
None.

Fix:
The system no longer performs extra computation that is not needed in this case.


744949-1 : MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix

Component: Service Provider

Symptoms:
SIP response messages have the wrong IP address in the FROM header when using NAT64.

Conditions:
If the client's IPv6 address does not match the virtual server's configured IPv6 prefix, the FROM header on a response message will have a different IP address than the request message.

Impact:
The SIP ALG with SNAT system will be unable to establish a call for the client.

Workaround:
There is no workaround at this time.

Fix:
The FROM header will now contain the client's IP address.


744686-2 : Wrong certificate can be chosen during SSL handshake

Component: Local Traffic Manager

Symptoms:
If two certificates of the same type are configured in an SSL profile, one marked 'usage CA' and the other not, the wrong one could be chosen during the handshake.

Conditions:
Two certificates of the same type are configured in an SSL profile.

Impact:
The wrong certificate could be chosen during the handshake.

Workaround:
Do not configure two certificates of the same type on an SSL profile.


744685-2 : BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension

Component: Local Traffic Manager

Symptoms:
An intermediate CA certificate should be considered invalid if the certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension. The BIG-IP system does not enforce this.

Conditions:
The SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop.

Impact:
The system might unexpectedly accept the SSL connection while the peer is using an inappropriate certificate.

Workaround:
None.

Fix:
With this fix, if the SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the SSL handshake if the peer's CA certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension.

Behavior Change:
When authenticating a peer's SSL certificate, the system requires a CA certificate to have the 'Basic Constraints' and 'CA:True' in its extension, like this:

            X509v3 Basic Constraints: critical
                CA:TRUE

If an SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the handshake if the peer's CA certificate does not satisfy this requirement.


744595-3 : DoS-related reports might not contain some of the activity that took place

Component: Application Visibility and Reporting

Symptoms:
Occasionally, some telemetry data of DoS related activity is lost.

Conditions:
No specific condition other than using the BIG-IP system anti-DDoS feature.

Impact:
DoS related reports might not contain some of the activity that takes place.

Workaround:
None.

Fix:
The issue was fixed; all telemetry data is collected without errors.


744589-3 : Missing data for Firewall Events Statistics

Component: Application Visibility and Reporting

Symptoms:
Some of the statistical information collected for Firewall events is lost and not reported.

When this takes place, the following message appears in the avrd log:
Some rows of load_stat_firewall_events_<some number> not loaded

Conditions:
AFM is used. No particular condition leads to this loss of stats; it usually takes place under heavy activity.

Impact:
Statistical reports of Firewall Events are missing some of the activity that actually took place.

Workaround:
There is no workaround at this time.

Fix:
Issue with missing data was fixed.


744347-4 : Protocol Security logging profiles cause slow ASM upgrade and apply policy

Component: Application Security Manager

Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.

Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.

Impact:
ASM upgrade and apply policy are delayed.

Workaround:
There is no workaround at this time.


744275-1 : BIG-IP system sends Product-Name AVP in CER with Mandatory bit set

Component: Service Provider

Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.

Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Product-Name AVP.

Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.

Workaround:
Configure an iRule in the MRF transport-config, for example:

ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 269 0
        }
    }
}

Fix:
This release always clears the Mandatory bit for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.


744188-1 : First successful auth iControl REST requests will now be logged in audit and secure log files

Component: TMOS

Symptoms:
Previously, when a client made a REST request for the first time and it was successful, this action was not logged.

Only subsequent REST calls and initial failed REST calls from a client were logged.

Conditions:
Making a successfully authenticated initial REST request from a new client to BIG-IP.

Impact:
BIG-IP admins would not know when a new client first made a successful REST call to BIG-IP.

Workaround:
None.

Fix:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.

Here's an example of what shows in audit log:

-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user bart2 - RAW: httpd(pam_audit): user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".

Here's an example of what shows in secure log:

-- info httpd(pam_audit)[26561]: user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user usr2 - RAW: httpd(pam_audit): user=usr2(usr2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".

Subsequent REST calls will continue to be logged normally.

Behavior Change:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.

Subsequent REST calls will continue to be logged normally.
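
The httpd(pam_audit) line format shown in this entry can be parsed to report the first successful iControl REST authentication from each client. The following is an added example, not F5 code: the function names, the syslog prefix, the svc_rest and eve users and the management network are assumptions, and the log lines are constructed from the format above.

```python
import ipaddress
import re
from datetime import datetime

# key=value pairs as they appear after "RAW:"; a value is quoted or space-free.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TIME_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. Fri Oct 12 17:07:53 2018

_TAIL = 'tty=(unknown) {hosts} attempts=1 start="Fri Oct 12 {t} 2018" end="Fri Oct 12 {t} 2018".'
_HEAD = ('Oct 12 {t} bigip1 info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user {u} - '
         'RAW: httpd(pam_audit): user={u}({u}) partition=[All] level={lvl} ')


def _line(t, u, lvl, hosts):
    """Build one constructed sample line in the audit-log format shown above."""
    return (_HEAD + _TAIL).format(t=t, u=u, lvl=lvl, hosts=hosts)


# Constructed sample input (not real log data).
SAMPLE_AUDIT_LOG = [
    _line("17:07:53", "bart2", "Guest", "host=10.10.10.10"),
    _line("17:08:20", "bart2", "Guest", "host=10.10.10.10"),              # same client again
    _line("17:09:10", "svc_rest", "Administrator", "host=203.0.113.7"),   # new, off-network
    "Oct 12 17:09:30 bigip1 info sshd[4242]: Accepted password for root from 10.10.10.20",
    _line("17:10:02", "eve", "Guest", "host=10.10.10.10 host=198.51.100.9"),  # ambiguous
]


def parse_pam_audit(line):
    """Return the fields of one httpd(pam_audit) login line, or None if unusable."""
    if "httpd(pam_audit)" not in line:
        return None
    # The audit log carries the fields after "RAW:"; the secure log has them inline.
    pairs = KV_RE.findall(line.split("RAW:", 1)[-1])
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        return None  # a repeated key makes the line ambiguous, so do not trust it
    fields = {k: v.strip('"') for k, v in pairs}
    if not {"user", "host", "level", "start"} <= fields.keys():
        return None
    try:
        fields["start"] = datetime.strptime(fields["start"], TIME_FMT)
    except ValueError:
        return None
    fields["user"] = fields["user"].split("(", 1)[0]  # user=bart2(bart2) -> bart2
    return fields


def first_rest_logins(lines, mgmt_networks, known=None):
    """Return one finding per (user, host) pair that has not been seen before."""
    seen = set(known or ())
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for line in lines:
        event = parse_pam_audit(line)
        if event is None:
            continue
        key = (event["user"], event["host"])
        if key in seen:
            continue
        seen.add(key)
        try:
            addr = ipaddress.ip_address(event["host"])
            inside = any(addr in net for net in nets)
        except ValueError:
            inside = False  # host is a name or malformed: treat as outside
        findings.append({"user": event["user"], "host": event["host"],
                         "level": event["level"], "time": event["start"],
                         "inside_mgmt": inside})
    return findings


if __name__ == "__main__":
    for f in first_rest_logins(SAMPLE_AUDIT_LOG, ["10.10.10.0/24"]):
        where = "management network" if f["inside_mgmt"] else "OUTSIDE management network"
        print(f'{f["time"]} first REST login: {f["user"]} ({f["level"]}) from {f["host"]}, {where}')
```

Passing previously seen (user, host) pairs as `known` lets the check run incrementally over rotated log files.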


744035-6 : APM Client Vulnerability: CVE-2018-15332

Solution Article: K12130880


743900-1 : Custom DIAMETER monitor requests do not have their 'request' flag set

Component: Local Traffic Manager

Symptoms:
Using the technique detailed in the Article: K14536: Customizing the BIG-IP Diameter monitor https://support.f5.com/csp/article/K14536 to create custom DIAMETER monitor requests fails for any request that uses the numeric form of a DIAMETER command code, because the 'request' flag is not set in the DIAMETER packet.

Conditions:
-- Using custom DIAMETER monitor requests.
-- Using numeric DIAMETER command codes.

Impact:
The monitor probes fail because the BIG-IP system does not set the DIAMETER 'request' flag for requests it sends when using a numeric value for the command code, so the DIAMETER server thinks it is a response

Workaround:
None.

Fix:
Ensured that the 'request' flag is set for all DIAMETER monitor requests.
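
Both DIAMETER entries above (744275-1, the Mandatory bit on the Product-Name AVP in a CER, and 743900-1, the missing 'request' flag on monitor probes) come down to single flag bits that can be checked in a captured message. The following is an added example, not F5 code: it uses the RFC 6733 header and AVP layout, the function names are assumptions, and the three messages are constructed (command code 280, Device-Watchdog, stands in for a numeric-code monitor probe).

```python
import struct

CMD_CER = 257             # Capabilities-Exchange, the command matched in the iRule above
AVP_PRODUCT_NAME = 269    # the AVP code the iRule above clears flags on
HDR_FLAG_REQUEST = 0x80   # 'R' bit in the message header
AVP_FLAG_VENDOR = 0x80    # 'V' bit: a 4-byte Vendor-Id follows the AVP header
AVP_FLAG_MANDATORY = 0x40 # 'M' bit


def build_avp(code, flags, data):
    """Encode one AVP without Vendor-Id; data is padded to a 32-bit boundary."""
    length = 8 + len(data)  # AVP length excludes the padding
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def build_message(flags, command, avps):
    """Encode a DIAMETER message (version 1, application 0, fixed identifiers)."""
    body = b"".join(avps)
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big") + struct.pack("!III", 0, 0x11111111, 0x22222222)
            + body)


def parse_header(msg):
    """Return (flags, command code) after validating version and length."""
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("not a DIAMETER version 1 message")
    if int.from_bytes(msg[1:4], "big") != len(msg) or len(msg) % 4:
        raise ValueError("message length field does not match the data")
    return msg[4], int.from_bytes(msg[5:8], "big")


def iter_avps(msg):
    """Yield (code, flags, data) for each top-level AVP."""
    off = 20
    while off < len(msg):
        if len(msg) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", msg, off)
        length = int.from_bytes(msg[off + 5:off + 8], "big")
        hdr = 12 if flags & AVP_FLAG_VENDOR else 8
        if length < hdr or off + length > len(msg):
            raise ValueError("bad AVP length")
        yield code, flags, msg[off + hdr:off + length]
        off += (length + 3) & ~3  # skip the padding to the next 32-bit boundary


def audit_message(msg, expect_request=True):
    """Return findings for the two conditions described in the entries above."""
    findings = []
    flags, command = parse_header(msg)
    is_request = bool(flags & HDR_FLAG_REQUEST)
    if expect_request and not is_request:
        findings.append("request-flag-clear")  # the peer treats the probe as an answer
    if command == CMD_CER and is_request:
        for code, avp_flags, _ in iter_avps(msg):
            if code == AVP_PRODUCT_NAME and avp_flags & AVP_FLAG_MANDATORY:
                findings.append("product-name-mandatory")  # an intolerant peer resets
    return findings


# Constructed messages: Origin-Host (264) plus Product-Name (269).
_ORIGIN = build_avp(264, AVP_FLAG_MANDATORY, b"bigip.example.test")
CER_MANDATORY_SET = build_message(HDR_FLAG_REQUEST, CMD_CER,
                                  [_ORIGIN, build_avp(AVP_PRODUCT_NAME, AVP_FLAG_MANDATORY, b"BIG-IP")])
CER_MANDATORY_CLEAR = build_message(HDR_FLAG_REQUEST, CMD_CER,
                                    [_ORIGIN, build_avp(AVP_PRODUCT_NAME, 0, b"BIG-IP")])
PROBE_WITHOUT_R = build_message(0x00, 280, [_ORIGIN])

if __name__ == "__main__":
    for name, msg in [("CER, M set", CER_MANDATORY_SET), ("CER, M clear", CER_MANDATORY_CLEAR),
                      ("probe, R clear", PROBE_WITHOUT_R)]:
        print(name, "->", audit_message(msg) or "ok")
```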


743437-3 : Portal Access: Issue with long 'data:' URL

Component: Access Policy Manager

Symptoms:
HTML page may contain a very long 'data:' URL. Portal Access cannot handle such URLs correctly.

Conditions:
HTML page with very long 'data:' similar to the following example:

    data:image/png;base64,...

Such URLs might be several megabytes long.

Impact:
The rewrite plugin cannot process HTML pages with very long URLs and restarts. The page is not sent to the end user client; web application may not work correctly.

Workaround:
There is no workaround at this time.

Fix:
Now Portal Access handles very long 'data:' URLs correctly.


742852-1 : Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header

Component: Application Security Manager

Symptoms:
Bot defense blocks a request containing a TSPD101 cookie in query string. TSPD101 is sent when using the Safari browser, and cross-site redirect protection is applied on a request.

Conditions:
- ASM provisioned.
- Bot Defense profile attached to a virtual server.
- Cross-site redirection is applied on a request.
- Using the Safari browser.

Impact:
Cross-site requests are blocked during the grace period configured on the bot defense profile.

Workaround:
Disable browser verification in the bot defense profile.

Fix:
Cross-site redirect protection now works as expected when the cookie is sent via query string.


742829-1 : SIP ALG: Do not translate and create media channels if RTP port defined in the SIP message is 0

Component: Service Provider

Symptoms:
The BIG-IP system incorrectly handles SDP media ports. The UAC sends an SDP message body advertising that it can handle voice, text, and video. The UAS responds, advertising voice and text, and indicates that video is not desired by setting the video port to '0'. The BIG-IP system does not honor the fact that the UAS does not want video, and translates video port '0' to an ephemeral port, causing the UAC to believe it must open a video channel. When the UAC sends a video connection request, the BIG-IP system sends the request to the wrong port, i.e., to the media port for text, which causes the connection to fail.

Conditions:
RTP media port defined in the SIP message is set to 0.

Impact:
Improper media channel creation.

Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.
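
The port handling this issue calls for, shown on an SDP answer: m= lines with port 0 are passed through untouched and get no media channel, while the others are translated in place so the m= line order is preserved. This is an added example, not F5 code or an iRule; the SDP body, the ephemeral port numbers, and the two-ports-per-stream (RTP plus RTCP) allocation are constructed assumptions.

```python
# Constructed SDP answer: the UAS accepts audio and text and rejects video
# by setting the video port to 0.
SDP_ANSWER = (
    "v=0\r\n"
    "o=uas 2890844527 2890844527 IN IP4 192.0.2.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=text 49172 RTP/AVP 98\r\n"
    "a=rtpmap:98 t140/1000\r\n"
    "m=video 0 RTP/AVP 31\r\n"
    "a=rtpmap:31 H261/90000\r\n"
)


def rewrite_answer(sdp, first_ephemeral=30000):
    """Translate media ports in an SDP body.

    Returns (rewritten_sdp, channels), where channels is a list of
    (media, original_port, translated_port) for every stream that needs a
    media channel. Streams offered with port 0 are left as they are and
    produce no channel.
    """
    out = []
    channels = []
    next_port = first_ephemeral
    for line in sdp.splitlines():
        if line.startswith("m="):
            # m=<media> <port>[/<number of ports>] <proto> <fmt> ...
            fields = line[2:].split()
            if len(fields) < 4:
                raise ValueError("malformed m= line: %r" % line)
            port_str, slash, count = fields[1].partition("/")
            port = int(port_str)
            if port != 0:
                channels.append((fields[0], port, next_port))
                fields[1] = str(next_port) + slash + count
                # Assumption: reserve an RTP/RTCP pair per stream.
                next_port += 2 * (int(count) if count else 1)
            line = "m=" + " ".join(fields)
        out.append(line)
    return "\r\n".join(out) + "\r\n", channels


if __name__ == "__main__":
    body, channels = rewrite_answer(SDP_ANSWER)
    print(body)
    print(channels)
```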


742251-1 : Add Alibaba Cloud support to Qkview

Component: TMOS

Symptoms:
Qkview has been updated to support obtaining files relevant to the Alibaba Cloud.

Conditions:
Run Qkview.

Impact:
Files related to the Alibaba Cloud were not collected.

Workaround:
None.

Fix:
Files related to Alibaba Cloud are now collected.


742184-3 : TMM memory leak

Component: Local Traffic Manager

Symptoms:
-- High TMM memory utilization.
-- Aggressive sweeper activated.
-- The 'packet', 'xdata' and 'xhead' caches in the memory_usage_stat tmstat table have high 'allocated' and 'curr_allocs' numbers with a steadily increasing profile.

Conditions:
A fastL4 and a L7 profile (e.g. HTTP) are assigned to a virtual server.

Impact:
Degraded performance, possible TMM crash due to out-of-memory condition.

Workaround:
Do not add a L7 profile to a fastL4 virtual server.

Fix:
No memory leak in the TMM.


741449-3 : alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts

Component: Fraud Protection Services

Symptoms:
The JAVASCRIPT_THRESHOLD alert should contain 2 timestamps:
1. component-validation cookie timestamp (set on cookie creation)
2. current BIG-IP timestamp

Currently, these timestamps are not available in the alert details.

Conditions:
The JAVASCRIPT_THRESHOLD alert is triggered.

Impact:
It is impossible to analyze the alert.

Workaround:
There is no workaround at this time.

Fix:
FPS should always include both timestamps when triggering the JAVASCRIPT_THRESHOLD alert.


739963-4 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
To restore the state of the member, remove it and add it back to the pool.


739945-4 : JavaScript challenge on POST with 307 breaks application

Component: Application Security Manager

Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.

Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.

Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.

Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.

Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.


739432 : F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems

Component: Access Policy Manager

Symptoms:
F5 Adaptive Auth Configuration is a configuration required on BIG-IP systems. This allows access to F5 Adaptive Authentication Service hosted on the cloud. As the reporting feature is deprecated, the Reports associated with the feature are removed from the BIG-IP system. The associated reports are now shown in the F5 Adaptive Auth Service instead.

Conditions:
Admin attempts to view F5 Adaptive Auth reports on the BIG-IP system.

Impact:
Admin cannot use F5 Adaptive Auth Reports on the BIG-IP system. This is because F5 Adaptive Auth Reports functionality has been removed from BIG-IP systems, and is no longer supported.

Workaround:
View the associated reports in the F5 Adaptive Auth Service instead.

Fix:
F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems.

Behavior Change:
The reporting feature of the F5 Adaptive Auth Configuration, which allows access to F5 Adaptive Authentication Service hosted on the cloud, is deprecated with this release, so the Reports associated with the feature are removed from the BIG-IP system. The associated reports are now shown in the F5 Adaptive Auth Service instead.


739349-3 : LRO segments might be erroneously VLAN-tagged.

Component: Local Traffic Manager

Symptoms:
Segments being processed for large receive offload (LRO) (the action the system performs to aggregate multiple incoming packets within a buffer before passing them up) might be erroneously VLAN-tagged when LRO is enabled.

Conditions:
-- TCP LRO enabled.
-- Egress VLAN untagged.

Impact:
Egress traffic might sometimes be tagged.

Workaround:
Disable TCP LRO. To enable or disable LRO functionality, you can use the following command syntax:

tmsh modify sys db tm.tcplargereceiveoffload value <enable | disable>

Fix:
The system now ensures that fragment packet flags are correctly set.


738945-4 : SSL persistence does not work when there are multiple handshakes present in a single record

Component: Local Traffic Manager

Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.

Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.

Impact:
The SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded on to the server, but then the connection stalls and eventually reaches the idle timeout.

Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.

After changing or disabling persistence, the transaction succeeds and no longer hangs.
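
A record-layer walk that handles the input this issue describes, one TLS record carrying several handshake messages, including the case where the last message continues in the next record. This is an added example, not F5's persistence parser; the helper names and the sample record (filler message bodies) are constructed.

```python
import struct

CONTENT_HANDSHAKE = 22
HANDSHAKE_NAMES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done"}


def handshake_msg(msg_type, body):
    """Handshake header: 1-byte type, 3-byte length, then the body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def tls_record(payload, version=(3, 3)):
    """Record header: content type, version (2 bytes), 2-byte length."""
    return struct.pack("!BBBH", CONTENT_HANDSHAKE, version[0], version[1],
                       len(payload)) + payload


def split_handshakes(record):
    """Return (messages, remainder) for one handshake record.

    messages is a list of (msg_type, body) for every complete handshake
    message in the record. remainder holds the bytes of a message that is
    only partly present and must be joined with the next record.
    """
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, _major, _minor, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    fragment = record[5:5 + rlen]
    if len(fragment) != rlen:
        raise ValueError("truncated record")

    messages = []
    offset = 0
    # Loop on the message length, not on the record length: a parser that
    # assumes one message per record stops after the first iteration.
    while offset < len(fragment):
        if len(fragment) - offset < 4:
            break                      # partial handshake header
        msg_type = fragment[offset]
        msg_len = int.from_bytes(fragment[offset + 1:offset + 4], "big")
        body = fragment[offset + 4:offset + 4 + msg_len]
        if len(body) < msg_len:
            break                      # body continues in the next record
        messages.append((msg_type, body))
        offset += 4 + msg_len
    return messages, fragment[offset:]


# Constructed sample: three handshake messages coalesced into one record.
SAMPLE_RECORD = tls_record(
    handshake_msg(2, b"\x00" * 38)
    + handshake_msg(11, b"\x00" * 10)
    + handshake_msg(14, b"")
)

if __name__ == "__main__":
    msgs, rest = split_handshakes(SAMPLE_RECORD)
    print([HANDSHAKE_NAMES.get(t, t) for t, _ in msgs], len(rest))
```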


738891-1 : TLS 1.3: Server SSL fails to increment key exchange method statistics

Component: Local Traffic Manager

Symptoms:
When TLS 1.3 is negotiated with a server SSL profile, the key exchange method statistics do not increment.

Conditions:
-- TLS 1.3 is configured on a server SSL profile.
-- TLS 1.3 is the protocol version negotiated.

Impact:
Missing statistics.

Workaround:
None.

Fix:
The key exchange method statistics are now correctly incremented.

Behavior Change:
TLS 1.3 is now supported for configuration on server SSL profiles, so these statistics are now present.


738677-1 : Configured name of wildcard parameter is not sent in data integrity alerts

Component: Fraud Protection Services

Symptoms:
FPS sends a data integrity alert when a parameter is configured with 'Check Data Manipulation' enabled. The alert includes the parameter's actual-name, actual-val-crc, and expected-val-crc.

For wildcard parameters, it is difficult to tell which parameter was found and triggered the data integrity alert, since FPS sends only the actual name that was found in the request.

Conditions:
Wildcard parameter defined for integrity check.

Impact:
Alert analysis is more difficult, as the actual matched parameter is not obvious.

Workaround:
None.

Fix:
FPS now includes the wildcard parameter's configured-name in the data integrity alert.


738676-1 : Errors when trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests

Component: Application Security Manager

Symptoms:
When trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests, the delete fails with an error and exceptions in restjavad.log:

[WARNING][593][30 Jul 2018 14:42:26 UTC][8100/mgmt ForwarderPassThroughWorker] URI:http://localhost:8100/mgmt/tm/asm/events/bot-defense-events?$top=200000, Referrer:https://<local_IP>/dms/bot_defense/bot_requests.php, Method:DELETE, Exception:java.util.concurrent.TimeoutException: remoteSender:<remote_IP>, method:DELETE

Conditions:
This can be encountered when deleting all bot requests while traffic is passing.

Impact:
Delete fails, and there is significant memory consumption in asm_config_server.

Workaround:
None.

Fix:
This release fixes the bot-requests deletion process to not fail with errors and not cause substantial memory consumption in asm_config_server.


738108-1 : SCTP multi-homing INIT address parameter doesn't include association's primary address

Component: TMOS

Symptoms:
When multihoming is enabled in an SCTP profile, the source-address of the INIT chunk was not added as an Address parameter in that INIT chunk.

Conditions:
Any SCTP profile where multi-homing is enabled.

Impact:
No impact for peers that implement SCTP in accordance with RFC 4960.

The RFC does not require that the address either should or should not be included in the INIT chunk, but does require that an entity receiving an INIT chunk include the source-address in its list regardless of whether that is included in the INIT chunk.

Workaround:
No known workaround.

Fix:
BIG-IP now includes all relevant addresses in the INIT chunk.

Behavior Change:
When multihoming is enabled, the local address will now be added to the INIT chunk. Previously the local address (that is, the address that the datagram is sent from) was not listed as an Address parameter. This is permitted, but not required, by RFC 4960 section 3.3.2.1.


737910-4 : Security hardening on the following platforms

Solution Article: K18535734


737866-2 : Rare condition memory corruption

Component: Application Security Manager

Symptoms:
BD daemon core.

Conditions:
Slow server and slow offload services.

Impact:
A bd crash and traffic disturbance.

Workaround:
None.

Fix:
A memory corruption condition was solved.


737558-1 : Protocol Inspection user interface elements are active but do not work

Component: Protocol Inspection

Symptoms:
Protocol Inspection (PI) user interface options are present, but are not applied to traffic.

Protocol Inspection (PI) now requires the presence of either an add-on subscription or an AFM standalone license for any of the features to work. A 'Good' or 'Better' license does not activate the PI features. The Configuration Utility still allows you to configure inspection profiles, compliance checks, and signatures, but they are not applied to traffic. There is no feedback that they are not applied.

Conditions:
-- AFM licensed and provisioned through 'Good' or 'Better' license, but no add-on subscription license for Protocol Inspection. Alternately, AFM licensed as an add-on module to another module (typically LTM).

-- PI profile configured and applied to a virtual server or referenced in a firewall rule in an active firewall policy.

Impact:
If you previously had Protocol Inspection configured without the add-on license installed, the features are no longer applied to traffic until the add-on license is obtained. However, the GUI options remain active.

Workaround:
None.


737536-2 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.

Component: TMOS

Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|

The goal is to redistribute the default route received from the OSPF process that is peering with the Internet into OSPF process 2. The 'default-information originate' command is the ideal choice for this: as long as the OSPF process 1 default route is in the routing table, the default route is redistributed into OSPF process 2, and if that route is removed (e.g., an Internet link goes down), OSPF process 2 immediately removes it from the routing table. However, enabling 'default-information originate' on OSPF process 2 does not affect the outcome, and a default route is not injected as it should be.

Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example:

OSPF router config examples:
***
OSPF 1:
!router ospf 1
 ospf router-id 10.13.0.7
 redistribute ospf
 network 10.13.0.0/16 area 0.0.0.1
 default-information originate

OSPF 2:
router ospf 1
 ospf router-id 10.14.0.5
 redistribute ospf
 network 10.14.0.0/16 area 0.0.0.1

BIG-IP system:
router ospf 1
 ospf router-id 10.13.0.2
 network 10.13.0.0/16 area 0.0.0.1
router ospf 2
 ospf router-id 10.14.0.9
 network 10.14.0.0/16 area 0.0.0.1
***

-- Enabling 'default-information originate' on BIG-IP OSPF process 2 should allow OSPF process 2 to receive the advertised default route from BIG-IP OSPF process 1, if one exists.

# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
 ospf router-id 10.13.0.2
 network 10.13.0.0/16 area 0.0.0.1
router ospf 2
 ospf router-id 10.14.0.9
 network 10.14.0.0/16 area 0.0.0.1
 default-information originate

Impact:
A default route from OSPF process 1 is not advertised into OSPF process 2 routing table.

Workaround:
None.

Fix:
Enabling 'default-information originate' on OSPF process 2 forces OSPF process 2 to receive a default route from OSPF process 1, if one exists.


737423-2 : Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033

Component: TMOS

Symptoms:
An integer wraparound has been discovered in the Binary File Descriptor (BFD) library distributed in GNU Binutils up to version 2.30. An attacker could cause a crash by providing an ELF file with corrupted DWARF debug information.

concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by nm-new.

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can occur during execution of nm.

Conditions:
Command-line usage of binutils tools by users with Advanced Shell Access.

Impact:
None in default, standard and recommended configurations.

Workaround:
None.

Fix:
Upgraded binutils to an unaffected version.


737035-2 : New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup.

Component: Advanced Firewall Manager

Symptoms:
BDoS feature (AFM/DHD) needs to share learned traffic characteristics across nodes (within a cluster) and across devices (within the device group).

Previous infrastructure used by BDOS could cause spikes in disk usage due to a large number of snapshot files being saved under /config/filestore/.trash_bin_d partition.

Conditions:
BDOS feature is enabled on at least 1 context (either at global context or at least 1 virtual server).

Impact:
The /config partition on the BIG-IP system consistently fills up with large numbers of directories/files under /config/filestore/.trash_bin_d, eventually causing the system to run out of disk space under the /config partition.

Workaround:
As a workaround, manually delete files/directories filling up under /config/filestore/.trash_bin_d partition to free up disk space.

Fix:
BDOS now uses a new (and improved) infrastructure for sharing data across nodes/devices (within device group/cluster setup) that does not require snapshot files to be maintained under /config/filestore/ partition.


727136-1 : One dataset contains large number of variations of TLS hello messages on Chrome

Component: Anomaly Detection Services

Symptoms:
Dataset of TLS fingerprints of clients of a site can consume significantly more space than needed.

Conditions:
-- BADOS with TLS signatures.
-- AFM end user clients using the Mozilla Chrome browser.

Impact:
The dataset is full, so it does not contain a full set of TLS fingerprints. As a result, there is a risk of creating false-positive TLS signatures.

Workaround:
Turn off TLS signatures.

Fix:
The dataset of TLS fingerprints now contains unique TLS fingerprints regardless of GREASE ciphers.
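
Why GREASE inflates a fingerprint dataset, and the normalization that collapses it: hellos from one client build that differ only in their randomly chosen GREASE values hash to one entry once those values are ignored. This is an added example, not the BADOS fingerprint algorithm; the fingerprint format and the sample ClientHello fields are constructed, and the GREASE value set is the one reserved by RFC 8701.

```python
import hashlib

# RFC 8701 reserves 0x0A0A, 0x1A1A, ... 0xFAFA for cipher suites,
# extensions and named groups.
GREASE = frozenset(0x0A0A + 0x1010 * i for i in range(16))


def fingerprint(version, ciphers, extensions, groups, ignore_grease=True):
    """Hash the ordered ClientHello fields into a short fingerprint.

    The format (comma-separated fields, dash-separated values, truncated
    SHA-256) is an assumption made for this demo.
    """
    def keep(values):
        return [v for v in values if not (ignore_grease and v in GREASE)]

    text = ",".join([
        str(version),
        "-".join(str(v) for v in keep(ciphers)),
        "-".join(str(v) for v in keep(extensions)),
        "-".join(str(v) for v in keep(groups)),
    ])
    return hashlib.sha256(text.encode("ascii")).hexdigest()[:16]


def sample_hello(g_cipher, g_ext, g_group):
    """Constructed ClientHello fields with GREASE values in the first slots."""
    return {
        "version": 0x0303,
        "ciphers": [g_cipher, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F],
        "extensions": [g_ext, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43],
        "groups": [g_group, 29, 23, 24],
    }


# Three connections from the same client build; only the GREASE draws differ.
HELLOS = [
    sample_hello(0x0A0A, 0x1A1A, 0x2A2A),
    sample_hello(0x5A5A, 0x6A6A, 0x7A7A),
    sample_hello(0xFAFA, 0x3A3A, 0xCACA),
]


def dataset(hellos, ignore_grease):
    """Set of distinct fingerprints the dataset would have to store."""
    return {fingerprint(ignore_grease=ignore_grease, **h) for h in hellos}


if __name__ == "__main__":
    print("raw entries:       ", len(dataset(HELLOS, ignore_grease=False)))
    print("normalized entries:", len(dataset(HELLOS, ignore_grease=True)))
```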


726647-5 : PEM content insertion in a compressed response may truncate some data

Component: Policy Enforcement Manager

Symptoms:
HTTP compressed response with content insert action can truncate data.

Conditions:
PEM content insertion action with compressed HTTP response.

Impact:
Data might be truncated.

Workaround:
There is no workaround other than disabling compression accept-encoding attribute in the HTTP request.

Fix:
HTTP compressed response with content insert action no longer truncates data.


725625-1 : BIG-IP VE Cryptographic Offload updated to Intel QAT 1.7 v4.4.0 SDK

Component: TMOS

Symptoms:
Data compression offload to QuickAssist devices is now enabled as part of BIG-IP Virtual Edition (VE) Cryptographic Offload feature.

BIG-IP VE Cryptographic Offload uses the Intel QAT 1.7 SDK. A newer QAT 1.7 SDK v4.4.0 provides code and firmware that fixes several known QAT defects, including a compression defect specific to Lewisburg/Lewis Hill QuickAssist devices.

Conditions:
-- BIG-IP VE SSL Offload is licensed
-- The BIG-IP VE VM has been assigned QAT Virtual Functions.

Impact:
BIG-IP VE Cryptographic and Compression offload are more reliable. The QAT 1.7 v4.4.0 SDK should be installed on the hypervisor host.

Workaround:
None.

Fix:
Several Intel QuickAssist defects have been fixed for BIG-IP VE Cryptographic and Compression Offload by upgrading BIG-IP VE to the Intel QAT 1.7 v4.4.0 SDK.

This newer QAT SDK introduces code and firmware support to fix several defects. A new Compress and Verify mode is introduced to work around a compression defect specific to Lewisburg/Lewis Hill QuickAssist devices.

See Intel's QuickAssist Release Notes for additional details:
https://01.org/sites/default/files/downloads//336211-009qatrelnotes.pdf.


724680-6 : OpenSSL Vulnerability: CVE-2018-0732

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K21665601

Conditions:
For more information see: https://support.f5.com/csp/article/K21665601

Impact:
For more information see: https://support.f5.com/csp/article/K21665601

Workaround:
None.

Fix:
For more information see: https://support.f5.com/csp/article/K21665601


724327-2 : Changes to a cipher rule do not immediately have an effect

Component: Local Traffic Manager

Symptoms:
If a cipher rule is changed, and a cipher group that uses the rule is attached to an SSL profile, the change does not take effect until something else on the SSL profile changes.

Conditions:
-- A cipher group is used by an SSL profile.
-- One of its cipher rules changes.

Impact:
Unexpected behavior occurs because the cipher rule change does not take effect immediately.

Workaround:
After changing the cipher rule that's used by a cipher group, make a change to any SSL profile that uses the associated cipher group.

Fix:
Any changes to a cipher rule or cipher group now take immediate effect.


721741-4 : BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative

Component: Application Security Manager

Symptoms:
The bd log shows the following errors:
-------
ECARD_POLICY|NOTICE|May 24 04:49:42.035|4143|table.h:2408|IPTableList::del_object key not found in table
ECARD|ERR |May 24 04:49:42.035|4143|table.h:0398|KEY_UPDATE: Failed to REMOVE data will continue to add
-------

Conditions:
Configuring IP Address Exceptions in a certain order, with and without a route domain.

Impact:
BD and BD_Agent are out-of-sync for IP Address Exceptions, which causes false positives / false negatives.

Workaround:
There is no workaround at this time.

Fix:
System no longer generates these false positive/negative log entries.


721724-1 : LONG_REQUEST notice print incorrect in BD log

Component: Application Security Manager

Symptoms:
LONG_REQUEST notice print shows incorrect memory usage.

Conditions:
-- A long request is received.
-- View the LONG_REQUEST notice in the BD log.

Impact:
LONG_REQUEST notice is seen in BD logs containing an incorrect value for total memory used by long request buffers. Incorrect logging of total memory used by long request buffers.

Workaround:
None.

Fix:
LONG_REQUEST notice print in BD log now shows correct amount of memory used by long request buffers.


721585-1 : mcpd core processing ltm monitors with deep level of inheritance

Component: TMOS

Symptoms:
If the level of ltm monitor inheritance (defaults-from) is too large (i.e., 9), mcpd fails to send sod a heartbeat within the heartbeat timeout, so sod restarts mcpd.

Conditions:
LTM monitors that have 9 levels of inheritance, i.e.:

mon1 defaults from mon2, which defaults from mon3, which defaults from mon4 ... to mon10

Impact:
mcpd is restarted, which causes services to fail over.

Workaround:
Rework the ltm monitors so that the level of inheritance is less than 9.


720219-3 : HSL::log command can fail to pick new pool member if last picked member is 'checking'

Solution Article: K13109068

Component: Local Traffic Manager

Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.

Conditions:
-- Using HSL::log command.
-- iRule with a remote high speed logging configured.

Impact:
Failure to send log messages via HSL.

Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.

Fix:
This issue no longer occurs. If a 'down' pool member is picked, it will eventually be bypassed to find an 'up' pool member, if possible.


717896-4 : Monitor instances deleted in peer unit after sync

Component: Local Traffic Manager

Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.

During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.

Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.

Impact:
After incremental-sync, a single monitor instance exists for the node on a 'backup' unit in an HA configuration, rather than the several monitor instances that exist for that node on the 'active' unit; and that node session is 'enabled' (where the 'from-node' was 'disabled'); and that node status may be 'up' (where the 'from-node' was 'user-down'), and later transition to 'down' from a monitor-fail.

Thus, after incremental-sync, the target-node may then be 'down', while the active unit in the HA configuration continues to function as expected.

Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.

Fix:
An incremental-sync from a modified-node that was set to 'user-down' successfully replicates the several monitor instances on that node to the target-node on the backup device in an HA configuration.


717100-1 : FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member

Component: Local Traffic Manager

Symptoms:
FQDN ephemeral pool members and corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.

The missing FQDN ephemeral pool members may be created an hour after initial operations.

Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.

Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members, and any virtual servers using that pool to fail to pass traffic.

Workaround:
The following steps, alone or in combination, may help avoid this issue:

1. Avoid rapid creation of multiple FQDN template pool members (such as by creating multiple in a single tmsh CLI transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.

Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.

In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).

Fix:
Ephemeral pool members are now created for each pool under these conditions.


716714-4 : OCSP should be configured to avoid TMM crash.

Component: Local Traffic Manager

Symptoms:
TMM generates a core if OCSP is not configured in the SSL profile.

Conditions:
OCSP not configured in the SSL profile.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than configuring OCSP in SSL profiles.

Fix:
In this release, TMM skips processing OCSP if it is not enabled.


716167-2 : The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp

Component: Local Traffic Manager

Symptoms:
The MTU of the tmm_bp kernel interface may be out-of-sync with the value of sys db vlan.backplane.mtu as well as out-of-sync with the MTU displayed by the following command:
 tmsh show /net vlan all-properties -hidden.

Conditions:
This issue occurs on first-boot after upgrading to versions later than v12.1.1 HF1.

Impact:
From the data plane perspective, this issue can cause excessive IP fragmentation on tmm_bp VLAN and high CPU usage.

In some cases it also causes packet loss.

From the config perspective, this issue has a few smaller impacts:
-- Fragmented packets on the tmm_bp interface for those packets greater in length than the actual MTU of this interface as given by the kernel in response to either of the following commands:
  ip address list dev tmm_bp | egrep -i mtu
  ifconfig tmm_bp

Note: This has no impact to the running system. Fragmented packets are reassembled in order for TCP clients of the tmm_bp interface.

-- The sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp as given by either of the following commands:
  ip address list dev tmm_bp
  ifconfig tmm_bp

-- Similarly, the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the Net::Vlan tmm_bp as returned by the command:
 tmsh show net vlan -hidden tmm_bp

Paraphrasing: The value of VLAN tmm_bp MTU (as found in vlan.backplane.mtu) is not applied to the corresponding kernel interface.

Workaround:
Restarting services applies the correct setting. Issue the following commands, in sequence:
  tmsh stop sys service all
  tmsh start sys service all

To verify the setting is correct, issue the command:
  ip addr show dev tmm_bp ; tmsh show net vlan -hidden tmm_bp \; list sys db vlan.backplane.mtu


715110-1 : AVR should report 'resolutions' in module GtmWideip

Component: Application Visibility and Reporting

Symptoms:
AVR does not report 'resolutions' in GtmWideip module.

Conditions:
One of the following modules is provisioned: AVR, AFM, or DNS/GTM.

Impact:
There are no statistics reported on 'resolutions' in GtmWideip module.

Workaround:
There is no workaround.

Fix:
AVR now reports 'resolutions' in GtmWideip module.


713817-1 : BIG-IP images are available in Alibaba Cloud

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) images are now available in the Alibaba International Cloud Marketplace.

Conditions:
Create virtual server instance within Alibaba International Cloud environment and select BIG-IP from the list of available images.

Impact:
New offerings for BYOL and PAYG for BIG-IP VE are now available in the Alibaba International Cloud Marketplace.

Workaround:
BIG-IP VE images are now available in Alibaba Cloud.

Fix:
BIG-IP VE images are now available in Alibaba Cloud.

Behavior Change:
BIG-IP VE now supports the Alibaba International Cloud Marketplace.


713806-8 : CVE-2018-0739: OpenSSL Vulnerability

Solution Article: K08044291


707013-3 : vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest

Component: TMOS

Symptoms:
-- clusterd restarts on secondary blade.

-- Messages similar to the following are logged in each secondary blade's /var/log/ltm file as clusterd restarts:

Management IP (<guest_management_ip>) already in use by (vcmp guest <guest_name>)

-- Messages similar to the following are logged in the primary blade's /var/log/ltm file when clusterd restarts on a secondary blade:

notice clusterd[3676]: 013a0006:5: Hello from slot 1.
notice clusterd[3676]: 013a0006:5: Informing MCP about slot ID 1 member status.
notice clusterd[3676]: 013a0006:5: Goodbye from slot 1.

Conditions:
-- Power-cycling a blade reproduces the issue most of the time.
-- Possibly specific to platform:
   + This issue has been seen on multiple hardware platforms, including B2100, B2150, B2250, and PB300.
   + Issue does not reproduce under the same conditions on a VIPRION 4800.

Impact:
Secondary slot on VIPRION hypervisor is in 'INOPERATIVE' state.

Workaround:
On the vCMP Host, copy the file /shared/db/cluster.conf from the primary to each secondary cluster member. For each secondary blade's slot, use a command similar to the following:

scp /shared/db/cluster.conf slot<slot number>:/shared/db/cluster.conf

Note: Implementing the workaround does not prevent the issue from recurring. An upgrade to an unaffected version is recommended.


704450-5 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration

Component: Local Traffic Manager

Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').

Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.

Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.

Workaround:
Reduce the load on the system.

Fix:
'bigd' no longer crashes and runs with a complete configuration when it (re-)starts while the BIG-IP system is under heavy load and 'mcpd' is delayed in configuring 'bigd'.


703835-5 : When using SCP into BIG-IP systems, you must specify the target filename

Solution Article: K82814400


703593-1 : TMSH tab completion for adding profiles to virtual servers is not working as expected

Component: Local Traffic Manager

Symptoms:
TMSH tab completion for adding profiles to virtual servers does not work. The list of profiles is not displayed when tab is pressed.

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm virtual asdf profiles add {
Configuration Items:
  [enter profile name]

Conditions:
List of profiles is not displayed when trying to add profiles during creation of a virtual server.

Impact:
List of available profiles is not displayed.

Workaround:
None.

Fix:
TMSH tab completion for adding profiles to virtual servers now shows the list of profiles.


702472-7 : Appliance Mode Security Hardening

Solution Article: K87659521


699977-3 : CVE-2016-7055: OpenSSL Vulnerability in NodeJS ILX

Solution Article: K43570545


698376-5 : Non-admin users have limited bash commands and can only write to certain directories

Solution Article: K46524395


668041-4 : Config load fails when an iRule comment ends with backslash in a config where there is also a policy.

Solution Article: K27535157

Component: TMOS

Symptoms:
Config load fails when an iRule contains a commented line that ends with an escape character (backslash), and the config also contains an LTM policy. Depending on the iRule, you might also see the following error: Syntax Error:(/config/bigip.conf at line: 42078) double quotes are not balanced.

Conditions:
-- iRule contains commented line that ends with a backslash.
-- The config also contains a policy.

For example, an iRule similar to the first example, and a policy similar to the second:

ltm rule /Common/log_info {
  when HTTP_RESPONSE {
    #log local0. "Original Location header value: [HTTP::header value Location],\
     updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
}
}

...

ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    rules {
        TestPol_Rule1 {
            actions {
                0 {
                    forward
                    select
                    node 10.2.10.20
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    matches
                    values { 10.1.10.20 }
                }
            }
        }
    }
    strategy /Common/first-match
}

Impact:
Config load fails.

Workaround:
You can use any of the following workarounds:
-- Delete the line of code with the comment.
-- Put the entire comment on one line of code.
-- Divide lengthy comments into a series of smaller ones, so that each comment fits within one line of code.
-- Move the iRule so that it is sequentially before the LTM policy in the config file.

Fix:
Config load no longer fails when an iRule comment ends with backslash in a config where there is also a policy.
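
A pre-load check for the conditions of 668041-4, given here as an added example (not F5 code and not part of the original release notes): it scans bigip.conf text for iRule comment lines that end in a Tcl line continuation and reports whether the config also defines an LTM policy. The function and class names are hypothetical, and the list of module keywords used to recognize stanza headers is an assumed heuristic, not a full tmsh grammar.

```python
import re
from dataclasses import dataclass

# Heuristic for a top-level stanza header in bigip.conf: a module keyword at
# column 0, an object type, an object name, then "{". The module list is an
# assumption made for this example, not a complete tmsh grammar.
STANZA = re.compile(
    r"^(?P<module>ltm|net|sys|auth|cm|security|apm|gtm|asm|pem|cli|analytics|ilx)"
    r"\s+(?P<kind>[a-z0-9 -]+?)\s+(?P<name>\S+)\s*\{\s*$"
)


@dataclass
class Finding:
    rule: str      # iRule that contains the comment
    lineno: int    # 1-based line number in the config text
    text: str      # the offending line, stripped


@dataclass
class Report:
    findings: list
    policies: list

    @property
    def matches_issue_conditions(self):
        # Both conditions listed for 668041-4: a backslash-terminated iRule
        # comment AND at least one LTM policy in the same config.
        return bool(self.findings) and bool(self.policies)


def ends_with_continuation(line):
    # In Tcl an odd number of backslashes immediately before the newline is a
    # line continuation; a backslash followed by a space is not.
    body = line.rstrip("\r\n")
    return (len(body) - len(body.rstrip("\\"))) % 2 == 1


def scan_config(conf_text):
    findings, policies = [], []
    rule = None          # name of the iRule stanza we are inside, if any
    continued = False    # True while a comment is continued from the previous line
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        header = STANZA.match(line)
        if header:
            key = (header.group("module"), header.group("kind"))
            rule = header.group("name") if key == ("ltm", "rule") else None
            if key == ("ltm", "policy"):
                policies.append(header.group("name"))
            continued = False
            continue
        if rule is None:
            continue
        is_comment = continued or line.lstrip().startswith("#")
        continues = ends_with_continuation(line)
        if is_comment and continues:
            findings.append(Finding(rule, lineno, line.strip()))
        continued = is_comment and continues
    return Report(findings, policies)


# Sample input built from the iRule and policy shown in this entry (policy
# body shortened); constructed for the example.
SAMPLE_CONF = r'''ltm rule /Common/log_info {
  when HTTP_RESPONSE {
    #log local0. "Original Location header value: [HTTP::header value Location],\
     updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
}
}
ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    strategy /Common/first-match
}
'''

if __name__ == "__main__":
    report = scan_config(SAMPLE_CONF)
    for f in report.findings:
        print(f"{f.rule}: line {f.lineno}: comment ends with backslash: {f.text}")
    print("policies:", ", ".join(report.policies) or "none")
    print("matches 668041-4 conditions:", report.matches_issue_conditions)
```

Each reported line can then be handled with one of the workarounds above, for example by putting the whole comment on one line.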


663819-1 : APM NTLM Authentication for RDP Client Gateway and Microsoft Exchange Proxy are incompatible with Microsoft workaround for MS17-010 (Wannacry / Eternalblue)

Component: Access Policy Manager

Symptoms:
Microsoft recently released security bulletin MS17-010 (https://technet.microsoft.com/library/security/MS17-010). This bulletin announces a recommended software patch to fix multiple vulnerabilities in SMBv1. It suggests an alternate workaround to disable SMBv1. When this workaround is followed, NTLM Authentication does not work in the following APM configurations:

-- APM RDP Gateway and NTLM Auth.
-- APM Exchange (Outlook Anywhere/ActiveSync) and NTLM Auth.
-- SWG Explicit and NTLM Auth.

Conditions:
-- SMBv1 is disabled as described in the Microsoft workaround in MS17-010.

-- Together with one or more of the following APM/SWG configurations, which can be configured to use NTLM Authentication:

   + APM RDP Gateway and NTLM Auth.
   + APM Exchange (Outlook Anywhere/ActiveSync) and NTLM Auth.
   + SWG Explicit and NTLM Auth.

Impact:
Authentication for connecting clients fails.

Workaround:
Do one of the following:

-- Do not follow the Microsoft workaround to disable SMBv1; instead install the recommended security patch.

-- For Exchange: Reconfigure Exchange CAS pool to use Kerberos Constrained Delegation SSO rather than NTLM. This will ensure that NTLM Passthrough is not used.

-- For RDP Proxy: Instead of RDP Proxy, use the Native RDP resource mode in BIG-IP APM v13.0.0 and later.

-- For SWG Explicit: Reconfigure to use Kerberos Authentication.


639619-7 : UCS may fail to load due to Master key decryption failure on EEPROM-less systems

Component: TMOS

Symptoms:
The following error:
'Symmetric Unit Key decrypt failure - decrypt failure'
is logged to /var/log/ltm when attempting to load a UCS.
The configuration then fails to load due to a secure attribute decryption failure.

Conditions:
1. UCS contains secure attributes.
2. UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS.
4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)

Impact:
The configuration fails to load.

Workaround:
Perform the following procedure:

1. Stop the system:
# bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS
4. Remove the mcp db to forcibly reload the keys:
# rm -f /var/db/mcpd.bin
# rm -f /var/db/mcpd.info

5. Restart the system and reload the configuration:
# bigstart start
# tmsh load sys config
or
# reboot

Fix:
The system now always reloads the .unitkey from storage when loading other keys, so the UCS loads as expected.


621260-2 : mcpd core on iControl REST reference to non-existing pool

Component: TMOS

Symptoms:
MCPd cores when attempting to create a pool and a monitor reference by using a REST call such as:

curl -u admin:admin -H "Content-Type: application/json" -X POST http://localhost:8100/tm/ltm/pool -d'{"name":"test_pool","monitor":" "}'

Conditions:
The monitor reference in the REST call must be comprised of a single space character.

Impact:
MCPd restarts, causing many of the system daemons to restart as well.

Workaround:
Don't use spaces in the monitor reference name.



Known Issues in BIG-IP v14.1.x


TMOS Issues

ID Number Severity Solution Article(s) Description
778317-1 1-Blocking   IKEv2 HA after Standby restart has race condition with config startup
774445-1 1-Blocking K74921042 BIG-IP VE does not pass traffic on ESXi 6.7 Update 2
780437-2 2-Critical   Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
777993-2 2-Critical   Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same
775897-1 2-Critical   High Availability failover restarts tmipsecd when tmm connections are closed
774361-2 2-Critical   IPsec High Availability sync during multiple failover via RFC6311 messages
773677-1 2-Critical K72255850 BIG-IP 14.1.0 system-journald write to /run/log/journal cause SWAP usage increase
770989 2-Critical   Observed '/shared/lib/rpm' RPM database corruption on B4450 blades installing 14.1.x.
770953 2-Critical   'smbclient' executable does not work
769809-4 2-Critical   vCMP guests 'INOPERATIVE' after upgrade
769341-1 2-Critical   HA failover deletes outstanding IKEv2 SAs along with IKEv1 SAs
769169-3 2-Critical   BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring
767877-3 2-Critical   TMM core with Bandwidth Control on flows egressing on a VLAN group
767689-1 2-Critical   f5optics_install using different versions of RPM
767013-3 2-Critical   Reboot when B2150 and B2250 blades' HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
765801 2-Critical   WCCP service info field corrupted in upgrade to 14.1.0 final
762385 2-Critical   After upgrade to 14.1 wrong remote-role assigned using LDAP authentication
762205-2 2-Critical   IKEv2 rekey fails to recognize VENDOR_ID payload when it appears
760573-1 2-Critical K00730586 TPM system integrity check may return invalid status when booting into BIG-IP 14.1.0
760508-1 2-Critical K91444000 On systems with multiple versions of BIG-IP in use, the 'invalid' System Integrity Status may persist
760475-1 2-Critical   Apache spawns more processes than the configured limit, causing system low memory condition
760408-3 2-Critical K23438711 System Integrity Status: Invalid after BIOS update
760164-1 2-Critical   BIG-IP VE Compression Offload HA action requires modification of db variable
758667-1 2-Critical   BIG-IP VE HA actions are not invoked when offload hardware hangs
758604-2 2-Critical   Deleting a port from a single-port trunk does not work.
757722-2 2-Critical   Unknown notify message types unsupported in IKEv2
757357-3 2-Critical   Tmm crashes when using virtio direct descriptors and packets 2 KB or larger
756830-1 2-Critical   BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
756402-2 2-Critical   Re-transmitted IPsec packets can have garbled contents
756071-3 2-Critical   MCPD crash
755716-1 2-Critical   IPsec connection can fail if connflow expiration happens before IKE encryption
755575-1 2-Critical   In MOS, the 'image2disk' utility with the '-format' option does not function properly
755254-1 2-Critical   Remote auth: PAM_LDAP buffer too small errors
753650-2 2-Critical   The BIG-IP system reports frequent kernel page allocation failures.
751924-2 2-Critical   TSO packet bit fails IPsec during ESP encryption
750586-2 2-Critical   HSL may incorrectly handle pending TCP connections with elongated handshake time.
748205-3 2-Critical   SSD bay identification incorrect for RAID drive replacement
747203-2 2-Critical   Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding
746464-1 2-Critical   MCPD sync errors and restart after multiple modifications to file object in chassis
743803-1 2-Critical   IKEv2 potential double free of object when async request queueing fails
726487-4 2-Critical   MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
726240-1 2-Critical   Cannot find disk information.
724556-3 2-Critical   icrd_child spawns more than maximum allowed times (zombie processes)
719597-3 2-Critical   HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0
717785-2 2-Critical   Interface-cos shows no egress stats for CoS configurations
648270-1 2-Critical   mcpd can crash if viewing a fast-growing log file through the GUI
777261-4 3-Major   When SNMP cannot locate a file it logs messages repeatedly
776489-2 3-Major   Remote authentication attempts to resolve only LDAP host against the first three name servers configured.
775733-1 3-Major   /etc/qkview_obfuscate.conf not synced across blades
773577-2 3-Major   SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted
773333-2 3-Major   IPsec CLI help missing encryption algorithm descriptions
773173-1 3-Major   LTM Policy GUI is not working properly
772497-5 3-Major   When BIG-IP is configured to use a proxy server, updatecheck fails
769029-1 3-Major   Non-admin users fail to create tmp dir under /var/system/tmp/tmsh
767737-2 3-Major   Timing issues during startup may make an HA peer stay in the inoperative state
767305-2 3-Major   If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried
767009 3-Major   Halting the host does not power off the host
766873 3-Major   Omission of lower-layer types from sFlow packet samples
766329-2 3-Major   SCTP connections do not reflect some SCTP profile settings
765969-1 3-Major   Not able to get HSB register dump from hsb_snapshot on B4450 blade
765761 3-Major   URI Parsing is failing when certificate name contains "[", "]"
765033 3-Major   Upgrades to versions that restrict resource-admin users from accessing bash may fail under certain conditions
764873-2 3-Major   An accelerated flow transmits packets to a dated, down pool member.
762097 3-Major   BIG-IP v14.1.0.2, No buffer allocated to SWAP after upgrading to v14.1.0.2
762073-2 3-Major   Continuous TMM restarts when HSB drops off the PCI bus
761993-2 3-Major   The nsm process may crash if it detects a nexthop mismatch
761933-1 3-Major   Reboot with 'tmsh reboot' does not log message in /var/log/audit
761321-2 3-Major   'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not
760950-4 3-Major   Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment
760597-1 3-Major   System integrity messages not logged
760594 3-Major   On BIG-IP VE, 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details.
760363-1 3-Major   Update Alias Address field with default placeholder text
760259-3 3-Major   Qkview silently fails to capture qkviews from other blades
759814-1 3-Major   Unable to view iApp component view
759654-1 3-Major   LDAP remote authentication with remote roles and user-template failing
759499-2 3-Major   Upgrade from version 12.1.3.7 to version 14.1.0 failing with error
758879 3-Major   BIG-IP VE with ixlv devices does not reliably pass some traffic after hard-boot
758387-2 3-Major   BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it
757572 3-Major   Virtual Edition doesn't support forging MAC addresses with Mellanox ConnectX-3 virtual functions
757519-1 3-Major   Unable to login using LDAP authentication
756820-2 3-Major   Non-UTF8 characters returned from /bin/createmanifest
756450-1 3-Major   Traffic using route entry that's more specific than existing blackhole route can cause core
756153-3 3-Major   Add diskmonitor support for MySQL /var/lib/mysql
756088-2 3-Major   The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address
755197-3 3-Major   UCS creation might fail during frequent config save transactions
754691-1 3-Major   During failover, an OSPF routing daemon may crash.
754336 3-Major   BIG-IP VE cannot use MOS for reimaging with 4 GB of memory or less
754335-1 3-Major   Install ISO does not boot on BIG-IP VE
753860-3 3-Major   Virtual server config changes causing incorrect route injection.
753423-6 3-Major   Disabling and immediately re-enabling the slot results in interfaces from the slot being permanently removed from aggregation
753001-1 3-Major   mcpd can be killed if the configuration contains a very high number of nested references
752994-1 3-Major   Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod
751581-3 3-Major   REST API Timeout while querying large number of persistence profiles
751448-1 3-Major   TMM, ZebOS, and Linux routing table may lose dynamic routes on a tmm restart
751409-1 3-Major   MCP Validation does not detect when virtual servers differ only by overlapping VLANs
751024-4 3-Major   i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd
751021-1 3-Major   One or more TMM instances may be left without dynamic routes.
750318-3 3-Major   HTTPS monitor does not appear to be using cert from server-ssl profile
749785-2 3-Major   nsm can become unresponsive when processing recursive routes
748545-1 3-Major   Remove 'sys-unconfig' and 'rhel-configure' binaries and related systemd service
748295-1 3-Major   TMM crashes on shutdown when using virtio NICs for dataplane
748206-1 3-Major   Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position
748187-4 3-Major   'Transaction Not Found' Error on PATCH after Transaction has been Created
748044 3-Major   RAID status in tmsh is not updated when disk is removed or rebuild finishes
747676-3 3-Major   Remote logging needs 'localip' to set source IP properly
746657-1 3-Major   tmsh help for FQDN node or pool member shows incorrect default for fqdn interval
746266-3 3-Major   Vcmp guest vlan mac mismatch across blades.
744730-1 3-Major   Specifying a larger system disk during VE launch requires manual reboot for the increase to go into effect
744520-1 3-Major   virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface
744252-2 3-Major   BGP route map community value: either component cannot be set to 65535
743132-6 3-Major   mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile
742753-4 3-Major   Accessing the BIG-IP system's WebUI via special proxy solutions may fail
742170-2 3-Major   REST PUT command fails for data-group internal
740589-1 3-Major   mcpd crash with core after 'tmsh edit /sys syslog-all-properties'
740543-1 3-Major   System hostname not displayed in console
740517-1 3-Major   Application Editor users are unable to edit HTTPS Monitors via the Web UI
739820-1 3-Major   Validation does not reject IPv6 address for TACACS auth configuration
739118-1 3-Major   Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
738943-3 3-Major   imish command hangs when ospfd is enabled
738330-3 3-Major   /mgmt/toc endpoint broken after configuring remote authentication
737739-1 3-Major   bash shell still accessible for admin even if disabled
737397-1 3-Major   User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP
737346-1 3-Major   After entering username and before password, the logging on user's failure count is incremented.
734846-1 3-Major   Redirection to logon summary page does not occur after session timeout
727297-1 3-Major   GUI TACACS+ remote server list should accept hostname
727191-1 3-Major   Invalid arguments to run sys failover do not return an error
726176-2 3-Major   platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
725791-6 3-Major   Potential HW/HSB issue detected
721020-1 3-Major   Changes to the master key are reverted after full sync
718405-2 3-Major   RSA signature PAYLOAD_AUTH mismatch with certificates
715379-3 3-Major   IKEv2 accepts asn1dn for peers-id only as file path of certificate file
703090-5 3-Major   With many iApps configured, scriptd may fail to start
701341-4 3-Major K52941103 If /config/BigDB.dat is empty, mcpd continuously restarts
698933-6 3-Major   Setting metric-type via ospf redistribute command may not work correctly
684096-4 3-Major   stats self-link might include the oid twice
683135-1 3-Major   Hardware syncookies number for virtual server stats is unrealistically high
657834-5 3-Major K45005512 Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
648621-6 3-Major   SCTP: Multihome connections may not expire
641450-7 3-Major K30053855 A transaction that deletes and recreates a virtual may result in an invalid configuration
606032-5 3-Major   Network Failover-based HA in AWS may fail
601220-3 3-Major   Multi-blade trunks seem to leak packets ingressed via one blade to a different blade
591305-3 3-Major   Audit log messages with "user unknown" appear on install
581921-5 3-Major K22327083 Required files under /etc/ssh are not moved during a UCS restore
569859-5 3-Major   Password policy enforcement for root user when mcpd is not available
486712-5 3-Major   GUI PVA connection maximum statistic is always zero
779857-1 4-Minor   Misleading GUI error when installing a new version in another partition
776393-2 4-Minor   Memory leak in restjavad causing restjavad to restart frequently with OOM
776073-1 4-Minor   OOM killer killing tmm in system low memory condition as process OOM score is high
774617-1 4-Minor   SNMP daemon reports integer truncation error for values greater than 32 bits
761084-3 4-Minor   Custom monitor fields appear editable for Auditor, Operator, or Guest
760680-1 4-Minor   TMSH may utilize 100% CPU (single core) when set to be a process group leader and SSH session is closed.
760570 4-Minor   The BIG-IP installer fails to automatically detect installation media.
759852-1 4-Minor   SNMP configuration for trap destinations can cause a warning in the log
759606-2 4-Minor   REST error message is logged every five minutes on vCMP Guest
758348-1 4-Minor   Cannot access GUI via hostname when it contains _ (underscore character)
754500-2 4-Minor   GUI LTM Policy options disappearing
746152-1 4-Minor   Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column
726317-6 4-Minor   Improved debugging output for mcpd
723833-2 4-Minor   IPsec related routing changes can misfire, like changing tunnel mode to interface mode
722647-4 4-Minor   The configuration of some of the Nokia alerts is incorrect
484683-2 4-Minor   Certificate_summary is not created at peer when the chain certificate is synced to HA peer.
769145-2 5-Cosmetic   Syncookie threshold warning is logged when the threshold is disabled
761621-2 5-Cosmetic   Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members"
679431-4 5-Cosmetic   In routing module the 'sh ipv6 interface <interface> brief' command may not show header


Local Traffic Manager Issues

ID Number Severity Solution Article(s) Description
759968-3 1-Blocking   Distinct vCMP guests are able to cluster with each other.
760078-1 2-Critical   Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet.
759723-1 2-Critical   Abnormally terminated connections on server side may cause client side streams to stall
758714-1 2-Critical   Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports.
758465-1 2-Critical   TMM may crash or iRule processing might be incorrect
757441-4 2-Critical   Specific sequence of packets causes Fast Open to be effectively disabled
757391-2 2-Critical   Datagroup iRule command class can lead to memory corruption
756356-2 2-Critical   External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long
755585-1 2-Critical   mcpd can restart on secondary blades if a policy is created, published, and attached to a vs in a single transaction
753912-4 2-Critical   UDP flows may not be swept
752930-3 2-Critical   Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
751589-1 2-Critical   In BIG-IP VE, some IP rules may not be created during the first boot up.
747727-1 2-Critical   HTTP Profile Request Header Insert Tcl error
747239-1 2-Critical   TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection
746710-1 2-Critical   Use of HTTP::cookie after HTTP::disable causes TMM core
745589-6 2-Critical   In very rare situations, some filters may cause data-corruption.
741048-1 2-Critical   iRule execution order could change after editing the scripts
739003-2 2-Critical   TMM may crash when fastl4 is used on epva-capable BIG-IP
738046-1 2-Critical   SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby
737985-2 2-Critical   BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode.
734551-3 2-Critical   L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server
734276-1 2-Critical   TMM may leak memory when SSL certificates with VDI or EAM in use
726900-1 2-Critical   Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters
712534 2-Critical   DNSSEC keys are not generated when configured to use an external FIPS device
632553-4 2-Critical   DHCP: OFFER packets from server are intermittently dropped
625807-1 2-Critical   tmm cored in bigproto_cookie_buffer_to_server
474797-4 2-Critical   Nitrox crypto hardware may attempt soft reset while currently resetting
781041-1 3-Major   SIP monitor in non default route domain is not working.
779137-2 3-Major   Using a source address list for a virtual server does not preserve the destination address prefix
778517-1 3-Major   Large number of in-TMM monitors results in delayed processing
777269-1 3-Major   Gratuitous ARP may be sent for self IPs from incorrect MAC address at startup
776229-2 3-Major   iRule 'pool' command no longer accepts pool members with ports that have a value of zero
773821-1 3-Major   Certain plaintext traffic may cause SSLO to hang
773421-1 3-Major   Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
773229-2 3-Major   Replacing a virtual server's FastL4 profile can cause traffic to fail in specific circumstances
770477-2 3-Major   SSL aborted when client_hello includes both renegotiation info extension and SCSV
769801-1 3-Major   Internal tmm UDP filter does not set checksum
767217-2 3-Major   Under certain conditions when deleting an iRule, an incorrect dependency error is seen
766593-1 3-Major   RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20
766293-1 3-Major   Monitor logging fails on v14.1.0.x releases
764969 3-Major   ILX no longer supports symlinks in workspaces as of v14.1.0
763093-3 3-Major   LRO packets are not taken into account for ifc_stats (VLAN stats)
761385-1 3-Major   Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire.
760771-1 3-Major   FastL4-steered traffic might cause SSL resume handshake delay
760550-5 3-Major   Retransmitted TCP packet has FIN bit set
760050-2 3-Major   cwnd warning message in log
758992-2 3-Major   The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address
758631-4 3-Major   ec_point_formats extension might be included in the server hello even if not specified in the client hello
758437-6 3-Major   SYN w/ data disrupts stat collection in Fast L4
758436-4 3-Major   Optimistic ACKs degrade Fast L4 statistics
758311-1 3-Major   Policy Compilation may cause MCPD to crash
757985-1 3-Major K79562045 TMM memory leak
757505-3 3-Major   peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket
757431-1 3-Major   mcpd process killed after upgrade from 12.1.3
757029-2 3-Major   Ephemeral pool members may not be created after config load or reboot
756270-4 3-Major   SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
755997-2 3-Major   Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address
755791-2 3-Major   UDP monitor not behaving properly on different ICMP reject codes.
755727-2 3-Major   Ephemeral pool members not created after DNS flap and address record changes
755631-1 3-Major   UDP / DNS monitor marking node down
754985-1 3-Major   Standby TMM may crash while processing mirrored TLS traffic
754604-2 3-Major   iRule : [string first] returns incorrect results when string2 contains null
754525-1 3-Major   Disabled virtual server accepts and serves traffic after restart
753594-2 3-Major   In-TMM monitors may have duplicate instances or stop monitoring
753526-1 3-Major   IP::addr iRule command does not allow single digit mask
753514-3 3-Major   Large configurations containing LTM Policies load slowly
753159-1 3-Major   Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections
752530-1 3-Major   TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.
752334-1 3-Major   Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation
752078-2 3-Major   Header Field Value String Corruption
751036-1 3-Major   Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
750473-4 3-Major   VA status change while 'disabled' are not taken into account after being 'enabled' again
749689-2 3-Major   HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart
749414-4 3-Major   Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects
748891-2 3-Major   Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system.
748529-1 3-Major   BIG-IP Virtual Edition with cloudhsm integration needs to restart tmm after a fresh install
747907-2 3-Major   Persistence records leak while the HA mirror connection is down
746922-6 3-Major   When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
746078-1 3-Major   Upgrades break existing iRulesLX workspaces that use node version 6
745923-2 3-Major   Virtual server may reset a connection with port zero when client sends ACK after a 4-way close
745545-1 3-Major   CMP forwarded LRO host packets do not restore LRO flag
745285 3-Major   Virtual server configured with destination address list may not respond to ARP and ICMP echo
742838-1 3-Major   A draft policy of an existing published policy cannot be modified if it is in /Common and is used by a virtual server in a different partition
742237-4 3-Major   CPU spikes appear wider than actual in graphs
742078-6 3-Major   Incoming SYNs are dropped and the connection does not time out.
740959-4 3-Major   User with manager rights cannot delete FQDN node on non-Common partition
740345-3 3-Major   TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.
738450-1 3-Major   Parsing pool members as variables with IP tuple syntax
723306-1 3-Major   Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
722707-2 3-Major   mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
719304-1 3-Major   Inconsistent node ICMP monitor operation for IPv6 nodes
719300-3 3-Major   ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address
718790-1 3-Major   Traffic does not forward to fallback host when all pool members are marked down
714372 3-Major   Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari
714292-3 3-Major   Transparent forwarding mode across multiple VLAN groups or virtual-wire
712919-2 3-Major   Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server.
710930-3 3-Major   Enabling BigDB key bigd.tmm may cause SSL monitors to fail
709381-2 3-Major   iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out.
696755-3 3-Major   HTTP/2 may truncate a response body when served from cache
689361-4 3-Major   Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)
686059-4 3-Major   FDB entries for existing VLANs may be flushed when creating a new VLAN.
646440-1 3-Major   TMSH allows mirror for persistence even when no mirroring configuration exists
544958-1 3-Major   Monitors packets are sent even when pool member is 'Forced Offline'.
505037-5 3-Major K01993279 Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop
504522-4 3-Major   Trailing space present after 'tmsh ltm pool members monitor' attribute value
774261-1 4-Minor   PVA client-side current connections stat does not decrease properly
773253-3 4-Minor   The BIG-IP may send VLAN failsafe probes from a disabled blade
772297-2 4-Minor   LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade
769309-2 4-Minor   DB monitor reconnects to server on every probe when count = 0
760683-1 4-Minor   RST from non-floating self-ip may use floating self-ip source mac-address
758704 4-Minor   Excessive 'GuestInfoAddNicEntry: NIC limit (16) reached' logging
757777-3 4-Minor   bigtcp does not issue a RST in all circumstances
747968-3 4-Minor   DNS64 stats not increasing when requests go through dns cache resolver
747628-1 4-Minor   BIG-IP sends spurious ICMP PMTU message to server
747585-3 4-Minor   TCP Analytics supports ANY protocol number
744210-2 4-Minor   DHCPv6 does not have the ability to override the hop limit from the client.
738045-5 4-Minor   HTTP filter complains about invalid action in the LTM log file.
722534-1 4-Minor   load sys config merge not supported for iRulesLX
666378-1 5-Cosmetic   A virtual server's connections per second (precision.last_value) is confusingly named.


Performance Issues

ID Number Severity Solution Article(s) Description
777937-3 1-Blocking   AWS ena: packet drops due to bad checksum
746620-3 3-Major   "source-port preserve" does not work on BIG-IP Virtual Edition
747960-2 4-Minor   BIG-IP VE with 1nic does not handle fragmented traffic to webui or ssh properly


Global Traffic Manager (DNS) Issues

ID Number Severity Solution Article(s) Description
722741-1 2-Critical   Damaged tmm dns db file causes zxfrd/tmm core
264701-3 2-Critical   GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608)
779793-2 3-Major   [LC] Error Message "Cannot modify the destination address of monitor" for destination * bigip_link monitor
779769-2 3-Major   [LC] [GUI] destination cannot be modified for bigip-link monitors
778365-2 3-Major   dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service
774481-2 3-Major   DNS Virtual Server creation problem with Dependency List
774225-3 3-Major   mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting
772233-3 3-Major   IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.
769385-1 3-Major   GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message
760615-2 3-Major   Virtual Server discovery may not work after a GTM device is removed from the sync group
756177-2 3-Major   GTM marks pool members down across datacenters
754901-1 3-Major   Frequent zone update notifications may cause TMM to restart
751540-3 3-Major   GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server
750213-4 3-Major K25351434 DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
749508-1 3-Major   LDNS and DNSSEC: Various OOM conditions need to be handled properly
749222-1 3-Major   dname compression offset overflow causes bad compression pointer
748902-1 3-Major   Incorrect handling of memory allocations while processing DNSSEC queries
746877-1 3-Major   Omitted check for success of memory allocation for DNSsec resource record
746719-1 3-Major   SERVFAIL when attempting to view or edit NS resource records in zonerunner
746137-1 3-Major   DNSSEC: Creating a new DNSSEC Zone can result in gtmd attempting to sync every 10 seconds
745035-2 3-Major   gtmd crash
744787-4 3-Major   Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias
744707-2 3-Major   Fixed crash related to DNSSEC key rollover
739553-1 3-Major   Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
723288-4 3-Major   DNS cache replication between TMMs does not always work for net dns-resolver
679316-7 3-Major   iQuery connections reset during SSL renegotiation
222220-4 3-Major   Distributed application statistics
775801-2 4-Minor   [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener
760117-1 4-Minor   Duplicate error messages in log when updating a zone through ZoneRunner GUI
755282-1 4-Minor   [GTM] bigip_add password prompt for IPv4-mapped IPv6 address
752216-6 4-Minor K33587043 DNS queries without the RD bit set may generate responses with the RD bit set
748177-1 4-Minor   Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character
744280-2 4-Minor   Enabling or disabling a Distributed Application results in a small memory leak
712335-3 4-Minor   GTMD may intermittently crash under unusual conditions.


Application Security Manager Issues

ID Number Severity Solution Article(s) Description
759360-2 2-Critical   Apply Policy fails due to policy corruption from previously enforced signature
756108-1 2-Critical   BD crash on specific cases
723790-3 2-Critical   Idle asm_config_server handlers consumes a lot of memory
781637-2 3-Major   ASM brute force counts unnecessary failed logins for NTLM
781069-2 3-Major   Bot Defense challenge blocks requests with long Referer headers
781021-2 3-Major   ASM modifies cookie header causing it to be non-compliant with RFC6265
773553-2 3-Major   ASM JSON parser false positive.
772165-1 3-Major   Sync Failed due to Bot Defense profile not found
769997-1 3-Major   ASM removes double quotation characters on cookies
769981-2 3-Major   bd crashes in a specific scenario
764373-3 3-Major   'Modified domain cookie' violation with multiple enforced domain cookies with different paths
761941-1 3-Major   ASM does not remove CSRT token query parameter before forwarding a request to the backend server
761565-1 3-Major   ASM BD core when custom captcha page configured size more than 45K with %ASM.captcha.support_id% placeholder is at the end
761194-2 3-Major   param data type violation on an Integer parameter, if an integer value is sent via websocket JSON
760878-3 3-Major   Incorrect enforcement of explicit global parameters
759840-1 3-Major   False positive 'Null in request' violation or bare byte subviolations
758085-1 3-Major   CAPTCHA Custom Response fails when using certain characters
756418-1 3-Major   Live Update does not authenticate remote users
751710-4 3-Major   False positive cookie hijacking violation
748851-3 3-Major   Bot Detection injection include tags which may cause faulty display of application
746394-1 3-Major   With ASM CORS set to 'Disabled' it strips all CORS headers in response.
745802-1 3-Major   Brute Force CAPTCHA response page truncates last digit in the support id
742558-1 3-Major   Request Log export document fails to show some UTF-8 characters
687759-3 3-Major   bd crash
774941-1 4-Minor   GUI misspelling in Bot Defense logging profile
772473-3 4-Minor   Request reconstruct issue after challenge
765413-1 4-Minor   ASM cluster syncs caused by PB ignored suggestions updates
761921-1 4-Minor   avrd high CPU utilization due to perpetual connection attempts
761088-1 4-Minor   Remove policy editing restriction in the GUI while auto-detect language is set
758615-1 4-Minor   Reconstructed POST request is dropped after DID cookies are deleted
756998-1 4-Minor   DoSL7 Record Traffic feature is not recording traffic
755005-1 4-Minor   Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
754109-1 4-Minor   ASM content-security-policy header modification violates Content Security Policy directive
752797-1 4-Minor   BD is not correctly closing a shared memory segment
750689-3 4-Minor   Request Log: Accept Request button available when not needed
747560-5 4-Minor   ASM REST: Unable to download Whitehat vulnerabilities
695878-2 4-Minor   Signature enforcement issue on specific requests


Application Visibility and Reporting Issues

ID Number Severity Solution Article(s) Description
763349-3 2-Critical   AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out
756205-1 2-Critical   TMSTAT offbox statistics are not continuous
756102-2 2-Critical   TMM can crash with core on ABORT signal due to non-responsive AVR code
753485-1 2-Critical   AVR global settings are being overridden by HA peers
773925-2 3-Major   Sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB tables files
771025-3 3-Major   AVR send domain names as an aggregate
764665-2 3-Major   AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change
763005-3 3-Major   Aggregated Domain Names in DNS statistics are shown as random domain name
760356-2 3-Major   Users with Application Security Administrator role cannot delete Scheduled Reports
746837-2 3-Major   AVR JS injection can cause error on page if the JS was not injected
758996-3 4-Minor   Data in the 'Last 4 hours' view have a 1-hour delay


Access Policy Manager Issues

ID Number Severity Solution Article(s) Description
760130-3 2-Critical   [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK
755447-1 2-Critical   SSLO does not deliver content generated/originated from inline device
748572-2 2-Critical   Occasionally ramcache might crash when data is sent without the corresponding event.
725505-1 2-Critical   SNAT settings in network resource are not applied after FastL4 profile is updated
660913-3 2-Critical   For ActiveSync client type, browscap info provided is incorrect.
775621-2 3-Major   urldb memory grows past the expected ~3.5GB
774633-2 3-Major   Memory leak in tmm when session db variables are not cleaned up
774213-1 3-Major   SWG session limits on SSLO deployments
768025-4 3-Major   SAML requests/responses fail with "failed to find certificate"
761303-2 3-Major   Upgrade of standby BIG-IP system results in empty Local Database
760410-1 3-Major   Connection reset is seen when Category lookup agent is used in per-req policy
759868-1 3-Major   TMM crash observed while rendering internal pages (like blocked page) for per-request policy
759392-2 3-Major   HTTP_REQUEST iRule event triggered for internal APM request
758764-2 3-Major   APMD Core when CRLDP Auth fails to download revoked certificate
758542-3 3-Major   OAuth database instance appears empty after upgrade from v13.x
757992-3 3-Major   RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
757822-1 3-Major   Subroutine name should use partition name and policy name
757782-1 3-Major   OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default
757781-3 3-Major   Portal Access: cookie exchange may be broken sometimes
757360-1 3-Major   Category lookup returns wrong category on subsequent traffic following initial HTTP CONNECT traffic through SSLO
755507-4 3-Major   [App Tunnel] 'URI sanitization' error
755475-1 3-Major   Corrupted customization group on target after updating logon page agent field on source device and config sync
755047-1 3-Major   Category lookup returns wrong category on CONNECT traffic through SSLO
754542-2 3-Major   TMM may crash when using RADIUS Accounting agent
752875-2 3-Major   tmm core while using service chaining for SSLO
751424-1 3-Major   HTTP Connect Category Lookup not working properly
750823-1 3-Major   Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
750631-2 3-Major   There may be a latency between session termination and deletion of its associated IP address mapping
749057-1 3-Major   VMware Horizon idle timeout is ignored when connecting via APM
749036-2 3-Major   Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM
748451-3 3-Major   Manager users cannot perform changes in per-request policy properties
748070 3-Major   API Protection feature inadvertently allows editing of associated access policy
746768-4 3-Major   APMD leaks memory if access policy contains variable/resource assign policy items
745574-1 3-Major   URL is not removed from custom category when deleted
744532 3-Major   Websso fails to decrypt secured session variables
744316-4 3-Major   Config sync of APM policy fails with Cannot update_indexes validation error.
738547-3 3-Major   SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII
738430-3 3-Major   APM is not able to do compliance check on iOS devices running F5 Access VPN client
711056-1 3-Major   License check VPE expression fails when access profile name contains dots
695985-4 3-Major   Access HUD filter has URL length limit (4096 bytes)
673357-1 3-Major   SWG puts flow in intercept mode when session is not found
600985-1 3-Major   Network access tunnel data stalls
534187-5 3-Major   Passphrase protected signing keys are not supported by SAML IDP/SP
498926 5-Cosmetic   Client can fail to start a new session in multi-domain SSO.


WebAccelerator Issues

ID Number Severity Solution Article(s) Description
761027 3-Major   Web Browser Hang on Reading Compressed Data from BIG-IP
751383-1 4-Minor   Invalidation trigger parameter values are limited to 256 bytes
748031-1 4-Minor   Invalidation trigger parameter containing reserved XML characters does not create invalidation rule


Service Provider Issues

ID Number Severity Solution Article(s) Description
766405-2 2-Critical   MRF SIP ALG with SNAT: Fix for potential crash on next-active device
754615-2 2-Critical   Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup.
763157-2 3-Major   MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped
761685-3 3-Major   Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set
760370-2 3-Major   MRF SIP ALG with SNAT: Next active ingress queue filling
759370 3-Major   FIX protocol messages parsed incorrectly when fragmented between the body and the trailer.
759077-2 3-Major   MRF SIP filter queue sizes not configurable
755630-1 3-Major   MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes
755311-1 3-Major   No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down
754617-2 3-Major   iRule 'DIAMETER::avp read' command does not work with 'source' option
753501-1 3-Major   iRule commands (such as relate_server) do not work with MRP SIP
752822-1 3-Major   SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type
751179-1 3-Major   MRF: Race condition may create too many outgoing connections to a peer
749528-1 3-Major   IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap
749041-2 3-Major   MRSIP log of subscriber deletion outputs '(null)' for subscriber URI
748253-1 3-Major   Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
746825-1 3-Major   MRF SIP ALG with SNAT: Ephemeral listeners not created for un-subscribed outgoing calls
746731-1 3-Major   BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
760930-2 4-Minor   MRF SIP ALG with SNAT: Added additional details to log events
749704-2 4-Minor   GTPv2 Serving-Network field with mixed MNC digits
747909-5 4-Minor   GTPv2 MEI and Serving-Network fields decoded incorrectly


Advanced Firewall Manager Issues

ID Number Severity Solution Article(s) Description
763121-3 2-Critical   Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.
757359-1 2-Critical   pccd crashes when deleting a nested Address List
754805 2-Critical   Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured
781425 3-Major   Firewall rule list configuration causes config load failure
771173-3 3-Major   FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.
761345-3 3-Major   Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode
761234-2 3-Major   Changing a virtual server to use an address list should be prevented if the VS has a security policy with a logging profile attached
753028-2 3-Major   AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule
751116-1 3-Major   DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring
749761-3 3-Major   AFM Policy with Send to Virtual and TMM crash in a specific scenario
745809-2 3-Major   The /var partition may become 100% full requiring manual intervention to clear space
663946-6 3-Major   VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
760355 4-Minor   Firewall rule to block ICMP/DHCP from 'required' to 'default'
756477-2 5-Cosmetic   Drop Redirect tab incorrectly named as 'Redirect Drop'


Policy Enforcement Manager Issues

ID Number Severity Solution Article(s) Description
760518-4 2-Critical   PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement
750491-4 2-Critical   PEM Once-Every content insertion action may insert more than once during an interval
764901-2 3-Major   PEM policy filters rules memory gets leaked if policy is deleted before deleting the rules
760438-3 3-Major   PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions
759192-3 3-Major   TMM core during display of PEM session under some specific conditions
756311-4 3-Major   High CPU during erroneous deletion
753163-4 3-Major   PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days
753014-4 3-Major   PEM iRule action with RULE_INIT event fails to attach to PEM policy
752163-1 3-Major   PEM::session info cannot set subscriber type and ID
747065-2 3-Major   PEM iRule burst of session ADDs leads to missing sessions
741213-2 3-Major   Modifying disabled PEM policy causes coredump
726011-4 3-Major   PEM transaction-enabled policy action lookup optimization to be controlled by a sys db
670994-5 3-Major   There is no validation for IP address on the ip-address-list for static subscriber


Carrier-Grade NAT Issues

ID Number Severity Solution Article(s) Description
744516-4 2-Critical   TMM panics after a large number of LSN remote picks
761517-1 4-Minor   nat64 and ltm pool conflict


Fraud Protection Services Issues

ID Number Severity Solution Article(s) Description
660759-1 3-Major   Cookie hash persistence sends alerts to application server.


Anomaly Detection Services Issues

ID Number Severity Solution Article(s) Description
748813-3 2-Critical   tmm cores under stress test on virtual server with DoS profile with admd enabled
748121-3 2-Critical   admd livelock under CPU starvation
653573-6 2-Critical   ADMd not cleaning up child rsync processes
756877-1 3-Major   Virtual server created with Guided Configuration is not visible in Grafana


Traffic Classification Engine Issues

ID Number Severity Solution Article(s) Description
752803-1 2-Critical   CLASSIFICATION_DETECTED running reject can lead to a tmm core
752047-1 2-Critical   iRule running reject in CLASSIFICATION_DETECTED event can cause core
754257-2 3-Major   URL lookup queries not working


Device Management Issues

ID Number Severity Solution Article(s) Description
720434-3 2-Critical   Multi-blade Chassis iAppLX Package upgrade sync is incomplete across blades
749383-1 3-Major   Audit Log: 'cmd_data=list cm device recursive' are being generated continuously even though the command has not been executed
718033-4 3-Major   REST calls fail after installing BIG-IP software or changing admin passwords
710809 3-Major   Restjavad hangs and causes GUI page timeouts


Protocol Inspection Issues

ID Number Severity Solution Article(s) Description
778225-3 3-Major   vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host

 

Known Issue details for BIG-IP v14.1.x

781637-2 : ASM brute force counts unnecessary failed logins for NTLM

Component: Application Security Manager

Symptoms:
False positive brute force violation raised and login request is blocked

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM Brute force protection enabled for NTLM login type

Impact:
The login request is blocked by the ASM policy.

Workaround:
Define higher thresholds in brute force protection settings


781425 : Firewall rule list configuration causes config load failure

Component: Advanced Firewall Manager

Symptoms:
'tmsh load sys config' has a syntax error.

The syntax error is reported on 'security firewall rule-list rule' configuration.

Conditions:
This occurs only if the ip-protocol of any rule-list rule is one of the following protocols:

-- BBN-RCC-MON
-- NVP-II
-- DCN-MEAS
-- OSPFIGP
-- CRUDP

Impact:
The system fails to load the configuration.

Workaround:
Manually edit the configuration file: /config/bigip_base.conf

1. Replace the ip-protocol name in the rule-list configuration:

-- Change BBN-RCC-MON to bbn-rcc.
-- Change NVP-II to nvp.
-- Change DCN-MEAS to dcn.
-- Change OSPFIGP to ospf.
-- Change CRUDP to crudp.

2. Save the file.
3. Issue the command:
 tmsh load sys config

The configuration now loads without syntax errors.
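Step 1 of the workaround as a script, restricted to 'security firewall rule-list' stanzas and to the value of the ip-protocol key. This is an added example, not F5 code: the sample stanza is constructed, the function names are hypothetical, and brace counting assumes no braces inside quoted strings. Run it on a copy of the file, then continue with step 3.

```python
import re
import shutil

# Mapping taken from the workaround text above.
RENAMES = {
    "BBN-RCC-MON": "bbn-rcc",
    "NVP-II": "nvp",
    "DCN-MEAS": "dcn",
    "OSPFIGP": "ospf",
    "CRUDP": "crudp",
}

STANZA = re.compile(r"^security firewall rule-list \S+ \{\s*$")
IP_PROTO = re.compile(r"^(\s*ip-protocol\s+)(\S+)(\s*)$")

# Constructed sample configuration (not taken from a real system).
SAMPLE = """\
security firewall rule-list /Common/rl_routing {
    rules {
        allow_ospf {
            action accept
            description "legacy OSPFIGP peers"
            ip-protocol OSPFIGP
        }
        drop_nvp {
            action drop
            ip-protocol NVP-II
        }
        allow_tcp {
            action accept
            ip-protocol tcp
        }
    }
}
sys global-settings {
    hostname bigip1.example.com
}
"""


def rewrite_rule_list_protocols(config_text):
    """Return (new_text, changes); changes is a list of (line, old, new)."""
    out, changes = [], []
    depth = 0
    in_rule_list = False
    for number, line in enumerate(config_text.splitlines(keepends=True), 1):
        body = line.rstrip("\r\n")
        if depth == 0:
            # A new top-level stanza starts here; remember whether it is a rule-list.
            in_rule_list = bool(STANZA.match(body))
        if in_rule_list:
            match = IP_PROTO.match(body)
            if match and match.group(2) in RENAMES:
                new_name = RENAMES[match.group(2)]
                changes.append((number, match.group(2), new_name))
                line = match.group(1) + new_name + match.group(3) + line[len(body):]
        depth += body.count("{") - body.count("}")
        out.append(line)
    return "".join(out), changes


def rewrite_file(path):
    """Rewrite path in place, keeping the original as path + '.bak'."""
    with open(path, encoding="utf-8") as handle:
        original = handle.read()
    updated, changes = rewrite_rule_list_protocols(original)
    if changes:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(updated)
    return changes


if __name__ == "__main__":
    _, found = rewrite_rule_list_protocols(SAMPLE)
    for line_number, old, new in found:
        print(f"line {line_number}: {old} -> {new}")
```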


781069-2 : Bot Defense challenge blocks requests with long Referer headers

Component: Application Security Manager

Symptoms:
The Bot Defense challenge may block the client if the Referer header is between about 1400 characters and 3072 characters long.
The client may be blocked by a TCP RST, or get stuck in a challenge loop.

Conditions:
-- Bot Defense with Verify before Access, or Proactive Bot Defense are configured
-- Request has a Referer header that is between ~1400 and 3072 characters long

Impact:
Legitimate browsers may get blocked or suffer from a challenge loop

Workaround:
Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.


781041-1 : SIP monitor in non default route domain is not working.

Component: Local Traffic Manager

Symptoms:
SIP pool members in non-default route domain are being marked as unavailable even though they are available.

Conditions:
SIP pool members in non default route domain.

Impact:
SIP service unavailable.


781021-2 : ASM modifies cookie header causing it to be non-compliant with RFC6265

Component: Application Security Manager

Symptoms:
When ASM strips the ASM cookies from the Cookie header, it leaves the header in a form that is not compliant with RFC 6265 in two respects:
1. No space after the semicolon
2. A cookie with no value is sent without the equals sign

Conditions:
-- ASM Security Policy is used
-- Request includes an ASM cookie

Impact:
Some web servers may refuse to handle non-compliant Cookie headers, causing the application flow to break.

Workaround:
Disable the cookie stripping by modifying the DB variable as follows:
tmsh modify sys db asm.strip_asm_cookies value false
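To confirm whether a pool member is receiving such headers, the checker below tests Cookie header values against the RFC 6265 cookie-string grammar and reports the two deviations listed above. It is an added example, not F5 code; the function names are hypothetical and the sample headers are constructed.

```python
import re

# Grammar from RFC 6265: cookie-string = cookie-pair *( ";" SP cookie-pair ),
# cookie-pair = cookie-name "=" cookie-value (the value may be empty).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
OCTETS = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*"
COOKIE_PAIR = re.compile(rf'{TOKEN}=(?:"{OCTETS}"|{OCTETS})\Z')

# Constructed header lines, as they might be captured on the server side.
SAMPLE_HEADERS = [
    "Host: app.example.com",
    "Cookie: JSESSIONID=8f2c1a; theme=dark",
    "Cookie: JSESSIONID=8f2c1a;theme=dark",
    "Cookie: JSESSIONID=8f2c1a; optout",
    "Cookie: JSESSIONID=8f2c1a;optout",
]


def cookie_string_findings(cookie_string):
    """Return a list of (code, pair) deviations from the cookie-string grammar."""
    findings = []
    # Optional whitespace around the whole cookie-string is allowed.
    parts = cookie_string.strip(" \t").split(";")
    for index, part in enumerate(parts):
        if index > 0:
            # Every pair after the first must be preceded by exactly "; ".
            if part.startswith(" "):
                part = part[1:]
            else:
                findings.append(("no-space-after-semicolon", part))
        if "=" not in part:
            # A cookie without a value must still be sent as "name=".
            findings.append(("missing-equals", part))
        elif not COOKIE_PAIR.match(part):
            findings.append(("malformed-pair", part))
    return findings


def audit_headers(header_lines):
    """Return (line_number, findings) for each non-compliant Cookie header."""
    results = []
    for number, line in enumerate(header_lines, start=1):
        name, separator, value = line.partition(":")
        if separator and name.strip().lower() == "cookie":
            findings = cookie_string_findings(value)
            if findings:
                results.append((number, findings))
    return results


if __name__ == "__main__":
    for number, findings in audit_headers(SAMPLE_HEADERS):
        print(number, findings)
```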


780437-2 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.

Component: TMOS

Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.

As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.

The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.

Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.

Symptoms for this issue include:

-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.

-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.

-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):

qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img

qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img

-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one or more vCMP guests:

info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]

Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.

-- Large configuration with many guests.

-- The VIPRION chassis is rebooted.

-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.

Impact:
-- Loss of entire configuration on previously working vCMP guests.

-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.

-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.

Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.

If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.
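The symptom checks listed above can be combined into one pass over collected 'mount', 'lsof' and /var/log/ltm output from each host blade. This is an added example, not F5 tooling: the function names are hypothetical, the mount lines are constructed, and the log and lsof lines are the examples quoted above.

```python
import re

VDISK_DIR = "/shared/vmdisks"

# Matches the 'Creating VDisk' notice shown in the log example above.
CREATING = re.compile(
    r"vcmpd\[[^\]]*\]: 01510006:5: Guest \((?P<guest>[^)]+)\): "
    r"Creating VDisk \((?P<path>[^)]+)\)"
)

# Constructed 'mount' output; device names are placeholders.
MOUNT_AFFECTED = (
    "/dev/example-root on / type ext3 (rw)\n"
    "/dev/example-share on /shared type ext3 (rw)\n"
)
MOUNT_HEALTHY = MOUNT_AFFECTED + (
    "/dev/example-vmdisks on /shared/vmdisks type ext3 (rw)\n"
)

LTM_LOG = (
    "info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.\n"
    "notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk "
    "(/shared/vmdisks/s2g1.img)\n"
    "notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image "
    "(/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk "
    "(/shared/vmdisks/s2g1.img).\n"
)

LSOF_LINES = (
    "qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 "
    "/shared/vmdisks/s1g2.img\n"
    "qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 "
    "/shared/vmdisks/s2g1.img\n"
)


def is_mounted(mount_output, mount_point=VDISK_DIR):
    """True if 'mount' output lists mount_point as a mounted filesystem."""
    for line in mount_output.splitlines():
        fields = line.split()
        # Format: <device> on <mount point> type <fstype> (<options>)
        if len(fields) >= 3 and fields[1] == "on" and fields[2] == mount_point:
            return True
    return False


def recreated_vdisks(ltm_log):
    """Return (guest, path) for every 'Creating VDisk' notice in the log."""
    return [(m["guest"], m["path"]) for m in CREATING.finditer(ltm_log)]


def vdisk_devices(lsof_output):
    """Map each open virtual disk image to the DEVICE column lsof reports."""
    devices = {}
    for line in lsof_output.splitlines():
        fields = line.split()
        # Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
        if (len(fields) >= 9 and fields[4] == "REG"
                and fields[8].startswith(VDISK_DIR + "/")):
            devices[fields[8]] = fields[5]
    return devices


def mixed_devices(lsof_output):
    """True if images under /shared/vmdisks sit on more than one device."""
    return len(set(vdisk_devices(lsof_output).values())) > 1


def assess_blade(mount_output, ltm_log):
    """Summarise one blade; 'suspect' needs both symptoms together."""
    mounted = is_mounted(mount_output)
    recreated = recreated_vdisks(ltm_log)
    # Assumption: a 'Creating VDisk' notice alone can be a new guest deployment.
    return {
        "vmdisks_mounted": mounted,
        "recreated": recreated,
        "suspect": (not mounted) and bool(recreated),
    }


if __name__ == "__main__":
    print(assess_blade(MOUNT_AFFECTED, LTM_LOG))
    print("mixed devices:", mixed_devices(LSOF_LINES))
```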


779857-1 : Misleading GUI error when installing a new version in another partition

Component: TMOS

Symptoms:
While installing a new version in another partition, the GUI displays an error for a brief time:

'Install Status':Failed Troubleshooting

Conditions:
Install a new version in another partition.

Impact:
The GUI error is misleading: it shows the install status as 'Failed Troubleshooting' even though the installation is proceeding normally. Only the displayed status is incorrect; it does not indicate a problem with the installation.

Workaround:
If you click on the 'Troubleshooting' link on the GUI screen, the GUI indicates that it is actually installing properly without any error.


779793-2 : [LC] Error Message "Cannot modify the destination address of monitor" for destination * bigip_link monitor

Component: Global Traffic Manager (DNS)

Symptoms:
Using BIG-IP Link Controller (LC), every 10 seconds, the system logs messages similar to the following example:
-- err mcpd[5570]: 0107082c:3: Cannot modify the destination address of monitor /Common/_user_gslbMonitor_bigipLink_fast_60sec.
-- err mcpd[5570]: 01071488:3: Remote transaction for device group /Common/gtm to commit id 1 6681134264373087063 /Common/ELC002.kbn.mlit.go.jp 0 failed with error 0107082c:3: Cannot modify the destination address of monitor /Common/_user_gslbMonitor_bigipLink_fast_60sec..

Conditions:
-- A bigip_link monitor with destination * written in bigip_gtm.conf.
-- That monitor is associated with a link.
-- The following command is run on one of the sync group peers:
tmsh load /sys config gtm-only

Impact:
The LC system fails to load the configuration.

Workaround:
Run this command on the LC system that is logging the error message:
tmsh load /sys config gtm-only


779769-2 : [LC] [GUI] destination cannot be modified for bigip-link monitors

Component: Global Traffic Manager (DNS)

Symptoms:
The 'destination' for BIG-IP Link Controller (LC) bigip_link monitor cannot be modified through GUI.

Conditions:
Using the LC bigip_link monitor in the GUI.

Impact:
Cannot change 'destination' for LC bigip_link monitor through GUI.

Workaround:
Use tmsh.


779137-2 : Using a source address list for a virtual server does not preserve the destination address prefix

Component: Local Traffic Manager

Symptoms:
Configuring a network virtual server with a source address list causes the system to treat the virtual server as a host.

Conditions:
-- Configure a source address list on the virtual server.
-- Configure a network address for the destination of the virtual server (not an address list).

Impact:
Traffic does not flow to the virtual server as expected.

Workaround:
None.


778517-1 : Large number of in-TMM monitors results in delayed processing

Component: Local Traffic Manager

Symptoms:
Delayed monitor update; e.g., a monitor may continue to run after it is removed from a pool / member / node. Duplicate monitor instances may be created to a server after associating a monitor.

Conditions:
A large number of in-TMM monitors.

Impact:
Monitor target may appear down when responding correctly.
Monitor may continue to run after it is removed from a pool / member / node.
Increased monitoring load on server.

Workaround:
Disable in-tmm monitors.


778365-2 : dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service

Component: Global Traffic Manager (DNS)

Symptoms:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS. If a DNS service is running on the LDNS, RTT metrics are collected as expected. If there is no DNS service on the LDNS, no RTT metrics should be collected, but the BIG-IP system still populates the RTT values, giving users "false positive" results.

Conditions:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS and there is no DNS service running on the LDNS.

Impact:
RTT metrics are collected even though there is no response from the DNS service, giving users the wrong impression that there is one.


778317-1 : IKEv2 HA after Standby restart has race condition with config startup

Component: TMOS

Symptoms:
A restarted standby system can end up with missing SAs, if the high availability (HA) process that mirrors the SAs from persistent storage runs before the configuration of IPsec has completed.

Conditions:
The loss of mirrored SAs requires this sequence of events:
-- A system becomes standby after failover; then is restarted.
-- During restart, HA manages to run before IPsec configuration.
-- SAs unsupported by current config are lost despite mirroring.
-- After another failover, the newly active system is missing SAs.

Impact:
A tunnel outage can occur (until SAs are renegotiated) after failover, if the newly active system lost some mirrored SAs when it was restarted while still acting as the standby system.

The impact cannot be observed until standby becomes active, when the missing SAs require a new key negotiation.

Workaround:
None.


778225-3 : vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host

Component: Protocol Inspection

Symptoms:
Automatic hitless upgrade for protocol inspection fails on vCMP guests. This occurs because vCMP guests don't install the f5_api_com key and certificates.

Conditions:
After licensing a vCMP guest, there is no f5_api_com key or certificate (you can run key_cache_path and crt_cache_path to determine that).

Impact:
Hitless upgrade fails for protocol inspection and traffic classification on vCMP guests.

Workaround:
Install the hitless upgrade IM package manually.


777993-2 : Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same

Component: TMOS

Symptoms:
Egress TCP/UDP traffic with same L4 source port and destination port to an external trunk is pinned to one link only.

Conditions:
This happens on BIG-IP hardware platforms with a Broadcom switch chip, so BIG-IP 2000/4000 and i2000/i4000 series are not impacted.

Impact:
Performance degradation as only a portion of the trunk bandwidth is utilized.

Workaround:
None.


777937-3 : AWS ena: packet drops due to bad checksum

Component: Performance

Symptoms:
1. Lower throughput and tps
2. HA heartbeat getting dropped resulting in active-active configuration

Conditions:
AWS ena NIC is in use

Impact:
Performance degradation and invalid HA configuration

Workaround:
In BIG-IP, turn off checksum offloading on TX as follows:

modify sys db tm.tcpudptxchecksum value Software-only

Note that this workaround negatively affects NICs other than ena. Therefore, the workaround is recommended if ena is the only dataplane NIC in use in the BIG-IP.


777269-1 : Gratuitous ARP may be sent for self IPs from incorrect MAC address at startup

Component: Local Traffic Manager

Symptoms:
The Address Resolution Protocol is used to allow IP endpoints to advertise their L2 (Ethernet MAC) addresses, and to query their network peers to request needed associations. Typically, TMM will immediately broadcast an ARP announcing its IP-MAC association (sometimes called a "gratuitous" ARP), so that switches can begin directing traffic to the self-ip immediately.

When BIGIP-VE starts with interfaces provided by some hypervisors, it may not immediately know the MAC address assigned to the interface until several milliseconds after the interface is created. In these cases, the gratuitous ARP will contain the MAC address 00:98:76:54:32:10, which is a valid but incorrect MAC address.

Normally, this is harmless, because the correct MAC address is immediately announced once it is known. However, it may be possible for a L2 switch upstream from multiple BIGIP-VE instances to believe a L2 loop has developed, and block one or both ports through which it saw the gratuitous ARPs.

Conditions:
BIG-IP VE, version 13.0.0 or later, running with the virtio driver on an OpenStack-compatible hypervisor.

Impact:
If an upstream switch sees gratuitous ARPs from multiple downstream BIG-IP instances on the same L2 LAN, it might block connectivity to one or more ports through which the gratuitous ARPs are seen. The self IP may appear to have connectivity for some time after it comes up, before connectivity is blocked at the upstream switch.


777261-4 : When SNMP cannot locate a file it logs messages repeatedly

Component: TMOS

Symptoms:
When the SNMP daemon encounters an error while attempting to statfs a file, it logs an error message. If the file is not present, this error is logged repeatedly and can fill up the log file.

Conditions:
When an SNMP request causes the daemon to query a file on disk, a system error can occur. If the file is not present, the error is logged repeatedly.

Impact:
This can fill up the log with errors.


776489-2 : Remote authentication attempts to resolve only LDAP host against the first three name servers configured.

Component: TMOS

Symptoms:
'Login failed' is displayed on the BIG-IP system's login screen.

Conditions:
-- Remote authentication is enabled.
-- There are more than three name servers configured.

Impact:
Admins may not be able to log into the BIG-IP GUI with their admin user account if the first 3 configured DNS name servers are not reachable.

Workaround:
None.


776393-2 : Memory leak in restjavad causing restjavad to restart frequently with OOM

Component: TMOS

Symptoms:
restjavad restarts frequently (approximately every 5 minutes) due to OutOfMemory:Java heap space when it has no extra memory.

Conditions:
-- Dedicated SSLO deployed BIG-IP system.
-- No extra memory.
-- The configuration contains a large number of configuration items related to APM access-policies, APM policy-items, APM policy agents, LTM nodes, LTM rules, DNS Requests, sys application services, LTM data-groups, LTM profiles, security bot-defense profiles, and sys file ssl-certs.

Impact:
REST API intermittently unavailable.

Workaround:
Give restjavad extra memory. This is a two-step process.

1. Update memory allocated to restjavad using TMUI. System :: Resource Provisioning. The line for Management has a drop-down box for Small, Medium, or Large. The resulting sizes for restjavad are 192, 352, and 592, respectively. Set this to Large.

2. Run the following two commands, in sequence:
   tmsh modify sys db restjavad.useextramb value true
   bigstart restart restjavad


776229-2 : iRule 'pool' command no longer accepts pool members with ports that have a value of zero

Component: Local Traffic Manager

Symptoms:
Values of 0 (zero) are no longer accepted for pool member ports in iRule 'pool' commands. The system reports an error similar to the following in /var/log/ltm:

err tmm3[12179]: 01220001:3: TCL error: /Common/_user_script_member <CLIENT_ACCEPTED> - bad port in 'pool member <addr> <port>' cmd while executing "pool test_pool member 10.1.30.10 0"

Conditions:
-- Configure an iRule to use the 'pool' command to go to the pool member using a zero port in the CLIENT_ACCEPTED event.
-- Attach the iRule to the virtual server.
-- Run traffic through it.

Impact:
The iRule rejects traffic when the pool member's port number is 0.

Workaround:
Configure any iRule using the 'pool' command to go to a pool member using a non-0 port in the CLIENT_ACCEPTED event.


776073-1 : OOM killer killing tmm in system low memory condition as process OOM score is high

Component: TMOS

Symptoms:
When the BIG-IP system is running in a low-memory situation, the Out-Of-Memory killer is more likely to select tmm to kill in order to release resources.

Conditions:
BIG-IP version 13.0.x or later installed and system running with low memory.
Having AFM provisioned makes the tmm process more likely to be selected by the OOM killer.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Adjust OOM score of "tmm" process through oom_score_adj proc setting.

echo "-500" > /proc/<pid_of_tmm>/oom_score_adj


775897-1 : High Availability failover restarts tmipsecd when tmm connections are closed

Component: TMOS

Symptoms:
All security associations (SAs) can be deleted when tmipsecd restarts as a result of closing tmm connections during failover from active to standby.

Conditions:
When failover happens for high availability (HA), tmipsecd aims to close tmm connections when on standby, because tmm must connect instead to the daemon running in the active system. But a side effect of this restarts tmipsecd, resulting in deletion of all SAs when tmipsecd comes back up.

Impact:
tmipsecd restarts. All IPsec tunnels experience an interruption of service until new SAs are negotiated.

Workaround:
None.


775801-2 : [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener

Component: Global Traffic Manager (DNS)

Symptoms:
'Route Advertisement' is not enabled even if you check the checkbox.

Conditions:
Creating GTM listener using the GUI.

Impact:
'Route Advertisement' is not enabled.

Workaround:
After the listener is created, modify the listener in the GUI and check the checkbox for 'Route Advertisement', and save.


775733-1 : /etc/qkview_obfuscate.conf not synced across blades

Component: TMOS

Symptoms:
By default, sensitive data, such as SSL keys, are excluded from QKView files. However, in some cases you may want to include sensitive information in the QKView file, so it must be obfuscated for security purposes. (Note: For information on how to configure this feature, see K55559493: Obfuscating sensitive data in a QKView file :: https://support.f5.com/csp/article/K55559493.)

In high availability (HA) configurations, the /etc/qkview_obfuscate.conf file is not copied to secondary blades on chassis platforms during sync operations.

Conditions:
-- Run qkview.
-- Upload qkview file to iHealth.

Impact:
Potentially sensitive information could be uploaded to iHealth or F5 Support. This occurs because qkview acts differently if there is an obfuscate.conf on the active by automatically gathering the same information on the blades, but not obfuscating that sensitive data.

Workaround:
Manually copy /etc/qkview_obfuscate.conf to all blades.

Note: Do not upload sensitive data to iHealth or F5 Support. If you are obfuscating data, make sure to complete this step for every blade.


775621-2 : urldb memory grows past the expected ~3.5GB

Component: Access Policy Manager

Symptoms:
When using the categorization engine (urldb), memory may increase when real-time update databases are downloaded (once every ten minutes, as available).

Conditions:
-- SWG provisioned.
-- Using urldb.
-- Real-time database updates occurring.

Impact:
Memory increases, and if there is not enough room on the BIG-IP system, urldb can core.

Workaround:
None.


774941-1 : GUI misspelling in Bot Defense logging profile

Component: Application Security Manager

Symptoms:
There is a misspelling in the logging profile for Bot Defense: Log Requests by Classificaiton.

Conditions:
Go to Security :: Event Logs : Logging Profiles :: Logging Profile :: Bot Defense :: Request Log.

Impact:
GUI shows misspelled word. There is no functional impact to this issue.

Workaround:
None needed. This is a cosmetic issue only.


774633-2 : Memory leak in tmm when session db variables are not cleaned up

Component: Access Policy Manager

Symptoms:
There are some session db variables created as part of the split session proxy that have an indefinite timeout. If there is an error path or a failure with an inline service, the delete never gets called and these session keys build up over time, causing memory to leak in tmm.

Conditions:
SSLO setup with a service connector that fails.

Impact:
tmm eventually runs out of memory and generates a core file.

Workaround:
None.


774617-1 : SNMP daemon reports integer truncation error for values greater than 32 bits

Component: TMOS

Symptoms:
Some values sent to SNMP can grow too large over time, causing an integer truncation error.

Conditions:
Values greater than 32 bits sent to SNMP.

Impact:
SNMP values are truncated. An error message is logged in var/log/daemon.log:

err snmpd[20680]: truncating integer value > 32 bits

Workaround:
No current workaround.


774481-2 : DNS Virtual Server creation problem with Dependency List

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use the GUI to create virtual servers with dependent virtual server.

Conditions:
This occurs when creating a virtual server that contains a dependent virtual server.

Impact:
Cannot use the GUI to create the virtual server that contains a dependent virtual server in one step.

Workaround:
You can use either of the following workarounds:

-- Use tmsh;
-- Create the virtual server through GUI without dependent virtual server first and then edit the virtual server to add dependency.


774445-1 : BIG-IP VE does not pass traffic on ESXi 6.7 Update 2

Solution Article: K74921042

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.7 Update 2 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).

Conditions:
-- BIG-IP VE running on VMware ESXi 6.7 Update 2 (build number 13006603) hypervisor.
-- VMXNET 3 NICs.

Impact:
Traffic does not pass through non-mgmt interfaces.

Workaround:
You can use the following workarounds:

-- Until this issue is fixed in a Point-Release for your software branch, you can contact F5 Networks Technical Support to obtain an Engineering Hotfix to address the issue. This workaround allows TMM to continue to use the VMXNET3 driver, which is preferable.

-- On BIG-IP version 14.1.0, you can switch to the 'sock' driver.

-- On BIG-IP versions earlier than 14.1.0, you can switch to the 'unic' driver.

Note: The workarounds that switch driver must be applied individually to devices, as they do not synchronize via ConfigSync.

To switch driver:

1. Add a line to /config/tmm_init.tcl that reads 'device driver vendor_dev 15ad:07b0 DRIVER' (replacing DRIVER with 'unic' or 'sock', as appropriate). For example:

    echo "device driver vendor_dev 15ad:07b0 sock" >> /config/tmm_init.tcl

2. Restart tmm for the changes to take effect (restarting tmm disrupts traffic):

    bigstart restart tmm

3. After tmm restarts, confirm the driver in use by examining the output of:

    tmctl -d blade tmm/device_probed


774361-2 : IPsec High Availability sync during multiple failover via RFC6311 messages

Component: TMOS

Symptoms:
After multiple failover events, BIG-IP can fail to coordinate with a remote peer via RFC6311 protocol messages, whose content can present the wrong message IDs, which are also marshalled in host byte order instead of network byte order.

Conditions:
When active and standby systems failover multiple times, and a newly active system must sync IDs with the newly standby system before exchanging messages with a remote peer to synchronize expected ID sequences.

Impact:
IPsec tunnels experience a temporary outage until new security associations are negotiated.

Workaround:
No workaround is known at this time.


774261-1 : PVA client-side current connections stat does not decrease properly

Component: Local Traffic Manager

Symptoms:
When FTP is used with bigproto, the PVA client-side current connections stat does not decrease after connections are closed.

Conditions:
-- Use an FTP virtual server.
-- End user clients connect to the virtual server.

Impact:
An incorrect stat for client-side current connections will be reported for 'tmsh show sys pva-traffic global' and 'tmctl pva_stat'.

Example:

config # tmsh show sys pva-traffic global

-------------------------------------------------
Sys::PVA
-------------------------------------------------
PVA Traffic              ClientSide  ServerSide
  Bits In                     23.6K      219.7K
  Bits Out                   219.7K       23.6K
  Packets In                     40         335
  Packets Out                   335          40
  Current Connections           295           0 <-----
  Maximum Connections           296           8
  Total Connections             335          40

Miscellaneous
  Cur PVA Assist Conns            0
  Tot PVA Assist Conns          335
  HW Syncookies Generated         0
  HW Syncookies Detected          0

config # tmsh show sys conn all-properties

Really display 1000 connections? (y/n) y
Sys::Connections
Total records returned: 0 <--------- No connections; this is the correct state.

Workaround:
This issue does not occur when 'inherit parent profile' is enabled on the FTP profile used by the virtual server.


774225-3 : mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting

Component: Global Traffic Manager (DNS)

Symptoms:
mcpd is in a restart loop after creating an internal DNSSEC FIPS key on a secondary GTM while rebooting the primary DNSSEC key generator GTM (gtm.peerinfolocalid==0).

Conditions:
New DNSSEC internal FIPS key is created and assigned to DNSSEC zone when BIG-IP system with gtm.peerinfolocalid==0 is down.

Impact:
mcpd is in a restart loop.

Workaround:
For maintenance window operations, set DNSSEC peer leader to the unit that will remain UP while rebooting the primary key generator in sync group (gtm.peerinfolocalid==0).

# tmsh modify gtm global-settings general peer-leader <gtm-server-name>


After the reboot is complete, all devices are back up, and everything looks good in the configs, clear the peer-leader setting:

# tmsh modify gtm global-settings general peer-leader none


If there are two GTM units: GTM1 (having gtm.peerinfolocalid == 0), GTM2, and you are going to reboot GTM1, then before rebooting, run the following command to configure the DNSSEC peer-leader setting:

# tmsh modify gtm global-settings general peer-leader GTM2


After reboot, clear the peer-leader setting:

# tmsh modify gtm global-settings general peer-leader none


774213-1 : SWG session limits on SSLO deployments

Component: Access Policy Manager

Symptoms:
SWG session limits are enforced on SSLO deployments that enable Explicit proxy authentication.

Conditions:
-- SSLO with Explicit proxy authentication is deployed.
-- Many concurrent SSLO connections (beyond the SWG session limit).

Impact:
SSLO fails to connect when the SWG session limit is reached.

Workaround:
None.


773925-2 : Sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB tables files

Component: Application Visibility and Reporting

Symptoms:
For unknown reasons, sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB table files. MySQL starts reporting error 24 in its error log:

190228 8:21:17 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_FW_NAT_TRANS_DEST_H.frm' (errno: 24)
190228 8:45:36 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_ASM_NETWORK_T.frm' (errno: 24)
190228 9:12:22 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_ASM_NETWORK_T.frm' (errno: 24)

Conditions:
-- Statistics are collected locally on the BIG-IP system (that is, the BIG-IP system is not associated with a BIG-IQ device).
-- There is a considerable amount of traffic.

Impact:
Statistic reports stop working. In some cases DB becomes corrupted.

Workaround:
In /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter from 2500 to 5000.
2. Add the following parameter (right after 'open_files_limit'):
   table_open_cache=2000
3. Restart MySQL:
   bigstart restart mysql

Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
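
Because the workaround has to be reapplied after every upgrade, an idempotent form of steps 1 and 2 is useful. The following is an added example, not F5 code: the helper names, the constructed sample file, and the choice to leave an existing table_open_cache line or a limit already at or above 5000 untouched are assumptions.

```shell
#!/bin/bash
# Added example (not F5 code): apply the my.cnf changes from the workaround
# idempotently. Helper names and the sample file are assumptions.

# Print the value of KEY in FILE (last occurrence wins, whitespace stripped).
mycnf_value() {
    awk -F= -v k="$2" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { val = $2; gsub(/[ \t]/, "", val); out = val }
        END { print out }' "$1"
}

# Constructed sample; the real /etc/my.cnf on a BIG-IP system has more settings.
write_sample_mycnf() {
    cat > "$1" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
open_files_limit = 2500
max_connections=100
EOF
}

# Raise open_files_limit to 5000 and add table_open_cache=2000 right after it.
# Returns 0 when FILE ends up compliant (changed or already so), 2 on a usage
# or I/O error, 3 when FILE has no open_files_limit line to anchor on.
apply_avr_mysql_limits() {
    am_file=$1
    [ -f "$am_file" ] || { echo "no such file: $am_file" >&2; return 2; }
    am_have_cache=0
    if grep -Eq '^[[:space:]]*table_open_cache[[:space:]]*=' "$am_file"; then
        am_have_cache=1                 # assumption: an existing line is left alone
    fi
    am_tmp=$(mktemp) || return 2
    awk -v have_cache="$am_have_cache" '
        /^[ \t]*open_files_limit[ \t]*=/ {
            split($0, kv, "=")
            if (kv[2] + 0 < 5000) {
                print "open_files_limit=5000"
            } else {
                print                   # already at or above 5000: keep as is
            }
            if (!have_cache && !added) {
                print "table_open_cache=2000"
                added = 1
            }
            found = 1
            next
        }
        { print }
        END { exit (found ? 0 : 3) }
    ' "$am_file" > "$am_tmp" || { am_rc=$?; rm -f "$am_tmp"; return "$am_rc"; }
    if cmp -s "$am_file" "$am_tmp"; then
        rm -f "$am_tmp"
        return 0                        # no change needed; backup untouched
    fi
    cp -p -- "$am_file" "$am_file.bak" || { rm -f "$am_tmp"; return 2; }
    cat "$am_tmp" > "$am_file" || { rm -f "$am_tmp"; return 2; }   # keeps owner and mode
    rm -f "$am_tmp"
    echo "updated $am_file; restart MySQL with: bigstart restart mysql" >&2
}

# Run with --demo to see the edit applied to the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    write_sample_mycnf "$demo_dir/my.cnf"
    apply_avr_mysql_limits "$demo_dir/my.cnf" && cat "$demo_dir/my.cnf"
    rm -rf "$demo_dir"
fi
```

The function does not restart MySQL itself; step 3 of the workaround is left to the operator.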


773821-1 : Certain plaintext traffic may cause SSLO to hang

Component: Local Traffic Manager

Symptoms:
SSLO relies on SSL hudfilter to detect non-SSL traffic; but certain plaintext can be mistaken as SSL traffic, which can cause a hang.

Conditions:
Initial plaintext traffic resembles an SSLv2 hello message or has too few bytes for SSL to process.

Impact:
SSLO hangs, unable to bypass traffic.

Workaround:
None.


773677-1 : BIG-IP 14.1.0 system-journald write to /run/log/journal cause SWAP usage increase

Solution Article: K72255850

Component: TMOS

Symptoms:
The system-journald process writes to temporary storage /run/log/journal when storage mode is set to 'auto'. The persistent directory /var/log/journal that controls where the log goes (temporary or persistent memory) is usually created during BIG-IP system reboot. In some cases, /var/log/journal is not created. In the absence of this, system-journald writes to temporary storage /run/log/journal.

Conditions:
BIG-IP upgraded from versions prior to v14.1.0 to version 14.1.0 or higher.

Impact:
Because it writes to temporary memory, system SWAP memory usage increases, which impacts overall system performance and may result in the kernel out-of-memory killer running and killing system processes.

Workaround:
1. Create system-journald persistent log directory manually:

mkdir /var/log/journal
chown root:systemd-journal /var/log/journal
chmod 2755 /var/log/journal
chcon system_u:object_r:var_log_t:s0 /var/log/journal

2. Reboot the system.


773577-2 : SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted

Component: TMOS

Symptoms:
On an SNMPv3 configuration, when a security-name and a username are the same but have different passwords, traps are not properly crafted.

Conditions:
security-name is the same as an SNMPv3 username.

Impact:
SNMP traps cannot be decoded.

Workaround:
Delete or rename user.


773553-2 : ASM JSON parser false positive.

Component: Application Security Manager

Symptoms:
False positive JSON malformed violation.

Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.

Impact:
HTTP request is blocked or an alarm is raised.

Workaround:
There is no workaround other than disabling the JSON profile.


773421-1 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied

Component: Local Traffic Manager

Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.

Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).

-- OneConnect is applied.

-- proxy-mss is enabled (the default value starting in v12.0.0).

Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.

Workaround:
Disable proxy-mss in the configured TCP profile.


773333-2 : IPsec CLI help missing encryption algorithm descriptions

Component: TMOS

Symptoms:
Encryption algorithm descriptions are not listed in the IPsec CLI help.

Conditions:
LTM licensed on the BIG-IP.

Impact:
Unable to view the help.

Workaround:
None. The actual command line help should be:

(/Common)(tmos)# create net ipsec ike-peer test version add { v2 } phase1-encrypt-algorithm ?

Specifies the encryption algorithm used for the isakmp phase 1 negotiation. This directive must be defined. Possible value is one of following:
3des, aes128, aes192, aes256, blowfish, camellia, cast128, des

Note: The values blowfish, cast128, and camellia are v1 only.


773253-3 : The BIG-IP may send VLAN failsafe probes from a disabled blade

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends multicast ping from a disabled blade. tmm core

Conditions:
-- There is one or more blades disabled on the VIPRION platform.
-- VLAN failsafe is enabled on one or more VLANs.
-- The VLAN failsafe-action is set to 'failover'.
-- There is more than one blade installed in the chassis or vCMP guest.

Impact:
The BIG-IP system sends unexpected multicast ping requests from a disabled blade.

Workaround:
To mitigate this issue, restart tmm on the disabled blade. This causes tmm to stop sending the multicast traffic.

Impact of workaround: Traffic disrupted while tmm restarts.


773229-2 : Replacing a virtual server's FastL4 profile can cause traffic to fail in specific circumstances

Component: Local Traffic Manager

Symptoms:
If a virtual server starts with a FastL4 profile with an idle_timeout of zero, and this profile is then replaced with one that has a non-zero idle_timeout, it can cause traffic to fail with a 'No flow found for ACK' error in the RST packet (if DB variable tm.rstcause.pkt is enabled) or logged (if DB variable tm.rstcause.log is enabled).

Conditions:
-- There is a virtual server configured with a FastL4 profile with an idle-timeout setting of zero ('immediate').
-- The FastL4 profile is replaced with one that has a non-zero idle-timeout setting.

Impact:
Traffic no longer passes through the virtual server properly.

Workaround:
To avoid this issue, if you need to change the FastL4 profile in this manner, delete and recreate the entire virtual server rather than replace the profile.

Impact of workaround: This results in a traffic disruption for that virtual server.

If the issue has already occurred, the only way to recover is to restart TMM.

Impact of workaround: This also results in a traffic disruption, this time a general one.


773173-1 : LTM Policy GUI is not working properly

Component: TMOS

Symptoms:
The GUI is not displaying LTM policies created with a rule in which log criteria is 'action when the traffic is matched'.

Also, some of the Actions disappear while adding multiple actions in a rule.

Using tmsh shows the policies created in the GUI.

Conditions:
From the GUI, create LTM policies with a rule in which log criteria is 'action when the traffic is matched'.

Impact:
GUI is not displaying LTM policies created with log as action in rule.

Workaround:
Use tmsh.


772497-5 : When BIG-IP is configured to use a proxy server, updatecheck fails

Component: TMOS

Symptoms:
Executing Update Check fails when run on a BIG-IP system that is behind a proxy server.

Conditions:
-- A proxy server is configured on the BIG-IP system using proxy.host db variable (and associated port, protocol, etc.).
-- You run Update Check.

Impact:
The Update Check fails to connect because the script resolves the IP address prior to sending the request to the proxy server.

Workaround:
You can use either of the following workarounds:

I
=======
Modify the /usr/bin/updatecheck script to not resolve the service ip for callhome.f5.com. To do so, remove the script text 'PeerAddr => $service_ip,' from lines 336,337:

1. Locate the following section in the script:
 @LWP::Protocol::http::EXTRA_SOCK_OPTS = ( PeerAddr => $service_ip,
     SSL_hostname => $service_name,

2. Update the script to remove the content 'PeerAddr => $service_ip,', so that it looks like the following example:
 @LWP::Protocol::http::EXTRA_SOCK_OPTS = ( SSL_hostname => $service_name,


II
=======
As an alternative, use a sed command, as follows:
1. Remount /usr as rw.
2. Run the following command:
 # sed -e 's/PeerAddr => \$service_ip,//' -i /usr/bin/updatecheck
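
The sed edit from workaround II, as an added example that is not part of the original notes or of F5's script: it runs against a constructed excerpt so the quoting can be checked before /usr/bin/updatecheck is touched. The helper names and the sample file are assumptions; the expression is single-quoted because inside double quotes the shell expands $service_ip before sed sees it, and the pattern then matches nothing.

```shell
#!/bin/bash
# Added example (not F5 code): remove 'PeerAddr => $service_ip,' from a script
# file and verify the edit. Helper names and the sample excerpt are assumptions.

# Literal text to remove. Single quotes stop the shell expanding $service_ip.
PEERADDR_TEXT='PeerAddr => $service_ip,'

# What sed receives when the expression is double-quoted and service_ip is
# unset in the calling shell: the variable expands to nothing.
double_quoted_expr() {
    ( unset service_ip; echo "s/PeerAddr => $service_ip,//" )
}

# Number of lines containing the literal text (grep -F: fixed string match).
count_peeraddr() {
    grep -cF -- "$PEERADDR_TEXT" "$1" || true
}

# Constructed excerpt modelled on the two lines quoted in workaround I.
write_sample_script() {
    cat > "$1" <<'EOF'
 @LWP::Protocol::http::EXTRA_SOCK_OPTS = ( PeerAddr => $service_ip,
     SSL_hostname => $service_name,
EOF
}

# Edit FILE in place, keeping FILE.orig for rollback.
# Returns 0 if the text is gone afterwards, 1 if the edit did not apply
# cleanly, 2 on a usage or I/O error.
strip_peeraddr() {
    sp_file=$1
    [ -f "$sp_file" ] || { echo "no such file: $sp_file" >&2; return 2; }
    if [ "$(count_peeraddr "$sp_file")" -eq 0 ]; then
        return 0                        # nothing to do; safe to re-run
    fi
    cp -p -- "$sp_file" "$sp_file.orig" || return 2
    sp_tmp=$(mktemp) || return 2
    # \$ keeps the dollar sign literal for sed as well as for the shell.
    sed -e 's/PeerAddr => \$service_ip,//' "$sp_file" > "$sp_tmp" \
        || { rm -f "$sp_tmp"; return 2; }
    cat "$sp_tmp" > "$sp_file" || { rm -f "$sp_tmp"; return 2; }   # keeps owner and mode
    rm -f "$sp_tmp"
    [ "$(count_peeraddr "$sp_file")" -eq 0 ] || return 1
    # The SSL_hostname option on the following line must be untouched.
    grep -qF 'SSL_hostname => $service_name,' "$sp_file" || return 1
}

# Run with --demo to see both behaviours on the constructed excerpt.
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    write_sample_script "$demo_dir/updatecheck"
    echo "double-quoted expression seen by sed: $(double_quoted_expr)"
    strip_peeraddr "$demo_dir/updatecheck" && cat "$demo_dir/updatecheck"
    rm -rf "$demo_dir"
fi
```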


772473-3 : Request reconstruct issue after challenge

Component: Application Security Manager

Symptoms:
False positive on Content-Type header in GET request.

Conditions:
After challenge is completed, the server responds to the reconstructed request with a 302-redirect.

Impact:
The BIG-IP adds to the next request (GET request) a Content-Type header.

Workaround:
There is no workaround at this time.


772297-2 : LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade

Component: Local Traffic Manager

Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface are reset to default.

Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.

Impact:
LLDP-related options under 'tmsh net interface' for that secondary blade are reset to default.

Workaround:
Run 'tmsh load sys config' on the primary blade, and the LLDP-settings will reapply to the interfaces.


772233-3 : IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.

Component: Global Traffic Manager (DNS)

Symptoms:
When probing DNS Path, the metric round trip time (RTT) is not set correctly if the collection protocols used are DNS_DOT or DNS_REV.

The problem occurs only if the Path involves an IPv6 address; IPv4 address works fine.

Conditions:
-- Path involves IPv6 addresses.
-- Collection protocol used is either DNS_DOT or DNS_REV.

Impact:
RTT metric is not set at all.

Workaround:
Use the ICMP collection protocol instead.


772165-1 : Sync Failed due to Bot Defense profile not found

Component: Application Security Manager

Symptoms:
A sync failure might happen in a sync-failover device group after manually editing the /config/bigip.conf file and removing the Bot Defense profiles, and then performing a config sync.

The system reports a sync error message similar to this:
FODG (Sync Failed): A validation error occurred while syncing to a remote device.
 - Sync error on device-b: Load failed from /Common/device-a 01020036:3: The requested profile (/Common/bot-defense-device-id-generate-before-access) was not found.
 - Recommended action: Review the error message and determine corrective action on the device.

Conditions:
Manually editing the /config/bigip.conf file and removing the Bot Defense profile, then loading the config, and performing a config sync.

Impact:
Sync failure.

Workaround:
Reload the config from the receiving device, and then perform a force sync in the opposite direction, overriding the previous changes. This should bring the system back in sync.


771173-3 : FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.

Component: Advanced Firewall Manager

Symptoms:
The system does not roll forward the FastL4 profile syn-cookie-enable attribute after upgrading from 12.x to 13.x and beyond.

Conditions:
This happens when upgrading from 12.x to 13.x and beyond.

Impact:
If syn cookies are explicitly disabled on a FastL4 profile prior to upgrading, they may be enabled.

Workaround:
You can fix the configuration by modifying it manually after upgrading.

In tmsh:
tmsh modify ltm profile fastl4 <profile_name> syn-cookie-enable <enabled|disabled>


771025-3 : AVR send domain names as an aggregate

Component: Application Visibility and Reporting

Symptoms:
AVR sends domain name as an aggregate of a number of domain names.

Conditions:
-- AVR receives more than the number of domain names it can handle.
-- After AVR gets DNS calls with different domain names, it no longer clears the domain name.
-- When AVR receives the maximum number of total domain names, it starts to aggregate all the new domain names.

Impact:
Cannot see the correct domain name.

Workaround:
None.


770989 : Observed '/shared/lib/rpm' RPM database corruption on B4450 blades installing 14.1.x.

Component: TMOS

Symptoms:
f5optics installation can fail with RPM database corruption on B4450 blades when installing 14.1.x.

Conditions:
-- Using B4450 blades.

-- Clean install (i.e., a completely new installation) of 14.1.0 from either an external drive or PXE without taking over license:

image2disk --format=volumes --nosaveconfig --nosavelicense http://172.24.100.100/install/14.1.0/

Impact:
-- After 14.1.0 boots up, when you check /shared/lib/rpm RPM database (by running the command: /opt/bin/rpm --dbpath /shared/lib/rpm -qa), you see errors if the RPM database had already been corrupted.

   + rpmdb: /shared/lib/rpm/Name: unexpected file type or format.
   + error: cannot open Name index using db3 - Invalid argument (22).

-- No default f5optics package is reported when running the command: tmsh show net f5optics. No f5optics package is present in the /shared/f5optics/images/ directory (the /shared/f5optics/images/ directory itself is not even created).

Due to corruption of '/shared/lib/rpm' RPM database, additional component 'f5optics' installation can fail with RPM error. Other components such as geoip or epsec might also be affected due to corrupted '/shared/lib/rpm' RPM database.

Workaround:
Remove the RPM database and manually install the f5_optics RPM package.

Steps
=====
1. Remove corrupted RPM database:
   # rm -rf /shared/lib/rpm/
2. Mount f5optics image for f5optics rpms:
   # mount -o ro,loop /var/f5optics/images/f5optics-1.0.0-51.0.im /mnt
3. Manually install f5optics rpms:
   # /opt/bin/rpm -ivh /mnt/f5optics-1.0.0-51.0.x86_64.rpm --root /shared --dbpath /lib/rpm
   # /opt/bin/rpm -ivh /mnt/f5optics-1.0.0-51.0.i686.rpm --root /shared --dbpath /lib/rpm
4. Unmount f5optics image:
   # umount /mnt/


770953 : 'smbclient' executable does not work

Component: TMOS

Symptoms:
Service Message Block (SMB) monitor is not functional.

Conditions:
This occurs under all conditions.

Impact:
SMB monitors fail. This occurs because the 'smbclient' executable is not functional.

Workaround:
None.


770477-2 : SSL aborted when client_hello includes both renegotiation info extension and SCSV

Component: Local Traffic Manager

Symptoms:
Client SSL reports an error and terminates handshake.

Conditions:
The initial client_hello message includes both signaling mechanisms for secure renegotiation: an empty renegotiation_info extension and TLS_EMPTY_RENEGOTIATION_INFO_SCSV.

Impact:
Unable to connect with SSL.

Workaround:
None.
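
To identify which clients send the combination described in 770477, the following added example (not F5 code) parses a captured initial ClientHello and reports whether it carries both RFC 5746 signals. It assumes the ClientHello fits in a single TLS record; the function names and the sample records are constructed for illustration.

```python
import struct

SCSV = 0x00FF                    # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
EXT_RENEGOTIATION_INFO = 0xFF01  # renegotiation_info extension type (RFC 5746)


class Reader:
    """Bounds-checked cursor over a byte string."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

    def vector(self, len_bytes):
        """Read a vector whose length prefix is len_bytes wide."""
        return self.take(self.uint(len_bytes))

    def remaining(self):
        return len(self.data) - self.pos


def renegotiation_signals(record):
    """Report which secure-renegotiation signals a ClientHello record carries."""
    rec = Reader(record)
    if rec.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    rec.take(2)                       # record-layer version
    hs = Reader(rec.vector(2))
    if hs.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    body = Reader(hs.vector(3))
    body.take(2 + 32)                 # client_version + random
    body.vector(1)                    # session_id
    suites = body.vector(2)
    if len(suites) % 2:
        raise ValueError("odd cipher_suites length")
    body.vector(1)                    # compression_methods
    has_scsv = any(
        int.from_bytes(suites[i:i + 2], "big") == SCSV
        for i in range(0, len(suites), 2)
    )
    has_ext = empty_ext = False
    if body.remaining():              # the extensions block is optional
        exts = Reader(body.vector(2))
        while exts.remaining():
            ext_type, ext_data = exts.uint(2), exts.vector(2)
            if ext_type == EXT_RENEGOTIATION_INFO:
                has_ext = True
                # Initial handshake: renegotiated_connection has length zero.
                empty_ext = ext_data == b"\x00"
    return {
        "scsv": has_scsv,
        "renegotiation_info": has_ext,
        "both_signals": has_scsv and empty_ext,  # the 770477 condition
    }


def build_client_hello(cipher_suites, extensions):
    """Build a minimal ClientHello record (constructed test input only)."""
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        b"\x03\x03" + bytes(32) + b"\x00"          # version, random, no session
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                              # null compression only
    )
    if extensions:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed sample: SCSV in the suite list plus an empty extension.
    groups = (0x000A, b"\x00\x02\x00\x17")
    hello = build_client_hello([0xC02F, SCSV], [groups, (0xFF01, b"\x00")])
    print(renegotiation_signals(hello))
```

Feed it the raw bytes of the first client-to-server record from a packet capture; a result with both_signals set marks a client that meets the condition listed above.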


769997-1 : ASM removes double quotation characters on cookies

Component: Application Security Manager

Symptoms:
ASM removes the double quotation characters on the cookie.

Conditions:
Cookie sent that contains double quotation marks.

Impact:
The server returns an error because the cookie is changed by ASM.

Workaround:
Set asm.strip_asm_cookies to false using the following command:

tmsh modify sys db asm.strip_asm_cookies value false


769981-2 : bd crashes in a specific scenario

Component: Application Security Manager

Symptoms:
bd crash with a core file.

Conditions:
-- XML profile with schema validation is attached to a security policy.

-- The bd.log shows out-of-memory messages relating to XML.

Impact:
Failover; traffic disruption.

Workaround:
Increase the memory XML uses by using the internal parameters total_xml_memory and/or additional_xml_memory_in_mb. For more information, see K10803: Customizing the amount of memory allocated to the BIG-IP ASM XML processing engine available at https://support.f5.com/csp/article/K10803


769809-4 : vCMP guests 'INOPERATIVE' after upgrade

Component: TMOS

Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests reports INOPERATIVE.

Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.

Impact:
vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.

Workaround:
None.


769801-1 : Internal tmm UDP filter does not set checksum

Component: Local Traffic Manager

Symptoms:
An internal tmm UDP filter does not set checksum for outgoing UDP packets.

Conditions:
-- An internal tmm UDP filter is in use.

Impact:
Even though a UDP packet with no checksum is permitted, it could cause some problems with some firewalls/servers.

Workaround:
For internal tmm udp filters, add the following to the UDP profile in use:

no_cksum 0


769385-1 : GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message

Component: Global Traffic Manager (DNS)

Symptoms:
GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message:

err mcpd[7649]: error: crypto codec New token is smaller with added values.

Conditions:
Two or more GTM devices with internal FIPS modules are configured with DNSSEC keys with 'use-fips internal' set, and GTM config sync between the devices is configured and enabled.

Impact:
DNSSEC keys are not imported into the FIPS cards of devices that receive the key via a synchronization from another device.

Workaround:
None.


769341-1 : HA failover deletes outstanding IKEv2 SAs along with IKEv1 SAs

Component: TMOS

Symptoms:
High availability (HA) failover from active to next-active device should delete existing IKEv1 SAs because the IKEv1 racoon daemon terminates on standby. But it should not also delete the IKEv2 SAs at the same time, and it does.

Conditions:
This occurs during failover.

Impact:
This deletes IKEv2 SAs mirrored for HA. In the event of rapid failover and failback, this issue might result in missing SAs on the active device.

Workaround:
None.


769309-2 : DB monitor reconnects to server on every probe when count = 0

Component: Local Traffic Manager

Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.

Conditions:
This occurs when one of the LTM mssql, mysql, oracle or postgresql monitor types is configured with the default 'count' value of 0 (zero).

Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.

Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.


769169-3 : BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring

Component: TMOS

Symptoms:
BIG-IQ sends a lot of requests to the BIG-IP system to collect stats. This makes the BIG-IP system slow, and eventually the GUI becomes unresponsive.

Conditions:
-- BIG-IQ monitoring a large BIG-IP configuration.
-- With a very large number of requests, and with resource-expensive requests.

Impact:
ICRD requests wait longer in the ICRD queue, which can make the BIG-IP system become unresponsive. Policy Creation, Device Overview, and stats pages take more time to respond, and eventually, the GUI becomes unresponsive on these three pages.

Many 'process terminated/re-created' messages appear in the restjavad logs.

Workaround:
Remove the BIG-IP device from the BIG-IQ and restart mcpd.


769145-2 : Syncookie threshold warning is logged when the threshold is disabled

Component: TMOS

Symptoms:
Setting connection.syncookies.threshold to zero disables the threshold, but the system still reports log messages similar to:

warning tmm3[18189]: 01010055:4: Syncookie embryonic connection counter 38 exceeded sys threshold 0

Conditions:
Setting connection.syncookies.threshold to zero.

Impact:
Warnings that do not provide valid information. If the threshold value is a non-zero value, it does indicate an issue. However, this message is benign when the end of the message reads 'exceeded sys threshold 0'.

Workaround:
None.


769029-1 : Non-admin users fail to create tmp dir under /var/system/tmp/tmsh

Component: TMOS

Symptoms:
The cron.daily/tmpwatch script deletes the /var/system/tmp/tmsh directory. After some time, the tmsh directory is created again as part of another cron job.

During the interval, if a non-admin user accesses tmsh, tmsh creates the /tmp/tmsh directory with that user's permissions, which creates issues for subsequent non-admin user logons.

Conditions:
Try to access the tmsh from non-admin users when /var/system/tmp/tmsh is deleted.

Impact:
The first non-admin user can access tmsh. Other, subsequent non-admin users receive the following error:

01420006:3: Can't create temp directory, /var/system/tmp/tmsh/SKrmSB, errno 13] Permission denied.

After some time this /var/system/tmp/tmsh permission is updated automatically.

Workaround:
To keep the script from removing the tmsh directory while still deleting 1-day old tmp files under /var/system/tmp/tmsh, update the last line of /etc/cron.daily/tmpwatch as follows:

tmpwatch --nodirs 1d /var/system/tmp


768025-4 : SAML requests/responses fail with "failed to find certificate"

Component: Access Policy Manager

Symptoms:
BIG-IP as SP and BIG-IP as IdP fail to generate signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after the certificate that is used for signing is modified.

Conditions:
The certificate used for signing SAML requests/responses or SAML SLO requests/responses is modified or re-imported.

Impact:
When this issue occurs, SAML services are impacted when BIG-IP is configured as SP or IdP. Subsequent SAML/SAML SLO requests/responses fail with the error 'failed to find certificate'.

-- When BIG-IP is configured as IdP, then SAML Authentication fails and SAML/SAML SLO services do not work.

-- When BIG-IP is configured as SP, resources that need SAML Authentication cannot be accessed. Also, SAML SLO service does not work.

Workaround:
-- When BIG-IP as IdP is affected, configure a different certificate associated with SAML IdP configuration that is used for signing, change it back to the original certificate, and then apply the policy.

-- Similarly, when BIG-IP as SP is affected, configure a different certificate associated with SAML SP configuration that is used for signing, change it back to the original certificate, and then apply the policy.


767877-3 : TMM core with Bandwidth Control on flows egressing on a VLAN group

Component: TMOS

Symptoms:
TMM cores during operation.

Conditions:
Known condition:
1. BWC attached to serverside connflow
2. Serverside traffic traversing/egressing VLAN group

Impact:
Traffic disrupted while tmm restarts.


767737-2 : Timing issues during startup may make an HA peer stay in the inoperative state

Component: TMOS

Symptoms:
When two BIG-IP systems are paired, it is possible during startup for the network connection to be made too early during the boot sequence. This may leave a peer in the inoperative state.

Conditions:
This is a timing-related issue that might occur during boot up of high availability (HA) peers.

Impact:
An HA peer does not become ACTIVE when it should.

Workaround:
None.


767689-1 : f5optics_install using different versions of RPM

Component: TMOS

Symptoms:
Symptoms have only been observed in one case: a bare metal install to BIG-IP 14.1.0. In this case, messages indicate that the RPM database under /shared is corrupted.

Conditions:
Bare metal installation via PXE boot or USB install.

Impact:
The /shared/lib/rpm database needs to be recreated and f5optics manually installed.

Workaround:
Recreate the /shared/lib/rpm database and manually install f5optics.


767305-2 : If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried

Component: TMOS

Symptoms:
Upon querying a sysTmmStat* SNMP OID (for example, sysTmmStatTmUsageRatio5s), you find your SNMP client returns an error message similar to the following example:

No Such Instance currently exists at this OID

The very next time you query that same SNMP OID (or any other sysTmmStat* SNMP OID), you find they all work as expected and return the correct result.

Conditions:
This issue occurs after restarting only the mcpd daemon, i.e., running bigstart restart mcpd.

Impact:
All sysTmmStat* SNMP OIDs do not work until one of them is queried at least once, and the query is allowed to fail. After that, all sysTmmStat* SNMP OIDs work as expected.

Workaround:
Restart all services together, i.e., running the command: bigstart restart.

Should the mcpd daemon happen to be restarted on its own, you can simply ignore the error message and allow your SNMP polling station to fail a single polling cycle.

If you want to ensure that this issue does not occur, for example, so that your SNMP polling station does not generate unnecessary alarms, do not restart the mcpd daemon on its own, but rather restart all services together by running the following command:

bigstart restart


767217-2 : Under certain conditions when deleting an iRule, an incorrect dependency error is seen

Component: Local Traffic Manager

Symptoms:
If an iRule is being referenced by another iRule, and the reference is then removed, attempts to delete the formerly referenced iRule will result in an error similar to the following:

01070265:3: The rule (/Common/irule1) cannot be deleted because it is in use by a rule (/Common/irule2).

Conditions:
-- An iRule referencing another iRule.
-- The referencing iRule is in use.

Impact:
Unable to delete the iRule.

Workaround:
Save and re-load the configuration.


767013-3 : Reboot when B2150 and B2250 blades' HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch

Component: TMOS

Symptoms:
In a rare scenario, the HSB sends a large number of continuous pause frames to the Broadcom switch, which indicates that the HSB is in a bad state.

Conditions:
This happens when there is heavy traffic load on VIPRION B2150 and B2250 blades. The root cause is still under investigation. It happens extremely rarely.

Impact:
Reboot the BIG-IP system.

Workaround:
None.


767009 : Halting the host does not power off the host

Component: TMOS

Symptoms:
Beginning with versions v12.x, issuing a 'halt' command should halt the operating system of the BIG-IP host subsystem, and power the host subsystem off as well. However, v14.1.x seems to be an exception: v14.1.x systems do not power off after the 'halt' command runs.

Conditions:
Issue the halt command:
#halt

Impact:
The host system does not power down.

Workaround:
To recover system after issuing the 'halt' command:

AOM Command Menu:
R --- Reset host subsystem


766873 : Omission of lower-layer types from sFlow packet samples

Component: TMOS

Symptoms:
The packet samples transmitted from BIG-IP to an sFlow receiver may contain only 'http' samples, with no 'vlan' or 'interface' FLOW samples appearing. sFlow will continue to transmit CNTR (counter) telemetry packets.

Conditions:
When the BIG-IP system is configured with one or more sFlow receivers, with non-zero sampling-rate configured for 'vlan' or 'interface' types.

Impact:
External network-monitoring or management systems, which may depend on sFlow packet samples from BIG-IP systems and from other equipment, are unable to properly characterize the flow of data throughout the network.

Workaround:
None.


766593-1 : RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20

Component: Local Traffic Manager

Symptoms:
RESOLV::lookup returns an empty string.

Conditions:
The input bytes array has a length of 4, 16, or 20.

For example:
[RESOLV::lookup @dnsserveraddress -a [binary format a* $host1.d1test.com]]

Impact:
RESOLV::lookup returns an empty string.

Workaround:
Use lindex 0 to get the first element of the array.

For example:
[RESOLV::lookup @dnsserveraddress -a [lindex [binary format a* $host1.d1test.com] 0]]


766405-2 : MRF SIP ALG with SNAT: Fix for potential crash on next-active device

Component: Service Provider

Symptoms:
The next active device may crash with a core when attempting to create media flows.

Conditions:
The names for the LSN pool and router profile are longer than expected.

Impact:
The TMM on the next active device may core. Traffic disrupted while tmm restarts; if the next-active device was not carrying traffic for a traffic group, traffic is not disrupted.

Workaround:
None.


766329-2 : SCTP connections do not reflect some SCTP profile settings

Component: TMOS

Symptoms:
The effective receive-chunks, transmit-chunks, in-streams, and out-streams parameters in SCTP traffic do not match the settings from the configured SCTP profile:
  -- receive-chunks alters the out-streams parameter.
  -- transmit-chunks alters the in-streams parameter.
  -- The receive-chunks parameter cannot be altered from the default.
  -- The transmit-chunks parameter cannot be altered from the default.

Conditions:
An SCTP virtual server is configured.

Impact:
Unexpected SCTP parameters are negotiated on SCTP connections.

Workaround:
None.


766293-1 : Monitor logging fails on v14.1.0.x releases

Component: Local Traffic Manager

Symptoms:
With a fresh install of v14.1.0.x, when you attempt to enable monitor logging for a node or pool member, an error message appears in /var/log/ltm. Also, the log file that should be created is not created.

This behavior is due to SELinux changes. /var/log/auditd/audit.log shows the SELinux violation logs.

System reports messages similar to the following in /var/log/ltm:

-- info bigd[12457]: Couldn't open logging file /var/log/monitors/Common_Splunk_HTTP_monitor-Common_node1-8088.log for monitor /Common/Splunk_HTTP_monitor on node /Common/node1.

Conditions:
-- Clean installation of v14.1.0.x software.
-- Enable monitor logging for a node or pool member.

Impact:
Monitor logging fails. Error messages logged.

Workaround:
None.


765969-1 : Not able to get HSB register dump from hsb_snapshot on B4450 blade

Component: TMOS

Symptoms:
Running hsb_snapshot tool fails on B4450 blades with the following message:
Too many rows in tmm/hsb_internal_pde_info table

Conditions:
When vCMP is provisioned on VIPRION B4450 blades.

Impact:
HSB register dump is not available in hsb_snapshot or Qkview for diagnostic purposes.

Workaround:
None.


765801 : WCCP service info field corrupted in upgrade to 14.1.0 final

Component: TMOS

Symptoms:
WCCP 'Here I am' packets from BIG-IP to routers have corrupted service info. No 'I see you' response received from routers due to mismatched service flags information.

Conditions:
No specific condition other than WCCP configuration on BIG-IP 14.1.0.x version.

Impact:
Unable to deploy WCCP on BIG-IP in version 14.1.0.x.

Workaround:
None.


765761 : URI Parsing is failing when certificate name contains "[", "]"

Component: TMOS

Symptoms:
Per the URI specification (RFC 3986), "[" and "]" are reserved for IP literals.

When a certificate name contains "[" or "]", parsing fails.

Conditions:
Running the "tmsh load sys config" command when a certificate name contains a reserved character (e.g., "[" or "]").

Impact:
"tmsh load sys config" fails with an invalid URI error.

Workaround:
Do not use reserved characters in URI.


765413-1 : ASM cluster syncs caused by PB ignored suggestions updates

Component: Application Security Manager

Symptoms:
Frequent syncs occurring within an ASM device group.

Conditions:
Several (updating) suggestions are marked 'ignored'.

Impact:
Syncs appear in the logs (no actual performance degradation).

Workaround:
-- Remove the Ignored Suggestions. (Note: These might be re-added and you must refrain from clicking the Ignore button).

-- Remove the Ignored Suggestions and uncheck the Learn flag for the violation that causes it. (Note: The impact is that the system does not learn this violation anymore, so any future suggestions to amend the policy for that violation will not be created.)


765033 : Upgrades to versions that restrict resource-admin users from accessing bash may fail under certain conditions

Component: TMOS

Symptoms:
Some versions of BIG-IP software have removed the ability to access bash from users that have resource-admin roles. Upgrades to one of these versions may fail to load the configuration on the upgraded volume with a message in /var/log/ltm similar to:

err mcpd[14994]: 01070825:3: Access denied - Administrators only: Custom shells only available to administrators, not testuser.

Conditions:
-- Users with the resource-admin role also have bash access.

-- Upgrading to an affected version from certain versions.

Impact:
The upgraded volume's configuration does not load.

Workaround:
You can use either of the following workarounds:

-- Ensure that all users with the resource-admin role do not have bash access prior to upgrading.

-- Hand-edit the bigip_user.conf to remove bash from any users with the resource-admin role and reload the configuration using the following command:
tmsh load sys config
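
As a pre-upgrade check for the first workaround in 765033, the following added example (not F5 code) lists users that combine the resource-admin role with bash access. It assumes bigip_user.conf uses the 'auth user <name> { ... }' stanza layout shown in the constructed sample; the function names are hypothetical, and a missing 'shell' line is treated as no bash access.

```python
import re

# Constructed sample in the assumed bigip_user.conf stanza layout.
SAMPLE_BIGIP_USER_CONF = '''\
auth user admin {
    description "Admin User"
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}
auth user testuser {
    description testuser
    partition-access {
        all-partitions {
            role resource-admin
        }
    }
    shell bash
}
auth user operator1 {
    partition-access {
        Common {
            role resource-admin
        }
    }
    shell tmsh
}
auth user auditor {
    description "temp {contractor"
    partition-access {
        Common {
            role resource-admin
        }
    }
    shell bash
}
'''

_USER_START = re.compile(r"^auth user (\S+) \{$")
_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')


def parse_users(conf_text):
    """Return {user: {"roles": set, "shell": str or None}} from config text."""
    users, name, depth = {}, None, 0
    for raw in conf_text.splitlines():
        # Blank out quoted strings so braces inside descriptions are ignored.
        line = _QUOTED.sub('""', raw.strip())
        if name is None:
            match = _USER_START.match(line)
            if match:
                name, depth = match.group(1), 1
                users[name] = {"roles": set(), "shell": None}
            continue
        fields = line.split()
        if len(fields) == 2 and fields[0] == "role":
            users[name]["roles"].add(fields[1])
        elif depth == 1 and len(fields) == 2 and fields[0] == "shell":
            users[name]["shell"] = fields[1]
        depth += line.count("{") - line.count("}")
        if depth <= 0:                # closing brace of the user stanza
            name = None
    return users


def users_blocking_upgrade(conf_text):
    """Users holding resource-admin in any partition together with shell bash."""
    return sorted(
        user
        for user, attrs in parse_users(conf_text).items()
        if "resource-admin" in attrs["roles"] and attrs["shell"] == "bash"
    )


if __name__ == "__main__":
    for user in users_blocking_upgrade(SAMPLE_BIGIP_USER_CONF):
        print(f"{user}: resource-admin with bash access")
```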


764969 : ILX no longer supports symlinks in workspaces as of v14.1.0

Component: Local Traffic Manager

Symptoms:
The GUI and TMSH report an error message if a symlink is present, and the workspace does not run. The error appears similar to the following:
General database error retrieving information.
General error: 01070711:3: boost::filesystem::status: Permission denied: "/var/ilx/workspaces/Common/test_links1/tmp_file" in statement [SELECT COUNT(*) FROM dev_workspace WHERE name LIKE '%'].

Conditions:
-- An ILX workspace is in the configuration.
-- The workspace contains a symlink.

Impact:
The ILX module is not accessible via the GUI, and the workspace with the symlink cannot be run.

Workaround:
1. Remove the symlink.
2. Copy the file into the workspace.


764901-2 : PEM policy filters rules memory gets leaked if policy is deleted before deleting the rules

Component: Policy Enforcement Manager

Symptoms:
There is a memory leak associated with deleting policies before rules.

Conditions:
If a policy is deleted before its rules are deleted.

Impact:
Memory leak.

Workaround:
Delete all rules in a policy prior to a policy delete operation.


764873-2 : An accelerated flow transmits packets to a dated, down pool member.

Component: TMOS

Symptoms:
Normally, when a pool member becomes unavailable, the flow is redirected towards another available pool member. However, an accelerated flow can continue to send traffic to the dated pool member rather than the updated one.

Conditions:
A flow changes the pool member it goes to while the flow is accelerated.

Impact:
The traffic continues to target the dated pool member that is not available.

Workaround:
Disable HW acceleration.

Or, on BIG-IP v14.1.0 and later, if a pool member goes away, run the following command to flush all accelerated flows so that they are handled correctly by software:
tmsh modify sys conn flow-accel-type software-only


764665-2 : AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change

Component: Application Visibility and Reporting

Symptoms:
When BIG-IP is registered on BIG-IQ system, sometimes avrd crashes with core.

Conditions:
-- BIG-IP is registered at BIG-IQ.
-- BIG-IQ sends configuration update to BIG-IP.

Impact:
Avrd cores and restarts. Functionality is not impacted; stats data are sent to BIG-IQ.

Workaround:
None.


764373-3 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths

Component: Application Security Manager

Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.

Conditions:
Server sends enforced cookies with the same name but with different paths.

Impact:
A valid request might be rejected.

Workaround:
None.


763349-3 : AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out

Component: Application Visibility and Reporting

Symptoms:
avrd application on BIG-IP crashes; core is generated.

Conditions:
-- The BIG-IP is configured to send data to BIG-IQ DCD node via the HTTPS protocol.

-- Connection to DCD is established but response does not arrive within the timeout interval, so the connection times out.

Impact:
avrd crashes, and a core is generated.

Workaround:
None.


763157-2 : MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped

Component: Service Provider

Symptoms:
Processing the response to an outbound request at the same time as an inbound request message on the same connection could cause the generated internal state to be confused and the inbound request to be dropped.

Conditions:
Processing the response to an outbound request at the same time as an inbound request message on the same connection.

Impact:
The inbound request will be dropped.

Workaround:
None.


763121-3 : Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.

Component: Advanced Firewall Manager

Symptoms:
TMM crashes and produces a core file. The crash is a SIGFPE accompanied by the following panic string:

Assertion "packet must already have an ethernet header" failed.

Conditions:
This issue occurs when all of the following conditions are met:

- The system is provisioned for AFM.
- A TCP Half Open attack to the system is underway.
- A BIG-IP Administrator attempts to use the AFM Packet Tester tool, and simulates sending a TCP segment with the SYN flag set.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the AFM Packet Tester tool while a TCP Half Open attack is underway.


763093-3 : LRO packets are not taken into account for ifc_stats (VLAN stats)

Component: Local Traffic Manager

Symptoms:
The ifc_stats do not correctly reflect the number of incoming octets/packets. There is a discrepancy between octets/packets in/out in the ifc_stats table, which tracks per-VLAN stats.

Conditions:
LRO is enabled and used for incoming packets.

Impact:
ifc_stats are incorrect for incoming octets and packets.

Workaround:
Disable LRO using the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable

After modifying that variable, you must restart tmm for it to take effect (traffic disrupted while tmm restarts):
bigstart restart tmm


763005-3 : Aggregated Domain Names in DNS statistics are shown as random domain name

Component: Application Visibility and Reporting

Symptoms:
When many DNS queries (e.g., 50000) with different query domain names are sent and AVR aggregates data, it shows aggregated names using a random name taken from the first lookup table record.

Conditions:
-- Run 50000 DNS queries, all with different domain names.
-- View Statistics :: Analytics :: DNS, and choose View By : Domain Names.

Impact:
There is one random domain name with a high counter value; other domains are shown with counter 1.

Workaround:
None.


762385 : After upgrade to 14.1 wrong remote-role assigned using LDAP authentication

Component: TMOS

Symptoms:
When multiple attributes in a list match multiple roles, the wrong role may be assigned. Alternatively, authentication may fail when check-roles-group is disabled.

Conditions:
The LDAP server replies with a list of attributes (e.g., list of memberOf) where more than one matches an existing role.

Impact:
BIG-IP assigns the user to the last attribute in the list that matches a role yielding a more restrictive set of permissions.
Authentication may fail when check-roles-group is disabled.


762205-2 : IKEv2 rekey fails to recognize VENDOR_ID payload when it appears

Component: TMOS

Symptoms:
Rekey with non-BIG-IP systems can fail when a response contains a VENDOR_ID payload.

Conditions:
- IKEv2 Responder sends VENDOR_ID payload in rekey response.
- The ipsec.log misleadingly reports:
  [I] [PROTO_ERR]: unexpected critical payload (type 43)
  Note: This message may be correctly present under other conditions, with different type constants not equal to 43.

Impact:
BIG-IP as the initiator of rekey drops the rekey negotiation without making further progress when the responder included a VENDOR_ID payload in a response. This will result in deleting the SA for good when the hard lifetime expires, causing a tunnel outage.

Workaround:
No workaround is known at this time.


762097 : BIG-IP v14.1.0.2, No buffer allocated to SWAP after upgrading to v14.1.0.2

Component: TMOS

Symptoms:
After upgrading from version v14.0.0.1 to v14.1.0.2, no buffer is allocated to SWAP, so tmm restarts due to out of memory.

Conditions:
System is running BIG-IP version v14.0.0.1, and is installing v14.1.0.2.

Impact:
Unable to upgrade to v14.1.0.2.

Workaround:
Mount the swap volume with the correct ID representing the swap device.

Perform the following steps on the system after upgrading to v14.1.0.2 and booting into v14.1.0.2:

1. blkid | grep swap <==== This is the correct ID
2. Check the block ID representing swap in /etc/fstab.
3. If swap is not represented with the correct ID, modify the /etc/fstab swap entry to point to the correct device.
4. swapon -a
5. Check swap volume size using 'swapon -s'


762073-2 : Continuous TMM restarts when HSB drops off the PCI bus

Component: TMOS

Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.

Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.

Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.

Workaround:
Manually reboot the BIG-IP system.


761993-2 : The nsm process may crash if it detects a nexthop mismatch

Component: TMOS

Symptoms:
If there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop, nsm may crash and restart.

Conditions:
-- Dynamic routing is in use.
-- A mismatch between tmrouted and nsm for the interface index or gateway of a nexthop exists.

Impact:
There is a temporary interruption to dynamic routing while nsm is restarted.

Workaround:
None.


761941-1 : ASM does not remove CSRT token query parameter before forwarding a request to the backend server

Component: Application Security Manager

Symptoms:
CSRT query parameter observed in tcpdump on the BIG-IP system's server side.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF enabled in ASM policy.

Impact:
Backend app gets CSRT parameter, which might impact its business logic.

Workaround:
You can remove a CSRT query parameter using a URI modification iRule on the server side.


761933-1 : Reboot with 'tmsh reboot' does not log message in /var/log/audit

Component: TMOS

Symptoms:
The tmsh reboot command is missing from /var/log/audit.

Conditions:
-- Reboot a system using the command 'tmsh reboot'.
-- View the /var/log/audit log.

Impact:
The system does not log the tmsh reboot operation in the /var/log/audit log. A message similar to the following should be reported:

notice tmsh[19115]: 01420002:5: AUDIT - pid=19115 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=reboot.

Workaround:
None.


761921-1 : avrd high CPU utilization due to perpetual connection attempts

Component: Application Security Manager

Symptoms:
avrd shows high CPU utilization. Repeated retries on auth token client failed connection attempts.

Conditions:
-- The BIG-IQ system is not available (even though it is configured).
-- Frequent connection retries.

Impact:
avrd consumes a large amount of CPU.

Workaround:
Correct BIG-IQ availability and restart avrd.


761685-3 : Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set

Component: Service Provider

Symptoms:
Systems that need a unique outgoing connection per client may silently end up with clients sharing an outgoing connection if routing uses a virtual server as the outgoing connection transport definition, and the virtual server has the source-port attribute set to preserve-strict.

Conditions:
-- Routing using a virtual server as the transport definition for the outgoing connection.
-- The virtual server has the source-port attribute set to preserve-strict.

Impact:
Systems that need a unique outgoing connection per client may silently end up sharing an outgoing connection.

Workaround:
None.


761621-2 : Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members"

Component: TMOS

Symptoms:
When Ephemeral FQDN pool members exist in a non-Common partition, they are shown to be in the /Common partition on the Local Traffic : Pools : Members page. In the statistics view of the same object, they are shown appropriately with their non-Common partition.

Conditions:
-- Ephemeral FQDN pool members exist in a non-Common partition.
-- View the FQDN pool members on Local Traffic : Pools : Members page.

Impact:
No impact to configuration; however, the display is confusing and shows contradictory partition information.

Workaround:
None.


761565-1 : ASM BD core when custom captcha page configured size more than 45K with %ASM.captcha.support_id% placeholder is at the end

Component: Application Security Manager

Symptoms:
ASM BD crash when custom captcha page configured size is 45K

Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- CAPTCHA page size is bigger than 45 KB.
- CAPTCHA protection is enabled via brute force or ASM::captcha iRule.

Impact:
An ASM BD crash occurs when a request is protected by CAPTCHA mitigation. If configured for high availability (HA), failover occurs.

Workaround:
Define CAPTCHA page sizes smaller than 45 KB.


761517-1 : nat64 and ltm pool conflict

Component: Carrier-Grade NAT

Symptoms:
When a pool is assigned to a virtual server with nat64, the destination address is changed to that of the pool, regardless of whether address translation is enabled.

Conditions:
Virtual server with nat64 and a pool configured.

Impact:
nat64 does not happen, even if the translate-address option is set to disable.

Workaround:
None.


761385-1 : Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire.

Component: Local Traffic Manager

Symptoms:
Responses from a server are not received by the client.

Conditions:
-- BIG-IP system deployed in L2 transparent mode using virtual wire.
-- No virtual server is configured.

Impact:
Responses from server to client are dropped. Loss of service.

Workaround:
None.


761345-3 : Additional config-sync may be required after blob compilation on an HA setup in manual config-sync mode

Component: Advanced Firewall Manager

Symptoms:
When manual config-sync mode is enabled for an HA setup, additional config-sync may be required after firewall blob compilation.

Conditions:
Firewall rule configuration modified on a high availability (HA) setup with manual config-sync mode enabled.

Impact:
Additional config-sync may be required after compilation completion.
A warning may be given: "There is a possible change conflict between <device1> and <device2>.", and full sync may be forced.

Workaround:
Enable auto config-sync instead of manual config-sync.


761321-2 : 'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not

Component: TMOS

Symptoms:
'Connection Rate Limit' setting is hidden when it is appropriate to do so. However, the 'Connection Rate Limit Mode' setting is still visible, even when 'Connection Rate Limit' is hidden.

Conditions:
1. Create a Virtual Server with type Standard.
2. Click Configuration 'Advanced'.
3. Enter values for 'Connection Rate Limit' and 'Connection Rate Limit Mode'.
4. Save the configuration.
5. Change the virtual server type to Forwarding (Layer 2).

Impact:
'Connection Rate Limit' is hidden, as it should be, but 'Connection Rate Limit Mode' is not, although it should be hidden as well. Although 'Connection Rate Limit Mode' is available, the system ignores any setting specified.

Workaround:
Do not configure 'Connection Rate Limit Mode', as it has no effect.


761303-2 : Upgrade of standby BIG-IP system results in empty Local Database

Component: Access Policy Manager

Symptoms:
Upgrade of standby BIG-IP system results in empty Local Database.

Conditions:
This happens on standby device in a high availability (HA) setup.

Impact:
All previously existing local users disappear from the standby device. If a failover happens, none of the local users will be able to log in.

Workaround:
To trigger a full database dump from the active BIG-IP system that returns the standby device's database to its original state, on the standby device, do the following:

1. Reboot.
2. Switch to a new installation volume.
3. Force stop the localdbmgr process:
bigstart stop localdbmgr
4. Wait at least 15 minutes.
5. Restart the localdbmgr:
bigstart restart localdbmgr


761234-2 : Changing a virtual server to use an address list should be prevented if the VS has a security policy with a logging profile attached

Component: Advanced Firewall Manager

Symptoms:
If you create a virtual server with a single address ('Host' in the GUI) for both its source and destination, then configure the virtual server's security policy with a logging profile, and then (after creating the virtual server) modify the source or destination to use a traffic matching condition, the system reports no error when updating the configuration.

Conditions:
Attempting to use a virtual server with a security policy attached that uses a logging profile with an address list as the virtual server's source or destination.

Impact:
An invalid configuration is not caught. When later loading the configuration, the system reports a validation error, and the configuration does not load.

Workaround:
None.


761194-2 : param data type violation on an Integer parameter, if an integer value is sent via websocket JSON

Component: Application Security Manager

Symptoms:
A false positive occurs with 'Illegal parameter data type' violation on an integer parameter, on websocket messages

Conditions:
An explicit parameter with type integer is configured.

Impact:
A false positive can occur: 'Illegal parameter data type' is reported.

Workaround:
N/A


761088-1 : Remove policy editing restriction in the GUI while auto-detect language is set

Component: Application Security Manager

Symptoms:
While policy language was set to auto-detect, the policy editing was not allowed.

Conditions:
Create a new policy and set the language to auto-detect.

Impact:
While policy language was set to auto-detect, the policy editing was not allowed.

Workaround:
The policy language must be set to something other than auto-detect to allow user to edit the policy from GUI. However, policy editing is possible using REST API.


761084-3 : Custom monitor fields appear editable for Auditor, Operator, or Guest

Component: TMOS

Symptoms:
Mozilla Firefox browser shows custom monitor fields editable for Auditor, Operator, or Guest role users.

Conditions:
You can experience this issue by following these steps:

1. Create custom monitor (e.g., http, mysql, tcp).
2. Use the Firefox browser to log on to the BIG-IP system Configuration utility with a user role that is Auditor, Operator, or Guest.
3. Access the custom monitor. Note that Send String, Receive String, and Receive Disable String are all grayed out.
4. Click the browser Back button.
5. Click the browser Forward button.

Impact:
Send String, Receive String, and Receive Disable String are now editable fields. Although the Auditor, Operator, or Guest user can edit the fields, the Update button is still grayed out, so any entry is not saved.

Workaround:
None.


761027 : Web Browser Hang on Reading Compressed Data from BIG-IP

Component: WebAccelerator

Symptoms:
The web browser hangs when reading an object from the BIG-IP system.

Conditions:
The virtual server has both a web acceleration profile with an active application and the HTTP compression filter on it.

When reading a compressible object from the web acceleration small object cache, the HTTP compression filter may compress the data, but not rewrite the Content-Length header.

Impact:
The client will wait for the BIG-IP to deliver the amount of data specified by the Content-Length header, but since the object was compressed, there isn't that much data to deliver.

Workaround:
You can use either of the following workarounds:

-- Remove the HTTP compression filter from the virtual server.

-- Mark objects smaller than 4,000 bytes as no-store.


760950-4 : Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment

Component: TMOS

Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.

Note: A previous bug had this same symptom, but was due to a different root cause.

Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.

Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.

Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.


760930-2 : MRF SIP ALG with SNAT: Added additional details to log events

Component: Service Provider

Symptoms:
Subscriber name is not included in debug log events for temporary subscriber registration creation and deletion.

Conditions:
Debug log events for temporary subscriber registration creation and deletion.

Impact:
No functional impact, but the associated MRF SIP ALG with SNAT issue might be difficult to debug.

Workaround:
None.


760878-3 : Incorrect enforcement of explicit global parameters

Component: Application Security Manager

Symptoms:
A false positive or false negative enforcement of explicit global parameter.

Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.

Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.

Workaround:
Make the explicit parameters a wildcard parameter.


760771-1 : FastL4-steered traffic might cause SSL resume handshake delay

Component: Local Traffic Manager

Symptoms:
When a FastL4 virtual server steers traffic to another SSL-enabled virtual server, there can be a delay on SSL session resumption because SSL is unable to identify the connection flow.

Additionally, it has been observed that if fallback persistence is configured, the BIG-IP system might fail to start the connection serverside.

Conditions:
-- FastL4 virtual server.
-- iRule is used to steer traffic to another virtual server with client SSL enabled.
-- Multiple tmm's.

Impact:
-- Potential impact to SSL performance.
-- Possible connection failure.

Workaround:
To work around this issue:
-- Disable FastL4.
-- Enable OneConnect.


760683-1 : RST from non-floating self-ip may use floating self-ip source mac-address

Component: Local Traffic Manager

Symptoms:
A RST from non-floating self-ip may use floating self-ip source mac-address when AFM or ASM is enabled.

Conditions:
-- AFM or ASM is enabled.
-- RST generated from non-floating self-ip address.

Impact:
An L2 switch may update the fwd table incorrectly.

Workaround:
None.


760680-1 : TMSH may utilize 100% CPU (single core) when set to be a process group leader and SSH session is closed.

Component: TMOS

Symptoms:
TMSH does not correctly handle absence of input stream after closing interactive SSH session and remains active in an infinite loop using 100% CPU.

Conditions:
If TMSH is a process group leader, it will not be killed when the parent shell is terminated upon SSH session close. This is a rare case, as TMSH would have to be deliberately promoted to a process group leader, e.g., with the setsid command.
Usually the shell process is a group leader and, when it is terminated upon SSH session close, it will kill its child processes including TMSH.

Impact:
One CPU core is utilized at 100% by the runaway TMSH process.

Workaround:
TMSH should not be intentionally promoted to a process group leader. An abandoned TMSH process can be safely killed with the "killall tmsh" command.


760615-2 : Virtual Server discovery may not work after a GTM device is removed from the sync group

Component: Global Traffic Manager (DNS)

Symptoms:
LTM configuration does not auto-discover GTM-configured virtual servers.

Conditions:
-- GTM is deprovisioned on one or more GTM sync group members, or the sync group is reconfigured on one or more members.

-- Those devices remain present in the GTM configuration as 'gtm server' objects.

-- iQuery is connected to those members.

Impact:
Virtual servers are not discovered or added automatically.

Workaround:
You can use either of the following workarounds:

-- Manually add the desired GTM server virtual servers.

-- Delete the 'gtm server' objects that represent the devices that are no longer part of the GTM sync group. These can then be recreated if the devices are operating as LTM-configured devices.


760597-1 : System integrity messages not logged

Component: TMOS

Symptoms:
On TPM-equipped platforms, log messages indicating recovery from a very rarely triggered condition, where the TPM chip needs to be cleared, are not being recorded in the logs on boot.

Conditions:
-- TPM-equipped platforms.
-- Rarely triggered condition in which the TPM chip needs to be cleared.

Impact:
No message indicating the need to clear the TPM.

Note: The need to clear the TPM does not affect the subsequent operation of system integrity checks.

Workaround:
None. The TPM is automatically cleared on boot. Once cleared, it operates normally.

Using remote attestation by submitting a QKview file to iHealth and checking the System Integrity status in the resulting report will reliably indicate any tampering in the BIOS or system startup files.


760594 : On BIG-IP VE, 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details.

Component: TMOS

Symptoms:
Executing 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details.

Conditions:
BIG-IP Virtual Edition

Impact:
The snmpwalk command shows the details of all partitions on previous versions. It now shows only the '/appdata' details.

Workaround:
No workaround exists for this issue currently.


760573-1 : TPM system integrity check may return invalid status when booting into BIG-IP 14.1.0

Solution Article: K00730586

Component: TMOS

Symptoms:
The Trusted Platform Module (TPM) system integrity check may return an invalid status.

As a result of this issue, you may encounter one or more of the following symptoms:

-- While the system boots to BIG-IP 14.1.0, you observe an error message that appears similar to the following example:
tpm-status-check[5025]: System Integrity Status: Invalid

-- After rebooting the system to different volumes, you continue to observe the previous error message.

Conditions:
This issue occurs when the following condition is met:

You reboot a system running either BIG-IP 13.1.x or 14.0.0 (including their point releases) to BIG-IP 14.1.0.

Impact:
The BIG-IP system reports an invalid TPM status and TPM is non-functional.

Workaround:
To recover from this issue, you must delete the grub configuration file and reboot the system twice for an automatic repair to occur. To do so, perform the following procedure:

Impact of workaround: The system will not be available while performing multiple reboots. F5 recommends that you perform this procedure during an appropriate maintenance window.

1. Log in to the command line of the affected system.
2. Mount the boot partition by typing the following command:
mkdir -p /mnt/boot; mount $(ls /dev/mapper | grep boot) /mnt/boot

3. Delete the grub.multiboot.cfg file by typing the following command:
rm -f /mnt/boot/grub2/grub.multiboot.cfg

4. Reboot the system by typing the following command:
reboot

Note: The system software fixes the grub.multiboot.cfg file automatically upon booting.

5. When the system has completed booting, log in to the command line and reboot the system again by typing the following command:
reboot

This final step properly boots the system with TPM enabled.


760570 : The BIG-IP installer fails to automatically detect installation media.

Component: TMOS

Symptoms:
The image2disk command does not automatically detect the repository. As a result, installation with the image2disk command may not work. Here is an example of the affected image2disk command syntax:

  switch_root:/# image2disk --format=volumes --nosaveconfig --nosavelicense

Conditions:
-- 14.1.0 clean install using DVD-ROM or USB thumb drive.
-- Using a command that does not specify a repository.

Impact:
Installer cannot start unless you explicitly specify the repository.

Workaround:
You can use either of the following workarounds:

-- Manually specify repository while running image2disk command. For example, the following command successfully starts installation with DVD-ROM (/cdserver) or USB thumb drive (/mnt/thumb/<ISO>):

  switch_root:/# image2disk --format=volumes --nosaveconfig --nosavelicense /cdserver
  switch_root:/# image2disk --format=volumes --nosaveconfig --nosavelicense /mnt/thumb/<ISO>

-- At the command line, type 'start', and the interactive software installation starts.


760550-5 : Retransmitted TCP packet has FIN bit set

Component: Local Traffic Manager

Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.

Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.

Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.

Workaround:
Set Nagle to disabled in the TCP profile.


760518-4 : PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement

Component: Policy Enforcement Manager

Symptoms:
Some PEM action enforcement does not work with flow filter with PEM attribute set.

Conditions:
Flow filter has the Differentiated Services Code Point (DSCP) attribute set

Impact:
Some PEM actions such as http-redirect do not perform as expected.

Workaround:
Set the DSCP to the default value


760508-1 : On systems with multiple versions of BIG-IP in use, the 'invalid' System Integrity Status may persist

Solution Article: K91444000

Component: TMOS

Symptoms:
The system security state reported by the shell utility 'tpm-state' may report 'Invalid'.

Conditions:
-- The system contains a volume running a BIG-IP software version that does not support Trusted Platform Module (TPM).

-- You install a version that does support TPM.

-- The system is rebooted, from the old (non-TPM-capable) BIG-IP version to the new, TPM-capable version.

Impact:
The BIG-IP system reports an invalid TPM status upon the first boot of the upgraded BIG-IP 14.1.0 slot.

Workaround:
Rebooting the system again into 14.1.0 after initially booting into 14.1.0 resolves the issue.


760475-1 : Apache spawns more processes than the configured limit, causing system low memory condition

Component: TMOS

Symptoms:
Apache (httpd) process count MaxClients on BIG-IP systems is set to '10' in the configuration. When more requests are received, Apache spawns more processes than 10, consuming more memory.

Conditions:
Numerous clients trying to connect simultaneously to the BIG-IP GUI.

Impact:
System low memory condition can severely impact application/system performance, and sometimes triggers Out-Of-Memory (OOM) Killer, so critical applications might be terminated.

Workaround:
Complete the following procedure:

1. Modify /etc/httpd/conf/httpd.conf to have the following configuration outside of the prefork module (global):

MaxClients 10

2. Run the following command:
bigstart restart httpd


760438-3 : PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions

Component: Policy Enforcement Manager

Symptoms:
tmm coredump

Conditions:
-- Using an iRule to apply a referential policy in a rigorous loop.
-- This is a rarely occurring timing issue.

Impact:
Traffic impact due to tmm coredump. Traffic disrupted while tmm restarts.

Workaround:
None.


760410-1 : Connection reset is seen when Category lookup agent is used in per-req policy

Component: Access Policy Manager

Symptoms:
The BIG-IP system sends reset to client when Category Lookup agent is used in per-req policy.

Conditions:
-- APM or SSLO is licensed and provisioned.
-- URLDB and SWG are not provisioned.
-- Category Lookup agent is used in the policy to process custom categories.

Impact:
Connection reset is seen on client from APM/SSLO box.

Workaround:
Modify Category Lookup agent 'lookup-type' property to 'custom-only' via TMSH, for example, by using a command similar to the following:

modify apm policy agent category-lookup example_prp_act_category_lookup_ag lookup-type custom-only


760408-3 : System Integrity Status: Invalid after BIOS update

Solution Article: K23438711

Component: TMOS

Symptoms:
When BIG-IP system boots, it performs a System Integrity Check. The System Integrity Status may return one of three states: Valid, Unavailable, or Invalid.

This issue causes the System Integrity Status to return a value of 'Invalid'.

Conditions:
-- BIG-IP systems that have been manufactured using an earlier BIOS version.
-- Updating to a newer BIOS version.

Impact:
The System Integrity Status returns a status of Invalid, which may falsely indicate that the system BIOS or OS has been compromised.

Workaround:
Install the new BIOS, which fixes the issue that causes the 'Invalid' status to be reported, and, on systems where the BIOS and OS have not been compromised, returns a status of 'Valid'.


760370-2 : MRF SIP ALG with SNAT: Next active ingress queue filling

Component: Service Provider

Symptoms:
When running MRF SIP ALG with SNAT, the ingress queue may fill, causing messages to be dropped on the next-active device.

Conditions:
-- The active device determines that an operation can be skipped because the details were already discovered while processing a previous message.
-- The next-active device has not yet processed the previous message and is not able to skip the operation.

Impact:
Mirroring state is lost for the connection.

Workaround:
None.


760363-1 : Update Alias Address field with default placeholder text

Component: TMOS

Symptoms:
Unable to update Alias Address field with the default value under Local Traffic :: Monitors :: [MonitorName] after removing everything from the input field and updating again with the placeholder text.

Conditions:
-- Using a system running software in which the GUI supports Chinese characters.
-- Remove content from the Alias Address field under Local Traffic :: Monitors :: [MonitorName].
-- Enter the default placeholder text.

Impact:
Unable to update the Alias Address input field with default placeholder text after replacing the said field with blank text or a valid value.

Workaround:
Pass an empty value or '::'.


760356-2 : Users with Application Security Administrator role cannot delete Scheduled Reports

Component: Application Visibility and Reporting

Symptoms:
User accounts configured with the Application Security Administrator role cannot delete scheduled reports, while they can create/view/edit them.

Conditions:
-- Logged on with a user account configured as an Application Security Administrator.
-- Attempting to delete a scheduled report.

Impact:
Cannot complete the delete operation. Deleting scheduled reports requires root/admin intervention.

Workaround:
Use root or a user account configured as Administrator to delete scheduled reports.


760355 : Firewall rule to block ICMP/DHCP from 'required' to 'default'

Component: Advanced Firewall Manager

Symptoms:
If firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.

Conditions:
-- Firewall is configured on the management port.
-- Firewall is configured with an ICMP rule to block.

Impact:
ICMP packets cannot be blocked with a firewall rule to drop on management port. ICMP packets are allowed from the management port.

Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.

sbin # ./xtables-multi iptables -N inoue
sbin # ./xtables-multi iptables -A inoue -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP


760259-3 : Qkview silently fails to capture qkviews from other blades

Component: TMOS

Symptoms:
When capturing a qkview on a chassis, there are no warnings provided if the qkview utility is run to gather a qkview from other blades.

Conditions:
-- On a chassis system, rename/move the qkview binary from a given blade.

-- Execute qkview on another blade, verify that no warnings or errors are produced.

Impact:
There is no warning that the qkview failed for a given blade.

Workaround:
There is no workaround other than running the qkview on the actual blade.


760164-1 : BIG-IP VE Compression Offload HA action requires modification of db variable

Component: TMOS

Symptoms:
When TMM detects a compression offload device hang it does not invoke the configured high availability (HA) action.

Conditions:
This occurs when the following conditions exist:
-- BIG-IP Virtual Edition (VE) Cryptographic Offload is licensed.
-- BIG-IP VE VM has been assigned QuickAssist Virtual Functions (VFs).
-- A QuickAssist endpoint associated with one of the VFs hangs.
-- BIG-IP VE executes compression operations.

Impact:
The configured HA action does not occur when a compression offload device hangs. Client compression requests eventually time out.

Workaround:
Disable pfmand by running the following commands:
    tmsh modify sys db pfmand.healthstatus value disable
    tmsh save sys config

The configured HA action will now occur when a compression offload device hangs.

Note: The pfmand daemon is not needed for BIG-IP VE, so disabling the db variable has no impact for BIG-IP VE configurations.


760130-3 : [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK

Component: Access Policy Manager

Symptoms:
-- Increased overall TMM memory usage, which eventually forces TMM to start closing connections to reduce memory usage.
-- connflow memory usage keeps increasing. Memory usage can be observed with this command:
# tmctl -f /var/tmstat/blade/tmm0 memory_usage_stat -w200

Conditions:
1. Using PingAccess.
2. Errors are being logged in /var/log/paa.

Impact:
-- Memory leak.
-- Eventually TMM starts closing connections randomly.

Workaround:
None.


760117-1 : Duplicate error messages in log when updating a zone through ZoneRunner GUI

Component: Global Traffic Manager (DNS)

Symptoms:
Duplicate error messages in log when updating a zone through ZoneRunner GUI.

Conditions:
This occurs upon every update to a zone in the GUI.

Impact:
The BIG-IP system logs multiple occurrences of the following error in the /var/log/daemon.log file:

err named[17053]: 18-Feb-2019 15:22:51.011 general: error: zone siterequest.com/IN/external: zone serial (2019021807) unchanged. zone may fail to transfer to slaves.

Workaround:
None.


760078-1 : Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet.

Component: Local Traffic Manager

Symptoms:
Packet with unexpected source MAC seen on the adjacent node to the BIG-IP.

Conditions:
- BIG-IP configured in an L2 transparent mode using virtual wires
- Traffic forwarded between client and server in an asymmetric manner across virtual wires.

Impact:
Possible impacts to services on nodes adjacent to the BIG-IP if policy decisions on those nodes are made with the source MAC of the received packet as input.


760050-2 : cwnd warning message in log

Component: Local Traffic Manager

Symptoms:
The following benign message appears in the log: cwnd too low.

Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.

Impact:
None. TCP resets the congestion window to 1 MSS.

Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.


759968-3 : Distinct vCMP guests are able to cluster with each other.

Component: Local Traffic Manager

Symptoms:
-- Distinct vCMP guests are able to cluster with each other.

-- Guests end up having duplicate rebroad_mac on one or more slots. This can be checked using the following command:

clsh tmctl -d blade tmm/vcmp -w 200

Look at the "rebroad_mac" field.

Conditions:
-- It is not yet clear under what circumstances the issue occurs.

-- One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate "rebroad_mac" on one or more slots.

Impact:
Only the vCMP guest acting as primary will be operative.

Workaround:
-- Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:

modify sys db clusterd.communicateovertmmbp value false

Note: This command should be issued on the guest acting as primary since config changes are only allowed on cluster primary.


759868-1 : TMM crash observed while rendering internal pages (like blocked page) for per-request policy

Component: Access Policy Manager

Symptoms:
TMM crashes.

Conditions:
-- SSLO/SWG configured.
-- Rendering internal pages (like a blocked page).
-- Per-request policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


759852-1 : SNMP configuration for trap destinations can cause a warning in the log

Component: TMOS

Symptoms:
The snmpd configuration parameters can cause net-snmp to issue a warning about deprecated syntax.

Conditions:
The use of a sys snmp command similar to the following to modify the snmpd.conf file:
sys snmp v2-traps { TRAP1 { host 1.2.3.4 community somestring } }

Impact:
net-snmp issues a warning that the syntax has been deprecated and reports a warning message in the log.

Workaround:
None.


759840-1 : False positive 'Null in request' violation or bare byte subviolations

Component: Application Security Manager

Symptoms:
'Null in request' violation or bare byte subviolations detected when there is no null in request.

Conditions:
Brute force attack mitigated by captcha or challenge.

Impact:
Traffic blocking or false positive alarm.

Workaround:
None.


759814-1 : Unable to view iApp component view

Component: TMOS

Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:
An error has occurred while trying to process your request.

Conditions:
-- Upgrade to v14.1.x.
-- Create a new iApp with an SSL, ASM, or Traffic policy profile.
-- Or, attempt to view an iApp containing ASM information.

Impact:
Unable to access the iApp Component view. Cannot reconfigure the iApp directly (iApp : Application Services : application : any app).

Workaround:
To reconfigure the iApp, do the following:

1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List.
2. Click the Application Link :: Reconfigure.

Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.


759723-1 : Abnormally terminated connections on server side may cause client side streams to stall

Component: Local Traffic Manager

Symptoms:
The BIG-IP system provides HTTP/2 Gateway configuration when an HTTP/2 client is served by HTTP/1.x pool members. When a server-side connection terminates abnormally, TMM may crash.

Conditions:
-- A virtual server with HTTP/2 Gateway configuration is configured on the BIG-IP system.
-- Traffic on the server side has some abnormalities, resulting in aborted or unclosed connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


759654-1 : LDAP remote authentication with remote roles and user-template failing

Component: TMOS

Symptoms:
The directory server that performs authentication requests refuses a query for authorization (user attributes), which prevents the user from logging on with remote authentication.

Conditions:
In version 14.1, configure LDAP remote authentication with remote roles and a user template. As a remote user, attempt to log on.

Impact:
The query request sent to the directory server is refused because the password is not included in the request and the server will not accept an anonymous bind request. The refused request prevents a lookup of the user attributes on the directory server. As a result, the user cannot log on.

Workaround:
Use bind-dn to authenticate against the LDAP server.


759606-2 : REST error message is logged every five minutes on vCMP Guest

Component: TMOS

Symptoms:
Guestagentd periodically logs the following REST error message for each secondary slot in /var/log/ltm:

Rest request failed{"code":502."message":"This is a non-primary slot on the Viprion. Please access this device through the cluster address.","restOperationId":6410038,"kind":":resterrorresponse"}

Conditions:
Upgrade a vCMP guest from pre-13.1.x to a 13.1.x or later version.

Impact:
There is stale stat information for vCMP guests running on secondary slots.

Workaround:
Create a Log Filter with no publisher on the vCMP guest to discard the specific error message:

sys log-config filter Filter_RestError {
    level info
    message-id 01810007
    source guestagentd
}


759499-2 : Upgrade from version 12.1.3.7 to version 14.1.0 failing with error

Component: TMOS

Symptoms:
Upgrade from version 12.1.3.7 to version 14.1.0 fails. Running 'tmsh show sys software' shows the following message:
 failed (Could not access configuration source; sda,n)

Conditions:
1. Install BIG-IP version 12.1.3.7 in new volume.
2. From 12.1.3.7, try to install 14.1.0 in new volume.

Impact:
Upgrade fails.

Workaround:
To work around this issue, delete the 14.1.0 volume and try the installation again.

The second installation of 14.1.0 succeeds in this scenario.


759392-2 : HTTP_REQUEST iRule event triggered for internal APM request

Component: Access Policy Manager

Symptoms:
Requests for the internal APM renderer for logo customization trigger the HTTP_REQUEST iRule event.

Conditions:
Customized logo in the Access Profile.

Impact:
HTTP_REQUEST event will be raised for requests for the customized logo in the Access Profile.

Workaround:
Inside the HTTP_REQUEST event, if it is necessary to not take a certain action on a customized logo, it is possible to check that the URL does not equal the URL for the logo (it should start with '/public/images/customization/' and contain the image name).


759370 : FIX protocol messages parsed incorrectly when fragmented between the body and the trailer.

Component: Service Provider

Symptoms:
The header part of a FIX message is parsed successfully (iRule event FIX_HEADER is triggered), but the message is eventually discarded as incomplete (no iRule event FIX_MESSAGE).

Conditions:
FIX message fragmented between body part and the trailer (tag 10).

Impact:
FIX protocol messages are not forwarded.

Workaround:
Ensure that the FIX protocol packet size does not exceed the MTU value.
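
The framing behavior that this issue breaks, as an added Python example (not F5 code and not part of the original release note): a framer that keeps buffering after the header is parsed and emits a message only once the trailer (tag 10) has arrived, even when a segment boundary falls between the body and the trailer. The class name, helper names, and the sample order message are constructed for illustration.

```python
SOH = b"\x01"  # FIX field delimiter


class FixFramer:
    """Reassembles FIX messages from a TCP byte stream, whatever the segment boundaries."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, segment):
        """Add one received segment; return every message that is now complete."""
        self._buf += segment
        complete = []
        while True:
            msg = self._take_one()
            if msg is None:
                return complete
            complete.append(msg)

    def _take_one(self):
        buf = self._buf
        # Header: 8=<BeginString><SOH>9=<BodyLength><SOH>
        first = buf.find(SOH)
        if first < 0:
            return None
        if not buf.startswith(b"8="):
            raise ValueError("stream does not start with BeginString (tag 8)")
        second = buf.find(SOH, first + 1)
        if second < 0:
            return None
        if buf[first + 1:first + 3] != b"9=":
            raise ValueError("BodyLength (tag 9) must follow BeginString")
        body_len = int(bytes(buf[first + 3:second]))
        # BodyLength counts the bytes after the tag 9 field up to the trailer.
        trailer_start = second + 1 + body_len
        total = trailer_start + 7  # "10=" + three digits + SOH
        if len(buf) < total:
            # Header is parsed, but body or trailer is still in flight:
            # keep the bytes and wait instead of discarding the message.
            return None
        trailer = bytes(buf[trailer_start:total])
        if trailer[:3] != b"10=" or trailer[6:7] != SOH:
            raise ValueError("BodyLength does not point at the trailer")
        if int(trailer[3:6]) != sum(buf[:trailer_start]) % 256:
            raise ValueError("CheckSum (tag 10) mismatch")
        msg = bytes(buf[:total])
        del buf[:total]
        return msg


def build_fix(body_fields):
    """Build a well-formed FIX 4.2 message from body fields (constructed sample data)."""
    body = b"".join(field + SOH for field in body_fields)
    head = b"8=FIX.4.2" + SOH + b"9=%d" % len(body) + SOH
    checksum = sum(head + body) % 256
    return head + body + b"10=%03d" % checksum + SOH


def demo():
    """Feed one message split exactly between body and trailer."""
    msg = build_fix([b"35=D", b"49=BUYER", b"56=SELLER", b"11=ORDER1"])
    framer = FixFramer()
    after_body = framer.feed(msg[:-7])     # header + body only
    after_trailer = framer.feed(msg[-7:])  # "10=nnn<SOH>" arrives later
    return after_body, after_trailer, msg


if __name__ == "__main__":
    first, second, original = demo()
    print(first, second == [original])
```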


759360-2 : Apply Policy fails due to policy corruption from previously enforced signature

Component: Application Security Manager

Symptoms:
Apply Policy fails due to policy corruption in PLC database from a previously enforced signature.

Conditions:
1. Export a policy containing a signature with an enforced rule.
2. Update ASM Signatures (ASU).
3. Import that previously exported policy.
4. Apply the newly imported policy.

Impact:
Apply policy fails.

Workaround:
As a workaround, run the following SQL, and then apply the policy:

----------------------------------------------------------------------
UPDATE PLC.PL_POLICY_NEGSIG_SIGNATURES SET previous_enforced_rule_md5 = '' WHERE previous_enforced_rule = '' and previous_enforced_rule_md5 != ''
----------------------------------------------------------------------


759192-3 : TMM core during display of PEM session under some specific conditions

Component: Policy Enforcement Manager

Symptoms:
TMM crashes during display of PEM session if the session has multiple IP addresses added under certain conditions.

Conditions:
-- Session has multiple IP addresses added.
-- When the session was created, addition of multiple IP addresses was not allowed.

Impact:
TMM restart. Traffic disrupted while tmm restarts.

Workaround:
Do not change the value of sys db variable tmm.pem.session.ip.addr.max while some sessions are already created.


759077-2 : MRF SIP filter queue sizes not configurable

Component: Service Provider

Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.

Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes is exceeded, the filter enables its flow control logic.

Impact:
Messages may be dropped.

Workaround:
None.


758996-3 : Data in the 'Last 4 hours' view have a 1-hour delay

Component: Application Visibility and Reporting

Symptoms:
AVR aggregates data hourly, so data reported in the 'Last 4 hours' view are shown with a 1-hour delay.

Conditions:
Viewing data in the 'Last 4 hours' view.

Impact:
Some data in the 'Last 4 hours' view is reported after a 1-hour delay.

Workaround:
None.


758992-2 : The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address

Component: Local Traffic Manager

Symptoms:
tmm may use a combination of the traffic-group MAC address and the per-VLAN MAC address for traffic associated with the traffic-group.

Conditions:
All of the following:
-- The traffic-group has a MAC address set.
-- The sys db variable 'tm.macmasqaddr_per_vlan' is set to true.
-- There are multiple tmm processes running on the BIG-IP system.

Note: BIG-IP Virtual Edition is not affected since there is only one tmm process.

Impact:
Incorrect MAC address used for traffic associated with the traffic-group.

Workaround:
None.


758879 : BIG-IP VE with ixlv devices does not reliably pass some traffic after hard-boot

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) with ixlv devices (Intel X710/XL710/XXV710 family) might not reliably pass traffic after a hard boot of the host on which it runs.

The tmm log contains messages similar to the following:

ixlv[0:8.0]: Error: AQ returned error -1 to request 10!
ixlv[0:8.0]: Error: Error -1 waiting for PF to complete operation 4
ixlv[0:8.0]: Error: WARNING: Error adding VF mac filter!
ixlv[0:8.0]: Error: WARNING: Device may not receive traffic!


The host's kernel log might contain messages similar to the following:

i40e 0000:06:00.0: VF is not trusted, switch the VF to trusted to add more functionality

Conditions:
-- BIG-IP VE with one or more virtual functions that utilize the ixlv driver within tmm.
-- Hard reboot the host and observe traffic.

Note: This issue might be dependent upon the version of the PF driver in the host, and has been observed with at least 2.1.4 and 2.4.10, but this list is incomplete.

Impact:
IPv6 and other network traffic may be handled unreliably.

Workaround:
Reboot the guest. This problem has been observed only on the very first boot after a hard boot of the host.


758764-2 : APMD Core when CRLDP Auth fails to download revoked certificate

Component: Access Policy Manager

Symptoms:
CRLDP Auth fails to download revoked certificates, so the list of revoked certificates remains empty (NULL). APMD cores while accessing this empty (NULL) list.

Conditions:
Empty revoked-certificate list handling.

Impact:
APMD core. No access policy enforcement for user sessions or any MPI-reliant processes, such as rewrite and websso, while apmd restarts.

Workaround:
None.


758714-1 : Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports.

Component: Local Traffic Manager

Symptoms:
Traffic does not pass through the BIG-IP system.

Conditions:
- Configure two trunk/LAG ports on a BIG-IP system.
- Create a virtual wire across it.

Impact:
Loss of service across the virtual wire.

Workaround:
None.


758704 : Excessive 'GuestInfoAddNicEntry: NIC limit (16) reached' logging

Component: Local Traffic Manager

Symptoms:
BIG-IP logs 'GuestInfoAddNicEntry: NIC limit (16) reached' messages every 30 seconds.

Conditions:
Configuring more than 16 VLANs on VMware where the VLAN limit is 16.

Impact:
BIG-IP logs 'GuestInfoAddNicEntry: NIC limit (16) reached' every 30 seconds, and it logs one entry for every VLAN above the maximum (for example, if you configure 20 VLANs, the message is logged 4 times).


758667-1 : BIG-IP VE HA actions are not invoked when offload hardware hangs

Component: TMOS

Symptoms:
When TMM detects a crypto or compression offload device hang it does not invoke the configured high availability (HA) action.

Conditions:
This occurs when the following conditions exist:
-- BIG-IP Virtual Edition (VE) Cryptographic Offload is licensed.
-- BIG-IP VE VM has been assigned QuickAssist Virtual Functions (VFs).
-- A QuickAssist endpoint associated with one of the VFs hangs.
-- BIG-IP VE executes crypto or compression operations.

Impact:
Client requests eventually time out.

Workaround:
None.


758631-4 : ec_point_formats extension might be included in the server hello even if not specified in the client hello

Component: Local Traffic Manager

Symptoms:
RFC 5246 states that if an extension does not exist in the client hello, it must not exist in the server hello. When an EC cipher suite is selected, the server might send the ec_point_formats extension, even if none exists in the client hello.

Conditions:
-- An EC cipher suite is selected.
-- The client does not send an ec_point_formats extension.

Impact:
Some clients abort the connection in this case.

Workaround:
There is no workaround other than not configuring any EC cipher suites.
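
One way to confirm this condition from a captured handshake, as an added Python example (not F5 code and not part of the original release note): it parses a ClientHello and ServerHello and lists extension types the server returned that the client never offered. Inputs are assumed to be raw handshake messages with the TLS record header already removed; the sample hellos are constructed, and the renegotiation_info allowance follows RFC 5746.

```python
import struct

EC_POINT_FORMATS = 11                   # IANA extension type ec_point_formats
RENEGOTIATION_INFO = 0xFF01             # RFC 5746 extension type
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746 signalling cipher suite


def _handshake_body(msg, expected_type):
    """Check the 4-byte handshake header and return the message body."""
    if len(msg) < 4 or msg[0] != expected_type:
        raise ValueError("unexpected handshake message type")
    if int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("handshake length does not match data")
    return msg[4:]


def _extension_types(body, off):
    """Return the extension types found at body[off:]; the block is optional."""
    if off == len(body):
        return []
    (total,) = struct.unpack_from("!H", body, off)
    off += 2
    end = off + total
    if end != len(body):
        raise ValueError("extensions length does not match message length")
    types = []
    while off < end:
        if off + 4 > end:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", body, off)
        off += 4 + ext_len
        if off > end:
            raise ValueError("extension overruns the extensions block")
        types.append(ext_type)
    return types


def parse_client_hello(msg):
    """Return (offered cipher suites, offered extension types)."""
    body = _handshake_body(msg, 1)
    off = 2 + 32                        # client_version + random
    off += 1 + body[off]                # session_id
    (cs_len,) = struct.unpack_from("!H", body, off)
    suites = list(struct.unpack_from("!%dH" % (cs_len // 2), body, off + 2))
    off += 2 + cs_len
    off += 1 + body[off]                # compression_methods
    return suites, _extension_types(body, off)


def parse_server_hello(msg):
    """Return (selected cipher suite, returned extension types)."""
    body = _handshake_body(msg, 2)
    off = 2 + 32                        # server_version + random
    off += 1 + body[off]                # session_id
    (suite,) = struct.unpack_from("!H", body, off)
    off += 2 + 1                        # cipher_suite + compression_method
    return suite, _extension_types(body, off)


def unsolicited_extensions(client_hello, server_hello):
    """Extension types in the ServerHello that the ClientHello did not offer."""
    suites, offered = parse_client_hello(client_hello)
    _, returned = parse_server_hello(server_hello)
    allowed = set(offered)
    if EMPTY_RENEGOTIATION_INFO_SCSV in suites:
        allowed.add(RENEGOTIATION_INFO)  # the SCSV counts as an offer
    return [t for t in returned if t not in allowed]


# --- Constructed sample messages (not captured traffic) ---
def _ext(ext_type, data=b""):
    return struct.pack("!HH", ext_type, len(data)) + data


def _hello(msg_type, fields, exts):
    body = b"\x03\x03" + bytes(32) + b"\x00" + fields
    if exts:
        block = b"".join(exts)
        body += struct.pack("!H", len(block)) + block
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


_CLIENT_FIELDS = struct.pack("!HH", 2, 0xC02F) + b"\x01\x00"  # one ECDHE suite
_GROUPS = _ext(10, b"\x00\x02\x00\x17")                       # supported_groups
_EPF = _ext(EC_POINT_FORMATS, b"\x01\x00")                    # uncompressed only

CLIENT_NO_EPF = _hello(1, _CLIENT_FIELDS, [_GROUPS])
CLIENT_WITH_EPF = _hello(1, _CLIENT_FIELDS, [_GROUPS, _EPF])
SERVER_WITH_EPF = _hello(2, struct.pack("!H", 0xC02F) + b"\x00", [_EPF])

if __name__ == "__main__":
    print(unsolicited_extensions(CLIENT_NO_EPF, SERVER_WITH_EPF))
    print(unsolicited_extensions(CLIENT_WITH_EPF, SERVER_WITH_EPF))
```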


758615-1 : Reconstructed POST request is dropped after DID cookies are deleted

Component: Application Security Manager

Symptoms:
POST Request is dropped during DID challenge.

Conditions:
POST request is issued a DID challenge.

Impact:
Request is dropped.

Workaround:
None.


758604-2 : Deleting a port from a single-port trunk does not work.

Component: TMOS

Symptoms:
Deleting a port from a single-port trunk does not work.

Conditions:
1. Disable all ports for a trunk, for example by disabling them on a directly connected switch. The last port is not deleted correctly.
2. Re-enable some other ports. The trunk now also uses the disabled port.

Impact:
No user connectivity depending on which port is used.

Workaround:
None.


758542-3 : OAuth database instance appears empty after upgrade from v13.x

Component: Access Policy Manager

Symptoms:
The database from a prior configuration does not seem to have any tokens. The tokens are being stored in a new database with a different name.

Conditions:
-- Upgrade from v13.x.
-- The name of one OAuth database instance is duplicated entirely in another instance name (for example, 'oauthdb' and 'oauthdbprod').

Impact:
Old database seems to have lost tokens. In the case of these two database instances:

oauthdb
oauthdbprod

Because the name 'oauthdb' is also present in the name 'oauthdbprod', the system creates a new database instance of 'oauthdb' at upgrade, so oauthdb will have an empty database.

Workaround:
Before upgrading, do the following:

1) Copy database oauth to another database with a completely different name.
2) Copy tokens in new database to the old, empty database.


758465-1 : TMM may crash or iRule processing might be incorrect

Component: Local Traffic Manager

Symptoms:
After modifying an iRule:
- The iRules on one or more virtual servers might fire in the wrong order.
- The iRules on one or more virtual servers might not fire at all.
- TMM might crash if the iRule event is modified again.
- TMM might crash if a virtual server is modified.

Conditions:
This occurs when all of the following conditions are met:

- An iRule is in use on more than one virtual server.
- The iRule occupies a different position in the iRule list on various virtual servers, and one or more of the other iRules define the same event.
- The iRule event is modified.

Impact:
Traffic interruption while TMM restarts.
Incorrect iRule processing.

Workaround:
None.


758437-6 : SYN w/ data disrupts stat collection in Fast L4

Component: Local Traffic Manager

Symptoms:
Fast L4 analytics reports very large integers for goodput.

Conditions:
BIG-IP receives SYNs with attached data.

Impact:
Goodput data is unreliable.

Workaround:
None.


758436-4 : Optimistic ACKs degrade Fast L4 statistics

Component: Local Traffic Manager

Symptoms:
Fast L4 Analytics reports very large integers for goodput.

Conditions:
Endpoints send ACKs for data that has not been sent.

Impact:
Goodput statistics are not usable in certain data sets.

Workaround:
None.


758387-2 : BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it

Component: TMOS

Symptoms:
In STP 'passthru' mode, any packet sent to the BIG-IP system with a destination MAC of 01-80-c2-00-00-00 is treated as an STP bridge protocol data unit (BPDU), and is flooded to the VLAN.

Conditions:
-- The BIG-IP system is configured for STP 'passthru' mode
-- The BIG-IP system receives a packet with MAC 01-80-c2-00-00-00.

Impact:
A packet that is not an STP BPDU, but is sent to the same destination MAC address may be flooded as if it was a BPDU.

Workaround:
None.


758348-1 : Cannot access GUI via hostname when it contains _ (underscore character)

Component: TMOS

Symptoms:
BIG-IP allows configuring a hostname with an embedded '_' (underscore). However, the BIG-IP GUI is not accessible when the hostname includes '_', and access results in a 400 Bad Request.

Conditions:
BIG-IP hostname includes '_'.

Impact:
BIG-IP GUI cannot be accessed.

Workaround:
There is no known workaround if having '_' in the hostname is a requirement.


758311-1 : Policy Compilation may cause MCPD to crash

Component: Local Traffic Manager

Symptoms:
If a policy has rules involving IPv6 addresses, and the addresses differ only on 32-bit boundaries, then the compilation of that policy may cause MCPD to crash.

Conditions:
-- A policy is attached to a virtual server.

-- That policy contains conditions that involve IPv6 addresses.

-- The addresses in different rules differ only on 32-bit boundaries.

Impact:
MCPD cores, and then restarts. The policy is not usable.

Workaround:
You can try either of the following:

-- It may be possible to create multiple rules from a given rule by altering the netmask.

-- Another possibility is to add a placeholder rule with no action that matches IP addresses differently.


758085-1 : CAPTCHA Custom Response fails when using certain characters

Component: Application Security Manager

Symptoms:
When setting the CAPTCHA Custom Response in the Bot Defense GUI, saving the profile fails when using certain characters.

For example, using the following response will return the error: 'black' unknown property

This question is for testing whether you are a human visitor and to prevent automated spam submission.

<p style="color: black; padding-right:20px">
<br>
%BOTDEFENSE.captcha.image% %BOTDEFENSE.captcha.change%
<br>
<b>What code is in the image\?</b>
%BOTDEFENSE.captcha.solution%
<br>
%BOTDEFENSE.captcha.submit%
<br>
<br>
Your support ID is: %BOTDEFENSE.captcha.support_id%.

Conditions:
Attempting to configure custom CAPTCHA response in the Bot Defense profile GUI.

Impact:
Cannot configure custom CAPTCHA response in the Bot Defense Profile GUI.

Workaround:
Use TMSH or REST API to configure the CAPTCHA Custom Response.


757992-3 : RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup

Component: Access Policy Manager

Symptoms:
RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup.

Conditions:
-- Configure Floating IP with route domain.
-- Configure RADIUS accounting server with Pool Setup.
-- Configure the virtual server containing the access policy to use the RADIUS Accounting server.
-- Access the virtual server.

Impact:
-- START message is being sent through proper egress floating IP address.
-- STOP message is not sent, and the system logs the following error message:
-- err tmm1[11193]: 01490586:3: (null):Common:8a505e8c: Processing radius acct stop message failed, connection failure.
-- err tmm1[11193]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_RTE. File: ../modules/hudfilter/access/access_session.c, Function: access_session_final_callback, Line: 4439.

Workaround:
This issue is present only when the floating IP address is configured with a non-default route domain. It works fine with the default route domain. Use of default route domain is recommended.


757985-1 : TMM memory leak

Solution Article: K79562045

Component: Local Traffic Manager

Symptoms:
-- TMM memory utilization baseline is slowly increasing.
-- The 'allocated' column of the 'tcl' row in the memory_usage_stat tmctl table is high and is close to the 'max_allocated' value.

Conditions:
-- The header-insert option in a custom HTTP profile is configured.
-- The profile is attached to a virtual server.

Impact:
Degraded performance, and eventual out-of-memory condition that may trigger a TMM crash. Traffic disrupted while tmm restarts.

Workaround:
Instead of the profile header-insert, use HTTP::header iRule commands.


757822-1 : Subroutine name should use partition name and policy name

Component: Access Policy Manager

Symptoms:
When you create an API per-request policy using the same name as a policy from another partition, BIG-IP generates an error similar to the following:

java.net.ProtocolException: status:400, body:{"code":400,"message":"transaction failed:01070734:3: Configuration error: DB validation exception, unique constraint violation on table (subroutine_properties) object ID (/TST/svc1-my_auth svc1-my_prp). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:subroutine_properties status:13)","errorStack":[],"apiError":2}.

Conditions:
-- Configure an API protection per-request policy in one partition with the same name as a policy in another partition.
-- Attempt to import or export the policy.

Impact:
Import / export functionality fails.

Workaround:
Ensure that names for API protection per-request policies are unique.


757782-1 : OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default

Component: Access Policy Manager

Symptoms:
Invalid 'sub' claim in JWT access token that is generated by OAuth Authorization Server.

Conditions:
-- OAuth Authorization Server is configured to return JWT access token.
-- Subject field is configured to be a session variable other than the default '%{session.assigned.uuid}'.

Impact:
Invalid value in 'sub' claim in JWT access token. If OAuth resource server depends on the value of 'sub' claim, then that functionality does not work.

Workaround:
Add Variable assign agent after OAuth Authorization agent, and assign session.assigned.oauth.authz.token.subject with the session variable name such as the following:
session.logon.last.logonname.


757781-3 : Portal Access: cookie exchange may be broken sometimes

Component: Access Policy Manager

Symptoms:
Portal Access uses special HTTP request with URL '/private/fm/volatile.html' to exchange cookie data between client and BIG-IP. Sometimes the BIG-IP system might send an invalid response to such a request. As a result, no cookie data can be sent from the backend server to the client.

Conditions:
Invalid response to HTTP requests with the following URL:
/private/fm/volatile.html.

Impact:
Portal Access client cannot see cookies set by the backend server. Backend server does not send cookie data to the client.

Workaround:
None.


757777-3 : bigtcp does not issue a RST in all circumstances

Component: Local Traffic Manager

Symptoms:
bigtcp does not issue a TCP reset, for example when using the iRule reject command on CLIENT_ACCEPTED.

Conditions:
-- bigtcp is in use.
-- A TCP connection is ungracefully shut down via a 'reject' command in an iRule.

Impact:
TCP RST is not sent, and the SYN is silently dropped.

Workaround:
None.


757722-2 : Unknown notify message types unsupported in IKEv2

Component: TMOS

Symptoms:
IKE negotiation fails when an unrecognized notify payload type is seen in a message processed by IKEv2.

Conditions:
Receiving an IKE message that contains a notify payload whose numeric type value is unrecognized by IKEv2.

Impact:
Negotiation fails with an aborted connection, preventing tunnel creation.

Workaround:
A peer can suppress notification payloads with advisory values that get rejected by IKEv2 within the BIG-IP system.


757572 : Virtual Edition doesn't support forging MAC addresses with Mellanox ConnectX-3 virtual functions

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) does not support forging MAC addresses when using virtual functions from Mellanox ConnectX-3 adapters. Without this, features like MAC Masquerading and VLAN groups do not function.

Conditions:
-- VE with a Mellanox ConnectX-3 virtual function.
-- Configuration requiring the use of non-default MAC addresses.

Impact:
Attempts to use these features with these NICs will not succeed, and traffic that relies on this configuration will not function.

Workaround:
None.


757519-1 : Unable to login using LDAP authentication

Component: TMOS

Symptoms:
User cannot log in using remote LDAP authentication. This occurs because LDAP with user-template uses the user-template username as the DN for search.

Conditions:
LDAP authentication configuration includes user-template, which is not a valid DN.

Impact:
Remote LDAP authentication users are unable to log in.

Workaround:
You can use either of the following workarounds:

-- Create a specific user for bind by configuring bind-dn and bind-pw and remove user-template.

-- Switch to local authentication.


757505-3 : peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket

Component: Local Traffic Manager

Symptoms:
When a session is restored using a session-ticket, the peer-cert-mode setting is not acknowledged.

Conditions:
-- Session tickets are enabled.
-- The peer-cert-mode in the client SSL profile is set to 'always'.
-- A session is restored using a ticket.

Impact:
The SSL client is validated only once, instead of each time.

Workaround:
Disable session ticket.


757441-4 : Specific sequence of packets causes Fast Open to be effectively disabled

Component: Local Traffic Manager

Symptoms:
You see this warning in the logs:

warning tmm[21063]: 01010055:4: Syncookie embryonic connection counter -1 exceeded sys threshold 64000.

Conditions:
-- TCP Fast Open and ECN are both enabled.
-- There are multiple RST segments from the receive window received in SYN_RECEIVED state.

Impact:
TCP Fast Open is disabled, as the pre_established_connections becomes very large (greater than a threshold).

Workaround:
Disable the TCP ECN option.


757431-1 : mcpd process killed after upgrade from 12.1.3

Component: Local Traffic Manager

Symptoms:
The BIG-IP appliance fails to become available after upgrade, and the mcpd process keeps restarting.

Conditions:
A BIG-IP system is upgraded from 12.1.3 to 14.1.0, with a very large configuration. For example, this was encountered with more than 8,000 virtual servers and more than 600 monitor instances.

Impact:
The BIG-IP system fails to become operational.

Workaround:
If you are encountering this, you can disable the mcpd heartbeat with the following command to complete the upgrade:

tmsh modify sys daemon-ha mcpd heartbeat disable

Once the upgrade is complete, enable the heartbeat:

tmsh modify sys daemon-ha mcpd heartbeat enable


757391-2 : Datagroup iRule command class can lead to memory corruption

Component: Local Traffic Manager

Symptoms:
When using the iRule command 'class' to access datagroups within a foreach loop, memory can be corrupted and tmm can crash.

Conditions:
A [class] command used within a foreach loop.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround aside from removing that iRule.


757360-1 : Category lookup returns wrong category on subsequent traffic following initial HTTP CONNECT traffic through SSLO

Component: Access Policy Manager

Symptoms:
Category lookup returns the wrong category on subsequent traffic following initial HTTP CONNECT traffic through F5 SSL Orchestrator (SSLO).

Conditions:
-- Outbound deployment configured in SSLO, where SSLO behaves as a transparent proxy.
-- A policy has a branch to look up the category using HTTP Connect.
-- An HTTPS client generates HTTPS traffic via an explicit proxy on the local network with a private address through SSLO as the gateway.

Impact:
Category Match is not performed on subsequent requests, resulting in the fallback branch being taken.

Workaround:
None.


757359-1 : pccd crashes when deleting a nested Address List

Component: Advanced Firewall Manager

Symptoms:
When removing a nested Address List or Port List, the pccd process might crash.

Conditions:
This might occur under the following conditions:
-- Removing a nested Address List or Port List using a tmsh transaction with an incorrect tmsh command order consistently results in this crash.

-- A high availability (HA) setup with config-sync enabled and there are intermittent problems with HA-connections, or out-of-memory system state, might intermittently result in this crash.

Impact:
pccd crashes with core, restarts, and correctly compiles the new configuration. There is a resulting, small delay in applying the new configuration due to the pccd restart.

Workaround:
-- If the crash occurs as a result of incorrect tmsh commands in a transaction, reorder the commands so that the parent list is modified or deleted before the nested list is deleted.

-- If the crash is an intermittent issue due to problems with HA-connections, or an out-of-memory system state, no action is necessary; pccd correctly compiles new configuration after it restarts.


757357-3 : Tmm crashes when using virtio direct descriptors and packets 2 KB or larger

Component: TMOS

Symptoms:
Some virtio backend implementations send large packets (2 KB or larger) even when LRO is disabled. If the backend uses direct descriptors, this combination might lead to a tmm core. The standard KVM implementation of virtio does not have this behavior.

Conditions:
-- BIG-IP Virtual Edition (VE) using virtio interfaces with direct descriptors.
-- A 2 KB or larger packet is delivered to the virtio interface.

Impact:
Tmm may restart. Traffic disrupted while tmm restarts.

Workaround:
To work around this issue, use this procedure:

1. Add the following line to /config/tmm_init.tcl:

device driver vendor_dev 1af4:1000 unic

2. Restart tmm using the following command:

bigstart restart tmm


757029-2 : Ephemeral pool members may not be created after config load or reboot

Component: Local Traffic Manager

Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP system reboot operation.

Conditions:
This may occur on affected BIG-IP versions when:

-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.

The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.

Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.

As a result, some pools may not have any active pool members, and do not pass traffic.

This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.

Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes:

tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configured FQDN name.


756998-1 : DoSL7 Record Traffic feature is not recording traffic

Component: Application Security Manager

Symptoms:
Enabling 'Record Traffic During Attacks' in the DoS Application Profile does not record traffic during attacks: TCP Dump files are not being created in the /shared/dosl7/tcpdumps/ directory as expected.

Conditions:
-- Enabling 'Record Traffic During Attacks' in the DoS Application Profile.
-- DoSL7 Attacks are detected.

Impact:
Attack traffic is not being recorded as expected.

Workaround:
None.


756877-1 : Virtual server created with Guided Configuration is not visible in Grafana

Component: Anomaly Detection Services

Symptoms:
The traffic of a virtual server created with the Guided Configuration is not visible with the Grafana monitoring tool.

Statistics of this virtual server are not included in the admdb part of qkview.

Conditions:
-- Create virtual server using Guided Configuration.
-- Use the Grafana monitoring tool to view virtual server statistics.
-- Create a qkview.

Impact:
Cannot view the virtual server using the Grafana monitoring tool. The resulting qkview contains no statistics for this virtual server. Lack of information for debugging and troubleshooting.

Workaround:
Configure the virtual server manually, without the Guided Configuration.


756830-1 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'

Component: TMOS

Symptoms:
The BIG-IP system may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'.

Conditions:
Connections match a virtual server that has the following settings:

- Connection mirroring is enabled.
- Source Port set to 'Preserve Strict'.

In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'.

Impact:
Source translation may fail on BIG-IP system, leading to client connection failures.

Workaround:
You can try either of the following:

-- Do not use the Source Port setting of 'Preserve Strict'.

-- Disable connection mirroring on the virtual server.


756820-2 : Non-UTF8 characters returned from /bin/createmanifest

Component: TMOS

Symptoms:
/bin/createmanifest reads values stored in mcpd for items that are obtained from firmware. These values might contain non-UTF8 characters. This program is called in qkview, which then gets uploaded to iHealth. If any non-UTF8 character is present, the output is omitted (because XML cannot handle non-UTF8 characters).

Conditions:
Data stored in mcpd obtained from firmware contain non-UTF8 characters.

Impact:
The upload to iHealth will not contain any of the manifest data set obtained via createmanifest.

Workaround:
The values can be obtained from the qkview by reading the qkview_run.data, but the convenience of reading them in iHealth is not available.


756477-2 : Drop Redirect tab incorrectly named as 'Redirect Drop'

Component: Advanced Firewall Manager

Symptoms:
Incorrect naming on navigation tabs Security :: Debug :: Drop Redirect.

Conditions:
Navigating to Security :: Debug :: Drop Redirect.

Impact:
The page name is Drop Redirect instead of Redirect Drop.

Workaround:
None.


756450-1 : Traffic using route entry that's more specific than existing blackhole route can cause core

Component: TMOS

Symptoms:
TMM asserts with 'Attempting to free loopback interface' message.

Conditions:
- Using blackhole routes.
- Have a route entry that is more specific than the existing blackhole route.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use /32 blackhole routes.


756418-1 : Live Update does not authenticate remote users

Component: Application Security Manager

Symptoms:
Remote users with Administrator or Application Security Administrator roles cannot run Live Update.

Conditions:
-- Remote user (LDAP/RADIUS).
-- Remote user logged in.
-- New installation is available.

Impact:
-- Remote users cannot manually check for updates.
-- Remote users cannot manually upload new files.
-- Remote users cannot install new update files.

Workaround:
Log in with a local user like admin, application security editor, or application security administrator.


756402-2 : Re-transmitted IPsec packets can have garbled contents

Component: TMOS

Symptoms:
Before re-transmitting a packet, it is discovered to be garbled, mainly in the form of having physical length that no longer matches the logical length recorded inside the packet.

Conditions:
Possibly rare condition that might cause packet freeing while still in use.

Impact:
Likely tunnel outage until re-established.

Workaround:
No workaround is known at this time.


756356-2 : External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long

Component: Local Traffic Manager

Symptoms:
iRules using the command 'class match' with the 'equals' operator on long entries fail to return a positive match, even if they are in the datagroup, for example:

my_datagroup:
"abcdefghijklmnopqrstuvwxyz0123456" := "value1"

class match "abcdefghijklmnopqrstuvwxyz0123456" equals my_datagroup

Conditions:
This is encountered when all of the following conditions are met:
- Using an external datagroup of type string with keys longer than 32 characters.
- Using an iRule with the 'class match' command and the 'equals' operator on the external datagroup.
- Trying to match keys that are longer than 32 characters.

Impact:
iRules that depend on the match act incorrectly.

Workaround:
If none of the keys in the datagroup are prefixes of each other, the 'equals' operator can be changed to 'starts_with' or 'ends_with' (if none are suffixes of each other).
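
The following is an added example, not F5 code: a Python audit of an external string data-group file that reports which keys exceed 32 characters and whether the prefix or suffix precondition of the workaround holds. The record syntax follows the sample above; the file contents, the function names and the class_match model of the operators are constructed for illustration.

```python
import re

KEY_LIMIT = 32  # keys longer than this are affected by the 'equals' issue above

# One record of an external string data group: "key" := "value",
# (the value and the trailing comma are optional)
_RECORD = re.compile(
    r'^\s*"((?:[^"\\]|\\.)*)"\s*(?::=\s*"((?:[^"\\]|\\.)*)"\s*)?,?\s*$'
)

# Constructed sample: the first key is the one shown in the Symptoms text.
SAMPLE_DATAGROUP = '''
"abcdefghijklmnopqrstuvwxyz0123456" := "value1",
"abcdefghijklmnopqrstuvwxyz0123456789" := "value2",
"short" := "value3"
'''


def parse_datagroup(text):
    """Return {key: value} for every record; raise on a line that is not a record."""
    records = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _RECORD.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a data-group record: {line!r}")
        records[m.group(1)] = m.group(2) or ""
    return records


def long_keys(keys, limit=KEY_LIMIT):
    """Keys that cannot be matched reliably with 'equals' on an affected version."""
    return sorted(k for k in keys if len(k) > limit)


def prefix_pairs(keys):
    """All (shorter, longer) pairs in which one key is a prefix of another."""
    ordered = sorted(set(keys))
    pairs = []
    for i, key in enumerate(ordered):
        # In sorted order, every key that starts with `key` directly follows it.
        for other in ordered[i + 1:]:
            if not other.startswith(key):
                break
            pairs.append((key, other))
    return pairs


def suffix_pairs(keys):
    """Same check for suffixes, done by reversing every key."""
    return [(a[::-1], b[::-1]) for a, b in prefix_pairs(k[::-1] for k in keys)]


def safe_operator(keys):
    """Operator the workaround permits for this key set, or None if neither applies."""
    keys = list(keys)
    if not long_keys(keys):
        return "equals"          # no key is long enough to hit the issue
    if not prefix_pairs(keys):
        return "starts_with"
    if not suffix_pairs(keys):
        return "ends_with"
    return None


def class_match(item, operator, keys):
    """Python model of 'class match <item> <operator> <datagroup>' semantics."""
    if operator == "equals":
        return item in keys
    if operator == "starts_with":
        return any(item.startswith(k) for k in keys)
    if operator == "ends_with":
        return any(item.endswith(k) for k in keys)
    raise ValueError(f"unsupported operator: {operator}")


if __name__ == "__main__":
    recs = parse_datagroup(SAMPLE_DATAGROUP)
    print("long keys:    ", long_keys(recs))
    print("prefix pairs: ", prefix_pairs(recs))
    print("suffix pairs: ", suffix_pairs(recs))
    print("safe operator:", safe_operator(recs))
```

Because 'starts_with' and 'ends_with' also match an input that is longer than the key, review any iRule that uses the data group for an allow or deny decision before switching operators.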


756311-4 : High CPU during erroneous deletion

Component: Policy Enforcement Manager

Symptoms:
The utilization of some CPUs in the system starts going up and remains so for a long time. You might see messages similar to the following in tmm logs:

-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.10.10%0-4a89723e; Instance ID mismatch ERR_OK for subscriber id 310012348494 with 10.1.10.10-0-4a8987ea.

-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.18.10%0-4a8b850c; Look up returned err ERR_OK for subscriber id 3101512411557

Conditions:
The exact conditions under which this occurs are unknown. One potential trigger is CDP flap.

Impact:
TMM may need to be restarted if the CPU usage does not subside. Traffic disrupted while tmm restarts.

Workaround:
Try deleting all subscribers from the CLI.


756270-4 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle

Component: Local Traffic Manager

Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.

Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.

Impact:
Handshake failure.

Workaround:
None.


756205-1 : TMSTAT offbox statistics are not continuous

Component: Application Visibility and Reporting

Symptoms:
When BIG-IP systems are managed by BIG-IQ, the device health statistics have gaps (missing samples).

Conditions:
BIG-IP systems managed by BIG-IQ.

Impact:
Missing data on device health, such as CPU load and memory occupancy.

Workaround:
None.


756177-2 : GTM marks pool members down across datacenters

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool members are marked down even though the monitored resource is available.

GTM debug logs indicate that each GTM is relying on the other GTM to conduct probing:

debug gtmd[13166]: 011ae039:7: Check probing of IP:Port in DC /Common/dc1.
debug gtmd[13166]: 011ae03a:7: Will not probe in DC /Common/dc1 because will be done by other GTM (/Common/gtm2).
---
debug gtmd[7991]: 011ae039:7: Check probing of IP:Port in DC /Common/dc2.
debug gtmd[7991]: 011ae03a:7: Will not probe in DC /Common/dc2 because will be done by other GTM (/Common/gtm1).

Conditions:
-- GTM configured in different data centers.
-- GTM pool configured with a single monitor, and the monitor uses an alias address that can be pinged from both data centers.
-- GTM pool members configured from different data centers.

Impact:
Pool members are marked down.

Workaround:
Instead of a single monitor, use a monitor created specifically for each data center.


756153-3 : Add diskmonitor support for MySQL /var/lib/mysql

Component: TMOS

Symptoms:
If the disk partition /var/lib/mysql is filled to 100%, diskmonitor does not notify that the partition is nearly exhausted.

Conditions:
The disk partition /var/lib/mysql is filled to 100%.

Impact:
diskmonitor does not notify that disk partition /var/lib/mysql is nearly exhausted.

Workaround:
None.


756108-1 : BD crash on specific cases

Component: Application Security Manager

Symptoms:
BD crash on specific cases.

Conditions:
Have a feature that requires Captcha/ Client side Integrity in ASM.

Impact:
No traffic to app.

Workaround:
None.


756102-2 : TMM can crash with core on ABORT signal due to non-responsive AVR code

Component: Application Visibility and Reporting

Symptoms:
ABORT signal is sent to TMM by SOD; TMM aborts with a core.

Conditions:
Non-responsive AVR code. No other special conditions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


756088-2 : The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address

Component: TMOS

Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.

The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.

Conditions:
-- There are multiple virtual servers associated with a virtual address.

-- The virtual-address icmp-echo is set to 'all' or 'any'.

-- The virtual-address route-advertisement is set to 'all' or 'any'.

Impact:
The BIG-IP might respond incorrectly to ICMP echo requests sent to a virtual-address.

-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP may not respond correctly after a virtual-address availability change.

-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.

The BIG-IP might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.

Workaround:
None.


756071-3 : MCPD crash

Component: TMOS

Symptoms:
mcpd crashes on out of memory.

Conditions:
A memory leak occurs when the following tmsh command is run:

tmsh reset-stats ltm virtual

Impact:
MCPD can run out of memory and crash. Traffic disrupted while mcpd restarts.

Workaround:
Try to use the reset-stats tmsh command sparingly.


755997-2 : Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address

Component: Local Traffic Manager

Symptoms:
When IPsec traffic is processed by a FastL4 profile, which is not related to an IPsec listener, and is sent out via a gateway pool or a dynamic route, the source address of this traffic can be erroneously changed to 127.0.0.x.

Conditions:
-- IPsec traffic is processed by a FastL4 profile, which is not related to an IPsec listener.
-- The traffic is sent out via a gateway pool or a dynamic route.

Impact:
The incorrect source address is used.

Workaround:
None.


755791-2 : UDP monitor not behaving properly on different ICMP reject codes.

Component: Local Traffic Manager

Symptoms:
Unexpected or improper pool/node member status.

Conditions:
The BIG-IP system receives the ICMP rejection code as icmp-net/host-unreachable.

Impact:
The monitor might consider a server available when some type of ICMP rejection has been received that is not port unreachable.

Workaround:
You can use either of the following workarounds:
-- Use UDP monitors configured with a receive string.
-- Do not use UDP monitors.


755727-2 : Ephemeral pool members not created after DNS flap and address record changes

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.

Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.

Conditions:
This issue may occur under rare timing conditions when the following factors are present:

-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.

Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.

Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:

1. Restart the dynconfd daemon:
bigstart restart dynconfd

2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }


To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.


755716-1 : IPsec connection can fail if connflow expiration happens before IKE encryption

Component: TMOS

Symptoms:
IKEv2 negotiation fails, and tmm log shows the following error:

notice [INTERNAL_ERR]: ikev2....: Invalid BIG-IP flow context

Conditions:
Unusual timing that results in connflow expiration immediately preceding Diffie Hellman generation.

Impact:
IKE Negotiation fails, so an SA cannot be established.

Workaround:
None.


755631-1 : UDP / DNS monitor marking node down

Component: Local Traffic Manager

Symptoms:
The UDP / DNS monitor marks nodes down.

Conditions:
-- UDP or DNS monitor configured.
-- Interval is a multiple of timeout.
-- The response is delayed by over one interval.

Impact:
Pool member is marked down.

Workaround:
Increase the interval to be greater than the response time of the server.


755630-1 : MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes

Component: Service Provider

Symptoms:
The media flows get terminated after the UDP idle timeout expires on a Standby device.

Conditions:
-- High availability (HA) configuration.
-- SIP media calls on a SIP-ALG with SNAT feature enabled.

Impact:
SIP calls fail to deliver media when HA failover occurs.

Workaround:
Partial mitigation is to set the UDP idle timeout to a higher value.


755585-1 : mcpd can restart on secondary blades if a policy is created, published, and attached to a vs in a single transaction

Component: Local Traffic Manager

Symptoms:
On a VIPRION cluster, if a single transaction creates a policy with the name Drafts/NAME, publishes the policy, and attaches the policy to a virtual server, mcpd restarts on the secondary blades.

Conditions:
-- VIPRION chassis with more than one blade.
-- Single mcp transaction that:
  * Creates a policy with 'Drafts/' as part of the policy name.
  * Publishes that policy.
  * Attaches that policy to a virtual server, either in the same transaction or a later transaction.

Impact:
mcpd restarts on all secondary blades of a cluster.

Workaround:
You can use either of the following workarounds:
-- Do not create policies with 'Drafts/' in the name.
-- Do not create and publish a policy in the same transaction.


755575-1 : In MOS, the 'image2disk' utility with the '-format' option does not function properly

Component: TMOS

Symptoms:
When the BIG-IP system boots, mcpd continually restarts.

Conditions:
This occurs if you issue the 'image2disk' command with the '-format' option in the MOS (Maintenance Operating System) shell.

Impact:
When the system boots, it cannot become active.

Workaround:
In the MOS shell, do not issue the 'image2disk' utility with the '-format' option. You can achieve the same result by following the shell guidance. To begin, type 'start<enter>'.

If the system is already in the defective state, use this shell command, and then reboot:

touch /.tmos.platform.init

The problem should be resolved.


755507-4 : [App Tunnel] 'URI sanitization' error

Component: Access Policy Manager

Symptoms:
URI sanitization error with app tunnel (application tunnel). The system posts messages similar to the following:
-- APM log: warning tmm[19703]: 01490586:4: /Common/AP-AD:Common:ff776e4a: Invalid Resource Access For RESOURCENAME. RST due to URI sanitization
-- LTM log: err tmm[19703]: 01230140:3: RST sent from 10.0.0.1:80 to 10.0.0.1:228, [0x2263e2c:7382] Unrecognized resource access (RESOURCENAME)

Conditions:
Access Policy that includes a 'Logon Page' and 'Advanced Resource Assign' (full webtop and app tunnel).

Impact:
APM does not send a response after receiving a request to 'GET /vdesk/resource_app_tunnels_info.xml'.

Workaround:
None.


755475-1 : Corrupted customization group on target after updating logon page agent field on source device and config sync

Component: Access Policy Manager

Symptoms:
After you change a logon page agent field and perform a config sync to another device, opening the logon agent in VPE on the sync target device results in an error.

Conditions:
1. Form a failover device group with two devices.

2. On one device, create an access policy with logon page agent. Initiate config sync to sync the policy to other devices. Verify everything is correct on target device (specifically: open VPE for the policy, Logon Page is in the policy, click on the agent, and edit box appears without issue).

3. On source device, launch VPE for the policy, click on Logon Page agent, make changes to Agent (e.g., choose 'password' type for field3). Save the change and make a config sync again.

4. Go to target device, open VPE for the policy, and click on the Logon Page agent in the policy.

Impact:
Config is not synced properly to another device in the device group.

Workaround:
In addition to changing the logon page field, also make a change in the 'Customization' section (e.g., update the text for Logon Page Input Field).


755447-1 : SSLO does not deliver content generated/originated from inline device

Component: Access Policy Manager

Symptoms:
If any inline service acting as a proxy generates content for the client while resetting the server side connection, then the client might not see the content, and will instead see a reset.

Conditions:
-- F5 SSL Orchestrator (SSLO) with inline services intercepting requests and replying without letting the content go to back-end server.
-- Inline services resetting the back-end connection.

Impact:
Client receives a reset instead of a redirect or error page.

Workaround:
None.


755311-1 : No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down

Component: Service Provider

Symptoms:
When TMM is shutting down with active DIAMETER connections, it does not send out any Disconnect-Peer-Request messages to its DIAMETER pool members.

Conditions:
- DIAMETER in use.
- Active connections from the BIG-IP system to its DIAMETER pool members.
- TMM is shutting down.

Impact:
The remote server is not notified of the change in DIAMETER peer status.

Workaround:
None.


755282-1 : [GTM] bigip_add password prompt for IPv4-mapped IPv6 address

Component: Global Traffic Manager (DNS)

Symptoms:
After running the bigip_add script without specifying a server address, the host address posted in the ssh password prompt is an IPv4-mapped IPv6 address for IPv4 servers.

For example:
Enter root password for 0000:0000:0000:0000:0000:FFFF:0A3C:010A

Conditions:
Run bigip_add without a server address, when the host address is an IPv4-mapped IPv6 address.

Impact:
There is no way to tell what the actual server name is without converting the IPv4-mapped IPv6 address back to an IPv4 address to find which password to enter, for example: 0A3C:010A to 10.60.1.10.

Workaround:
To work around this, edit the bigip_add script.

IMPORTANT: Make sure to back up the bigip_add script before making modifications.

1. Make the /usr folder writable:
# mount -o rw,remount /usr
2. Back up bigip_add:
# cp /usr/local/bin/bigip_add /shared/tmp/bigip_add.backup
3. Edit bigip_add by adding different 'print' output for IPv4 servers.

Replace this:
< print "Enter $ruser password for $ip if prompted\n";

With something similar to this:
> if ($ip =~ /0000:0000:0000:0000:0000:FFFF:/) {
> my $display_ipv4 = ipv6_to_ipv4($ip);
> print "Enter $ruser password for $display_ipv4 if prompted\n";
> } else {
> print "Enter $ruser password for $ip if prompted\n";
> }

NOTE: Do not modify the actual value for $ip.

Below is an example diff:
# diff /shared/tmp/bigip_add.backup /usr/local/bin/bigip_add
18a19
>
43a45,51
> sub ipv6_to_ipv4
> {
> my $in_addr = $_[0];
> my @ipv6 = split /:/, $in_addr;
>
> my $ipv6_part1 = hex ($ipv6[6]);
> my $ipv6_part2 = hex($ipv6[7]);
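Review bot: ipv6_to_ipv4 indexes $ipv6[6] and $ipv6[7] without checking that the split on ':' produced eight fields, so it is only correct because the caller's regex admits the fully expanded form. Add a guard such as "return $in_addr unless @ipv6 == 8;" directly after the split, so that a later caller passing a compressed address gets its input back instead of a dotted quad built from undefined fields.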
44a53,60
> my $ipv4_1=scalar($ipv6_part1>>8);
> my $ipv4_2=scalar($ipv6_part1&0xff);
> my $ipv4_3=scalar($ipv6_part2>>8);
> my $ipv4_4=scalar($ipv6_part2&0xff);
>
> my $ipv4 = "${ipv4_1}.${ipv4_2}.${ipv4_3}.${ipv4_4}";
> return $ipv4;
> }
75d90
<
152c167,173
< print "Enter $ruser password for $ip if prompted\n";
---
>
> if ($ip =~ /0000:0000:0000:0000:0000:FFFF:/) {
> my $display_ipv4 = ipv6_to_ipv4($ip);
> print "Enter $ruser password for $display_ipv4 if prompted\n";
> } else {
> print "Enter $ruser password for $ip if prompted\n";
> }
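Review bot: the pattern /0000:0000:0000:0000:0000:FFFF:/ in the 152c167,173 hunk is unanchored and case-sensitive, so an address that arrives with a lowercase 'ffff' falls through to the else branch and the prompt still shows the IPv6 form. Anchor the pattern with ^ and add the /i modifier, and note in a comment that only the fully expanded representation is handled.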
179d199
<


755254-1 : Remote auth: PAM_LDAP buffer too small errors

Component: TMOS

Symptoms:
You are unable to log into the BIG-IP system using an LDAP account.

The system might log the following message in /var/log/secure:
-- crit httpd[28010]: pam_ldap(httpd:account): buffer 'buffer_size' too small.

Note: This message might not be logged for all occurrences of this issue.

Conditions:
This occurs when the following conditions are met:

-- Remote-LDAP authentication is configured.
-- There is a user account with attributes longer than 255 characters in length.
-- That user attempts a logon to the BIG-IP system.

Impact:
LDAP authentication not working properly.

Workaround:
Configure user accounts with attributes shorter than 255 characters.
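
The following is an added example, not F5 code: a Python check that reads an LDIF export of the directory and lists the accounts whose attribute values exceed 255 characters, so they can be found before users report failed logons. It assumes that "attributes longer than 255 characters" refers to the decoded attribute value; the sample entries and function names are constructed.

```python
import base64

LIMIT = 255  # attribute length named in the Conditions above

_LONG_DN = "cn=" + "g" * 300 + ",dc=example,dc=com"   # 321 characters

# Constructed LDIF: one folded long value, one base64-encoded long value, one clean entry.
SAMPLE_LDIF = "\n".join([
    "version: 1",
    "",
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "uid: alice",
    "description: " + "A" * 60,      # 60 + 3 * 75 = 285 characters once unfolded
    " " + "A" * 75,
    " " + "A" * 75,
    " " + "A" * 75,
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "uid: bob",
    "memberOf:: " + base64.b64encode(_LONG_DN.encode()).decode(),
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "uid: carol",
    "description: short",
])


def unfold(text):
    """Join LDIF continuation lines (one leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return [(dn, [(attribute, value), ...]), ...] for each entry that has a dn."""
    entries, current = [], []
    for line in unfold(text) + [""]:            # the trailing "" flushes the last entry
        if line.startswith("#"):                # comment line
            continue
        if not line.strip():                    # a blank line ends an entry
            if current and current[0][0].lower() == "dn":
                entries.append((current[0][1], current[1:]))
            current = []
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if rest.startswith(":"):                # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        elif rest.startswith("<"):              # "attr:< <url>": value is not in the file
            value = ""
        else:                                   # "attr: <plain value>"
            value = rest.lstrip(" ")
        current.append((name, value))
    return entries


def oversized(text, limit=LIMIT):
    """Return [(dn, attribute, length)] for every value longer than `limit` characters."""
    hits = []
    for dn, attrs in parse_ldif(text):
        for name, value in attrs:
            if len(value) > limit:
                hits.append((dn, name, len(value)))
    return hits


if __name__ == "__main__":
    for dn, name, length in oversized(SAMPLE_LDIF):
        print(f"{dn}: {name} is {length} characters")
```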


755197-3 : UCS creation might fail during frequent config save transactions

Component: TMOS

Symptoms:
If 'tmsh save sys config' is run simultaneously with 'tmsh save sys ucs <file>', there is the possibility of a race condition where a file gets scheduled to be added to the UCS file, but gets deleted by the save-config before it actually gets saved.

Conditions:
-- Run 'save sys config' at the same time as 'save sys ucs <file>' in tmsh.
-- Files are getting added by one tmsh command, yet deleted by the other. For example, when deleting a file that has not been saved to the configuration, while the system tries to create a UCS that contains that to-be-deleted file.

Note: There are many operations in which 'save sys config' is performed internally, so running the 'save sys ucs <file>' operation might encounter the timing error any time, even when you are not manually running 'save sys config'.

Impact:
The UCS is not created, and system posts messages similar to the following:
-- config/bigip_base.conf/: Cannot stat: No such file or directory.
-- Exiting with failure status due to previous errors.
-- Operation aborted.

This is a rare, timing-related occurrence. Even though the 'save sys ucs <file>' aborts and logs errors, simply re-running the command is likely to succeed.

Workaround:
Re-run the 'save sys ucs <file>' after it aborts. Nothing else needs to be changed or restored.


755047-1 : Category lookup returns wrong category on CONNECT traffic through SSLO

Component: Access Policy Manager

Symptoms:
Category lookup returns wrong category on CONNECT traffic through F5 SSL Orchestrator (SSLO).

Conditions:
-- Outbound deployment configured in SSLO, where SSLO behaves as a transparent proxy.
-- A policy has a branch to look up the category using HTTP Connect.
-- An HTTPS client generates HTTPS traffic via an explicit proxy on local network with private address through SSLO as the gateway.

Impact:
Category Match is not performed, so the fallback branch is taken.

Workaround:
None.


755005-1 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations

Component: Application Security Manager

Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.

Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.

Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.

Workaround:
None.


754985-1 : Standby TMM may crash while processing mirrored TLS traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, the standby TMM may crash while processing mirrored TLS traffic.

Conditions:
-- Virtual server with server-side SSL
-- Connection mirroring enabled.

Impact:
High availability (HA) connection mirroring fails. Traffic disrupted while tmm restarts.

Workaround:
None.


754901-1 : Frequent zone update notifications may cause TMM to restart

Component: Global Traffic Manager (DNS)

Symptoms:
When there are frequent zone update notifications, the watchdog for TMM may trip and TMM crashes/restarts. There may also be 'clock advanced' messages in /var/log/ltm.

Conditions:
- Using DNS express.
- DNS zone with allow notify.
- Frequent zone NOTIFY messages resulting in zone transfers.

Impact:
TMM restart potentially resulting in failing or impacting services. Traffic disrupted while tmm restarts.

Workaround:
None.


754805 : Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured

Component: Advanced Firewall Manager

Symptoms:
tmm might crash and restart.

Conditions:
When AFM DoS badactor or attacked dst is configured on a vector, there is a race condition which can cause tmm to crash. The same race condition is present when single endpoint vectors are configured.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


754691-1 : During failover, an OSPF routing daemon may crash.

Component: TMOS

Symptoms:
With a specific OSPF configuration, during a failover, a peer which is changed from standby to active may experience an ospfd daemon crash.

Conditions:
High availability configuration with a routing configuration:
1) access-list with 0.0.0.0/0 filtering:
access-list 199 remark test
access-list 199 deny ip host 0.0.0.0 host 0.0.0.0
access-list 199 permit ip any any

2) OSPF router with this access-list:
router ospf 1
 ospf router-id 10.14.0.11
 bfd all-interfaces
 network 10.14.0.0/16 area 0.0.0.1
 distribute-list 199 in
!

-- The device with this configuration is in the standby state.
-- A failover occurs.

Impact:
An OSPF daemon crashes, losing routing information and OSPF dynamic routes for a moment while ospfd daemon restarts.

Workaround:
None.


754617-2 : iRule 'DIAMETER::avp read' command does not work with 'source' option

Component: Service Provider

Symptoms:
Configuring a 'source' option with the iRule 'DIAMETER::avp read' command does not work.

The operation posts a TCL error in /var/log/ltm logs:
err tmm3[11998]: 01220001:3: TCL error: /Common/part1 <MR_INGRESS> - Illegal value (line 1) error Illegal value invoked from within "DIAMETER::avp read 444 source [DIAMETER::avp data get 443 grouped]".

Conditions:
Using the 'DIAMETER::avp read' iRule command with a 'source' option.

Impact:
'DIAMETER::avp read' does not work with the 'source' option.

Workaround:
Use 'DIAMETER::avp get data' with the 'source' option, and re-create the header part when needed.


754615-2 : Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup.

Component: Service Provider

Symptoms:
tmm crashes.

Conditions:
-- SIP calls under load.
-- MRF-SIP-ALG setup.
-- Most of the calls re-use the conn flow.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.


754604-2 : iRule : [string first] returns incorrect results when string2 contains null

Component: Local Traffic Manager

Symptoms:
In an iRule, a command such as 'string first $string1 $string2' returns incorrect results when $string2 contains a null byte and $string1 is not found within $string2. When the same search is performed in tclsh, the expected -1 (not found) result is returned.

Conditions:
-- 'string first $string1 $string2' iRule.
-- string2 in an iRule contains a null byte.

Impact:
Operation does not return the expected -1 (not found) result, but instead returns an unexpected, random result.

Workaround:
None.


754542-2 : TMM may crash when using RADIUS Accounting agent

Component: Access Policy Manager

Symptoms:
TMM may crash when using RADIUS Accounting agent in either per-session or per-request policy.

Conditions:
- APM is provisioned and licensed.
- RADIUS Accounting agent is used in either per-session or per-request policy.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


754525-1 : Disabled virtual server accepts and serves traffic after restart

Component: Local Traffic Manager

Symptoms:
Disabled virtual servers accept traffic after being upgraded to an affected version, or after restarting.

Conditions:
1. A virtual server is configured on pre-v14.1.0.
2. Disable the virtual server.
3. Either upgrade to an affected version, or restart the system.

Impact:
The virtual server remains 'Disabled', but it accepts and processes traffic.

Workaround:
To correct the behavior, manually enable/disable the virtual server.
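
The following is an added example, not F5 code: a Python helper that reads configuration text in the bigip.conf stanza layout, lists every 'ltm virtual' marked disabled, and prints the tmsh commands for the workaround so they can be reviewed after an upgrade or restart. The sample configuration and function names are constructed, and running 'enabled' followed by 'disabled' is an assumed reading of "enable/disable".

```python
import re

_HEADER = re.compile(r'^ltm virtual (\S+) \{\s*$')
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')

# Constructed sample in the bigip.conf stanza layout.
SAMPLE_CONF = '''\
ltm virtual /Common/vs_legacy {
    description "retired { do not use"
    destination /Common/10.0.0.10:443
    disabled
    ip-protocol tcp
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_live {
    destination /Common/10.0.0.20:443
    ip-protocol tcp
    pool /Common/pool_live
}
ltm pool /Common/pool_live {
    members {
        /Common/10.0.1.5:80 {
            address 10.0.1.5
            session user-disabled
        }
    }
}
'''


def disabled_virtuals(config_text):
    """Return [(name, destination)] for every 'ltm virtual' stanza flagged 'disabled'."""
    found = []
    name, depth, props = None, 0, {}
    for line in config_text.splitlines():
        stripped = line.strip()
        if name is None:
            m = _HEADER.match(line)
            if m:                                # start of a virtual server stanza
                name, depth, props = m.group(1), 1, {}
            continue
        if depth == 1:                           # top-level properties only
            if stripped == "disabled":
                props["disabled"] = True
            elif stripped.startswith("destination "):
                props["destination"] = stripped.split(None, 1)[1]
        # Track nesting; braces inside quoted values must not be counted.
        unquoted = _QUOTED.sub('""', stripped)
        depth += unquoted.count("{") - unquoted.count("}")
        if depth == 0:                           # end of the stanza
            if props.get("disabled"):
                found.append((name, props.get("destination", "")))
            name = None
    return found


def workaround_commands(virtuals):
    """tmsh commands that toggle each listed virtual server and leave it disabled."""
    commands = []
    for name, _destination in virtuals:
        commands.append(f"tmsh modify ltm virtual {name} enabled")
        commands.append(f"tmsh modify ltm virtual {name} disabled")
    return commands


if __name__ == "__main__":
    hits = disabled_virtuals(SAMPLE_CONF)
    for name, destination in hits:
        print(f"disabled in config: {name} -> {destination}")
    print("\n".join(workaround_commands(hits)))
```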


754500-2 : GUI LTM Policy options disappearing

Component: TMOS

Symptoms:
Listed policies disappear under 'Do the following when traffic is matched' in Local Traffic :: Policies : Policy List :: {Rule Name} when pressing Cancel or Save and opening the list again.

Conditions:
Click the Cancel or Save button on the Local Traffic :: Policies : Policy List :: /Common/policy1:rule1 properties page.

Here are some specific steps to reproduce this issue (this procedure assumes you have at least one policy with at least one rule defined):
1. Navigate to Local Traffic :: Policies : Policy List :: /Common/policy1:rule1 to open the rule1 properties page.
2. In the section 'Do the following when the traffic is matched', click to open the first dropdown menu.
  - The system lists all of the items.
3. Click Cancel.
4. Click to reopen the properties page, and click the first dropdown menu.
  - The system lists fewer of the options.
5. Repeat steps 3 and 4.

Impact:
Options disappear from the list each time you click Cancel or Save. Cannot select options because they are no longer visible in the list.

Workaround:
To return all options to the list, use the refresh button in the browser.

You can also use the following tmsh command:
modify ltm policy Drafts/<policy name> modify { <rule name> { actions add { ...


754336 : BIG-IP VE cannot use MOS for reimaging with 4 GB of memory or less

Component: TMOS

Symptoms:
Attempting to perform a clean installation on a BIG-IP Virtual Edition (VE) using the Maintenance Operating System (MOS) may fail with 'no space left on device'.

Conditions:
This issue occurs when all of the following conditions are met:

-- The device is a BIG-IP VE with 4 GB of RAM or less.

-- You perform a clean installation of BIG-IP 14.1.0, or a clean installation of any earlier version after the system was previously upgraded to BIG-IP 14.1.0.

Note: An example of a clean installation is one initiated by the "image2disk --format=volumes" command.

Impact:
The installation fails. Once that has occurred, the system automatically reboots into the previously active boot location.

Workaround:
You can use either of the following workarounds:

-- Temporarily assign at least 5 GB of memory to the VE instance for the duration of the installation. You can then lower it after installation is complete.

-- Create a fresh image from one of the pre-populated images such as OVA or QCOW2 and migrate a previous configuration to it.


754335-1 : Install ISO does not boot on BIG-IP VE

Component: TMOS

Symptoms:
The install ISO does not boot on BIG-IP Virtual Edition (VE).

Conditions:
Attempting to boot a BIG-IP VE from a virtual DVD-ROM drive loaded with an affected ISO file.

Impact:
The system does not fully boot and hangs, preventing you from performing an installation or using the live environment for other recovery purposes.

Workaround:
To work around this issue, boot the BIG-IP VE from an ISO file earlier than 14.1.0. If necessary, install that version, and then upgrade to 14.1.0 using the live installer.


754257-2 : URL lookup queries not working

Component: Traffic Classification Engine

Symptoms:
Occasionally, there is no response to a url-categorization query.

Conditions:
This might occur under the following conditions:
-- When there are duplicate requests using tmsh.
-- When the connection is partially closed by the server.

Impact:
The URL does not get classified, so no actions can be taken against those URLs.

Workaround:
None.


754109-1 : ASM content-security-policy header modification violates Content Security Policy directive

Component: Application Security Manager

Symptoms:
When the backend server sends a content-security-policy header in which the source-src and default-src directives are missing, ASM modifies the header when it performs its own JavaScript injection, which might cause a CSP violation for inline JavaScript code.

Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- ASM policy has CSRF or AJAX Blocking page enabled.

Impact:
Inline JavaScript does not run. The browser reports a content-security-policy violation.

Workaround:
Disable CSP in ASM by running the following commands:
-- /usr/share/ts/bin/add_del_internal add csp_enabled 0
-- bigstart restart asm


753912-4 : UDP flows may not be swept

Component: Local Traffic Manager

Symptoms:
Some UDP connection flows do not show in the connection table but do show up in stats. This might occur when datagram_lb mode is enabled on the UDP profile and the system is under heavy load.

Conditions:
-- UDP profile with datagram_lb mode enabled.
-- System under heavy load.

Impact:
Increased memory utilization of TMM.

Workaround:
None.


753860-3 : Virtual server config changes causing incorrect route injection.

Component: TMOS

Symptoms:
Updating the virtual server to use a different virtual address (VADDR) does not work as expected. The system should remove the old VADDR route and inject the new route for the new virtual address. Instead, it injects incorrect routes into the routing protocols.

Conditions:
-- Change the VADDR on a virtual server.
-- Set route-advertisement on both VADDRs.

Impact:
Incorrect routes are injected into routing protocols.

Workaround:
None.


753650-2 : The BIG-IP system reports frequent kernel page allocation failures.

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)
- B4450 (A114)

Please note the issue is known to occur regardless of whether the system is running in vCMP mode or not, and regardless of whether the system is Active or Standby.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommended to increase this to either 64 MB (65536 KB) or 128 MB (131072 KB). You must do this on all blades installed in the system.

When instantiating this workaround, you must consider whether you want the workaround to only survive reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"
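
To judge how often the symptom occurs before and after the workaround, the failure lines can be tallied per process and allocation order. The following is an added example, not F5 code; the function names and the syslog prefix in the constructed sample are assumptions, and only the text from the process name onward follows the line shown above.

```shell
#!/bin/sh
# Constructed sample of /var/log/kern.log content. The timestamp/host/facility
# prefix is an assumed layout; the message part mirrors the page's example.
sample_kern_log() {
cat <<'EOF'
Mar  8 10:03:04 slot1/viprion warning kernel: swapper/16: page allocation failure: order:2, mode:0x104020
Mar  8 10:03:04 slot1/viprion warning kernel: Call Trace:
Mar  8 10:03:09 slot1/viprion warning kernel: swapper/16: page allocation failure: order:2, mode:0x104020
Mar  8 10:04:11 slot2/viprion warning kernel: kworker/2:1: page allocation failure: order:3, mode:0x104020
Mar  8 10:05:30 slot1/viprion info kernel: usb 1-1: new high-speed USB device
Mar  8 10:06:02 slot2/viprion warning kernel: swapper/3: page allocation failure: order:2, mode:0x104020
EOF
}

# Read kernel log text on stdin and print "<count> <process> order=<n>",
# most frequent first. "order:n" is a request for 2^n contiguous pages.
summarize_page_alloc_failures() {
    awk '
    /page allocation failure: order:/ {
        # Locate the message by its words so any syslog prefix is tolerated.
        for (i = 2; i + 3 <= NF; i++) {
            if ($i == "page" && $(i+1) == "allocation" && $(i+2) == "failure:") {
                proc = $(i-1)
                sub(/:$/, "", proc)        # strip only the trailing colon
                order = $(i+3)
                sub(/^order:/, "", order)
                sub(/,$/, "", order)
                count[proc " order=" order]++
                break
            }
        }
    }
    END {
        for (k in count) print count[k], k
    }' | sort -k1,1nr -k2,2
}

# Total number of failure events in the log text on stdin.
count_page_alloc_failures() {
    grep -c 'page allocation failure: order:' || true
}

# On a real system: summarize_page_alloc_failures < /var/log/kern.log
sample_kern_log | summarize_page_alloc_failures
```

Run it against each blade's log, since the workaround has to be applied on all blades.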


753594-2 : In-TMM monitors may have duplicate instances or stop monitoring

Component: Local Traffic Manager

Symptoms:
Most monitored resources (such as pools) report messages similar to the following:

Availability : unknown
Reason : The children pool member(s) either don't have service checking enabled, or service check results are not available yet.
 
A fraction of the monitored resources report the correct status based on the state of the resource.
 
Enabling bigdlog may show messages containing 'tmm_mid=x:0' (where x can be a value such as 0, 1, or 2). In the following example, it is tmm_mid=1:0:

[0][11288] 2019-03-08 10:03:04.608: ID 10859 :(_do_ping): post ping, status=UNKNOWN [ tmm?=true td=true tr=false tmm_mid=1:0 addr=::ffff:1.2.37.44:443 mon=/Common/https fd=-1 pend=0 #conn=0 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 next_ping=[1552068189.684126][2019-03-08 10:03:09] last_ping=[1552068184.684909][2019-03-08 10:03:04] deadline=[1552067610.048558][2019-03-08 09:53:30] on_service_list=True snd_cnt=119 rcv_cnt=0 ]
 

The following error might appear in /var/log/ltm:

-- failed to handle TMA_MSG_DELETE message: MID 0, error TMA_ERR_INVALID_MID(Monitor ID is invalid or unused)

Conditions:
-- Configure In-TMM monitoring with a sufficiently large number of monitored objects.
-- Modify monitors while pool members are in an offline state or perform rapid modification of In-TMM monitors.

Impact:
Some monitors may be executed multiple times per configured interval on a resource, and some monitors may not be executed at all against resources.

Workaround:
Switch to traditional bigd monitoring instead of In-TMM:

tmsh modify sys db bigd.tmm value disable
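
To scope which monitor instances show the 'tmm_mid=x:0' pattern described in the symptoms, the bigd debug log can be reduced to one line per address and monitor. This is an added example, not F5 code; the function names are hypothetical, and the sample lines are constructed and shortened from the line shown above (the 'tmm_mid=1:7' value and the extra addresses are made up for contrast).

```shell
#!/bin/sh
# Constructed sample of bigd debug log lines, shortened from the page's line.
# The non-zero value 'tmm_mid=1:7' is an assumption used only for contrast.
sample_bigd_log() {
cat <<'EOF'
[0][11288] 2019-03-08 10:03:04.608: ID 10859 :(_do_ping): post ping, status=UNKNOWN [ tmm?=true td=true tr=false tmm_mid=1:0 addr=::ffff:1.2.37.44:443 mon=/Common/https fd=-1 snd_cnt=119 rcv_cnt=0 ]
[0][11288] 2019-03-08 10:03:09.611: ID 10859 :(_do_ping): post ping, status=UNKNOWN [ tmm?=true td=true tr=false tmm_mid=1:0 addr=::ffff:1.2.37.44:443 mon=/Common/https fd=-1 snd_cnt=120 rcv_cnt=0 ]
[0][11288] 2019-03-08 10:03:05.102: ID 10860 :(_do_ping): post ping, status=UP [ tmm?=true td=true tr=false tmm_mid=1:7 addr=::ffff:1.2.37.45:443 mon=/Common/https fd=-1 snd_cnt=119 rcv_cnt=119 ]
[0][11288] 2019-03-08 10:03:06.330: ID 10861 :(_do_ping): post ping, status=UNKNOWN [ tmm?=true td=true tr=false tmm_mid=0:0 addr=::ffff:1.2.37.46:80 mon=/Common/http fd=-1 snd_cnt=88 rcv_cnt=0 ]
EOF
}

# Read bigd debug log text on stdin and print
# "<lines seen> <addr> <monitor> tmm_mid=<x>:0" for every monitor instance
# whose tmm_mid has 0 as its second component, most frequent first.
monitors_with_zero_mid() {
    awk '
    {
        mid = addr = mon = ""
        # The bracketed section is a list of key=value tokens.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^tmm_mid=/)   mid  = substr($i, 9)
            else if ($i ~ /^addr=/) addr = substr($i, 6)
            else if ($i ~ /^mon=/)  mon  = substr($i, 5)
        }
        if (mid ~ /^[0-9]+:0$/)
            seen[addr " " mon " tmm_mid=" mid]++
    }
    END {
        for (k in seen) print seen[k], k
    }' | sort -k1,1nr -k2,2
}

# Count the /var/log/ltm error quoted on the page in log text on stdin.
count_invalid_mid_errors() {
    grep -c 'TMA_ERR_INVALID_MID' || true
}

sample_bigd_log | monitors_with_zero_mid
```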


753526-1 : IP::addr iRule command does not allow single digit mask

Component: Local Traffic Manager

Symptoms:
When a plain literal IP address and mask are used in the IP::addr command, validation fails if the mask is a single digit.

Conditions:
The address mask is a single digit.

Impact:
Validation fails.

Workaround:
Assign address/mask to a variable and use the variable in the command.


753514-3 : Large configurations containing LTM Policies load slowly

Component: Local Traffic Manager

Symptoms:
Very slow performance when loading a configuration, for example, at system start up. During this time, the tmsh process shows high CPU usage.

Conditions:
BIG-IP 13.1.x, 14.x. A large configuration (1 MB or larger) with at least one, but more likely tens or hundreds, of LTM policies defined in the configuration.

Impact:
Slow configuration loading, or in cases with very large configurations, full config load may fail after a long wait. Slowness increases with overall configuration size and number of LTM policies defined.

Workaround:
None.


753501-1 : iRule commands (such as relate_server) do not work with MRP SIP

Component: Service Provider

Symptoms:
Some iRule commands (such as relate_server) fail when used in conjunction with Message Routing Protocol (MRP) SIP configurations using message routing transport.

Conditions:
-- MRP SIP configuration uses transport-config.
-- iRule command 'relate_server' is configured on the corresponding virtual server.

Impact:
iRule commands such as relate_server cannot be used with MRF SIP.

Workaround:
None.


753485-1 : AVR global settings are being overridden by HA peers

Component: Application Visibility and Reporting

Symptoms:
Configuration of AVR global settings is being overridden by high availability (HA) peers, and the systems thus report incorrectly to BIG-IQ Data Collection Devices (DCDs).

Conditions:
Configuring HA for systems connected to BIG-IQ.

Impact:
Configuration of BIG-IP systems in HA configuration can override each other. This might result in the following behavior:

-- They incorrectly identify themselves to BIG-IQ.
-- They report to the wrong DCD.
-- They report to DCD even if they are not configured to report at all.
-- They do not report at all even if they are configured to report.

Workaround:
None.


753423-6 : Disabling and immediately re-enabling the slot results in interfaces from the slot being permanently removed from aggregation

Component: TMOS

Symptoms:
working-mbr-count does not show the correct number of interfaces.

Conditions:
The slot is disabled and re-enabled immediately.

Impact:
Interfaces may be removed from an aggregation permanently.

Workaround:
Disable and re-enable the slot with a time gap of one second.


753163-4 : PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days

Component: Policy Enforcement Manager

Symptoms:
No connection request with PCRF/OCS if high availability (HA) failover occurs after 26 days. tmm crash

Conditions:
-- Using PEM.
-- HA failover occurs after 26 days.

Impact:
PEM does not send the reconnect request within the configured reconnect, so no connection is initiated with PCRF/OCS.

Workaround:
To restart the connection, restart tmm using the following command:
tmm restart

Note: Traffic disrupted while tmm restarts.


753159-1 : Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections

Component: Local Traffic Manager

Symptoms:
Mirrored serverside FastL4 connections do not inherit the IP ToS/QoS values from the selected pool or values set via iRule IP::tos/LINK::qos commands.

Conditions:
-- FastL4 virtual server with mirroring.
-- Pool with non-zero IP ToS/QoS values.
or
-- iRule with IP::tos/LINK::qos serverside commands

Impact:
IP ToS/QoS values are not set on mirrored connection after failover.

Workaround:
Configure the desired IP ToS/QoS values in the FastL4 profile.


753028-2 : AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule

Component: Advanced Firewall Manager

Symptoms:
When Proxy ARP is enabled for destination addresses in an FW NAT rule performing destination NAT (static-nat/static-pat), forwarding ICMP traffic matching that rule is incorrectly dropped by AFM instead of being forwarded through the BIG-IP system.

Conditions:
-- Proxy ARP is enabled for destination addresses in an FW NAT rule.
-- The BIG-IP system (AFM) receives forwarding ICMP traffic for these (untranslated) destination addresses.

Impact:
Forwarding ICMP traffic is dropped by the BIG-IP system.

Workaround:
You can disable Proxy ARP functionality for FW NAT rules to cause the BIG-IP system (AFM) to handle forwarding ICMP traffic correctly and pass it through the system to the backend.

However, this causes the BIG-IP system to not respond to ARP requests anymore for destination addresses in such rules. As a further mitigation action, you can configure static ARP entries to handle this.


753014-4 : PEM iRule action with RULE_INIT event fails to attach to PEM policy

Component: Policy Enforcement Manager

Symptoms:
PEM iRule action with RULE_INIT event fails to attach to PEM policy.

Conditions:
Attaching PEM policy with PEM iRule action that contains a RULE_INIT event.

Impact:
PEM fails to update the new iRule action.

Workaround:
Force mcpd to reload the BIG-IP configuration.

To do so, follow the steps in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.


753001-1 : mcpd can be killed if the configuration contains a very high number of nested references

Component: TMOS

Symptoms:
mcpd can be killed by sod if the configuration contains a very high number of nested references. This results in a core file due to a SIGABRT signal.

Conditions:
A very high number of nested configuration references (such as SSL certificate file objects).

Impact:
Failover or outage (if not HA). The system sends no traffic or status while mcpd restarts.

Workaround:
None.


752994-1 : Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod

Component: TMOS

Symptoms:
With a large number of client SSL profiles, combined with shallow nesting of these profiles, all referring to a single SSL certificate file object, mcpd can take a lot of time to process an update to that certificate. It is possible this amount of time will be longer than sod's threshold, and cause it to kill mcpd.

Conditions:
- A large number (hundreds or thousands) of client SSL profiles that have a shallow nesting structure and all point back to a single SSL certificate file object.
- Happens when the SSL certificate is updated.

Impact:
sod kills mcpd, which causes a failover (when high availability (HA) is configured) or an outage (when there is no HA configured).

Workaround:
None.


752930-3 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state

Component: Local Traffic Manager

Symptoms:
Virtual servers are left in an unknown state. The blade keeps restarting.

Conditions:
Change the default route domain (RD) of a partition with wildcard virtual servers.

Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop.

Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.

2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:

# ssh slot2 bigstart stop

# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109

# save sys config

# clsh rm -f /var/db/mcpdb.bin

# ssh slot2 bigstart start

Note: This recovery method might have to be executed multiple times to restore a working setup.


752875-2 : tmm core while using service chaining for SSLO

Component: Access Policy Manager

Symptoms:
tmm cores when using security services (service connect agent in per-request policies) for SSLO deployment.

Conditions:
-- Service connect agent in per-request policy.
-- SSLO deployment.

Impact:
tmm cores. Traffic disrupted while tmm restarts.

Workaround:
None.


752822-1 : SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type

Component: Service Provider

Symptoms:
SIP ALG calls that fail translation during ingress are not cleaned up by the system, which might result in memory being leaked inside the TMM processes.

Conditions:
SIP ALG calls that fail translation during ingress.

Impact:
TMM leaks memory, which can slow down performance and eventually cause TMM to run out of memory and restart. Traffic disrupted while tmm restarts.

Workaround:
None.


752803-1 : CLASSIFICATION_DETECTED running reject can lead to a tmm core

Component: Traffic Classification Engine

Symptoms:
When the CLASSIFICATION_DETECTED event is run on a serverside flow, and then an iRule command (e.g., to reject a flow) is run, tmm crashes.

Conditions:
-- CLASSIFICATION_DETECTED event runs on a serverside flow.
-- An iRule command runs (e.g., reject a flow).

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


752797-1 : BD is not correctly closing a shared memory segment

Component: Application Security Manager

Symptoms:
The number of shared memory segments is increasing.

Conditions:
There are many ASM restarts.

Impact:
Memory increases on the system.

Workaround:
None.


752530-1 : TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.

Component: Local Traffic Manager

Symptoms:
Fast L4 TCP Analytics reports incorrect goodput when the server sequence number and the TMM-generated sequence number are different.

Conditions:
This occurs when either of the following conditions is met:

-- tcp-generate-isn is set in the Fast L4 profile.
-- SYN cookie is active.

Impact:
The GUI page Statistics :: Analytics :: TCP :: Goodput displays incorrect goodput values.

Workaround:
None.


752334-1 : Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation

Component: Local Traffic Manager

Symptoms:
When Fast L4 receives out-of-order TCP packets, TCP analytics may compute a wrong goodput value.

Conditions:
Fast L4 receives out-of-order packets.

Impact:
Fast L4 reports an incorrect goodput value for the connection.

Workaround:
None.


752216-6 : DNS queries without the RD bit set may generate responses with the RD bit set

Solution Article: K33587043

Component: Global Traffic Manager (DNS)

Symptoms:
If the BIG-IP system is configured to use forward zones, responses to DNS queries may include the RD bit, even if the RD bit is not set on the query.

Conditions:
-- Forward zone is configured.
-- Processing a query without the RD bit.

Impact:
Some responses to DNS queries may include the RD bit, even though the RD bit is not set on the query. This is cosmetic, but some DNS tools may report this as an RFC violation.

Workaround:
None.


752163-1 : PEM::session info cannot set subscriber type and ID

Component: Policy Enforcement Manager

Symptoms:
Cannot set the subscriber type and ID with iRule PEM::session info <subs-id | subs-type | subscriber-type | subscriber-id > <value>.

Conditions:
Trying to set the subscriber type and ID attributes using the following iRule commands returns an error.

 PEM::session info <ip> subscriber-id <value>
 PEM::session info <ip> subscriber-type <value>
 PEM::session info <ip> subs-id <value>
 PEM::session info <ip> subs-type <value>

Impact:
Cannot set subscriber type and ID using the PEM::session info iRule command.

Workaround:
Set the subscriber type and ID together using the following iRule command.

PEM::session info <ip addr> subscriber <subscriber-id> <subscriber-type>


752078-2 : Header Field Value String Corruption

Component: Local Traffic Manager

Symptoms:
This is specific to HTTP/2.

In some rare cases, the header field value string can have one or more of its prefix characters removed by the BIG-IP.

Conditions:
If the header field value string is exceptionally long, and has embedded white space characters, this bug may occur.

Impact:
A header such as:

x-info: very_long_string that has white space characters

may be sent to the client thus:

x-info: ery_long_string that has white space characters


752047-1 : iRule running reject in CLASSIFICATION_DETECTED event can cause core

Component: Traffic Classification Engine

Symptoms:
The CLASSIFICATION_DETECTED iRule event can run very early when classification happens in the classification database (srdb). If the iRule then issues a reject command, tmm cores.

Conditions:
CLASSIFICATION_DETECTED on L4 executing reject command.

Impact:
tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
None.


751924-2 : TSO packet bit fails IPsec during ESP encryption

Component: TMOS

Symptoms:
An internal error occurs when a packet bit for TCP segmentation offload (TSO) unexpectedly reaches the crypto code for ESP in IPsec.

Conditions:
Traffic passing through ESP encapsulation for an IPsec tunnel when the TSO bit (for TcpSegmentationOffload) is set on the packet involved.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


751710-4 : False positive cookie hijacking violation

Component: Application Security Manager

Symptoms:
A false positive cookie hijacking violation.

Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with a higher domain level than the one configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken for the other site's cookie.

Impact:
False positive violation / blocking.

Workaround:
N/A


751589-1 : In BIG-IP VE, some IP rules may not be created during the first boot up.

Component: Local Traffic Manager

Symptoms:
The BIG-IP Virtual Edition (VE) system might not be able to install some IP rules in the host during the first boot up. As a result, some types of traffic (e.g., ssh) destined for the BIG-IP system via the data path (not via the management interface) might not be able to respond back to a sender. This issue exists only during the first boot into a new BIG-IP partition after installation.

Conditions:
This issue exists if the following conditions are met:
-- The BIG-IP system is VE.
-- Before installing a new BIG-IP image, the sys db variables 'liveinstall.saveconfig' and 'liveinstall.moveconfig' are both set to 'disable'. By default, both variables are set to 'enable'.
-- First boot into a new BIG-IP partition after installation.

Impact:
Some types of traffic (e.g., ssh) destined for the BIG-IP system via the data path (not via the management interface) might not be able to respond back to a sender.

Workaround:
You can use either of the following workarounds:

-- Restart mcpd using the following command:
bigstart restart mcpd

-- After the first boot into a new BIG-IP partition, you can simply reboot the BIG-IP system again, and then the necessary IP rules are created correctly.


751581-3 : REST API Timeout while querying large number of persistence profiles

Component: TMOS

Symptoms:
When the BIG-IP system has a large number of collections, a REST API request appears to time out without any response from the BIG-IP system.

Conditions:
The BIG-IP system has a large number of persistence profiles.

Impact:
The REST API request times out when it queries the BIG-IP system for persistence profiles. No response is sent for the request.

Workaround:
When you have a large number of collections, it is recommended to use the paging mechanism.

Please refer to https://devcentral.f5.com/d/icontrol-rest-user-guide-version-131-246.

"iControl ® REST supports pagination options for large collections."


751540-3 : GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server

Component: Global Traffic Manager (DNS)

Symptoms:
GTM changes in some devices are not synced to other GTM-configured devices in the same syncgroup.

Conditions:
-- There are multiple self IP addresses configured on one VLAN.
-- Some, but not all, self IP addresses are configured for GTM server.

Impact:
GTM Sync group not syncing properly.

Workaround:
Configure all self IP addresses in the syncgroup for GTM server.


751448-1 : TMM, ZebOS, and Linux routing table may lose dynamic routes on a tmm restart

Component: TMOS

Symptoms:
There are three major routing participants on a BIG-IP system: TMM, ZebOS, and Linux routing tables. Each of them replicates routes to the others. The 'bigstart restart tmm' command restarts tmm, and a part of the restart process is to mark VLAN interfaces DOWN and later UP. Another part of the same process is to restart the ZebOS daemons.

There is a race condition between these two events, so the following might happen:
1) tmm marks the interface named vlan1 as DOWN, and a bit later marks it as UP, but not UP and RUNNING.
2) The ZebOS daemons are restarted and ready to update interface status. They request a current status and mark interface UP, not UP and RUNNING.
3) tmm is fully restarted and marks vlan1 UP and RUNNING.
4) The ZebOS daemons reject dynamic routes because interface vlan1 is UP, but not RUNNING.

Conditions:
- BIG-IP Virtual Edition (VE).
- Dynamic routing is configured and there is a decide with some dynamic routes.
- You run the 'bigstart restart tmm' command.

Impact:
Traffic that relies on dynamic routes is interrupted. Because this is a race condition, it depends on configuration and timing.

Workaround:
Restart the tmrouted daemon using the following command:
bigstart restart tmrouted


751424-1 : HTTP Connect Category Lookup not working properly

Component: Access Policy Manager

Symptoms:
1. HTTP Connect Category Lookup does not return the correct category.
2. HTTP Connect Category Lookup cannot attach the service chain correctly.

Conditions:
-- Using SSLO iApp to configure a security policy.
-- Choose conditions 'Category Lookup (All)' and 'Category Lookup (HTTP Connect)'.

Impact:
Service chain is not correctly triggered based on the SSLO iApp policy selection when HTTP Connect traffic is passed.

Workaround:
There is no workaround at this time.


751409-1 : MCP Validation does not detect when virtual servers differ only by overlapping VLANs

Component: TMOS

Symptoms:
It is possible to configure two virtual servers with the same address, port, and route domain, and have them overlap only in VLANs. MCP does not detect the overlap.

Errors like this may be seen in the ltm log:

err tmm1[29243]: 01010009:3: Failed to bind to address

Conditions:
Two (or more) virtual servers have the same address, port, and route domain, and overlap only in VLANs.

Impact:
Traffic does not get routed properly.

Workaround:
There is no workaround other than ensuring that virtual servers that have the same address, port, and route domain have no overlap of VLANs.


751383-1 : Invalidation trigger parameter values are limited to 256 bytes

Component: WebAccelerator

Symptoms:
Invalidation trigger parameter values are limited to an internal representation of 256 bytes. The values are escaped for regex matching, so the effective value size from the user perspective can be somewhat smaller than 256 bytes. Oversize values result in invalidation of all content on the target policy node.

Conditions:
- AAM policy with invalidation trigger.
- Invalidation trigger request with a parameter value larger than 256 bytes.

Impact:
All content on target policy node is invalidated rather than the specific content targeted.

Workaround:
None.


751179-1 : MRF: Race condition may create too many outgoing connections to a peer

Component: Service Provider

Symptoms:
If two different connections attempt to create an outgoing connection to a peer at the same time, multiple connections may be created, even if the peer object is configured for one connection per peer. This is due to a race condition in message routing framework during connection creation.

Conditions:
-- Two different connections attempt to create an outgoing connection to a peer at the same time.
-- The peer is configured for one connection per peer.

Impact:
More than one connection to a peer is created.

Workaround:
None.


751116-1 : DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring

Component: Advanced Firewall Manager

Symptoms:
The DoS visibility screens (Monitoring :: Security :: Reporting :: DoS) may display DNS and Network protocol DoS attacks with the incorrect mitigation details.

Conditions:
An attacked object assigned to a DoS profile with either DNS or Network security protocols that are configured to have detect-only or learn-only states for DoS attacks.

Impact:
Network or DNS DoS attacks, detected by a DoS profile with detect-only or learn-only protection, display mitigation as Blocking instead of the configured Transparent protection. This does not affect the reported traffic data found in the DoS visibility dimensions and charts.

Workaround:
None.


751036-1 : Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone

Component: Local Traffic Manager

Symptoms:
Virtual server status becomes unavailable when the connections are over the rate limit, and stays unavailable when the number of connections falls below the limit.

Conditions:
-- The connections are over the rate limit, making the virtual server status unavailable.
-- The number of connections falls below the limit.

Impact:
Virtual server status reports unavailable, even though it should be available.

Workaround:
This problem does not impact virtual server processing traffic. It simply reports the wrong status.


751024-4 : i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd

Component: TMOS

Symptoms:
Messages similar to the following appear in /var/log/ltm:

info bcm56xxd: 012c0012:6: I2C muxes are not cleared. Problem with mux 224:

Conditions:
-- i5000/i7000/i10000 platforms.
-- May be caused by a defective optic, rebooting/upgrading BIG-IP, removing and reinserting optics.

Impact:
Changes in optic state may be ignored while I2C bus is unavailable.

Workaround:
For each SFP, perform the following procedure:

1. Unplug the optic.
2. Wait 10 seconds.
3. Plug optic back in.

Note: This message might be caused by a defective optic. If error messages stop when one optic is removed, and error messages resume when the optic is inserted, replace that optic.


751021-1 : One or more TMM instances may be left without dynamic routes.

Component: TMOS

Symptoms:
Inspecting the BIG-IP's routing table (for instance, using tmsh or ZebOS commands) shows that dynamic routes have been learnt correctly and should be in effect.

However, while passing traffic through the system, you experience intermittent failures. Further investigation reveals that the failures are limited to one or more TMM instances (all other TMM instances are processing traffic correctly). The situation does not self-recover and the system remains in this state indefinitely.

An example of a traffic failure can be a client connection reset with cause 'No route to host'. If the client retries the same request, and this hits a different TMM instance, the request might succeed.

Conditions:
This issue is known to occur when all of the following conditions are met:

- The system is a multi-blade VIPRION or vCMP cluster.

- The system just underwent an event such as a software upgrade, a reboot of one or more blades, a restart of the services on one or more blades, etc.

Impact:
Traffic fails intermittently, with errors that point to lack of routes to certain destinations.

Workaround:
You can try to temporarily resolve the issue by restarting the tmrouted daemon on all blades. To do so, run the following command:

# clsh "bigstart restart tmrouted"

However, there is no strict guarantee this will resolve the issue, given the nature of the issue.

Alternatively, you could temporarily replace the dynamic routes with static routes.


750823-1 : Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD

Component: Access Policy Manager

Symptoms:
Memory usage in TMM keeps going up.

Conditions:
Access::policy evaluate command fails with error message in /var/log/ltm:

TCL error: ... - Failed to forward request to apmd.

Impact:
Memory leaks in TMM, which eventually cause a TMM crash.

Workaround:
Limit the amount of data that will be forwarded to APMD.


750689-3 : Request Log: Accept Request button available when not needed

Component: Application Security Manager

Symptoms:
There are several violations that make a request unlearnable, but the Accept Request button is still enabled.

Conditions:
Request log has requests with the following violations that make requests unlearnable:
 - Threat Campaign detected
 - Null character found in WebSocket text message
 - Access from disallowed User/Session/IP/Device ID
 - Failed to convert character
+ 2 subviolations of HTTP protocol compliance failed violation:
 - Unparsable request content
 - Null in request
 - Bad HTTP version

or only the following violations were detected:
 - Access from malicious IP address
 - IP is blacklisted
 - CSRF attack detected
 - Brute Force: Maximum login attempts are exceeded

Impact:
The Accept Request button is available, but pressing it does not change the policy.


750631-2 : There may be a latency between session termination and deletion of its associated IP address mapping

Component: Access Policy Manager

Symptoms:
In SWG, if a new request from a client executes the iRule command "ACCESS::session exists" after the session has expired, the command returns false. However, if the command "ACCESS::session create" is executed following the exists command, the session ID of the previous session may be returned.

Conditions:
In SWG, a new request from a client IP comes into the system right after its previous session has expired.

Impact:
The Access filter will determine that the session ID is stale and, therefore, will redirect the client to /my.policy.


750586-2 : HSL may incorrectly handle pending TCP connections with elongated handshake time.

Component: TMOS

Symptoms:
HSL may incorrectly handle TCP connections that are pending 3-way handshake completion when the handshake exceeds the default handshake timeout.

Conditions:
-- HSL or ReqLog configured to send logging data to pool via TCP protocol.
-- TCP 3-way handshake takes longer than 20 seconds (the default handshake timeout) to complete.

Impact:
-- Service interruption while TMM restarts.
-- Failover event.

Workaround:
None.


750491-4 : PEM Once-Every content insertion action may insert more than once during an interval

Component: Policy Enforcement Manager

Symptoms:
Successful PEM content insertion accounting is lost during re-evaluation, resulting in more insertions per insertion interval.

Conditions:
During re-evaluation to update the existing flow.

Impact:
More insert content actions than expected occur when the Once-Every method of the insert content action is used.

Workaround:
None.


750473-4 : VA status change while 'disabled' are not taken into account after being 'enabled' again

Component: Local Traffic Manager

Symptoms:
The virtual-address network is not advertised with route-advertisement enabled.

Conditions:
1. Using a virtual-address with route advertisement enabled.
2. Disable virtual-address while state is down.
3. Enable virtual-address after state comes up.

Impact:
No route-advertisement of the virtual-address.

Workaround:
Toggle the route-advertisement for virtual-address.


750318-3 : HTTPS monitor does not appear to be using cert from server-ssl profile

Component: TMOS

Symptoms:
An HTTPS monitor using a client certificate configured in the server-ssl profile fails to send the certificate during the SSL handshake.

A tcpdump shows a 0-byte certificate being sent.

Conditions:
-- In-tmm monitoring is disabled (default).
-- The server-ssl profile has been modified but without changing the configured certificate or key.

The resulting message passed from mcpd to bigd will contain only the incremental modification to the profile, which bigd treats as a complete profile, meaning that it is possible for the certificate and key parameters to be lost.

Impact:
SSL handshake might fail to complete and the HTTPS monitor fails.

Workaround:
Restart bigd process by running the following command:
bigstart restart bigd


750213-4 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.

Solution Article: K25351434

Component: Global Traffic Manager (DNS)

Symptoms:
FPGA hardware-accelerated DNS Cache can respond improperly to DNS queries that contain EDNS OPT Records. This improper response can take several forms, ranging from not responding with an OPT record, to a query timeout, to a badvers response.

Conditions:
-- Using VIPRION B2250 blades.
-- This may occur if a client sends a query with an EDNS OPT record that has an unknown version or other values that the Hardware-accelerated Cache does not understand. These errors only occur when matching the query to a hardware cached response.

Note: If the response is not in the hardware cache, then the query should be properly handled.

Impact:
Hardware-accelerated DNS Cache drops the request. Clients will experience a timeout for that query.

This is occurring now because of the changes coming to software from certain DNS software vendors that remove specific workarounds on February 1st, 2019. This is known as DNS Flag Day.

Workaround:
None.


749785-2 : nsm can become unresponsive when processing recursive routes

Component: TMOS

Symptoms:
imish hangs, and the BIG-IP Network Services Module (nsm) daemon consumes 100% CPU.

Conditions:
-- Dynamic routing enabled
-- Processing recursive routes from a BGP peer with different prefixlen values.

Impact:
Dynamic routing and services using dynamic routes do not operate. nsm does not recover and must be restarted.

Workaround:
None.


749761-3 : AFM Policy with Send to Virtual and TMM crash in a specific scenario

Component: Advanced Firewall Manager

Symptoms:
TMM restart in a specific scenario when AFM Policy is configured in multiple contexts (Global, Route Domain, Virtual Server), with Log Translations enabled, and Send-To-VS feature configured in at least one of the rules in the Security Policy.

Conditions:
-- When using Firewall ACL Policy in more than one context, i.e., more than one of the following contexts has an ACL Security Policy applied:
  + Global Context
  + Route Domain
  + Virtual Server Context

-- Send To Virtual Server is configured on any Rule on the Security policy.

-- Traffic matching a Rule (with logging enabled) in more than one context.

-- AFM Security Logging Profile has log Translation Field Enabled.

Impact:
TMM restart causes service disruption. Traffic disrupted while tmm restarts.

Workaround:
Disable Logging of Translation Fields in Security Logging Profile.


749704-2 : GTPv2 Serving-Network field with mixed MNC digits

Component: Service Provider

Symptoms:
The iRule command 'GTP::ie get value' incorrectly decodes the Serving-Network field, putting the least significant digit of the mobile network code (MNC) value before the other two.

Conditions:
Using the iRule command 'GTP::ie get value' to retrieve the Serving-Network field from a GTP message (the iRule construction: GTP::ie get value -message $gtp_message 83).

Impact:
The operation returns results in which the least significant digit is inserted before the other two, resulting in incorrect data being returned.

Workaround:
None.


749689-2 : HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart

Component: Local Traffic Manager

Symptoms:
The HTTPS monitor sends a different number of cipher suites in the client hello during the SSL handshake, and sometimes the back-end server fails to find a desired cipher suite in the client hello. As a result, the SSL handshake sometimes fails and the monitor wrongly marks the pool member down.

Conditions:
-- Have an SSL profile to be used by an HTTPS monitor.
-- Load the same config more than once.

Impact:
HTTPS monitor might incorrectly mark pool member down because of a failed SSL handshake.

Workaround:
Restart bigd using the following command:
bigstart restart bigd


749528-1 : IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap

Component: Service Provider

Symptoms:
Under certain conditions the wrong self-IP can be selected as a source address for connections from an Internal Virtual Server to remote servers.

Conditions:
- Using an Internal Virtual Server (IVS).
- The VLAN being used to connect from the IVS to the server does not have a floating self-IP configured.
- At least one other VLAN has a floating self-IP configured.
- The primary virtual server that connects to the IVS is using SNAT automap.

Impact:
IVS traffic might not be routed properly.

Workaround:
- Configure a floating self-IP on the IVS server side VLAN.
or
- Use a SNAT pool instead of automap.


749508-1 : LDNS and DNSSEC: Various OOM conditions need to be handled properly

Component: Global Traffic Manager (DNS)

Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.

Conditions:
LDNS and DNSSEC OOM conditions.

Impact:
Various traffic-processing issues, for example, TMM panic during processing of DNSSEC activity.

Workaround:
None.


749414-4 : Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects

Component: Local Traffic Manager

Symptoms:
There are two symptoms:

-- Modifying the monitor for a node or pool-member might remove monitor rule instances and monitor instances for other nodes/pool-members.
-- After those unrelated monitor rule instances and monitor instances are removed, if you try to alter the state of the pool-member/node, the system posts the following message: Invalid monitor rule instance identifier.

Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is not in a pool.
-- Run the following command: tmsh load /sys config
-- Loading ucs/scf file can trigger the issue also.

Impact:
The system might delete monitor rule instances for unrelated nodes/pool-members. Pool members are incorrectly marked down.

Workaround:
Failover or failback traffic to the affected device.


749383-1 : Audit Log: 'cmd_data=list cm device recursive' are being generated continuously even the command has not been executed

Component: Device Management

Symptoms:
The system generates and logs the following message continuously, at the rate of 6 times a minute:

user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=list cm device recursive:.

Conditions:
This occurs in normal operation.

Impact:
Audit log file contains numerous 'cmd_data=list cm device recursive' messages.

Workaround:
None.


749222-1 : dname compression offset overflow causes bad compression pointer

Component: Global Traffic Manager (DNS)

Symptoms:
DNS requests receive error response:
- Got bad packet: bad compression pointer
- Got bad packet: bad label type

Conditions:
When a DNS response is large enough that a dname redirects to an offset larger than 0x3fff.

Impact:
DNS response is malformed.
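
The limit behind this issue, as an added example (not F5 code): a DNS compression pointer carries only a 14-bit offset, so a name first written beyond 0x3fff cannot be a pointer target. The sketch below builds a constructed response both ways; the unchecked OR in the clamp=False path and all names in the message are assumptions made for illustration.

```python
import struct

MAX_POINTER_OFFSET = 0x3FFF  # pointer = 0b11 + 14-bit offset (RFC 1035, section 4.1.4)


def encode_name(name, msg, offsets, clamp=True):
    """Append name to bytearray msg, compressing against suffixes already written.

    offsets maps a suffix (tuple of labels) to the offset where it first appears.
    clamp=False ORs the offset into the pointer unchecked (assumed failure mode).
    """
    labels = [part for part in name.rstrip(".").split(".") if part]
    for i, label in enumerate(labels):
        suffix = tuple(part.lower() for part in labels[i:])
        target = offsets.get(suffix)
        if target is not None and (target <= MAX_POINTER_OFFSET or not clamp):
            msg += struct.pack("!H", (0xC000 | target) & 0xFFFF)
            return
        offsets.setdefault(suffix, len(msg))
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label length out of range")
        msg.append(len(raw))
        msg += raw
    msg.append(0)  # root label ends an uncompressed name


def decode_name(msg, pos):
    """Return (name, offset after the name); raise ValueError on bad compression."""
    labels, next_pos, hops = [], None, 0
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        if (length & 0xC0) == 0xC0:
            if pos + 2 > len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack_from("!H", msg, pos)[0] & MAX_POINTER_OFFSET
            hops += 1
            if target >= pos or hops > 32:  # must point backwards, and not loop
                raise ValueError("bad compression pointer")
            if next_pos is None:
                next_pos = pos + 2
            pos = target
        elif length & 0xC0:
            raise ValueError("bad label type")
        elif length == 0:
            return ".".join(labels), (pos + 1 if next_pos is None else next_pos)
        else:
            if pos + 1 + length > len(msg):
                raise ValueError("truncated label")
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
            pos += 1 + length


def build_response(clamp):
    """Constructed message: header, one early name, filler, then names past 0x3fff."""
    msg = bytearray(struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0))
    offsets = {}
    encode_name("example.com", msg, offsets, clamp)        # offset 12
    msg += bytes(0x4002 - len(msg))                        # filler standing in for large record data
    far = len(msg)
    encode_name("big.zone.test", msg, offsets, clamp)      # first seen at 0x4002
    second = len(msg)
    encode_name("www.big.zone.test", msg, offsets, clamp)  # shares a suffix stored past 0x3fff
    third = len(msg)
    encode_name("mail.example.com", msg, offsets, clamp)   # suffix at offset 12 is still usable
    return bytes(msg), far, second, third


if __name__ == "__main__":
    for clamp in (True, False):
        data, far, second, third = build_response(clamp)
        try:
            print(clamp, decode_name(data, second)[0])
        except ValueError as err:
            print(clamp, "Got bad packet:", err)
```

With clamp=False the pointer for offset 0x4002 is emitted as 0xc002, which sends the decoder into the header bytes instead of the intended name.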


749057-1 : VMware Horizon idle timeout is ignored when connecting via APM

Component: Access Policy Manager

Symptoms:
VMware Horizon has an option to set idle timeout under "View Configuration\Global Settings\General\Client-dependent settings\For clients that support applications". When there is no keyboard or mouse activity for the given time, application sessions should be disconnected (desktop sessions remain connected, though).
This setting has no effect when connecting via APM.

Conditions:
VMware Horizon idle timeout setting for applications is configured and remote application is launched via APM.

Impact:
VMware Horizon idle timeout setting for applications has no effect.

Workaround:
None.


749041-2 : MRSIP log of subscriber deletion outputs '(null)' for subscriber URI

Component: Service Provider

Symptoms:
New logging was added for SIP subscriber registration and deletion. The deletion log MRSIPERR_SUBSCRIBER_DELETION_LOG() fails to show the subscriber URI, and instead, /var/log/ltm shows messages similar to the following:
MR_SIP: Subscriber registration deleted (xxx.xxx.xxx.xxx:5060 -> yyy.yyy.yyy.yyy:5060) subscriber URI: (null)

Conditions:
-- A SIP subscriber registration is deleted.
-- The log level DB variable log.mrsip.level is 'notice' or above.

Impact:
Prevents correlation of the deletion with the corresponding registration of the subscriber URI.

Workaround:
None.


749036-2 : Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM

Component: Access Policy Manager

Symptoms:
Some tmsh list commands may fail while SSLO is provisioned but no urldb or APM modules are provisioned with the following message: 'Password could not be retrieved'.

Conditions:
-- SSLO is provisioned.
-- Neither APM nor URLDB is provisioned.
-- Run the generic tmsh list command.

Impact:
tmsh command fails and posts the error: Unexpected Error: Password could not be retrieved.

Note: Some 'tmsh list' commands with arguments do run. For example, 'tmsh list net vlan' provides correct output, but 'tmsh list' does not.

Workaround:
There is no workaround other than provisioning APM or URLDB.

Note: You can provision APM or URLDB even if they are not licensed. Although the full feature set is not available without a license, provisioning loads the daemons needed to support the generic 'tmsh list' command.


748902-1 : Incorrect handling of memory allocations while processing DNSSEC queries

Component: Global Traffic Manager (DNS)

Symptoms:
tmm crashes.

Conditions:
-- Heavy DNS traffic using DNS security signatures.
-- Use of external HSM may aggravate the problem.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


748891-2 : Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system.

Component: Local Traffic Manager

Symptoms:
Potential MAC relearning at the switches the BIG-IP system is connected to.

Conditions:
-- DB variable connection.vlankeyed set to disabled.
-- Multiple virtual-wires configured on the BIG-IP system.
-- Client to server and server to client traffic using different virtual wires on the BIG-IP system.

Impact:
Packets reach their L3 destination using an unexpected L2 path.

Workaround:
None.


748851-3 : Bot Detection injection include tags which may cause faulty display of application

Component: Application Security Manager

Symptoms:
The Bot Detection feature / Bot Defense profile includes JavaScript which is injected within <APM_DO_NOT_TOUCH> tags. Some web applications may be displayed incorrectly due to these tags.

Conditions:
- Your application includes JavaScript which dynamically adds HTML elements and expects a certain set of tags in the <head> section of the HTML.
- Bot Detection / Bot Defense are enabled.

Impact:
Some web applications may be displayed incorrectly.

Workaround:
None


748813-3 : tmm cores under stress test on virtual server with DoS profile with admd enabled

Component: Anomaly Detection Services

Symptoms:
tmm cores

Conditions:
-- Systems under stress testing.
-- Virtual server with DoS profile with admd enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Turn off Behavioral DOS.


748572-2 : Occasionally ramcache might crash when data is sent without the corresponding event.

Component: Access Policy Manager

Symptoms:
Ramcache filter causes crash when sending data without HUDCTL_RESPONSE while in CACHE_COLLECT event.

Conditions:
When the access_policy_trace db variable is enabled, failure in insertion of policy path cookie in the header while sending a redirect to the client might cause the ramcache filter to SIGSEGV.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Turn off the access_policy_trace db variable.


748545-1 : Remove 'sys-unconfig' and 'rhel-configure' binaries and related systemd service

Component: TMOS

Symptoms:
The RHEL-related binaries 'sys-unconfig' and 'rhel-configure' are shipped with BIG-IP when they are not relevant.

Conditions:
Running a BIG-IP v14.1.x release

Impact:
Binaries with RHEL branding that are not used in BIG-IP are installed on the system and generate superfluous files.

Workaround:
N/A


748529-1 : BIG-IP Virtual Edition with cloudhsm integration needs to restart tmm after a fresh install

Component: Local Traffic Manager

Symptoms:
Right after a fresh BIG-IP install to a BIG-IP VE with cloudhsm integration, a nethsm key/cert enabled SSL client profile cannot be applied to a virtual server. A warning will be generated:

warning tmm1[19027]: 01260009:4: Connection error: hud_ssl_handler:1149: invalid profile (40)

Conditions:
Apply an SSL client profile with cloudHSM key/cert at AWS cloud.

Impact:
Virtual server enabled with cloudHSM key/cert can't be configured.

Workaround:
"bigstart restart tmm" after the fresh install.


748451-3 : Manager users cannot perform changes in per-request policy properties

Component: Access Policy Manager

Symptoms:
Users with Admin role can edit and administer per-request policy properties. Users with Manager role, which can manage most APM objects, cannot manage this specific one.

Conditions:
A user with the Manager role tries to modify or change per-request policy properties.

Impact:
Cannot manage per-request policy properties if user role is Manager.

Workaround:
There is no workaround other than having an Admin user manage these objects.


748295-1 : TMM crashes on shutdown when using virtio NICs for dataplane

Component: TMOS

Symptoms:
TMM crash on stop or restart.

Conditions:
1. Put the virtio NIC in a bad state while TMM is running (for example, detach the NIC from the host).
2. Run the following command: bigstart stop tmm

Impact:
TMM crash generates a core file. However, there is no impact on traffic as the device is already in a bad state before the crash.

Workaround:
None.


748253-1 : Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection

Component: Service Provider

Symptoms:
Depending on the DIAMETER settings of the BIG-IP system, there can be a race condition in a mirrored device cluster where the standby BIG-IP system resets its mirror connection to the active device.

Conditions:
-- MRF DIAMETER in use.
-- The DIAMETER session profile on the BIG-IP system is configured to use a non-zero watchdog timeout.
-- The DIAMETER session profile on the BIG-IP system is configured to use Reset on Timeout.
-- This is more likely to happen if (in the DIAMETER session profile) the Maximum Watchdog Failures is set to 1, and the Watchdog Timeout is configured to be the same value as the remote DIAMETER system.

Impact:
The standby is no longer mirroring the active system, and gets out of sync with it. There may be connections lost if a failover occurs.

Workaround:
To mitigate this issue:

1. Configure the Maximum Watchdog Failures to a value greater than 1.
2. Configure the Watchdog Timeout as something different from the same timeout on the remote peer, preferably to something that will have little overlap (i.e., the two timers should fire at the exact same time very infrequently).


748206-1 : Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position

Component: TMOS

Symptoms:
Browser becomes unresponsive.

Conditions:
Loading the network map with a virtual server that contains a forwarding rule policy in the second position.

Impact:
Browser becomes unresponsive and must be restarted.

Workaround:
Change the position of the forwarding rule policy.


748205-3 : SSD bay identification incorrect for RAID drive replacement

Component: TMOS

Symptoms:
On iSeries platforms with dual SSDs, the 'bay' of a given SSD indicated in the 'tmsh show sys raid' command may be incorrect. If a drive fails, or for some other reason it is intended to be replaced, and you are using the bay number listed from the tmsh command, the wrong drive could be removed from the system resulting in system failure to operate or boot.

Conditions:
iSeries platform with dual SSDs.

Impact:
Removal of the one working drive could result in system failure and subsequent failure to boot.

Workaround:
If you discover that you removed the incorrect drive, you can attempt to recover by re-inserting the drive into the bay that it was in, and powering on the device.

The following steps will help to avoid inadvertently removing the wrong drive:

As a rule for systems with this issue:
-- Power should be off when you remove a drive. This makes it possible to safely check the serial number of the removed drive.
-- Power should be on, and the system should be completely 'up' before you add a new drive.

Here are some steps to follow to prevent this issue from occurring.


1. Identify the failed drive, taking careful note of its serial number (SN). You can use any of the following commands to get the serial number:
     • tmsh show sys raid
     • tmsh show sys raid array
     • array
2. Logically remove the failed drive using the following command: tmsh modify sys raid array MD1 remove HD<>
3. Power down the unit.
4. Remove the fan tray and physically remove the failed drive.
5. Manually inspect the SN on the failed drive to ensure that the correct drive was removed.
6. Replace the fan tray.
7. Power on the unit with the remaining, single drive.
8. Once booted, wait for the system to identify the remaining (good) drive. You can confirm that this has happened when it appears in the 'array' command output.
9. Remove fan tray again (with the system running).
10. Install the new drive.
11. Use the 'array' command to determine that the new drive is recognized (Note: the tmsh commands do not show the new drive at this stage.)
12. Logically add the new drive using the following command: tmsh modify sys raid array MD1 add HD<>
13. Monitor the rebuild using any of the commands shown in step 1.

Note: You must follow these steps exactly. If you insert the new drive while the system is off, and you then boot the system with the previously existing working drive and the new blank drive present, the system recognizes the blank drive as the working Array member, and you cannot add it to the array. That means the system responds and replicates as if 'HD already exists'.


748187-4 : 'Transaction Not Found' Error on PATCH after Transaction has been Created

Component: TMOS

Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.

Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.

Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.

Workaround:
If the transaction is not very large, configure icrd_child to run single-threaded only.


748177-1 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character

Component: Global Traffic Manager (DNS)

Symptoms:
Multiple wildcards not matched to the most specific WideIP.

Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.

Impact:
DNS request will get wrong answer.

Workaround:
There is no workaround at this time.


748121-3 : admd livelock under CPU starvation

Component: Anomaly Detection Services

Symptoms:
Due to resource starvation, the worker thread of admd does not get CPU for more than two minutes. At the same time, the configuration thread does get CPU.

The admd heartbeat failure occurs at 120 seconds. The SOD daemon kills admd.

The system posts messages similar to the following:

-- notice sod[6783]: 01140041:5: Killing /usr/bin/admd pid 6732
-- warning sod[6783]: 01140029:4: HA daemon_heartbeat ADMD.Anomaly0 fails action is restart.
-- warning sod[6783]: 01140029:4: HA daemon_heartbeat ADMD.Publisher0 fails action is restart.

Conditions:
-- High CPU / memory utilization.
-- Very large configuration.

Note: There are no known special configuration requirements to have this occur.

Impact:
admd restarts.
Behavioral DoS does not work.

Workaround:
Reboot the BIG-IP system.


748070 : API Protection feature inadvertently allows editing of associated access policy

Component: Access Policy Manager

Symptoms:
This release contains a feature called API Protection. API Protection access policies are hidden from the user interface in most areas except the log settings area.

Conditions:
Modifying API Protection access policy from Access :: Overview :: Event Logs :: Settings.

Impact:
If the API Protection policy / profile is modified outside of the API Protection GUI, the 'Apply Access Policy' prompt may become activated with no way to deactivate it.

Workaround:
Navigate to the API Protection area and modify any part of the API Protection profile. This causes it to re-deploy, at which time the system clears the 'Apply Access Policy' prompt.


748044 : RAID status in tmsh is not updated when disk is removed or rebuild finishes

Component: TMOS

Symptoms:
'tmsh show sys raid' shows stale information.

When the RAID status changes because a disk fails, is pulled without being removed from the RAID, or when RAID rebuild completes, the new status is not updated to be visible in tmsh.

Log messages, SNMP traps and alerts associated with the change in RAID status do not appear.

Conditions:
-- Platforms that support RAID running 14.0.0 or later.
-- Running the command: tmsh show sys raid.

Impact:
'tmsh show sys raid' output might show disk as ok when it has actually failed, or may show the disk as rebuilding when it is actually ok.

Workaround:
From a bash shell run the command 'array' to see the correct state of the RAID.

If a disk has failed or been removed, the following tmsh command removes the disk from the RAID:

tmsh mod sys raid array <arrayName> remove <DiskName>


748031-1 : Invalidation trigger parameter containing reserved XML characters does not create invalidation rule

Component: WebAccelerator

Symptoms:
If a parameter value for an invalidation trigger contains reserved XML characters, compilation of the resulting invalidation rule fails due to the reserved characters not being escaped.

Conditions:
- AAM policy with invalidation trigger defined
- trigger request with parameter value(s) containing reserved XML characters

Impact:
The invalidation rule requested by the trigger request is not created. Content is not invalidated as expected.

Workaround:
No workaround exists.


747968-3 : DNS64 stats not increasing when requests go through dns cache resolver

Component: Local Traffic Manager

Symptoms:
DNS64 stats are not incrementing in the output of the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands if responses are coming from the DNS cache resolver.

Conditions:
DNS responses are coming from dns cache resolver.

Impact:
DNS64 stats not correct.

Workaround:
There is no workaround at this time.


747960-2 : BIG-IP VE with 1nic does not handle fragmented traffic to webui or ssh properly

Component: Performance

Symptoms:
Attempts to send fragmented packets destined for SSH or the webui of BIG-IP VE running with 1 NIC will fail. This is a rare situation generally, but one noted area where we have seen it is when BIG-IQ attempts to discover the BIG-IP.

Conditions:
BIG-IP VE configured with 1 network interface. Send IP fragmented traffic to either SSH or the web interface (TCP/8443 for 1nic).

Impact:
The IP fragments will not be properly reassembled and the connection will ultimately fail. This is only an issue for IP fragmented traffic sent with 1nic destined for SSH or the webui.

Workaround:
Prevent IP fragmentation, or configure multiple network interfaces.


747909-5 : GTPv2 MEI and Serving-Network fields decoded incorrectly

Component: Service Provider

Symptoms:
MEI and Serving-Network values obtained with the GTP::ie get iRule command contain digits swapped in pairs, with the first digit missing and a random digit added at the back.

Conditions:
Processing GTP traffic with iRules.

Impact:
It is impossible to obtain correct value of MEI and Serving-Network fields of the GTPv2 packets when processing with iRules.

Workaround:
No workaround.
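
A reference decode to compare against, as an added example (not F5 code) that serves both this issue and 749704-2: the MEI is TBCD (low nibble is the earlier digit) and the Serving-Network value packs MCC/MNC digits as laid out in 3GPP TS 29.274. The sample bytes, the MEI IE type 75 and the function names are constructed or assumed here; IE type 83 is the one quoted on this page.

```python
import struct

IE_MEI = 75              # Mobile Equipment Identity (assumed from 3GPP TS 29.274)
IE_SERVING_NETWORK = 83  # IE type used in the iRule construction on this page


def iter_ies(buf):
    """Yield (ie_type, instance, value) for each GTPv2 IE: type, 2-byte length, spare/instance."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated IE header at offset %d" % pos)
        ie_type, length, flags = struct.unpack_from("!BHB", buf, pos)
        pos += 4
        if len(buf) - pos < length:
            raise ValueError("IE %d claims %d bytes, %d left" % (ie_type, length, len(buf) - pos))
        yield ie_type, flags & 0x0F, bytes(buf[pos:pos + length])
        pos += length


def decode_tbcd(value):
    """Decode TBCD digits: low nibble first, then high nibble; a trailing 0xF is filler."""
    nibbles = [n for octet in value for n in (octet & 0x0F, octet >> 4)]
    if nibbles and nibbles[-1] == 0x0F:
        nibbles.pop()
    if any(n > 9 for n in nibbles):
        raise ValueError("non-decimal TBCD nibble")
    return "".join(str(n) for n in nibbles)


def decode_serving_network(value):
    """Return (mcc, mnc) from the 3-octet Serving-Network value."""
    if len(value) != 3:
        raise ValueError("Serving-Network value must be 3 octets")
    mcc = [value[0] & 0x0F, value[0] >> 4, value[1] & 0x0F]
    mnc = [value[2] & 0x0F, value[2] >> 4]  # MNC digits 1 and 2
    mnc3 = value[1] >> 4                    # MNC digit 3, or 0xF for a 2-digit MNC
    if mnc3 != 0x0F:
        mnc.append(mnc3)
    if any(d > 9 for d in mcc + mnc):
        raise ValueError("non-decimal PLMN digit")
    return "".join(map(str, mcc)), "".join(map(str, mnc))


def mnc_digit3_first(value):
    """The ordering described as the symptom of 749704-2: MNC digit 3 ahead of digits 1 and 2."""
    return "%d%d%d" % (value[1] >> 4, value[2] & 0x0F, value[2] >> 4)


def decode_ies(buf):
    """Decode the MEI and Serving-Network IEs found in a block of GTPv2 IEs."""
    out = {}
    for ie_type, _instance, value in iter_ies(buf):
        if ie_type == IE_MEI:
            out["mei"] = decode_tbcd(value)
        elif ie_type == IE_SERVING_NETWORK:
            out["serving_network"] = decode_serving_network(value)
    return out


# Constructed sample: MEI 3520990017614823, Serving-Network MCC 310 / MNC 260.
SAMPLE_IES = bytes.fromhex("4b0008005302990071168432" "53000300130062")

if __name__ == "__main__":
    print(decode_ies(SAMPLE_IES))
    print("digit 3 first:", mnc_digit3_first(bytes.fromhex("130062")))
```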


747907-2 : Persistence records leak while the HA mirror connection is down

Component: Local Traffic Manager

Symptoms:
Memory may leak on the active unit while the HA mirror connection is down.

Conditions:
-- Persistence configured which requires state stored on BIG-IP.
-- Mirroring configured on the persistence profile or the virtual server.
-- Mirror connection is down. For example, next active is down/offline/unavailable.

Impact:
Memory leak until the HA mirror connection is up. Once mirror connection is up, memory will be released.

Workaround:
- Disable persistence while HA mirror connection is down (e.g., performing maintenance).
- Disable session mirroring for iRules.
- Use persistence which does not require state stored on BIG-IP.
- Restore HA connection.


747727-1 : HTTP Profile Request Header Insert Tcl error

Component: Local Traffic Manager

Symptoms:
A TMM crash.

Conditions:
When the HTTP profile Request Header Insert field contains a Tcl interpreted string, Tcl is executed to expand the string before the header is inserted into the request header block.

If a Tcl error occurs

Impact:
In some cases this can cause TMM to crash. Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following to mitigate this:

-- Verify that your Tcl executes correctly in all cases.
-- Use a static string.


747676-3 : Remote logging needs 'localip' to set source IP properly

Component: TMOS

Symptoms:
The source IP of log entries sometimes uses the self-IP.

Conditions:
This happens when configuring the mgmt IP and route is slower than syslog-ng start.

This issue also happens in the HA scenario.

Impact:
Remote log entry has wrong source IP address.

Workaround:
Use the localip keyword to force a specific IP address.

udp("1.1.1.9" port (514) localip("100.100.100.101"));

In the case of an HA configuration, use the persist-name keyword or syslog-ng may fail to start.

# setting for device A
udp("1.1.1.9" port (514) localip("100.100.100.101") persist-name(devA) );
# setting for device B
udp("1.1.1.9" port (514) localip("100.100.100.102") persist-name(devB));


747628-1 : BIG-IP sends spurious ICMP PMTU message to server

Component: Local Traffic Manager

Symptoms:
After negotiating an MSS in the TCP handshake, BIG-IP then sends an ICMP PMTU message because the packet is too large.

Conditions:
The serverside allows timestamps and the clientside doesn't negotiate them.

The clientside MTU is lower than the serverside's.

There is no ICMP message on the clientside connection.

Impact:
Unnecessary retransmission by the server, suboptimal xfrag sizes (and possibly packet sizes).

Workaround:
Disable timestamps on the serverside TCP profile, or proxy-mss on the clientside profile.


747585-3 : TCP Analytics supports ANY protocol number

Component: Local Traffic Manager

Symptoms:
No TCP analytics data is collected for an ANY virtual server.

Conditions:
1. Provision AVR
2. Create a FastL4 server that accepts all protocols.
3. Attach a TCP Analytics profile
4. Try to run UDP traffic through it.

Impact:
No TCP analytics data is collected for TCP flows when a virtual server's protocol number is ANY.

Workaround:
There is no workaround at this time.


747560-5 : ASM REST: Unable to download Whitehat vulnerabilities

Component: Application Security Manager

Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.

Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.

Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided; they must be downloaded manually, or the GUI must be used.

Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.


747239-1 : TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection

Component: Local Traffic Manager

Symptoms:
TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection.

Conditions:
This might occur rarely when the HTTP/2 gateway is configured on a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.


747203-2 : Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding

Component: TMOS

Symptoms:
-- SYN/ACK packets arriving on a tunnel fail to be matched to an existing flow followed by a RST issued by the BIG-IP system.
-- The BIG-IP system reports 'no flow found'.
-- MAC addresses can contain random values, or fe:fe:fe:fe:fe:fe.

Conditions:
-- Using IKEv2 with both NAT-T and interface mode.
-- The BIG-IP is configured to use several tmm instances.
-- The combination of IP addresses and port numbers results in distributing legs of processing one flow across several tmm instances.

Impact:
NATT/ESP tunnel flows can end with a RST reset.

Workaround:
None.


747065-2 : PEM iRule burst of session ADDs leads to missing sessions

Component: Policy Enforcement Manager

Symptoms:
Some PEM sessions that were originally added, later disappear and cannot be added back.

Conditions:
-- Subscriber addition is done by iRule on UDP virtual servers.
-- The sessions are added in a burst.
-- A small fraction of such sessions cannot be added back after delete.

Impact:
Policies available in the missing session cannot be accessed.

Workaround:
Add a delay of at least a few milliseconds between adding multiple sessions with the same subscriber-id and IP address.


746922-6 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.

Component: Local Traffic Manager

Symptoms:
When a routing entity belonging to the child route domain searches for an egress point for a traffic flow, it first searches for a routing entry in the child domain; if nothing is found, it searches the parent route domain and returns the best routing entry found.

If the best routing entry from the parent route domain is selected, then it is held by a routing entity and is used to forward a traffic flow. Later, a new route entry is added to the child route domain's routing table and this route entry might be better than the current, previously selected, routing entry. But the previously selected entry doesn't get invalidated, thus the routing entity that is holding this entry is forwarding traffic to a less-preferable egress point.

Example:
RD0 (parent) -> RD1 (child)
Routing table: the default gw for RD0 is 0.0.0.0/0%0
Pool member is 1.1.1.1/32%1

The pool member searches for the best egress point, finds nothing in the routing table for route domain 1, and then finds a routing entry from the parent route domain: 0.0.0.0/0%0.

Later, a new gw for RD1 is added: 0.0.0.0/0%1, which is preferable for the 1.1.1.1/32%1 pool member. 0.0.0.0/0%0 should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, in this case 0.0.0.0/0%1.

Conditions:
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. New routing entry for child route domain is added.

Impact:
If a newly added route is preferable to an existing one in a different route domain, the new, preferable route is not used by a routing object that has previously selected a route. Thus, traffic flows through these routing objects to an unexpected/incorrect egress point. This might result in undesirable behavior:
-- The route might be unreachable, and all traffic for a specific pool member is dropped.
-- The virtual server cannot find an available SNAT address.
-- Simply, the wrong egress interface is being used.

Workaround:
Use either of these workarounds after a new route in the child domain is added.

-- Recreate a route.
Recreate a parent route domain's routes. Restart tmrouted daemon if routes are gathered via routing protocols.

-- Recreate a routing object.
  - If a pool member is affected, recreate the pool member.
  - If a SNAT pool list is affected, recreate it.
  - And so on.


746877-1 : Omitted check for success of memory allocation for DNSsec resource record

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.

Conditions:
During memory stress while handling DNSsec traffic.

Impact:
TMM panic and subsequent interruption of network traffic.

Workaround:
Keeping the workload within normal ranges reduces the probability of encounter.


746837-2 : AVR JS injection can cause error on page if the JS was not injected

Component: Application Visibility and Reporting

Symptoms:
If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR 'promises' to the client a JS injection in the response by adding the expected length of the JS to the Content-length header.

If later, it is identified that the response contains no HTML tag, AVR does not inject the JS; instead it wraps the response with spaces.

This can lead to errors in cases where the change in response size is not supported.

Conditions:
AVR is configured to collect 'Page Load Time' and the response from the web server has these conditions:
-- The response is uncompressed.
-- The Content-Type header is text/html.
-- The response is not chunked (Content-Length header exists).
-- The payload does not include the HTML head tag.

Impact:
Whitespace at the end of the page can make it invalid for some applications.

Workaround:
To avoid trying to inject into pages where the JS does not fit, use iRules to control which pages should get the JS injection.

For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.


746825-1 : MRF SIP ALG with SNAT: Ephemeral listeners not created for un-subscribed outgoing calls

Component: Service Provider

Symptoms:
When a temporary registration is created for an un-subscribed user making an outgoing call, an ephemeral listener to receive incoming messages is not created.

Conditions:
If the nonregister-subscriber-callout attribute in the siprouter-alg profile is enabled, and an unregistered client device places an outgoing call, a temporary registration is created. This temporary registration lives for the life of the call. If the connection from the client is closed during the lifetime of the temporary registration, it is not possible for an external device to reach the client.

Impact:
The callee of an outgoing call initiated by an un-registered SIP device will not be able to end the call.

Workaround:
There is no workaround at this time.


746768-4 : APMD leaks memory if access policy contains variable/resource assign policy items

Component: Access Policy Manager

Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.

Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.

Impact:
APMD's memory footprint will increase whenever the access policy is applied.

Workaround:
There is no workaround.


746731-1 : BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set

Component: Service Provider

Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.

Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Firmware-Revision AVP.

Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.

Workaround:
Configure an iRule in the MRF transport-config, for example:

ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 267 0
        }
    }
}
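
To confirm from a packet capture whether the workaround took effect, the check below parses a Diameter message and reports whether a Capabilities Exchange Request carries Firmware-Revision (AVP 267) with the Mandatory bit set. This is an added example, not F5 code: the two CER messages and the host name in them are constructed samples, and the header layout and flag values are those of RFC 6733.

```python
import struct

# Values from RFC 6733 (Diameter base protocol).
CMD_CAPABILITIES_EXCHANGE = 257   # CER/CEA command code (the "257" in the iRule)
AVP_ORIGIN_HOST = 264
AVP_FIRMWARE_REVISION = 267       # the AVP code the iRule rewrites
AVP_FLAG_VENDOR = 0x80            # V bit: a 4-byte Vendor-Id follows the length
AVP_FLAG_MANDATORY = 0x40         # M bit
MSG_FLAG_REQUEST = 0x80           # R bit in the message header


def build_avp(code, flags, data):
    """Encode one AVP without Vendor-Id, padded to a 4-byte boundary."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def build_message(command, msg_flags, avps):
    """Encode a Diameter message: 20-byte header followed by the AVPs."""
    body = b"".join(avps)
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big")
            + bytes([msg_flags]) + command.to_bytes(3, "big")
            # application id, hop-by-hop id, end-to-end id (constructed)
            + struct.pack("!III", 0, 0x11111111, 0x22222222)
            + body)


def parse_message(raw):
    """Return (command, is_request, [(avp_code, avp_flags, data), ...])."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    total = int.from_bytes(raw[1:4], "big")
    if total < 20 or total > len(raw):
        raise ValueError("truncated message")
    is_request = bool(raw[4] & MSG_FLAG_REQUEST)
    command = int.from_bytes(raw[5:8], "big")
    avps, offset = [], 20
    while offset < total:
        if total - offset < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, offset)
        length = int.from_bytes(raw[offset + 5:offset + 8], "big")
        header = 12 if flags & AVP_FLAG_VENDOR else 8
        if length < header or offset + length > total:
            raise ValueError("bad AVP length")
        avps.append((code, flags, raw[offset + header:offset + length]))
        offset += length + (-length % 4)   # skip padding to the next AVP
    return command, is_request, avps


def cer_has_mandatory_firmware_revision(raw):
    """True if raw is a CER whose Firmware-Revision AVP has the M bit set."""
    command, is_request, avps = parse_message(raw)
    if command != CMD_CAPABILITIES_EXCHANGE or not is_request:
        return False
    return any(code == AVP_FIRMWARE_REVISION and flags & AVP_FLAG_MANDATORY
               for code, flags, _ in avps)


# Constructed samples: a CER as described in the symptom (M bit set on AVP 267)
# and the same CER after "DIAMETER::avp flags set 267 0" has cleared the flags.
ORIGIN_HOST = build_avp(AVP_ORIGIN_HOST, AVP_FLAG_MANDATORY, b"bigip.example.test")
CER_BEFORE = build_message(
    CMD_CAPABILITIES_EXCHANGE, MSG_FLAG_REQUEST,
    [ORIGIN_HOST, build_avp(AVP_FIRMWARE_REVISION, AVP_FLAG_MANDATORY, struct.pack("!I", 1))])
CER_AFTER = build_message(
    CMD_CAPABILITIES_EXCHANGE, MSG_FLAG_REQUEST,
    [ORIGIN_HOST, build_avp(AVP_FIRMWARE_REVISION, 0, struct.pack("!I", 1))])

if __name__ == "__main__":
    for label, msg in (("before iRule", CER_BEFORE), ("after iRule", CER_AFTER)):
        print(label, "-> M bit on Firmware-Revision:",
              cer_has_mandatory_firmware_revision(msg))
```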


746719-1 : SERVFAIL when attempting to view or edit NS resource records in zonerunner

Component: Global Traffic Manager (DNS)

Symptoms:
While attempting to use ZoneRunner to edit NS resource records, getting error:
01150b21:3: RCODE returned from query: 'SERVFAIL'.

Conditions:
- An NS resource record is selected using the zonerunner GUI
- The NS record points to a zone that bind is not authoritative for.
- Recursion is enabled on the zone in question
- The bind process is not able to reach the nameserver referenced in the NS record.

Impact:
Administrator is unable to use ZoneRunner to edit NS records.

Workaround:
Set recursion to no for the appropriate zone, perform the change, set recursion back to yes.

Note: This will impact any clients expecting recursion for the duration of the change.


746710-1 : Use of HTTP::cookie after HTTP::disable causes TMM core

Component: Local Traffic Manager

Symptoms:
When an iRule disables HTTP with HTTP::disable, subsequent use of HTTP::cookie for that request will cause a TMM core dump.

Conditions:
1) HTTP profile is configured on the virtual.
2) HTTP::disable is called on request.
3) HTTP::cookie is then called on that request.

Impact:
Use of iRules in the above mentioned order will result in a TMM core. Traffic disrupted while tmm restarts.

Workaround:
Do not call HTTP::cookie on requests that have had HTTP disabled by HTTP::disable.


746657-1 : tmsh help for FQDN node or pool member shows incorrect default for fqdn interval

Component: TMOS

Symptoms:
The tmsh help text for LTM nodes and pools shows the incorrect default for the fqdn 'interval' value.
The default is indicated as the TTL, whereas the actual default value is 3600 seconds (1 hour).
The configured value is displayed correctly if the node or pool is displayed using the 'all-properties' keyword.

Conditions:
Always.

Impact:
FQDN nodes and pool members may be created with a different fqdn refresh interval than intended.

Workaround:
When creating an FQDN node or pool member, specify the desired fqdn 'interval' value (either TTL, or the desired number of seconds).


746620-3 : "source-port preserve" does not work on BIG-IP Virtual Edition

Component: Performance

Symptoms:
BIG-IP Virtual Edition uses RSS hashing for selecting TMMs which has the side effect of causing "source-port preserve" to reuse ports aggressively. This can ultimately lead to connection failures.

Conditions:
BIG-IP Virtual Edition with "source-port preserve" configured on a fastl4 virtual server, and VE configures RSS hash. VE configures RSS hash if both of the following conditions are met:

1. VE supports RSS hash on the NIC. Currently, RSS is supported on ixlv and vmxnet3 NICs
2. The number of TMMs <= maximum number of queues supported by the NIC. For ixlv this is 4 and for vmxnet3 this is 8

Impact:
Connections may fail due to reusing ports too quickly.

Workaround:
On the Virtual Server, set source-port to "change".


746464-1 : MCPD sync errors and restart after multiple modifications to file object in chassis

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
This can be encountered when rapidly making changes to files such as creating and then deleting them while the config sync of the file creation is still in progress.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.


746394-1 : With ASM CORS set to 'Disabled' it strips all CORS headers in response.

Component: Application Security Manager

Symptoms:
All access-control-* headers are removed by ASM, including Cross-Origin Resource Sharing (CORS) headers. This causes CORS-related JavaScript errors on the browser console, and blocks cross-domain requests that should be allowed.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Backend server sends CORS headers access-control-*.

Impact:
Any webapp that sends cross origin AJAX requests might not work.

Workaround:
Set up an iRule on a virtual server, for example:

when HTTP_RESPONSE {
    array set header_list { }
    foreach header_name [HTTP::header names] {
        if { [string tolower $header_name] starts_with "access-control-" } {
            set header_list($header_name) [HTTP::header $header_name]
        }
    }
}
when HTTP_RESPONSE_RELEASE {
    foreach header_name [array names header_list] {
        if {!([HTTP::header exists $header_name])} {
            HTTP::header insert $header_name $header_list($header_name)
        }
    }
}


746266-3 : Vcmp guest vlan mac mismatch across blades.

Component: TMOS

Symptoms:
Guests running on blades in a single chassis report different MAC addresses on a single VLAN after the vCMP host reboots.

Conditions:
This issue may be seen when all of the following conditions are met:

- One (or more) blade(s) are turned off completely via AOM.
- Create two vlans.
- Deploy a multi-slot guest with the higher lexicographic vlan.
- Now, assign the smaller vlan to the guest.
- Reboot the host

Impact:
Incorrect MAC addresses are reported by some blades.

Workaround:
There is no workaround at this time.


746152-1 : Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column

Component: TMOS

Symptoms:
The DMA drop packet and bytes registers (rqm_dma_drp_pkts and rqm_dma_drp_bytes in the tmm/hsbe2_internal_pde_ring table) can have huge numbers, which appear to be close to multiples of 4G (2^32). The count reported in the register from hsb_snapshot shows a very small number:

From tmm/hsbe2_internal_pde_ring:

name             active bus rqm_dma_drp_pkts rqm_dma_drp_bytes
---------------- ------ --- ---------------- -----------------
lbb0_pde1_ring2       1   2      17179869185     4398046511186
lbb0_pde1_ring3       1   2       8589934597     2199023256108
lbb0_pde2_ring0       1   2                0                 0
lbb0_pde2_ring1       1   2                0                 0
lbb0_pde2_ring2       1   2       8589934592     2199023255552
lbb0_pde2_ring3       1   2                0                 0
lbb0_pde3_ring0       1   2                0                 0
lbb0_pde3_ring1       1   2                0                 0
lbb0_pde3_ring2       1   2       8589934592     2199023255552
lbb0_pde3_ring3       1   2                0                 0
lbb0_pde4_ring0       1   2                0                 0
lbb0_pde4_ring1       1   2                0                 0
lbb0_pde4_ring2       1   2       8589934592     2199023255552
lbb0_pde4_ring3       1   2                0                 0

lbb1_pde1_ring1       1   3                0                 0
lbb1_pde1_ring2       1   3       4294967298     1099511627952

From hsb_snapshot for pde1's ring 0 to ring 3:

50430: 00000000 rqm_dma_drp_pkt_cnt_4
50530: 00000000 rqm_dma_drp_pkt_cnt_5
50630: 00000001 rqm_dma_drp_pkt_cnt_6
50730: 00000005 rqm_dma_drp_pkt_cnt_7

Conditions:
The register reads sometimes return a 0 value.

Impact:
The DMA drop stats are not accurate

Workaround:
Restarting tmm resets the stats, but it will disrupt traffic.
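
The two excerpts in the symptoms can be reconciled mechanically: splitting each table value into a multiple of 2^32 and a low 32-bit remainder shows that the remainder equals the hsb_snapshot register. The script below is an added example, not F5 tooling; its input is constructed from rows copied out of the excerpts above, and the mapping of rqm_dma_drp_pkt_cnt_4..7 to the lbb0_pde1 rings is an assumption based on the "pde1's ring 0 to ring 3" line and the matching values.

```python
import re

WRAP = 1 << 32  # "4G (2^32)" in the symptom description

# Constructed input: rows copied from the tmm/hsbe2_internal_pde_ring excerpt.
RING_TABLE = """\
name             active bus rqm_dma_drp_pkts rqm_dma_drp_bytes
---------------- ------ --- ---------------- -----------------
lbb0_pde1_ring2  1 2 17179869185 4398046511186
lbb0_pde1_ring3  1 2 8589934597 2199023256108
lbb0_pde2_ring0  1 2 0 0
lbb0_pde2_ring2  1 2 8589934592 2199023255552
"""

# Constructed input: register lines copied from the hsb_snapshot excerpt.
HSB_SNAPSHOT = """\
50430: 00000000 rqm_dma_drp_pkt_cnt_4
50530: 00000000 rqm_dma_drp_pkt_cnt_5
50630: 00000001 rqm_dma_drp_pkt_cnt_6
50730: 00000005 rqm_dma_drp_pkt_cnt_7
"""

SNAPSHOT_LINE = re.compile(
    r"^\s*[0-9a-fA-F]+:\s+([0-9a-fA-F]{8})\s+rqm_dma_drp_pkt_cnt_(\d+)\s*$", re.M)


def parse_ring_table(text):
    """Return {ring_name: (pkts, bytes)}; header and rule lines are skipped."""
    rows = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[3].isdigit() and fields[4].isdigit():
            rows[fields[0]] = (int(fields[3]), int(fields[4]))
    return rows


def parse_snapshot(text):
    """Return {register_index: value} for rqm_dma_drp_pkt_cnt_N lines."""
    return {int(m.group(2)): int(m.group(1), 16)
            for m in SNAPSHOT_LINE.finditer(text)}


def decompose(table_text):
    """Return {ring: ((pkt_multiples, pkt_low32), (byte_multiples, byte_low32))}."""
    return {name: (divmod(pkts, WRAP), divmod(nbytes, WRAP))
            for name, (pkts, nbytes) in parse_ring_table(table_text).items()}


def reconcile(table_text, snapshot_text, pde="lbb0_pde1", first_reg=4):
    """Compare the low 32 bits of each table packet count with its register.

    Assumption: register cnt_(first_reg + N) belongs to ring N of `pde`.
    Returns {ring: (multiples_of_2_32, low32, register_value, matches)}.
    """
    regs = parse_snapshot(snapshot_text)
    report = {}
    for name, (pkts, _nbytes) in parse_ring_table(table_text).items():
        m = re.fullmatch(re.escape(pde) + r"_ring(\d+)", name)
        if not m:
            continue
        reg = regs.get(first_reg + int(m.group(1)))
        high, low = divmod(pkts, WRAP)
        report[name] = (high, low, reg, reg is not None and low == reg)
    return report


if __name__ == "__main__":
    for ring, (high, low, reg, ok) in reconcile(RING_TABLE, HSB_SNAPSHOT).items():
        print(f"{ring}: {high} x 2^32 + {low}; register={reg}; match={ok}")
```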


746137-1 : DNSSEC: Creating a new DNSSEC Zone can result in gtmd attempting to sync every 10 seconds

Component: Global Traffic Manager (DNS)

Symptoms:
Creating a new DNSSEC Zone can result in gtmd attempting to sync every 10 seconds even though the configuration appears to be the same on each GTM in the sync group. This lasts until another change is committed to the database (for example, creating a new unrelated object such as a gtm wideip).

Conditions:
The user creates a new DNSSEC Zone.

Impact:
gtmd may attempt to sync every 10 seconds until another configuration change is made.

Workaround:
If the user makes another unrelated configuration change, like creating a gtm datacenter or wideip, the attempt to sync every 10 seconds will stop.


746078-1 : Upgrades break existing iRulesLX workspaces that use node version 6

Component: Local Traffic Manager

Symptoms:
When upgrading a BIG-IP with iRulesLX plugins, if those plugins are based on workspaces that use node version 6 (instead of version 0.12) they will fail to work properly after the upgrade once the plugin is reloaded from the workspace.

Errors like this will be seen in /var/log/ltm:

Oct 5 06:37:12 B7200-R14-S36 info sdmd[17582]: 018e0017:6: pid[26853] plugin[/Common/test-jt-plugin.test-jt-extension] Starting the server.....jt...after upgrade...
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: Resuming log processing at this invocation; held 233 messages.
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] /var/sdm/plugin_store/plugins/:Common:test-jt-plugin_62858_3/extensions/test-jt-extension/node_modules/f5-nodejs/lib/ilx_server.js:30
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ILXServerWrap = process.binding('ILXServerWrap').ILXServerWrap;
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ^
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] Error: No such module: ILXServerWrap
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] at Error (native)

Conditions:
Upgrading a version of BIG-IP that is using iRulesLX that has a workspace based on node version 6. Later reloading the iRulesLX plugin from the workspace.

Impact:
The iRulesLX plugin no longer works.

Workaround:
- Navigate to the workspace folder on the BIG-IP (/var/ilx/workspaces/<partition>/<workspace name>).
- Make the file "node_version" writable (chmod +w node_version).
- Edit the node_version file: change "0.12" to "6"
- Save the node_version file.
- Make the file "node_version" read-only (chmod -w node_version).
- Reload the iRulesLX plugin from the workspace.


745923-2 : Virtual server may reset a connection with port zero when client sends ACK after a 4-way close

Component: Local Traffic Manager

Symptoms:
The virtual server sends a reset with port zero.

Conditions:
Here is an observed sequence for the problem to happen:
1. Three way handshake initiated by client to VIP.
2. Client actively closing the connection - 4 way close
3. Client continues to send ACK after 4 way close

Impact:
The virtual server sends an incorrect reset.

Workaround:
There is no workaround at this time.


745809-2 : The /var partition may become 100% full requiring manual intervention to clear space

Component: Advanced Firewall Manager

Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free

Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open.

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition

Workaround:
This workaround is temporary: if the conditions of this bug are still met, it may need to be repeated periodically, either manually or from a script. While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:
 bigstart stop restjavad
 rm -rf /var/config/rest/storage*.zip
 rm -rf /var/config/rest/*.tmp
 bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.


745802-1 : Brute Force CAPTCHA response page truncates last digit in the support id

Component: Application Security Manager

Symptoms:
Brute Force CAPTCHA response page shown to an end-user has a support id and the last digit is truncated.

Conditions:
- ASM Provisioned
- ASM policy attached to a virtual server
- ASM Brute Force Protection enabled in the asm policy
- ASM Brute Force sends captcha mitigation page when a website is under brute force attack.

Impact:
The support id presented to an end-user won't be matched to the one shown in the asm logs

Workaround:
There is no workaround at this time.


745589-6 : In very rare situations, some filters may cause data-corruption.

Component: Local Traffic Manager

Symptoms:
In very rare situations, an internal data-moving function may cause corruption.

Filters that use the affected functionality are:
HTTP2, Sip, Sipmsg, MQTTsession, serdes_diameter, FTP.

Conditions:
The affected filters are used, and some very rare situation occurs.

Impact:
This may cause silent data corruption, or a TMM crash.

Workaround:
There is no workaround at this time.


745574-1 : URL is not removed from custom category when deleted

Component: Access Policy Manager

Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.

Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.

Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.

Workaround:
"bigstart restart tmm" will resolve the issue.


745545-1 : CMP forwarded LRO host packets do not restore LRO flag

Component: Local Traffic Manager

Symptoms:
When packets are being CMP forwarded for the host (e.g., related connection), the LRO flag is not being restored. As a result, these packets do not go through TSO which results in PMTU response and the connection hangs.

Conditions:
This issue is particular to CMP forwarded host connections which are going over the TMM interface due to explicit LRO and large MTU.

Impact:
The connection hangs.

Workaround:
There is no workaround.


745285 : Virtual server configured with destination address list may not respond to ARP and ICMP echo

Component: Local Traffic Manager

Symptoms:
When a virtual server is configured with a destination address list, some of the address ranges within the list may be configured as a subnet virtual address. Subnet virtual addresses do not respond to ARP and ICMP echo. This is in line with the traditional subnet listeners.

Conditions:
A virtual server is configured with destination address list, that contains address ranges.

Impact:
Addresses may behave differently in a destination address list depending on whether the address is configured as a host or as part of a range.

Workaround:
If the addresses of a destination address list are desired to behave as hosts, then do not add address ranges to the list, but add them as a list of individual addresses.


745035-2 : gtmd crash

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd crashes

Conditions:
This rarely occurs when an iQuery connection is abnormally terminated.

Impact:
Under rare circumstances, gtmd may crash and restart.

Workaround:
None


744787-4 : Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias

Component: Global Traffic Manager (DNS)

Symptoms:
WideIP alias will be replaced.

Conditions:
There is an existing alias for a WideIP and adding the same alias for another WideIP.

Impact:
The previous WideIP will be replaced.

Workaround:
Avoid adding an alias that already exists for one WideIP to another WideIP.


744730-1 : Specifying a larger system disk during VE launch requires manual reboot for the increase to go into effect

Component: TMOS

Symptoms:
You can specify a larger system disk size during VE launch. The larger disk is allocated, but VE cannot use the extra space initially. A manual reboot allows VE to use the extra space. The desired behavior is for VE to reboot by itself.

Conditions:
This occurs when you launch VE with a larger system disk in the initial version of 14.1

Impact:
BIG-IP cannot use the extra space

Workaround:
Reboot VE


744707-2 : Fixed crash related to DNSSEC key rollover

Component: Global Traffic Manager (DNS)

Symptoms:
When running out of memory, a DNSSKEY rollover event can cause a tmm core dump.

Conditions:
System low/out of memory.
DNSSKEY rollover event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.


744532 : Websso fails to decrypt secured session variables

Component: Access Policy Manager

Symptoms:
Whenever websso tries to decrypt secure session variables, the following error is seen in /var/log/apm:

Aug 15 21:36:25 abcd err websso.0[20421]: 014d0028:3: /Common/Test_PRP:Common:2b8e7abc: Master Decrypt failed for user test with error 'ckDecrypt: invalid ciphertext'
Aug 15 21:36:25 abcd info websso.0[20421]: 014d0009:6: /Common/Test_PRP:Common:2b8e7abc: Websso basic authentication for user 'test' using config '/Common/sso_test_obj'

Conditions:
- Per-req policy is attached to virtual server.
- Secure subsession variables are assigned to session variables using Variable Assign Agent in per-req policy.
- SSO Configuration Select agent is used in per-req policy.

Impact:
Single Sign-On (SSO) won't work correctly.

Workaround:
There is no workaround at this time.


744520-1 : virtual server with pem profile drops traffic received from Vxlan-GRE tunnel interface

Component: TMOS

Symptoms:
A virtual server with a pem profile drops traffic received from a Vxlan-GRE tunnel interface.

Conditions:
Virtual server with pem profile and Vxlan-GRE tunnel interface.

Impact:
Traffic drop.

Workaround:
There is no workaround.


744516-4 : TMM panics after a large number of LSN remote picks

Component: Carrier-Grade NAT

Symptoms:
TMM panics with the assertion "nexthop ref valid" failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.

Conditions:
A LSN Pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.

Impact:
TMM restarts. Traffic is interrupted.

Workaround:
There is no workaround.


744316-4 : Config sync of APM policy fails with Cannot update_indexes validation error.

Component: Access Policy Manager

Symptoms:
The config sync operation fails for an APM policy when a policy item of the same name points to a different agent on the source and the target.

The system posts errors similar to the following:

Sync error on rfang-vemgmt.lab.labnet.com: Load failed from /Common/rfang-ve-3mgmt.lab.labnet.com 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (access_policy_item_agent) object ID (/Common/resm_act_message_box_1 /Common/resm_act_message_box_ag_1). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:access_policy_item_agent status:13)"

Conditions:
This occurs in the following scenario:

1. Configure a failover device group containing two BIG-IP systems.
2. Create an APM access profile on one unit.
  + Launch VPE for the policy.
  + Add a macro.
  + In macro add an agent, e.g., Message box.
  + Add macro to the main policy.
3. Initiate config sync to another device.
4. On one BIG-IP system, add another Message box agent using the same macro. On the other BIG-IP system, make a copy of the access profile.
5. On either BIG-IP system, initiate another config sync operation.

Impact:
Unable to sync configuration in a failover device group.

Workaround:
You can work around this using the following procedure:

1. On the device receiving the config sync, delete the APM policies that contain the referenced APM policy items.
2. Perform an overwrite-config-sync operation from the sending device to this device.


744280-2 : Enabling or disabling a Distributed Application results in a small memory leak

Component: Global Traffic Manager (DNS)

Symptoms:
Enabling or disabling a Distributed Application results in an 8 byte memory leak.

Conditions:
Enabling or disabling a Distributed Application.

Impact:
8 bytes of memory are leaked every time a Distributed Application is enabled or disabled. If Distributed Applications are repeatedly programmatically enabled and disabled, over time, the system might eventually exhaust all available memory.

Workaround:
None.


744252-2 : BGP route map community value: either component cannot be set to 65535

Component: TMOS

Symptoms:
The community value for BGP route map entries should allow values of 1-65535 for both components, but it is not allowing 65535 for either component.

Conditions:
-- Using BGP route map community values.
-- Attempting to set one or both components to 65535.

Impact:
Unable to use the full range of BGP route map community values

Workaround:
There is no workaround at this time.


744210-2 : DHCPv6 does not have the ability to override the hop limit from the client.

Component: Local Traffic Manager

Symptoms:
DHCPv6 packet may be dropped by a device after the DHCP relay if the client provided hop limit is 1.

Conditions:
DHCPv6 Relay configured on the BIG-IP.

Impact:
Loss of DHCPv6 service.

Workaround:
There is no workaround at this time.


743803-1 : IKEv2 potential double free of object when async request queueing fails

Component: TMOS

Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.

Conditions:
When an async IPsec crypto operation fails to queue.

Impact:
Restart of tmm. All tunnels lost must be re-established.

Workaround:
No workaround known at this time.


743132-6 : mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile

Component: TMOS

Symptoms:
On a chassis platform, if 'tmsh modify sys httpd ssl-certificate' is run immediately after creating a new certificate file, it's possible for mcpd to restart on the secondary blades. This happens when it takes longer for csyncd to copy the new certificate file to the other blades than it takes mcpd to send the modify message to the other blades.

Conditions:
Chassis platform with multiple blades.
Setting the httpd ssl-certificate to a new file.

Impact:
mcpd stops on secondary blades, causing those blades to go offline for a short time while mcpd and other daemons restart.

Workaround:
When setting the httpd ssl-certificate to a new file, wait a few seconds after creating the file before issuing the tmsh modify command.


742838-1 : A draft policy of an existing published policy cannot be modified if it is in /Common and is used by a virtual server in a different partition

Component: Local Traffic Manager

Symptoms:
If you have a published policy in /Common that is in use by a virtual server in a different partition, if you try to create and modify a draft of the existing policy, you will get an error like this:

"01070726:3: Policy /Common/Drafts/test-policy in partition Common cannot reference policy reference /Common/Drafts/test-policy /test/test-vs in partition test"

This happens in both the GUI and TMSH.

Conditions:
-- A published policy exists in /Common.
-- The published policy is attached to a virtual server in a different partition.
-- Attempt to create and modify a draft of the policy.

Impact:
Inability to edit the published policy.

Workaround:
None.


742753-4 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail

Component: TMOS

Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.

Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:

- Remove the Referer header.

- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.

Impact:
Users cannot log on to the BIG-IP system's WebUI.

Workaround:
As a workaround, you can do any of the following things:

- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).

- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).

- Modify the proxy solution so that it inserts compatible Referer and Host headers.
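
To check whether a proxy falls into one of the conditions above, you can capture the headers it sends toward the BIG-IP system and test them. The following is an added example, not F5 code: the function names and sample headers are constructed, and it assumes that "tally" means the Referer URL and the Host header name the same host and port.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_port(netloc, scheme):
    """Return (host, port) for a Host header or URL authority, or None if unusable."""
    try:
        parts = urlsplit(f"{scheme}://{netloc.strip()}")
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if not parts.hostname:
        return None
    # hostname is already lower-cased by urlsplit; fill in the scheme default port
    return parts.hostname, port or DEFAULT_PORTS[scheme]


def referer_host_check(headers):
    """Classify one captured request: 'ok', 'referer-missing' or 'mismatch'.

    headers: dict of header name -> value as received behind the proxy.
    Assumption (not from the release note): the comparison is on host and port.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    referer = hdrs.get("referer", "").strip()
    if not referer:
        return "referer-missing"            # proxy removed the Referer header
    try:
        ref = urlsplit(referer)
    except ValueError:
        return "mismatch"
    if ref.scheme not in DEFAULT_PORTS:
        return "mismatch"
    ref_pair = _host_port(ref.netloc, ref.scheme)
    host_pair = _host_port(hdrs.get("host", ""), ref.scheme)
    if ref_pair is None or host_pair is None:
        return "mismatch"
    return "ok" if ref_pair == host_pair else "mismatch"


# Constructed captures: direct access, Referer stripped, Host rewritten by a proxy.
SAMPLE_REQUESTS = {
    "direct": {"Host": "bigip.example.net",
               "Referer": "https://bigip.example.net/login"},
    "referer_stripped": {"Host": "bigip.example.net"},
    "host_rewritten": {"Host": "10.0.0.5",
                       "Referer": "https://bigip.example.net/login"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        print(f"{name}: {referer_host_check(hdrs)}")
```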


742558-1 : Request Log export document fails to show some UTF-8 characters

Component: Application Security Manager

Symptoms:
After exporting an ASM security event log, the log file exists but the characters are not visible.

Conditions:
Decoding of UTF-8 characters fails in Request Log export on a small range of characters.

Impact:
The contents of the log are not human readable.

Workaround:
None.


742237-4 : CPU spikes appear wider than actual in graphs

Component: Local Traffic Manager

Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.

Conditions:
CPU usage has spikes.

Impact:
Graphs of CPU spikes appear to last longer than they actually last.

Workaround:
Perform the following procedure:

1. Run the following command to record the 5-second average rather than the 1-second average:

sed -i.bak 's/TMCOLNAME "ratio"/TMCOLNAME "five_sec_avg.ratio"/;s/TMCOLNAME "cpu_ratio_curr"/TMCOLNAME "cpu_ratio_5sec"/g' /config/statsd.conf

2. Restart statsd to load the new configuration:

bigstart restart statsd


742170-2 : REST PUT command fails for data-group internal

Component: TMOS

Symptoms:
Cannot change content of existing data-group internal using REST PUT command.

Conditions:
Using REST API.

Impact:
Cannot modify data-group internal via the REST API.

Workaround:
Add 'type' in the content.


742078-6 : Incoming SYNs are dropped and the connection does not time out.

Component: Local Traffic Manager

Symptoms:
There is a hard-coded limit on the number of SYNs forwarded on a FastL4 connection. This might cause a problem when a connection is reused, for example, if a connection is not correctly closed.

Conditions:
-- SYN forwarding on FastL4 connections.
-- The number of SYNs on a single connection reaches the hard-coded limit.

Impact:
If the number of SYNs on a single connection reaches this limit, subsequent incoming SYNs are dropped and the connection might not time out.

Workaround:
There is no workaround.


741213-2 : Modifying disabled PEM policy causes coredump

Component: Policy Enforcement Manager

Symptoms:
TMM undergoes a core dump after a disabled policy has a new rule added.

Conditions:
-- Add a rule to a disabled PEM policy.
-- Enable the PEM policy, and this policy is applied by PCRF.
-- Traffic is generated for this subscriber.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
Modify a PEM policy only when the policy is enabled.


741048-1 : iRule execution order could change after editing the scripts

Component: Local Traffic Manager

Symptoms:
iRule execution order might change. For example, you have the following iRules configured on a virtual server: rule1, rule2, rule3, and they all have CLIENT_ACCEPTED. If you do not specify their priority, or if you specify the same priority to each one, when you edit one, the execution order changes. For example, if you edit the rule2 script, the execution order changes to rule2, rule1, rule3.

Conditions:
Multiple events have the same priority.

Impact:
Execution order changes.

Workaround:
Specify different priorities for iRules containing the same event.


740959-4 : User with manager rights cannot delete FQDN node on non-Common partition

Component: Local Traffic Manager

Symptoms:
A user that has manager rights for a non-Common partition, but not for the /Common partition, may be denied delete privileges for an FQDN template node that is created on the non-Common partition for which the user does have manager rights.

This occurs because ephemeral nodes created from the FQDN template node are 'shared' in the /Common partition, so the delete transaction fails because the user has insufficient permissions to delete the dependent ephemeral nodes on the /Common partition.

Conditions:
-- A user is created with manager rights for a non-Common partition.

-- That user does not have manager rights for the /Common partition.

-- At least one ephemeral node is created from that FQDN template node (due to DNS lookup), which is not also shared by other FQDN template nodes.

-- That user attempts to delete an FQDN template node on the non-Common partition for which the user has manager rights.

Impact:
The transaction to delete the FQDN template node fails due to insufficient permissions. No configuration changes occur as a result of the FQDN template node-delete attempt.

Workaround:
You can use either of the following workarounds:

-- Perform the FQDN template node-delete operation with a user that has manager rights to the /Common partition.

-- Create the FQDN template node on the /Common partition.


740589-1 : mcpd crash with core after 'tmsh edit /sys syslog-all-properties'

Component: TMOS

Symptoms:
Syslog-ng consumes more than 95% CPU, starving other processes of CPU time. This leads to an eventual mcpd crash with core.

Conditions:
Configuring nonexistent local IP addresses and remote log server.

Impact:
Abnormal CPU usage. Potential eventual mcpd crash with core.

Workaround:
To mitigate the issue, you can use either of the following:

-- Follow these two steps:
 1. Remove the remote log server from the configuration.
 2. Replace the nonexistent local IP addresses with self IP addresses.

-- Configure the remote destination host with a unique parameter in the configuration so that syslog does not get confused if there are multiple entries:
udp(190.45.32.51 port(514) localip(190.46.2.221) persist-name(r1));
udp(190.45.32.51 port(514) localip(190.46.2.222) persist-name(r2));
udp(190.200.60.1 port(514) localip(190.46.2.221) persist-name(r3));
udp(190.200.60.1 port(514) localip(190.46.2.222) persist-name(r4));


740543-1 : System hostname not displayed in console

Component: TMOS

Symptoms:
Hostname is not displayed in the shell prompt in bash and tmsh.

Conditions:
After reboot or upgrade, login to the host console, shell, or tmsh.

Impact:
Hostname is not displayed in the shell prompt.

Workaround:
Update hostname from GUI/TMSH.


740517-1 : Application Editor users are unable to edit HTTPS Monitors via the Web UI

Component: TMOS

Symptoms:
A user with the Application Editor role cannot modify an HTTPS Monitor via the GUI. The user is sent the following misleading and incorrect error message: Access Denied: user does not have delete access to object (ssl_cert_monitor_param)

Conditions:
The logged-in GUI user must have the Application Editor role for the partition containing the HTTPS Monitor.

Impact:
The user must use TMSH to modify an HTTPS Monitor.

Workaround:
Run the following tmsh command: modify ltm monitor https"\


740345-3 : TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.

Component: Local Traffic Manager

Symptoms:
TMM generates core files on the device.

Conditions:
The issue is seen when connection mirroring, session mirroring and OCSP stapling are enabled.

Impact:
If a failover happens when an SSL handshake is in progress, TMM restarts and a core file is generated on the standby device. Traffic disrupted while tmm restarts.

Workaround:
None.


739820-1 : Validation does not reject IPv6 address for TACACS auth configuration

Component: TMOS

Symptoms:
TACACS authentication does not support an IPv6 address for the authentication server, but both the GUI and TMSH allow IPv6 addresses to be configured for TACACS. Such configurations may result in failed logins with messages in /var/log/secure like the following:

Aug 8 10:47:39 gtm-13108-174 err httpd[5948]: pam_tacplus: skip invalid server: 2001::1001:1001 (invalid port: no digits)

Conditions:
Use the GUI or TMSH to create or modify a TACACS server.

Impact:
Remote authentication will fail unless a second server is configured with an IPv4 address.

Workaround:
Do not configure an IPv6 address for the TACACS server.


739553-1 : Setting large number for Wide IP Persistence TTL breaks Wide IP persistence

Component: Global Traffic Manager (DNS)

Symptoms:
Wide IP persistence is not working. Previous Wide IP persistence records are cleared.

Conditions:
This occurs when the Wide IP Persistence TTL plus the persist-record creation time is greater than 4294967295.

Impact:
Wide IP persistence does not work.

Workaround:
There is no workaround other than not setting Wide IP Persistence TTL to a number greater than 4294967295.


739118-1 : Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration

Component: TMOS

Symptoms:
After existing self IP addresses are changed directly in the bigip_base.conf file and the changed configuration file is uploaded, the BIG-IP routing service provides out-of-date self IP route information to dependent services.

Conditions:
- Self IP address is configured on the BIG-IP system.
- Manually change the IP address of a self IP in bigip_base.conf file.
- Load changed configuration via tmsh.

Impact:
Different services have different route information:
-- tmsh table - has the old route.
-- Dynamic routing - has the old and new routes.
-- Kernel table - has the new route.

Workaround:
There are two workarounds, preventive and corrective.
Preventive:
Do not manually change self IP addresses in the bigip_base.conf file. This is not the recommended way to add or change BIG-IP configuration. Use the GUI or tmsh instead.

Corrective:
If the changed configuration has already been uploaded, use the GUI or tmsh to delete the changed self IP address, then create a self IP address with the old IP address and delete it as well. All affected routes are then removed.


739003-2 : TMM may crash when fastl4 is used on epva-capable BIG-IP

Component: Local Traffic Manager

Symptoms:
TMM may crash when fastl4 is used on epva-capable BIG-IP.

Conditions:
The virtual server has fastl4 profile installed, has iRule installed and the iRule uses SERVER_CONNECTED event. The pool member is route-able but does not exist.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


738943-3 : imish command hangs when ospfd is enabled

Component: TMOS

Symptoms:
- dynamic routing enabled
- ospfd protocol enabled
- imish hangs

Conditions:
- running imish command

Impact:
Loss of the ability to show dynamic routing state using imish.

Workaround:
Restart the ospfd daemon.


738547-3 : SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII

Component: Access Policy Manager

Symptoms:
When a SAML metadata file that contains certain UTF-8 characters other than ASCII is imported, the SAML SAX Parser returns an error.

Conditions:
The SAML metadata file contains certain UTF-8 characters other than the ASCII set.

Impact:
SAML metadata file is not imported, and the system reports an error. SAML configuration on BIG-IP systems is impacted.

Workaround:
Remove the non-ASCII UTF-8 characters, and try the import operation again.


738450-1 : Parsing pool members as variables with IP tuple syntax

Component: Local Traffic Manager

Symptoms:
There is a config loading warning at tmsh similar to the following: unexpected end of arguments;expected argument spec:PORT.

Conditions:
Tcl variable is used for the IP tuple instead of a plain value.

Impact:
iRule LB::reselect command may not recognize an IP tuple when it is a variable. tmsh warning shows.

Note: There is no warning in the GUI.

Workaround:
Use plain value instead of variable.


738430-3 : APM is not able to do compliance check on iOS devices running F5 Access VPN client

Component: Access Policy Manager

Symptoms:
Compliance check against Microsoft Intune fails when an APM end user attempts a VPN connection from a managed iOS device running the F5 Access VPN client.

Conditions:
-- APM policy is configured to use Microsoft Intune for device compliance check.
-- APM end user is attempting VPN connection using the F5 Access VPN client on an iOS device.

Impact:
APM is not able to do compliance checks on the device, and VPN connection fails.

Workaround:
None.


738330-3 : /mgmt/toc endpoint broken after configuring remote authentication

Component: TMOS

Symptoms:
'Invalid username or password.' error on the /mgmt/toc page after configuring remote authentication.

Conditions:
When remote auth is configured.

Impact:
Cannot configure remote authentication.

Workaround:
None.


738046-1 : SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby

Component: Local Traffic Manager

Symptoms:
For FastL4 connections, SERVER_CONNECTED currently doesn't fire on the standby device. If the standby device then becomes active, the first packet from the server on an existing FastL4 connection causes SERVER_CONNECTED to fire. Depending on what the iRule does in SERVER_CONNECTED, a variety of results can occur, including TMM coring due to commands being executed in unexpected states.

Conditions:
-- High availability configuration.
-- Mirrored FastL4 virtual server.
-- Attached iRule contains a SERVER_CONNECTED event.

Impact:
SERVER_CONNECTED does not fire when expected on standby device. When the standby device becomes active, the SERVER_CONNECTED iRule may cause TMM to core with traffic being disrupted while TMM restarts.

Workaround:
None.


738045-5 : HTTP filter complains about invalid action in the LTM log file.

Component: Local Traffic Manager

Symptoms:
Payload data is collected at the HTTP_REQUEST event and finishes collecting (HTTP::release) when the NAME_RESOLVED event occurs. On releasing, data is forwarded to the serverside, triggering the HTTP_REQUEST_SEND event.
 
When trying to raise HTTP_REQUEST_SEND, the iRule queues it and returns IN_PROGRESS, because the system is already in the process of running TCLRULE_NAME_RESOLVED. (Nested iRules: TCLRULE_NAME_RESOLVED -> TCLRULE_HTTP_REQUEST_SEND)

Due to the IN_PROGRESS status, tcp_proxy skips forwarding HUDCTL_REQUEST to the serverside, but not the subsequent payload. So the HTTP filter considers this an invalid action.

Conditions:
-- Standard virtual server with iRules attached (for example, using the following configuration for a virtual server):

when HTTP_REQUEST {
    HTTP::collect
    NAME::lookup @10.0.66.222 'f5.com'
}
when NAME_RESOLVED {
    HTTP::release
}
when HTTP_REQUEST_SEND {
    log local0. "Entering HTTP_REQUEST_SEND"
}

-- Client sends two HTTP Post requests.
-- After the first request, the second connection is kept alive (for example, by using HTTP header Connection) so that the second request can reuse the same connection.

Impact:
The second request gets reset, and the system logs errors in the LTM log file.

Workaround:
To avoid nested iRules in this instance, simply remove the HTTP_REQUEST_SEND from the iRule.


737985-2 : BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode.

Component: Local Traffic Manager

Symptoms:
Services that require Standard Proxy mode are not available.

Conditions:
A BIG-IP system deployed in an L2 transparent mode using VLAN groups.

Impact:
Prevents services that require Standard Proxy mode from being leveraged in an L2 transparent deployment.

Workaround:
None.


737739-1 : bash shell still accessible for admin even if disabled

Component: TMOS

Symptoms:
With the administrator role, you have an option in TMUI to disable or restrict terminal access. If you disable or restrict access, the corresponding REST endpoint is neither disabled nor restricted.

Conditions:
Use TMUI as the admin, or as a user with the administrator role, and either of the following:
-- Disable terminal access.
-- Restrict access to TMSH.

Impact:
Users with the Administrator role can obtain shell access via REST.

With terminal access disabled:
-- If you attempt to log in using SSH, you will not be able to do so.
-- If you make a POST request to the /mgmt/tm/util/bash endpoint with a body that includes a command to run, that command will be run.

With access to TMSH restricted:
-- If you make a POST request to the /mgmt/tm/util/bash endpoint with a body that includes a command to run, that command will be run.

Workaround:
None.
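
Because no workaround exists, reviewing REST audit data for POST requests to this endpoint is one way to see whether the restriction is being bypassed. The following is an added example, not F5 code: the key=value log layout, the sample lines and the restricted_users parameter (accounts whose terminal access is disabled or limited to TMSH) are constructed assumptions to adapt to your own audit source.

```python
import re
from urllib.parse import unquote, urlsplit

BASH_ENDPOINT = "/mgmt/tm/util/bash"          # endpoint named in the issue text
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

# Constructed sample lines in a hypothetical key=value audit layout.
SAMPLE_LOG = """\
2019-05-22T10:15:02Z user=admin method=GET uri=/mgmt/tm/ltm/pool status=200 src=192.0.2.10
2019-05-22T10:15:09Z user=ops1 method=POST uri=/mgmt/tm/util/bash status=200 src=192.0.2.44
2019-05-22T10:16:30Z user=admin method=POST uri="https://localhost/mgmt/tm/util/bash/?a=1" status=200 src=192.0.2.10
2019-05-22T10:18:12Z user=audit method=GET uri=/mgmt/tm/util/bash status=200 src=192.0.2.77
""".splitlines()


def parse_line(line):
    """Split one audit line into a dict of fields plus its leading timestamp."""
    timestamp, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["time"] = timestamp
    return fields


def normalize_path(uri):
    """Reduce a URI or full URL to a canonical path so equivalent spellings compare equal."""
    path = unquote(urlsplit(uri).path)   # drop scheme/host/query, decode %xx
    path = re.sub(r"/{2,}", "/", path)   # collapse repeated slashes
    return path.rstrip("/") or "/"


def find_rest_shell_calls(lines, restricted_users):
    """Return one finding per POST to the bash endpoint.

    restricted_users: set of account names whose terminal access is disabled
    or limited to TMSH (hypothetical input, taken from your own configuration).
    """
    findings = []
    for line in lines:
        f = parse_line(line)
        if f.get("method", "").upper() != "POST":
            continue
        if normalize_path(f.get("uri", "")) != BASH_ENDPOINT:
            continue
        user = f.get("user", "?")
        findings.append({
            "time": f["time"],
            "user": user,
            "src": f.get("src"),
            "status": f.get("status"),
            # A restricted account reaching the endpoint contradicts the setting.
            "severity": "policy-bypass" if user in restricted_users else "review",
        })
    return findings


if __name__ == "__main__":
    for hit in find_rest_shell_calls(SAMPLE_LOG, {"ops1"}):
        print(hit)
```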


737397-1 : User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP

Component: TMOS

Symptoms:
Unable to archive certificates or keys using GUI and iControlSOAP.

Conditions:
When the user is in Certificate Manager role.

Impact:
Unable to backup certificates or keys.

Workaround:
The user in the Certificate Manager role is still able to export the key and see its PEM string. So you can manually create an archive file by copying the PEM string into a file.


737346-1 : After entering username and before password, the logging on user's failure count is incremented.

Component: TMOS

Symptoms:
Listing login failures (i.e., using the following command: 'tmsh show auth login-failures') shows a failed login for the user who is currently logging in via console or SSH.

Conditions:
-- A user is logging in via console or SSH.
-- Between the time the system presents the password prompt and the user enters the password.

Note: This does not apply to GUI or iControl REST logins.

Impact:
If many logins for the same user get to this state simultaneously, it may be enough to exceed a specified lockout threshold, locking the user out.

Workaround:
There is no workaround other than using the GUI or iControl REST to log in to the system.


734846-1 : Redirection to logon summary page does not occur after session timeout

Component: TMOS

Symptoms:
After a BIG-IP Administrator user session times out, the user is not automatically redirected to the logon summary page, despite being configured to do so.

Conditions:
-- The BIG-IP system is configured to redirect to the logon summary page immediately after logging in, using the following db variable:
ui.users.redirectsuperuserstoauthsummary = true

-- The BIG-IP Administrator users' session automatically times out.

Impact:
The system does not comply with government security requirements that BIG-IP Administrator users be sent automatically to the logon summary. BIG-IP Administrator users must manually navigate to the logon summary page.

Workaround:
Manually navigate to the logon summary page.


734551-3 : L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server

Component: Local Traffic Manager

Symptoms:
Configuration overhead that requires configuration of a virtual server per VLAN group.

Conditions:
A BIG-IP system deployed in an L2 transparent mode using VLAN groups.

Impact:
Configuration overhead to configure virtual server per VLAN group.

Workaround:
None.


734276-1 : TMM may leak memory when SSL certificates with VDI or EAM in use

Component: Local Traffic Manager

Symptoms:
TMM 'method' memory usage grows over time when VDI and serverssl *or* EAM and clientssl are configured on the same VIP.

Conditions:
One or both of the following:

-- VDI and serverssl are configured on the same VIP
-- EAM and clientssl are configured on the same VIP

Impact:
TMM memory usage grows over time leading to eventual performance degradation and potential traffic outage if TMM cores.

Workaround:
No workaround short of not using these combinations of features.


727297-1 : GUI TACACS+ remote server list should accept hostname

Component: TMOS

Symptoms:
Cannot add hostnames to the Remote - TACACS+ server list in the GUI.

Conditions:
-- On the System :: Users : Authentication page with Remote - TACACS+ specified.
-- Add hostname to the server list.

Impact:
Validation does not accept a hostname. Cannot add hostname as a server.

Workaround:
Use tmsh to add a hostname.


727191-1 : Invalid arguments to run sys failover do not return an error

Component: TMOS

Symptoms:
If an invalid device name is used in the sys failover command, the device name rejection is logged in /var/log/ltm and failover does not occur. No error or failure message is displayed on the command line.

Note: In prior versions, the system incorrectly performed a force-to-standby operation (no 'device' specified), rather than a directed failover operation (failover to specified 'device'). Although this resulted in the active device becoming standby, it did not cause the system to choose the (nonexistent) device specified.

Conditions:
Run a tmsh command similar to the following:
sys failover standby traffic-group traffic-group-1 device invalid_name

Impact:
Since no failover occurs and no error/warning is returned, this may result in some confusion.

Workaround:
There is no workaround.


726900-1 : Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters

Component: Local Traffic Manager

Symptoms:
Virtual server may attempt to use syncookies on first SYN packet rather than allowing the connection to pass through to the real server.

Conditions:
Modifying a virtual server (CLI/iControl/GUI) to switch from FastL4 or TCP profiles to an 'ip-other' profile.

Impact:
The configured 'ip-other' virtual server will fail to accept all traffic. For example, a TCP or a UDP flow which should have been accepted and processed by the 'ip-other' virtual server will be dropped incorrectly, trying to enforce 'Syn Cookie' validation.

Workaround:
When switching a virtual server profile from FastL4/TCP to the 'ip-other' profile, delete the virtual server and then re-add it with the 'ip-other' profile.


726487-4 : MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.

Component: TMOS

Symptoms:
The MCPD daemon on secondary VIPRION or vCMP blades exits and restarts, logging errors similar to the following:

-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.

-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.

Or:

--- err mcpd[8320]: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).

--- err mcpd[8320]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).... failed validation with error 17236027.

Conditions:
This issue occurs when all of the following conditions are met:

-- VIPRION or vCMP platform with more than one blade.
-- A partition with a non-default route domain.
-- Creating a pool member in the aforementioned partition while a configuration save is taking place at the same time (either system or user initiated).

Impact:
If the system is Active, traffic will be disrupted as the secondary blades restart. The capacity of the system will be reduced until all blades are on-line again. Additionally, depending on the system configuration, the system may fail over to its peer (if one exists).

Workaround:
There is no workaround other than not to create pool members from a different client while saving configuration changes in another client. However, this does not help if the configuration save operation was system-initiated.


726317-6 : Improved debugging output for mcpd

Component: TMOS

Symptoms:
In some cases, mcpd debugging output is insufficient for diagnosing a problem.

Conditions:
Using debugging in mcpd, specifically, setting log.mcpd.level to debug.

Impact:
None. Has no effect without log.mcpd.level set to debug.

Workaround:
None.


726240-1 : Cannot find disk information.

Component: TMOS

Symptoms:
When running the configuration utility in the GUI, after clicking Next on the License screen the GUI reports an error and you are unable to proceed: Cannot find disk information.

Conditions:
The conditions that trigger this are unknown; in one scenario, it was observed after running 'tmsh load sys config default', suspending the VE, and then restarting it and running the configuration utility.

Impact:
You are unable to proceed through the configuration utility.

Workaround:
If this occurs, reboot the machine and the error will fix itself.


726176-2 : platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve

Component: TMOS

Symptoms:
The BIG-IP system running RSS DAG hash attempts to reuse ports while pool members remain in a TIME_WAIT state and are unable to process new connections.

Conditions:
This issue occurs when all of the following conditions are met:

-- You are running on a BIG-IP platform using RSS DAG hash, for instance, z100 and 2000 or 4000 series hardware platform.
-- You have the FastL4 profile associated with a virtual server.
-- The virtual server is configured with source-port preserve.

Impact:
Traffic throughput may be degraded.

Workaround:
Set source-port to change.


726011-4 : PEM transaction-enabled policy action lookup optimization to be controlled by a sys db

Component: Policy Enforcement Manager

Symptoms:
There is no way to disable optimization if time-based actions are enabled in the PEM policy and a statistical transaction-based action enforcement is desired.

Conditions:
If the PEM classification tokens do not change.

Impact:
Time-based actions such as insert content may not get applied to such flows.

Workaround:
None.


725791-6 : Potential HW/HSB issue detected

Component: TMOS

Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.

A burst of CRC errors in the SRAM for the ePVA transformation cache does not trigger a failover, and causes a silent traffic outage on the FastL4 VIP with hardware traffic acceleration. This is because the health check watchdog packets are still functioning correctly, and the current TMOS software primarily monitors watchdog packet tx/rx failures to trigger failover.

In these cases, there might be the following messages in /var/log/tmm*:

  Device error: hsb_lbb* tre2_crc_errs count *

Conditions:
Traffic is offloaded to HSB hardware for acceleration.

Impact:
Hardware accelerated traffic drop.

Workaround:
Switch traffic to software acceleration.


725505-1 : SNAT settings in network resource are not applied after FastL4 profile is updated

Component: Access Policy Manager

Symptoms:
When the admin updates a FastL4 profile, the iRule associated with the internal virtual server (the APM forward virtual server) is removed.

This iRule sets up the SNAT setting, however, since the iRule is removed, the SNAT setting is not applied to new network access connections.

Conditions:
-- Using network access.
-- FastL4 profile is updated.

Impact:
When accessing the backend resource, the BIG-IP system uses the self IP address as the source IP address instead of the IP address configured under the network access resource. Traffic disrupted while tmm restarts.

Workaround:
Restart tmm.

Restarting tmm re-creates the forward virtual servers and attaches the relevant iRule.


724556-3 : icrd_child spawns more than maximum allowed times (zombie processes)

Component: TMOS

Symptoms:
icrd_child is issued a SIGTERM. The SIGTERM might not succeed in destroying the process, especially if the system is under a lot of load. This leads to zombie processes.

Conditions:
-- The icrd_child process is issued a SIGTERM that does not successfully destroy the icrd_child process.
-- System under heavy load.

Impact:
There are zombie icrd_child processes consuming memory.

Workaround:
Restart the system.


723833-2 : IPsec related routing changes can misfire, like changing tunnel mode to interface mode

Component: TMOS

Symptoms:
IPsec config changes that rely upon interface mode tunnels, which are driven by routes with associated tunnel VLANs, can sometimes fail to pass traffic after a config change altering routes, or altering the number of tunnels involved.

Conditions:
- Changing tunnel mode to interface mode.
- Adding or removing routes for interface mode IPsec tunnels.
- Deleting an IPsec tunnel object.

Impact:
An IPsec tunnel outage may occur before a system restart, which looks like absence of proper routing config, but which is due to inconsistent update when changes affect routing used by IPsec tunnels in interface mode. In some cases, a tmm core can occur which interrupts service briefly until restarted.

Workaround:
Typically saving before bigstart restart gets routing config related to IPsec back into working order.


723790-3 : Idle asm_config_server handlers consume a lot of memory

Component: Application Security Manager

Symptoms:
Idle asm_config_server handlers needlessly use a large amount of memory.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a big XML ASM policy and then leaving the BIG-IP system idle. Relevant asm_config_server handler process increases its memory consumption and stays that way, holding on to the memory until it is released with a restart.

Impact:
Unnecessary memory consumption.

Workaround:
1) Lower the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server:
---------------
# perl -pi.bak -e 's/MaxMemorySize=471859200/MaxMemorySize=262144000/' /etc/ts/tools/asm_config_server.cfg
---------------

2) Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------

Notes:
-- The provided workaround does not permanently fix the issue. Instead it alleviates the symptoms of memory pressure, by (1) lowering the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server, and (2) freeing up all the memory that is currently taken by all asm_config_server processes.
-- This workaround does not cause any down time; the asm_config_server processes automatically start within ~30 seconds.


723306-1 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition

Component: Local Traffic Manager

Symptoms:
Loading correct configuration with 'tmsh load /sys config' fails. The error message appears similar to the following:

    01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
    Unexpected Error: Loading configuration process failed.

Conditions:
Creating internal virtual server, when 0.0.0.0 address exists on another partition.

Impact:
Inability to load config, with created internal virtual server.

Workaround:
Create internal virtual server first; then create the 0.0.0.0 address on different partition.


723288-4 : DNS cache replication between TMMs does not always work for net dns-resolver

Component: Global Traffic Manager (DNS)

Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.

Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.

Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.

Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.

Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)


722741-1 : Damaged tmm dns db file causes zxfrd/tmm core

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd/tmm cores on startup.

Conditions:
Damaged tmm dns db file.

Impact:
System remains in a tmm-restart loop caused by tmm opening a corrupted tmmdns.bin on startup and segfaulting. Traffic disrupted while tmm restarts.

Workaround:
Delete the damaged db files.


722707-2 : mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall

Component: Local Traffic Manager

Symptoms:
The 'debug' log for a 'mysql' monitor may incorrectly report data being received from the database when network routing is configured to drop packets from that database, causing confusion when diagnosing packet traffic. This might be triggered by configuring the firewall to enable traffic to/from the 'mysql' database, and then (after the 'mysql' monitor successfully connects with the database) changing firewall rules to drop packets returned *from* the database.

Conditions:
-- A 'mysql' monitor successfully connects to the 'MySQL' database.
-- Once connection is established, firewall rules are changed to 'DROP' packets returned from the 'MySQL' database, resulting in several entries in the 'mysql' monitor 'debug' log that incorrectly suggest packets were received from the 'MySQL' database.

Impact:
Several log entries may be made in the 'mysql' debug log suggesting packets were received from the 'MySQL' database (after a previous successful database probe connection), when in fact those packets were dropped due to changes in the firewall rules. These log entries may confuse debugging scenarios, but will typically self-correct (such as after three log message entries).

Workaround:
When configuring network traffic for 'MySQL' database resources, ensure symmetry for traffic handling (either bi-directional packet routing between 'bigd' and the 'MySQL' database is supported, or neither 'send' nor 'receive' packet routing to the 'MySQL' database is supported).


722647-4 : The configuration of some of the Nokia alerts is incorrect

Component: TMOS

Symptoms:
The categories for perceived severity in the alert_nokia.conf file are 0-4, 10-11, but there is an entry in the file with a value of 6.

Conditions:
-- Traps are enabled to support SNMP alerts in the Nokia NetAct format, e.g., using the following command:
tmsh modify sys db alertd.nokia.alarm value enable
-- The values in the alert_nokia.conf file are applied.

Impact:
Some of the values are incorrect. Handling of the trap/clear for the mislabeled trap is incorrect.

Workaround:
Edit the alert_nokia.conf file and restart the alert daemon.


722534-1 : load sys config merge not supported for iRulesLX

Component: Local Traffic Manager

Symptoms:
iRulesLX configurations are (for the most part) contained in the file system, rather than the 'traditional' BIG-IP config files. An attempt to merge configurations containing iRulesLX using the tmsh command 'load sys config merge' fails with an error similar to the following:

# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ilx plugin test-plugin {
  from-workspace test-ws
}
Validating configuration...
Unexpected Error: "basic_string::at"

Conditions:
The configuration being merged contains iRulesLX.

Impact:
The merge will fail with the error: Unexpected Error: "basic_string::at". The previous configuration will continue to work.

Workaround:
There is no workaround at this time for merging iRulesLX configuration. If the iRulesLX configuration is removed from the configuration to be merged, the merge will work.


721020-1 : Changes to the master key are reverted after full sync

Component: TMOS

Symptoms:
Changes to the master key on a device that is in a device cluster are reverted when performing a full sync of any device-group. The master key is reset to its previous value.

Conditions:
-- The BIG-IP system is in a device cluster.
-- You change the master key from within TMSH.

Impact:
Subsequent configuration loads fail on the device.

Workaround:
There is no workaround.


720434-3 : Multi-blade Chassis iAppLX Package upgrade sync is incomplete across blades

Component: Device Management

Symptoms:
Some iAppLX package files on primary blade do not exist on secondary blades.

Conditions:
After installing an iAppLX package on a multi-blade chassis the package files are synced to other blades. This process is not instantaneous and may take several minutes.

During this time if the same iAppLX package is upgraded, not all of the files will be synced across blades, and an incomplete iAppLX package will exist on secondary blades.

Impact:
When a failover occurs to a blade with an incomplete iAppLX package, parts of the iAppLX GUI may not work.

Workaround:
To trigger a resync of files from primary to secondary blades run the following command:

bigstart restart csyncd


719597-3 : HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0

Component: TMOS

Symptoms:
When two VIPRION chassis with B2250 blades try to form a high availability (HA) connection, with one running v12.1.1 and the other running v13.1.0, HA connections between TMMs on Active and TMMs on Standby might fail.

Conditions:
-- Two VIPRION chassis with B2250 blades.
-- One blade running v12.1.1 and the other running v13.1.0.
-- Attempting to configure an HA connection.

Impact:
The HA connection fails to form.

Workaround:
There is no workaround other than installing the same software on both blades.


719304-1 : Inconsistent node ICMP monitor operation for IPv6 nodes

Component: Local Traffic Manager

Symptoms:
While running ping from different blades in a multi-blade environment, pings fail from blades that do not have the tmm that is responsible for pinging the node.

Conditions:
The blade that does not contain the owning tmm is responsible for the node monitors.

Impact:
The node will be incorrectly marked as being unavailable/down.

Workaround:
You can use the following workarounds:
-- Statically assign the NDP entries.
-- Set the route to a gateway that has a non-zero host portion in the address.


719300-3 : ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address

Component: Local Traffic Manager

Symptoms:
ICMP unreachable packets sent by a server may be received by a client with the BIG-IP system's MAC address as the source MAC address.

Conditions:
BIG-IP deployed in an L2 transparent mode using VLAN groups.

Impact:
May impact services on the client that rely on source MAC address of incoming packets.

Workaround:
None.


718790-1 : Traffic does not forward to fallback host when all pool members are marked down

Component: Local Traffic Manager

Symptoms:
Traffic does not get forwarded to fallback hosts.

Conditions:
-- HTTP Profile configured with Fallback Host.
-- All the pool members are marked administrative down.

Impact:
Traffic does not get forwarded.

Workaround:
Pick a monitor working properly for the pool.


718405-2 : RSA signature PAYLOAD_AUTH mismatch with certificates

Component: TMOS

Symptoms:
IPsec IKEv2 negotiation with other vendors may fail to establish tunnels when certificate authentication is configured, using either RSA signature or DSS.

The value of PAYLOAD_AUTH does not match when the BIG-IP system compares it with what the remote peer sends. The same certificate works when the BIG-IP system is the initiator, but not when another vendor is the initiator.

Conditions:
Interoperating with other vendors under IKEv2 while using certificates.

Impact:
IKEv2 tunnels fail to establish, failing the second IKE_AUTH exchange in the protocol.

Workaround:
Use pre-shared key authentication.


718033-4 : REST calls fail after installing BIG-IP software or changing admin passwords

Component: Device Management

Symptoms:
After installing the latest BIG-IP software, or changing the BIG-IP admin passwords once or twice, REST calls might fail with the following error: 400 - Bad Request.

Conditions:
The conditions under which this occurs are not well understood. The issue occurs randomly, and is likely the result of a timing issue.

Impact:
REST calls or GUI operations fail, and errors are displayed on screen.

Workaround:
Run the following command on the BIG-IP system:
$ bigstart restart restjavad


717785-2 : Interface-cos shows no egress stats for CoS configurations

Component: TMOS

Symptoms:
No egress packet counts per CoS queue are reported on B21x0 and 5x00/7x00 platforms. The issue affects the egress packet statistics reporting per CoS queue only. The operation of the CoS feature is not affected and the egress packets statistics reporting per external interface is also not affected.

Conditions:
-- A valid 8 HW CoS feature configuration has been enabled and is passing traffic.
-- BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.
-- Running the show net interface-cos command.

Impact:
Egress packet statistics reported per CoS queue show no counts.

Workaround:
None.


715379-3 : IKEv2 accepts asn1dn for peers-id only as file path of certificate file

Component: TMOS

Symptoms:
IKEv2 only has a very inconvenient way to specify ID for an ike-peer when using peers-id-type asn1dn. The string value of peers-id-value was understood only as a file path, and not as a representation of the asn1dn value itself. The file had to be a certificate, whose subject happened to be the ID of the remote peer as a distinguished name (DN), so this could be extracted as binary DER for asn1dn. This was both awkward and error prone, requiring what amounts to a copy of a peer's certificate before it is sent during negotiation.

Conditions:
-- Using certificate based authentication in IPsec IKEv2.
-- Configuring an ike-peer with peers-id-type as asn1dn.

Impact:
Very difficult to use asn1dn as the ID of a peer, impeding inter-operation with other vendors.

Workaround:
If you can install a local copy of the peer's certificate, with an asn1dn value inside matching what that peer will actually send in an IKE_AUTH exchange, IKEv2 can extract the asn1dn provided the value of peers-id-value is an absolute file system path to this local certificate copy.


714372 : Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari

Component: Local Traffic Manager

Symptoms:
The BIG-IP system has a web-acceleration profile, which provides a number of caching and optimization options suitable for HTTP/1.1. It uses the 'Connection: Keep-Alive' header on the server side, which results in a 'Keep-Alive' header appearing in the response. This HTTP header was adopted by the industry but not standardized. When a web-acceleration profile is configured and provides a response, Safari clients do not accept responses with such a header and reject them with a RST_STREAM message.

Conditions:
-- BIG-IP has a virtual server with HTTP/2 profile and a web-acceleration profile.
-- A pool member responds with 'Keep-Alive' header in the following format: Keep-Alive: timeout=<number>, max=<number>.

Impact:
A response to a request is rejected, which might cause incorrect rendering of HTTP page.

Workaround:
Use an iRule to remove the Keep-Alive header:

when HTTP_RESPONSE_RELEASE {
    HTTP::header remove keep-alive
}

Alternatively use an LTM Policy where this header is removed from a server's response.


714292-3 : Transparent forwarding mode across multiple VLAN groups or virtual-wire

Component: Local Traffic Manager

Symptoms:
This is a virtual-wire or vlan-group deployment scenario in which there is a BIG-IP system connecting two networks with more than one link. This scenario is referred to as 'asymmetric deployment'. In this case, the outgoing packet does not have the correct VLAN configured.

Conditions:
-- Virtual-wire or vlan-group configured.
-- BIG-IP system is connecting two networks with more than one link.
-- There is more than one virtual-wire/vlan-group to handle the traffic across multiple links.
-- Packets belonging to a flow arrive on any link with a valid VLAN.

Impact:
The connectivity between the endpoints fails.

Workaround:
None.


712919-2 : Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server.

Component: Local Traffic Manager

Symptoms:
When an iRule is removed from a Virtual Server, especially one with explicitly specified high priority (with "priority" keyword), other iRules on the same Virtual Server may become "invisible" i.e. they are present but some of them are no longer executed. It may affect all the events or only certain types of them. Under certain conditions the defect may even disappear upon removing another iRule, particularly if it has low priority and handles the same event as the one which introduced the problem.

Conditions:
Removing an iRule from a Virtual Server.

Impact:
Some or all iRules on given Virtual Servers stop being executed.

Workaround:
Restart or reload the configuration. If removing iRules needs to be performed in run-time and it triggers the problem, it can be prevented by having any iRule (even an empty one) for the same event, as the iRule which is going to be removed, but with higher priority e.g. with attribute "priority 1".


712534 : DNSSEC keys are not generated when configured to use an external FIPS device

Component: Local Traffic Manager

Symptoms:
DNSSEC keys that use an external FIPS device are not generated, and an SELinux denial is reported in /var/log/auditd/audit.log. The logged permission denial should indicate that a process running under the 'mcpd_t' SELinux context was denied the 'execmem' permission.

Conditions:
-- A device is configured with one or more DNSSEC keys that are configured to be generated by an external FIPS device (indicated by the 'use-fips' option being set to 'external').
-- An unpatched version of the Thales client software is in use on the device.

Impact:
DNSSEC keys will not be generated when configured to use the external FIPS device.

Workaround:
Update the version of the Thales client software that is in use on the device.


712335-3 : GTMD may intermittently crash under unusual conditions.

Component: Global Traffic Manager (DNS)

Symptoms:
GTMD may intermittently crash when an unexpected error occurs while creating a statistics row for a resource added to the configuration.

Conditions:
When a pool member is added to the system and there is an unexpected failure to create the associated statistics row.

Impact:
GTMD restarts.

Workaround:
There is no workaround at this time.


711056-1 : License check VPE expression fails when access profile name contains dots

Component: Access Policy Manager

Symptoms:
License Check Agent always flows down fallback branch. Logs show the following pattern:

-- err apmd[13738]: 01490190:3: /Common/my.profile.name:Common:2a392ccd: Key 'tmm.profilelicense./Common/my.profile.name#' was not found in MEMCACHED.

-- err apmd[13738]: 01490086:3: /Common/my.profile.name:Common:2a392ccd: Rule evaluation failed with error: can't use empty string as operand of "-"

Conditions:
-- Access profile contains '.' (dot) characters in its name.
-- License Check agent is used in the VPE to check against profile license.

Impact:
License check always fails, resulting in denied logon.

Workaround:
Use a different policy name without '.' characters.


710930-3 : Enabling BigDB key bigd.tmm may cause SSL monitors to fail

Component: Local Traffic Manager

Symptoms:
When bigd.tmm is enabled, SSL monitors may begin to fail.

Conditions:
-- The in-tmm monitoring feature is enabled via the bigd.tmm db variable (it is disabled by default)
-- The cipher string of the attached SSL profile uses keywords that are invalid with TMM.

Impact:
The cipher string will no longer be valid when bigd.tmm is enabled and the keywords will need to be modified or removed. SSL monitors begin to fail after modifying bigd.tmm.

Workaround:
Modify or remove incompatible keywords from the ciphers string; the in-tmm monitoring feature only allows ciphers that are allowed by SSL profiles.


710809 : Restjavad hangs and causes GUI page timeouts

Component: Device Management

Symptoms:
Restjavad stops responding, causing GUI page timeouts.

Conditions:
The conditions behind this issue are not known.

Impact:
restjavad is active, but all endpoints are nonresponsive.

Workaround:
Restart restjavad.


709381-2 : iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out.

Component: Local Traffic Manager

Symptoms:
An iRules LX plugin does not properly run and messages similar to the following example are logged to the /var/log/ltm file:

err tmm[17616]: 01220001:3: TCL error: /Common/my-plugin/my-rule <HTTP_REQUEST> - ILX timeout. invoked from within "ILX::call $ilx_handle -timeout 3000 my-function"

Conditions:
An iRules LX workspace archive is imported to BIG-IP version 13.1.0 or later from a previous software version.

It should be noted this is what happens during a regular software upgrade. Therefore, you might encounter this issue when upgrading a system to BIG-IP version 13.1.0 or later.

Impact:
The affected iRules LX are not functional under the new software version, and the virtual servers utilizing them will experience various failures.

Workaround:
Change the node version from 0.12.15 to 6.9.1 and back.


703090-5 : With many iApps configured, scriptd may fail to start

Component: TMOS

Symptoms:
If many iApp instances are installed, scriptd may have issues starting up, including the log message:

"script has exceeded its time to live, terminating the script"

Conditions:
This occurs when many iApp instances exist. F5's internal testing has been able to show that it occurs with 70 instances.

Impact:
The error message will show up, and some instances of the script will not run.

Workaround:
Restarting scriptd will resolve the issue.


701341-4 : If /config/BigDB.dat is empty, mcpd continuously restarts

Solution Article: K52941103

Component: TMOS

Symptoms:
If another issue causes /config/BigDB.dat to be empty, mcpd will fail to start up.

Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.

Impact:
The system will fail to start up, and mcpd will continually restart.

Workaround:
Remove this empty file. (If BigDB.dat is nonexistent, the issue will not occur.)


698933-6 : Setting metric-type via ospf redistribute command may not work correctly

Component: TMOS

Symptoms:
When using a dynamic routing configuration in which an OSPF process redistributes routes from another OSPF process and sets a metric-type, the metric type is not changed.

Conditions:
Dynamic routing configuration with 2 or more OSPF processes redistributing routes using the "redistribute ospf <other process number> metric-type <type>"

Impact:
Metric type is not changed.

Workaround:
Change metric-type using a route-map applied to the redistribute command.


696755-3 : HTTP/2 may truncate a response body when served from cache

Component: Local Traffic Manager

Symptoms:
BIG-IP provides a client side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached in BIG-IP with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag causing the client to ignore the rest of the response body.

Conditions:
BIG-IP has a virtual where HTTP/2 and Web Acceleration profiles are configured.

Impact:
Some clients' browsers do not retry a resource causing incorrect rendering of an HTML page.

Workaround:
Adding the following iRule causes the body to be displayed:

when HTTP_RESPONSE_RELEASE {
    set con_len [string trim [HTTP::header value Content-Length]]
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length "$con_len"
}


695985-4 : Access HUD filter has URL length limit (4096 bytes)

Component: Access Policy Manager

Symptoms:
Access HUD filter cannot process a URL if it is longer than 4096 bytes.

Conditions:
Any URL with a request consisting of more than 4096 bytes.

Impact:
The URL cannot be processed, and client gets a RST.

Workaround:
None.


695878-2 : Signature enforcement issue on specific requests

Component: Application Security Manager

Symptoms:
Request payload does not get enforced by attack signatures on a certain policy configuration with specific traffic.

Conditions:
-- The violation 'Request exceeds max buffer size' is turned off.

-- The request is longer than the max buffer size (i.e., a request is larger than the internal long_request_buffer_size).

Impact:
Attack signatures are not enforced on the payload of this request at all.

Workaround:
Turn on the 'Request exceeds max buffer size' violation in blocking.


689361-4 : Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)

Component: Local Traffic Manager

Symptoms:
It is possible for an overwrite-configsync to change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device.

Conditions:
Two pool members are monitored; and one references a node not responding to ICMP requests; and a gateway_icmp monitor is on both nodes; and an overwrite-configsync is initiated from a paired device, where the node does respond to ICMP requests from that paired device.

Impact:
The overwrite-configsync causes the 'unchecked' monitor to transition to 'up', when it should remain 'unchecked' for the device to which the node does not respond to ICMP requests.

Workaround:
Ensure network configuration such that a monitored node responds to ICMP requests from both (or neither) of each paired-device. Alternatively, initiate configuration changes only from the device to which the node will not respond to ICMP requests.


687759-3 : bd crash

Component: Application Security Manager

Symptoms:
A bd crash.

Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, a form-data parsing is applied on a non-form-data payload (such as XML or JSON).

Impact:
bd crashes; system fails over; traffic disturbance occurs.

Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache


686059-4 : FDB entries for existing VLANs may be flushed when creating a new VLAN.

Component: Local Traffic Manager

Symptoms:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN.

Conditions:
- Creating a new VLAN with existing VLANs using trunk members.
- STP is enabled on its trunk member.

Impact:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN. This will result in potential network saturation.

Workaround:
To avoid the FDB flushing on trunk member interfaces of existing, unrelated VLANs, ensure that STP is disabled on its trunk member.


684096-4 : stats self-link might include the oid twice

Component: TMOS

Symptoms:
The object ID might be erroneously embedded in the self-link twice.

Conditions:
Querying for stats, such as https://<host>/mgmt/tm/ltm/pool/p1/stats

Impact:
An incorrect self-link is returned.

Workaround:
Be mindful when parsing the self-link.


683135-1 : Hardware syncookies number for virtual server stats is unrealistically high

Component: TMOS

Symptoms:
In some situations 'tmsh show ltm virtual' shows unrealistically high hardware (HW) syncookie numbers.

These unrealistically high HW syncookie stats cause AFM DoS TCP synflood vector to have high numbers, and that can cause TCP synflood vector to drop packets in HW based on the configured rate-limit for that vector.

Conditions:
Virtual server with hardware syncookie protection enabled.

Impact:
This is a stats issue. It can impact traffic if the AFM TCP Synflood vector is enabled in mitigation mode.

Workaround:
Disable the TCP Synflood vector in mitigate mode.

Since Syncookie is already providing protection, the TCP Synflood option should be enabled only in detect-only mode, if at all.


679431-4 : In routing module the 'sh ipv6 interface <interface> brief' command may not show header

Component: TMOS

Symptoms:
In the BIG-IP Advanced Routing module, the 'sh ipv6 interface <interface> brief' command does not show the header.

Conditions:
- Advanced Routing module licensed and configured
- From within imish shell, run the command 'sh ipv6 interface <interface> brief'.

Impact:
The header is not shown.

Workaround:
Run the equivalent command without indicating the interface:
sh ipv6 interface brief


679316-7 : iQuery connections reset during SSL renegotiation

Component: Global Traffic Manager (DNS)

Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record

Conditions:
This occurs when a system tries to send data over the iQuery connection while the two endpoints are performing SSL renegotiation.

Note: iQuery connections automatically perform SSL renegotiation every 24 hours.

Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.

Note: This is a subtly different issue from the one (with a very similar error, 140940F5 vs 140940E5) described in Bug ID 477240: iQuery connection resets every 24 hours :: https://cdn.f5.com/product/bugtracker/ID477240.html (K16185: BIG-IP GTM iQuery connections may be reset during SSL key renegotiation :: https://support.f5.com/csp/article/K16185).

This issue occurs even in versions where ID477240 is fixed. There is no fix for this specific trigger of the same message.

Workaround:
There is no workaround at this time.


673357-1 : SWG puts flow in intercept mode when session is not found

Component: Access Policy Manager

Symptoms:
In SWG, flows that should be getting bypassed are placed in intercept mode.

Conditions:
This occurs when the per-request policy receives an https request and a session is not established.

Impact:
In some cases, the client sees certificate warning.

Workaround:
If the access policy is "start->allow", the following iRule can be used as a workaround:

when CLIENT_ACCEPTED {
    if { [ACCESS::session exists] } {
        log local0. "Found Access Session"
        log local0. [ACCESS::session exists]
    } else {
        set sid [ACCESS::session create -lifetime 300 -timeout 300 -flow]
        log local0. "No Access Session found, creating $sid"
        ACCESS::session data set session.ui.mode "0"
        ACCESS::session data set session.policy.result "allow"
    }
}


670994-5 : There is no validation for IP address on the ip-address-list for static subscriber

Component: Policy Enforcement Manager

Symptoms:
You can add an IP address with a subnet mask for a static subscriber, and the system creates a subscriber by discarding the subnet mask without any error message.

Conditions:
This occurs when you add an IP address with a subnet mask to the IP address list for a static subscriber.

Impact:
An invalid IP address is added without warning or error.


666378-1 : A virtual server's connections per second (precision.last_value) is confusingly named.

Component: Local Traffic Manager

Symptoms:
A virtual server's current connections-per-second statistic has a confusing name. The statistic is maintained when rate limiting is configured for a virtual server. The statistic is updated when the virtual hits a rate-limiting condition, and it stays at the last value it held when the limit was hit.

Conditions:
If the rate limit is never configured then the value is 0. If the rate limit is configured and is hit, then the value is the active count when the limit was hit. The value stays at that count until the limit is hit again.

Impact:
There is no functional impact, but the statistic's meaning is confusing.

Workaround:
The MIB description should clarify the meaning of this statistic.


663946-6 : VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments

Component: Advanced Firewall Manager

Symptoms:
When DNS is under load greater than the AFM-configured rate limit, certain IPv4 packets are categorized as IPv6 atomic fragments and may be dropped due to rate limits.

Conditions:
-- AFM enabled.
-- DNS load greater than AFM-configured rate limit for IPv6 atomic fragments (default 10 KB).

Impact:
May result in lower than expected DNS load test results.

Workaround:
Use either of the following workarounds:
-- Disable AFM.
-- Increase detection limit for IPv6 atomic fragments under AFM.

Note: For AFM HW DoS protection, the host and vCMP guest must be the same version; disable hardware DoS checking on the vCMP guest to prevent this issue. To do so, set sys db dos.forceswdos to 'true'.


660913-3 : For ActiveSync client type, browscap info provided is incorrect.

Component: Access Policy Manager

Symptoms:
Clients using Microsoft ActiveSync are failing access policy evaluation.

Conditions:
-- This occurs with clients using Microsoft ActiveSync.
-- It can be encountered on upgrade if you are upgrading to version 12.1.2 - 14.1.0 from an earlier version.

Impact:
Clients using ActiveSync cannot authenticate.

Workaround:
None.


660759-1 : Cookie hash persistence sends alerts to application server.

Component: Fraud Protection Services

Symptoms:
When Persistence cookie insert is enabled with a non-default cookie name, the cookie might be overwritten after an alert is handled.

Conditions:
-- A persistence profile is configured on the virtual server.
-- Profile relies on cookie hash persistence.
-- Non-default Cookie name used for cookie persistence.

(Default cookie naming strategy appends Pool Name, which results in two cookies set with different names and different values, leaving the application pool persistence cookie unmodified.)

Impact:
Sends alerts to application server. Traffic might be sent to wrong pool member.

Workaround:
Use an iRule similar to the following to remove persistence cookie in case of alerts:

ltm rule /Common/cookie_persist_exclude_alerts {
    when HTTP_REQUEST {
        # Enable the usual persistence cookie profile.

        # Disable persistence for requests to the alert path.
        if { [HTTP::path] eq "/<alert-path>/" } {
            persist none
        }
    }
}


657834-5 : Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent

Solution Article: K45005512

Component: TMOS

Symptoms:
When using OSPF with high load and network recalculation there is a possibility of a race condition that can lead to additional OSPF retransmissions being sent out. This might also cause SNMP traps to be sent, if configured on the system.

Conditions:
-- OSPF routing protocol configured.
-- System configured to send SNMP traps.
-- OSPF instability/networking flaps.

Note: The greater the number of routes flapping, the more likely the condition is to occur.

Impact:
There is no impact on the OSPF processing itself. The additional traffic does not cause failing adjacencies or loss of routing information.

However, this might cause many additional OSPF related traps to be sent, which might cause additional load on the external network monitoring system.

Workaround:
While this does not have a direct workaround, you may want to investigate the cause of the network/OSPF instability that causes the additional retransmissions.


653573-6 : ADMd not cleaning up child rsync processes

Component: Anomaly Detection Services

Symptoms:
The ADMd daemon on the device is spinning up rsync processes and not cleaning them up properly, causing many zombie processes.

Conditions:
An rsync process ends via exit (in the case of some trouble).

Impact:
No technical impact, but there are many zombie processes.

Workaround:
Restart admd (bigstart restart admd) to remove all existing rsync zombies.


648621-6 : SCTP: Multihome connections may not expire

Component: TMOS

Symptoms:
SCTP: Multihome connections may not expire when forcibly deleted.

Conditions:
The multi-homing connections have been forcibly deleted using a tmsh command.

Impact:
The multi-homing connections do not expire.

Workaround:
Do not manually delete the multi-homing connections.


648270-1 : mcpd can crash if viewing a fast-growing log file through the GUI

Component: TMOS

Symptoms:
If the GUI tries to display a log file that is actively growing by thousands of log entries per second, the GUI might hang, and mcpd could run out of memory and crash.

Conditions:
The GUI tries to display a log file that is actively growing by thousands of log entries per second.

Impact:
mcpd crashes, and both mcpd and tmm restart. Traffic disrupted while tmm restarts.

Workaround:
Do not use the GUI to view a log file that is growing by thousands of log entries per second.


646440-1 : TMSH allows mirror for persistence even when no mirroring configuration exists

Component: Local Traffic Manager

Symptoms:
When Mirroring is not configured in a high-availability (HA) configuration, the Configuration Utility (GUI) correctly hides the 'mirror' option for Persistence profile. However, Persistence Mirroring can still be enabled via TMSH.

Conditions:
-- Mirroring is configured in an HA configuration.
-- Persistence profile.
-- Using TMSH.

Impact:
A memory leak and degraded performance can occur when:

-- The Mirroring option of a Persistence profile is enabled.
-- Mirroring in the HA environment is not configured.

Workaround:
Always use the Configuration Utility (GUI) to configure Persistence profiles.

If you encounter this issue, complete the following procedure to locate Persistence profiles with Mirroring enabled, and then disable Mirroring for those profiles:

1. Access the BIG-IP Bash prompt.

2. List the Persistence profiles with the following command:
      tmsh list ltm persistence

3. Examine the Persistence profiles to identify the ones with 'mirror enabled'.

4. Disable Mirroring for each Persistence profile, using a command similar to the following:
      tmsh modify ltm persistence <persistence_type> <profile_name> mirror disabled

5. Save the changes to the Persistence profiles:
      tmsh save sys config
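
Steps 2 through 4 above can be scripted. The following is an added example, not F5's own code: it parses 'tmsh list ltm persistence' output and prints the step 4 command for each profile with 'mirror enabled'. The sample output and its profile names are constructed, and the parser assumes each profile stanza is flat (no nested braces).

```bash
#!/usr/bin/env bash
# Added example: turn `tmsh list ltm persistence` output into the
# `tmsh modify ... mirror disabled` commands from step 4.

# Constructed sample of `tmsh list ltm persistence` output; the profile
# names are hypothetical.
sample_tmsh_output() {
cat <<'EOF'
ltm persistence cookie app1_cookie {
    app-service none
    defaults-from cookie
    mirror enabled
}
ltm persistence source-addr app2_src {
    defaults-from source_addr
    mirror disabled
    timeout 180
}
ltm persistence universal /Common/app3_uie {
    defaults-from universal
    mirror enabled
    rule app3_persist_rule
}
EOF
}

# Reads tmsh stanza text on stdin and prints one modify command for each
# profile whose stanza contains 'mirror enabled'.
mirror_fix_commands() {
    awk '
        # Stanza header: ltm persistence <type> <name> {
        $1 == "ltm" && $2 == "persistence" && $NF == "{" {
            type = $3; name = $4; next
        }
        # Property line inside the current stanza.
        $1 == "mirror" && $2 == "enabled" && name != "" {
            printf "tmsh modify ltm persistence %s %s mirror disabled\n", type, name
        }
        # End of stanza: forget the current profile.
        $1 == "}" && NF == 1 { type = ""; name = "" }
    '
}

# On a BIG-IP system, replace sample_tmsh_output with: tmsh list ltm persistence
# Review the printed commands, run them, then run: tmsh save sys config
sample_tmsh_output | mirror_fix_commands
```

The script only prints the commands, so they can be reviewed before any profile is changed.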


641450-7 : A transaction that deletes and recreates a virtual may result in an invalid configuration

Solution Article: K30053855

Component: TMOS

Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.

Config load error:
    01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.

Configuration-change-time error in /var/log/ltm:
    err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>

Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).

Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.

Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
   1. Delete virtual server.
   2. Create virtual server (with an empty profile list).
   3. Modify the virtual server's profile list.


632553-4 : DHCP: OFFER packets from server are intermittently dropped

Component: Local Traffic Manager

Symptoms:
With a DHCP relay virtual server, OFFER packets from the DHCP server are intermittently not forwarded to the client and are dropped on the BIG-IP system.

Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.

Impact:
Client machines joining the network do not receive DHCP OFFER messages.

Workaround:
Force deletion of the server-side flow. For example, if DHCP server 10.0.66.222 is broken, issue the following tmsh command:

tmsh delete sys connection ss-server-addr 10.0.66.222 cs-server-port 67


625807-1 : tmm cored in bigproto_cookie_buffer_to_server

Component: Local Traffic Manager

Symptoms:
TMM cores on SIGSEGV during normal operation.

Conditions:
It is not known exactly what triggers this, but it may be triggered when a connection is aborted in a client-side iRule. The following log signature may indicate that this is being triggered:

tmm3[11663]: 01220009:6: Pending rule <irule_name> <HTTP_REQUEST> aborted for <ip> -> <ip>

Impact:
Traffic disrupted while tmm restarts.


606032-5 : Network Failover-based HA in AWS may fail

Component: TMOS

Symptoms:
MCPD posts an error that network failover is not configurable:
01071ac2:3: Device-group (/Common/autoscale-group): network-failover property must be disabled in VE-1NIC.

Conditions:
Attempting to set up high availability (HA) in Amazon Web Services (AWS) with only 1 network interface.

Impact:
Configuration of HA in AWS cannot be completed.

Workaround:
The current workaround is to configure HA in AWS with at least 2 network interfaces.


601220-3 : Multi-blade trunks seem to leak packets ingressed via one blade to a different blade

Component: TMOS

Symptoms:
When a multi-blade VIPRION deployment first starts up or recovers from a chassis-wide force-offline/release-offline event, multi-blade trunks seem to leak packets that ingressed on one blade, out the same trunk's member interfaces on other blades.

Conditions:
-- Multi-blade VIPRION deployment.
-- Chassis-wide reboot or force-offline/release-offline event occurs.

Impact:
This is a very intermittent issue that is not reproducible and happens for only a few milliseconds. This may temporarily impact the upstream switch L2 FDB and cause slight traffic redirection as the upstream switch will learn the source MAC of the gratuitous ARPing host from the same trunk the traffic was broadcast to.

Note: This is not an F5-specific problem. It occurs on every stack switch hardware under these conditions.

Workaround:
There is no workaround.


600985-1 : Network access tunnel data stalls

Component: Access Policy Manager

Symptoms:
In certain scenarios, the network access tunnel stays up; however, no data transfer occurs on the tunnel. This issue occurs intermittently.

Conditions:
The cause of this issue is not yet known.

Impact:
Data stalls on the tunnel, so users cannot access any applications. However, Edge Client shows the VPN tunnel as 'Connected'.

Workaround:
Manually re-establish the tunnel.


591305-3 : Audit log messages with "user unknown" appear on install

Component: TMOS

Symptoms:
Multiple log entries in /var/log/audit similar to the following:

May 4 11:37:35 localhost notice mcpd[5488]: 01070417:5: AUDIT - client Unknown, user Unknown - transaction #33-1 - object 0 - create_if { db_variable { db_variable_name "version.edition" db_variable_value "<none>" db_variable_sync_type "private_internal" db_variable_data_type "string" db_variable_display_name "Version.Edition" } } [Status=Command OK]

Conditions:
This happens on initial install; it is not yet known what triggers it.

Impact:
This is the result of a daemon on the system not properly identifying itself to mcpd. The log messages can be safely ignored.


581921-5 : Required files under /etc/ssh are not moved during a UCS restore

Solution Article: K22327083

Component: TMOS

Symptoms:
The SSH files required for SSH sign on are not transferred when performing a UCS restore operation. Further, files are not transferred even during upgrade.

Conditions:
This can happen when performing a UCS restore operation, or when upgrading from one version to the next.

Impact:
This might impact SSH operations.

Workaround:
Add the /etc/ssh directory to the UCS backup configuration. This causes all subsequent UCS backup and restore operations to include the /etc/ssh/ directory.

To complete this procedure, refer to K4422: Viewing and modifying the files that are configured for inclusion in a UCS archive :: https://support.f5.com/csp/article/K4422.


569859-5 : Password policy enforcement for root user when mcpd is not available

Component: TMOS

Symptoms:
When the mcpd configuration database is not available, password policy is not enforced when changing the password for the user 'root' using the command-line 'passwd' utility.

Conditions:
-- Advanced shell access.
-- mcpd is not available.
-- Change root password with the 'passwd' utility.

Impact:
Root password may be set to a string that does not comply with the current password policy.

Workaround:
None.


544958-1 : Monitors packets are sent even when pool member is 'Forced Offline'.

Component: Local Traffic Manager

Symptoms:
If you have a pool member associated with more than one virtual server and the pool member is marked Forced-Offline, the pool monitor will continue to function if the monitor is assigned to both pools.

Conditions:
-- Pools containing identical members.
-- Pool monitoring configured.
-- Pool members are Forced Offline.

Impact:
Monitor packets are sent even when the pool member is 'Forced Offline'.

Workaround:
None.


534187-5 : Passphrase protected signing keys are not supported by SAML IDP/SP

Component: Access Policy Manager

Symptoms:
Signing operation may fail if the BIG-IP system is used as a SAML Identity Provider or Service Provider and is configured to use passphrase-protected signing keys.

Conditions:
Private key used to perform digital signing operations is passphrase protected.

Impact:
SAML protocol will not function properly due to inability to sign messages.

Workaround:
To work around the problem, remove the passphrase from the signing key.


505037-5 : Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop

Solution Article: K01993279

Component: Local Traffic Manager

Symptoms:
Modifying a monitored pool with a gateway failsafe device might put secondary into restart loop.

Conditions:
Only occurs in clustered environments, when modifying a monitored pool to set the gateway failsafe device while the secondary is down. Symptom occurs when the secondary comes back up and attempts to update the health status of a pool.

Impact:
Secondary in a restart loop.

Workaround:
Remove the gateway failsafe device. Re-apply when the blade is up.


504522-4 : Trailing space present after 'tmsh ltm pool members monitor' attribute value

Component: Local Traffic Manager

Symptoms:
Values returned from the tmsh command 'ltm pool pool members monitor' have a trailing space, such as returning '/Common/myhttps ' (note the trailing space). This trailing space is also observed in the value returned from a REST call.

Conditions:
'tmsh' or a REST call is used to return the 'monitor' for pool members.

Impact:
Scripts or custom applications processing this returned output may wish to 'trim' whitespace on the value (as a trailing space is present); or should not assume the trailing space will be present in the future (as this behavior is not guaranteed).

Workaround:
Use a script or custom application to 'trim' trailing whitespace from returned values.


498926 : Client can fail to start a new session in multi-domain SSO.

Component: Access Policy Manager

Symptoms:
A client cannot start a new session from the session expired page if the session expires on the primary auth domain before the policy completes.

Conditions:
-- Configure multi-domain SSO.
-- Client attempts to access an application (www.site.com) and is then redirected to the auth domain (www.primaryauth.com).
-- The auth policy is allowed to expire without completing.

Impact:
The 'start a new session' prompt cannot send the client back to the application to restart the policy, since that information was lost when the session expired. The client must use the back button to return to the application to start a new session.

Workaround:
As a workaround, in Customization, modify the HREF for the Session Expired Message so that it redirects to www.site.com.

In the customization text for the Session Expired Message, replace [SESSION_RESTART_URL] with the session variable %{session.server.network.name}.


486712-5 : GUI PVA connection maximum statistic is always zero

Component: TMOS

Symptoms:
The GUI PVA connection maximum statistic is always zero, regardless of the number of PVA connections established.

Conditions:
This occurs when fastL4 connections are used.

Impact:
The customer cannot determine the maximum number of PVA connections because the stat is always zero.


484683-2 : Certificate_summary is not created at peer when the chain certificate is synced to HA peer.

Component: TMOS

Symptoms:
The other peer in a high-availability (HA) pair cannot show the cert-chain summary using 'tmsh run sys crypto check-cert verbose enabled' after config-sync.

Conditions:
Conditions leading to this issue include:
1. On the command line or in the GUI, set up an HA pair.
2. Import Certificate chain to one BIG-IP system.
3. 'run config-sync' to sync the Certificate chain to the peer BIG-IP system.

Impact:
After a ConfigSync operation, the certificate chain summary is not created on other HA peers.

Workaround:
Copy the cert-chain file to a place (such as /shared/tmp/), and update the cert-chain using a command similar to the following:
modify sys file ssl-cert Cert-Chain_Browser_Serv.crt source-path file:/shared/tmp/Cert-Chain_Browser_Serv.crt_58761_1


474797-4 : Nitrox crypto hardware may attempt soft reset while currently resetting

Component: Local Traffic Manager

Symptoms:
Nitrox crypto hardware may attempt soft reset to clear a stuck condition while already engaged in a soft reset attempt.

Conditions:
Soft reset is needed to clear a stuck condition occurring in the timeframe during which another soft reset is occurring.

Impact:
The initial soft reset attempt does not complete as the process is restarted by the new attempt.

Workaround:
Correct the condition that makes the soft reset necessary, or disable hardware-based crypto acceleration by setting db variable 'tmm.ssl.cn.shunt' to disable.

To disable hardware-based crypto acceleration, issue the following command:

tmsh modify sys db tmm.ssl.cn.shunt value disable

Note: Disabling hardware-based crypto acceleration results in all crypto actions being processed in software, which might result in higher CPU and memory usage based on traffic patterns.


264701-3 : GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608)

Component: Global Traffic Manager (DNS)

Symptoms:
The zrd process exits and cannot be restarted.

Conditions:
This occurs when the journal is out-of-sync with the zone.

Impact:
The zrd process cannot be restarted.

Workaround:
Before beginning, ensure that no one else is making config changes (i.e., consider making changes during a maintenance window).

I) On a working system, perform the following:
1. # rndc freeze $z

(Do this for all nonworking zones. Do not perform the thaw until you finish copying all needed files to the nonworking system.)

2. # tar zcvf /tmp/named.zone.files namedb/db.[nonworking zones]
3. # rndc thaw $z

II) On each nonworking system, perform the following:
1. # bigstart stop zrd; bigstart stop named
2. Copy the nonworking /tmp/named.zone.files from a working GTM system.
3. # bigstart start named; bigstart start zrd

(Before continuing, review /var/log/daemon.log for named errors, and review /var/log/gtm for zrd errors.)

Repeat part II until all previously nonworking systems are working.

III) On a working GTM system, run the following command:
# touch /var/named/config/named.conf


222220-4 : Distributed application statistics

Component: Global Traffic Manager (DNS)

Symptoms:
Distributed application statistics shows only requests passed to its first wide IP.

Conditions:
Using Distributed application statistics and multiple wide-IP-members.

Impact:
The system does not include statistics for requests passed to other wide-IP-members of the distributed application.

Workaround:
None.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************