Supplemental Document : BIG-IP 14.1.0 Fixes and Known Issues

Applies To:


BIG-IP AAM

  • 14.1.0

BIG-IP APM

  • 14.1.0

BIG-IP Analytics

  • 14.1.0

BIG-IP Link Controller

  • 14.1.0

BIG-IP LTM

  • 14.1.0

BIG-IP PEM

  • 14.1.0

BIG-IP AFM

  • 14.1.0

BIG-IP FPS

  • 14.1.0

BIG-IP DNS

  • 14.1.0

BIG-IP ASM

  • 14.1.0

Original Publication Date: 12/11/2018 Updated Date: 04/18/2019

BIG-IP Release Information

Version: 14.1.0
Build: 116.0

NOTE: This release includes fixes for the Spectre Variant 1 and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754).
In some configurations, installing software containing these fixes might impact performance. You can disable these fixes to recover performance. Please see K91229003 for additional Spectre and Meltdown information.

Known Issues in BIG-IP v14.1.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
739970 CVE-2018-5390 K95343321 Linux kernel vulnerability: CVE-2018-5390
738735 CVE-2018-1336 K73008537 Tomcat Vulnerability: CVE-2018-1336
726089 CVE-2018-15312 K44462254 Modifications to AVR metrics page
725815 CVE-2018-15320 K72442354 vlangroup usage may cause an excessive resource consumption
724339-5 CVE-2018-15314 K04524282 Unexpected TMUI output in AFM
724335-5 CVE-2018-15313 K21042153 Unexpected TMUI output in AFM
722091 CVE-2018-15319 K64208870 TMM may crash while processing HTTP traffic
717888-3 CVE-2018-15323 K26583415 TMM may leak memory when a virtual server uses the MQTT profile.
717742 CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 K44923228 Oracle Java SE vulnerability CVE-2018-2783
716992-1 CVE-2018-5539 K75432956 The ASM bd process may crash
715923 CVE-2018-15317 K43625118 When processing TLS traffic TMM may reset connections
710244 CVE-2018-5536 K27391542 Memory Leak of access policy execution objects
709979 CVE-2017-12613 K52319810 Apache Portable Runtime vulnerability CVE-2017-12613
709688 CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 K08306700 dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
707186-2 CVE-2018-5514 K45320419 TMM may crash while processing HTTP/2 traffic
702232 CVE-2018-5517 K25573437 TMM may crash while processing FastL4 TCP traffic
701253 CVE-2018-15318 K16248201 TMM core when using MPTCP
698080 CVE-2018-5503 K54562183 TMM may consume excessive resources when processing with PEM
695072 CVE-2016-8399, CVE-2017-1000111, CVE-2017-1000112, CVE-2017-11176, CVE-2017-14106, CVE-2017-7184, CVE-2017-7541, CVE-2017-7542, CVE-2017-7558 K23030550 CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558
688516 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
651741-3 CVE-2017-5970 K60104355 CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop
741858 CVE-2018-15324 K52206731 TMM may crash while processing Portal Access requests
734822 CVE-2018-15325 K77313277 TMSH improvements
726409 CVE-2017-8890, CVE-2017-9075, CVE-2017-9076, CVE-2017-9077 K61429540 Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
725801 CVE-2017-7889 K80440915 CVE-2017-7889: Kernel Vulnerability
725635 CVE-2018-3665 K21344224 CVE-2018-3665: Intel Lazy FPU Vulnerability
724759 CVE-2018-11237 K35981055 glibc vulnerability CVE-2018-11237
721282 CVE-2018-3639 K58304450 Java Vulnerability: CVE-2018-3639
719554 CVE-2018-8897 K17403481 Linux Kernel Vulnerability: CVE-2018-8897
717900-3 CVE-2018-5528 K27044729 TMM crash while processing APM data
714369-2 CVE-2018-5526 K62201098 ADM may fail when processing HTTP traffic
714350-2 CVE-2018-5526 K62201098 BADOS mitigation may fail
710705 CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 K34035645 Multiple Wireshark vulnerabilities
710238 CVE-2015-5180 CVE-2018-1000001 CVE-2017-15670 CVE-2017-12132 CVE-2014-9402 CVE-2017-1000366 CVE-2017-15804 K55001100 glibc Vulnerabilities: CVE-2015-5180 CVE-2018-1000001 CVE-2017-15670 CVE-2017-12132 CVE-2014-9402 CVE-2017-1000366 CVE-2017-15804
709711 CVE-2017-10193, CVE-2017-10198, CVE-2017-10274, CVE-2017-10281, CVE-2017-10285, CVE-2017-10295, CVE-2017-10345, CVE-2017-10346, CVE-2017-10347, CVE-2017-10348, CVE-2017-10349, CVE-2017-10350, CVE-2017-10355, CVE-2017-10356, CVE-2017-10357, CVE-2017-10388, CVE-2018-2579, CVE-2018-2588, CVE-2018-2599, CVE-2018-2602, CVE-2018-2603, CVE-2018-2618, CVE-2018-2629, CVE-2018-2633, CVE-2018-2634, CVE-2018-2637, CVE-2018-2641, CVE-2018-2663, CVE-2018-2677, CVE-2018-2678 K04734043 Multiple Java Vulnerabilities
709256 CVE-2017-9074, CVE-2017-7542 K61223103 CVE-2017-9074: Local Linux Kernel Vulnerability
705799 CVE-2018-15325 K77313277 TMSH improvements
705476 CVE-2018-15322 K28003839 Appliance Mode does not follow design best practices
703940 CVE-2018-5530 K45611803 Malformed HTTP/2 frame consumes excessive system resources
699453 CVE-2018-15327 K20222812 Web UI does not follow current best coding practices
698813 CVE-2018-5538 K45435121 When processing DNSX transfers ZoneRunner does not enforce best practices
689465 CVE-2017-10102, CVE-2017-10107, CVE-2017-10096, CVE-2017-10101, CVE-2017-10089, CVE-2017-10090, CVE-2017-10087, CVE-2017-10110, CVE-2017-10074, CVE-2017-10067, CVE-2017-10116, CVE-2017-10243, CVE-2017-10115, CVE-2017-10135, CVE-2017-10108, CVE-2017-10109, CVE-2017-10081, CVE-2017-10053, CVE-2017-3511, CVE-2017-3526, CVE-2017-3509, CVE-2017-3539, CVE-2016-5542, CVE-2017-3533, CVE-2017-3544, CVE-2017-3241, CVE-2017-3272, CVE-2017-3289, CVE-2016-5548, CVE-2016-5546, CVE-2017-3253, CVE-2016-5547, CVE-2017-3252, CVE-2016-5552, CVE-2017-3261, CVE-2017-3231, CVE-2016-2183 K15518610 Multiple Java Vulnerabilities
689463 CVE-2016-6210, CVE-2016-6515, CVE-2016-10009, CVE-2016-10011, CVE-2016-10012, CVE-2016-10708 K14845276 openssh security update
677088 CVE-2018-15321 K01067037 BIG-IP tmsh vulnerability CVE-2018-15321
659142-1 CVE-2016-10200 K68852819 CVE-2016-10200
643554-9 CVE-2017-3731 CVE-2017-3732 CVE-2016-7055 K37526132 K44512851 K43570545 OpenSSL vulnerabilities - OpenSSL 1.0.2k library update
640493-2 CVE-2016-7543 K73705133 Bash vulnerability CVE-2016-7543
636453-8 CVE-2016-10009 K31440025 OpenSSH vulnerability CVE-2016-10009
617273-9 CVE-2016-5300 K70938105 Expat XML library vulnerability CVE-2016-5300
593139-11 CVE-2014-9761 K31211252 glibc vulnerability CVE-2014-9761
714879 CVE-2018-15326 K34652116 APM CRLDP Auth passes all certs
710148 CVE-2017-1000111, CVE-2017-1000112 K60250153 CVE-2017-1000111 & CVE-2017-1000112
656912-6 CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464, CVE-2017-6451, CVE-2017-6458 K32262483 Various NTP vulnerabilities
655726 CVE-2015-8984 K29241247 GNU C Library (glibc) vulnerability CVE-2015-8984
648227-4 CVE-2015-5180 K55001100 glibc vulnerability CVE-2015-5180
641101-5 CVE-2016-8743 K00373024 httpd security and bug fix update CVE-2016-8743
602288-1 CVE-2016-3706 K06493172 glibc vulnerability CVE-2016-3706
579592-6 CVE-2015-8776 K23946311 glibc vulnerability CVE-2015-8776
578983-3 CVE-2015-8778 K51079478 glibc: Integer overflow in hcreate and hcreate_r
510311-1 CVE-2014-9402 K16365 GNU C Library (glibc) vulnerability CVE-2014-9402
726417 CVE-2018-12020 K55121327 GnuPG vulnerability CVE-2018-12020
720623 CVE-2018-1111 K32541890 DHCP Client Script Code Execution vulnerability CVE-2018-1111
701785 CVE-2017-18017 K18352029 Linux kernel vulnerability: CVE-2017-18017
691757-2 CVE-2017-15906 K89621551 OpenSSH vulnerability CVE-2017-15906
689702 CVE-2017-5334, CVE-2017-5335, CVE-2017-5336, CVE-2017-5337, CVE-2017-7869, CVE-2017-7507, CVE-2016-7444 K31336596 GNUTLS Vulnerabilities


Functional Change Fixes

ID Number Severity Solution Article(s) Description
723698 1-Blocking   Address lists and port lists used for AFM firewall rules cannot be created unless AFM is provisioned
716392 1-Blocking   Support for 24 vCMP guests on a single 4450 blade
693359 1-Blocking   AWS M5 and C5 instance families are supported
689328 1-Blocking   Incremental discovery reports empty results when the uri query parameter begins with '/'
705311 2-Critical   Separate ePVA offload timing configuration according to protocol
700918 2-Critical   vADC: default gateway route required, lasthop kernel module removed
641724-1 2-Critical   BIG-IP VE support for GCE
743970 3-Major   Ensure 8 GB RAM vCMP guests have no more than three modules provisioned before upgrading
734527 3-Major   BGP 'capability graceful-restart' for peer-group not properly advertised when configured
722560 3-Major   The configuration may fail to load if a pool-type route is created that does not reference a pool
718812 3-Major   Removed 3des-cbc from default cipher list for SSHD.
717391 3-Major   advCustHelp - how to add, remove, and modify advanced customization without it
715750 3-Major   The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.
708389-2 3-Major   BADOS monitoring with Grafana requires admin privilege
704751 3-Major   Add virtual server name is recorded by the remote logging profile
667486 3-Major   Update default tcp, f5-tcp-wan, f5-tcp-lan and f5-tcp-mobile profile.
661909-1 3-Major   First-time root and admin passwords must now comply with the password policy.
605860 3-Major   Gx, Gy and Sd SessionIds have fixed prefixes
594551 3-Major   Start to allow clientSSL profiles to be configured without RSA type key/cert pair
575788 3-Major   non-local static ARP entries are not recreated on tmm restart
575667 3-Major   HTTP::has_responded has been introduced to give user status on if a specific request has been responded to.
542880 3-Major   BIG-IP system should support cipher suites ChaCha20 and Poly1305
532181 3-Major   SNMP passphrases appear to change each time they are displayed in TMSH
741408 4-Minor   netHSM partition password length increase to 192 characters
700728 4-Minor   Provide an internal parameter to configure allowed empty headers
676026 4-Minor   Add support for more profiles with the http-transparent profile.
660850 4-Minor   /etc/motd is now included in UCS files
637946 4-Minor   Do not manually create a sys management-ip on a clustered BIG-IP Platform through the admin_ip object.
629256 4-Minor   Qkview now contains cloud metadata
604731 4-Minor   Improvement for 'tmsh show ltm pool' command


TMOS Fixes

ID Number Severity Solution Article(s) Description
721364-2 1-Blocking   BIG-IP per-application VE BYOL license does not support three wildcard virtual servers
708956-2 1-Blocking K51206433 During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
700315 1-Blocking K26130444 Ctrl+C does not terminate TShark
746557 2-Critical   Do not provision both GTM and LC modules when upgrading on C117 BIG-IP
743810 2-Critical   AWS: Disk resizing in m5/c5 instances fails silently.
743790 2-Critical   BIG-IP system should trigger a HA failover event when expected HSB device is missing from PCI bus
743233 2-Critical   Default engineID may have different lengths
743082 2-Critical   Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members
741423 2-Critical   Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
739285 2-Critical   GUI partially missing when VCMP is provisioned
738887 2-Critical   The snmpd daemon may leak memory when processing requests.
738119 2-Critical   SIP routing UI does not follow best practices
737900 2-Critical   mcpd might crash on an unlicensed system
737055 2-Critical   Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy
734539 2-Critical   The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads
725696 2-Critical   A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted
723722 2-Critical   MCPD crashes if several thousand files are created between config syncs.
723298 2-Critical   BIND upgrade to version 9.11.4
723130-2 2-Critical   Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
721924 2-Critical   bgpd may crash processing extended ASNs
721350 2-Critical   The size of the icrd_child process is steadily growing
719597-2 2-Critical   HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0
717785 2-Critical   Interface-cos shows no egress stats for CoS configurations
716391 2-Critical K76031538 High priority for MySQL on 2 core vCMP may lead to control plane process starvation
715820 2-Critical K61422392 vCMP in HA configuration with VIPRION chassis might cause unstable data plane
715061 2-Critical   vCMP: tmm core in guest when stopping vCMP guest from host
714795 2-Critical   ospfd cores when configured with 'area 0 range 0.0.0.0/0'
714281 2-Critical   NSH tunnel reject inner packet from other vendor
713598 2-Critical   Failed attempt to resize 'appdata' leaves volume unmounted.
712401 2-Critical   Enhanced administrator lock/unlock for Common Criteria compliance
711683 2-Critical   bcm56xxd crash with empty trunk in QinQ VLAN
710277 2-Critical   IKEv2 further child_sa validity checks
708968 2-Critical   OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
707003-1 2-Critical   Unexpected syntax error in TMSH AVR
706688-1 2-Critical   Automatically add additional certificates to BIG-IP system in C2S and IC environments
706423 2-Critical   tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
703761 2-Critical   Disable DSA keys for public-key and host-based authentication in Common Criteria mode
703669 2-Critical   Eventd restarts on NULL pointer access
703045 2-Critical   If using TMSH commands with deprecated attributes in iAPP, the upgrade will fail.
701898-3 2-Critical   Certain virtual address route-advertisement settings break upgrades from 13.0.0 hotfix rollups
701877 2-Critical   new command-line tools (curl and nghttp) added
700086 2-Critical   AWS C5/M5 Instances do not support BIG-IP VE
698931 2-Critical   Corrupted SessionDB messages causes TMM to crash
692890 2-Critical   Adding support for BIG-IP 800 in 13.1.x
692158 2-Critical   iCall and CLI script memory leak when saving configuration
660577-1 2-Critical   openldap; prevent crash on rc==LDAP_SUCCESS && res==NULL
581851-3 2-Critical K16234725 mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands
743818 3-Major   In LTM Policy Rule page, replacing 'forward node' action with 'forward pool' does not delete the node property
741902 3-Major   sod does not validate message length vs. received packet length
741599 3-Major   After upgrade, Client SSL profile may have extra cert-key-chain structure
740746 3-Major   RSA key creation fails for generating key/csr pair when using gen-csr challenge-password
740517 3-Major   Application Editor users are unable to edit HTTPS Monitors via the Web UI
740413 3-Major   sod not logging Failover Condition messages
740135 3-Major   Traffic Group ha-order list does not load correctly after reset to default configuration
739872 3-Major   The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover
739533 3-Major   In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config
739126-1 3-Major   Multiple VE installations may have different sized volumes
738445 3-Major   IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup
737901 3-Major   Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode
737437 3-Major   IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages
737397 3-Major   User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP
735565 3-Major   BGP neighbor peer-group config element not persisting
734846 3-Major   Redirection to logon summary page does not occur after session timeout
734452 3-Major   Standby device goes active during UCS restore after default config is loaded and a serial cable is used for failover
733585 3-Major   Merged can use 100% of CPU if all stats snapshot files are in the future
727467 3-Major   Some iSeries appliances can experience traffic disruption when the HA peer is upgraded from 12.1.3 and earlier to 13.1.0 or later.
727297 3-Major   GUI TACACS+ remote server list should accept hostname
726935 3-Major   Device management and GUI can be configured using different crt/key
726622 3-Major   Entropy start-up sentinel file is not cleared on successful start
725985 3-Major   REST API takes more than 20 seconds when 1000+ virtual servers with SNAT-Pool configured
725792 3-Major   BWC: Measure log-publisher if used might result in memory leak
724143 3-Major   IKEv2 connflow expiration upon ike-peer change
723579 3-Major   OSPF routes missing
722682 3-Major   Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load
722380 3-Major   The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
721740 3-Major   CPU stats are not correctly recorded when snapshot files have timestamps in the future
721488 3-Major   procps-ng Vulnerabilities: CVE-2018-1124, CVE-2018-1126
721342-1 3-Major   No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments.
721016-1 3-Major   vcmpd fails updating VLAN information on vcmp guest
720961-2 3-Major   Upgrading in Intelligence Community AWS environment may fail
720819 3-Major   Certain platforms may take longer than expected to detect and recover from HSB lock-ups
720756-2 3-Major   SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS
720713 3-Major   TMM traffic to/from a i10600/i10800 device in vCMP host mode may fail
720651 3-Major   Running Guest Changed to Provisioned Never Stops
720461 3-Major   qkview prompts for password on chassis
720269 3-Major   TACACS audit logging may append garbage characters to the end of log strings
720110 3-Major   0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.
720104-3 3-Major   BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
720081 3-Major   dhclient.mgmt db variable value will need to be changed before downgrading from this version
719396 3-Major K34339214 DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.
718817 3-Major   Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.
718525 3-Major   PostgreSQL errors seen on startup after removing the mcpd binary database and rebooting
718397 3-Major   IKEv2: racoon2 appends spurious trailing null byte to ID payloads
718201-1 3-Major   No alert for failed RAID disk
716851 3-Major   SNMP EngineID type configuration for IPv4 and IPv6 address selection selects the loopback address
716437 3-Major   Need AAM provisioned to assign iSession profiles to virtual servers
716180 3-Major   Some browsers may prevent the Start Screen from opening in a new tab when set to Network Map
716166 3-Major   Dynamic routing not added when conflicting self IPs exist
715200 3-Major   VE with only hda drive does not report disk statistics
714986 3-Major   Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot
714974 3-Major   Platform-migrate of UCS containing QinQ fails on VE
714903 3-Major   Errors in chmand
714654 3-Major   Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
714303 3-Major   X520 virtual functions do not support MAC masquerading
713729 3-Major   GUI SSL Certificate does not display correct expiration dates
713708-7 3-Major   Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI
713319 3-Major   GUI iRule Data Group properties: when viewing object with IPv4-mapped IPv6 address get 'An error has occurred while trying to process your request.'
712266 3-Major   Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware
712126 3-Major   slf4j Vulnerability: CVE-2018-8088
712102 3-Major K11430165 customizing or changing the HTTP Profile's IPv6 field hides the field or the row
712033 3-Major   When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name
711879-1 3-Major   Web GUI can sometime display the wrong cert and key for a GTM monitor that has the same name as some LTM monitor.
711249 3-Major   NAS-IP-Address added to RADIUS packet unexpectedly
710827 3-Major   TMUI dashboard daemon stability issue
710666 3-Major   VE with interface(s) marked down may report high cpu usage
710232 3-Major   platform-migrate fails when LACP trunks are in use
710017 3-Major K10211160 iControl SOAP/GUI cannot generate SSL certificate or CSR for password-protected SSL key
709936-3 3-Major   Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
709544 3-Major   VCMP guests in HA configuration become Active/Active during upgrade
709444 3-Major   "NTP not configured on device" warning seen when NTP symmetric key authentication is configured
709192 3-Major   GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart
708601 3-Major   Display of Network Map is unreadable in browsers that cache old files
708558 3-Major   SNMP traps do not follow current best practices
708554 3-Major   SNMP traps do not follow current best practices
708484 3-Major   Network Map might take a long time to load
708291 3-Major   iApp import immediately merges arbitrary configuration objects
708117 3-Major   TMUI - Subject Alternative Name text box is not populated when renewing SAN-enabled cert
707740 3-Major   Failure deleting GTM Monitors when used on multiple Virtual Servers with the same ip:port combination
707585 3-Major   Use native driver for 82599 NICs instead of UNIC
707509 3-Major   Initial vCMP guest creations can fail if certain hotfixes are used
707445-2 3-Major K47025244 Nitrox 3 compression hangs/unable to recover
707391 3-Major   BGP may keep announcing routes after disabling route health injection
706890 3-Major   i2000, i4000 i86 series platforms only - interface flow control not implemented
706804 3-Major   SNMP trap destination configuration of network option is missing "default" keyword
706169 3-Major   tmsh memory leak
706115 3-Major   MCPD configuration load fails after reboot if user manually configures a static route while 1nic autoconfig is enabled.
706104 3-Major   Dynamically advertised route may flap
705655 3-Major   Virtual address not responding to ICMP when ICMP Echo set to Selective
705037 3-Major K32332000 System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
704804 3-Major   The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
704755 3-Major   EUD_M package could not be installed on 800 platforms
704733 3-Major   NAS-IP-Address is sent with the bytes in reverse order
704449 3-Major   Orphaned tmsh processes might eventually lead to an out-of-memory condition
704247 3-Major   BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
703869-2 3-Major   Waagent updated to 2.2.21
703766 3-Major   TMUI - Multiple Certificates cannot be deleted in a single operation
702917 3-Major   Fragmented icmpv6 packets are not displayed when using tcpdump with icmp6 filter
702227 3-Major   Memory leak in TMSH load sys config
701826-1 3-Major   qkview upload to ihealth fails or unable to untar qkview file
701722 3-Major   Potential mcpd memory leak for signed iRules
701289 3-Major   LTM v12.1.2: Static BFD with BIG-IP floating IP address
701249 3-Major   RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
700888 3-Major   VDisk Migration Doesn't Log Information About Failures
700827 3-Major   B2250 blades may lose efficiency when source ports form an arithmetic sequence.
700794 3-Major   Cannot replace a FIPS key with another FIPS key via tmsh
698947 3-Major   BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.
698619 3-Major   Disable port bridging on HSB ports for non-vCMP systems
697794-1 3-Major   ROM layout file missing for Blade B2250 in BIG-IP VIPRION 2400 chassis
696731 3-Major K94062594 The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
692753-5 3-Major   shutting down trap not sent when shutdown -r or shutdown -h issued from shell
691749 3-Major   Delete sys connection operations cannot be part of TMSH transactions
689700 3-Major   NSS vulnerability CVE-2017-7805
685021 3-Major   A cold faulted SSD drive may assert the BIOS causing a failure to boot
684096 3-Major   stats self-link might include the oid twice
682369 3-Major   Inserting an un-powered PSU and then removing the un-powered PSU puts the BMC into an incorrect PSU status state.
681009 3-Major   Large configurations can cause memory exhaustion during live-install
676432-1 3-Major   i5000/i10000 Series platform serial console baud rate 38400 gets reset to 19200 after reboot
675311 3-Major   Introduce a user-input timeout to Vconsole
674486-1 3-Major   Expat Vulnerability: CVE-2017-9233
674455-3 3-Major   Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS
673238 3-Major   GUI Dashboard export history may have inconsistent time intervals
671712-1 3-Major   The values returned for the ltmUserStatProfileStat table are incorrect.
670528 3-Major K20251354 Warnings during vCMP host upgrade.
669585 3-Major   The tmsh sys log filter is unable to display information in uncompressed log files.
667618 3-Major   Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
666406-1 3-Major K62832776 rpcbind was removed from the BIG-IP
660712 3-Major   Performance update to VE filesystem type
658665 3-Major   A new tmsh command to flush all ePVA flow cache entries
658557 3-Major   The snmpd daemon may leak memory when processing requests.
651379-1 3-Major   Issues with Password Policy when expired passwords changed via command line
642990-1 3-Major K05304332 Processes started from interactive shells do not generate core files when they crash
639575-6 3-Major   Using libtar with files larger than 2 GB will create an unusable tarball
620567-1 3-Major   HTTP to HTTPS TMUI redirection erroneously allows HTTP access to iControl SOAP and iControl REST
606032-1 3-Major   Network Failover-based HA in AWS may fail
589083 3-Major   TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
588483 3-Major   Soft lockup may occur when vCMP host TMMs run realtime without yielding.
551925 3-Major   Misdirected UDP traffic with hardware acceleration
510889 3-Major   CRL critical extensions not supported
494321 3-Major K75201605 'tmsh install sys software block-device-image' installs the local image instead of the block-device image.
480206 3-Major   IKE peer (ike-peer) configuration objects in non-Common partition are visible to all in GUI
740133 4-Minor   cmp_dest --command resolve with --platform option but without --opaque_data option produces incorrect results.
738985 4-Minor   BIND vulnerability: CVE-2018-5740
734694 4-Minor   HTTP monitors fail to be persisted if Alias Address includes a route domain
723988 4-Minor   IKEv1 phase2 key length can be changed during SA negotiation
723711 4-Minor   IPsec keys are once again logged when db variable ipsec.debug.logkeys equals 1
722410 4-Minor   Forward Error Correction missing Auto option
721526 4-Minor   tcpdump fails to write verbose packet data to file
716139 4-Minor   For BIG-IP with PVA enabled, PVA Acceleration status in Virtual Server doesn't match that of the Virtual Server's profile
715331 4-Minor   IKEv2 logs peers_id comparisons and cert verification failures
714749 4-Minor   cURL Vulnerability: CVE-2018-1000120
713947 4-Minor   stpd repeatedly logs "hal sendMessage failed"
713932 4-Minor   Commands are replicated to PostgreSQL even when not in use.
713138-1 4-Minor   TMUI ILX Editor inserts an unnecessary linefeed
713134 4-Minor   Small tmctl memory leak when viewing stats for snapshot files
712010 4-Minor   /proc/swaps is collected in qkview
710410 4-Minor   TMM hardware accelerated compression not registering for all compression levels.
709186 4-Minor   VLAN SYN cookies go into constant activated/deactivated cycle
708415-1 4-Minor   Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled
707631 4-Minor   The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI
706737 4-Minor   APM SAML inline SSO documentation
705179 4-Minor   BWC stats for rates are published in bits per second instead of bytes per second
704336 4-Minor   Updating 3rd party device cert not copied correctly to trusted certificate store
703509 4-Minor   Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled
697766 4-Minor K12431303 Cisco IOS XR ISIS routers may report 'Authentication TLV not found'
694595 4-Minor   Some process names may have last character truncated when viewing in iHealth
689491-1 4-Minor   cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled
685582 4-Minor   Incorrect output of b64 unit key hash by command f5mku -f
662725-1 4-Minor   tmsh kernel default log levels does not match documentation
660057 4-Minor   support dynamic command line flags when executing a java process
653418-2 4-Minor   Host Processor Superuser keys in /root/.ssh/authorized_keys no longer necessary
649728 4-Minor   'mkdisk' utility can fail when creating bootable USBs on older running versions of BIG-IP
644975-3 4-Minor K09554025 /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost
622787 4-Minor   Sync state remaining on 'Awaiting Initial Sync' when adding third device
436116 4-Minor K43726131 The tcpdump utility may fail to capture packets
720669 5-Cosmetic   Within the GUI, the 'MQTT-TLS' service port is incorrectly reported as 'common.all.MQTT-TLS'.
720391 5-Cosmetic   BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'
713491 5-Cosmetic   IKEv1 logging shows spi of deleted SA with opposite endianness
694940-1 5-Cosmetic   glibc vulnerabilities (CVE-2017-15670 / CVE-2017-15671)
685383 5-Cosmetic   Collect bigip.license files in qkview


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
722594 1-Blocking K91300169 TCP flow may not work as expected if double tagging is used
744269 2-Critical   dynconfd restarts if FQDN template node deleted while IP address change in progress
744117 2-Critical   The HTTP URI is not always parsed correctly
742627 2-Critical   SSL session mirroring may cause memory leakage if HA channel is down
741814 2-Critical   Auto Last Hop for management connections cannot be disabled/enabled
740963 2-Critical   VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart
739927 2-Critical   Bigd crashes after a specific combination of logging operations
739003 2-Critical   TMM may crash when fastl4 is used on epva-capable BIG-IP
738046 2-Critical   SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby
737758 2-Critical   MPTCP Passthrough and VIP-on-VIP can lead to TMM core
737445 2-Critical   Use of TCP Verified Accept can disable server-side flow control
734276 2-Critical   TMM may leak memory when SSL certificates with VDI or EAM in use
727044 2-Critical   TMM may crash while processing compressed data
726239 2-Critical   Interruption of traffic handling when the sod daemon restarts TMM
725545-2 2-Critical   Ephemeral listener might not be set up correctly
724906 2-Critical   sasp_gwm monitor leaks memory over time
724868 2-Critical K11662998 dynconfd memory usage increases over time
724214 2-Critical   TMM core when using Multipath TCP
724213 2-Critical   Modified ssl_profile monitor param not synced correctly
723300-1 2-Critical   TMM may crash when tracing iRules containing nameless listeners on internal virtual servers
722893 2-Critical K30764018 The TMM - host interface may stall when the kernel memory is fragmented
722387 2-Critical   TMM may crash when processing APM DTLS traffic
720136 2-Critical   Upgrade may fail on mcpd when external netHSM is used
716900 2-Critical   TMM core when using MPTCP
715883-2 2-Critical   tmm crash due to invalid cookie attribute
715747-2 2-Critical   TMM may restart when running traffic through custom SSLO deployments.
713766 2-Critical   VLAN failsafe failover may not occur
713612 2-Critical   tmm might restart if the HTTP passthrough on pipeline option is used
710858 2-Critical   tmm crash due to a bad HA header
710221 2-Critical K67352313 Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled
709828 2-Critical   fasthttp can crash with Large Receive Offload enabled
707207 2-Critical   iRuleLx returning undefined value may cause TMM restart
706631-1 2-Critical   A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
703191 2-Critical   HTTP2 requests may contain invalid headers when sent to servers
700393-4 2-Critical   Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash
700056 2-Critical   MCPD process may lock up and restart when applying Local Traffic Policy to virtual server
699624 2-Critical K93400155 Config with custom 'SIP' or 'Firepass' monitor fails to load after upgrade
635191 2-Critical   Under rare circumstances TMM may crash
571651 2-Critical K66544028 Reset Nitrox3 crypto accelerator queue if it becomes stuck.
431480-4 2-Critical   Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
747581 3-Major   IPv6 Duplicate Address Detection may fail.
739638 3-Major   BGP failed to connect with neighbor when pool route is used
739379 3-Major   Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error
738523 3-Major   SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages
738521 3-Major   i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
738455 3-Major   TLS 1.2 and earlier do not advertise the RSA-PSS signature algorithm
737147 3-Major   Key creation on Thales fails with Thales 12.40 on the tmm interface
734692 3-Major   Incorrect prefix of ICMP error messages in NAT64
727292 3-Major   SSL in proxy shutdown case does not deliver server TCP FIN
727222 3-Major   206 Partial Content responses from ramcache have malformed Content-Range header
726734 3-Major   DAGv2 port lookup stringent may fail
726319 3-Major   'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses
726232-5 3-Major   iRule drop/discard may crash tmm
726001 3-Major   Rapid datagroup updates can cause type corruption
724564 3-Major   A FastL4 connection can fail with loose-init and hash persistence enabled
722677 3-Major   High-Speed Bridge may lock up
722363 3-Major   Client fails to connect to server when using PVA offload at Established
722222 3-Major   Private SSL key file access is too permissive
721621 3-Major   Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
721261 3-Major   v12.x Policy rule names containing slashes are not migrated properly
720799 3-Major   Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
720460-2 3-Major   Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly
720293 3-Major   HTTP2 IPv4 to IPv6 fails
719600 3-Major   TCP::collect iRule with L7 policy present may result in connection reset
717346 3-Major K13040347 [WebSocket] tmsh show /ltm profile WebSocket current and max numbers far larger than total
716952 3-Major   With TCP Nagle enabled, the SSL filter holds the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process completes.
716716 3-Major   Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
716492 3-Major K59332523 Rateshaper stalls when TSO packet length exceeds max ceiling.
715785 3-Major   Incorrect encryption error for monitors during sync or upgrade
715756 3-Major   Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only
715467 3-Major   Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
714559 3-Major   Removal of HTTP hash persistence cookie when a pool member goes down.
714384 3-Major   DHCP traffic may not be forwarded when BWC is configured
713951 3-Major   tmm core files produced by nitrox_diag may be missing data
713934 3-Major   Using the iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result in a malformed TC response
713585 3-Major K31544054 When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long
712819 3-Major   'HTTP::hsts preload' iRule command cannot be used
712664 3-Major   IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
712475 3-Major K56479945 DNS zones without servers will prevent DNS Express reading zone data
712437 3-Major K20355559 Records containing hyphens (-) will prevent child zone from loading correctly
712378 3-Major   Permission is denied when accessing iRulesLX workspace
711981 3-Major   BIG-IP system accepts larger-than-egress MTU, PMTU update
711281 3-Major   nitrox_diag may run out of space on /shared
710996 3-Major   VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP
710493 3-Major   Nitrox PX recovery failure will not retry as it was designed to.
710355 3-Major   High CPU when using HTTP::collect for large chunked payloads
710028 3-Major   LTM SQL monitors may stop monitoring if multiple monitors querying same database
709963 3-Major   Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
709133 3-Major   When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur
709132 3-Major   When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur
708266 3-Major   IPv6 NDP with vlan-groups: unexpected Neighbor Advertisement and ICMPv6 unreachable messages
708249 3-Major   nitrox_diag utility generates QKView files with 5 MB maximum file size limit
708068 3-Major   Tcl commands like "HTTP::path -normalize" do not return normalized path.
707961 3-Major K50013510 Unable to add policy to virtual server; error = Failed to compile the combined policies
707951-1 3-Major   Stalled mirrored flows on HA next-active when OneConnect is used.
707691 3-Major   BIG-IP handles some pathmtu messages incorrectly
706102 3-Major   SMTP monitor does not handle all multi-line banner use cases
704764 3-Major   SASP monitor marks members down with non-default route domains
704381 3-Major   SSL/TLS handshake failures and terminations are logged at too low a level
703580-3 3-Major   TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.
703266 3-Major   Potential MCP memory leak in LTM policy compile code
702450 3-Major   The validation error message generated by deleting certain object types referenced by a policy action is incorrect
702439-5 3-Major K04964898 Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
702151-4 3-Major   HTTP/2 can garble large headers
701186 3-Major   With auto-lasthop enabled tmm accepts traffic from invalid addresses
701068 3-Major   HTTP/2 now provides a way to inspect stream reset causes.
700287 3-Major   SSL Forward Proxy should not cache expired server certificates
699750 3-Major   Content-Length is a valid HTTP/2 Header
699598 3-Major   HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR
698379 3-Major K61238215 HTTP/2 upload is intermittently aborted with HTTP/2 error_code=FLOW_CONTROL_ERROR
698014 3-Major   SSID Persistence does not work with TLS v1.3. Warning message logged.
693244 3-Major   BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned
689776 3-Major   Misuse of LB::reselect in LB_FAILED event
688553 3-Major   SASP GWM monitor may not mark member UP as expected
680671 3-Major   Support for Thales Security World version 12.40.2
678872 3-Major   Inconsistent behavior for virtual-address and selfip on the same ip-address
678460-1 3-Major   HTTP 302 Redirect status text is HTTP-version dependent
677841 3-Major   Server SSL TLS session reuse with changed SNI uses incorrect session ID
677709-1 3-Major   pkcs11d daemon can generate a very large number of log messages
677457-1 3-Major K13036194 HTTP/2 Gateway appends semicolon when a request has one or more cookies
674591 3-Major K37975308 Packets with payload smaller than MSS are being marked to be TSOed
672312 3-Major   IP ToS may not be forwarded to serverside with syncookie activated
667111 3-Major   iRule event fires after source selection is complete and before the server-side flow is set up
635173 3-Major   Standby BIG-IP TMM uses unexpectedly large amount of memory
634201 3-Major   POST requests get reset on early server response.
618884 3-Major   Behavior when using VLAN-Group and STP
608359 3-Major   Add extra decision logging for LTM load balancing (support only)
602708 3-Major   Traffic may not pass through CoS by default
579252-4 3-Major   Traffic can be directed to a less specific virtual during virtual modification
534288 3-Major   Tab completion for ltm policy-strategy shows extra values
748441 4-Minor   SafeNet acquired by Gemalto, affecting links to support
724746 4-Minor   Incorrect RST message after 'reject' command
719247 4-Minor K10845686 HTTP::path and HTTP::query iRule functions cannot be set to a blank string
719179 4-Minor   iRule class command now has '-list' option for get/names/match/search functions
716922 4-Minor   Reduction in PUSH flags when Nagle Enabled
716213 4-Minor   BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
713533 4-Minor   list self-ip with queries does not work
712637 4-Minor   Host header persistence not implemented
704277 4-Minor   TMSH help missing for One-Connect limit-type property
702281 4-Minor   OneConnect header transformations may cause some Websocket connections to reset.
697988 4-Minor   During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100%
693966 4-Minor   TCP sndpack not reset along with other tcp profile stats
693901 4-Minor   Active FTP data connection may change source port on client-side
682283 4-Minor   Malformed HTTP/2 request with an invalid Content-Length value is served, contrary to the RFC
677285 4-Minor   The documentation for SSL::sni is ambiguous
665331 4-Minor   The wrong profile name is used for the HTTP header limits
664618 4-Minor   Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'
604272 4-Minor   SMTPS profile connections_current stat does not reflect actual connection count.
594064-1 4-Minor K57004151 tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.
513310 4-Minor   TMM might core when a profile is changed.
495242-1 4-Minor   mcpd log messages: Failed to unpublish LOIPC object
658382 5-Cosmetic   Large numbers of ERR_UNKNOWN appearing in the logs
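Row 722222 above records that private SSL key file access was too permissive. The check a practitioner would run before and after upgrading is to list key files whose mode grants any access to group or others, since a private key should be mode 0600 (or 0400) and owner-only. The following is an added example, not F5 code: a hypothetical POSIX shell helper that reports such files under a directory, plus a constructed temporary directory to exercise it. The release note does not name the key file or directory; the BIG-IP key store path mentioned in the usage comment is an assumption, not taken from the note.

```shell
#!/bin/sh
# Added example (not F5 code): report files whose mode grants any access to
# group or others. For private key files the expected mode is 0600 (or 0400),
# so every hit is a finding.
find_permissive_files() {
    dir=$1
    # POSIX find: -perm -MODE matches when all bits named in MODE are set;
    # symbolic modes keep this portable across GNU and BSD find.
    find "$dir" -type f \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                        -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print | sort
}

# Count of permissive files; 0 means the directory is clean.
count_permissive_files() {
    find_permissive_files "$1" | awk 'END { print NR }'
}

# Constructed sample directory: one locked-down key, one group-readable key,
# one world-readable key. The key bodies are placeholders, not real keys.
write_sample_keydir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed' '-----END PRIVATE KEY-----' > "$d/good.key"
    cp "$d/good.key" "$d/groupread.key"
    cp "$d/good.key" "$d/leaky.key"
    chmod 0600 "$d/good.key"
    chmod 0640 "$d/groupread.key"
    chmod 0644 "$d/leaky.key"
    echo "$d"
}

# Usage on a BIG-IP host, run as root against the key store directory
# (for example /config/ssl/ssl.key, a path assumed here and not given by the note):
#   find_permissive_files /config/ssl/ssl.key
```

Ownership is the other half of the check: a 0600 key owned by the wrong account is still exposed, so pair this with a `find "$dir" -type f ! -user root` pass if your key store is expected to be root-owned.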


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
739846 2-Critical   Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
737726 2-Critical   If named is restarted and zrd is not restarted, ZoneRunner can lose contact with the DNS server daemon
718885 2-Critical K25348242 Under certain conditions, monitor probes may not be sent at the configured interval
713066 2-Critical K10620131 Connection failure during DNS lookup to disabled nameserver can crash TMM
712653-1 2-Critical K32518458 A GTM global variable has been added to "force invalid NS names" for all auto-generated zones for WideIPs.
710424 2-Critical K00874337 Possible SIGSEGV in GTMD when GTM persistence is enabled.
707310 2-Critical   DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)
737529 3-Major   [GTM] Loading or saving the config removes the backslash (\) from GTM pool member names
737332 3-Major   It is possible for DNSX to serve partial zone information for a short period of time
726255 3-Major   dns_path lingering in memory with last_access 0 causing high memory usage
723792 3-Major   GTM regex handling of some escape characters renders it invalid
723095 3-Major   Add record type breaks commands 'modify gtm pool type all'; errors on nonexistent pool
722734 3-Major   'No Access' error when viewing properties page of a GTM Pool member whose name includes a partition that does not exist on that BIG-IP system.
719644 3-Major   If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions
715448 3-Major   Providing LB::status with a GTM Pool name in a variable caused validation issues
714507 3-Major   [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server
710246 3-Major   DNS-Express was not sending out NOTIFY messages on VE
710032 3-Major   'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system.
688335 3-Major K00502202 big3d may restart in a loop on secondary blades of a chassis system
615222 3-Major   GTM configuration fails to load when it has GSLB pool with members containing more than one colon character
726412 4-Minor   Virtual server drop down missing objects on pool creation
723963 4-Minor   Log message to GTM logs if an invalid regular expression is given to a monitor.
717113 4-Minor   It is possible to add the same GSLB Pool monitor multiple times
707592 4-Minor   Log Search option in GSLB similar to one in Logs:Audit:Search in Web GUI.
705505 4-Minor K76117754 Attempting to create GTM SIP monitor from GUI results in general database error
691054 4-Minor   Incorrect BIGIP_GTMD_SERVER_NOIP_SNMP_STATUS_CHANGE_WHY_X SNMP message when deleting server with IP address.
421966 4-Minor   Unable to determine what topology record was selected from pool and pool member decision logging


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
716788 2-Critical   TMM may crash while response modifications are being performed within DoSL7 filter
715450 2-Critical K05874142 tmm restarts under certain conditions
745358 3-Major   ASM GUI does not follow best practices
741077 3-Major   Mobile Firefox on Android 9 falsely detected as Selenium
741075 3-Major   Mobile Firefox on Android 9 in Desktop Mode may be falsely detected
740719 3-Major   ASM CSP header parser does not honor unsafe-inline attribute within script-src directive
739635 3-Major   No learning when creating policy using guided configuration
739618 3-Major   When loading AWAF license, cannot set rule to control ASM in LTM policy
739437 3-Major   A null in the request causes the parameter violation to be skipped
739342 3-Major   Learning not occurring for some policies
738864 3-Major   JavaScript functions in href attributes are learned from responses as new URLs
738789 3-Major   ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog
738674 3-Major   Ajax blocking page breaks ajax based applications
738647 3-Major   Add the login detection criteria of 'status code is not X'
737500 3-Major   Apply Policy and Upgrade time degradation when there are previous enforced rules
734762 3-Major   Automatic policy learning is slower when there are thousands of policies
734718 3-Major   Users may get blocked on Web Scraping or CAPTCHA
726262 3-Major   Mobile Firefox in Desktop Mode may be falsely detected
726168 3-Major   Users may get blocked on Web Scraping or CAPTCHA
725464 3-Major   Updating tests according to canIUse database
724414 3-Major   ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled
724032 3-Major   Searching Request Log for value containing backslash does not return expected result
723756 3-Major   Improving Proactive Bot Defense Detection
722618 3-Major   New Chrome version is blocked when using Proactive Bot Defense
721741 3-Major   BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
721399 3-Major   Signature Set cannot be modified to Accuracy = 'All' after another value
719459 3-Major   Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled
719005 3-Major   Login request may arrive corrupted to the backend server after CAPTCHA mitigation
718409 3-Major   Users may get blocked on Web Scraping or CAPTCHA
718234-1 3-Major   Updating tests according to canIUse database
718232 3-Major   Some FTP servers may cause false positive for ftp_security
717756 3-Major   High CPU usage from asm_config_server
716940 3-Major   Traffic Learning screen graphs shows data for the last day only
716757 3-Major   Improve Bot Detection in the Web Scraping feature
716324 3-Major   CSRF protection fails when the total size of the configured URL list is more than 2 KB
715128 3-Major   Simple mode Signature edit does not escape semicolon
713282 3-Major   Remote logger violation_details field does not appear when virtual server has more than one remote logger
712362 3-Major   ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
711818 3-Major   Connection might get reset when coming to virtual server with offload iRule
711405 3-Major K14770331 ASM GUI Fails to Display Policy List After Upgrade
706665 3-Major   ASM policy is modified after pabnagd restart
705274 3-Major   Policy Audit Log should be cleaned by data size as well as number of rows
704643 3-Major   Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule
703129 3-Major   False 'Web Rootkit detected' on UC browser for ChromeOS running on a mobile device
701856 3-Major   Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart
701025 3-Major   BD restart on a device where 'provision.tmmcountactual' is set to a non-default value
689879 3-Major   No support for AppScan mitigation of Cross-Site Scripting on URLs
683241 3-Major K70517410 Improve CSRF token handling
675673 3-Major   Policy history files should be limited by settings in a configuration file.
674256-4 3-Major K60745057 False positive cookie hijacking violation
629628 3-Major   Request Events Missing Due to Policy Builder Restart
606983 3-Major   ASM errors during policy import
592504-1 3-Major   False positive illegal length violation can appear
451396 3-Major K81448021 ASM OWA Exchange 2010 Application-Ready Security Policy should change URL content profile.
424588 3-Major   iRule command [DOSL7::profile] returns empty value
741061 4-Minor   Proactive Bot Defense with Single Page Application may cause page to scroll down
722294 4-Minor   Reported session ID keeps changing for the same user session when ASM doesn't track sessions
721752 4-Minor   Null char returned in REST for Suggestion with more than MAX_INT occurrences
720581 4-Minor   Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files
718767 4-Minor   Duplicate key error in PL_SCANNER_CONFIG on particular binary policy import
717741 4-Minor   Accepted suggestions originating in accepted requests are not disclosed in audit log as such
717730 4-Minor   Add a logging module that will log the beginning of long requests to bd.log
717525 4-Minor   Behavior for classification in manual learning mode
708720 4-Minor   Not all ASM cookies are sent with 'secure' flag when turning on dosl7.use_secure_cookies
708576 4-Minor   Errors related to dosl7d_tcpdumps_cleaner appearing in email every hour
706662 4-Minor   Improving Single Page Application event handling
706633 4-Minor   Improving Single Page Application event handling
706632 4-Minor   Improving Single Page Application event handling
703673 4-Minor   A specific kind of request can be incorrectly identified as a login request
635534 4-Minor   DDoS Hybrid Defender: new signatures available message when they are not
603071 4-Minor   XHTML validation fails on obfuscated JavaScript
497457 4-Minor   Track L7 DoS entities in iRules in transparent mode only when an attack occurs
706845 5-Cosmetic   False positive illegal multipart violation


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
746823-3 2-Critical   AVRD crashes when configured to send data externally and there is a large number of virtual servers/pool members
721474 2-Critical   AVR does not send all SSLO statistics to offbox machine.
740086-1 3-Major   AVR reports ignore partitions for Admin users
740024 3-Major   Web page does not load correctly if page load time is enabled
737867 3-Major   Scheduled reports are being incorrectly displayed in different partitions
737863 3-Major   Advanced Filters for Captured Transactions not working on Multi-Blade Platforms
726852 3-Major   AVR injects a CSPM event when there is no analytics profile on the virtual server
715153-3 3-Major   AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem
713283-1 3-Major   Missing transaction count in application security report under view by IP Intelligence
710315 3-Major   AVR-profile might cause issues when loading a configuration or when using config sync
699671 3-Major   Additional logging for AVR mailer
690631 3-Major   Add Legal / Illegal column to ASM reporting charts page
670048 3-Major   Failure to retrieve large number of Bot Defense log records
721408-2 4-Minor   Possible to create Analytics overview widgets in '[All]' partition
699181 4-Minor   For HTTP statistic AVR collects Host Names only instead of the full URI


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
739716 1-Blocking   APM Subroutine loops without finishing
406117 1-Blocking   Installing a hotfix may cause APD to continuously restart
747621 2-Critical   Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used
747192 2-Critical   Small memory leak while creating Access Policy items
744556 2-Critical   Upgrade PingAccess SDK used by BIG-IP APM to v1.1.3
741535 2-Critical   Memory leak with Form-based Client-initiated SSO
740777 2-Critical   Secondary blades mcp daemon restart when subroutine properties are configured
739947 2-Critical   TMM may crash while processing APM traffic
739674 2-Critical   TMM might core in SWG scenario with per-request policy.
737442 2-Critical   Error in APM Hosted Content when set to public access
722013-1 2-Critical   MCPD restarts on all secondary blades post config-sync involving APM customization group
720214-2 2-Critical   NTLM Authentication might fail if Strict Update in iApp is modified
720189-2 2-Critical   VDI settings in APM Webtop have the incorrect URL for Citrix Receiver client download
719149 2-Critical   VDI plugin might hang while processing native RDP connections
716747-1 2-Critical   TMM may crash while processing APM or SWG traffic
715250 2-Critical   TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED
713820 2-Critical   Pass in IP to urldb categorization engine
699686-2 2-Critical   localdbmgr can occasionally crash during shutdown
697452-2 2-Critical   Websso crashes because of bad argument in logging
684484 2-Critical   Dereferenced NULL object causes core
660826-2 2-Critical   BIG-IQ Deployment fails with customization-templates
419836 2-Critical   When switching between edited files in Advanced Customization without saving, the changes are lost
745600-1 3-Major   Removal of timer object from tmm timer-ring when a tcl context is released.
739939 3-Major   Ping Access Agent Module leaks memory in TMM.
739744 3-Major   Import of Policy using Pool with members is failing
739381 3-Major   Users of role Manager are unable to look up the URL Categories
739024 3-Major   Kerberos auth fails intermittently after upgrade from v14.0.0
738582 3-Major   Ping Access Agent Module leaks memory in TMM.
738397 3-Major   SAML IdP-initiated case with a per-request policy that has a logon page in a subroutine fails.
737355 3-Major   HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files
737064 3-Major   ACCESS::session iRule commands may not work in serverside events
734316 3-Major   Per-Request Policy may require enabling SSL Forward Proxy Bypass
726616 3-Major   TMM crashes when a session is terminated
726592 3-Major   Invalid log-setting config messaging between daemons could send apmd, apm_websso, and localdbmgr into an infinite loop
725867 3-Major   ADFS proxy does not fetch configuration for non-floating virtual servers
725840 3-Major   Customization group object is not deleted when SAML resource object is deleted
725412-2 3-Major   APM does not follow current best practices for HTTP headers
724571 3-Major   Importing access profile takes a long time
724341 3-Major   Import of Access Profile with Machine Cert Checker and default CA Profile is failing
722991 3-Major   File "dead.letter" may show up in /root directory
722969 3-Major   Access Policy import with 'reuse' enabled instead rewrites shared objects
722423 3-Major   Analytics agent always resets when Category Lookup is of type custom only
721982 3-Major   Automatically disable Nagle's Algorithm for RD Gateway connections
721840-1 3-Major   Protocol Lookup agent has been removed
720757 3-Major   Without proper licenses Category Lookup always fails with license error in Allow Ending
720695 3-Major   Export then import of APM access Profile/Policy with advanced customization is failing
720626 3-Major   Portal Access: CSS custom properties are supported by server-side CSS parser.
720030 3-Major   Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)
719079 3-Major   Portal Access: same-origin AJAX request may fail under some conditions.
718136 3-Major   32-bit F5 VPN and Endpoint Inspector apps are discontinued on Linux
716473 3-Major   Unable to upgrade APM Desktop Clients on BIG-IP Virtual Edition
715207-1 3-Major   coapi errors while modifying per-request policy in VPE
714961-2 3-Major   antserver creates large temporary file in /tmp directory
714902-2 3-Major   Restjavad may hang if discover task fails and the interval is 0
714700 3-Major   SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy
713655 3-Major   RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
713389 3-Major   TMSH/REST API does not honor access-info client ip or username filter
713156-2 3-Major   AGC cannot do redeploy in Exchange and ADFS use cases
713111 3-Major   When ASM and APM are configured on the same virtual server, ASM might report some errors in its logging.
712857 3-Major   SWG-Explicit rejects large POST bodies during policy evaluation
711427 3-Major   Edge Browser does not launch F5 VPN App
710884 3-Major   Portal Access might omit some valid cookies when rewriting HTTP request.
710655 3-Major   In APM Citrix StoreFront Integration mode the ICA file returns a duplicate TransportReconnectEnabled parameter
710305 3-Major   When ASM and APM are configured on the same virtual server, ASM could throw some errors in its logging.
710044 3-Major   Portal Access: same-origin AJAX request may fail in some case.
708326 3-Major   'Apply Access Policy' light on for source profile after copying
707953 3-Major   Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page
706797 3-Major   Portal Access: some multibyte characters in JavaScript code may not be handled correctly
706374 3-Major   Heavy use of APM Kerberos SSO can sometimes lead to memory corruption
704587 3-Major K15450552 Authentication with UTF-8 chars in password fails for ActiveSync users
704524 3-Major   [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries
701800 3-Major   SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x
699267 3-Major   LDAP Query may fail to resolve nested groups
698836 3-Major   Increased APM session capacity is not available after installing an APM session count License
688651 3-Major   ActiveX/Java based RDP resources are deprecated
683113-1 3-Major K22904904 [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
619636 3-Major K19123634 Unhelpful log message 'internal_cause' when the session is deleted due to accessing the root URI
575728 3-Major   Support APM Webtop's Native RDP resources on Linux with Remmina/FreeRDP clients
444767 3-Major   Issues with Outlook Web App through APM Portal Access only on InternetExplorer11
734595 4-Minor   sp-connector is not being deleted together with profile
734544 4-Minor   Suggest splitting the API protection profile into multiple profiles when the OpenAPI specification file contains a large number of paths (for example 12k)
727322 4-Minor   Exporting profile/policy with pools from Common and importing to non-Common partitions might not work
713150 4-Minor   Portal Access: correct processing of JavaScript code with template literals
464002 4-Minor   NA Admin UI requires options that are not needed


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
706642 2-Critical   wamd may leak memory during configuration changes and cluster events


Service Provider Fixes

ID Number Severity Solution Article(s) Description
745397-1 2-Critical   Virtual server configured with FIX profile can leak memory.
706750 2-Critical   Changing CGNAT SIP ALG profile log settings while handling traffic may cause tmm crash.
703515-1 2-Critical K44933323 MRF SIP LB - Message corruption when using custom persistence key
741951-1 3-Major   Multiple extensions in SIP NOTIFY request cause message to be dropped.
738070 3-Major   Persist value for the RADIUS Framed-IP-Address attribute is not correct
727288-1 3-Major   Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC
709383 3-Major   DIAMETER::persist reset non-functional
699431-1 3-Major   Possible memory leak in MRF under low memory
645188 3-Major   Need a per TMM Diameter Identity for "origin-host-rewrite" in Diameter session profile


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
726154 2-Critical   TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies
724532 2-Critical   SIGSEGV during IP Intelligence category match in TMM
720045-2 2-Critical   IP fragmented UDP DNS request and response packets dropped as DNS Malformed
717909-1 2-Critical   tmm can abort on sPVA flush if the HSB flush does not succeed
630137 2-Critical   Dynamic Signatures feature can fill up /config partition impacting system stability
734645 3-Major   AFM TCP Half Open vector might show mitigation when that is not happening
724679 3-Major   Non-attacking IP addresses could be logged along with attacking IP addresses when DoS detects an attack
721610-2 3-Major   GUI does not show selfIP active firewall policies in non-0 route domains
713707 3-Major   ix600 platforms will now have DoS Enforcement in Software Mode enabled automatically
712710-2 3-Major   TMM may halt and restart when threshold mode is set to stress-based mitigation
702738-2 3-Major K32181540 Tmm might crash activating new blob when changing firewall rules
700822 3-Major   GUI slow with large number of entries in network firewall address list
591606 3-Major   Failure to load config post upgrade: "Rate threshold cannot be set to 0."
456376-1 3-Major K53153545 BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32
707054 4-Minor   SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162
699454 4-Minor   Web UI does not follow current best coding practices


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
726665 2-Critical   tmm core dump due to SEGFAULT
699531 2-Critical   Potential TMM crash due to incorrect number of attributes in a PEM iRule command
737374 3-Major   local-db PEM Subscriber Activity log missing
721704 3-Major   UDP flows are not deleted after subscriber deletion
711570 3-Major   PEM iRule subscriber policy name query using subscriber ID, may not return applied policies
711093 3-Major   PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
709670 3-Major K44067891 iRule triggered from RADIUS occasionally fails to create subscribers.
709610 3-Major   Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
704781 3-Major   PEM does not use 'default' value configured for a custom Diameter-AVP
685968 3-Major   PEM Gx/Gy/Sd sessions ignore DIAMETER_TOO_BUSY result code from PCRF/OCS
683540 3-Major   PEM will optimize out classification if possible.
676346 3-Major   PEM displays incorrect policy action counters when the gate status is disabled.
663874 3-Major K77173309 Off-box HSL logging does not work with PEM in SPAN mode.
648802 3-Major   Required custom AVPs are not included in an RAA when reporting an error.
642023 3-Major   2nd Gy CCA-u is ignored by PEM if 2 CCR-u messages are sent before the 1st CCA-u is received.
640548 3-Major   In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked.
624187 3-Major   Relocate TUC AVP to group AVP USU


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
721570 1-Blocking K20285019 TMM core when trying to log an unknown subscriber
734446 2-Critical   TMM crash after changing LSN pool mode from PBA to NAPT
700957 2-Critical   DNAT performance drops up to 50% when a second blade is added
739272 3-Major   Incorrect zombie counts in PBA stats with long PBA block-lifetimes
727212 3-Major   Subscriber-id query using full length IPv6 address fails.
702675 3-Major   CGNAT translations fail when using Fastl4 + Default Dag + intra-chassis connection mirroring


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
714362 2-Critical   CSP headers block additional JavaScript in Chrome 65
742037 3-Major   FPS live updates do not install when minor version is different
738669 3-Major   Login validation may fail for a large request with early server response
737368 3-Major   Fingerprint cookie large value may result in tmm core.
725718 3-Major   Client's scripts trigger alerts while changing fields' values legally
724448 3-Major   Enabling EDI protection by 'id' attribute configuration
719186 3-Major   Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts
716318 3-Major   Engine/Signatures automatic update check may fail to find/download the latest update
713011 3-Major   Parameter handling and Ajax support for all HTTP request methods
708046-1 3-Major   Phishing alert failed on IB login page
704683 3-Major   HTML Field Obfuscation not working in IE7
704257 3-Major   Reporting found forbidden words context
693701 3-Major   Substitute value support on change password pages
664650-4 3-Major   Real time encryption on non-password fields
659290-1 3-Major   FPS should indicate live-update status (new content available/downloaded/auto-downloaded/download-failed)
737498 4-Minor   sticky_id in fingerprint cookie sometimes contains large value
719198 4-Minor   Disable eval execution in websafe's code
698307 4-Minor   Datasafe: Fingerprinting code runs, but is not needed.


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
741761 2-Critical   admd might fail the heartbeat, resulting in a core
739277-1 2-Critical   TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode
714334 2-Critical   admd stops responding and generates a core while under stress.
741993 3-Major   The BIG-IP system does not answer the request matching L7 policy that disabled DOSL7 when BADOS configured.
741752 3-Major   [BADOS] state file is not saved when virtual server reuses a self IP of the device
720585 3-Major   Signatures generated by Behavioral DOS algorithm can create false-positive signatures
718772 3-Major   The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists)
718685 3-Major   The measured number of pending requests is two times higher than actual one


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
741435 3-Major   Using local traffic policies with type 'CE Profile', a new rule does not have the option to classify traffic
726303-3 3-Major   Unlock 10 million custom db entry limit
724847-1 3-Major   DNS traffic does not get classified for AFM port misuse case


Device Management Fixes

ID Number Severity Solution Article(s) Description
718033 1-Blocking   REST calls fail after installing BIG-IP software or changing admin passwords
705593 4-Minor   CVE-2015-7940: Bouncy Castle Java Vulnerability


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
726872 3-Major   IApp LX directory disappears after upgrade or restoring from ucs


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
723847 3-Major   Disable flow if no protocol inspection profile is attached.
723305 3-Major   Performance degrades when no inspections are enabled in IPS
705661 3-Major   Virtual server in a non-default partition cannot select protocol inspection profile in the /Common partition
713307 4-Minor   slot1/whitebird-4800 notice Not supported protocol log message
710911 4-Minor   Cannot filter Protocol Inspections display based on Action 'Don't Inspect'


Cumulative fix details for BIG-IP v14.1.0 that are included in this release

748441 : SafeNet purchased by Gemalto -- impacting links to support

Component: Local Traffic Manager

Symptoms:
SafeNet was purchased by Gemalto, and the safenet-inc.com support links no longer work. The documentation needs updated support links.

Conditions:
The user follows the old SafeNet links in the old documentation instead of the new links in the updated documentation, which point to Gemalto.

Impact:
User goes to a non-working link.

Workaround:
Documentation has been updated to reflect that SafeNet was purchased by Gemalto, which affects the support links/URLs in the documentation. The new support link users should use is: https://supportportal.gemalto.com

Fix:
Changed SafeNet support link/url to Gemalto support link/url.


747621 : Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used

Component: Access Policy Manager

Symptoms:
The native VMware Horizon client fails to authenticate against APM if a RADIUS challenge is used, e.g. when the RADIUS server performs two-factor authentication.

Conditions:
1. Native VMware Horizon client is used to connect via APM.
2. RADIUS authentication agent is present in Access Policy.
3. RADIUS server asks for challenge response (e.g. 2FA).

Impact:
Authentication fails. User can't get access to VMware Horizon resources.

Workaround:
None.

Fix:
Fixed an issue preventing the native VMware Horizon client from authenticating with a RADIUS challenge.


747581 : IPv6 Duplicate Address Detection may fail.

Component: Local Traffic Manager

Symptoms:
When a new Self IP address is added, the BIG-IP system sends Neighbor Solicitation messages to the solicited-node multicast address corresponding to the new address but does not send Neighbor Solicitation messages to the solicited-node multicast address corresponding to the link local address.

Conditions:
IPv6 Strict Compliance is enabled.

Impact:
Duplicate link-local addresses may not get detected.

Workaround:
None.


747192 : Small memory leak while creating Access Policy items

Component: Access Policy Manager

Symptoms:
Memory slowly leaks for every access policy item added: 32 + 80 bytes for each item.

Conditions:
The leak occurs while creating new policy items in Access.

Impact:
After a long uptime, mcpd may crash due to lack of memory.

Workaround:
Restart mcpd periodically if you modify Access policies frequently by adding or deleting policy items.

Fix:
Leak was fixed by clearing the leaked objects.


746823-3 : AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members

Component: Application Visibility and Reporting

Symptoms:
In a configuration in which AVR is set to send telemetry data to an external source (such as a BIG-IQ connection), and there is a large number of config objects in the system, such as virtual servers and pool members, AVRD crashes constantly.

Conditions:
1. AVR is set to send telemetry data to an external source (such as a BIG-IQ connection).
2. A large number of config objects exist in the system, such as virtual servers and pool members.

Impact:
AVRD process is crashing and telemetry data is not collected.

Workaround:
N/A

Fix:
The issue is fixed; AVR can handle any number of virtuals/pool members when sending its telemetry.


746557 : Do not provision both GTM and LC modules when upgrading on C117 BIG-IP

Component: TMOS

Symptoms:
On C117 BIG-IP systems, before upgrading to this version, if you are using the GTM or LC module, make sure that both modules are not provisioned. Provision one or the other.

Conditions:
C117 BIG-IP provisioned with GTM and LC modules, among others.

Impact:
Upgrade may fail if you have GTM and LC modules both provisioned, due to memory constraints.

Workaround:
Before upgrading, if you are using GTM or LC, make sure to provision only one or the other, not both.

Fix:
Provision either GTM or LC as needed, but not both.


745600-1 : Removal of timer object from tmm timer-ring when a tcl context is released.

Component: Access Policy Manager

Symptoms:
If a tcl context is associated with a tmm timer (while creating an access session) using an iRule, the timer object is removed during tcl context release but its association remains. When the timer fires, it tries to access memory that has already been freed, causing tmm to crash and generate a core.

Conditions:
Creating access session using iRule.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
The timer object created under a tcl context is now tied to the tcl command context and a callback function. This function is called every time a tcl context is released, which allows any additional cleanup (e.g. removal of the timer from the timer ring) before the tcl command context is freed.


745397-1 : Virtual server configured with FIX profile can leak memory.

Component: Service Provider

Symptoms:
System memory increases with each transmitted FIX message, eventually resulting in a tmm crash.

Conditions:
-- Virtual server configured with a FIX profile.
-- FIX profile specifies a message-log-publisher.

Impact:
Memory leak. Specifically, in the xdata cache. Potential traffic disruption while tmm restarts.

Workaround:
If possible, discontinue use of message logging functionality. Removing the message-log-publisher from the FIX profile stops xdata growth.


745358 : ASM GUI does not follow best practices

Component: Application Security Manager

Symptoms:
When processing requests to the administrative webUI, ASM does not follow best practices.

Conditions:
ASM provisioned and enabled.
Authenticated user with Administrator, Resource Administrator, or ASM Administrator roles.

Impact:
Unexpected HTML output.

Workaround:
None.

Fix:
When processing webUI requests ASM now follows best practices.


744556 : Upgrade PingAccess SDK used by BIG-IP APM to v1.1.3

Component: Access Policy Manager

Symptoms:
Upgrading PingAccess SDK from v1.0.0 to v1.1.3

Conditions:
The SDK is upgraded during system upgrade.

Impact:
BIG-IP APM will internally use PingAccess SDK v1.1.3 when interacting with PingAccess servers.

Workaround:
Not Applicable.

Fix:
Upgraded the PingAccess SDK used by BIG-IP APM to v1.1.3, applicable when BIG-IP APM interacts with PingAccess servers.


744269 : dynconfd restarts if FQDN template node deleted while IP address change in progress

Component: Local Traffic Manager

Symptoms:
The dynconfd daemon may crash and restart if an FQDN template node is deleted (by user action or config sync) while ephemeral nodes are in the process of being created and deleted as the result of new IP addresses being returned by a recent DNS query.

Conditions:
This may occur on BIG-IP version 14.0.0.3 (and BIG-IP versions 13.1.x or v12.1.x with engineering hotfixes for ID 720799, ID 721621 and ID 726319), under the following conditions:
1. A DNS query returns a different set of IP addresses for one or more FQDN names.
2. While new ephemeral node(s) are being created (for new IP addresses) and deleted (for old IP addresses), an FQDN template node is deleted (either by user action or config sync).

Impact:
The dynconfd daemon crashes and restarts.
Ephemeral nodes may not be updated in a timely manner while the dynconfd daemon is restarting.

Fix:
The dynconfd daemon does not crash and restart if an FQDN template node is deleted while ephemeral nodes are in the process of being created and deleted as the result of new IP addresses being returned by a recent DNS query.


744117 : The HTTP URI is not always parsed correctly

Component: Local Traffic Manager

Symptoms:
The HTTP URI exposed by the HTTP::uri iRule command, Traffic Policies, or used by ASM is incorrect.

Conditions:
-- HTTP profile is configured.
-- The URI is inspected.

Impact:
If the URI is used for security checks, then those checks might be bypassed.

Workaround:
None.

Fix:
The HTTP URI is parsed in a more robust manner.


743970 : Ensure 8 GB RAM vCMP guests have no more than three modules provisioned before upgrading

Component: TMOS

Symptoms:
On earlier builds of BIG-IP software (specifically, version 14.0.0 and earlier), TMSH might allow vCMP Guests with 8 GB or less to provision more than three modules, even though the recommended practice counsels against doing so.

Upgrading a system with a vCMP guest configured with more than three modules results in a 'failed load,' as returned in 'tmsh show sys mcp' command results.

This configuration might potentially cause out-of-memory problems once traffic is passed.

Conditions:
-- vCMP guests with 8 GB RAM or less.
-- Four or more modules provisioned.
-- Upgrade the system.

Impact:
Possible out-of-memory errors on BIG-IP systems once traffic gets passed.

Workaround:
Provision no more than three modules on 8 GB RAM vCMP guests before upgrading.

If more than three modules are already provisioned, before upgrading vCMP guests with 8 GB or less of RAM, remove provisioning on some modules to ensure that there are no more than three modules provisioned before upgrading.

Fix:
The process halts with an error when attempting to provision more than three modules on vCMP guests with 8 GB or less of RAM.

Behavior Change:
In earlier releases, you could provision more than three modules on vCMP guests with 8 GB or less of RAM. Now, the provisioning process halts with an error when attempting to do so.


743818 : In LTM Policy Rule page, replacing 'forward node' action with 'forward pool' does not delete the node property

Component: TMOS

Symptoms:
On the LTM Policy Rule page, replacing 'forward node' action with 'forward pool' does not delete the node property.

Conditions:
An LTM policy rule exists, where the action is forward and the object type is node, and the node field is filled out.

Impact:
The modified rule shows the new configuration with the pool, while it still uses the old configuration with the node.

Workaround:
Delete the existing action and add a new action with the correct pool.

Fix:
Changing the object type from node to pool now clears the existing node or virtual server property in the forward action.


743810 : AWS: Disk resizing in m5/c5 instances fails silently.

Component: TMOS

Symptoms:
Resizing the disk in an m5/c5 instance in AWS has no impact on the disk size, and this operation fails silently.

Conditions:
BIG-IP system deployed in AWS with m5/c5 instance type that uses NVME disks instead of the usual native paravirt disks.

Impact:
Disk resizing fails; administrators cannot grow the instance disk in response to their requirements and instance utilization post-deployment.

Workaround:
There is no workaround.

Fix:
AWS: Disk resizing now works as expected.


743790 : BIG-IP system should trigger a HA failover event when expected HSB device is missing from PCI bus

Component: TMOS

Symptoms:
In some rare circumstances, the HSB device might drop off the PCI bus, resulting in the BIG-IP system not being able to pass traffic. However, no high availability (HA) failover condition is triggered, so the BIG-IP system stays active.

Conditions:
HSB drops off the PCI bus. This is caused in response to certain traffic patterns (FPGA issue) that are yet to be determined.

Impact:
No failover to standby unit after this error condition, causing site outage.

Workaround:
None.

Fix:
Now the active BIG-IP system fails over to the standby when HSB on the active unit drops off the PCI bus.


743233 : Default engineID may have different lengths

Component: TMOS

Symptoms:
The initial engineIDType on an unconfigured system is NETSNMP_RND. If the snmpd configuration file is read and there is no stored engine ID, one is generated based on the current system time (and some other bits) to produce a random engineID. In BIG-IP release 14.0.0, the randomly generated engineID changed length to include some trailing zeros.

Conditions:
Use of unconfigured engineID on a clean install with version 14.0.0 or later. Note the engineIDType of NETSNMP_RND cannot be user configured.

Impact:
This can be confusing because the alert daemon and the snmp agent both issue traps and the alert daemon traps did not include the trailing zeros.

Workaround:
There is no workaround.

Fix:
The bug has been fixed and the trailing zeros are no longer included in the randomly generated engine ID.


743082 : Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members

Component: TMOS

Symptoms:
Upgrading to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 might result in a configuration that fails to load due to a stray colon character that gets added to the configuration file.

Conditions:
-- Upgrade from pre-12.1.3 to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2.
-- GTM Pool Members.

Impact:
Configuration fails to load.

Workaround:
Remove the stray colon character from bigip_gtm.conf.

Fix:
Fixed an issue preventing configurations from loading into 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from a version before 12.1.3.


742627 : SSL session mirroring may cause memory leakage if HA channel is down

Component: Local Traffic Manager

Symptoms:
If SSL session mirroring is enabled, but the HA channel is down, attempts to mirror may result in memory leakage.

Conditions:
- SSL session mirroring enabled
- HA channel is down

Impact:
Memory leakage over time resulting in eventual memory pressure leading to performance degradation and possible TMOS restart.

Workaround:
Ensuring that the HA peer is present and connected will avoid the leakage. Otherwise, no reasonable workaround exists short of disabling SSL session mirroring.

Fix:
SSL session mirroring no longer leaks memory when the HA channel is down.


742037 : FPS live updates do not install when minor version is different

Component: Fraud Protection Services

Symptoms:
An update file with a different minor version does not install.
For example, installing an update file versioned 13.1.1 on BIG-IP version 13.1.0 fails.

Conditions:
FPS is licensed and provisioned.

Impact:
FPS engine and signature cannot be updated.

Workaround:
N/A

Fix:
The minor version in the update file is now ignored, and only the major version is validated.


741993 : The BIG-IP system does not answer the request matching L7 policy that disabled DOSL7 when BADOS configured.

Component: Anomaly Detection Services

Symptoms:
The BIG-IP system does not answer the request matching the L7 policy that disabled DOSL7 when BADOS is configured. The connection hangs.

Conditions:
1. Create a DoS profile with Behavioral & Stress-based (D)DoS Detection enabled.
2. Create an L7 policy that disables the DoS profile (even on all URLs).
3. Attach both to a virtual server.
4. Send a request to the virtual server.

Impact:
Connection hangs.

Workaround:
There is no workaround other than disabling the Behavioral & Stress-based (D)DoS Detection from the DoS profile.

Fix:
The system now correctly handles a disabled DOSL7 policy.


741951-1 : Multiple extensions in SIP NOTIFY request cause message to be dropped.

Component: Service Provider

Symptoms:
When SIP NOTIFY messages are sent with a request URI that contains multiple client extensions, the system does not forward the message as expected.

Conditions:
SIP NOTIFY messages sent with a request URI that contains multiple client extensions.

Impact:
NOTIFY message is not forwarded.

Workaround:
None.

Fix:
Improved SIP URI parser now correctly handles multiple extensions in a URI.


741902 : sod does not validate message length vs. received packet length

Component: TMOS

Symptoms:
sod may crash or produce unexpected behavior.

Conditions:
If a malformed network failover packet is received by sod, it may cause an invalid memory access.

Impact:
sod may crash, causing a failover.

Workaround:
None.

Fix:
sod validates the received packet length and does not reference invalid memory.


741858 : TMM may crash while processing Portal Access requests

Solution Article: K52206731


741814 : Auto Last Hop for management connections cannot be disabled/enabled

Component: Local Traffic Manager

Symptoms:
Disabling/Enabling Auto Last Hop for management connections does not take effect. By default, it is enabled and stays enabled after a change.

Conditions:
-- Manual BIG-IP Management Port Configuration is configured. IP address and Network Mask are set, but Management Route is empty.
-- Auto Last Hop for management connections is disabled.
# tmsh mod ltm global-settings general mgmt-auto-last-hop disable
-- BIG-IP system is rebooted.
# full_box_reboot

Impact:
Auto Last Hop for management connections is still enabled on the management interface, and the BIG-IP system is still accessible from outside the local management network.

Workaround:
To work around this issue, use the following commands:

1. Move the lasthop.modules script to the /etc/sysconfig/sysinit directory.
# mv -v /etc/sysconfig/modules/lasthop.modules /etc/sysconfig/sysinit/00activate-early-lasthop.sysinit

2. Reboot the BIG-IP system.
# full_box_reboot

Fix:
The lasthop.modules script has been moved to the /etc/sysconfig/sysinit directory, so this issue no longer occurs.


741761 : admd might fail the heartbeat, resulting in a core

Component: Anomaly Detection Services

Symptoms:
When the system is under heavy I/O stress, admd might fail the heartbeat (which is required by sod, the failover daemon), so sod kills the admd daemon, resulting in a core.

Conditions:
-- System is under heavy I/O stress.
-- admd fails the heartbeat.

Impact:
The system generates an admd core file. Traffic disrupted while admd restarts.

Workaround:
None.


741752 : [BADOS] state file is not saved when virtual server reuses a self IP of the device

Component: Anomaly Detection Services

Symptoms:
BADOS state file is not saved.

Conditions:
Virtual server reuses a self IP of the device.

Impact:
After admd restarts, learned information (baseline and good dataset) can disappear.

Workaround:
None.

Fix:
The system now handles this situation without impact, so the state file is saved as expected.


741599 : After upgrade, Client SSL profile may have extra cert-key-chain structure

Component: TMOS

Symptoms:
Extra cert-key-chain structure appears in Client SSL profile after upgrade from pre-v14.0.0 versions to v14.0.0. The extra cert-key-chain object with a 'usage CA' attribute appears even when the SSL profile is not configured for SSL forward proxy prior to upgrade.

The 'usage CA' cert-key-chain structure is expected when an SSL profile is configured for SSL forward proxy.

Conditions:
-- SSL profiles have had their 'proxy-ca-cert' and 'proxy-ca-key' attributes modified (even if simply set to the default value of 'none' explicitly).
-- The 'clientssl' built-in profile if that profile is modified via the GUI.
-- Upgrade from pre-v14.0.0 versions to v14.0.0.

Impact:
Extraneous 'usage CA' cert-key-chain entries added to configuration after upgrade.

Workaround:
Before upgrading, use tmsh to set the 'proxy-ca-cert' and 'proxy-ca-key' attributes values back to their default by specifying the value as 'default-value'.

After upgrade on an affected system, for SSL profiles that are not configured for SSL forward proxy:
1. Delete the extra cert-key-chain object.
2. Edit the configuration file with a text editor and remove the 'proxy-ca-cert' and 'proxy-ca-key' attributes for those profiles.
3. Re-load the configuration using the following command: tmsh load sys config

Fix:
The system no longer adds an extra cert-key-chain structure in Client SSL profiles after upgrade from pre-v14.0.0 versions.


741535 : Memory leak with Form-based Client-initiated SSO

Component: Access Policy Manager

Symptoms:
With Form-based Client-initiated SSO configured, BIG-IP system memory usage increases with every HTTP request that is proxied to the backend. The type of memory that increases is tmjail. You can view memory usage using the following command: tmsh show sys memory.

At some point, the BIG-IP system enables connection evictions in order to reduce the memory pressure, which causes service disruptions. You might see the following warning log messages.

-- warning tmm[20537]: 011e0002:4: sweeper_segment_cb_any: Aggressive mode /Common/default-eviction-policy activated (0) (global memory).
-- warning tmm1[20537]: 01010290:4: TCP: Memory pressure activated.
-- err tmm1[20537]: 011e0003:3: Aggressive mode sweeper: /Common/default-eviction-policy (100000000000b) (global memory) 413 Connections killed.

Conditions:
Form-based Client-initiated SSO is used.

Impact:
Potential service disruption.

Workaround:
No workaround other than not using Form-based Client-initiated SSO.

Fix:
The memory leak associated with Form-based Client-initiated SSO no longer occurs.


741435 : Using local traffic policies with type 'CE Profile', a new rule does not have the option to classify traffic

Component: Traffic Classification Engine

Symptoms:
In a local traffic policy with type 'CE Profile', a new rule does not have the option to classify traffic.

Conditions:
-- PEM, AFM, APM, or SWG is provisioned.
-- Local traffic policy with type 'CE Profile'.
-- Create a new rule.

Impact:
No GUI option to classify traffic. Cannot use the GUI to reclassify traffic using LTM Policies.

Workaround:
Use TMSH to configure the policies and rules for classifying traffic.

Fix:
LTM policies of type 'CE Profile' can now reclassify traffic.


741423 : Secondary blade goes offline when provisioning ASM/FPS on already established config-sync

Component: TMOS

Symptoms:
When provisioning ASM for the first time on a device that is already linked in a high availability (HA) config-sync configuration, any other cluster device that is on the trust domain experiences mcpd restarting on all secondary blades due to a configuration error.

The system logs messages similar to the following in /var/log/ltm:
-- notice mcpd[12369]: 010718ed:5: DATASYNC: Done initializing datasync configuration for provisioned modules [ none ].
-- err mcpd[9791]: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.
-- err mcpd[9791]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.... failed validation with error 16908342.
-- notice mcpd[12369]: 0107092a:5: Secondary slot 2 disconnected.

Conditions:
-- Cluster devices are joined in the trust for HA or config-sync.
-- Provisioning ASM or FPS on clusters which are already joined in a trust.
-- ASM and FPS have not been provisioned on any of the devices: this is the first ASM/FPS provisioning in the trust.

Impact:
Traffic on all secondary blades is interrupted while mcpd restarts. Then, traffic is resumed.

Workaround:
Before provisioning ASM/FPS (but after setting up a trust configuration):

1. On the device on which ASM/FPS is about to be provisioned, create the datasync-global-dg device group and add all of the available devices.

For example, if there are two devices in the Trust Domain: test1.lab.com and test2.lab.com, and you plan to provision ASM/FPS for the first time on test1.lab.com, first run the following command from test1.lab.com:

tmsh create cm device-group datasync-global-dg devices add { test1.lab.com test2.lab.com }

2. Do not sync the device group.
3. Then on test1.lab.com, you can provision ASM/FPS.

Fix:
Secondary blades no longer go offline when provisioning ASM/FPS on already established HA or config-sync configurations.


741408 : netHSM partition password length increase to 192 characters

Component: Local Traffic Manager

Symptoms:
Some netHSM vendors require that the partition password be longer than 64 characters. This causes netHSM partition authentication to fail for such vendors.

Conditions:
Partition password length at the network HSM needs to be longer than 64 characters.

Impact:
netHSM cannot be authenticated, so most of the netHSM operations fail.

Workaround:
For AWS CloudHSM, the fix works without any workaround. For future vendors that require a password longer than 192 characters, the following workarounds can be considered:

-- Use a password shorter than 64 characters.
-- Some vendors may offer a workaround such as setting an environment variable for the password.

Fix:
This release increases the password length limit to 192 characters.

Behavior Change:
This release increases the password length limit to 192 characters. Previously, the limit was 64 characters.


741077 : Mobile Firefox on Android 9 falsely detected as Selenium

Component: Application Security Manager

Symptoms:
Clients running Firefox on Android 9 and selecting 'Request Desktop Site' may get blocked when Proactive Bot Defense is enabled. The 'Classification Reason' will show 'Selenium Detected'.

Conditions:
-- Proactive Bot Defense or Device ID features are enabled.
-- Client uses Firefox on a mobile device that is running Android 9, and selects 'Request Desktop Site'.

Impact:
Client may be blocked or get CAPTCHA challenge. Bot Defense Request Log will falsely show 'Selenium Detected' in the 'Classification Reason' field.

Workaround:
There is no workaround at this time.

Fix:
Mobile Firefox on Android 9 in Desktop Mode is no longer blocked due to false detection as Selenium.


741075 : Mobile Firefox on Android 9 in Desktop Mode may be falsely detected

Component: Application Security Manager

Symptoms:
Clients running Firefox on Android 9 who select 'Request Desktop Site' may have their user agent falsely detected.

Conditions:
-- Proactive Bot Defense or Device ID features are enabled.
-- Client uses Firefox on a mobile device running Android 9, and selects 'Request Desktop Site'.

Impact:
Client may possibly get the CAPTCHA challenge, or Device ID functionality may not work correctly.

Workaround:
There is no workaround at this time.

Fix:
Mobile Firefox on Android 9 in Desktop Mode now functions correctly.


741061 : Proactive Bot Defense with Single Page Application may cause page to scroll down

Component: Application Security Manager

Symptoms:
When Proactive Bot Defense is enabled together with Single Page Application on the DoS Application Profile, the page may scroll all the way down when the application sends an AJAX request.

Conditions:
- Application DoS Profile is used with Proactive Bot Defense, Block Suspicious Browsers, and Single Page Application -- all enabled.
- Back-end web page is longer than the height of the user's browser window.
- The back-end web application is sending an AJAX request.

Impact:
Users browsing the application may see their browser window scrolled all the way down. When this happens, the screen can be scrolled back up without a problem.

Workaround:
There is no workaround at this time.

Fix:
Proactive Bot Defense challenges with Single Page Application no longer cause the browser window to scroll down.


740963 : VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart

Component: Local Traffic Manager

Symptoms:
VIP-on-VIP traffic might cause TCP retransmit bursts, which in certain situations can cause tmm to restart.

Conditions:
- Virtual server handling TCP traffic.
- iRule using the 'virtual' command.

Impact:
Temporary memory consumption and potential for tmm to restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TCP retransmit bursts are now handled gracefully.


740777 : Secondary blades mcp daemon restart when subroutine properties are configured

Component: Access Policy Manager

Symptoms:
Secondary blades' MCP daemons restart with the following error messages:
-- err mcpd[26818]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested Subroutine Properties (/Common/confirm_10 /Common/confirm_10) was not found.... failed validation with error 16908342.

Conditions:
When a subroutine is configured in the access policy.

Impact:
The secondary blade MCP daemon restarts. Cannot use subroutine in the access policy.

Workaround:
There is no workaround other than to not use subroutine in the access policy.

Fix:
You can now use subroutines in the access policy.


740746 : RSA key creation fails for generating key/csr pair when using gen-csr challenge-password

Component: TMOS

Symptoms:
Generating an RSA key together with a CSR via tmsh fails when either key-password option is used.

Response from create sys crypto key command when using challenge-password option:
Syntax Error: Key creation doesn't support challenge-password option.

Response from create sys crypto key command when using prompt-for-password option:
Syntax Error: Key creation doesn't support prompt-for-password option.

Conditions:
This issue occurs when using either key password-protection option while generating a CSR and RSA key via the tmsh command: create sys crypto key.

Impact:
Cannot generate password-protected RSA key via tmsh command.

Workaround:
There is no workaround.

Fix:
The system now supports creating a CSR and RSA key with the password options via tmsh.


740719 : ASM CSP header parser does not honor unsafe-inline attribute within script-src directive

Component: Application Security Manager

Symptoms:
Browser reports Content-Security-Policy error when ASM modifies the 'Content-Security-Policy' (CSP) header.

Conditions:
1. ASM provisioned.
2. ASM policy attached to a virtual server.
3. CSRF or Ajax blocking page enabled within ASM policy
4. Backend server sends 'Content-Security-Policy' header with 'script-src' 'unsafe-inline' directive.

Impact:
Browser posts 'Content-Security-Policy' error and stops JavaScript execution.

Workaround:
Disable 'Content-Security-Policy' header parsing for ASM policies. To do so, follow these steps:

1. Run the following command:
/usr/share/ts/bin/add_del_internal add csp_enabled 0

2. Restart ASM by running the following command:
bigstart restart asm

Fix:
ASM 'Content-Security-Policy' header parser no longer modifies the 'Content-Security-Policy' header when there is 'script-src' 'unsafe-inline' directive arriving from a backend server. This is correct behavior.
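
The behaviour behind this entry, as an added example that is not ASM code: a small Content-Security-Policy parser that decides whether an inline-script source may be added to script-src. The page does not state how ASM rewrites the header; the example assumes the rewrite adds a 'nonce-...' source, which is the usual way a proxy permits a script it injects. The caveat it encodes is standard CSP (Level 2 and later) behaviour: once a nonce or hash appears in script-src, browsers ignore 'unsafe-inline' in that directive, so a rewriter that adds one to a policy that already carries 'unsafe-inline' blocks the application's own inline scripts. The header strings are constructed for the example.

```python
# Added example (not ASM code): decide whether a CSP header may be given an
# inline-script source. Assumes the rewriter adds a 'nonce-...' source.
import secrets
from typing import Dict, List, Optional, Tuple

Policy = Dict[str, List[str]]


def parse_csp(header: str) -> Policy:
    """Split a CSP header into {directive: [sources...]} keeping source order."""
    policy: Policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy: Policy) -> str:
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


def script_directive(policy: Policy) -> Tuple[Optional[str], Optional[List[str]]]:
    """script-src falls back to default-src when absent; None means scripts are unrestricted."""
    for name in ("script-src", "default-src"):
        if name in policy:
            return name, policy[name]
    return None, None


def add_inline_script_source(header: str, nonce: Optional[str] = None) -> Tuple[str, str]:
    """
    Return (new_header, reason). A nonce is added only when it is both needed and safe:
      - no script directive            -> inline scripts already allowed, header unchanged
      - 'unsafe-inline' already present -> header unchanged; adding a nonce or hash would make
                                          browsers ignore 'unsafe-inline' (CSP Level 2+) and
                                          block the application's own inline scripts
      - otherwise                       -> 'nonce-<value>' appended to script-src
    """
    policy = parse_csp(header)
    name, sources = script_directive(policy)
    if name is None or sources is None:
        return header, "no script restriction; unchanged"
    if any(src.lower() == "'unsafe-inline'" for src in sources):
        return header, "'unsafe-inline' present; unchanged"
    if name == "default-src":
        # Materialise an explicit script-src so the nonce does not widen other resource types.
        sources = list(sources)
        policy["script-src"] = sources
    sources.append(f"'nonce-{nonce or secrets.token_urlsafe(16)}'")
    return serialize_csp(policy), "nonce added"
```

The decision order matters: the 'unsafe-inline' check must come before any nonce or hash is appended, because the presence of either source is exactly what makes a browser discard 'unsafe-inline'.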


740517 : Application Editor users are unable to edit HTTPS Monitors via the Web UI

Component: TMOS

Symptoms:
A user with the Application Editor role cannot modify an HTTPS Monitor via the GUI. The user is shown the following misleading and incorrect error message: Access Denied: user does not have delete access to object (ssl_cert_monitor_param)

Conditions:
The logged-in GUI user has the Application Editor role for the partition containing the HTTPS Monitor.

Impact:
The user must use TMSH to modify an HTTPS Monitor.

Workaround:
Run the following tmsh command: modify ltm monitor https


740413 : sod not logging Failover Condition messages

Component: TMOS

Symptoms:
When a failsafe fault occurs, sod does not log a message indicating that the device is unable to become Active.

Conditions:
Failsafe fault.

Impact:
No 'Failover Condition' messages logged in /var/log/ltm.

Workaround:
None.


740135 : Traffic Group ha-order list does not load correctly after reset to default configuration

Component: TMOS

Symptoms:
After resetting the BIG-IP configuration to default (i.e., 'tmsh load sys config default'), if a configuration is loaded where the name of the self-device changes, this may cause the self-device to be removed from any traffic group HA Order lists.

Conditions:
-- Must be loading a configuration after resetting to default.
-- Must have at least one traffic group using the 'HA Order' Failover Method.

Impact:
Incorrect HA configuration.

Workaround:
Reload the configuration a second time.

Fix:
Prevented the self-device from getting removed from the HA Order list during a configuration load.


740133 : cmp_dest --command resolve with --platform option but without --opaque_data option produces incorrect results.

Component: TMOS

Symptoms:
Using cmp_dest --command resolve with --platform option but without the --opaque_data option produces incorrect results.

Conditions:
-- The DAG hash is P8DAG (you can check by running the following command: tmctl -d blade tmm/daglib).
-- The platform option is used
-- The opaque_data option is not used, so cmp_dest uses cmp_state to infer it.

Impact:
Incorrect results for cmp_dest resolve command.

Workaround:
Explicitly provide opaque_data option.

Fix:
Now, running the cmp_dest --command resolve and including the --platform option without the --opaque_data option produces correct results.


740086-1 : AVR reports ignore partitions for Admin users

Component: Application Visibility and Reporting

Symptoms:
The behavior of AVR's reporting feature changed after an upgrade.

Reports generated for specific partition include data from all partitions.

Conditions:
-- Users with Admin role.
-- AVR provisioned.
-- AVR profile configured and attached to a virtual server.
-- User with Admin role creates Scheduled Reports or uses GUI to view AVR reports.

Impact:
AVR GUI pages or Scheduled Reports defined for one partition include AVR data from other partitions.

Workaround:
One workaround is to have non-Admin users generate reports.

For non-Admin users, the partition is honored.

Fix:
AVR GUI pages or Scheduled Reports defined for one partition now show, for all users, AVR data from only that partition.


740024 : Web page does not load correctly if load time is enabled

Component: Application Visibility and Reporting

Symptoms:
The web page does not load correctly. The TSPD_101 cookie is not present. All headers after the f5_cspm cookie are ignored.

Conditions:
-- AVR profile is attached to a virtual server.
-- Load time is enabled.

Impact:
Resources, such as scripts and CSS, are blocked when using Bot Defense Browser Verification due to anomaly 'Resource request without browser verification cookie'.

Workaround:
There is no workaround.

Fix:
All page resources now load correctly.


739970 : Linux kernel vulnerability: CVE-2018-5390

Solution Article: K95343321


739947 : TMM may crash while processing APM traffic

Component: Access Policy Manager

Symptoms:
Under certain conditions, TMM may crash while processing APM traffic.

Conditions:
APM enabled.

Impact:
TMM crash leading to a failover event.

Workaround:
None.

Fix:
TMM now correctly processes APM traffic.


739939 : Ping Access Agent Module leaks memory in TMM.

Component: Access Policy Manager

Symptoms:
Whenever a Ping Access request traverses apm_ivs (the internal virtual server) to the Ping Access Agent (for example, on a cache miss), memory leaks.

Conditions:
Ping Access Agent request that is not served from local cache (e.g., in the Cache-Miss case).

Impact:
The slow memory leak might eventually cause TMM to restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Ping Access Agent Module no longer leaks memory in TMM.


739927 : Bigd crashes after a specific combination of logging operations

Component: Local Traffic Manager

Symptoms:
Bigd crashes. Bigd core will be generated.

Conditions:
1. Boot the system and set up any monitor.
2. Enable and disable bigd.debug:
-- tmsh modify sys db bigd.debug value enable
-- tmsh modify sys db bigd.debug value disable
3. Enable monitor logging.

Impact:
Bigd crashes.

Workaround:
None.

Fix:
Bigd no longer crashes under these conditions.


739872 : The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover

Component: TMOS

Symptoms:
Running the 'load sys config verify' command for a configuration that would alter the high availability (HA) Group score for a Traffic Group can cause the HA group score to be updated.

Conditions:
Run 'load sys config verify' with configuration data that affects a Traffic Group's HA Group score.

Impact:
Unintended failover.

Workaround:
None.

Fix:
HA Group scores are no longer updated when running 'load sys config verify' commands.


739846 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection

Component: Global Traffic Manager (DNS)

Symptoms:
When big3d runs out of memory for iQuery connections, a segmentation fault might occur.

Conditions:
-- Not enough memory to create additional iQuery connections.
-- Receive a new iQuery connection.

Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.

Workaround:
None.

Fix:
The big3d process no longer gets a segmentation fault when reaching the limits of the memory footprint while trying to establish iQuery connections.


739744 : Import of Policy using Pool with members is failing

Component: Access Policy Manager

Symptoms:
Importing a policy that uses a pool with members fails with an error similar to: Pool member node (/Common/u.x.y.z%0) and existing node (/Common/u.x.y.z) cannot use the same IP Address (u.x.y.z).

Conditions:
The policy has a pool attached to it via Resource Assign or chained objects.

Impact:
The policy cannot be imported on the same device.

Workaround:
There is no workaround at this time.

Fix:
ng-import now imports the policy correctly.


739716 : APM Subroutine loops without finishing

Component: Access Policy Manager

Symptoms:
Some APM subroutines never finish. In authentication use cases, the end-users will continue to see logon pages, even after submitting correct credentials. In SWG confirm-and-continue use cases, the end-users will continue to see confirm boxes, even if they had already clicked "continue".

Conditions:
APM with a subroutine. Reproducibility will vary by platform and deployment.

Impact:
Subroutines never finish. End-users are not able to access resources.

Workaround:
Restarting TMM resolves the issue (traffic is disrupted while tmm restarts).

Fix:
The memory corruption issue was resolved and the subroutines now correctly finish.


739674 : TMM might core in SWG scenario with per-request policy.

Component: Access Policy Manager

Symptoms:
TMM can core when Secure Web Gateway (SWG) is configured, and SSL is resumed through per-request policy.

Conditions:
-- SWG is configured.
-- SSL is resumed through per-request policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores in the SWG scenario with a per-request policy.


739638 : BGP failed to connect with neighbor when pool route is used

Component: Local Traffic Manager

Symptoms:
BGP peering fails to be established.

Conditions:
- Dynamic routing enabled.
- The BGP peer is reached through a pool route or ECMP route.

Impact:
BGP dynamic route paths are not created.

Workaround:
Use a gateway route.

Fix:
BGP peering can be properly established through a pool route.


739635 : No learning when creating policy using guided configuration

Component: Application Security Manager

Symptoms:
No learning suggestions for the policy.

Conditions:
The policy was created using guided configuration (WGC).

Impact:
The policy is not learned by the policy builder.

Workaround:
Either of the following:
- Deactivate (detach the policy from the virtual server) and re-activate the policy.
- Restart the policy builder, which fixes the problem:
killall -s SIGHUP pabnagd

Fix:
Policies created using guided configuration (WGC) are now initialized correctly and learned.


739618 : When loading AWAF license, cannot set rule to control ASM in LTM policy

Component: Application Security Manager

Symptoms:
When using AWAF license, you cannot use the BIG-IP Configuration Utility to set rule to control ASM in an LTM policy.

Conditions:
- AWAF license

Impact:
Admins cannot use the BIG-IP Configuration Utility to create an LTM policy that controls ASM, and must use TMSH.

Workaround:
Use TMSH to create the rule instead of the GUI, for example:
For example:
create ltm policy Drafts/test99 controls add { asm } requires add { http } rules add { rule1 { actions add { 0 { asm enable policy dummy2 }} ordinal 1 }}

Fix:
Users with an AWAF license can now create LTM policy rules that control ASM in the BIG-IP Configuration Utility.


739533 : In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config

Component: TMOS

Symptoms:
If mcpd loses connection with a peer in the middle of a config sync operation when a large file is being transferred, the temporary copy of that file in /config/filestore/.snapshots_d/ might not be deleted. If this happens enough times with large enough files, those temporary files might fill the /config filesystem.

Conditions:
-- A config sync of a large file is happening.
-- The mcp connection between peers is lost.

Impact:
The temporary files that should be deleted might not be. This is not a problem until the issue has occurred many times, leaving many temporary files, at which point /config can run out of space and reach 100% full. Having /config 100% full might cause config sync to fail, prevent configuration changes, and cause other issues.

Workaround:
Delete all files in /config/filestore/.snapshots_d that are more than an hour old.

Fix:
A new function has been added that cleans up old snapshot files when an error occurs.


739437 : null in request causes parameters violation to be skipped

Component: Application Security Manager

Symptoms:
In a specific scenario, when the 'Null in request' violation is issued, other expected parameter-related violations are not issued.

Conditions:
A null character appears at a specific location in the request.

Impact:
The expected parameter violations are not issued; only the 'Null in request' violation is issued.

Workaround:
N/A

Fix:
The parameter-related violations are now issued.


739381 : Users of role Manager are unable to look up the URL Categories

Component: Access Policy Manager

Symptoms:
User accounts configured with the role of Manager cannot use the URL Category Lookup functionality.

Conditions:
-- User accounts configured with the role of Manager.
-- Attempt to use the URL Category Lookup functionality.

Impact:
No access to the lookup function. Cannot use the URL Category Lookup functionality.

Workaround:
Have a user configured with the role resource administrator or Admin access this feature.

Fix:
Users configured with the role of Manager can now access the URL Category lookup feature.


739379 : Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error

Component: Local Traffic Manager

Symptoms:
In a situation where multiple SSL forward proxies are connected via virtual targeting, the SNI value extracted from the ClientHello and saved by the first-layer SSL forward proxy may be overwritten by the second-layer SSL forward proxy. When this happens, certificate verification fails when the first-layer SSL forward proxy attempts to validate the certificate.

Conditions:
Two SSL forward proxies connected via virtual command in iRule.

Impact:
Client connections are randomly reset.

Workaround:
None.

Fix:
The search scope of storing parsed SNI is now local to each SSL forward proxy.


739342 : Learning not occurring for some policies

Component: Application Security Manager

Symptoms:
No learning suggestions for some policies

Conditions:
Exact conditions are unknown. This occurred during a specific internal automated scenario, but any manual attempts to reproduce it failed.

Impact:
Learning not occurring for several policies.

Workaround:
Restart the policy builder, which fixes the problem:
killall -s SIGHUP pabnagd

Fix:
Fixed the case where the policy builder learns only for some of the policies.


739285 : GUI partially missing when VCMP is provisioned

Component: TMOS

Symptoms:
GUI may be partially missing.

Conditions:
VCMP must be provisioned.

Impact:
GUI may be partially missing.

Workaround:
Use tmsh or deprovision VCMP.

Fix:
The GUI now works as expected when VCMP is provisioned.


739277-1 : TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode

Component: Anomaly Detection Services

Symptoms:
TMM cores when the virtual server is deleted during POST data and BADOS is in standard/aggressive mode.

Conditions:
-- The virtual server is deleted during POST data.
-- BADOS configured in standard/aggressive mode.

Impact:
TMM cores; traffic does not pass until TMM restarts.

Workaround:
You can work around this issue using either of the following options if you plan to delete a virtual server:

-- First detach the DoS protection profile.
-- Remove BADOS configuration or change BADOS mitigation to Conservative.

Fix:
This release corrects a TMM crash that occurred when the virtual server was deleted during POST data and BADOS was in standard/aggressive mode.


739272 : Incorrect zombie counts in PBA stats with long PBA block-lifetimes

Component: Carrier-Grade NAT

Symptoms:
Due to a truncation error, a long Port Block Allocation (PBA) block lifetime can cause the PBA zombie stats to get incremented before the block lifetime expires and even though a zombie block has not been created.

Conditions:
Large Scale NAT (LSN) pool or Firewall NAT source-translation with a Port Block Allocation Block Lifetime greater than 65535.

Impact:
This bug affects only the 'Active Zombie Port Blocks', 'Total Zombie Port Blocks Created', and 'Total Zombie Port Blocks Deleted' counters. It does not convert active blocks to zombie blocks before the block lifetime expires.

Workaround:
There is no workaround.

Fix:
The 'Active Zombie Port Blocks' and 'Total Zombie Port Blocks Created' counters are now incremented only when the PBA block lifetime expires.


739126-1 : Multiple VE installations may have different sized volumes

Component: TMOS

Symptoms:
When installing a 2nd, 3rd, (or more) version of BIG-IP to a Virtual Edition (VE) instance, the sizes of the non-shared volumes may be smaller than the first. This can be an issue if, for example, /var is smaller and fills up due to UCS archives, data gathered during troubleshooting, etc.

Conditions:
Install an additional version of BIG-IP to an existing VE instance.

Impact:
Disk volumes may run out of space sooner than expected, leading to issues when that space is needed for other operations.

Workaround:
Provision additional disk space to expand the available storage.

Fix:
In this release, the installer handles this condition without issue.


739024 : Kerberos auth fails intermittently after upgrade from v14.0.0

Component: Access Policy Manager

Symptoms:
Kerberos auth fails and the client is prompted for credentials (entering correct credentials does not help).

Conditions:
1. Configure SWG explicit or transparent proxy.
2. Configure start -> 401 negotiate -> variable assign <session.server.network.name = return "your_proxy_fqdn"> (required for Kerberos auth) -> Kerberos auth in main access policy.
3. Configure start -> SSL check -> [HTTPS | HTTP ] -> category lookup -> allow in per-request policy.
4. Send HTTP/HTTPS request from explicit or transparent client.

Impact:
Kerberos authentication fails.

Workaround:
Change the permission and ownership of the Kerberos keytab file with these commands:
chmod 640 <Kerberos keytab file>
chgrp root <Kerberos keytab file>

Fix:
The Kerberos keytab file is now created with permissions rw-r----- and owner tomcat, group root, so Kerberos auth no longer fails.


739003 : TMM may crash when fastl4 is used on epva-capable BIG-IP

Component: Local Traffic Manager

Symptoms:
TMM may crash when fastl4 is used on epva-capable BIG-IP.

Conditions:
The virtual server has a FastL4 profile and an iRule that uses the SERVER_CONNECTED event attached, and the pool member is routable but does not exist.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
TMM no longer crashes under these conditions.


738985 : BIND vulnerability: CVE-2018-5740

Component: TMOS

Symptoms:
"deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c.

Conditions:
"deny-answer-aliases" feature is explicitly enabled

Impact:
Crash of the BIND process and loss of service while the process is restarted.

Workaround:
Only servers which have explicitly enabled the "deny-answer-aliases" feature are at risk and disabling the feature prevents exploitation.

Fix:
BIND patched to correct CVE-2018-5740.


738887 : The snmpd daemon may leak memory when processing requests.

Component: TMOS

Symptoms:
Under certain conditions, the snmpd daemon may leak memory when processing requests.

Conditions:
This issue is known to occur on a multi-blade vCMP guest after specific maintenance operations have been carried out by an Administrator on the guest.

Impact:
Once enough memory has leaked, the system may become unstable and fail unpredictably.

Workaround:
If the snmpd daemon is consuming excessive memory, restart it with the following command:

bigstart restart snmpd

Fix:
The snmpd daemon no longer leaks memory when a multi-blade vCMP guest reaches a certain condition.


738864 : javascript functions in href are learned from response as new URLs

Component: Application Security Manager

Symptoms:
New URLs representing JavaScript functions are learned from responses.

Conditions:
Learn from response is turned on and URL learning is set to 'Always'.

Impact:
Wrong URLs are created and added to the policy (not really interfering with enforcement, but adding redundant noise to the policy).

Workaround:
Either:
- Change URL learning from 'Always' to any of the other learning options (Compact / Selective / Never).
- Disable learn from response.

Fix:
JavaScript functions are no longer learned from responses as new URLs.


738789 : ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog

Component: Application Security Manager

Symptoms:
ASM blocks requests whose payload is an XML document with a prolog line at the beginning that specifies encoding="us-ascii".

Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- ASM handles XML traffic with encoding="us-ascii" (this is uncommon; the usual case is encoding="utf-8").

Impact:
XML requests are blocked.

Workaround:
Remove the XML profile from the URL in the ASM policy, or disable malformed XML document detection via the ASM policy blocking settings.

Fix:
The XML parser now accepts encoding="us-ascii".


738735 : Tomcat Vulnerability: CVE-2018-1336

Solution Article: K73008537


738674 : Ajax blocking page breaks ajax based applications

Component: Application Security Manager

Symptoms:
When the Ajax blocking page is enabled within an ASM policy, it interferes with the web application's Ajax APIs by hooking Ajax responses. As a result, the Ajax response is not passed to the native response handler. The symptoms are Ajax requests that hang or are never fired.

Conditions:
- ASM Provisioned
- ASM policy attached to a virtual
- Ajax Blocking page enabled within asm policy

Impact:
Ajax based web-app won't work properly.

Workaround:
Disable Ajax Blocking page feature in asm policy.

Fix:
ASM Ajax blocking response hooks are fixed to address the issue.


738669 : Login validation may fail for a large request with early server response

Component: Fraud Protection Services

Symptoms:
For a large request/response, if FPS needs to buffer ingress and egress chunks for additional processing (ingress for parameter parsing; egress for login validation's banned/mandatory string check or script injection), and the server responds fast enough, the buffer may contain mixed parts of the request and response. This may have several effects, from incorrectly performing login validation to generating a tmm core file.

Conditions:
-- Login validation is enabled and configured to check for banned/mandatory string.
-- A username parameter is configured.
-- There are no parameters configured for encrypt/HTML Field Obfuscation (HFO), and no decoy parameters.
-- There is a large request and response.
-- The server responds very quickly.

Impact:
This results in one or more of the following:
-- Login validation failure/skip.
-- Bad response/script injection.
-- tmm core. In this case, traffic is disrupted while tmm restarts.

Workaround:
None.

Fix:
FPS now handles ingress/egress buffers separately, so this issue no longer occurs.


738647 : Add the login detection criteria of 'status code is not X'

Component: Application Security Manager

Symptoms:
A criterion is needed to detect a successful login by a response status code that is not X.

Conditions:
Attempting to detect a successful login when the response status code is not X (where X is some status code).

Impact:
Cannot configure login criteria.

Workaround:
None.

Fix:
This release adds a new criterion to the login criteria.


738582 : Ping Access Agent Module leaks memory in TMM.

Component: Access Policy Manager

Symptoms:
While handling Ping Access Request, if the internal events passing between modules fail, it might cause a memory leak inside TMM.

Conditions:
Internal events passing between Ping Access Request processing modules fail.

Impact:
Ping Access Agent Module leaks memory in TMM.

Workaround:
None.


738523 : SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages

Component: Local Traffic Manager

Symptoms:
When monitoring an SMTP server that emits multi-line '250' responses to the initial 'HELO' message, the monitor fails. If monitor logging is enabled on the pool member, the system posts an error similar to the following in the monitor log:

09:50:08.580145:(_Tcl /Common/mysmtp): ERROR: failed to complete the transfer, Failed to identify domain.

Conditions:
-- Monitoring an SMTP server.
-- SMTP server is configured to return a multi-line '250' response to the initial 'HELO' message.

Impact:
The pool member is marked down even though it is actually up.

Workaround:
None.

Fix:
The system now handles multi-line '250' responses to the initial 'HELO' message.
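
The reply handling this entry describes, as an added example that is not BIG-IP monitor code: an SMTP reply reader that treats "250-text" lines as continuation and "250 text" (or a bare "250") as the final line, per RFC 5321 section 4.2, plus a live probe built on it. The server transcripts are constructed for the example, not captured; the host name monitor.example and the probe's defaults are assumptions.

```python
# Added example (not BIG-IP monitor code): reading SMTP replies the way a health
# monitor must, including multi-line replies ("250-..." continues, "250 ..." ends).
import re
import socket
from typing import List, Optional, Tuple

# Reply line per RFC 5321 section 4.2: 3-digit code, then "-" (more lines follow)
# or SP/end-of-line (last line), then optional text.
_REPLY_LINE = re.compile(rb"(\d{3})(?:([ -])(.*?))?\r?\n")


def parse_reply(buf: bytes) -> Optional[Tuple[int, List[str], bytes]]:
    """Consume one complete reply -> (code, text lines, unconsumed bytes), or None if incomplete."""
    code: Optional[int] = None
    texts: List[str] = []
    pos = 0
    while True:
        if buf.find(b"\n", pos) == -1:
            return None                      # final line not yet received
        m = _REPLY_LINE.match(buf, pos)
        if m is None:
            raise ValueError(f"malformed reply line: {buf[pos:pos + 40]!r}")
        line_code = int(m.group(1))
        if code is None:
            code = line_code
        elif line_code != code:             # every line of one reply carries the same code
            raise ValueError(f"reply code changed from {code} to {line_code}")
        texts.append((m.group(3) or b"").decode("utf-8", "replace"))
        pos = m.end()
        if m.group(2) != b"-":               # SP or bare code: this was the final line
            return code, texts, buf[pos:]


def expect(buf: bytes, wanted: int) -> Tuple[List[str], bytes]:
    """Parse one reply and require its code; raises ValueError otherwise."""
    parsed = parse_reply(buf)
    if parsed is None:
        raise ValueError("incomplete reply")
    code, texts, rest = parsed
    if code != wanted:
        raise ValueError(f"expected {wanted}, got {code}: {' '.join(texts)}")
    return texts, rest


def helo_exchange_ok(server_bytes: bytes) -> bool:
    """Offline check over a transcript of server output: greeting 220, then 250 to HELO."""
    try:
        _, rest = expect(server_bytes, 220)
        expect(rest, 250)
    except ValueError:
        return False
    return True


def smtp_probe(host: str, port: int = 25, helo_name: str = "monitor.example",
               timeout: float = 5.0) -> bool:
    """Live version: connect, read greeting, send HELO, require 250, then QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        buf = b""

        def read_reply() -> Tuple[int, List[str]]:
            nonlocal buf
            while True:
                parsed = parse_reply(buf)
                if parsed is not None:
                    code, texts, buf = parsed
                    return code, texts
                chunk = sock.recv(4096)
                if not chunk:
                    raise ValueError("connection closed mid-reply")
                buf += chunk

        code, _ = read_reply()
        if code != 220:
            return False
        sock.sendall(f"HELO {helo_name}\r\n".encode("ascii"))
        code, _ = read_reply()
        sock.sendall(b"QUIT\r\n")
        return code == 250


# Constructed transcripts (not captures) of what a server sends before and after HELO.
MULTILINE_250 = (b"220 mail.example ESMTP ready\r\n"
                 b"250-mail.example Hello monitor.example\r\n"
                 b"250-SIZE 10485760\r\n"
                 b"250 OK\r\n")
SINGLE_250 = b"220 mail.example ESMTP ready\r\n250 mail.example\r\n"
```

The reader never decides on the first line alone: it keeps consuming until a line whose separator is not "-", which is the condition the failing monitor got wrong. A monitor that also checks the reply text should match against the joined lines, since a multi-line greeting spreads it across several.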


738521 : i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.

Component: Local Traffic Manager

Symptoms:
A trunk configured between a BIG-IP i4x00/i2x00 platform and an upstream switch may go down due to the presence of the VLAN tag.

Conditions:
LACP configured between a BIG-IP i4x00/i2x00 platform and an upstream switch.

Impact:
Trunks are brought down by upstream switch.

Workaround:
There is no workaround other than disabling LACP.

Fix:
The system no longer transmits a VLAN tag for LACP PDUs, so this issue no longer occurs.


738455 : TLS1.2 and earlier 'do not advertise' signature algorithm RSA-PSS

Component: Local Traffic Manager

Symptoms:
RSA-PSS signature algorithms are advertised by the default cipher group in TLS 1.2 and earlier, and there is no 'Do not advertise' option to suppress them.

Conditions:
-- TLS 1.2 or earlier.
-- Attempting not to advertise RSA-PSS signature algorithms.

Impact:
No 'Do not advertise' support. Possible handshake failure with a peer that does not support the advertised signature algorithm.

Workaround:
Use a cipher group with RSA-PSS removed from its signature algorithms, or switch to using a cipher string instead of a cipher group.

Fix:
'Do not advertise' is now supported for RSA-PSS signature algorithms in TLS 1.2 and earlier.


738445 : IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup

Component: TMOS

Symptoms:
INVALID_SPI notification does not delete the IPsec-SA with the SPI value that appears in the notify payload. This occurs because the handler of INVALID-SPI notifications performs the following incorrect actions:

-- Fetches SPI from payload as if it's a string, rather than the network byte order integer it actually is.

-- Attempts phase 2 lookup via selector ID (reqid) rather than SPI.

Either alone prevents finding the SA to delete.

Conditions:
An IKEv1 IPsec peer sends an INVALID-SPI notification to the BIG-IP system.

Impact:
The IPsec-SA with that SPI cannot be found and is not deleted.

Workaround:
From the BIG-IP command line, you can still manually delete any IPsec-SA, including the invalid SPI, using the following command:
# tmsh delete net ipsec ipsec-sa spi <spi number>

Fix:
SPI is now extracted correctly from the payload as a binary integer, and the phase 2 SA lookup is done with a proper SPI search, which also requires a match in the peer address.
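
The two handler defects above, as an added example that is not BIG-IP or IKE daemon code: it builds a constructed INVALID-SPI notification payload in the ISAKMP layout (RFC 2408 section 3.14), decodes the SPI as a network-byte-order integer instead of text, and deletes the SA by (SPI, peer address) rather than by reqid. The SA database, SPI values and peer addresses are made up for the example, and the text-decode helper is one way the "as if it's a string" misread manifests, not a copy of the original code.

```python
# Added example (not BIG-IP or IKE daemon code): decoding an IKEv1 INVALID-SPI
# notification and deleting the matching IPsec-SA by (SPI, peer address).
import struct
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Optional, Tuple

INVALID_SPI = 11        # ISAKMP notify message type INVALID-SPI (RFC 2408 section 3.14.1)
PROTO_IPSEC_ESP = 3     # IPsec DOI protocol ID for ESP
IPSEC_DOI = 1
# Notification payload header: next payload, reserved, length, DOI,
# protocol ID, SPI size, notify message type (all network byte order).
NOTIFY_HDR = struct.Struct("!BBHIBBH")


@dataclass
class IpsecSA:
    spi: int
    peer: str    # address of the IKE peer that owns the SA
    reqid: int   # selector ID; a different number space from the SPI


def build_invalid_spi_notify(spi: int, proto: int = PROTO_IPSEC_ESP) -> bytes:
    """Constructed INVALID-SPI payload for the example (not a capture); ESP SPIs are 4 bytes."""
    spi_bytes = struct.pack("!I", spi)
    length = NOTIFY_HDR.size + len(spi_bytes)
    return NOTIFY_HDR.pack(0, 0, length, IPSEC_DOI, proto, len(spi_bytes), INVALID_SPI) + spi_bytes


def parse_notify(payload: bytes) -> Tuple[int, int, int]:
    """Return (protocol ID, notify type, SPI); the SPI is a big-endian integer, not text."""
    if len(payload) < NOTIFY_HDR.size:
        raise ValueError("notification payload truncated")
    _, _, length, _doi, proto, spi_size, ntype = NOTIFY_HDR.unpack_from(payload)
    if length > len(payload) or NOTIFY_HDR.size + spi_size > length:
        raise ValueError("SPI size exceeds payload length")
    spi_raw = payload[NOTIFY_HDR.size:NOTIFY_HDR.size + spi_size]
    return proto, ntype, int.from_bytes(spi_raw, "big")


def spi_as_string_bug(payload: bytes) -> str:
    """One form of the faulty decode: SPI bytes read as a C string, so a leading NUL empties it."""
    spi_raw = payload[NOTIFY_HDR.size:NOTIFY_HDR.size + 4]
    return spi_raw.split(b"\x00", 1)[0].decode("latin-1")


class SaDatabase:
    """Toy SA database keyed the way the phase 2 lookup must be: by SPI and peer address."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[int, str], IpsecSA] = {}

    def add(self, sa: IpsecSA) -> None:
        self._sas[(sa.spi, str(ip_address(sa.peer)))] = sa

    def find_by_reqid(self, reqid: int) -> Optional[IpsecSA]:
        """The wrong lookup: passing an SPI value here finds nothing, since reqid is unrelated."""
        return next((sa for sa in self._sas.values() if sa.reqid == reqid), None)

    def delete_for_invalid_spi(self, payload: bytes, peer: str) -> Optional[IpsecSA]:
        """Handle an INVALID-SPI notify from `peer`: remove and return the SA it names, if any."""
        _proto, ntype, spi = parse_notify(payload)
        if ntype != INVALID_SPI:
            return None
        return self._sas.pop((spi, str(ip_address(peer))), None)


if __name__ == "__main__":
    db = SaDatabase()
    db.add(IpsecSA(spi=0x12345678, peer="198.51.100.7", reqid=1))
    notify = build_invalid_spi_notify(0x12345678)
    print("string decode of SPI:", repr(spi_as_string_bug(notify)))
    print("lookup by reqid:", db.find_by_reqid(0x12345678))
    print("deleted:", db.delete_for_invalid_spi(notify, "198.51.100.7"))
```

Requiring the peer address to match, as the fix does, is what stops an INVALID-SPI notification from one peer deleting an SA that happens to share an SPI value with a different peer.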


738397 : SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.

Component: Access Policy Manager

Symptoms:
For a BIG-IP system configured as IdP, in the SAML-IdP-initiated case: If the IdP has a Per-Request policy (in addition to a V1 policy), such that the Per-Request policy has a subroutine or a subroutine macro with a logon page, the system reports access failure on running the policy.

The error logged is similar to the following: '/Common/sso_access:Common:218f759e: Authorization failure: Denied request for SAML resource /Common/saml_resource_obj1&state=000fffff032db022'.

Conditions:
-- BIG-IP system configured as IdP.
-- SAML IdP initiated case in which the following is true:
  + The IdP has a Per-Request policy (in addition to a V1 policy).
  + That Per-Request policy has a subroutine or a subroutine macro with a logon page.

Impact:
Access is denied. The request URI has '&state=<per-flow-id>' appended to the SAML Resource name.

Workaround:
None.

Fix:
The system now checks for additional query parameters in the request_uri while extracting the Resource name, so it is not incorrectly set to 'ResourceName&state=<per-flow-id>', which caused the access failure.


738119 : SIP routing UI does not follow best practices

Component: TMOS

Symptoms:
The SIP routing UI does not follow best practices.

Conditions:
Administrative access to the SIP Profile web UI.

Impact:
Unexpected HTML output.

Workaround:
None.

Fix:
The SIP routing UI now follows best practices.


738070 : Persist value for the RADIUS Framed-IP-Address attribute is not correct

Component: Service Provider

Symptoms:
Using the RADIUS Framed-IP-Address attribute as a persistence value does not work correctly.

Conditions:
Using RADIUS and persisting on the Framed-IP-Address attribute (RADIUS AVP 8).

Impact:
RADIUS requests may not be persisted to the servers they should be.

Workaround:
Use an iRule to persist instead, e.g.:

ltm rule radius-persistence {
    when CLIENT_DATA {
        persist uie [RADIUS::avp 8]
    }
}

Fix:
We now use the correct value for persistence.


738046 : SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby

Component: Local Traffic Manager

Symptoms:
For FastL4 connections, SERVER_CONNECTED currently doesn't fire on the standby device. If the standby device then becomes active, the first packet from the server on an existing FastL4 connection causes SERVER_CONNECTED to fire. Depending on what the iRule does in SERVER_CONNECTED, a variety of results can occur, including TMM coring due to commands being executed in unexpected states.

Conditions:
-- High availability configuration.
-- Mirrored FastL4 virtual server.
-- Attached iRule contains a SERVER_CONNECTED event.

Impact:
SERVER_CONNECTED does not fire when expected on standby device. When the standby device becomes active, the SERVER_CONNECTED iRule may cause TMM to core with traffic being disrupted while TMM restarts.

Workaround:
None.

Fix:
SERVER_CONNECTED now fires when expected on the standby device.


737901 : Management MAC address and host VLAN MAC address are the same on iSeries platforms when in vCMP mode

Component: TMOS

Symptoms:
On iSeries platforms, when a VLAN is attached to a vCMP guest, the management MAC address and the host VLAN MAC address will be the same.

Conditions:
-- Creating a VLAN on the host and attaching it to a vCMP guest.
-- iSeries platforms.

Impact:
The management MAC address is the same as the host VLAN MAC address, so the same MAC is used both for VLAN traffic originating from the vCMP host and for the host's management interface traffic. This can cause problems because traffic for the management port cannot be distinguished from traffic for the traffic ports.

Workaround:
There is no workaround at this time.

Fix:
The management MAC address and Host VLAN MAC address are now different on iSeries platforms, so the system can differentiate traffic as expected.


737900 : mcpd might crash on an unlicensed system

Component: TMOS

Symptoms:
On an unlicensed system with a built-in iRule attached to a virtual server, mcpd might crash.

Conditions:
-- Unlicensed system (including as a result of the service agreement check date validation treating a license as invalid).
-- At least one built-in, system-supplied iRule is attached to a virtual server.
-- mcpd loads from the config files, such as when having just upgraded.

Impact:
On an unlicensed system, mcpd might crash repeatedly.

Workaround:
Perform the following procedure:

1. Reactivate the license on the system from the command-line, following the instructions in K2595: Activating and installing a license file from the command line :: https://support.f5.com/csp/article/K2595.

2. License the system.

Note: Running commands (e.g., tmsh show /sys hardware) on VIPRION systems while mcpd is down might fail or otherwise not work as expected.


737867 : Scheduled reports are being incorrectly displayed in different partitions

Component: Application Visibility and Reporting

Symptoms:
Scheduled analytics reports are being displayed in the list regardless of selected partition. However, you can only open reports belonging to the selected partition, even if they belong to 'Common'.

Conditions:
System configured with multiple partitions.

Impact:
This makes it difficult to modify reports from different partitions.

Workaround:
Switch to the report's partition before editing it.

Fix:
The report's partition is now indicated in the list, and the report is handled according to standard partition rules.


737863 : Advanced Filters for Captured Transactions not working on Multi-Blade Platforms

Component: Application Visibility and Reporting

Symptoms:
On multi-blade systems, when you navigate to System :: Logs : Captured Transactions, click Expand Advanced Filters, choose a filter, and click Update, the GUI reports a 'Could not get captured events' message.

Conditions:
-- Multi-blade systems.
-- AVR provisioned.
-- AVR HTTP Analytics Profile configured with 'Internal Traffic Capturing Logging Type' option enabled.

Impact:
The Captured Transactions filter does not work.

Workaround:
None.

Fix:
The Captured Transactions filter now works as expected.


737758 : MPTCP Passthrough and VIP-on-VIP can lead to TMM core

Component: Local Traffic Manager

Symptoms:
If a FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled, TMM may produce a core upon receiving certain traffic.

Conditions:
A FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with a TCP profile attached that has MPTCP passthrough enabled, and certain traffic is received.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not using an iRule with the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled.

Fix:
If MPTCP passthrough is enabled, the system now processes incoming MPTCP connections coming from the loop device as if MPTCP is disabled.


737726 : If named is restarted and zrd is not restarted, ZoneRunner can lose contact with the DNS server daemon

Component: Global Traffic Manager (DNS)

Symptoms:
ZoneRunner displays the following error message when attempting to list resource records: No route to host.

Conditions:
-- named is restarted outside of the normal start up procedure.
-- zrd is not restarted.

Impact:
ZoneRunner cannot communicate with named, and thus cannot display resource records.

Temporary addresses are created on the loopback interface to facilitate communication between the zrd and named processes. When named is restarted, these temporary addresses are inadvertently removed.

Workaround:
Restart the zrd process using the following command:
bigstart restart zrd

Fix:
The system no longer removes loopback addresses when named is restarted, so this issue no longer occurs.


737529 : [GTM] load or save configs removes backslash \ from GTM pool member name

Component: Global Traffic Manager (DNS)

Symptoms:
GTM config fails to load, and posts an error similar to the following:

Syntax Error:(/config/bigip_gtm.conf at line: 47) the "create" command does not accept wildcard configuration identifiers

Conditions:
GTM server virtual server name contains a backslash (\) character.

Impact:
GTM config fails to load.

Workaround:
Edit bigip_gtm.conf manually and add the \ character.

Important: The system removes the \ (which results in further validation failures) in response to any of the following actions:
-- Load the GTM config.
-- Make changes to the GTM config, and you or the system saves it.
-- cpcfg operation.
-- Upgrade the system.


737500 : Apply Policy and Upgrade time degradation when there are previous enforced rules

Component: Application Security Manager

Symptoms:
When previously enforced rules are present in the system, the time to apply changes made to a policy and the time to upgrade the configuration to a new version both suffer.

Conditions:
-- Signature Staging is enabled.
-- Updated Signature Enforcement is set to 'Retain previous rule enforcement and place updated rule in staging'.
-- Signatures are enforced on a policy.
-- A new ASM Signature Update is installed, which modifies the matching rule for some enforced signatures.

Impact:
The time to apply changes made to a policy, and the time to upgrade the configuration to a new version, suffer from an inefficient query related to the existence of previously enforced rules.

Workaround:
There is no workaround at this time.

Fix:
Query indexing and performance is fixed: Apply Policy executes in the same time whether there are previously enforced rules in the system or not.

Enforcing all signatures in a set now correctly removes the previously enforced rule from the signature.


737498 : sticky_id in fingerprint cookie sometimes contains large value

Component: Fraud Protection Services

Symptoms:
The fingerprint cookie contains a large value. Intermittently, when the cookie is not in sync, the fingerprint cookie might contain more than 13 characters.

Conditions:
The cookie is not in sync.

Impact:
Fingerprint cookie contains a value larger than the expected 13 characters.

Workaround:
None.

Fix:
The fingerprint cookie now always contains 13 characters.


737445 : Use of TCP Verified Accept can disable server-side flow control

Component: Local Traffic Manager

Symptoms:
Unexpectedly high memory usage, aggressive sweeper messages, TCP memory pressure messages in logs.

Conditions:
Verified Accept is enabled in TCP profiles that are associated with virtual servers.

Impact:
Excessive memory usage.

Workaround:
There is no workaround other than disabling Verified Accept.

Fix:
Fixed server-side flow control.


737442 : Error in APM Hosted Content when set to public access

Component: Access Policy Manager

Symptoms:
Error when rendering APM Hosted content when set to public access.

Conditions:
-- APM enabled.
-- Hosted content enabled.
-- Hosted content set to public access.

Impact:
Unexpected HTML output in webtop pages.

Workaround:
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    if {[HTTP::uri] starts_with "/vdesk/resource_info_v2.xml?" && [URI::decode [HTTP::query]] contains "<"} {
        HTTP::uri [HTTP::path]
    }
}

Fix:
None.


737437 : IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages

Component: TMOS

Symptoms:
The BIG-IP system might fail to re-establish an IKEv1 phase 1 security association (ISAKMP-SA) when the Initiator starts the exchange using UDP port 4500. The exchange progresses to the point of NAT detection, whereupon the BIG-IP system stops using the Non-ESP marker and sends malformed ISAKMP messages.

Conditions:
All of the following must be true:
-- The BIG-IP system is an IKEv1 Responder.
-- ISAKMP phase 1 negotiation starts on UDP port 4500.
-- NAT is detected on only one side during the phase 1 exchange.

Impact:
-- Establishment of an ISAKMP-SA will fail until the peer device switches to UDP port 500.
-- The remote peer may send INVALID-SPI messages quoting SPI numbers that do not exist.

Workaround:
To help work around this issue, you can try the following:
-- Make sure the BIG-IP system is always the Initiator.
-- Bypass NAT.
-- Configure both the BIG-IP system and remote peer to use address IDs that are not the same as the IP addresses used in the ISAKMP exchange, thus causing the BIG-IP system to think there is NAT on both sides.

Fix:
The BIG-IP system now keeps the Non-ESP marker when NAT is detected.


737397 : User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP

Component: TMOS

Symptoms:
Unable to archive certificates or keys using GUI and iControlSOAP.

Conditions:
When the user is in Certificate Manager role.

Impact:
Unable to backup certificates or keys.

Workaround:
A user in the Certificate Manager role is still able to export the key and see its PEM string, so you can manually create an archive file by copying the PEM string into a file.


737374 : local-db PEM Subscriber Activity log missing

Component: Policy Enforcement Manager

Symptoms:
PEM subscriber activity log is empty when published to local database.

Conditions:
-- PEM subscriber activity log is configured.
-- The endpoint is local-db.

Impact:
Missing activity logs for external server.

Workaround:
Configure the destination as local-syslog publisher.

Fix:
PEM Subscriber Activity log is now populated.


737368 : Fingerprint cookie large value may result in tmm core.

Component: Fraud Protection Services

Symptoms:
The JavaScript component calculates part of the fingerprint cookie value. In some rare cases, large values are generated and may result in tmm core.

Conditions:
A large value (more than 35 characters) inside the fingerprint cookie.

Impact:
Memory overrun, tmm core in some cases.

Workaround:
N/A

Fix:
FPS will check the value and truncate it if it exceeds the maximum length.


737355 : HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files

Component: Access Policy Manager

Symptoms:
HTTP Strict-Transport-Security (HSTS) headers are missing for some APM-generated files.

Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS enabled.
-- HTTP GET requests for APM renderer files, including CSS, JS, and image files from the webtop.

Impact:
Without these headers, the user agent (browser) may switch to non-secure communication.

Workaround:
None.

Fix:
When the HTTP profile is configured with HSTS enabled, all APM renderer files are now sent with HSTS headers.


737332 : It is possible for DNSX to serve partial zone information for a short period of time

Component: Global Traffic Manager (DNS)

Symptoms:
During zone transfers into DNS Express, partial zone data may be available until the transfer completes.

Conditions:
-- Two zones being transferred during the same time period
  + zone1.example.net
  + zone2.example.net

-- Transfer of zone1 has started, but not finished.

-- zone2 starts a transfer and finishes before zone1 finishes, meaning that the database might be updated with all of the zone2 data, and only part of the zone1 data.

Impact:
Partial zone data will be served, including possible NXDOMAIN or NODATA messages. This happens until zone1 finishes and saves to the database, at which time both zones' data will be complete and correct.

Workaround:
The workaround is to limit the number of concurrent transfers to 1. However, this severely limits the ability of DNS Express to update zones in a timely fashion if there are many zones and many updates.

Fix:
All zone transfers are now staged until they are complete. The zone transfer data is then saved to the database. Only when the zone data has completed updating to the database will the data be available to queries.
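The interleaving described above, replayed in a small Python model as an added example (not DNS Express code): the unstaged transfer writes records into the live data as they arrive, while the staged transfer saves the zone only when complete. The database class, the zone names and the record data are constructed for the example, and the pre-fix "reset the zone, then write incrementally" behaviour is an assumption made to reproduce the partial-zone symptom.

```python
from typing import Dict, Tuple

# A zone's record set for this example: owner name -> constructed A record rdata.
Zone = Dict[str, str]


class ZoneDatabase:
    """Tiny stand-in for the DNS Express database: one record set per zone."""

    def __init__(self) -> None:
        self._zones: Dict[str, Zone] = {}

    def replace_zone(self, zone: str, records: Zone) -> None:
        """Save a complete record set for a zone in one step."""
        self._zones[zone] = dict(records)

    def set_record(self, zone: str, name: str, rdata: str) -> None:
        """Write a single record straight into the live zone data."""
        self._zones.setdefault(zone, {})[name] = rdata

    def lookup(self, zone: str, name: str) -> str:
        """Answer as a resolver would see it: rdata, or NXDOMAIN when the name
        is absent from whatever zone data is currently live."""
        records = self._zones.get(zone)
        if records is None:
            return "SERVFAIL"          # zone not present at all
        return records.get(name, "NXDOMAIN")


class UnstagedTransfer:
    """Pre-fix behaviour (assumed model): the zone is reset when the transfer
    starts and each record is written to the live database as it arrives, so a
    query during the transfer sees a partial zone."""

    def __init__(self, db: ZoneDatabase, zone: str) -> None:
        self.db, self.zone = db, zone
        db.replace_zone(zone, {})

    def add(self, name: str, rdata: str) -> None:
        self.db.set_record(self.zone, name, rdata)

    def finish(self) -> None:
        pass                           # nothing left to do; data is already live


class StagedTransfer:
    """Fixed behaviour: records accumulate in a staging area and are saved to
    the database in one step only once the transfer is complete, so queries
    keep seeing the previous complete copy of the zone until then."""

    def __init__(self, db: ZoneDatabase, zone: str) -> None:
        self.db, self.zone = db, zone
        self.staged: Zone = {}

    def add(self, name: str, rdata: str) -> None:
        self.staged[name] = rdata

    def finish(self) -> None:
        self.db.replace_zone(self.zone, self.staged)


def run_scenario(transfer_cls) -> Tuple[str, str]:
    """Replay the interleaving from the issue: zone1's transfer starts, zone2's
    transfer starts and finishes, a query for a zone1 name arrives, and only
    then does zone1 finish. Returns (answer during zone1's transfer, answer
    after it completes)."""
    db = ZoneDatabase()
    # Both zones were loaded completely once before (constructed initial data).
    db.replace_zone("zone1.example.net", {"www": "192.0.2.10", "mail": "192.0.2.20"})
    db.replace_zone("zone2.example.net", {"www": "198.51.100.10"})

    zone1 = transfer_cls(db, "zone1.example.net")
    zone1.add("www", "192.0.2.11")                    # first part of zone1 arrives
    zone2 = transfer_cls(db, "zone2.example.net")
    zone2.add("www", "198.51.100.11")
    zone2.finish()                                    # zone2 completes first
    during = db.lookup("zone1.example.net", "mail")   # zone1 still in flight
    zone1.add("mail", "192.0.2.21")
    zone1.finish()
    after = db.lookup("zone1.example.net", "mail")
    return during, after


if __name__ == "__main__":
    print(run_scenario(UnstagedTransfer))   # ('NXDOMAIN', '192.0.2.21')
    print(run_scenario(StagedTransfer))     # ('192.0.2.20', '192.0.2.21')
```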


737147 : Key creation on Thales fails with thales 12.40 on tmm interface

Component: Local Traffic Manager

Symptoms:
Key creation fails for Thales 12.40 installed on the tmm interface on the BIG-IP system.

Conditions:
This occurs when creating keys using tmsh on Thales 12.40 via the tmm interface on the BIG-IP system.

Impact:
You cannot create any keys/certs on Thales.

Workaround:
No workaround.

Fix:
This release includes a fix for the intermittent key creation failure on Thales 12.40.


737064 : ACCESS::session iRule commands may not work in serverside events

Component: Access Policy Manager

Symptoms:
-- 'ACCESS::session sid' returns an empty value.
-- 'ACCESS::session data get <varname>' returns an empty value.

Conditions:
-- Using IP-based sessions.
-- ACCESS::session iRule commands in a serverside iRule event, such as HTTP_PROXY_CONNECT.
-- Using SSL Bypass. Note: This issue is known to occur when using SSL Bypass, but this is not the only configuration that exhibits the problem.

Impact:
iRules may not work as expected.

Workaround:
There is no workaround at this time.

Fix:
The ACCESS::session iRules now work in serverside events when doing IP-based sessions.


737055 : Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy

Component: TMOS

Symptoms:
When the BIG-IP management interface is accessed through a Reverse Proxy, you cannot log in to the Configuration Utility. Instead, the system presents a blank page, because the Referer header contains the Reverse Proxy IP/hostname instead of that of the BIG-IP system.

Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.

Impact:
You are unable to log in to the Configuration Utility.

Workaround:
Configure the Reverse Proxy to place the IP address of the BIG-IP system in the Referer header.


735565 : BGP neighbor peer-group config element not persisting

Component: TMOS

Symptoms:
The neighbor peer-group configuration element does not persist after restart.

Conditions:
-- Dynamic routing enabled.
-- BGP neighbor configured with a peer-group.
-- BIG-IP or tmrouted daemon restart.

Impact:
BGP peer-group configuration elements do not persist.

Workaround:
Reconfigure the BGP neighbor peer-group after restart.

Fix:
BGP neighbor peer-group configuration is now properly saved to the configuration, and persists after restart.


734846 : Redirection to logon summary page does not occur after session timeout

Component: TMOS

Symptoms:
After a BIG-IP Administrator user session times out, the user is not automatically redirected to the logon summary page, despite being configured to do so.

Conditions:
-- The BIG-IP system is configured to redirect to the logon summary page immediately after logging in, using the following db variable:
ui.users.redirectsuperuserstoauthsummary = true

-- The BIG-IP Administrator users' session automatically times out.

Impact:
The system does not comply with government security requirements that BIG-IP Administrator users be sent automatically to the logon summary. BIG-IP Administrator users must manually navigate to the logon summary page.

Workaround:
Manually navigate to the logon summary page.


734822 : TMSH improvements

Solution Article: K77313277


734762 : Automatic policy learning is slower when there are thousands of policies

Component: Application Security Manager

Symptoms:
Policy learning takes longer than previous versions when there are thousands of policies.

Conditions:
-- Specific load over thousands of policies.
-- Automatic policy building.
-- Requests do not have violations.

Impact:
It takes longer for the system to learn all the policies.

Workaround:
To work around this, set the following variable to 100:

pb_sampling_high_cpu_load

Note: The default is 10, which gets 10 sampled requests. Setting the value to 100 impacts performance.

(Note: The parameter name is misleading, as the variable does not relate to CPU load.)

Fix:
The issue is mitigated in this release. Policies are learned more slowly in 14.0.x and later on systems with a high load of legal traffic and many policies.

What took an hour to learn in previous versions might take several hours. You can use the internal parameter, pb_sampling_high_cpu_load, to adjust this.

(Note: The parameter name is misleading, as the variable does not relate to CPU load.)


734718 : Users may get blocked on Web Scraping or CAPTCHA

Component: Application Security Manager

Symptoms:
Some users may get falsely blocked under the Web Scraping violation. Similarly, some users may fail to pass the CAPTCHA challenge when triggered by Brute Force Mitigation, DoSL7 Mitigation, or Proactive Bot Defense.

Conditions:
Either:
- Web Scraping is enabled with Bot Detection set to alarm or to block (13.1.x/14.0.x).
- CAPTCHA mitigation is in use due to another suspicious activity, triggered by Brute Force Mitigation, DoSL7 Mitigation, or Proactive Bot Defense (14.0.x).

Impact:
Some legitimate users may get blocked.

Workaround:
Running the following commands may prevent these users from being blocked:

-- /usr/share/ts/bin/add_del_internal add ws_cshui_susp_event_bot_score 0
-- bigstart restart asm

This disables one of the tests that cause the false positive.

Fix:
Fixed false detection of some users as bots causing them to be blocked by Web Scraping or CAPTCHA.


734694 : HTTP monitors fail to be persisted if Alias Address includes a route domain

Component: TMOS

Symptoms:
HTTP monitors fail to be persisted.

Conditions:
-- The monitor is of HTTP type.
-- Its Alias Address includes a route domain.

Impact:
Saving the monitor returns an 'Invalid IP' error message.

Workaround:
Use tmsh to create and update an HTTP monitor whose address includes a route domain.

Fix:
HTTP monitors with an Alias Address that includes a route domain are persisted as expected.


734692 : Incorrect prefix of ICMP error messages in NAT64

Component: Local Traffic Manager

Symptoms:
When ICMPv4 error messages are returned for NAT64 connections, the source address of the ICMPv6-translated error message uses ::ffff as the IPv6 prefix, creating an IPv4-mapped IPv6 address.

Conditions:
-- NAT64 enabled.
-- ICMPv4 error messages are returned from IPv4 hosts and routers.

Impact:
The ICMP error messages cannot be routed to the client and are dropped by intermediate routers. This can prevent clients from properly detecting errors such as unreachable hosts and networks. This causes failures in utilities such as ping and traceroute.

Workaround:
There is no workaround at this time.

Fix:
ICMPv4 error messages are now correctly translated to ICMPv6.
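The address translation at the heart of this issue, as an added example in Python (not BIG-IP code): the buggy path embeds the IPv4 router's address under ::ffff:0:0/96 (an IPv4-mapped address), the fixed path embeds it in the NAT64 prefix per RFC 6052. The sample IPv4 addresses and the 2001:db8:64::/96 prefix are constructed for the example.

```python
import ipaddress

# Well-known NAT64 prefix from RFC 6052; a deployment may configure its own /96.
NAT64_PREFIX = "64:ff9b::/96"
# IPv4-mapped prefix (RFC 4291 section 2.5.5.2). Addresses under it exist for
# dual-stack socket APIs and are not legitimate sources on the IPv6 wire.
IPV4_MAPPED_PREFIX = "::ffff:0:0/96"


def embed_ipv4(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """RFC 6052 embedding for a /96 prefix: the prefix bits followed by the
    32-bit IPv4 address in the low-order bits."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example handles /96 NAT64 prefixes only")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(addr: ipaddress.IPv6Address, prefix: str) -> str:
    """Reverse mapping the client side performs: recover the IPv4 address from
    a NAT64-embedded IPv6 address. Raises if the address is not under prefix."""
    net = ipaddress.IPv6Network(prefix)
    if addr not in net:
        raise ValueError(f"{addr} is not within {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def buggy_icmp_error_source(ipv4_src: str) -> ipaddress.IPv6Address:
    """The defect described above: ::ffff was used as the prefix, so the
    translated ICMPv6 error carried an IPv4-mapped source address."""
    return embed_ipv4(IPV4_MAPPED_PREFIX, ipv4_src)


def fixed_icmp_error_source(ipv4_src: str, prefix: str = NAT64_PREFIX) -> ipaddress.IPv6Address:
    """Fixed behaviour: embed the IPv4 router's address in the NAT64 prefix the
    client already routes through, as RFC 6052 specifies."""
    return embed_ipv4(prefix, ipv4_src)


def is_valid_wire_source(addr: ipaddress.IPv6Address) -> bool:
    """Reject sources an intermediate router or client would drop: IPv4-mapped,
    unspecified and loopback addresses never belong in an on-the-wire source."""
    return addr.ipv4_mapped is None and not addr.is_unspecified and not addr.is_loopback


def translate_icmpv4_error_source(ipv4_src: str, prefix: str = NAT64_PREFIX) -> dict:
    """What a translator needs for the outer IPv6 header of the ICMPv6 error:
    the chosen source, whether it would survive the IPv6 path, and the IPv4
    address the client can recover from it."""
    src = fixed_icmp_error_source(ipv4_src, prefix)
    return {
        "src": str(src),
        "routable": is_valid_wire_source(src),
        "recovered_ipv4": extract_ipv4(src, prefix),
    }


if __name__ == "__main__":
    # Constructed IPv4 router address that originated a "host unreachable".
    print(buggy_icmp_error_source("192.0.2.1"), is_valid_wire_source(buggy_icmp_error_source("192.0.2.1")))
    print(translate_icmpv4_error_source("192.0.2.1"))
```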


734645 : AFM TCP Half Open vector might show mitigation when that is not happening

Component: Advanced Firewall Manager

Symptoms:
In AFM, it is possible that the device-level TCP Half Open vector will show int_drops when actually LTM per-vlan syncookie is mitigating the attack.

Conditions:
When AFM is enabled and LTM per-vlan syncookie is doing HW syncookies.

Impact:
Stats could be misleading.

Workaround:
You can turn off the AFM TCP Half Open vector.

Fix:
The system now shows TCP Half Open stats only when it is actually mitigating through the TCP Half Open vector.


734595 : sp-connector is not being deleted together with profile

Component: Access Policy Manager

Symptoms:
If a profile is connected to an SSO SAML IdP configuration with an SP connector, the sp-connector is not available for delete when the profile is deleted.

Conditions:
-- Profile is connected to an SSO SAML IdP configuration with an SP connector.
-- Deleting the profile and attempting to delete the sp-connector.

Impact:
The SP connector is not listed for delete when the profile is deleted.

Workaround:
To delete the SP connector, run the following command:
tmsh delete apm sso saml-sp-connector NAME

Fix:
SP connectors are now available for delete when profile is deleted.


734544 : Break the API protection profile into multiple profiles when the OpenAPI specification file contains a large number of paths (e.g., 12k)

Component: Access Policy Manager

Symptoms:
Restjavad runs out of heap and reports an out-of-memory exception while parsing a large number of paths in the OpenAPI specification file.

Conditions:
A large number of paths (e.g., 12 KB) in the OpenAPI Specification File.

Impact:
Cannot upload an OpenAPI specification file with a large number of paths; restjavad reports an out-of-memory exception.

Workaround:
Break the specification file into multiple files, and create multiple profiles.

Fix:
Break the OpenAPI specification file into multiple files, and create multiple profiles.


734539 : The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads

Component: TMOS

Symptoms:
When an IKEv1 peer sends an INVALID-SPI payload, and the BIG-IP system cannot find the phase-two Security Association (SA) for that SPI but can find the phase-one SA involved, the racoon daemon may crash if additional INVALID-SPI payloads arrive afterward.

Conditions:
-- An INVALID-SPI notification is received.
-- That phase-two SA is already gone.
-- The phase-one parent SA is still around.
-- Subsequent notification INVALID-SPI payloads involve the same phase-one SA.

Impact:
The v1 racoon daemon cores, interrupting traffic until new tunnels can be established after racoon restarts.

Workaround:
There is no workaround at this time.

Fix:
The system no longer destroys the parent phase-one SA when an INVALID-SPI notification cannot find the target phase-two SA, so this issue does not occur.


734527 : BGP 'capability graceful-restart' for peer-group not properly advertised when configured

Component: TMOS

Symptoms:
A BGP neighbor uses a peer-group with 'capability graceful-restart' enabled (which is the default). However, on the system, the peer-group setting defaults to disabled. Because there is no config statement to enable 'capability graceful-restart' after restart, it is turned off after config load, which also turns it off for any BGP neighbor using that peer-group.

Conditions:
- Neighbor configured to use peer-group.
- Peer-group configured with capability graceful-restart, but with the default: disabled.

Impact:
Because peer-group is set to disable by default, and there is no operation to enable it after restart, 'capability graceful-restart' gets turned off after config load, and neighbors using it from peer-group get turned off as well.

Workaround:
Re-issue the commands to set peer-group 'capability graceful-restart' and 'clear ip bgp *' to reset BGP neighbors.

Fix:
The peer-group now has 'capability graceful-restart' enabled by default, so this issue no longer occurs.

Behavior Change:
In this release, peer-group has 'capability graceful-restart' enabled by default.


734452 : Standby device goes active during UCS restore after default config is loaded and a serial cable is used for failover

Component: TMOS

Symptoms:
Standby device goes active during UCS restore after default config is loaded.

Conditions:
High-availability-configured BIG-IP devices that use a serial cable for failover. On the standby device:

-- The default config is loaded.
-- A UCS is subsequently loaded.

Impact:
Traffic erroneously fails over to the BIG-IP device that has the UCS loaded. Traffic subsequently fails back to the original BIG-IP device after the device that erroneously went Active senses the serial cable being asserted from the other device.

Workaround:
There is no workaround.


734446 : TMM crash after changing LSN pool mode from PBA to NAPT

Component: Carrier-Grade NAT

Symptoms:
TMM crashes after changing LSN pool mode from PBA to NAPT when long lived connections are killed due to the PBA block lifetime and zombie timeout expiring.

Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set and long lived connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.

The PBA pool can be deleted after the virtual servers are no longer using it.

Fix:
TMM no longer crashes after changing LSN pool mode from PBA to NAPT.


734316 : Per-Request Policy may require enabling SSL Forward Proxy Bypass

Component: Access Policy Manager

Symptoms:
For some SSL/TLS traffic, the per-request policy does not complete, leading to hanging connections and/or connection resets.

Conditions:
Reproducible with any forward proxy configuration involving per-request policies. This includes Secure Web Gateway (SWG) and SSL Orchestrator (SSLO).

To reproduce, the SSL Forward Proxy Bypass feature must be disabled in the client and server SSL profiles. This is equivalent to 'always intercept'.

Impact:
Policy execution may stall. Clients may experience hanging connections and/or connection resets.

Workaround:
Perform the following procedure:
1. Enable the SSL Forward Proxy Bypass feature in the client and server SSL profiles.
2. Set the default action to 'Intercept'.

Fix:
Policy execution for per-request policies in SWG and SSLO use cases now works properly when SSL Forward Proxy Bypass is not enabled.


734276 : TMM may leak memory when SSL certificates with VDI or EAM in use

Component: Local Traffic Manager

Symptoms:
TMM 'method' memory usage grows over time when VDI and serverssl *or* EAM and clientssl are configured on the same VIP.

Conditions:
One or both of the following:

-- VDI and serverssl are configured on the same VIP
-- EAM and clientssl are configured on the same VIP

Impact:
TMM memory usage grows over time leading to eventual performance degradation and potential traffic outage if TMM cores.

Workaround:
No workaround short of not using these combinations of features.

Fix:
TMM no longer leaks memory when VDI and serverssl *or* EAM and clientssl are configured together on the same VIP.


733585 : Merged can use 100% of CPU if all stats snapshot files are in the future

Component: TMOS

Symptoms:
Merged uses 100% of CPU if it cannot remove the oldest snapshot file, due to all snapshot files having timestamps in the future.

Conditions:
-- All stats snapshot files have timestamps in the future.
-- The release includes the fix for issue 721740, but not this issue.

Impact:
Merged uses 100% of the CPU.

Workaround:
Remove snapshot stats files that have timestamps in the future and restart merged.

Fix:
Correctly exit cleanup logic when all stats snapshot files have timestamps in the future.


727467 : Some iSeries appliances can experience traffic disruption when the HA peer is upgraded from 12.1.3 and earlier to 13.1.0 or later.

Component: TMOS

Symptoms:
-- CPU core 0 can be seen utilizing 100% CPU.
-- Other even cores may show a 40% increase in CPU usage.
-- Pool monitors are seen flapping in /var/log/ltm.
-- System posts the following messages:
   + In /var/log/ltm:
     - err tmm4[21025]: 01340004:3: HA Connection detected dissimilar peer: local npgs 1, remote npgs 1, local npus 8, remote npus 8, local pg 0, remote pg 0, local pu 4, remote pu 0. Connection will be aborted.
   + In /var/log/tmm:
     - notice DAGLIB: Invalid table size 12
     - notice DAG: Failed to consume DAG data

Conditions:
-- Active unit on a pre-12.1.3.1 release.
-- Standby peer upgraded to a 13.1.0 or later release.
-- Device is an iSeries device (i5600 or later).

Important: This issue may also affect iSeries HA peers on the same software version if the devices do not share the same model number.

Note: Although this also occurs when upgrading to 12.1.3.8 and 13.0.x, the issue is not as severe.

Impact:
- High CPU usage.
- Traffic disruption.

Workaround:
Minimize impact on affected active devices by keeping the upgraded post-13.1.0 unit offline as long as possible before going directly to Active.

For example, on a 12.1.3 unit to be upgraded (pre-upgrade):
-- Run the following command: tmsh run sys failover offline persist
-- Run the following command: tmsh save sys config
-- Upgrade to 13.1.0.8.
-- Unit comes back up on 13.1.0.8 as 'Forced Offline' and does not communicate with the active unit running 12.1.3 at all.
-- Set up HA group and make sure the 12.1.3 Active unit's HA score is lower than 13.1.0.8.
-- To cause the 13.1.0.8 unit to go directly to Active and take over traffic, run the following command on the unit running 13.1.0.8:
tmsh run sys failover online

At this point, the 12.1.3 unit starts to show symptoms of this issue; however, because it is no longer processing traffic, there is no cause for concern.

Fix:
This release introduces a new bigdb variable DAG.OverrideTableSize. To prevent the issue on an upgraded post-13.1.0 unit, set DAG.OverrideTableSize to 3.

In order to return the system to typical CPU usage, you must set the db variable, and then restart tmm by running the following command:
bigstart restart tmm

(Restarting tmm is required for 13.1.1.2 and newer 13.1.1.x releases.)

Note: Because the restart is occurring on the Standby unit, no traffic is disrupted while tmm restarts.


727322 : Exporting profile/policy with pools from Common and importing to non-Common partitions might not work

Component: Access Policy Manager

Symptoms:
Exporting profile/policy with pools from the Common partition and importing to non-Common partitions might result in an error.

Conditions:
-- Profile/policy is in Common partition and has either:
  + A pool assigned to it directly via pool assign.
  + Uses an object that itself uses a pool (e.g., an Active Directory server that has a pool configured).
-- Importing to a non-Common partition configured with a Route Domain ID other than 0.

Impact:
Import operation does not complete. Cannot import profile/policy.

Workaround:
None.

Fix:
A %0 route-domain suffix is now added to IP addresses, so that when the policy is exported it explicitly refers to route domain 0. This allows correct export and import of the profile/policy.


727297 : GUI TACACS+ remote server list should accept hostname

Component: TMOS

Symptoms:
Cannot add hostnames to the Remote - TACACS+ server list in the GUI.

Conditions:
-- On the System :: Users : Authentication page with Remote - TACACS+ specified.
-- Add hostname to the server list.

Impact:
Validation does not accept a hostname. Cannot add hostname as a server.

Workaround:
Use tmsh to add a hostname.

Fix:
The system now allows hostname to be added with proper validation in this case.


727292 : SSL in proxy shutdown case does not deliver server TCP FIN

Component: Local Traffic Manager

Symptoms:
Connection is not torn down.

Conditions:
The HTTPS server disconnects the connection during the handshake.

Impact:
Potential resource exhaustion.

Workaround:
You can mitigate this condition in either of the following ways:

-- Wait for system to clean up lingering connections.

-- Use tmsh to clean up connections. (Note: Sometimes this might not work as expected depending on conditions.)

Fix:
The SSL server side now handles this error situation by sending out all remaining egress data and then sending a shutdown signal to the lower filters, so the connection is torn down.


727288-1 : Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC

Component: Service Provider

Symptoms:
Diameter message routing framework sends Capabilities-Exchange-Request (CER)/Device-Watchdog-Request (DWR) with hop-by-hop (h2h) ID and end-to-end (e2e) ID set to 0 as the server.

Conditions:
Diameter Message Routing Framework (MRF) in use.

Impact:
The BIG-IP system sends CER and DWR to remote peers.
However, the BIG-IP system sends e2e=0 and h2h=0 as the server ID in the CER and DWR requests. This does not comply with RFC 6733 (https://tools.ietf.org/html/rfc6733).

Workaround:
Use a DIAMETER_EGRESS iRule event to change the hop-by-hop ID and end-to-end ID.


727222 : 206 Partial Content responses from ramcache have malformed Content-Range header

Component: Local Traffic Manager

Symptoms:
When ramcache serves a 206 Partial Content response from cache, the Content-Range header repeats the name:

  Content-Range: Content-Range: bytes 0-5/28

Conditions:
Request from client for partial document (Range header) against a virtual server with a web-acceleration profile having no applications (ramcache), where the requested document is present in ramcache.

Impact:
The client may mishandle the response, as the Content-Range header is malformed. This may cause additional traffic as the client may retrieve the entire document in a subsequent request due to the malformed response.

Workaround:
Remove the duplicate portion of the Content-Range header using an iRule at HTTP_RESPONSE_RELEASE time.
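One way to implement the workaround above, written here as an added example and not code from the release note or from F5: an iRule that, at HTTP_RESPONSE_RELEASE time, detects the duplicated header name in the Content-Range value of a 206 response and replaces the header with the remainder after the first "Content-Range:" prefix. It assumes the malformed value has exactly the shape shown in Symptoms (the header name repeated once at the start of the value); any other value is left untouched.

```tcl
# Added example (not part of the F5 release note): repair the Content-Range
# header that ramcache emits with a duplicated name on 206 responses.
# Assumes the malformed value looks like "Content-Range: bytes 0-5/28".
when HTTP_RESPONSE_RELEASE {
    # Only 206 Partial Content responses carrying Content-Range are affected.
    if { [HTTP::status] == 206 && [HTTP::header exists "Content-Range"] } {
        set cr [HTTP::header value "Content-Range"]
        # Case-insensitive check for the repeated header name at the start
        # of the value ("content-range:" is 14 characters).
        if { [string tolower $cr] starts_with "content-range:" } {
            set fixed [string trim [string range $cr 14 end]]
            # Replace the whole header with the well-formed value so the
            # client sees "Content-Range: bytes 0-5/28".
            HTTP::header replace "Content-Range" $fixed
            log local0.info "Repaired malformed Content-Range: '$cr' -> '$fixed'"
        }
    }
}
```

Attach the iRule to the virtual server that carries the web-acceleration profile. The log line is useful for confirming how often the malformed header is actually being served before the fixed release is installed; remove it once the upgrade is done.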

Fix:
The Content-Range header is now correctly formed for 206 Partial Content responses served from ramcache.


727212 : Subscriber-id query using full length IPv6 address fails.

Component: Carrier-Grade NAT

Symptoms:
FW NAT / CGNAT modules query the subscriber ID using IPv6 address. If the query is done using the IPv6 mask, under some circumstances the query fails.

Conditions:
The network is using an IPv6 mask other than 128. Subscribers are created using the masked IP address as the key. If the NAT module uses the complete IP address as the query key, the subscriber is not found.

Impact:
Logs contain UNKNOWN subscriber-id.

Workaround:
There is no workaround at this time.

Fix:
Subscriber ID queries using an IPv6 address now return the subscriber-id.


727044 : TMM may crash while processing compressed data

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing compressed data.

Conditions:
-- Compression enabled.
-- Hardware compression disabled.

Impact:
TMM crash leading to a failover event.

Workaround:
No workaround.

Fix:
TMM now correctly processes compressed traffic.


726935 : Device management and GUI can be configured using different crt/key

Component: TMOS

Symptoms:
Device management and the GUI use different crt/key files: the "Device Certificates : Device Certificate ›› Device Certificate" page displays a different certificate than the one the GUI uses.

Conditions:
The default httpd crt/key file locations have been modified using the tmsh command:
  tmsh modify sys httpd ssl-certkeyfile /config/httpd/conf/ssl.key/new-server.key ssl-certfile /config/httpd/conf/ssl.crt/new-server.crt

Impact:
"Device Certificates : Device Certificate ›› Device Certificate" will not display the correct certificate.

Workaround:
Keep the sys httpd ssl-* settings pointing at the default locations:
tmsh modify sys httpd ssl-certkeyfile /config/httpd/conf/ssl.key/server.key ssl-certfile /config/httpd/conf/ssl.crt/server.crt

Fix:
The GUI now allows you to configure a device certificate and device key that point to a non-default cert/key file location.
Default cert/key file locations are:
/config/httpd/conf/ssl.crt/server.crt
/config/httpd/conf/ssl.key/server.key


726872 : iApp LX directory disappears after upgrade or restoring from UCS

Component: iApp Technology

Symptoms:
After a BIG-IP version upgrade or a restore from UCS, the iApps/Application Services/Applications LX screen displays instances of iApps LX, but their UI is not functional. This is caused by a software defect that causes the iApp LX directory to disappear from /var/config/rest/iapps.

Conditions:
This issue can only happen during the initial start after a BIG-IP version upgrade or a restore from UCS. The more iApps LX instances there are and the more configuration they use, the more likely this issue is to happen. We observed this issue with 90+ instances of the f5-ddos-hybrid-defender iApp LX.

Impact:
The iApp LX code is removed from the system because of the defect, which makes the iApp LX UI unusable. The configuration deployed by the iApp LX instances remains in effect. The iApp LX configuration data remains intact, and the UI can be completely restored after manual installation of the iApp LX code.

Workaround:
1. Copy iAppLX code from an unaffected BIG-IP to the BIG-IP impacted by this defect. For example,
/var/config/rest/iapps/f5-ddos-hybrid-defender.
2. Create a symlink to UI code for UI to work. For example,
ln -sfvn /var/config/rest/iapps/f5-ddos-hybrid-defender/presentation /var/iapps/www/f5-ddos-hybrid-defender
3. Restart restjavad:
bigstart restart restjavad
4. Restart restnoded:
bigstart restart restnoded

Fix:
The issue should not happen when upgrading to the BIG-IP version with the fix or restoring from UCS on the BIG-IP version with the fix.


726852 : AVR inject CSPM event when there is no analytics profile on the virtual server

Component: Application Visibility and Reporting

Symptoms:
When there is a request for page load time in the analytics profile, and changes to the configuration remove the analytics profile, AVR will continue to inject the Client Side Performance Monitoring (CSPM) cookie.

Conditions:
-- Request for page-load-time statistic.
-- The analytics profile has been removed from the virtual server.

Impact:
Page-load-time cookie is injected when it should not be.

Workaround:
Uncheck the page-load-time checkbox before removing the profile from the virtual server.

Fix:
AVR now injects the CSPM cookie only when it is needed.


726734 : DAGv2 port lookup stringent may fail

Component: Local Traffic Manager

Symptoms:
Under certain circumstances tmm might not be able to find a local port, and the connection may fail. This happens, for example, for active FTP with mirroring enabled.

Conditions:
Active FTP with mirroring enabled.

Impact:
Connection cannot get established.

Workaround:
There is no workaround other than to disable mirroring.

Fix:
TMM is now always able to find a local port.


726665 : tmm core dump due to SEGFAULT

Component: Policy Enforcement Manager

Symptoms:
tmm core dump due to SEGFAULT.

Conditions:
System under load in network. Other conditions required to recreate this are unknown, but indicated a potential memory-handling issue.

Impact:
The blade reboots resulting in failover. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The apparent memory-handling issue leading to the SEGFAULT has been corrected, so the tmm core and failover no longer occur.


726622 : Entropy start-up sentinel file is not cleared on successful start

Component: TMOS

Symptoms:
When the entropy start-up fails, a file is created that will prevent a reboot loop. However, if the entropy start-up succeeds, the file remains.

Conditions:
Entropy start-up fails and then succeeds.

Impact:
The entropy start-up sentinel file is not cleared as it should be. If an entropy failure happens again, then all subsequent rebooting for a failed entropy is disabled. Should the entropy succeed and then later fail, the reboot to handle the failed entropy start-up will not happen.

Workaround:
User can manually remove the start-up failure sentinel file using the following command:
/bin/rm -f /.entropy_failure_sentinal_file

Fix:
Now, if the entropy start-up succeeds, the system removes that file, so that subsequent failures reboot at least once. This is correct behavior.


726616 : TMM crashes when a session is terminated

Component: Access Policy Manager

Symptoms:
TMM crashes when it is releasing the memory used by a session that is terminated. Either one of the following error messages might appear in the TMM log:

-- notice panic: ../kern/umem.c:4166: Assertion "valid type" failed.

-- notice panic: ../kern/page_alloc.c:705: Assertion "vmem_hashlist_remove not found" failed.

Conditions:
The memory used by a session is corrupted during the lifetime of the session. This issue happens infrequently.

Impact:
TMM restarts, causing service interruption if the BIG-IP system is not part of a high-availability setup.

Workaround:
There is no workaround at this time.

Fix:
TMM no longer crashes when removing an access session.


726592 : Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop

Component: Access Policy Manager

Symptoms:
Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop. This could be triggered by invalid state of our control plane daemons.

Conditions:
This is an extremely rare situation that can be caused by invalid logsetting config messaging between our daemons. However, once it happens it can impact multiple daemons at the same time causing all of them to hang.

Impact:
Once this happens it can impact multiple daemons (apmd, apm_websso, localdbmgr) at the same time causing all of them to hang.

Workaround:
There is no workaround at this time; you can recover by restarting the daemons that hang.

Fix:
We have fixed a memory corruption that can break the linkages in our data structure which would cause certain traversals to loop indefinitely.


726417 : GnuPG vulnerability CVE-2018-12020

Solution Article: K55121327


726412 : Virtual server drop down missing objects on pool creation

Component: Global Traffic Manager (DNS)

Symptoms:
Available virtual servers are not populated in the drop-down list during pool creation.

Conditions:
Virtual server names containing single quote, backslash, or greater-than and less-than signs: ' \ < >.

Impact:
Unable to add available virtual servers to pools.

Workaround:
After pool creation, go into that newly created pool, click 'Members', and then click 'Manage', and use the Virtual Server drop-down list to add any virtual servers.

Fix:
Fixed the drop-down list for virtual servers. Virtual servers are now loaded in the drop-down list during pool creation.


726409 : Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077

Solution Article: K61429540


726319 : 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses

Component: Local Traffic Manager

Symptoms:
When FQDN nodes and pool members are used in LTM pools, a message similar to the following may be logged if the DNS server returns a different set of IP address records to resolve the FQDN name:

err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.

Conditions:
This message may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name, and new ephemeral pool members are created corresponding to the new IP addresses.

This may occur intermittently depending on timing conditions.

Impact:
These log messages are cosmetic and do not indicate any impact to traffic or BIG-IP operations.

Workaround:
None.

Fix:
'The requested Pool Member ... already exists' messages are no longer logged occasionally when an FQDN pool member name resolves to different IP addresses.


726303-3 : Unlock 10 million custom db entry limit

Component: Traffic Classification Engine

Symptoms:
Cannot add more than 10 million custom db entries.

Conditions:
This happens when you try to add more than 10 million custom db entries.

Impact:
Not able to add more than 10 million entries.

Workaround:
There is no workaround at this time.

Fix:
This release provides a sys db var, tmm.urlcat.no_db_limit, to allow growth beyond the existing limit of 10 million custom db entries.


726262 : Mobile Firefox in Desktop Mode may be falsely detected

Component: Application Security Manager

Symptoms:
Clients running Firefox on an Android device and selecting 'Request Desktop Site' may have a falsely detected user agent.

Conditions:
-- Proactive Bot Defense or Device ID features are enabled.
-- Client uses Firefox on an Android device and selects 'Request Desktop Site'.

Impact:
Client may possibly get the CAPTCHA challenge, or Device ID functionality may not work correctly.

Workaround:
None.

Fix:
Mobile Firefox in Desktop Mode now functions correctly.


726255 : dns_path lingering in memory with last_access 0 causing high memory usage

Component: Global Traffic Manager (DNS)

Symptoms:
A dns_path is not released after the inactive path TTL is exceeded.

Conditions:
1. Multiple TMMs in a sync group.
2. Multiple DNS paths per GTM needed for load balancing.

Impact:
High memory usage.

Workaround:
There is no workaround at this time.

Fix:
dns_path memory is now released after the TTL expires.


726239 : interruption of traffic handling as sod daemon restarts TMM

Component: Local Traffic Manager

Symptoms:
When the receiving host in a TCP connection has set its send window to zero (stopping the flow of data), following certain unusual protocol sequences, the logic in the TMM that persists in probing the zero window may enter an endless loop.

Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.

Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This fix handles a rare TMM crash when TCP persist timer is active.


726232-5 : iRule drop/discard may crash tmm

Component: Local Traffic Manager

Symptoms:
TMM crash after an iRule attempts to drop packet.

Conditions:
Virtual server with UDP profile, and following iRule:
when LB_SELECTED {
    drop
    # discard - drop is the same as discard
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
TMM correctly handles 'drop' command in 'LB_SELECTED' event.


726168 : Users may get blocked on Web Scraping or CAPTCHA

Component: Application Security Manager

Symptoms:
Users using touchscreen or touchpad may get falsely blocked under the Web Scraping violation. Similarly, some users may fail to pass the CAPTCHA challenge when triggered by Brute Force Mitigation, DoSL7 Mitigation, or Proactive Bot Defense.

Conditions:
Either:
- Web Scraping is enabled with Bot Detection set to alarm or to block (13.1.x/14.0.x).
- CAPTCHA mitigation is in use due to another suspicious activity, triggered by Brute Force Mitigation, DoSL7 Mitigation, or Proactive Bot Defense (14.0.x).

And:
User is using touchscreen or touchpad.

Impact:
Some legitimate users may get blocked.

Workaround:
None.

Fix:
Fixed false detection of some users as bots causing them to be blocked by Web Scraping or CAPTCHA.


726154 : TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies

Component: Advanced Firewall Manager

Symptoms:
TMM might restart when changing firewall or NAT configurations on a virtual server with the same name as a route-domain.

Conditions:
- There is a virtual server and a route-domain that have the same name in the configuration.
- A firewall or NAT policy is being attached or removed from one or both of the virtual server or route-domain.

Impact:
TMM might halt and traffic processing temporarily ceases. TMM restarts and traffic processing resumes.

Workaround:
There is no workaround other than not to use the same name for virtual server and route-domain objects.

Fix:
TMM no longer crashes under the conditions described. Firewall and NAT configurations are applied correctly on virtual servers with the same names as route-domains.


726089 : Modifications to AVR metrics page

Solution Article: K44462254


726001 : Rapid datagroup updates can cause type corruption

Component: Local Traffic Manager

Symptoms:
'invalid class type' error message in /var/log/ltm.

Conditions:
Using external datagroups and updating them before the previous update has finished, such as with:

-- Executing config-sync.

-- echo "create sys file data-group dg-test source-path file:///var/tmp/dg_test type string separator :=; create ltm data-group external dg-test external-file-name dg-test; modify sys file data-group dg-test source-path file:///var/tmp/dg_test" | tmsh -a

Impact:
iRule fails.

Workaround:
Ensure that changes to a datagroup are done processing (by looking for the 'finished' message in the LTM logs) before updating them again.

Fix:
Rapid updates no longer cause type corruption.


725985 : REST API takes more than 20 seconds when 1000+ virtual servers with SNAT-Pool configured

Component: TMOS

Symptoms:
REST API takes more than 20 seconds to complete the GET request when there are 1000+ virtual servers configured with the same SNAT-Pool.

Conditions:
-- A large number (1000+) of virtual servers.
-- Configured with the same SNAT pool.

Impact:
REST API takes more than 20 seconds to respond to the GET request.

Workaround:
None.

Fix:
Under these conditions, now the response time is approximately 5 seconds.


725867 : ADFS proxy does not fetch configuration for non-floating virtual servers

Component: Access Policy Manager

Symptoms:
If the virtual address of a virtual server has a non-floating traffic group (e.g., traffic-group-local-only), ADFS proxy does not perform periodic configuration updates, including listing allowed URIs from ADFS, and thus blocks all the requests (by responding with 404).

Conditions:
-- Virtual address of virtual server has non-floating traffic group.

-- ADFS proxy feature is enabled on the virtual server.

Impact:
All the requests to ADFS are blocked.

Workaround:
Set floating traffic group for virtual address (e.g., traffic-group-1).

Fix:
ADFS proxy now fetches configuration from ADFS for non-floating virtual servers.


725840 : Customization group object is not deleted when SAML resource object is deleted

Component: Access Policy Manager

Symptoms:
Customization group object for the corresponding SAMLResource object is in the configuration store, even after SAMLResource is deleted in GUI/TMSH.

Conditions:
-- Customization Object is in the configuration store.
-- Delete the SAMLResource.

Impact:
There is no functional impact, but additional configuration objects exist in the configuration store.

Workaround:
Delete the customization group object manually in TMSH.

The BIG-IP system administrator can delete those customization groups if the corresponding SAML resources are deleted or do not exist in the configuration.

The command 'list apm policy customization-group' lists all the customization groups. The SAML-specific customization groups are prefixed with the SAML resource name and end with '_resource_saml_customization' (that is, the SAML resource name concatenated with the literal '_resource_saml_customization').

Fix:
Customization group objects are now deleted when the SAML Resource object is deleted.


725815 : vlangroup usage may cause a excessive resource consumption

Solution Article: K72442354


725801 : CVE-2017-7889: Kernel Vulnerability

Solution Article: K80440915


725792 : BWC: Measure log-publisher if used might result in memory leak

Component: TMOS

Symptoms:
When Measure is used in BWC with log publisher defined, it might result in a memory leak in tmm.

Conditions:
-- BWC dynamic policy is configured.
-- Measure is enabled.
-- Log-publisher is defined.

Impact:
Memory leak in errdef.

Workaround:
There is no workaround other than not to enable Measure in the BWC dynamic policy.

Fix:
Configuring Measure in the BWC dynamic policy no longer results in a memory leak.


725718 : Client's scripts trigger alerts while changing fields' values legally

Component: Fraud Protection Services

Symptoms:
When a client's script manipulates EDI-protected fields, an EDI alert is triggered, even though the script is trusted.

Conditions:
Protected field manipulation by a trusted script.

Impact:
Alerts are triggered for trusted scripts.

Workaround:
None.

Fix:
This release allows trusted scripts to manipulate protected fields if a trusted (user-triggered) event has occurred.


725696 : A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted

Component: TMOS

Symptoms:
When OCSP Stapling is enabled on a client SSL profile, certain uncommon operations might cause a tmm timer queue to enter a loop, which results in tmm being aborted by sod and restarting.

Conditions:
-- There are SSL handshakes waiting for an OCSP response, and one of the following:
  + There is a CMP transition.
  + There are changes made to the OCSP object.

Impact:
tmm restarts. Traffic interrupted while tmm restarts.

Workaround:
There is no workaround other than disabling OCSP stapling.

Fix:
The timer issue has been corrected.


725635 : CVE-2018-3665: Intel Lazy FPU Vulnerability

Solution Article: K21344224


725545-2 : Ephemeral listener might not be set up correctly

Component: Local Traffic Manager

Symptoms:
When ephemeral listeners are set up across a cluster, the transaction might fail.

Conditions:
When using Network Access tunnel with proxy ARP and no SNAT.

Impact:
The client-assigned IP address might intermittently fail to be resolved via ARP on the serverside/leasepool VLAN.

Workaround:
None.

Fix:
The ephemeral listener is now set up correctly.


725464 : Updating tests according to canIUse database

Component: Application Security Manager

Symptoms:
Some browser capabilities are changed.

Conditions:
Proactive Bot Defense with 'Block suspicious browsers' enabled.

Impact:
Browsers might get scored wrongly, and therefore receive a CAPTCHA or TCP RST when they should not (or not receive one when they should).

Workaround:
None.

Fix:
The internal database is updated according to the CanIUse DB.


725412-2 : APM does not follow current best practices for HTTP headers

Component: Access Policy Manager

Symptoms:
APM does not follow current best practices for HTTP headers.

Conditions:
APM enabled.

Impact:
HTTP headers are not generated as intended.

Workaround:
None.

Fix:
APM now follows current best practices for HTTP headers.


724906 : sasp_gwm monitor leaks memory over time

Component: Local Traffic Manager

Symptoms:
Memory usage of the Server/Application State Protocol (SASP) monitor, sasp_gwm, slowly increases over time.

Conditions:
The Server/Application State Protocol (SASP) monitor is configured.
The leakage occurs during normal operation of the monitor and is not tied to any specific user or traffic action.

Impact:
sasp_gwm grows over time and eventually the system may be pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.

Workaround:
Periodic restarts of the sasp_gwm processes prevent the growth from affecting the system.

Fix:
The sasp_gwm monitor no longer leaks memory when processing messages.


724868 : dynconfd memory usage increases over time

Solution Article: K11662998

Component: Local Traffic Manager

Symptoms:
dynconfd memory usage slowly increases over time as it processes various state-related messages.

Conditions:
No special conditions as dynconfd is a core LTM process. Large numbers of pool members combined with flapping might increase the rate of memory usage increase.

Impact:
dynconfd grows over time and eventually the system is pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.

Workaround:
Periodic restarts of dynconfd prevent the growth from affecting the system.

Fix:
dynconfd no longer leaks memory when processing messages.


724847-1 : DNS traffic does not get classified for AFM port misuse case

Component: Traffic Classification Engine

Symptoms:
When DNS query name has a label length of greater than 23 bytes, it does not get classified as DNS.

Conditions:
-- AFM provisioned.
-- A port misuse policy for DNS and a service policy configured.
-- DNS query name with label length of greater than 23 bytes.

Impact:
DNS does not get classified properly for some cases.

Workaround:
There is no workaround at this time.

Fix:
The allowed DNS label length is now 64 bytes, so any DNS query name in which each label is fewer than 64 bytes is now properly classified.


724759 : glibc vulnerability CVE-2018-11237

Solution Article: K35981055


724746 : Incorrect RST message after 'reject' command

Component: Local Traffic Manager

Symptoms:
BIG-IP sends RST containing "Internal error in tcpproxy invalid state for repick" instead of correct "iRule execution (reject command)".

Conditions:
Virtual server with an HTTP profile, and an iRule using the 'reject' command.

Impact:
Investigating RST causes may be confusing.

Workaround:
There is no workaround at this time.

Fix:
TMM sends correct RST message.


724679 : Non-attacking IP addresses could be logged along with attacking IP addresses when DoS detects an attack

Component: Advanced Firewall Manager

Symptoms:
During an attack, MySQL might log IP addresses that are not part of an attack along with the IP addresses that are part of the attack.

Conditions:
This occurs when the system detects a BadEndpoint attack.

Impact:
The system might log messages related to IP addresses that are not part of the attack. These IP addresses are not part of the attack and may be ignored.

Workaround:
None.

Fix:
The system now tracks a special state that detects which Endpoints are bad, so it ignores the IP addresses that are not part of the attack.


724571 : Importing access profile takes a long time

Component: Access Policy Manager

Symptoms:
It takes a long time for the 'Apply Access Policy' link to show up on the admin UI after importing an access profile.

Conditions:
-- Access policy with many macros.
-- Import the exported profile multiple times with Reuse Existing Objects checked.
-- As the number of imports increases, so does the latency.

Impact:
The imported access policy takes a long time to be imported and ready to use.

Workaround:
None.


724564 : A FastL4 connection can fail with loose-init and hash persistence enabled

Component: Local Traffic Manager

Symptoms:
The BIG-IP system fails to create a connection after 3WHS when using loose-init and hash persistence.

This can happen if traffic is redirected from one BIG-IP system to another, with the second BIG-IP system failing to create the connection, causing an interruption of traffic on that connection.

Conditions:
-- Virtual server configured with hash persistence.
-- FastL4 profile with loose-init enabled.

Impact:
Traffic fails when redirected from one BIG-IP system to another.

Workaround:
There is no workaround other than to disable hash persistence.

Fix:
A FastL4 connection no longer fails with loose-init and hash persistence enabled.


724532 : SIG SEGV during IP intelligence category match in TMM

Component: Advanced Firewall Manager

Symptoms:
TMM restart while matching traffic from source IP to IP Intelligence category.

Conditions:
Multiple configuration changes that include deleting the custom IP intelligence categories.

Impact:
TMM restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer restarts while matching traffic from source IP to IP Intelligence category.


724448 : Enabling EDI protection by 'id' attribute configuration

Component: Fraud Protection Services

Symptoms:
When protecting a field with EDI by its 'id' attribute, no protection is applied.

Conditions:
Protect with EDI a form field by its 'id' attribute.

Impact:
No protection provided.

Workaround:
None.

Fix:
This release now supports this feature.


724414 : ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled

Component: Application Security Manager

Symptoms:
When ASM inspects WebSocket frames, the bd daemon leaks memory; eventually ASM stops inspecting traffic and sends resets or bypasses requests.

Conditions:
-- ASM module is provisioned.
-- ASM policy and WebSocket profile are attached to a virtual server.
-- WebSocket URL has JSON profile attached to it.
-- JSON profile has parse parameters flag enabled (this is the default).

Impact:
ASM may reset connections; failover might occur.

Workaround:
There are two workarounds:
-- Remove JSON profile from WebSocket URL in the ASM policy.

-- Disable parse parameters flag in the json profile.

Fix:
The system now frees the allocated memory when it finishes inspecting a WebSocket frame.


724341 : Import of Access Profile with Machine Cert Checker and default CA Profile is failing

Component: Access Policy Manager

Symptoms:
Exporting and then re-importing an Access Profile with a Machine Cert Checker agent configured with the default CA Profile fails with the following error:
The requested profile_certificateauthority (Common/certificateauthority) was not found. Unexpected Error: Loading configuration process failed.

Conditions:
Any profile/policy with Machine Cert Checker and default settings.

Impact:
Low: affecting only import/export.

Workaround:
Use non-default CA Profile at the export time.

Fix:
Export and import of Profile with default CA Profile works properly.


724339-5 : Unexpected TMUI output in AFM

Solution Article: K04524282


724335-5 : Unexpected TMUI output in AFM

Solution Article: K21042153


724214 : TMM core when using Multipath TCP

Component: Local Traffic Manager

Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic interrupted while TMM restarts.

Workaround:
There is no workaround other than to disable MPTCP.

Fix:
TMM no longer produces a core.


724213 : Modified ssl_profile monitor param not synced correctly

Component: Local Traffic Manager

Symptoms:
After modifying the ssl_profile attribute on an HTTPS monitor on a device in a high availability (HA) configuration, and after performing a full ConfigSync, the corresponding monitor on the peer-sync unit does not have the updated value.

Conditions:
-- An HTTPS monitor is used on BIG-IP systems in an HA configuration.
-- The ssl_profile field is modified on an HTTPS monitor.
-- A sync-to-peer (full ConfigSync, not incremental sync) is attempted to propagate the modified ssl_profile value to the peer units.

Impact:
The ssl_profile value for the HTTPS monitor on the peer unit is set to none, resulting in the two devices reporting themselves as in-sync, but having potentially different HTTPS monitor configurations.

Workaround:
-- Do not run HTTPS monitors as in-TMM monitors.
-- Use the traditional HTTPS monitor configuration for SSL attributes (cipherlist, key, cert, and compatibility attributes on the HTTPS monitor) instead of the ssl_profile attribute.

Note: Using these attributes generates deprecation warnings, but the configuration still takes effect.

Fix:
After modifying the ssl_profile attribute on an HTTPS monitor on a system within an HA configuration, and after performing a full ConfigSync, the corresponding monitor on the peer unit now receives the updated monitor attribute, as expected.


724143 : IKEv2 connflow expiration upon ike-peer change

Component: TMOS

Symptoms:
Altering the definition of an ike-peer does not expire the connflow used for the tunnel, so the old connflow, with its previous settings, remains in use for the tunnel.

Conditions:
-- Making any change to an IKEv2 ike-peer, even insignificant changes such as a description change.
-- Running a system version that has the new auth-rule attribute inside ike-peer.

Note: This is not likely to occur in older system versions where no ike-peer state exists inside a connflow, because any ike-peer changes do replace the associated objects. In those cases, even though the same connflow is used, the system uses new algorithms for the ike-peer.

Impact:
In effect, you cannot change the configuration of the flow by changing the peer definition.

Workaround:
There is no workaround at this time.

Fix:
Changes to an ike-peer now expire any existing connflow for that ike-peer. This affects only system versions that have the new auth-rule attribute inside ike-peer.


724032 : Searching Request Log for value containing backslash does not return expected result

Component: Application Security Manager

Symptoms:
Searching within Request Log for a value containing backslash does not return the expected result. This happens because escaping of backslashes in REST API access is handled differently with 'eq' and 'contains' filters.

Conditions:
Searching within Request Log for a value containing backslash.

Impact:
Searching the Request Log for a value containing a backslash does not return the expected result.

Workaround:
In REST API requests, double each backslash when searching with the 'contains' filter, but do not double it when searching with the 'eq' filter.

Fix:
Searching within Request Log for a value containing backslash returns the expected result.


723988 : IKEv1 phase2 key length can be changed during SA negotiation

Component: TMOS

Symptoms:
With IKEv1, if the phase 2 key length does not agree on both sides, the responder accepts whatever key length the initiator proposes (but only after the initiator has authenticated). This allows an authenticated peer to downgrade or upgrade the key length, because the IKEv1 daemon was configured to obey the other peer's key length request.

Conditions:
The ike-phase2-encrypt-algorithm values on both sides agree on the encryption algorithm but differ in key length; for example, the initiator proposes AES128 when the responder expects AES256.

Impact:
The responder accepts AES128 anyway. Although the phase 1 key length must match exactly, a phase 2 key-length mismatch lets the initiating peer change the key length the responder uses, and therefore the cipher strength that responder's administrator configured.

Workaround:
No workaround is known at this time.

Fix:
Phase 2 negotiation now requires an exact key-length match between initiator and responder, so both sides get the strength explicitly configured for that peer. As a result, ike-phase2-encrypt-algorithm inside the ipsec-policy must be identical on both sides; a mismatched key length is no longer accepted.
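The following Python model is an added illustration, not code from the BIG-IP IKEv1 daemon, and contrasts the lenient responder policy described above with the exact-match policy of the fix. The Phase2Transform type, the function names and the rule that the responder takes the first acceptable proposal in the initiator's list are assumptions made for the illustration; the page itself only describes a single mismatched proposal being accepted.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Sequence


@dataclass(frozen=True)
class Phase2Transform:
    """One ESP encryption transform as carried in an IKEv1 phase 2 (quick mode)
    proposal. The field names are assumptions for this illustration."""
    algorithm: str   # e.g. "aes"
    key_bits: int    # e.g. 128 or 256


Selector = Callable[[Phase2Transform, Sequence[Phase2Transform]], Optional[Phase2Transform]]


def select_lenient(configured: Phase2Transform,
                   proposals: Sequence[Phase2Transform]) -> Optional[Phase2Transform]:
    """Pre-fix responder behaviour as the page describes it: the first proposal
    whose algorithm matches is accepted and the initiator's key length is obeyed."""
    for proposal in proposals:
        if proposal.algorithm == configured.algorithm:
            return proposal
    return None


def select_strict(configured: Phase2Transform,
                  proposals: Sequence[Phase2Transform]) -> Optional[Phase2Transform]:
    """Fixed behaviour: algorithm and key length must both match exactly."""
    for proposal in proposals:
        if proposal == configured:
            return proposal
    return None


def negotiated_key_bits(selector: Selector, configured: Phase2Transform,
                        proposals: Sequence[Phase2Transform]) -> Optional[int]:
    """Key length the responder ends up using, or None when no proposal is acceptable."""
    chosen = selector(configured, proposals)
    return chosen.key_bits if chosen else None


if __name__ == "__main__":
    responder = Phase2Transform("aes", 256)   # what the responder's ipsec-policy configures
    # Constructed initiator proposal lists; weak_first puts the stronger transform last.
    downgrade_only = [Phase2Transform("aes", 128)]
    weak_first = [Phase2Transform("aes", 128), Phase2Transform("aes", 256)]
    for name, props in (("downgrade_only", downgrade_only), ("weak_first", weak_first)):
        print(name,
              "lenient ->", negotiated_key_bits(select_lenient, responder, props),
              "strict ->", negotiated_key_bits(select_strict, responder, props))
```

The weak_first case is the one to watch: under the lenient policy a peer that lists AES-128 before AES-256 gets AES-128 even though AES-256 was also on offer, because the key length is never compared, whereas the strict policy skips the 128-bit transform and lands on the configured one. The model leaves phase 1 authentication out entirely; as the page notes, the downgrade is only available to a peer that has already authenticated.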


723963 : Log message to GTM logs if an invalid regular expression is given to a monitor.

Component: Global Traffic Manager (DNS)

Symptoms:
big3d memory consumption increases because the monitor's regular expression fails to compile and each failed compilation leaks memory.

Conditions:
The monitor's recv string contains escape sequences such as the following: "^ http\/\d\.\d [23]\d\d".

Impact:
Big3d memory consumption increases.

Workaround:
Use a different regular expression. For example, "^ http\/\d\.\d [23]\d\d" can be replaced with "^HTTP/[0-9].[0-9] [23][0-9][0-9]". Note that an unescaped period matches any single character; write "[.]" (or "\.") to match only a literal period.

Fix:
Extra validation was added for regular expressions, and the escaping of certain characters was improved. An error message is now logged to the GTM logs when a regular expression fails to compile, and glibc's regcomp() was fixed so that it no longer leaks memory when compilation fails.


723847 : Disable flow if no protocol inspection profile is attached.

Component: Protocol Inspection

Symptoms:
If a protocol inspection profile with no compliance checks or signatures enabled is attached to a virtual server, the system still processes all packets through the IPS library.

Conditions:
-- Protocol inspection profile is defined and attached to a virtual server.
-- The profile contains no inspections.

Impact:
Potential performance degradation.

Workaround:
If no inspections are needed, then remove the protocol inspection profile from the virtual server. Otherwise, there is no workaround.

Fix:
If no inspections are enabled, there is no performance degradation when attaching the protocol-inspection profile.


723792 : GTM regex handling of some escape characters renders it invalid

Component: Global Traffic Manager (DNS)

Symptoms:
The memory footprint of big3d increases.

Conditions:
A GTM monitor recv string such as the following: ^http\/\d\.\d[23]\d\d

Impact:
Escaped characters are mishandled, so the regex fails to compile and leaks memory. Because the recv string cannot be evaluated, the monitor marks the monitored server UP whenever the server returns any response, regardless of its content.

Workaround:
If you notice the big3d memory footprint increasing and you have a monitor recv string with escaped characters such as '^http\/\d\.\d[23]\d\d', change the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}

Fix:
Escape-character handling has been fixed. Recv strings that previously failed to compile now compile.
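As an added example, not code from big3d or F5, the following Python checks a monitor recv string for escape sequences that POSIX extended regular expressions (what regcomp() compiles) leave undefined, rewrites them into bracket expressions that POSIX ERE and Python's re module read identically, and evaluates the result against constructed HTTP status lines. It serves both 723963 and 723792 above; the translation table, the sample responses and the assumption that the monitor simply searches the response for the recv pattern are all the example's own.

```python
import re
from typing import Dict, List

# Escapes that Perl/PCRE users commonly write but POSIX ERE does not define.
# Each maps to an equivalent that POSIX ERE and Python's re interpret the same way.
# (Assumed table for this illustration.)
UNDEFINED_IN_ERE: Dict[str, str] = {
    r"\d": "[0-9]",
    r"\D": "[^0-9]",
    r"\w": "[A-Za-z0-9_]",
    r"\W": "[^A-Za-z0-9_]",
    r"\s": "[ \t\r\n]",
    r"\S": "[^ \t\r\n]",
    r"\/": "/",          # '/' needs no escaping in a regular expression
}

_ESCAPE = re.compile(r"\\.")   # a backslash followed by any single character


def lint_recv_string(pattern: str) -> List[str]:
    """Return every escape in the recv string that POSIX ERE leaves undefined, in order."""
    return [m.group(0) for m in _ESCAPE.finditer(pattern) if m.group(0) in UNDEFINED_IN_ERE]


def to_posix_ere(pattern: str) -> str:
    """Rewrite undefined escapes into bracket expressions; defined ones (e.g. \\.) are kept."""
    return _ESCAPE.sub(lambda m: UNDEFINED_IN_ERE.get(m.group(0), m.group(0)), pattern)


def recv_matches(pattern: str, response: str) -> bool:
    """Evaluate a recv pattern against a server response the way this example assumes
    a monitor does: search the response text for the (portable form of the) pattern."""
    return re.search(to_posix_ere(pattern), response) is not None


if __name__ == "__main__":
    bad = r"^ http\/\d\.\d [23]\d\d"            # recv string quoted in 723963
    good = r"^HTTP/[0-9][.][0-9] [23][0-9]{2}"  # replacement suggested in 723792
    print("undefined escapes:", lint_recv_string(bad))
    print("portable form:    ", to_posix_ere(bad))
    # Constructed sample status lines.
    for line in ("HTTP/1.1 200 OK", "HTTP/1.0 302 Found", "HTTP/1.1 503 Service Unavailable"):
        print(f"{line!r:40} -> {recv_matches(good, line)}")
```

Run lint_recv_string() over a recv string before saving the monitor: an empty list means every escape in it has a defined POSIX ERE meaning. The rewritten form of the 723963 pattern still begins with a space and lowercase "http", so even once it compiles it never matches a real status line; that is why the page's replacement also changes the literal text, not just the escapes.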


723756 : Improving Proactive Bot Defense Detection

Component: Application Security Manager

Symptoms:
As part of the Proactive Bot Defense tests, two webrootkit functions are falsely detected.

Conditions:
Proactive Bot Defense is enabled.

Impact:
The effective threshold for those functions is lowered by 2 (the limit is configurable using a BigDB variable).

Workaround:
Raise the required webrootkit function threshold by 2 using the BigDB variable dosl7.web_rootkit_report_min_score.

Fix:
The functions are now detected correctly.


723722 : MCPD crashes if several thousand files are created between config syncs.

Component: TMOS

Symptoms:
If several thousand files (typically 20,000, but the number varies by platform), for example SSL certificates or keys, are created between config syncs, the next config sync operation takes too long and sod kills mcpd.

Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.

Impact:
Traffic is disrupted while the MCPD process restarts.

Workaround:
Run a config sync operation after every ~5000 files created.

Fix:
MCPD no longer crashes if several thousand files are created between config sync operations.


723711 : IPsec keys are once again logged when db variable ipsec.debug.logkeys equals 1

Component: TMOS

Symptoms:
An earlier release disabled the logging of keys to IKEv1's /var/log/racoon.log at log level "debug" or higher, and likewise disabled IKEv2's logging of keys to other log files.

Conditions:
-- When negotiating any IKEv1 security association.
-- When negotiating any IKEv2 security association when ikedaemon log level has been set to debug or debug2.

Impact:
Keys, nonces, and several other sensitive values are no longer logged for either IKEv1 or IKEv2, making it hard to decrypt captured test traffic when debugging after a problem.

Workaround:
There is no workaround on the BIG-IP. However, debug logs on the remote peer, if it is not a BIG-IP, may provide the desired key information.

Fix:
The previous logging of keys and other values has been restored, provided that the db variable ipsec.debug.logkeys is set to one instead of zero.

The new default value of ipsec.debug.logkeys is one. IKEv2 keys are still logged only when the ikedaemon log level is debug or debug2. Note that anyone who can read these log files can use the logged keys to decrypt the corresponding IPsec traffic, so set ipsec.debug.logkeys to zero on systems where that is not acceptable.


723698 : Address lists and port lists used for AFM firewall rules cannot be created unless AFM is provisioned

Component: TMOS

Symptoms:
Address lists and port lists used for AFM firewall rules cannot be created unless AFM is provisioned. This makes it impossible to create these items to share with LTM virtual servers.

Conditions:
Trying to create shared address lists and port lists for AFM firewall rules and LTM virtual servers.

Impact:
Cannot create address lists and port lists to share between AFM firewall rules and LTM virtual servers.

Workaround:
None.

Behavior Change:
There is now a top-level TMUI menu entry named 'Shared Objects' containing address lists and port lists. AFM firewall rules already used these; now LTM can too, specifically virtual servers.


723579 : OSPF routes missing

Component: TMOS

Symptoms:
When a newer link-state advertisement (LSA) (with a greater sequence number) arrives, Open Shortest Path First (OSPF) discards the old one by marking it DISCARD. The SPF calculation suspends itself every 100 vertexes. If the discard happens during such a suspension, the discarded LSAs are ignored after the calculation resumes, which can make routes unreachable and eventually cause route withdrawals.

Conditions:
A very large number (~500, beyond best practices) of routers in a single OSPF area.

Impact:
Intermittent route flaps occur that might cause unreachable destinations or increased network traffic due to non-optimal route choices.

Workaround:
There is no workaround.

Fix:
The 'vertex threshold' IMISH parameter is now provided for OSPF/OSPF6. It controls the number of vertexes calculated in one batch (the default value is 100). Increase the value to prevent LSA discards. A value of 0 means the SPF calculation is never suspended; in large areas this may make OSPF slow to respond and eventually drop LSAs.


723305 : Performance degrades when no inspections are enabled in IPS

Component: Protocol Inspection

Symptoms:
When protocol inspection is attached to a virtual server, but the profile contains no inspections, there is a performance degradation of around 15%.

Conditions:
-- Protocol inspection profile is defined and attached to a virtual server.
-- The profile contains no inspections.

Impact:
Performance degradation.

Workaround:
Enable at least one inspection in the profile.

Fix:
If no inspections are enabled, there is no performance degradation when attaching the protocol-inspection profile.


723300-1 : TMM may crash when tracing iRules containing nameless listeners on internal virtual servers

Component: Local Traffic Manager

Symptoms:
TMM may crash when tracing iRules containing nameless listeners on internal virtual servers.

Conditions:
-- Using iRule tracing.
-- Internal virtual servers.
-- Listener iRule, where the listener has no name.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when tracing iRules containing nameless listeners on internal virtual servers.


723298 : BIND upgrade to version 9.11.4

Component: TMOS

Symptoms:
The BIG-IP system is running BIND version 9.9.9.

Conditions:
BIND on BIG-IP system.

Impact:
The BIND 9.9 Extended Support Version was supported only until June 2018.

Workaround:
None.

Fix:
BIND version has been upgraded to 9.11.4.


723130-2 : Invalid-certificate warning displayed when deploying BIG-IP VE OVA file

Component: TMOS

Symptoms:
The OVA signing certificate that signs BIG-IP Virtual Edition (VE) OVA files expired. When deploying a BIG-IP VE from an OVA file, an invalid-certificate warning might be displayed due to the expired OVA signing certificate.

Conditions:
This issue may be encountered during the creation of new instances of BIG-IP VE in clients that check the validity of the OVA signing certificate (e.g., VMware).

Note: Existing BIG-IP VE instances are not subject to this issue.

Impact:
The integrity of the OVA file may be called into question, and in some cases a new instance cannot be deployed from the OVA file.

Workaround:
The expired OVA signing certificate has been replaced with a valid signing certificate.

Fix:
The expired OVA signing certificate has been replaced with a valid signing certificate.


723095 : Add record type breaks commands 'modify gtm pool type all'; errors on nonexistent pool

Component: Global Traffic Manager (DNS)

Symptoms:
tmsh command returns an error similar to the following message:
01070227:3: Pool Member references a nonexistent Pool (/Common/poolname of type NAPTR)

Conditions:
Changing the record type on GTM pool members by running the following command: tmsh modify gtm pool type all members add.

Impact:
Unable to add pool members quickly to all pools of the same type.

Workaround:
There is no workaround at this time.


722991 : File "dead.letter" may show up in /root directory

Component: Access Policy Manager

Symptoms:
The /root directory contains a file named "dead.letter" with content such as the following:

  /etc/cron.daily/cleanup_sync_files:
  ls: cannot access /config/filestore/sync_file_request_d: No such file or directory

Conditions:
The device does not use the LocalDB feature, or no local user has been created.

Impact:
The file /root/dead.letter grows daily by 5 lines regarding missing sync_file_request_d directory.

Workaround:
Setting MAILTO="" in /etc/crontab stops the file from being generated, because cron then no longer tries to mail the job's output.

Fix:
The "dead.letter" file is no longer generated.


722969 : Access Policy import with 'reuse' enabled instead rewrites shared objects

Component: Access Policy Manager

Symptoms:
If a policy is exported and then imported with 'reuse' enabled, the import rewrites the existing objects on the system instead of simply reusing them.

Conditions:
-- Exporting profile A.
-- Importing profile B, with 'reuse' configured.
-- The objects in both profiles are named the same and are the same type.

Impact:
-- 'Reused' objects on the system are modified.
-- Policy A requires 'apply', because objects shared with Policy B are overwritten.

Workaround:
None.

Fix:
Access policy import with the 'reuse' option enabled no longer rewrites shared objects.


722893 : The TMM - host interface may stall when the kernel memory is fragmented

Solution Article: K30764018

Component: Local Traffic Manager

Symptoms:
MCP logs 'Removed publication with publisher id TMMx' and the affected TMM restarts.

Conditions:
This occurs when the following conditions are met:
-- Linux kernel memory fragmentation exists.
-- Another operation is occurring, including (among others):
  + Config-sync with full reload is initiated.
  + Running tcpdump.

Impact:
Degraded performance and unexpected failover when tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The internal driver has been improved, allowing it to work in low- and/or fragmented-memory conditions.


722734 : 'No Access' error when viewing properties page of a GTM Pool member whose name includes a partition that does not exist on that BIG-IP system.

Component: Global Traffic Manager (DNS)

Symptoms:
The BIG-IP system posts a 'No Access' error message instead of the GTM Pool member's properties.

Conditions:
-- At least two BIG-IP systems in a sync group.
-- One of the BIG-IP systems has a partition that does not exist on the other, with a GTM Pool member on that partition.
-- The issue occurs when a GSLB Server discovers that GTM Pool member and displays it on its properties page.

Note: This same error message displays for GSLB Server's virtual server properties accessed by navigating to GSLB :: servers :: [server] :: virtual servers :: [virtual server]. The differing issues have been fixed in differing releases. You can find information about the similar issue in the AskF5 Bug Tracker article for 710032.

Impact:
The GSLB pool member's properties page is unavailable in this case.

Workaround:
Use either of the following workarounds:
-- Use TMSH to view or edit the properties of that GTM Pool member.

-- Create partitions on the GTM device to match those appearing to be referenced in the object names.

Fix:
Partition checking has been disabled on the GTM side, since a pool member owned by a server is always in the partition of that server (/Common).


722682 : Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load

Component: TMOS

Symptoms:
Loading configuration process failed after upgrade when pool member names contain colons. The system posts errors similar to the following:
01070226:3: Pool Member 443:10.10.10.10 references a nonexistent Virtual Server
Unexpected Error: Loading configuration process failed.

Conditions:
-- GTM pool member has colon in its name.
-- Upgrade to any of the following versions:
  + 12.1.3.x
  + Any 13.0.x
  + All 13.1.x earlier than 13.1.1.2
  + 14.0.x earlier than 14.0.0.3

Impact:
The system removes the part of the pool member name that precedes the colon, and configuration load fails. For example, when the configuration contains a pool member named example_pm:443:10:10:10:10, the system removes the part of the pool member name that precedes the first colon, in this case, example_pm, leaving the pool member name 443:10.10.10.10.

Workaround:
After upgrading, add two backslash characters (\\) before the first colon (:) character in each affected pool member name.

1. Upgrade the BIG-IP DNS system to the new version of software.
2. SSH to log into the bash prompt of the BIG-IP DNS system.
3. Run the following commands to add the string \\ in front of the first colon (:) in the name of each affected GTM pool member:

  for j in $(find /config/ -name bigip_gtm.conf); do
    # Name part before the first colon on each 'gtm server' line that contains a colon.
    for i in $(awk '$0 ~ /^gtm server.*:/ {gsub("[/:]"," ",$0); print $4}' "${j}"); do
      sed -i "s, /Common/${i}, /Common/${i}\\\\\\\,g" "${j}"
      grep " /Common/${i}" "${j}"   # sed -i prints nothing; show the rewritten lines
    done
  done

4. Run the following command from the bash prompt: tmsh load sys config gtm-only

Fix:
Configuration load no longer fails when upgrading with a configuration that contains BIG-IP DNS pools with members whose names contain colon characters.


722677 : High-Speed Bridge may lock up

Component: Local Traffic Manager

Symptoms:
Under certain conditions, hardware systems with a High-Speed Bridge and using Layer 2 forwarding configurations may experience a lockup of the High-Speed Bridge.

Conditions:
Hardware platform with High-Speed Bridge.
Layer 2 forwarding enabled.
vlangroup.flow.allocate disabled.

Impact:
High-Speed Bridge lockup, leading to a failover event.

Workaround:
The vlangroup.flow.allocate DB variable is enabled by default.

Ensure that vlangroup.flow.allocate is enabled with the command:
modify /sys db vlangroup.flow.allocate value enable


722618 : New Chrome version is blocked when using Proactive Bot Defense

Component: Application Security Manager

Symptoms:
With Google Chrome versions 67 and later, Selenium WebDriver is falsely detected.

The system posts a message similar to the following:
-- info tmm1[24434]: Rule /Common/UBOT_PRINT <BOTDEFENSE_ACTION>: client_anomaly {Selenium WebDriver Detected}.

Conditions:
-- Proactive Bot Defense.
-- Block suspicious browsers is enabled.

Impact:
Legitimate users of Chrome 67 and later might be blocked or challenged with a CAPTCHA.

Workaround:
None.

Fix:
This release fixes the Selenium test for new Chrome versions.


722594 : TCP flow may not work as expected if double tagging is used

Solution Article: K91300169

Component: Local Traffic Manager

Symptoms:
TCP flow may have an incorrect ACK number, and the flow may stall or reset. The BIG-IP system sends an ACK that is higher than it should be based on the data received from the client.

Conditions:
Double tagging is used.

Impact:
TCP connection fails.

Workaround:
Set the db variable tm.tcplargereceiveoffload to disable.

Fix:
TCP flow now has the correct ACK number when double tagging is used.


722560 : The configuration may fail to load if a pool-type route is created that does not reference a pool

Component: TMOS

Symptoms:
The configuration may fail to load if a pool-type route is created that does not reference a pool.

Conditions:
This occurs in either of the following situations:
-- A route is created via tmsh specifying 'pool none'.
-- No pool is selected in the configuration utility when 'Use Pool' is selected.

Note: It is possible to not select a pool only if there are no pools configured on the BIG-IP system.

Impact:
The configuration is accepted, but the resulting configuration does not load.

Workaround:
There is no workaround other than not creating a pool-type route with no pool.

Behavior Change:
The pool for a static route object can no longer be set to "none".


722423 : Analytics agent always resets when Category Lookup is of type custom only

Component: Access Policy Manager

Symptoms:
Analytics fails and logs (in /var/log/apm) that a custom-only Category Lookup cannot be used together with Analytics. Even if the Analytics agent is configured not to send a RST on failure, it sends one.

Conditions:
In the per-request policy, Category Lookup agent is set to custom lookup only.

Impact:
The Analytics agent sends a RST even when 'RST on Failure' is disabled. The BIG-IP administrator cannot choose to disable the RST for this setup (even though the setup itself is a misconfiguration).

Workaround:
You can avoid the RST and the error by modifying the configuration to use a standard Category Lookup before the Analytics agent.

Using a custom-only 'Category Lookup' immediately followed by 'Response Analytics' is not a valid configuration. In this configuration, Analytics cannot run the way it is supposed to because it does not have the right information. 'Response Analytics' gives the option to choose what to do on error: RST, or continue on, implying that the non-RST option is valid. If the admin chooses to not reset, the system should log the error and continue. In this case, the system actually does send a RST, even though the RST is not what the BIG-IP admin intended to configure.

Fix:
Disabling RST on failure now works properly in this scenario. The configuration is still technically incorrect, but the system now takes the specified action on error.


722410 : Forward Error Correction missing Auto option

Component: TMOS

Symptoms:
100 Gb interfaces lack the Forward Error Correction Auto option in the GUI.

Conditions:
This occurs on BIG-IP systems with 100 Gb interfaces.

Impact:
Cannot set Forward Error Correction to Auto using the GUI.

Workaround:
Use tmsh to set Forward Error Correction to Auto.

Fix:
Forward Error Correction now has an Auto option in the GUI.


722387 : TMM may crash when processing APM DTLS traffic

Component: Local Traffic Manager

Symptoms:
When processing DTLS traffic for APM, TMM may crash.

Conditions:
APM provisioned and configured.
DTLS enabled in APM configuration.

Impact:
TMM crash, leading to a failover event.

Workaround:
None.

Fix:
DTLS traffic is now processed as expected.


722380 : The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.

Component: TMOS

Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then TMM panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On these platforms, the reboot occurs before the core file is fully written, resulting in a truncated core.

Conditions:
An HSB lockup occurs on an i10600 or i10800 platform, triggering a core dump and a nic_failsafe reboot.

Impact:
The reboot happens after the core dump begins but before it completes, resulting in a truncated core dump that is not useful for analyzing why the HSB lockup occurred. Traffic is disrupted while tmm restarts.

Workaround:
None.

Fix:
The reboot is now delayed until the TMM core file is complete.


722363 : Client fails to connect to server when using PVA offload at Established

Component: Local Traffic Manager

Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.

When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.

Conditions:
A FastL4 virtual server is configured with offload_state = EST.

Impact:
Clients fail to connect to the server.

Workaround:
There is no workaround other than to disable PVA acceleration.


722294 : Reported session ID keeps changing for the same user session when ASM doesn't track sessions

Component: Application Security Manager

Symptoms:
A reported session ID is not maintained for the same user session.

Conditions:
-- Simple, feature-less policy (i.e., policy contains only attack signatures).

-- There are no cookies coming in from the server.

Impact:
The TS cookie is not created since there is no cookie-enforcing feature that is turned on (such as session tracking). Although this is correct behavior, it might result in confusion when there is a different, random session ID on each request.

Workaround:
Turn on a cookie-related feature (such as session tracking).

Fix:
session_id is no longer shown in request log when TS cookie does not exist. This prevents any potential confusion when viewing the logs in this situation.


722222 : Private SSL key file access is too permissive

Component: Local Traffic Manager

Symptoms:
The following private key files are world readable so anyone logged onto the BIG-IP system can read them:

/config/ssl/ssl.key/.tmp1024rsa.pem
/config/ssl/ssl.key/.tmp512rsa.pem

These files are regenerated hourly, so the potential impact is minimal.

Conditions:
Any standard BIG-IP installation exhibits this.

Impact:
Non-root users can read SSL private keys.

Workaround:
None.

Fix:
The listed files are now readable only by the root user.
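As an added check, not part of the release notes or of the fix itself, the following Python scans a key directory for files that anyone other than the owner can read, write or execute; it uses os.listdir(), which, unlike a plain ls, includes dot-files such as the two listed above. The sample directory, file names and placeholder contents are constructed for the example; on a BIG-IP you would point exposed_key_files() at /config/ssl/ssl.key.

```python
import os
import stat
import tempfile
from typing import List, Tuple

GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO   # any permission bit for group or others


def exposed_key_files(directory: str) -> List[Tuple[str, str]]:
    """Return (name, octal mode) for every regular file in directory that is readable,
    writable or executable by someone other than its owner. Dot-files are included."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)                      # lstat: do not follow symlinks
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_mode & GROUP_OR_OTHER:
            findings.append((name, oct(stat.S_IMODE(st.st_mode))))
    return findings


def world_readable_only(directory: str) -> List[str]:
    """Narrower check matching the symptom above: files readable by 'others'."""
    return [name for name, mode in exposed_key_files(directory)
            if int(mode, 8) & stat.S_IROTH]


def make_sample_keydir(root: str) -> str:
    """Constructed fixture (assumed names and modes): one hidden temp key left at 0644 as in
    the symptom, one group-readable at 0640, and one correctly locked down at 0600."""
    keydir = os.path.join(root, "ssl.key")
    os.makedirs(keydir, exist_ok=True)
    for name, mode in ((".tmp1024rsa.pem", 0o644), (".tmp512rsa.pem", 0o640), ("default.key", 0o600)):
        path = os.path.join(keydir, name)
        with open(path, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----\n")
        os.chmod(path, mode)                     # explicit chmod so the umask does not interfere
    return keydir


def audit_sample() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Build the fixture in a temporary directory, audit it and return both result lists."""
    with tempfile.TemporaryDirectory() as tmp:
        keydir = make_sample_keydir(tmp)
        return exposed_key_files(keydir), world_readable_only(keydir)


if __name__ == "__main__":
    exposed, world = audit_sample()
    for name, mode in exposed:
        print(f"{mode} {name}")
    print("world-readable:", world)
```

The broader exposed_key_files() check is the one worth running on a schedule: the fix above makes the listed files root-only, and a key that is group-readable is just as much a finding as one that is world-readable when the group contains non-administrative accounts.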


722091 : TMM may crash while processing HTTP traffic

Solution Article: K64208870


722013-1 : MCPD restarts on all secondary blades post config-sync involving APM customization group

Component: Access Policy Manager

Symptoms:
After performing a series of specific config-sync operations between multi-blade systems, the MCPD daemon restarts on all secondary blades of one of the systems.

Each affected blade will log an error message similar to the following example:

-- err mcpd[5038]: 01070711:3: Caught runtime exception, Failed to collect files (snapshot path () req (7853) pmgr (7853) not valid msg (create_if { customization_group { customization_group_name "/Common/Test-A_secure_access_client_customization" customization_group_app_id "" customization_group_config_source 0 customization_group_cache_path "/config/filestore/files_d/Common_d/customization_group_d/:Common:Test-A_secure_access_client_customization_66596_1" customization_group_system_path "" customization_group_is_system 0 customization_group_access 3 customization_group_is_dynamic 0 customization_group_checksum "SHA1:62:fd61541c1097d460e42c50904684def2794ba70d" customization_group_create_time 1524643393 customization_group_last_update_time 1524643393 customization_group_created_by "admin" customization_group_last_updated_by "admin" customization_group_size 62 customization_group_mode 33188 customization_group_update_revision 1

Conditions:
This issue occurs when all of the following conditions are met:

-- You have configured a device-group consisting of multi-blade systems (such as VIPRION devices or vCMP guests).

-- Systems are provisioned for APM.

-- The device-group is configured for incremental manual synchronizations.

-- On one system (for example, source_system), you create an APM configuration object (for example, a connectivity profile) that causes the automatic creation of an associated customization group.

-- You synchronize the configuration from the source_system to the device-group.

-- On the source_system, you create a new configuration object of any kind (for example, an LTM node).

-- Instead of synchronizing the newest configuration to the device-group, you synchronize the configuration from another device in the device-group to the source_system (which effectively undoes your recent change).

The MCPD daemon then restarts on all secondary blades of the source_system.

Impact:
While the MCPD daemon restarts, the blade is offline, and many other BIG-IP daemons need to restart along with MCPD.

-- If the source_system is Active, the load capacity of the system temporarily decreases proportionally to the number of blades restarting. Additionally, if the systems use the min-up-members or HA-Group features, losing a certain number of secondary blades may trigger a failover.

-- If the source_system is Standby, some of the previously mirrored information may become lost as TMM on secondary blades restarts along with MCPD. Should this system later become the Active system, traffic may be impacted by the lack of previously mirrored information.

Workaround:
None.

Fix:
The MCPD daemon no longer restarts on secondary blades after config-sync of APM.


721982 : Automatically disable Nagle's Algorithm for RD Gateway connections

Component: Access Policy Manager

Symptoms:
When APM's RD Gateway virtual server has Nagle's Algorithm enabled in its client TCP profile, RDP client responsiveness might degrade severely, to the point where the client becomes unusable.

Conditions:
-- APM is used as RD Gateway.
-- Nagle's Algorithm is enabled in client TCP profile.

Impact:
RDP client becomes unresponsive.

Workaround:
Disable Nagle's Algorithm in the client TCP profile.

Fix:
The system now automatically disables Nagle's Algorithm for RD Gateway connections.


721924 : bgpd may crash processing extended ASNs

Component: TMOS

Symptoms:
Under certain conditions bgpd may crash while processing extended ASNs.

Conditions:
-- Dynamic routing is enabled.
-- The extended ASN capability is enabled (bgp extended-asn-cap).

Impact:
Dynamic routing disrupted while bgpd restarts.

Fix:
bgpd now processes extended ASNs as expected.


721840-1 : Protocol Lookup agent has been removed

Component: Access Policy Manager

Symptoms:
The Protocol Lookup agent has been removed from the product.

Conditions:
Trying to use the Protocol Lookup agent.

Impact:
No Protocol Lookup agent is present.

Workaround:
There is no workaround. The Protocol Lookup agent has been removed in this release.

Fix:
In this release, you can use the SSL Check agent instead.


721752 : Null char returned in REST for Suggestion with more than MAX_INT occurrences

Component: Application Security Manager

Symptoms:
Unable to view ASM event log details for a majority of violations.

Conditions:
Suggestion with more than MAX_INT (2,147,483,647) occurrences.

Impact:
Null char returned in REST for Suggestion with more than MAX_INT occurrences.

Workaround:
Run the following SQL command, which resets occurrence counts that have wrapped negative back to MAX_INT:

UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647 where occurrence_count < 0;

Fix:
Null char is no longer returned in REST for Suggestion with more than MAX_INT occurrences.


721741 : BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative

Component: Application Security Manager

Symptoms:
The bd log reports errors similar to the following:
-------
ECARD_POLICY|NOTICE|May 24 04:49:42.035|4143|table.h:2408|IPTableList::del_object key not found in table
ECARD|ERR |May 24 04:49:42.035|4143|table.h:0398|KEY_UPDATE: Failed to REMOVE data will continue to add
-------

Conditions:
Configuring IP Address Exceptions in a certain order, with and without a route domain.

Impact:
BD and BD_Agent out-of-sync for IP Address Exception, causes false positives / false negatives

Workaround:
There is no workaround at this time.

Fix:
System no longer generates these false positive/negative log entries.


721740 : CPU stats are not correctly recorded when snapshot files have timestamps in the future

Component: TMOS

Symptoms:
One symptom is that a message similar to the following comes out in the log files frequently.

May 24 16:31:53 lusia_60.F5.COM warning merged[6940]: 011b0914:4: No individual CPU information is available.

Merged CPU stats will be 0.

Conditions:
If all of the snapshot stats files have timestamps in the future, CPU stats will not be correctly merged.

Impact:
Frequent error messages in the logs, and incorrect merged CPU stats.

Workaround:
Remove all of the stats snapshot files that have timestamps in the future and restart merged.

Fix:
Merged has been updated to correctly handle the case where all of the stats snapshot files have timestamps in the future, and now correctly merges the CPU stats.


721704 : UDP flows are not deleted after subscriber deletion

Component: Policy Enforcement Manager

Symptoms:
UDP flows continue to live until the UDP idle timeout expires, even after the subscriber is gone and the option for immediate deletion of the flow is enabled.

Conditions:
-- The option to delete flows upon subscriber deletion is enabled.
-- The UDP flow is established with an idle time greater than the re-evaluate timeout.

Impact:
The UDP flows remain alive longer than intended, but only drop the traffic.

Workaround:
To work around this issue:
1. Modify the UDP idle timer to a suitable value.
2. Force delete the UDP flow from CLI.

Fix:
UDP flows are now deleted after subscriber deletion.


721621 : Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node

Component: Local Traffic Manager

Symptoms:
If an LTM pool is configured with only FQDN members, the DNS server resolves the FQDN to IP addresses that match statically-configured LTM nodes, and the IP address records returned by the DNS server change, an ephemeral pool member may not be added to the pool for the new IP address.

When in this state, if the FQDN template pool member is deleted from the pool, a new ephemeral pool member may be added corresponding to the last IP address record returned by the DNS server.

Conditions:
This may occur when:
1. Static nodes are configured which match addresses that may be returned in the DNS query for a given FQDN name.
2. An FQDN node is created with autopopulate disabled, for an address which may resolve to the same address as one of the static nodes.
3. This FQDN node is added (as a pool member) with autopopulate disabled, to a pool with no other non-FQDN members.
4. The DNS server resolves the FQDN name to an address that matches one of the static nodes.
5. A subsequent DNS query resolves the FQDN name to a different address that matches a different static node.

Impact:
In this case:
-- The original ephemeral member is removed from the pool.
-- A new ephemeral member for the new address may NOT be added to the pool.
-- In this state, if the FQDN template member is deleted from the pool, a new ephemeral member (i.e., the missing ephemeral with new IP address) is re-added to the pool.

Note. This symptom can occur only if the statically-configured node is created prior to an ephemeral pool member being created for the same IP address. If an ephemeral pool member and node are created first, it is not possible to create a statically-configured node or pool member using the same IP address.

Overall, traffic for the affected pool may not be sent to correct pool member (new ephemeral address).

If no other members are defined in the pool, traffic will be interrupted.

Workaround:
This issue can be prevented by:
-- Avoiding configuring a static (non-FQDN) node with an IP address that matches any address that might be returned by the DNS server when resolving the FQDN.
-- Adding a statically-configured pool member to the pool in addition to the FQDN template member.

Once the symptom occurs, recovery is possible by performing either of the following actions:
-- Delete the statically-configured node with the conflicting IP address.
-- Recreate the node using the following procedure:
1. Delete the FQDN template member from the pool.
2. Delete the orphaned ephemeral member from the pool.
3. Re-add the FQDN template member to the pool.

Fix:
When an FQDN pool member address resolves to the same IP address as an existing static node, the corresponding ephemeral pool member is successfully created and deleted as expected, including when the IP address returned by the DNS query changes.


721610-2 : GUI does not show selfIP active firewall policies in non-0 route domains

Component: Advanced Firewall Manager

Symptoms:
Selecting a self-IP containing '%' does not filter the policy/rules.

Conditions:
This occurs when the following conditions are met:
-- Using the GUI.
-- Viewing active policies for a selfIP in a non-Common partition.
-- The self-IP is in RDx (where RD is route domain, and x is not 0 (zero), as designated by the percent (%) sign).

Impact:
The Active Rules page does not show the filtered policy/rules for a selected self-IP.

Workaround:
Use tmsh to find the policy attached to a given self-IP.

Fix:
GUI now shows filtered FW policies for self-IP containing '%'.


721570 : TMM core when trying to log an unknown subscriber

Solution Article: K20285019

Component: Carrier-Grade NAT

Symptoms:
Using CGNAT or FW-NAT with subscriber-id logging enabled can cause a TMM core when the subscriber ID is unknown.

Conditions:
-- An LSN pool or FW-NAT source translation that has a logging profile with subscriber-id enabled.
-- A PEM profile that allows unknown subscribers.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure PEM to deny connections from unknown subscribers.

Fix:
The system no longer crashes. It logs 'unknown' for unknown subscribers.


721526 : tcpdump fails to write verbose packet data to file

Component: TMOS

Symptoms:
On some BIG-IP platforms, tcpdump is unable to write verbose packet data to a file (e.g., 'tcpdump -nni 2.1:nn -e -vvv -s 0 -w /tmp/dump.pcap').

Conditions:
Use tcpdump with -w and -v options on a front panel interface that is actively sending/receiving traffic.

This occurs on the following hardware:

-- BIG-IP 5000,7000, 10000, i5000, i7000, i10000, i11000, and i15000 platforms.
-- VIPRION B4400, B4300, B2200, and B2100 blades.

Impact:
Cannot use tcpdump to write verbose packet data to file.

Workaround:
There is no workaround at this time.

Fix:
The tcpdump operation is now able to write verbose packet data to file.


721488 : procps-ng Vulnerabilities: CVE-2018-1124, CVE-2018-1126

Component: TMOS

Symptoms:
The procps-ng packages contain a set of system utilities that provide system information, including ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch, and pwdx.

procps-ng, procps: Integer overflows leading to heap overflow in file2strvec (CVE-2018-1124)

procps-ng, procps: incorrect integer size in proc/alloc.* leading to truncation / integer overflow issues (CVE-2018-1126)

Conditions:
Multiple integer overflows leading to heap corruption flaws were discovered in file2strvec(). These vulnerabilities can lead to privilege escalation for a local attacker who can create entries in procfs by starting processes, which will lead to crashes or arbitrary code execution in proc utilities run by other users (e.g., pgrep, pkill, pidof, w).

A flaw was found where procps-ng provides wrappers for standard C allocators that took `unsigned int` instead of `size_t` parameters. On platforms where these differ (such as x86_64), this could cause integer truncation, leading to undersized regions being returned to callers that could then be overflowed. The only known exploitable vector for this issue is CVE-2018-1124.

Impact:
None. This vulnerability does not affect BIG-IP systems running in default, standard or recommended configurations.

Workaround:
None

Fix:
Upgrade to the latest version.


721474 : AVR does not send all SSLO statistics to offbox machine.

Component: Application Visibility and Reporting

Symptoms:
When using the 'use-offbox' option, AVR does not send SSLO statistics to the offbox system.

Conditions:
-- AVR provisioned.
-- Use-offbox is enabled.

Impact:
SSLO statistics are not available for BIG-IQ analytics.

Workaround:
There is no workaround.

Fix:
AVR now sends SSLO statistics to offbox systems when the 'use-offbox' option is enabled.


721408-2 : Possible to create Analytics overview widgets in '[All]' partition

Component: Application Visibility and Reporting

Symptoms:
When creating new widgets, they are created under the currently set partition. If the partition is '[All]' (not a real partition), this name will be used to create the widgets.

In newer versions of BIG-IP software (v13.x or later), there is validation that disallows using non-existent partitions. When upgrading configurations that contain the '[All]' designation on the widgets, the operation fails because of those objects with the invalid partition.

Conditions:
Using BIG-IP software v11.x (or similar) to create widgets while in the read-only '[All]' pseudo-partition.

Impact:
Upgrade to v13.x or later fails.

Workaround:
Manually edit the configuration files and change '[All]' to 'Common', after which the upgrade should succeed.

Fix:
It is no longer possible to create widgets while not in an actual writeable partition.


721399 : Signature Set cannot be modified to Accuracy = 'All' after another value

Component: Application Security Manager

Symptoms:
ASM Signature Set cannot be modified to Accuracy = 'All' after another value was used previously.

Conditions:
-- ASM Signature Set has a value set for Accuracy filter.
-- Accuracy is subsequently set to 'All'.

Impact:
The change to Accuracy = 'All' does not take effect. ASM Signature Set cannot be modified to Accuracy = 'All'.

Workaround:
You can use either of the following workarounds:

-- Delete and re-create the Signature Set with the desired value.
-- Modify the filter to a value that will match all results (such as Accuracy is greater than or equal to 'Low').

Fix:
ASM Signature Set can now be set to Accuracy = 'All' after a value was previously set.


721364-2 : BIG-IP per-application VE BYOL license does not support three wildcard virtual servers

Component: TMOS

Symptoms:
A BIG-IP Virtual Edition (VE) admin can create only one wildcard virtual server under a per-application BYOL license.

Note: If you are using BIG-IQ 6.0.0 or 6.0.1 to manage AWS-based, per-app BIG-IP VE systems running versions 13.1.0.5 through 13.1.0.8, you must use the following AWS templates:

-- Default-AWS-f5-HTTPS-WAF-lb-template
-- Default-AWS-f5-HTTPS-offload-lb-template

For these two templates, ports 443 and 80 (for HTTP redirect) are hard-coded in an iRule, which enables this functionality.

Conditions:
Per-app VE with BYOL license.

Impact:
Per-app VE with BYOL license does not work as expected.

Workaround:
N/A

Fix:
Per-app VE BYOL license now supports three wildcard virtual servers.


721350 : The size of the icrd_child process is steadily growing

Component: TMOS

Symptoms:
The resident segment size (rss) for the icrd_child process continues to increase on issuing iCR GET requests. This increase is permanent and the rss does not drop back to its original size.

Conditions:
The following is an example config under which this issue occurs. Note this is an illustrative example; the actual issue might occur for various config objects.

GET tm/ltm/virtual?expandSubcollections=true wherein the virtual has some profiles associated with it.

ltm pool p-http { }
ltm virtual novel-1000 {
...
    pool p-http
    profiles {
        analytics { }
        http { }
        tcp { }
    }
....
}


# tmctl proc_pid_stat 'proc_name=icrd_child' -s proc_name,ppid,vsize,rss

On subsequent GET requests the rss size continues to increase.

Impact:
The rss of the icrd_child process keeps growing. This growth can lead to an icrd_child core, or to swapping, because limited memory is left for other processes.

Workaround:
There is no workaround.

Fix:
The memory leak was identified and fixed.


721342-1 : No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments.

Component: TMOS

Symptoms:
No Per-App Virtual Edition (VE) LTM or Per-App VE WAF images for various cloud environments.

Conditions:
Various Cloud environments (i.e., Azure, Google, AWS).

Impact:
No options to use various Per-App VE features.

Workaround:
None.

Fix:
There are now offerings for various cloud environments (Azure, Google, AWS). There are two types of Per-App VE LTM and two of Per-App VE WAF images.


721282 : Java Vulnerability: CVE-2018-3639

Solution Article: K58304450


721261 : v12.x Policy rule names containing slashes are not migrated properly

Component: Local Traffic Manager

Symptoms:
When migrating from v12.x to v13.0.x, 13.1.x, or 14.0.x, LTM policies that have rules containing the slash character do not migrate properly, and roll-forward migration fails.

Conditions:
-- BIG-IP systems running v12.x.
-- Configuration contains LTM Policy rules whose names include the slash (/) character.
-- Upgrading to v13.0.x, 13.1.x, or 14.0.x.

Impact:
Roll-forward migration fails with the error: illegal characters in rule name.

Workaround:
Edit the rule names within LTM Policies, replacing the now-illegal slash (/) character with a legal alternative, such as the underscore (_).

Alternatively, prior to migration, rename the rules on the v12.x system, and then perform the upgrade.

Fix:
BIG-IP software v12.x Policy rule names containing slashes are properly migrated.


721016-1 : vcmpd fails updating VLAN information on vcmp guest

Component: TMOS

Symptoms:
VLANs are not properly attached to a vCMP guest. They are in fact absent from the VLAN shared memory segment.

In the host /var/log/ltm, this message is observed:
err vcmpd[7839]: 01510004:3: Error updating vlan shm seg: -39

In the guest, these messages are observed:
warning chmand[8827]: 012a0004:4: VcmpShmIntf::querySeg: err code -30
warning chmand[8827]: 012a0004:4: readShmData: vCmpShmIntf: Query segment error
warning chmand[8827]: 012a0004:4: VcmpShmIntf::querySeg: err code -30

Conditions:
-- vCMP provisioned on a BIG-IP system.
-- vCMP guests deployed.
-- More than 3259 VLANs attached to guests from host.

Impact:
Cannot use newly deployed VLANs in the guest. Running the following command in the guest does not show the attached VLANs:
tmsh list net vlan

Workaround:
None.


720961-2 : Upgrading in Intelligence Community AWS environment may fail

Component: TMOS

Symptoms:
After importing an AWS instance into the Intelligence Community (IC) AWS environment, you cannot upgrade to 13.1.0.2 (or later) because the license fails to validate afterwards.

Conditions:
-- Manually imported BIG-IP image into AWS IC.
-- Upgraded to 13.1.0.2 or newer.

Impact:
The system fails to validate the license after rebooting into the new software. Licenses are inoperative after the upgrade.

Workaround:
To work around this issue, perform the following procedure:
1. Redeploy a BYOL image from the IC marketplace.
2. Move over the license.
3. Configure the system.

Fix:
This release improves license validation to address this situation: the system detects the IC environment but still allows prior licenses to function.


720819 : Certain platforms may take longer than expected to detect and recover from HSB lock-ups

Component: TMOS

Symptoms:
In the unlikely event of a HSB lock-up, certain BIG-IP platforms may take longer than expected to detect and recover from the condition.

For instance, it may take several minutes for an affected unit to detect the condition and initiate the predefined failsafe action.

Instead, the recovery mechanism should trigger almost instantaneously.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is an i56xx/i58xx, i76xx/i78xx, or i106xx/i108xx platform.

-- The HSB locks up due to a separate issue.

Impact:
Traffic is negatively impacted until the BIG-IP system detects and remedies the condition. This might take up to 15 minutes before remedied by a reboot, depending on other traffic being processed.

Workaround:
None.

Fix:
The HSB lock-up is now promptly detected and remedied.


720799 : Virtual Server/VIP flaps with FQDN pool members when all IP addresses change

Component: Local Traffic Manager

Symptoms:
When using FQDN pool members, if all ephemeral members are removed and replaced by a DNS query that returns an entirely new set of IP addresses (no overlap with previous DNS query results), all ephemeral pool members are removed before the new ephemeral pool members are created.

This results in a brief moment when there are no ephemeral members (that can receive traffic) in the pool.

Conditions:
A DNS query for the FQDN node in which the pool members belong, returns an entirely new set of IP addresses (no overlap with previous DNS query results).

Impact:
The brief moment during which there are no ephemeral members (that can receive traffic) in the pool can cause a Virtual Server or Virtual Address using that pool to flap.

Workaround:
It is possible to work around this issue by:
1. Adding a pool member with a statically-configured IP address.
2. Including multiple FQDN pool members in the pool, to limit the effect of the ephemeral members changing for a single FQDN pool member.

Fix:
When using FQDN pool members, ephemeral members whose IP addresses are not present in the most recent DNS query results are no longer immediately deleted from the pool.

To prevent the brief condition in which there are no ephemeral members in the pool (which can cause a Virtual Server or Virtual Address using that pool to flap), creation of new ephemeral nodes and pool members occurs immediately, but deletion of old ephemeral nodes and pool members occurs after a delay.

The duration of the delay follows the fqdn 'down-interval' value configured for the associated FQDN template node.
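To make the ordering concrete, here is an added illustration in Python. It is not BIG-IP code and is not taken from this document: it models the ephemeral members behind a single FQDN template member with a simple reconciliation loop, and the class name `FqdnEphemerals`, the function `simulate_full_replacement` and the addresses are all constructed for the example. With `delayed_delete=False` the old members are removed before the new ones are created and the live count reaches zero, which is the flapping condition; with `delayed_delete=True` the new members are added first and the stale ones are kept until `down_interval` seconds have elapsed, or revived if DNS returns them again in the meantime.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class FqdnEphemerals:
    """Toy model of the ephemeral members behind one FQDN template member.
    It is an illustration for this entry, not BIG-IP's implementation."""
    down_interval: int                     # seconds; mirrors the FQDN node's fqdn down-interval
    delayed_delete: bool = True            # False reproduces the pre-fix ordering
    members: Dict[str, Optional[int]] = field(default_factory=dict)   # ip -> expiry time, None = live

    def live(self, now: int) -> List[str]:
        """Members that can still receive traffic at time now."""
        return sorted(ip for ip, exp in self.members.items() if exp is None or exp > now)

    def expire(self, now: int) -> None:
        """Drop members whose deferred deletion time has passed."""
        for ip, exp in list(self.members.items()):
            if exp is not None and exp <= now:
                del self.members[ip]

    def reconcile(self, answers: Iterable[str], now: int) -> List[int]:
        """Apply one DNS answer set. Returns the live-member count before and after every
        individual add/delete step, so the caller can see whether the pool was ever empty."""
        answers = set(answers)
        self.expire(now)
        observed = [len(self.live(now))]
        if not self.delayed_delete:
            # pre-fix order: stale ephemerals are deleted before the new ones are created
            for ip in [ip for ip in self.members if ip not in answers]:
                del self.members[ip]
                observed.append(len(self.live(now)))
            for ip in sorted(answers):
                self.members[ip] = None
                observed.append(len(self.live(now)))
            return observed
        # fixed order: create immediately, then schedule stale members for deletion after down-interval
        for ip in sorted(answers):
            self.members[ip] = None           # also revives a member that was pending deletion
            observed.append(len(self.live(now)))
        for ip in self.members:
            if ip not in answers and self.members[ip] is None:
                self.members[ip] = now + self.down_interval
                observed.append(len(self.live(now)))
        return observed


def simulate_full_replacement(delayed_delete: bool, down_interval: int = 5):
    """Constructed scenario: DNS first returns {10.0.0.1, 10.0.0.2}; at t=60 it returns a
    completely different set {10.0.1.1, 10.0.1.2}. Returns (minimum live count observed
    during the swap, live set once the delay has elapsed)."""
    pool = FqdnEphemerals(down_interval, delayed_delete)
    pool.reconcile(["10.0.0.1", "10.0.0.2"], now=0)
    observed = pool.reconcile(["10.0.1.1", "10.0.1.2"], now=60)
    pool.expire(now=60 + down_interval)
    return min(observed), pool.live(now=60 + down_interval)


if __name__ == "__main__":
    print("pre-fix :", simulate_full_replacement(delayed_delete=False))
    print("fixed   :", simulate_full_replacement(delayed_delete=True))
```

Both variants end with the same member set; the difference is only whether the pool passes through an empty state on the way there, which is exactly what the virtual server's availability reacts to.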


720757 : Without proper licenses Category Lookup always fails with license error in Allow Ending

Component: Access Policy Manager

Symptoms:
When a per-request policy's Category Lookup agent queries Standard Categories with an expired SWG/URLF license (and has 'RST on failure' disabled), the execution always ends with the following log message:

Error: Global concurrent url filter session limit reached

The connection is aborted.

Conditions:
Category Lookup agent set to query the urldb engine (standard categories) with either no SWG/URLF license or an expired license.

Impact:
Even if 'RST on failure' is disabled, traffic cannot reach the allow ending successfully.

Workaround:
Remove the Category Lookup with standard category lookup from the per-request policy if the licenses do not allow for its use.

Fix:
The allow ending is now reached successfully and does not error out if Category Lookup fails due to licensing errors but is set to disable 'RST on failure'.


720756-2 : SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS

Component: TMOS

Symptoms:
The SNMP query for platform marketing name is 'unknown' for i11400-DS/i11600-DS/i11800-DS.

Conditions:
-- On licensed system, check OID marketing name.
-- Using i11400-DS/i11600-DS/i11800-DS platforms.

Impact:
Cannot tell the actual platform name in the SNMP query.

Workaround:
There is no workaround at this time.

Fix:
SNMP platform name is now reported correctly on BIG-IP i11400-DS/i11600-DS/i11800-DS platforms.


720713 : TMM traffic to/from a i10600/i10800 device in vCMP host mode may fail

Component: TMOS

Symptoms:
When an i10600/i10800 device is configured as a vCMP host and at least one vCMP guest is running (or ever ran), TMM traffic to the vCMP host may fail.

Note: Management port traffic to/from the device is unaffected.

Note: TMM traffic to/from the vCMP guests running on the device is unaffected. This issue affects only the vCMP host.

The most visible symptom is that TMM on the vCMP host fails to answer ARP requests that it receives for its own Self-IP addresses.

Conditions:
This issue occurs when all of the following conditions apply:

- An i10600/i10800 device in vCMP host mode.

- At least one vCMP guest is deployed or was deployed, at some point.

Impact:
Inability to communicate to/from the vCMP host via its Self-IP addresses.

Workaround:
None.

Fix:
The vCMP host continues to handle traffic correctly once a guest is started.


720695 : Export then import of APM access Profile/Policy with advanced customization is failing

Component: Access Policy Manager

Symptoms:
An exported policy containing advanced customization fails to import.

Conditions:
-- Export policy containing advanced customization.
-- Import the same policy.

Impact:
Import fails.

Workaround:
None.

Fix:
Access policy import containing advanced customization now succeeds.


720669 : Within the GUI, the 'MQTT-TLS' service port is incorrectly reported as 'common.all.MQTT-TLS'.

Component: TMOS

Symptoms:
In some sections of the GUI, the 'MQTT-TLS' service port may be incorrectly reported as 'common.all.MQTT-TLS'.

Conditions:
This is currently known to happen in the 'Virtual Server List' screen when a virtual server is configured to listen on port 8883 (a.k.a. MQTT-TLS).

Impact:
None. The issue is cosmetic and has no effect on traffic.

Workaround:
None.

Fix:
The 'MQTT-TLS' service port is reported as such within the GUI.


720651 : Running Guest Changed to Provisioned Never Stops

Component: TMOS

Symptoms:
After changing a vCMP guest's state to provisioned, the guest remains running and shows a status of stopping.

Conditions:
-- Guests deployed on a BIG-IP vCMP host.
-- Changing the state from deployed to provisioned.

Impact:
Guests do not stop and change status until vcmpd process is restarted.

Workaround:
There is no workaround.

Fix:
The guest now stops when the state is changed from deployed to provisioned.


720626 : Portal Access: CSS custom properties are supported by server-side CSS parser.

Component: Access Policy Manager

Symptoms:
Modern CSS includes custom properties (variables), which Portal Access does not support. When a custom property's value contains an external URL, that URL is not rewritten.

Conditions:
CSS file or HTML STYLE element with custom property inside, for example:

:root {
  --iset: image-set(url("/images/image-384.jpg") 1x, url("/images/image-768.jpg") 2x);
}

.img {
  background-image: var(--iset);
}

Impact:
Web application may not work correctly.

Workaround:
Use iRules to substitute 'var()' function calls in CSS files with the corresponding custom property values.

Fix:
Now Portal Access supports CSS custom properties in server-side CSS parser.
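The following added example (Python; not Portal Access code and not from this document) shows why a declaration-level rewriter that treats custom-property values as opaque leaves URLs unrewritten, what changes once custom properties are parsed, and how the var() substitution workaround helps. The stylesheet, the `/rw?u=` rewrite prefix and every function name are constructed for the illustration; the regular expressions are deliberately simple and do not handle every CSS construct (comments, nested at-rules, escaped quotes).

```python
import re
from typing import Dict, List

# Constructed stylesheet (not from the page): an external URL is only visible
# inside a custom property and is referenced elsewhere through var().
SAMPLE_CSS = """
:root {
  --iset: image-set(url("/images/image-384.jpg") 1x, url("/images/image-768.jpg") 2x);
  --logo: url(https://intranet.example/logo.png);
}
.img { background-image: var(--iset); }
.hdr { background: var(--logo) no-repeat; }
.raw { background-image: url("/static/raw.png"); }
"""

# A declaration is name ':' value, recognised only where it follows '{' or ';'
# so that selectors such as a:hover are not mistaken for declarations.
DECL_RE = re.compile(r"(?<=[{;])(\s*)([-\w]+)\s*:\s*([^;}]+)")
URL_RE = re.compile(r"url\(\s*(['\"]?)([^'\")]+)\1\s*\)")
VAR_RE = re.compile(r"var\(\s*(--[\w-]+)\s*(?:,\s*([^)]*))?\)")


def rewrite_url_tokens(value: str, prefix: str) -> str:
    """Point every url() token in one declaration value at the (hypothetical) portal prefix."""
    def sub(m):
        target = m.group(2)
        return m.group(0) if target.startswith(prefix) else f'url("{prefix}{target}")'
    return URL_RE.sub(sub, value)


def rewrite_stylesheet(css: str, prefix: str, custom_properties_supported: bool) -> str:
    """Rewrite declaration by declaration. With custom_properties_supported=False the
    values of '--*' declarations are left untouched, which is the gap this entry describes."""
    def sub(m):
        ws, name, value = m.groups()
        if name.startswith("--") and not custom_properties_supported:
            return m.group(0)
        return f"{ws}{name}: {rewrite_url_tokens(value, prefix)}"
    return DECL_RE.sub(sub, css)


def collect_custom_properties(css: str) -> Dict[str, str]:
    """Map '--name' -> declared value for every custom property in the stylesheet."""
    return {name: value.strip() for _, name, value in DECL_RE.findall(css) if name.startswith("--")}


def inline_vars(css: str, props: Dict[str, str]) -> str:
    """The workaround from this entry: replace var(--x[, fallback]) with the declared value
    so that a rewriter which ignores custom properties still sees the URLs."""
    def sub(m):
        name, fallback = m.groups()
        if name in props:
            return props[name]
        return fallback if fallback is not None else m.group(0)
    return VAR_RE.sub(sub, css)


def unrewritten_urls(css: str, prefix: str) -> List[str]:
    """URLs the browser would still fetch directly, bypassing the portal."""
    return [m.group(2) for m in URL_RE.finditer(css) if not m.group(2).startswith(prefix)]


if __name__ == "__main__":
    props = collect_custom_properties(SAMPLE_CSS)
    legacy = rewrite_stylesheet(SAMPLE_CSS, "/rw?u=", custom_properties_supported=False)
    fixed = rewrite_stylesheet(SAMPLE_CSS, "/rw?u=", custom_properties_supported=True)
    worked = rewrite_stylesheet(inline_vars(SAMPLE_CSS, props), "/rw?u=", False)
    print("left unrewritten (legacy):", unrewritten_urls(legacy, "/rw?u="))
    print("left unrewritten (fixed): ", unrewritten_urls(fixed, "/rw?u="))
    print(worked)
```

The check worth keeping from this is `unrewritten_urls`: run it over the stylesheet as served through the portal, and anything it lists is a resource the client will request from the origin directly.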


720623 : DHCP Client Script Code Execution vulnerability CVE-2018-1111

Solution Article: K32541890


720585 : Signatures generated by Behavioral DOS algorithm can create false-positive signatures

Component: Anomaly Detection Services

Symptoms:
There is a probability that the generated signatures will block unknown traffic (traffic that was not present before the attack) even when blocking it is not necessary from a service-health perspective.

Conditions:
Run attack traffic.
In parallel, run unknown traffic.
Together with the good traffic, the unknown traffic exceeds the learned baseline.

Impact:
The signatures may block unknown traffic even if blocking it is not necessary from a service-health perspective.

Workaround:
There is no workaround at this time.

Fix:
An adaptive ratio threshold now governs how much of the current bad-traffic sample a signature must cover. The ratio increases as long as service health is not good.
If health returns to good levels (below one), the ratio is reset to its initial value.


720581 : Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files

Component: Application Security Manager

Symptoms:
When using Policy Merge to add an XML Profile from policy A to policy B, if there are any Schema files (such as xsd or wsdl) associated with the profile, then the XML Profile added to policy B erroneously points to the file that is in policy A and does not create a new reference within policy B.

Conditions:
Policy Merge is used to add an XML Profile that contains a schema file from one policy to another.

Impact:
-- The reference to an object in another policy breaks BIG-IQ discovery.
-- The policy is not consistent after export/import.

Workaround:
None.

Fix:
Policy Merge now correctly adds the dependent files to the target policy with consistent references.


720461 : qkview prompts for password on chassis

Component: TMOS

Symptoms:
Qkview prompts for a password when executing getnodedates from the chassis module.

Conditions:
SSH auth keys are missing or corrupted.

Impact:
This blocks collecting qkview.

Workaround:
Edit the /usr/bin/getnodedates script and add -oBatchMode=yes to the SSH command, as shown in the following example:

        $date = `/usr/bin/ssh -q -oBatchMode=yes -oStrictHostKeyChecking=no $ip /bin/date`;

Fix:
The qkview is no longer blocked with a password prompt.


720460-2 : Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly

Component: Local Traffic Manager

Symptoms:
The sys db variable compression.strategy controls compression-provider selection. When it is set to 'softwareonly', compression still selects a hardware accelerator.

Conditions:
This always happens when compression.strategy is set to 'softwareonly'.

Impact:
Compression.strategy set to 'softwareonly' does not work, and if there is a problem in a hardware accelerator, compression will still select the hardware accelerator, even though software compression is desired.

Workaround:
There is no workaround.

Fix:
The system now supports software compression when the sys db variable compression.strategy is set to 'softwareonly'.


720391 : BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'

Component: TMOS

Symptoms:
BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' and 'unknown' when OID sysObjectID is queried.

Conditions:
1. Execute 'tmsh show sys hardware'.
2. Query for OID sysObjectID using snmpwalk.

Impact:
System is reported as 'none', when it should be i7800-D. Platform with dual SSD not correctly identified using tmsh command or snmpwalk.

Workaround:
None.

Fix:
Added new SNMP OID for BIG-IP i7800 Dual SSD, reported as BIG-IP i7800-D, which is the correct designation.


720293 : HTTP2 IPv4 to IPv6 fails

Component: Local Traffic Manager

Symptoms:
An IPv4-formatted virtual server with an IPv6-formatted pool member cannot establish the connection to the pool member if HTTP2 is configured.

Conditions:
-- IPv4 virtual Server.
-- IPv6 pool member.
-- HTTP2 profile.

Impact:
Traffic connection does not establish; no traffic passes.

Workaround:
None.

Fix:
In this release, an IPv4-formatted virtual server with an IPv6-formatted pool member works with HTTP2.


720269 : TACACS audit logging may append garbage characters to the end of log strings

Component: TMOS

Symptoms:
When using TACACS audit logging, you might see extra 'garbage' characters appended to the end of logging strings.

Conditions:
Using audit forwarding with a remote TACACS server.

Impact:
Confusing log messages. Remote TACACS logging might stop altogether after some time.

Workaround:
There is no workaround at this time.

Fix:
Prevented extra characters from being appended to TACACS audit logs.


720214-2 : NTLM Authentication might fail if Strict Update in iApp is modified

Component: Access Policy Manager

Symptoms:
Exchange Proxy NTLM authentication fails when the iApp's Strict Updates option is initially disabled and then turned back on. NTLM authentication fails with STATUS_NO_LOGON_SERVERS.

Conditions:
The Strict Update option in the iApp is modified.

Impact:
Any service using NTLM authentication will be disrupted.

Workaround:
Restart ECA and NLAD modules to work correctly again. To do so, run the following commands:

bigstart restart nlad
bigstart restart eca

Fix:
NTLM authentication now works as expected when Strict Update in the iApp is modified.


720189-2 : VDI settings in APM Webtop have the incorrect URL for Citrix Receiver client download

Component: Access Policy Manager

Symptoms:
The VDI settings contain the HTML5 package URL instead of the Citrix Receiver download link, so the hyperlink directs users to the HTML5 package.

Conditions:
-- Citrix VDI is configured in Replacement mode.
-- HTML5 package is configured using Citrix client bundle.
-- Citrix HTML5 client bundle is used with Connectivity profile attached to the virtual server.

Impact:
The incorrect package is downloaded to the APM Webtop user.

Workaround:
None.

Fix:
Fixed the hyperlink for Citrix Receiver download in VDI settings of Webtop.


720136 : Upgrade may fail on mcpd when external netHSM is used

Component: Local Traffic Manager

Symptoms:
When upgrading from 13.1 to 14.1, there might be a deadlock between mcpd and pkcs11d. "bigstart status pkcs11d" might return
"pkcs11d down, waiting for mcpd to release running semaphore".

Conditions:
Upgrading from 13.1 to 14.1 for BIG-IP with external netHSM enabled.

Impact:
External netHSM is not functional or the whole appliance/blade is not functional.

Workaround:
Try reinstalling external netHSM.

Fix:
The circular dependency between mcpd's validation and pkcs11d has been removed.


720110 : 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.

Component: TMOS

Symptoms:
Neither learned nor default-originate default routes (0.0.0.0/0) are sent to the BGP peer if the BGP peer has terminated the BGP session with TCP FIN, without BGP notify message.

Conditions:
1. BGP session is terminated without BGP notify (just TCP FIN).
2. Neither learned (not originated on the DUT) nor default-originate (originated on the DUT) default routes are sent.

Impact:
Default routes are not propagated in the network after the BGP peer restart.

Workaround:
There is no workaround at this time.

Fix:
Default routes are now always sent after the BGP session reset. Consistent behavior between BGP session reset with and without BGP notify message.


720104-3 : BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'

Component: TMOS

Symptoms:
BIG-IP i2800/i2600 650W AC PSU is missing marketing name under 'show sys hardware' and displays 'unknown' when OID sysObjectID is queried.

Conditions:
-- Execute 'tmsh show sys hardware'.
-- Query for OID sysObjectID using snmpwalk.
-- Using BIG-IP i2800/i2600 platforms.

Impact:
System reports an empty marketing name when queried. Platform with 650W AC PSU not identified using tmsh command or snmpwalk.

Workaround:
There is no workaround at this time.

Fix:
Added new SNMP OID for BIG-IP i2800/i2600 650W AC PSU.


720081 : dhclient.mgmt db variable value will need to be changed before downgrading from this version

Component: TMOS

Symptoms:
Configuration does not load after downgrading.

BIG-IP versions earlier than v14.1.0 recognize only two values for dhclient.mgmt (enable, disable). In v14.1.0, two new values were added (dhcpv4, dhcpv6). If the configuration uses one of the new values, you cannot downgrade to a version earlier than v14.1.0.

Conditions:
This occurs when the following conditions are met:
-- The BIG-IP system is running v14.1.0 or later.
-- The BIG-IP admin has manually changed the dhclient.mgmt value to dhcpv4 or dhcpv6 from the default enable. (To determine the value, you can run the following command: getdb dhclient.mgmt.)
-- The configuration has been saved using the command: tmsh save sys config
-- Downgrade to any pre-14.1.0 version.

Impact:
Config does not load, and BIG-IP system will be inoperative. You can still SSH into the device, however.

Workaround:
To prevent this issue from occurring, before downgrading to any pre-14.1.0 version, follow these steps:

1. Change the dhclient.mgmt value to either 'enable' or 'disable'.
2. Run the following command:
tmsh save sys config
3. Perform the downgrade.

If you have already attempted a downgrade and your configuration is not loading, you can edit the /config/bigip_base.conf file to change the dhclient.mgmt value to enable or disable.

Fix:
Before downgrading from v14.1.0 to an earlier version, set dhclient.mgmt to either 'enable' or 'disable' and run 'tmsh save sys config'.
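The pre-downgrade check and the post-downgrade repair above, as an added shell example that is not F5's code or part of the original release note. It assumes that a saved non-default db variable appears in bigip_base.conf as a 'sys db dhclient.mgmt { value "..." }' stanza; the sample file it operates on is constructed, and on a live system the file is /config/bigip_base.conf and the current value comes from 'getdb dhclient.mgmt'.

```sh
#!/bin/sh
# Added example, not F5's code: check and repair the dhclient.mgmt value in a
# bigip_base.conf-style file before (or after) a downgrade below 14.1.0.
# Assumed stanza form for a saved db variable:
#   sys db dhclient.mgmt {
#       value "dhcpv4"
#   }
# On a real system the file is /config/bigip_base.conf and the live value
# comes from 'getdb dhclient.mgmt' or 'tmsh list sys db dhclient.mgmt'.

# Print the value stored for dhclient.mgmt in the file, or "missing" when the
# variable is not saved at all (default 'enable' is not written to the file).
dhclient_mgmt_value() {
    awk '
        /^sys db dhclient\.mgmt[[:space:]]*[{]/ { inblk = 1; next }
        inblk && $1 == "value" { gsub(/"/, "", $2); print $2; found = 1; exit }
        inblk && /^}/ { inblk = 0 }
        END { if (!found) print "missing" }
    ' "$1"
}

# Exit 0 when a pre-14.1.0 release can load the file (value is enable,
# disable, or not saved); exit 1 for the 14.1.0-only values dhcpv4/dhcpv6.
downgrade_safe() {
    case "$(dhclient_mgmt_value "$1")" in
        enable|disable|missing) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite a dhcpv4/dhcpv6 value to "enable" in place, via a temp copy so it
# works with any awk and does not need GNU 'sed -i'.
fix_dhclient_mgmt() {
    tmp="$1.tmp.$$"
    awk '
        /^sys db dhclient\.mgmt[[:space:]]*[{]/ { inblk = 1 }
        inblk && $1 == "value" { sub(/"(dhcpv4|dhcpv6)"/, "\"enable\"") }
        inblk && /^}/ { inblk = 0 }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample standing in for /config/bigip_base.conf.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
sys global-settings {
    hostname bigip1.example.com
}
sys db dhclient.mgmt {
    value "dhcpv4"
}
EOF

if downgrade_safe "$sample"; then
    echo "dhclient.mgmt=$(dhclient_mgmt_value "$sample"): safe to downgrade"
else
    echo "dhclient.mgmt=$(dhclient_mgmt_value "$sample"): not loadable before 14.1.0, rewriting"
    fix_dhclient_mgmt "$sample"
    echo "dhclient.mgmt is now $(dhclient_mgmt_value "$sample"); run 'tmsh save sys config' before downgrading"
fi
rm -f "$sample"
```

On a running 14.1.0 system the supported path is still 'tmsh modify sys db dhclient.mgmt value enable' followed by 'tmsh save sys config'; the file rewrite is only for the case where the downgrade has already happened and mcpd cannot load the configuration.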


720045-2 : IP fragmented UDP DNS request and response packets dropped as DNS Malformed

Component: Advanced Firewall Manager

Symptoms:
AFM/DHD treats the IP fragmented UDP DNS packet (request or response) as DNS Malformed packet and drops these packets.

Conditions:
-- AFM/DHD is enabled (provisioned and licensed).
-- DNS Malformed vector is enabled at Device context (by default, it's always enabled).
-- AFM/DHD receives fragmented IP packet for UDP DNS request or response.

Impact:
AFM/DHD incorrectly treats such packets as DNS malformed and drops them.

If AFM/DHD receives any DNS request/response UDP packet that is fragmented at the IP layer, the system drops the packet, interrupting DNS service between client/servers through BIG-IP systems.

Workaround:
None.

Fix:
This issue is now fixed, as follows:

a) For IP fragmented UDP DNS request packet, AFM parses the first IP fragment to retrieve the L4 (UDP) header and DNS header and Question section.

  - If this information is available in the first IP fragment, AFM processes the packet for further DoS checks.
  - If this information is not available in first IP fragment, AFM drops the fragment as DNS Malformed.

b) For an IP-fragmented UDP DNS response packet, AFM parses the first IP fragment to retrieve the L4 (UDP) header, the DNS header, and the Question section.

  - If this information is available in the first IP fragment, AFM processes the packet for further DoS checks.
  - If this information is not available in the first IP fragment, the default behavior is to allow the fragmented DNS response through. To drop incomplete IP-fragmented DNS responses instead (the same treatment requests receive), set the db variable Dos.dns.respfrag.allow to false: tmsh modify sys db Dos.dns.respfrag.allow value false


720030 : Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV queries are sent without EDNS0. Without EDNS0, the internal DNS server (dnscached) truncates any UDP response larger than 512 bytes, so the query is retried over TCP. Each TCP retry leaves a connection in TIME_WAIT toward dnscached.

Conditions:
APM end users using Kerberos SSO to access backend resources.

Impact:
Ability to create new DNS requests is affected, if there are numerous sockets in TIME_WAIT. This can result in scalability issues.

Workaround:
For BIG-IP software v12.x and later,

Edit the /etc/resolv.conf file and add the line 'options edns0'.

There is no workaround if you are running a version earlier than 12.x.

Fix:
Kerberos DNS SRV requests now support EDNS0, so that UDP responses greater than 512 bytes can be received correctly, eliminating the need to re-send the request on TCP while communicating to the internal DNS server (dnscached).


719644 : If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions

Component: Global Traffic Manager (DNS)

Symptoms:
When an LTM configuration has virtual server names containing a period (.), a GTM configuration with auto-discovery enabled might lose consistency after an upgrade from v11.5.x to a later version.

Conditions:
-- Upgrading GTM from v11.5.x to later versions (e.g., BIG-IP DNS v12.x).
-- Auto-discovery is enabled.
-- LTM configuration containing virtual server names containing the period character (.).
-- The same virtual server name is used in multiple partitions.

Impact:
The configuration after the upgrade might be affected in the following ways:
-- Missing virtual servers.
-- Deletion of some pool members.
-- Virtual servers with incorrect addresses.

Workaround:
There is no workaround at this time.

Fix:
This release supports GTM upgrades from 11.x to BIG-IP DNS 12.x and later versions for cases where:
-- Auto-discovery is enabled.
-- LTM virtual server names contain a period character (.).
-- The same virtual server name is used in multiple partitions.


719600 : TCP::collect iRule with L7 policy present may result in connection reset

Component: Local Traffic Manager

Symptoms:
If an iRule utilizing TCP::collect and HTTP_REQUEST is on a virtual server with an L7 policy, the policy engine may cause the connection to be unexpectedly reset with a 'policy execution error' reset cause, and 'Unable to resume pending policy event on connflow' will be logged to /var/log/ltm.

Conditions:
TCP::collect and HTTP_REQUEST iRule with L7 policy on virtual server.

Impact:
Connections may be unexpectedly reset and errors logged to /var/log/ltm.

Workaround:
At the start of the HTTP_REQUEST event, issue an 'after 1' command to allow the policy engine to reach a consistent state before proceeding with the remainder of the iRule.


719597-2 : HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0

Component: TMOS

Symptoms:
When two VIPRION chassis with B2250 blades try to form a high availability (HA) connection, with one running v12.1.1 and the other running v13.1.0, HA connections between TMMs on Active and TMMs on Standby might fail.

Conditions:
-- Two VIPRION chassis with B2250 blades.
-- One chassis running v12.1.1 and the other running v13.1.0.
-- Try to configure HA connection.

Impact:
Fail to form HA connection.

Workaround:
There is no workaround other than installing the same software version on both chassis.

Fix:
A new sys db mhdag.bitshift is added to support HA configurations using B2250 blades running v12.1.1 and v13.1.x. Set mhdag.bitshift to 5 on VIPRION chassis with B2250 blades running v13.1.x by running the following command: tmsh modify sys db mhdag.bitshift value 5

HA between VIPRION chassis running v12.1.1 and v13.1.x with B2250 blades now works as expected.


719554 : Linux Kernel Vulnerability: CVE-2018-8897

Solution Article: K17403481


719459 : Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled

Component: Application Security Manager

Symptoms:
Policy builder suggests adding already existing URLs (as HTTPS) learned from response.

Conditions:
-- Differentiate HTTP and HTTPS URLs is disabled.
-- Learn-from response is enabled.
-- Server responses contain HTTPS links for HTTP requests instead of using protocol-relative URLs.

Impact:
This is a cosmetic issue in that incorrect suggestions are created. There is no impact to functionality.

Workaround:
Add the incorrect suggestions to the 'ignore' list.

Fix:
Policy builder no longer creates suggestions to add already existing URLs.


719396 : DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.

Solution Article: K34339214

Component: TMOS

Symptoms:
DHCP Client on the BIG-IP system sends host-name 'localhost' in DISCOVER packet after first boot.

Note: The problem goes away after the first boot.

Conditions:
-- DHCP is enabled (this is the default on BIG-IP systems).
-- Initial startup.

Impact:
This can affect the lease given out by the DHCP server in the given network if the DHCP server is configured in such a way as to dynamically update the DNS based on the host-name option in the lease.

Workaround:
-- Empty the /var/lib/dhclient/dhclient.leases file.
-- Run the following command: bigstart restart dhclient

Fix:
DHCP Client on the BIG-IP system no longer sends 'localhost' as the host-name in DISCOVER packet after first boot.


719247 : HTTP::path and HTTP::query iRule functions cannot be set to a blank string

Solution Article: K10845686

Component: Local Traffic Manager

Symptoms:
The HTTP::path and HTTP::query iRule functions generate an error if called with an argument that is a blank string, resulting in connection termination.

Conditions:
In an iRule where the argument is a blank string:
  HTTP::path ""
  HTTP::query ""

Impact:
Error encountered while executing iRule "HTTP::query $blank", and the connection is terminated with an error in the logs similar to the following:
   -- err tmm[17219]: 01220001:3: TCL error: /Common/ir_1-4045405141_query <HTTP_REQUEST>

Workaround:
To clear the query string, rewrite the URI to the path alone:
HTTP::uri [HTTP::path]

To clear the path, rewrite the URI to the query alone:
HTTP::uri [HTTP::query]

Fix:
HTTP::path and HTTP::query iRule functions now accept blank string arguments.


719198 : Disable eval execution in websafe's code

Component: Fraud Protection Services

Symptoms:
On pages that set a Content Security Policy (CSP) which blocks eval(), WebSafe's JavaScript still calls eval(), and the browser blocks the call.

Conditions:
Pages served with a CSP whose script-src does not allow eval() (no 'unsafe-eval').

Impact:
There's a javascript error, "Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src"). Source: call to eval() or related function blocked by CSP."

Workaround:
N/A

Fix:
A new option, set through the "Before Load Function", disables the use of eval() in WebSafe's JavaScript so that it runs under a CSP without 'unsafe-eval'.


719186 : Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts

Component: Fraud Protection Services

Symptoms:
Multipart/form-data requests are not supported in FPS. FPS-protected pages which have the enhanced data-manipulation feature enabled, may generate a false-positive 'missing strong integrity parameter' alert for multipart/form-data requests.

Conditions:
-- FPS profile attached to a virtual server.
-- Multipart/form-data requests to a URL.
-- Enhanced data-manipulation feature enabled on a protected URL.

Impact:
False-positive 'missing strong integrity parameter' alert.

Workaround:
Use the ANTIFRAUD::disable_alert iRule command to drop the alert. The HTTP_REQUEST event below sets the static::drop_alert flag for multipart/form-data requests to the protected URL (the path /upload is a placeholder; substitute the protected URL), and ANTIFRAUD_ALERT then suppresses the matching alert:

when HTTP_REQUEST {
    # Placeholder path: replace /upload with the protected URL that receives multipart uploads.
    if { [HTTP::path] equals "/upload" &&
         [string tolower [HTTP::header "Content-Type"]] starts_with "multipart/form-data" } {
        set static::drop_alert 1
    }
}

when ANTIFRAUD_ALERT {
    if {$static::drop_alert eq 1 &&
            [ANTIFRAUD::alert_type] eq "vtoken" &&
            [ANTIFRAUD::alert_component] eq "no_strong_integrity_param" } {
        ANTIFRAUD::disable_alert
        set static::drop_alert 0
    }
}

Note: static:: variables are shared across all connections rather than scoped to one request, so under concurrent traffic a flag set by one request can be consumed by another. Treat this as a stop-gap until the fixed release is installed.

Fix:
FPS no longer sends automatic-transaction alerts for unsupported requests, so multipart/form-data requests no longer generate false positive 'missing strong integrity parameter' alerts.


719179 : iRule class command now has '-list' option for get/names/match/search functions

Component: Local Traffic Manager

Symptoms:
When the class command matches a single item, it returns that item as a bare value; when it matches multiple items, it returns a list.

Conditions:
Using datagroups in an iRule.

Impact:
Inconsistent, perhaps unexpected, output.

Workaround:
None.

Fix:
The -list option now makes the class command return the result as a list unless there is no result.


719149 : VDI plugin might hang while processing native RDP connections

Component: Access Policy Manager

Symptoms:
Rarely, during processing of native RDP connections, the VDI plugin might hang, which prevents launch of VDI resources (Native RDP, Citrix, VMware View) from the APM Webtop.

Conditions:
APM Webtop is configured with native RDP resource.

Impact:
VDI resources (Native RDP, Citrix, VMware View) cannot be launched from APM Webtop.

Workaround:
None.

Fix:
Fixed rare VDI plugin hang caused by processing of native RDP connections.


719079 : Portal Access: same-origin AJAX request may fail under some conditions.

Component: Access Policy Manager

Symptoms:
Portal Access may reject response to same-origin AJAX request if host names in request and its origin differ in case.

Conditions:
A same-origin AJAX request whose host name differs in case from the host name of the page that issued it, for example:

AJAX request URL: https://example.com/some/file
Origin page URL: https://Example.com/origin/page.html

Impact:
Web application may not work correctly.

Workaround:
Use an iRule to remove 'F5_origin' parameter from the AJAX requests, for example:

when HTTP_REQUEST {
  if { [ HTTP::path ] contains "/iNotes/Forms9.nsf/iNotes/Proxy/" and [ HTTP::query ] contains "F5_origin=" } {
    regsub {F5_origin=[0-9a-f]+&F5CH=I} [ HTTP::query ] {F5CH=I} query
    HTTP::query $query
  }
}

Fix:
Now Portal Access handles same-origin AJAX requests correctly when host name case differs from the host name of origin page.


719005 : Login request may arrive corrupted to the backend server after CAPTCHA mitigation

Component: Application Security Manager

Symptoms:
Login request arrives corrupted (specifically, some of the characters in the payload are changed).

Conditions:
-- A brute force CAPTCHA mitigation happens.
-- Specific traffic conditions.

Impact:
Login request fails.

Workaround:
None.

Fix:
CAPTCHA request-handling now works as expected.


718885 : Under certain conditions, monitor probes may not be sent at the configured interval

Solution Article: K25348242

Component: Global Traffic Manager (DNS)

Symptoms:
When sufficient resources are configured with the same monitor interval, and the monitor timeout value is no more than two times the monitor interval, the monitored resource may be marked as unavailable (due to a timeout) then immediately changed to available.

Conditions:
Monitor interval is lower than the number of resources configured with the same monitor interval.

Impact:
Monitor probes are not consistently performed at the configured interval.

Workaround:
Set the monitor interval to a value greater than the number of resources monitored using that same interval value.

The key to this workaround is to ensure that the sum of the resources monitored at a given interval is not greater than the interval. That can be accomplished several ways depending on your configuration and requirements.

For example, if the monitoring interval is 30 seconds and there are 40 different monitors with a 30-second interval and each monitor is assigned to exactly one resource, there are at least two options:

-- Change the interval for 10 of the monitors to a different value.

-- Set the monitor interval to 40.

Note: If you change the monitor interval, make sure to also change the timeout value to follow best practices:
timeout value = (3 x interval) + 1.

Fix:
Monitoring is now consistently performed at the configured interval regardless of the number of resources with the same monitor interval.
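The interval and timeout rules from the workaround above, as an added shell audit that is not F5's code or part of the original release note. Its input is a constructed per-monitor table (name, interval in seconds, number of resources using the monitor, timeout); on a live system the interval and timeout columns come from 'tmsh list gtm monitor' and the resource count from the servers, virtual servers, pools and pool members that reference each monitor.

```sh
#!/bin/sh
# Added example, not F5's code: audit GTM monitor intervals against the rule
# in this entry (resources sharing one interval must not outnumber the
# interval in seconds) and against the timeout = (3 x interval) + 1 practice.
# Input is a constructed table, one monitor per line:
#   <monitor-name> <interval-seconds> <resources-using-it> <timeout-seconds>

# Print "<interval> <total-resources>" for every interval whose total number
# of resources exceeds the interval, sorted by interval.
overloaded_intervals() {
    awk '
        NF == 4 && $1 !~ /^#/ { total[$2] += $3 }
        END { for (i in total) if (total[i] > i + 0) print i, total[i] }
    ' | sort -n
}

# Print "<monitor> <timeout> <recommended>" for monitors whose timeout is not
# (3 x interval) + 1.
timeout_mismatches() {
    awk '
        NF == 4 && $1 !~ /^#/ && $4 != 3 * $2 + 1 { print $1, $4, 3 * $2 + 1 }
    ' | sort
}

# Recommended timeout for a given interval, per the note in this entry.
recommended_timeout() {
    echo $(( 3 * $1 + 1 ))
}

# Constructed sample: 45 resources share the 30-second interval, which exceeds
# 30, and https_m1 carries a timeout that does not follow 3n+1.
MONITORS='# name interval resources timeout
http_m1   30 15 91
http_m2   30 20 91
https_m1  30 10 61
tcp_m1    10  5 31
tcp_m2    60  3 181'

echo "intervals with more resources than seconds:"
printf '%s\n' "$MONITORS" | overloaded_intervals
echo "monitors whose timeout is not 3*interval+1:"
printf '%s\n' "$MONITORS" | timeout_mismatches
echo "raising the 30-second interval to 45 needs a timeout of $(recommended_timeout 45) seconds"
```

An interval that is flagged can be fixed either by moving some of its monitors to a different interval or by raising the interval to at least the resource total; either way, re-run the timeout check afterwards so the timeouts follow the changed intervals.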


718817 : Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.

Component: TMOS

Symptoms:
Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest fails due to a race condition.

There are log entries in /var/log/liveinstall.log:

-- error: status 256 returned by command: F5_INSTALL_SESSION_TYPE=install tmsh -f save sys ucs /var/tmp/kRf24pKXTQ.ucs.
-- info: tar: config/.ucs_base_mac: Cannot stat: No such file or directory.
-- info: Unexpected Error: UCS saving process failed.

Conditions:
-- Installing onto secondary VIPRION blade or onto VIPRION-based vCMP guest.

Impact:
Software installation fails.

Workaround:
You can use either workaround:
-- Add 'ignore .ucs_base_mac' to the 'monitor dir /config' stanza in /etc/csyncd.conf on all blades, and then restart csyncd on all blades by running "clsh bigstart restart csyncd"

-- Retry the installation until it succeeds.


718812 : Removed 3des-cbc from default cipher list for SSHD.

Component: TMOS

Symptoms:
3des-cbc is still available in the default cipher list for the SSH daemon (sshd) on the BIG-IP management address.

Conditions:
Using cipher 3des-cbc in the default configuration.

Impact:
There is no specific impact; however, many open source projects (e.g., OpenSSL) and international certification standards (e.g., Common Criteria) have deprecated 3DES-based ciphers.

Workaround:
None.

Fix:
Removed 3des-cbc from default cipher list for sshd.

Important: Clients that support only 3des-cbc will no longer be able to connect to the BIG-IP system in the default configuration.

For information about restoring 3des-cbc support for configurations that require it, see K80425458: Modifying the list of ciphers and MAC algorithms used by the SSH service on the BIG-IP system or BIG-IQ system :: https://support.f5.com/csp/article/K80425458. The string needed to restore support is '3des-cbc'.

Behavior Change:
The cipher 3des-cbc has been included for many releases of BIG-IP software. Starting in this release 3des-cbc has been removed from the default cipher string. This change improves overall security of the BIG-IP system's default configuration of sshd.

Important: Clients that support only 3des-cbc will no longer be able to connect to the BIG-IP system in the default configuration.

You can restore 3des-cbc support for configurations that require it by modifying the cipher string to include 3des-cbc. For information, see K80425458: Modifying the list of ciphers and MAC algorithms used by the SSH service on the BIG-IP system or BIG-IQ system :: https://support.f5.com/csp/article/K80425458. The string needed to restore support is '3des-cbc'.
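A way to verify the sshd cipher list before and after this change, as an added shell example that is not F5's code or part of the original release note. The two cipher lists it checks are constructed samples, not F5's actual defaults; on a live BIG-IP the effective list comes from 'sshd -T' (OpenSSH test mode, which prints the effective configuration) and any override configured per K80425458 from 'tmsh list sys sshd include'.

```sh
#!/bin/sh
# Added example, not F5's code: audit an sshd cipher list for CBC-mode and
# other deprecated ciphers. The lists below are constructed samples. On a live
# BIG-IP, feed in the effective list from 'sshd -T | grep -i ^ciphers' or the
# override string from 'tmsh list sys sshd include'. To confirm the removal
# from outside, 'ssh -o Ciphers=3des-cbc admin@<bigip>' must fail with
# "no matching cipher found".

# Print the deprecated entries of a comma-separated cipher list, one per line
# (CBC mode, RC4/arcfour, blowfish, and anything 3DES-based).
weak_ssh_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | grep -E -- '-cbc$|^arcfour|^blowfish|^3des' || true
}

# Exit 0 when the list carries none of the deprecated ciphers.
cipher_list_clean() {
    [ -z "$(weak_ssh_ciphers "$1")" ]
}

# Constructed samples: a list that still offers 3des-cbc and other CBC
# ciphers, and a hardened list limited to AEAD and CTR ciphers.
OLD_LIST='aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc'
NEW_LIST='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

for l in "$OLD_LIST" "$NEW_LIST"; do
    if cipher_list_clean "$l"; then
        echo "clean: $l"
    else
        echo "deprecated ciphers offered:"
        weak_ssh_ciphers "$l" | sed 's/^/  /'
    fi
done
```

If the audit still flags 3des-cbc after upgrading, an include string restored it; treat that as a tracked exception tied to the client that needs it rather than a permanent setting.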


718772 : The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists)

Component: Anomaly Detection Services

Symptoms:
The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists).

Conditions:
Attack traffic carrying a header that is not on the known-header list, for example 'Upgrade-Insecure-Requests: 1'.

Impact:
In the GUI, when the signature with the predicate 'unknown_header' is edited, this predicate is empty (instead of exists / does not exist).

Workaround:
There is no workaround.

Fix:
1. Change 'http.unknown_header' predicate into 'http.unknown_header_exists'.
2. Keep supporting the old format 'http.unknown_header'.


718767 : Duplicate key error in PL_SCANNER_CONFIG on particular binary policy import

Component: Application Security Manager

Symptoms:
A specific binary policy file could not be imported due to corrupted records in table "PL_SCANNER_CONFIG".

Conditions:
This can occur with a binary policy file with corrupted records in table "PL_SCANNER_CONFIG".

Impact:
The binary policy file with corrupted records cannot be imported.


718685 : The measured number of pending requests is two times higher than actual one

Component: Anomaly Detection Services

Symptoms:
The measured number of pending requests is two times higher than actual.

Conditions:
Virtual server configured with a Behavioral DoS profile.

Impact:
The server-stress mechanism is more sensitive than intended, so a temporary traffic spike can trigger unnecessary DoS mitigation.

Note: The admd process provides stress-based DoS detection and mitigation control. When admd is not running, there is no stress-based anomaly detection or behavioral statistics aggregation.

Workaround:
Modify the adm.health.sensitivity value.

For example, to change health sensitivity from 50 to 500, run the following command:
tmsh modify sys db adm.health.sensitivity value 500

Fix:
Fixed initial adm flow sampling, so that the measured number of pending requests now equals actual.


718525 : PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting

Component: TMOS

Symptoms:
After removing the mcpd binary database and restarting, occasionally there are errors similar to the following in /var/log/ltm:

warning postgres[7663]: [3-1] ERROR: duplicate key value violates unique constraint "vlan_pkey"

(The object type may be something other than 'vlan_pkey'.)

Conditions:
This occurs when you remove the mcpd binary database and reboot the system.

Impact:
The configuration does not load until 'bigstart restart' is executed.

Workaround:
None.

Fix:
The 'duplicate key value' errors are no longer seen when removing the mcpd binary database and restarting.


718409 : Users may get blocked on Web Scraping or CAPTCHA

Component: Application Security Manager

Symptoms:
Users using touchscreen or touchpad may get falsely blocked under the Web Scraping violation. Similarly, some users may fail to pass the CAPTCHA challenge when triggered by Brute Force Mitigation, DoSL7 Mitigation, or Proactive Bot Defense.

Conditions:
Either:
- Web Scraping is enabled with Bot Detection set to alarm or to block (13.1.x/14.0.x).
- CAPTCHA mitigation is in use due to another suspicious activity, triggered by Brute Force Mitigation, DoSL7 Mitigation, or Proactive Bot Defense (14.0.x).

And:
User is using touchscreen or touchpad.

Impact:
Some legitimate users may get blocked.

Workaround:
None.

Fix:
Fixed false detection of some users as bots causing them to be blocked by Web Scraping or CAPTCHA.


718397 : IKEv2: racoon2 appends spurious trailing null byte to ID payloads

Component: TMOS

Symptoms:
IPsec clients implementing RFC5996 correctly cannot interoperate with the BIG-IP system when the peers-id-type is anything other than address, because racoon2 inside BIG-IP appends a null byte to any string-based ID type (for both peers_id and my_id). This makes the IKE_AUTH exchange fail, usually because the ID_I from the initiator cannot match the peers-id-value in config for that ike-peer, because there is a one-byte difference between the compared strings.

Conditions:
When any non-BIG-IP client initiates an IKE negotiation using any id-type that is not IPv4 or IPv6. In particular, fqdn and asn1dn for peers-id-type in local BIG-IP configurations.

Impact:
IKE negotiation fails during the second IKE_AUTH exchange of messages, preventing any tunnel from being established. Outage with a non-BIG-IP client is permanent until the config is changed to use peers-id-type=address.

Workaround:
Use peers-id-type=address to interoperate with non-BIG-IP clients for IPsec.

Fix:
Because RFC5996 forbids trailing null bytes in ID payloads, the BIG-IP software was actually not compliant with the RFC by encoding payloads this way itself. It only worked because both initiator and responder did the same thing. Now the BIG-IP software does not add the extra trailing null byte into ID payloads and local ID values, so the BIG-IP system can accept IKE_AUTH messages from non-BIG-IP clients.

Note: this fix creates an incompatibility with previous BIG-IP version when peers-id-type is any other type than address.


718234-1 : Updating tests according to canIUse database

Component: Application Security Manager

Symptoms:
The browser-capability tests used for suspicious-browser scoring are out of date relative to the caniuse database, so some capabilities are evaluated incorrectly.

Conditions:
Proactive Bot Defense, Block suspicious browsers is enabled.

Impact:
Browsers might get scored incorrectly, and therefore get captcha/tcp rst when they should not (Or not get captcha/tcp rst when they should).

Workaround:
None.

Fix:
The capability tests are updated to match the caniuse database, so browsers are scored as expected.


718232 : Some FTP servers may cause false positive for ftp_security

Component: Application Security Manager

Symptoms:
A login might get rejected after a lower number of failed logins than is configured for 'Maximum Username Login Retries'. BIG-IP system posts the following error message: 530 Too many failed login attempts by the user.

Conditions:
-- The server sends unexpected ingresses that are rejected.
-- There is a value specified for 'Maximum Username Login Retries'.

Impact:
A legitimate user might be rejected and have to wait until the configured 'Re-enable login' time.

Workaround:
There is no workaround at this time.

Fix:
This release provides an internal param that, when enabled, causes these unknown ingresses from the server to be ignored. Because of the traffic-specific nature of this issue, use of this internal parameter should occur under the direction of F5 Support.


718201-1 : No alert for failed RAID disk

Component: TMOS

Symptoms:
If a BIG-IP system boots with a failed drive in a RAID array, no alert will be logged.

Conditions:
-- BIG-IP system with dual SSDs.
-- One of the drives has previously failed.
-- The system is booted/rebooted.

Impact:
There is no warning that the system is not operating in a mirrored RAID state.

Workaround:
Run 'tmsh show sys raid disk all-properties' to show the status of the RAID array.


718136 : 32-bit F5 VPN and Endpoint Inspector apps are discontinued on Linux

Component: Access Policy Manager

Symptoms:
32-bit F5 VPN and Endpoint Inspector apps are not available for new installation or update on Linux.

Conditions:
Use a browser (Mozilla Firefox or Google Chrome) to establish network access (VPN) for 32-bit F5 VPN and Endpoint Inspector apps.

Impact:
APM end user cannot establish network access (VPN) on 32-bit Linux using a browser. APM does not offer 32-bit F5 VPN and Endpoint Inspector apps for installations or update.

Workaround:
Use 32-bit CLI VPN client.

Fix:
Because of increased size, low usage, and industry trends, F5 has discontinued support of the desktop Linux 32-bit VPN and Endpoint Inspection apps.


718033 : REST calls fail after installing BIG-IP software or changing admin passwords

Component: Device Management

Symptoms:
After installing the latest BIG-IP software, or changing the BIG-IP admin passwords once or twice, REST calls might fail with the following error: 400 - Bad Request.

Conditions:
The conditions under which this occurs are not well understood. The issue occurs randomly, and is likely the result of a timing issue.

Impact:
REST calls or GUI operations fail to work. Get errors on screen.

Workaround:
Run the following command on the BIG-IP system:
$ bigstart restart restjavad


717909-1 : tmm can abort on sPVA flush if the HSB flush does not succeed

Component: Advanced Firewall Manager

Symptoms:
When the BIG-IP system comes up, or when tmm, dwbld, or iprepd restarts, tmm flushes sPVA. If the flush does not succeed, tmm can block for 10 seconds waiting for it, which can cause tmm to abort (crash) on a heartbeat failure.

Conditions:
-- BIG-IP system comes up, or tmm/dwbld/iprepd restart.
-- HSB flush does not succeed within ~3 seconds (it is supposed to succeed within ~3 seconds unless something is wrong with the HSB).

Impact:
tmm will have to be restarted. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
The system now checks asynchronously to determine whether or not the flush sPVA has succeeded.


717900-3 : TMM crash while processing APM data

Solution Article: K27044729


717888-3 : TMM may leak memory when a virtual server uses the MQTT profile.

Solution Article: K26583415


717785 : Interface-cos shows no egress stats for CoS configurations

Component: TMOS

Symptoms:
No egress packet counts per CoS queue are reported on B21x0 and 5x00/7x00 platforms. The issue affects the egress packet statistics reporting per CoS queue only. The operation of the CoS feature is not affected and the egress packets statistics reporting per external interface is also not affected.

Conditions:
-- A valid 8-queue hardware CoS configuration is enabled and passing traffic.
-- BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.
-- Running the show net interface-cos command.

Impact:
Egress packet statistics reported per CoS queue shows no counts.

Workaround:
None.

Fix:
This release supports per egress CoS queue packet count statistics reporting for BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.


717756 : High CPU usage from asm_config_server

Component: Application Security Manager

Symptoms:
Use of Automatic policy builder might result in high CPU usage of asm_config_server (and ASM slowdown).

Conditions:
- Automatic policy builder.
- Several entity types learning in 'Add all entities' configuration.

Impact:
ASM availability impacted.

Workaround:
-- Switch to Manual policy builder.
-- Set entity types learning to compact / selective / never.

Fix:
Policy builder no longer puts unnecessary load on ASM configurations.


717742 : Oracle Java SE vulnerability CVE-2018-2783

Solution Article: K44923228


717741 : Accepted suggestions originating in accepted requests are not disclosed in audit log as such

Component: Application Security Manager

Symptoms:
When a request is accepted from request log, several suggestions can be automatically accepted by the policy builder. These accepted suggestions are shown in audit log as accepted suggestions of the policy builder without disclosing the fact that the suggestions were accepted due to an accepted request.

Conditions:
Accepting request from request log.

Impact:
Audit log can be misleading (e.g., if the policy builder is in manual mode, it is very unexpected to see automatic suggestions accepted).

Workaround:
None.

Fix:
Audit log record of accepted suggestions originating in accepted request will change as follows:

- Component stays 'Policy Builder'.
- Description includes the following information: 'Operation originated in user-accepted request. Support ID: xxxxxxxxxxxxx'.
- 'User' is the user that accepted the request.


717730 : Add a logging module that will log the beginning of long requests to bd.log

Component: Application Security Manager

Symptoms:
ASM provides no visibility into which requests are treated as long requests, or how often they arrive, so there is no data from which to size the long_request_buffer_size and max_concurrent_long_requests internal parameters.

Conditions:
Arrival of long requests.

Impact:
You cannot size the long_request_buffer_size and max_concurrent_long_requests internal parameters from observed traffic.

Workaround:
N/A

Fix:
A new logging module: "LONG_REQUEST" was added in order to log these long requests.

Two log entries were added:

1. DEBUG - Printed once every long request.
2. NOTICE - Printed together with UMU stats (every 15 seconds or so), when the total number of concurrent long requests has changed.

For example:

LONG_REQUEST|DEBUG |Sep 07 11:42:55.776|21996|io_plugin.c:9596|Long request for account id 1, url /index.php, buffer size 10000000, content-length :200000, content-type: application/x-www-form-urlencoded, number of concurrent long requests: 1, maximum number of concurrent long requests allowed: 111, beginning of payload: 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222

LONG_REQUEST|NOTICE|Sep 07 11:43:03.296|22010|temp_func.c:4164|Total allocated long request buffers: 1, Total memory used by long request buffers: 10000000 bytes
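Summarizing these LONG_REQUEST entries so the two parameters can be sized from real traffic, as an added shell example that is not F5's code or part of the original release note. The log lines it parses are constructed in the format shown above; the bd.log location (/var/log/asm/bd.log) is an assumption to verify on your release.

```sh
#!/bin/sh
# Added example, not F5's code: summarize LONG_REQUEST|DEBUG lines from bd.log
# per URL and report the peak concurrency seen against the configured maximum,
# so long_request_buffer_size and max_concurrent_long_requests can be sized
# from observed traffic. Fields are split on '|' as in the sample entries; the
# message text is then split on ', ' into its labelled parts.
# Assumed live path: /var/log/asm/bd.log (verify on your release).

# Print "<url> <long-request-count> <largest-content-length>" per URL, sorted.
long_request_by_url() {
    awk -F'|' '
        $1 == "LONG_REQUEST" && $2 ~ /DEBUG/ {
            n = split($6, f, ", ")
            url = ""; len = 0
            for (k = 1; k <= n; k++) {
                v = f[k]
                if (sub(/^url /, "", v)) url = v
                else if (sub(/^content-length :/, "", v)) len = v + 0
            }
            count[url]++
            if (len > biglen[url]) biglen[url] = len
        }
        END { for (u in count) print u, count[u], biglen[u] }
    ' | sort
}

# Print "<peak-concurrent> <allowed-concurrent>" over the whole log: how close
# the system came to max_concurrent_long_requests.
long_request_peak() {
    awk -F'|' '
        $1 == "LONG_REQUEST" && $2 ~ /DEBUG/ {
            n = split($6, f, ", ")
            for (k = 1; k <= n; k++) {
                v = f[k]
                if (sub(/^number of concurrent long requests: /, "", v)) { if (v + 0 > peak) peak = v + 0 }
                else if (sub(/^maximum number of concurrent long requests allowed: /, "", v)) allowed = v + 0
            }
        }
        END { print peak + 0, allowed + 0 }
    '
}

# Constructed bd.log excerpt in the format shown in this entry.
BD_LOG='LONG_REQUEST|DEBUG |Sep 07 11:42:55.776|21996|io_plugin.c:9596|Long request for account id 1, url /index.php, buffer size 10000000, content-length :200000, content-type: application/x-www-form-urlencoded, number of concurrent long requests: 1, maximum number of concurrent long requests allowed: 111, beginning of payload: 2222
LONG_REQUEST|DEBUG |Sep 07 11:42:56.102|21996|io_plugin.c:9596|Long request for account id 1, url /upload.php, buffer size 10000000, content-length :8500000, content-type: multipart/form-data, number of concurrent long requests: 2, maximum number of concurrent long requests allowed: 111, beginning of payload: 2222
LONG_REQUEST|NOTICE|Sep 07 11:43:03.296|22010|temp_func.c:4164|Total allocated long request buffers: 2, Total memory used by long request buffers: 20000000 bytes
LONG_REQUEST|DEBUG |Sep 07 11:43:10.511|21996|io_plugin.c:9596|Long request for account id 1, url /upload.php, buffer size 10000000, content-length :9800000, content-type: multipart/form-data, number of concurrent long requests: 3, maximum number of concurrent long requests allowed: 111, beginning of payload: 2222'

echo "long requests per URL (count, largest content-length):"
printf '%s\n' "$BD_LOG" | long_request_by_url
echo "peak concurrent long requests vs allowed: $(printf '%s\n' "$BD_LOG" | long_request_peak)"
```

The largest content-length per URL is the number to compare against long_request_buffer_size, and the peak against max_concurrent_long_requests; a peak that regularly approaches the allowed value is the signal to raise the limit or to rate-limit the URL producing it.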


717525 : Behavior for classification in manual learning mode

Component: Application Security Manager

Symptoms:
- Extractions are added to parameters in manual mode.
- In manual learning mode on 'fallback to default' URL classification is not ended properly (resulting in repetitive audit log attempts to end URL classification).
- In manual learning mode on 'fallback to default', parameter staging is set to true.
- The system writes errors to pabnagd.log.

Conditions:
- Manual learning mode.
- Classification is on for either parameters or URLs.
- Any option of 'Learn Dynamic Parameters' is turned on (even if checkbox is disabled).

Impact:
- URL content types are not enforced in manual mode.
- Parameters are getting staged automatically in manual mode.
- Parameters are classified as dynamic (value type).
- Extractions are added to dynamic parameters

Workaround:
- Update the URLs manually (any update will take them out of classification).
- Manually unstage parameters with 'fallback to default'.
- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').

Fix:
- URLs end classification successfully on 'fallback to default' in manual mode.
- Parameters staging is not changed on 'fallback to default' in manual mode.
- Parameters are not classified as dynamic in manual mode.
- Extractions are not added to dynamic parameters in manual mode.
- No errors in pabnagd.log.


717391 : advCustHelp - how to add, remove, and modify advanced customization without it

Component: Access Policy Manager

Symptoms:
Beginning in v13.x, advCustHelp does not work as expected.

Conditions:
Using advCustHelp with version v13.x, or later.

Impact:
Cannot use advCustHelp to add, remove, or modify advanced customization.

Workaround:
Here are the commands to substitute:

-- To list all customization groups on the device:
tmsh list apm policy customization-group

-- To list one customization group, use the following command:
tmsh list apm policy customization-group NAMEOFCG

-- To add new advanced customization, use the following command:
modify apm policy customization-group NAMEOFCG templates add { NAMEOF.INC { local-path PATHTOFILE } }

-- To delete advanced customization, use the following command:
modify apm policy customization-group NAMEOFCG templates delete { NAMEOF.INC }

-- To update files, use the following command:
modify apm policy customization-group NAMEOFCG templates modify { NAMEOF.INC { local-path PATHTOFILE } }

Fix:
Beginning in this release, advCustHelp has been removed.

Behavior Change:
Beginning in v13.x, you cannot use advCustHelp to add, remove, or modify advanced customization.

Here are the commands to substitute:

-- To list all customization groups on the device:
tmsh list apm policy customization-group

-- To list one customization group, use the following command:
tmsh list apm policy customization-group NAMEOFCG

-- To add new advanced customization, use the following command:
modify apm policy customization-group NAMEOFCG templates add { NAMEOF.INC { local-path PATHTOFILE } }

-- To delete advanced customization, use the following command:
modify apm policy customization-group NAMEOFCG templates delete { NAMEOF.INC }

-- To update files, use the following command:
modify apm policy customization-group NAMEOFCG templates modify { NAMEOF.INC { local-path PATHTOFILE } }


717346 : [WebSocket] tmsh show /ltm profile WebSocket current and max numbers far larger than total

Solution Article: K13040347

Component: Local Traffic Manager

Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.

Conditions:
Rarely occurring; an unstable network could be one of the causes.

Impact:
Cannot use stats for troubleshooting.

Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket


717113 : It is possible to add the same GSLB Pool monitor multiple times

Component: Global Traffic Manager (DNS)

Symptoms:
After adding a monitor in the Web GUI and updating, the monitor does not get removed from the Available list and can be added again.

Conditions:
This issue affects the GSLB Pool create and properties pages.

Impact:
The impact is only for those adding the monitor. No extra system resources are used when adding multiple identical monitors to a pool.

Workaround:
None.

Fix:
Once a monitor is added via the Web GUI, that monitor is now removed from the Available list.


716992-1 : The ASM bd process may crash

Solution Article: K75432956


716952 : With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process completes.

Component: Local Traffic Manager

Symptoms:
When TCP Nagle is enabled, the data sent from the server is handled by the SSL filter, which offloads data processing. The SSL filter forwards the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message to the TCP4 filter. Because Nagle is enabled, this leaves the last offloaded packet 'stuck' in the TCP4 filter.

Conditions:
-- Nagle is enabled.
-- SSL filter is in the chain.

Impact:
The last data packet waits until all other packets have been ACKd.

Workaround:
None.

Fix:
SSL filter now holds the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message if an offloaded data packet is still in progress.


716940 : Traffic Learning screen graphs show data for the last day only

Component: Application Security Manager

Symptoms:
Traffic Learning screen graphs show data for the last day only.

Conditions:
Visit Learning screen 1 hour after policy creation.

Impact:
Statistics shown are for the last day. No statistics for longer or for shorter periods of time.

Workaround:
There is no workaround.

Fix:
Statistics are shown for the correct time interval, at most 2 weeks/policy creation date. Possible statistics intervals are as follows: 1 hour, 1 day, 2 weeks.


716922 : Reduction in PUSH flags when Nagle Enabled

Component: Local Traffic Manager

Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.

Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.

Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.

Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.

Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.

Note: To take advantage of some of the Nagle benefits, use 'Auto'.

Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.


716900 : TMM core when using MPTCP

Component: Local Traffic Manager

Symptoms:
In some cases TMM may crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic interrupted while TMM restarts.

Workaround:
There is no workaround other than to disable MPTCP.

Fix:
TMM no longer produces a core.


716851 : SNMP EngineID type configuration for IPv4 and IPv6 address selection selects the loopback address

Component: TMOS

Symptoms:
TMSH commands allow you to enter parameters that are put into the snmpd.conf file for configuring the SNMP agent. If you specify an engineID, then it will be part of the system configuration that may synchronize as part of a failover group. That behavior may be undesirable, so instead, you can specify an engineIDType. Then each BIG-IP system makes its own engineID based upon type.

Supported types are:
-- IPv4 (1)
-- IPv6 (2)
-- MAC address (3)
-- Text (4)

Here is a sample tmsh command:
tmsh modify sys snmp include "engineIDType 3"

There is a bug when the engineIDType is 1 or 2 (IPv4 address or IPv6 address) such that the BIG-IP system selects the localhost address which gives a non-unique engineID.

Conditions:
Using engineIDType 1 or engineIDType 2 uses localhost address of 172.0.0.1 or ::

Impact:
The engineID is not unique. This is especially a problem on vCMP.

Workaround:
Use engineIDType 3. Then the engineID is based on the MAC address, which is reliably unique.

Fix:
In this release, the system determines the engineID in the following ways:

-- The cluster IP address, if it is available, is used for a chassis.
-- If there is no cluster address, then for IPv4, the eth0 or mgmt address is used. For IPv6, the first NIC's MAC address is used with fe80 in the first two bytes (the same logic that link-local address generation uses).
-- If you specify an engineIDNic as a variable in the snmpd.conf file, then that is the MAC address used.
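To make the uniqueness problem concrete, the following added example (not F5 or net-snmp code) builds SNMPv3 engineIDs in the RFC 3411 layout for engineIDType 1 through 4 and checks whether a set of devices would end up with distinct IDs. The enterprise number 8072 is an assumption (net-snmp's IANA number); the device addresses and MACs are constructed sample values.

```python
import ipaddress

# Assumption: net-snmp's IANA enterprise number. RFC 3411 sets the high bit
# of the 4-byte enterprise field to mark the "new" engineID format.
ENTERPRISE = 8072


def _prefix(fmt):
    """4-byte enterprise id with format bit, followed by the 1-byte format code."""
    return ((1 << 31) | ENTERPRISE).to_bytes(4, "big") + bytes([fmt])


def engine_id(engine_id_type, value):
    """Build an engineID for net-snmp engineIDType 1 (IPv4), 2 (IPv6), 3 (MAC), 4 (text)."""
    if engine_id_type == 1:
        return _prefix(1) + ipaddress.IPv4Address(value).packed
    if engine_id_type == 2:
        return _prefix(2) + ipaddress.IPv6Address(value).packed
    if engine_id_type == 3:
        mac = bytes.fromhex(value.replace(":", "").replace("-", ""))
        if len(mac) != 6:
            raise ValueError("MAC address must be 6 bytes")
        return _prefix(3) + mac
    if engine_id_type == 4:
        return _prefix(4) + value.encode()
    raise ValueError(f"unsupported engineIDType {engine_id_type}")


def all_unique(devices, engine_id_type, field):
    """True when every device in the list derives a distinct engineID from `field`."""
    ids = {engine_id(engine_id_type, d[field]) for d in devices}
    return len(ids) == len(devices)


# Constructed sample: two vCMP guests that both resolve the IPv4 type to the
# loopback address (the bug) but have distinct MAC addresses.
DEVICES = [
    {"name": "guest-a", "ipv4": "127.0.0.1", "ipv6": "::", "mac": "00:11:22:33:44:55"},
    {"name": "guest-b", "ipv4": "127.0.0.1", "ipv6": "::", "mac": "00:11:22:33:44:66"},
]

if __name__ == "__main__":
    for t, f in ((1, "ipv4"), (2, "ipv6"), (3, "mac")):
        print(f"engineIDType {t}: unique={all_unique(DEVICES, t, f)}")
    print(engine_id(3, DEVICES[0]["mac"]).hex())
```

Running the check against the loopback-derived values shows why the workaround (engineIDType 3) was recommended: the type 1 and type 2 IDs collide across every device that picks the localhost address, while the MAC-based IDs do not.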


716788 : TMM may crash while response modifications are being performed within DoSL7 filter

Component: Application Security Manager

Symptoms:
TMM might crash when a response is modified by the DoSL7 filter while injecting an HTML response from a backend server.

Conditions:
-- ASM provisioned.
-- DoS application profile is attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts, failover may occur.

Workaround:
There is no workaround other than to remove the DoS application profile from the virtual server.

Fix:
Response modification handler has been modified so that this issue no longer occurs.


716757 : Improve Bot Detection in Web Scraping Feature

Component: Application Security Manager

Symptoms:
When browsing using Firefox automation tools, a bot might not be detected.

Conditions:
Web Scraping -> Bot Detection is enabled, and browsing is done using automation tools on a Firefox browser.

Impact:
A bot might not be detected and will not be blocked.

Workaround:
None.

Fix:
Improve bot detection.


716747-1 : TMM may crash while processing APM or SWG traffic

Component: Access Policy Manager

Symptoms:
Under certain circumstances, TMM may crash when processing APM or SWG traffic.

There will be a log message in /var/log/apm near the time of crash with this:

err tmm[20598]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_initiate_swgt_policy_done, Line: 17000.

Conditions:
APM or SWG enabled.

Impact:
TMM crash, leading to a failover event.

Workaround:
There is no workaround at this time.

Fix:
TMM now processes APM and SWG traffic as expected.


716716 : Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core

Component: Local Traffic Manager

Symptoms:
TMM cores when the system has a kernel route configured, but no matching TMM route.

Conditions:
The scenario that can lead to this state is unknown.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
Either remove the kernel route, or add a matching TMM route.

Fix:
This release prevents the core that occurred when the kernel has a route that has no corresponding TMM route.


716492 : Rateshaper stalls when TSO packet length exceeds max ceiling.

Solution Article: K59332523

Component: Local Traffic Manager

Symptoms:
If a TCP Segmentation Offload (TSO) packet length exceeds the rateshaper's max ceiling, it causes the flow to stall.

Conditions:
TSO packet length exceeds the rateshaper's configured max ceiling.

Impact:
The flow stalls. Subsequent flows cannot go to the rateshaper from that particular tmm.

Workaround:
If you are running BIG-IP software v12.1.3.2 (or later) or v13.1.0(.x), you can use the following workaround:

There is a sys db variable called 'rateshaper.cmpdivide', which is enabled by default. When enabled, the system internally divides the bandwidth (rate/ceiling/burst) between the available tmm cores. If this issue occurs, set 'rateshaper.cmpdivide' to enabled.

There is no workaround for other versions.

Fix:
Rateshaper no longer stalls when TSO packet length exceeds max ceiling.


716473 : Unable to upgrade APM Desktop Clients on BIG-IP Virtual Edition

Component: Access Policy Manager

Symptoms:
Upgrading the APM client images (a.k.a. Desktop Client) may fail on some BIG-IP Virtual Edition (VE) systems running v13.1.0 software versions, as a result of insufficient space in /var.

Conditions:
/var does not have sufficient free disk space for the APM client image ISO file (slightly less than ~300 MB).

Reasons for a lack of space might include:

-- UCS archives and SCF files, which default to being stored in /var.
-- Other modules that store data in /var, e.g. APM, ASM, or AFM.

Impact:
Cannot upgrade Desktop Client 7.1.6.1. When this occurs:
-- In the GUI, the system posts the following error message: Image File Error: call tmsh to install image failed.

-- In tmsh, the system posts the following error message:
Data Input Error: File operation failed on "/var/apm/images/apmclients-7160.2018.417.2013-4204.0.iso".

Workaround:
Before installing, increase the size of /var. For example, from the command line of a BIG-IP system, /var can be expanded by 1 GB by running the following and then rebooting the system for the changes to take effect:

NEW_SIZE=$(($(df -P /var | tail -1 | awk '{print $2}') + 1*1024*1024)); echo "Resizing /var to $NEW_SIZE (unit: 1K blocks); changes should take effect after a reboot"; tmsh modify sys disk directory /var new-size $NEW_SIZE; tmsh save sys config

Note: This workaround only applies to a single device, and will not persist across upgrades.

For more information about apmclients-7160.2018.417.2013-4204.0.iso, see Release Notes:
APM Desktop Client 7.1.6.1 https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/related/relnote-desktop-client-7-1-6-1.html.

For information about installing BIG-IP Edge Client, see K52547540: Updating BIG-IP Edge Client for the BIG-IP APM system :: https://support.f5.com/csp/article/K52547540.

Fix:
Can now upgrade APM Desktop Clients on BIG-IP Virtual Edition.


716437 : Need AAM provisioned to assign iSession profiles to virtual servers

Component: TMOS

Symptoms:
Cannot assign iSession profiles to a virtual server in the GUI, when AAM module is not provisioned.

Conditions:
-- AAM module is not provisioned.
-- Using the GUI.
-- Attempting to configure an iSession profile for a virtual server.

Impact:
User can't assign iSession profile to a virtual server in GUI, when AAM module is not provisioned. iSession Profile is not available as an option in acceleration config table under Local Traffic :: Virtual Servers : Virtual Server List :: New Virtual Server.

Workaround:
None.

Fix:
AAM provisioning is no longer a requirement for specifying an iSession profile from the virtual server configuration page.


716392 : Support for 24 vCMP guests on a single 4450 blade

Component: TMOS

Symptoms:
Cannot create more than 12 vCMP guests per blade.

Conditions:
-- Using vCMP.
-- VIPRION blades.

Impact:
Cannot configure more than 12 vCMP guests.

Workaround:
None.

Fix:
This release supports 24 vCMP guests on 4450 blades. Increased vCMP density ensures that all guests can access the hardware capabilities available from the BIG-IP platforms and VIPRION blades.

Behavior Change:
This release supports 24 vCMP guests on VIPRION 4450 blades. Increased vCMP density ensures that all guests can access the hardware capabilities available from BIG-IP platforms and VIPRION blades.


716391 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation

Solution Article: K76031538

Component: TMOS

Symptoms:
vCMP guest with only 2 cores (or 2 cores per blade for multi-blade guests) may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.

Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores (or 2 cores per blade for multi-blade vCMP guests).
-- A module that uses MySQL is provisioned, for example BIG-IP ASM or BIG-IP Analytics (AVR). The following modules also implicitly provision AVR: ASM, AFM, DOS, APM, PEM, and vCMP.

Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.

Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
 
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.


716324 : CSRF protection fails when the total size of the configured URL list is more than 2 KB

Component: Application Security Manager

Symptoms:
When the total size of the cross-site request forgery (CSRF) protection URL list is greater than 2 KB, CSRF injection fails.

Conditions:
- CSRF protection is enabled.
- The total length of the defined CSRF URL list is more than 2 KB.
- A protected URL is accessed.

Impact:
CSRF false-positive violation.

Workaround:
Use wildcards to minimize total CSRF URL size.

Fix:
Increased the default maximum total CSRF URL list size to 5 KB and added the internal parameter csrf_dyn_params_buffer_size in case further adjustment is needed.


716318 : Engine/Signatures automatic update check may fail to find/download the latest update

Component: Fraud Protection Services

Symptoms:
Engine/Signatures automatic update check may fail to find/download the latest update if the timestamp of the factory update file is later than the timestamp of the update file in downloads.f5.com.

Note: This issue is relevant only for engineering hotfixes.

Conditions:
This occurs when the following conditions are met:
-- Engineering hotfix.
-- The factory update file timestamp is later than the timestamp of the update file in downloads.f5.com.

Impact:
Automatic update check will detect the wrong update file.

Workaround:
Manually check, and then download and install the update file from downloads.f5.com, if needed.

Fix:
The factory update file timestamp is now set to 0, unless there is a reason to install the factory file over the current update file in downloads.f5.com.


716213 : BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic

Component: Local Traffic Manager

Symptoms:
When APM connects to Active Directory Federation Services (ADFS), a blank page is observed. The log file /var/log/ltm exhibits a TCP reset issued by the BIG-IP system. The TCP capture informs that the issue is due to an out-of-bounds error that occurs when traffic gets parsed by the SSL Persistence Parser (SSID).

Conditions:
-- SSL persistence (SSID) is enabled for a virtual host.
-- APM connects to ADFS.

Impact:
A blank page is observed due to the TCP reset.

Workaround:
No workaround is available.

Fix:
The SSL persistence parser now validates that the handshake message data bytes are available before fetching them, so the bounds error is not raised.


716180 : Some browsers may prevent the Start Screen from opening in a new tab when set to Network Map

Component: TMOS

Symptoms:
Network Map opens in a new tab when it serves as the Start Screen (as set in System :: Preferences), essentially acting as a popup window. Depending on the browser and the security settings you have, the browser might prevent the Network Map from opening and might post an error, or show the general Welcome page instead.

Conditions:
-- Set the Network Map as the Start Screen.
-- Log out and log back in to the BIG-IP system.

Impact:
The browser does not open Network Map in a new tab, and posts an error or the main Welcome screen instead.

Workaround:
To work around this issue, add the BIG-IP system's IP address to the browser's whitelist or allowed-popups list.

Fix:
Network Map opens in a new tab when it serves as the Start Screen. The main Welcome page also opens at startup.


716166 : Dynamic routing not added when conflicting self IPs exist

Component: TMOS

Symptoms:
Missing dynamic route in dynamic routing daemon as shown via 'show ip route'.

Conditions:
When a self IP host address is the same as the network address of the dynamic route being propagated. For example: self IP 10.10.10.0/31 versus dynamic route 10.10.10.0/24; or 10.10.0.0/24 versus dynamic route 10.10.0.0/16.

Impact:
The dynamic route is not propagated to the kernel and TMM.

Workaround:
There is no workaround other than not creating self IPs on the network address of a prefix.
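A pre-change check that flags the conflicting condition before a self IP is created, as an added example (not F5 code) using the two address pairs from the Conditions above plus constructed non-conflicting entries; the self IP and route lists are assumed to be exported from the configuration in CIDR form.

```python
import ipaddress


def conflicting_self_ips(self_ips, routes):
    """Return (self_ip, route) pairs where the self IP's host address equals the
    network address of a dynamic route prefix (the condition in ID 716166)."""
    conflicts = []
    for s in self_ips:
        iface = ipaddress.ip_interface(s)
        for r in routes:
            net = ipaddress.ip_network(r, strict=True)
            if iface.version != net.version:
                continue
            if iface.ip == net.network_address:
                conflicts.append((s, r))
    return conflicts


def is_safe_self_ip(candidate, routes):
    """True when a proposed self IP would not collide with any route's network address."""
    return not conflicting_self_ips([candidate], routes)


# Constructed sample configuration: two pairs reproduce the release note's
# examples, the rest are ordinary, non-conflicting entries.
SELF_IPS = ["10.10.10.0/31", "10.10.0.0/24", "10.20.30.5/24", "2001:db8::1/64"]
ROUTES = ["10.10.10.0/24", "10.10.0.0/16", "10.20.30.0/24", "2001:db8::/32"]

if __name__ == "__main__":
    for self_ip, route in conflicting_self_ips(SELF_IPS, ROUTES):
        print(f"self IP {self_ip} sits on the network address of route {route}")
```

The check compares the self IP's host address, not its own network, against the route's network address, which is exactly the overlap the workaround tells you to avoid; a /31 whose lower address is the route's network address is the typical case.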


716139 : For BIG-IP with PVA enabled, PVA Acceleration status in Virtual Server doesn't match that of the Virtual Server's profile

Component: TMOS

Symptoms:
For Fast L4 virtual servers with PVA enabled, the Virtual Server Properties page row for PVA Acceleration is displayed as 'None' when it should show 'Dedicated'.

Conditions:
The BIG-IP system must have hardware that supports PVA Acceleration.

Impact:
This is a cosmetic issue.

Workaround:
Use the tmsh command 'tmsh show ltm virtual my_virtual'.

Fix:
PVA Acceleration row on Virtual Server properties pages now displays as 'Dedicated' rather than 'None' when PVA Acceleration is set to Dedicated in the system.


715923 : When processing TLS traffic TMM may reset connections

Solution Article: K43625118


715883-2 : tmm crash due to invalid cookie attribute

Component: Local Traffic Manager

Symptoms:
tmm crash due to invalid request-side cookie attribute.

Conditions:
While processing an HTTP request, an iRule tries to add a cookie attribute to a cookie that is only valid in an HTTP response (for instance, an 'expires' attribute).

Impact:
TMM cored. Traffic disrupted while tmm restarts.

Workaround:
None.


715820 : vCMP in HA configuration with VIPRION chassis might cause unstable data plane

Solution Article: K61422392

Component: TMOS

Symptoms:
When multiple vCMP guests are deployed in a high availability (HA) configuration with a VIPRION chassis, the data plane cluster might become unstable. When this issue occurs, the system posts repeated log messages in /var/log/ltm similar to the following:

-- CDP: exceeded 1/2 timeout for PG 3

Conditions:
-- Multiple vCMP guests are deployed.
-- HA configured.
-- Using VIPRION chassis.

Impact:
Unstable data plane might cause traffic disruption/packet drops.

Workaround:
None.

Fix:
This issue no longer occurs.


715785 : Incorrect encryption error for monitors during sync or upgrade

Component: Local Traffic Manager

Symptoms:
The system logs an error message similar to the following in /var/log/ltm:

err mcpd[6823]: 01071768:3: Encryption of the field (password) for object (<monitor name>) failed.

This may cause a configuration sync to fail, or an upgrade to fail.

Conditions:
The exact conditions are unknown, however it may occur under these circumstances:

-- Performing a config sync operation.
-- Performing an upgrade.

Impact:
Inability to sync peer devices, or an inability to upgrade.

Workaround:
There is no workaround at this time.

Fix:
This error is no longer triggered erroneously.


715756 : Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only

Component: Local Traffic Manager

Symptoms:
When filesystems critical to TMOS functional operation are mounted read-only, clusterd on that blade should trigger a primary election if it was primary. Either way, the cluster should be informed of this critical error state.

Conditions:
A critical filesystem (e.g., '/', '/var', '/var/run', '/config', '/shared') has been mounted read-only.

Impact:
The blade with read-only filesystems and degraded functionality might stay primary and claim to be passing traffic.

Workaround:
There is no workaround other than to avoid mounting filesystems read-only on a BIG-IP system.

Fix:
The blade with read-only filesystems and degraded functionality now yields primaryship to a more healthy cluster member.
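The health condition the fix makes clusterd act on can also be checked by an operator or monitoring job. The following added example (not F5 code) parses /proc/mounts-style lines and reports which of the critical filesystems listed in the Conditions are mounted read-only or missing; the mount lines are constructed sample data, and the device names are placeholders.

```python
# Critical mount points named in the Conditions of ID 715756.
CRITICAL_MOUNTS = ("/", "/var", "/var/run", "/config", "/shared")

# Constructed /proc/mounts-style sample (placeholder devices, not a real system);
# /config is deliberately mounted read-only to exercise the check.
SAMPLE_MOUNTS = """\
/dev/vda1 / ext4 rw,relatime 0 0
/dev/vda5 /config ext4 ro,relatime 0 0
/dev/vda6 /var ext4 rw,relatime 0 0
tmpfs /var/run tmpfs rw,nosuid 0 0
/dev/vda7 /shared ext4 rw,relatime 0 0
/dev/vda8 /var/log ext4 rw,relatime 0 0
"""


def parse_mounts(text):
    """Map mount point -> set of mount options from /proc/mounts format."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line
        mounts[parts[1]] = set(parts[3].split(","))
    return mounts


def read_only_critical(mounts):
    """Return (mount_point, reason) for critical filesystems that are ro or absent."""
    problems = []
    for mp in CRITICAL_MOUNTS:
        opts = mounts.get(mp)
        if opts is None:
            problems.append((mp, "not mounted"))
        elif "ro" in opts:
            problems.append((mp, "read-only"))
    return problems


def fit_for_primary(text):
    """True when all critical filesystems are present and writable."""
    return not read_only_critical(parse_mounts(text))


if __name__ == "__main__":
    with open("/proc/mounts") as fh:  # on a live system; SAMPLE_MOUNTS otherwise
        live = fh.read()
    for mp, why in read_only_critical(parse_mounts(live)):
        print(f"{mp}: {why}")
```

A blade that reports a problem here is in the state the fix now handles by yielding primaryship; before the fix, this check is what an operator had to perform by hand to notice that a primary blade was degraded while still claiming to pass traffic.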


715750 : The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream in an SSL connection.

Component: Local Traffic Manager

Symptoms:
Upon receiving a FIN midstream in an SSL connection, the BIG-IP system will immediately proxy the FIN to the remote host on the peer side. At this point, depending on the specific configuration of the remote host on the peer side, the BIG-IP system may exhibit behaviors that may be deemed undesirable.

For instance, if the remote host on the peer side acknowledges the FIN but ignores it and keeps sending data to the BIG-IP system, the BIG-IP system will drop all ingress data (i.e., not proxy it) while keeping the side that transmitted the original FIN open indefinitely.

Once the remote host on the peer side completes transmitting data and sends a FIN of its own, the BIG-IP system will finally release the side that sent the original FIN by allowing it to close.

Conditions:
This issue occurs when the following conditions are met:

-- A standard virtual server with the clientssl and serverssl profiles in use.

-- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.

Impact:
There is no real impact to the BIG-IP system because of this issue. However, both the client and the server can be negatively impacted by this issue.

For example, if the original FIN was received by the BIG-IP system on the clientside:

-- The client connection is not allowed to close for potentially a very long time. During this time, the client does not receive anything other than Keep-Alive packets from the BIG-IP system. This can delay or adversely impact applications on the client.

-- The server continues to send data to the BIG-IP system unnecessarily. After accounting for the fact this could be a lot of data and many connections could be in this state, the server and/or its surrounding network could become impacted/congested. At a minimum, this might cause a waste of resources.

Workaround:
There is no workaround at this time.

Fix:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.

Behavior Change:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.


715747-2 : TMM may restart when running traffic through custom SSLO deployments.

Component: Local Traffic Manager

Symptoms:
TMM restarts with a SIGSEGV signal and dumps core.

Conditions:
This issue is known to happen when passing traffic through some custom SSLO deployments (e.g., iRule-based configurations).

Impact:
TMM restarts. If the system is in a high availability configuration, a failover occurs. Traffic disrupted while TMM restarts.

Workaround:
There is no workaround at this time.

Fix:
TMM no longer restarts.


715467 : Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY

Component: Local Traffic Manager

Symptoms:
If the 'A' record for an FQDN node is removed or replaced on the DNS server, then the BIG-IP system does not remove the old ephemeral pool member or create the new pool member and node.

Conditions:
-- FQDN nodes.
-- Pool members with a service port of ANY.

Impact:
Ephemeral pool member and nodes are not removed or updated when the DNS 'A' record is removed or changed.

Workaround:
There is no workaround at this time.

Fix:
Upon a DNS 'A' record being removed or changed, the ephemeral pool members and nodes based on the old value are removed or changed.


715450 : tmm restarts under certain conditions

Solution Article: K05874142

Component: Application Security Manager

Symptoms:
tmm restarts in certain cases; no traffic goes through the BIG-IP system.

Conditions:
-- DoSL7 with Device ID enabled.
-- HTTP/2.0 profile configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable proactive bot defense (PBD) or HTTP/2.0

Fix:
tmm no longer restarts under these conditions.


715448 : Providing LB::status with a GTM Pool name in a variable caused validation issues

Component: Global Traffic Manager (DNS)

Symptoms:
When utilizing an LB::status iRule where the GTM Pool name was provided in a variable, instead of directly written into the command, the system posts the following error message: Can't read 'monkey': no such variable.

Conditions:
LB::status pool a <Variable containing string>.

Impact:
Unable to use LB::status iRule.

Workaround:
There is no workaround at this time.

Fix:
Can now use LB::status iRule command to display the status of a GTM Pool when the name of the pool is provided in a variable.


715331 : IKEv2 logs peers_id comparisons and cert verification failures

Component: TMOS

Symptoms:
Insufficient information is logged when a certificate fails verification, or when ID_I in an IKE_AUTH request does not match configuration for peers_id in the ike-peer description.

Conditions:
When IKE_AUTH fails due to either certificate verification failure or mismatch of ID_I and peers_id.

Impact:
Hard to diagnose proximate cause of IKE negotiation failure during IKE_AUTH exchange.

Workaround:
There is no workaround at this time.

Fix:
When log level is at least debug, each ID_I and peers_id comparison is logged, so both config and IKE_AUTH payload content is clearly revealed.

When certificate verification occurs, failure is now always logged with PROTO_ERR level, and success is also logged with INFO level when log level is at least debug.


715250 : TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED

Component: Access Policy Manager

Symptoms:
TMM generates a core and restarts when RPC resumes iRule event ACCESS_SESSION_CLOSED.

Conditions:
Plugin RPC call has iRule event ACCESS_SESSION_CLOSED configured.

Impact:
System instability, failover, traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


715207-1 : coapi errors while modifying per-request policy in VPE

Component: Access Policy Manager

Symptoms:
System reports errors about coapi in /var/log/ltm when modifying a per-request policy in the Visual Policy Editor (VPE).

err coapi: PHP: requested conversion of uninitialized member.

Conditions:
-- The per-request policy being modified is attached to the virtual server.
-- Using VPE.

Impact:
The impact can vary by version.
-- In some versions it represents a stray error log.
-- In other versions the 'Accepted Languages' in the Logon Page agent does not have the full list.
-- In other versions, there are server 500 errors when modifying agents.

Workaround:
To work around this issue, perform the following procedure:
1. Remove the per-request policy from the virtual server.
2. Modify the policy.
3. Add the policy back to the virtual server.

Fix:
Now per-request access policies can be simultaneously used and edited without causing spurious 'coapi' log errors.


715200 : VE with only hda drive does not report disk statistics

Component: TMOS

Symptoms:
On a BIG-IP Virtual Edition (VE) setup, there are no disk stats. The system logs error messages similar to the following: err chmand[7946]: 012a0003:3: Disk Latency Monitor: No disks found.

Conditions:
-- VE with only an hda drive.

-- Navigate to inspector pages Monitoring :: Dashboards :: Device :: Health to view the statistics.

Impact:
Disk usage statistics are all zeroes. 'No Data' is shown on the Inspector page charts 'Disk Operations', 'Disk Throughput', and 'Disk Merges'. The system reports that no disks are found.

Workaround:
Reconfigure the VE hypervisor so the virtual disk is named sda or vda instead of hda.

Fix:
The system now uses the hda disk when it is the only available disk, so the statistics are correctly reported.


715153-3 : AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem

Component: Application Visibility and Reporting

Symptoms:
-- The folder /var/avr/loader contains many files (e.g., more than 1500 files).
-- monpd is not running.

Conditions:
This occurs when the following conditions are met:
-- Avrd is running.
-- monpd is down.

Impact:
AVR writes many files to /var/avr/loader. Depending on disk usage, this might cause disk-usage problems.

Workaround:
There are two possible workarounds:
-- Restart monpd. When monpd starts up, it deletes the files under /var/avr/loader.
-- Delete all files under /var/avr/loader.

Fix:
There is now a limit for the /var/avr/loader folder, so that it can contain no more than 1100 files. This prevents disk-usage problems.


715128 : Simple mode Signature edit does not escape semicolon

Component: Application Security Manager

Symptoms:
When creating a user-defined ASM Signature in Simple mode, a semicolon followed by a space cannot be used in a keyword.

Conditions:
-- Using a user-defined ASM Signature in Simple mode.
-- There is a semicolon followed by a space in a keyword.

Impact:
The signature cannot be created.

Workaround:
The signature can be created in Advanced Mode by escaping the semicolon as "|3B|".


715061 : vCMP: tmm core in guest when stopping vCMP guest from host

Component: TMOS

Symptoms:
tmm produces a core file in the guest on the primary blade (not the secondary blade) after the guest is disabled on the hypervisor.

Conditions:
-- A cross-blade vCMP guest.
-- Guest is disabled on the hypervisor.

Impact:
Because the guest is in the process of being disabled, there is no impact on traffic. However, the core file may take up space on the guest on the primary blade.

Workaround:
To mitigate the disk problem, manually delete the core file.


714986 : Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot

Component: TMOS

Symptoms:
On an iSeries platform, when the console baud rate is changed through TMSH, new terminal sessions revert back to the previous baud rate instead of adopting the new setting unless the unit is rebooted.

Conditions:
1. Modify the console baud rate in BIG-IP through TMSH on an iSeries platform (i2xxx, i4xxx, i5xxx, i7xxx, i10xxx, i15xxx), for example: tmsh modify sys console baud-rate 9600.

2. Exit from the login prompt in the current terminal session, or kill it and start a new session.

Impact:
The BIG-IP system reverts to the previous baud rate instead of the new setting. New serial console connections cannot be established at the modified baud rate without a reboot.

Workaround:
The problem can be mitigated by manually reprogramming the TTY device and restarting the agetty process and bash login sessions. This closes any existing console connections, but newly established connections will connect at the modified baud rate.

1. Use TMSH to modify the baud rate to the desired speed by running a command similar to the following:

tmsh modify sys console baud-rate 9600

2. Re-program the TTY device with the desired speed by running a command similar to the following:

stty -F /dev/ttyS0 9600

3. Kill the existing agetty process so it will re-start at the new baud rate by running the following command:

/usr/bin/killall -q agetty

4. Restart bash logins by running the following command:

/bin/kill -HUP `/bin/ps -A | /bin/grep ttyS0 | /bin/grep -v grep | /bin/grep bash | /bin/awk '{print $1}'` >/dev/null 2>&1

Fix:
In addition to reprogramming the UART with the new baud rate, the BIG-IP system now re-initializes the TTY device and agetty process with the correct speed so that new terminal sessions reflect the change.


714974 : Platform-migrate of UCS containing QinQ fails on VE

Component: TMOS

Symptoms:
If you are doing platform-migrate from a hardware device to a Virtual Edition (VE) guest, and the UCS that came from the hardware device has a QinQ VLAN configuration, then the upgrade will fail.

Conditions:
-- VLAN with a QinQ configuration exists on the hardware configuration.
-- UCS file is saved on the hardware device.
-- UCS is copied to a VE guest.
-- Attempt to load the configuration using the following command: load sys ucs <UCS filename> no-license platform-migrate.

Impact:
The UCS load will fail and generate an error:

01071bd8:3: The tag-mode for requested member <VLAN name> has to be 'none' on platforms that do not support QinQ. Unexpected Error: Loading configuration process failed.

Workaround:
None.

Fix:
The configuration now loads successfully, disables QinQ on the associated VLAN, and warns that this action was automatically taken.


714961-2 : antserver creates large temporary file in /tmp directory

Component: Access Policy Manager

Symptoms:
SWG Analytics (running through the antserver daemon) creates a large temporary file in the /tmp directory due to a lack of write permissions on the appropriate directory.

Conditions:
-- SWG provisioned.
-- Viewing SWG Analytics.

Impact:
/tmp is temporarily populated with a large file that might fill up the directory if it is already close to capacity.

Workaround:
There is no workaround at this time.

Fix:
The system now writes to /shared/tmp/ant_server instead of /tmp, so the issue no longer occurs.


714903 : Errors in chmand

Component: TMOS

Symptoms:
VIPRION cluster does not form; only primary blade stays online. Chassis manager chmand generated a core file. System logs the following error in ltm log: err clusterd[11162]: 013a0004:3: Error adding cluster mgmt addr, HAL error 7.

Conditions:
-- Restoring UCS.
-- Chassis starting up.
-- System in stressed condition, where there is very little or no memory available.

Impact:
Cluster does not form.

Workaround:
None.

Fix:
These errors in chmand are fixed.


714902-2 : Restjavad may hang if discover task fails and the interval is 0

Component: Access Policy Manager

Symptoms:
If a discover task fails because of a network issue, the system tries to run the task again at the next scheduled time. If the discover interval is set to 0, the system retries immediately, which may cause restjavad to hang.

Conditions:
A provider is configured with a discover interval of 0, and the discover task fails because of network issues.

Impact:
The discover task consumes a lot of CPU while restjavad continuously retries it.

Workaround:
Change the discover interval to 1 hour or more.

Fix:
Now, if the discover interval is 0 and the discover task fails because of a network issue, the system sends the task to the finished state and does not retry anymore.


714879 : APM CRLDP Auth passes all certs

Solution Article: K34652116


714795 : ospfd cores when configured with 'area 0 range 0.0.0.0/0'

Component: TMOS

Symptoms:
ospfd produces a core file, resulting in loss of dynamic routing functionality.

Conditions:
- Enable dynamic routing with OSPFv2.
- Configure OSPF with the following value: area 0 range 0.0.0.0/0.

Impact:
Loss of dynamic routing functionality.

Workaround:
None.

Fix:
ospfd no longer cores when configured with "area 0 range 0.0.0.0/0".


714749 : cURL Vulnerability: CVE-2018-1000120

Component: TMOS

Symptoms:
It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.

Conditions:
BIG-IP systems are not affected by this vulnerability.

Impact:
None.

Workaround:
None.

Fix:
Patched CVE-2018-1000120.


714700 : SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy

Component: Access Policy Manager

Symptoms:
To address a vulnerability in their CredSSP implementation, Microsoft released a set of updates for all versions of Windows (https://aka.ms/credssp). Although the APM implementation is not affected by this vulnerability, the Microsoft Windows Server fix introduces compatibility issues. The update adds a new Group Policy, 'Encryption Oracle Remediation', which, if set to 'Force Updated Clients' on the server, might break SSO for APM's native RDP resources.

Conditions:
-- RDP server has https://aka.ms/credssp update installed.
-- 'Encryption Oracle Remediation' Group Policy on the RDP server is set to 'Force Updated Clients'.

Impact:
SSO for native RDP resources does not work.

Workaround:
Set 'Encryption Oracle Remediation' Group Policy on the RDP server to 'Mitigated'.

Fix:
SSO for native RDP resources is now compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy.


714654 : Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM

Component: TMOS

Symptoms:
While creating a static route, tmrouted disconnects with error: existing entry is not a dynamic.

Conditions:
Creating a static route for a network that already has an advertised dynamic route.

Impact:
TMM's connection to tmrouted goes down, which results in loss of the dynamic route for TMM.

Workaround:
There is no workaround other than not creating a static route for routes received through dynamic routing.

Fix:
Creating static routes for advertised dynamic routes no longer causes the tmrouted-to-TMM connection to drop.


714559 : Removal of HTTP hash persistence cookie when a pool member goes down.

Component: Local Traffic Manager

Symptoms:
When HTTP cookie hash persistence is configured, the cookie is removed when a pool member goes down. This is incorrect if pool members are using session replication.

Conditions:
- Cookie hash persistence is configured.
- A pool member that the persistence record points to goes down.
- Pool members are using session replication.

Impact:
Connected clients must establish a new session.

Workaround:
To configure HTTP cookie hash persistence, use an iRule similar to the following:

when CLIENT_ACCEPTED {
    persist cookie hash JSESSIONID
}

Fix:
HTTP hash persistence cookie is no longer removed when a pool member goes down.

If you need to remove the cookie, use an iRule similar to the following:

when PERSIST_DOWN {
    HTTP::cookie remove JSESSIONID
}


714507 : [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool member dependency cannot be listed correctly using the following command:
# tmsh list gtm pool

Conditions:
-- Virtual server dependency in GTM server.
-- Running the command: tmsh list gtm pool.

Impact:
1. Pool member dependencies are not listed.
2. Pool member dependency information is missing when saving config:
    # tmsh save sys config gtm-only

Workaround:
List specific gtm pools instead by running a command similar to the following:
# tmsh list gtm pool a p1


714384 : DHCP traffic may not be forwarded when BWC is configured

Component: Local Traffic Manager

Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.

Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.

Impact:
DHCP traffic may not be forwarded.

Workaround:
There is no workaround other than to remove the BWC policy.

Fix:
DHCP traffic is now forwarded when BWC is configured.


714369-2 : ADM may fail when processing HTTP traffic

Solution Article: K62201098


714362 : CSP headers block additional JavaScript in Chrome 65

Component: Fraud Protection Services

Symptoms:
The FPS option 'Additional JavaScript' does not run in recent versions of Google Chrome when CSP blocks inline scripts.

Conditions:
-- Site using the FPS 'Additional JavaScript' feature.
-- CSP is enabled.

Impact:
Configured JavaScript does not run in the browser.

Workaround:
There is no workaround other than installing the most recent FPS engine file.

Fix:
CSP headers no longer block 'Additional JavaScript' in Google Chrome when CSP blocks inline scripts.


714350-2 : BADOS mitigation may fail

Solution Article: K62201098


714334 : admd stops responding and generates a core while under stress.

Component: Anomaly Detection Services

Symptoms:
admd stops responding and generates a core while under stress.

Conditions:
-- The BIG-IP system is under stress.
-- CPU starvation is occurring.

Impact:
admd core and restart.

Note: The admd process provides stress-based DoS detection and mitigation control. When admd is not running, there is no stress-based anomaly detection or behavioral statistics aggregation.

Workaround:
None.

Fix:
This issue no longer occurs.


714303 : X520 virtual functions do not support MAC masquerading

Component: TMOS

Symptoms:
MAC masquerading is not supported when using X520 virtual functions via SR-IOV in Virtual Edition (VE). This is due to a lack of functionality in the underlying hardware.

Conditions:
-- Use SR-IOV virtual functions as interfaces within VE.
-- Configure MAC masquerading with a shared MAC that should follow the active system after traffic group failovers.

Impact:
MAC masquerading will not function in this environment.

Workaround:
There is no workaround other than not to use MAC masquerading, as conventional failover works for this environment.

Fix:
MAC masquerading is now supported when using X520 virtual functions via SR-IOV in Virtual Edition (VE).


714281 : NSH tunnel reject inner packet from other vendor

Component: TMOS

Symptoms:
NSH does not interoperate between BIG-IP systems and some external NSH vendors.

Conditions:
-- NSH tunnel.
-- The external NSH vendor cannot configure inner packet MAC destination.

Impact:
The BIG-IP system rejects the packet. Lost connectivity with some of the vendors.

Workaround:
To work around this limitation, you can do either of the following:

-- Use an external vendor that does support configuration of inner packet MAC destination.

-- Avoid using NSH with external vendors that lack this ability.

Fix:
The system now passes NSH packets as expected in this scenario.


713951 : tmm core files produced by nitrox_diag may be missing data

Component: Local Traffic Manager

Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.

Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.

Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.


713947 : stpd repeatedly logs "hal sendMessage failed"

Component: TMOS

Symptoms:
On non-primary clustered blades in a BIG-IP chassis environment, stpd may repeatedly log "hal sendMessage failed".

Conditions:
Two or more blades clustered in a chassis with STP enabled on one or more ports.

Impact:
All BIG-IP blades are affected.

Workaround:
No workaround except to ignore log messages - they are spurious and have no ill effect on the system besides log spam.


713934 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response

Component: Local Traffic Manager

Symptoms:
A malformed truncated (TC) DNS response is received.

Conditions:
-- Using iRule 'DNS::question name' to shorten the name.
-- The DNS response exceeds the 4096 UDP limit.

Impact:
DNS request might not be resolved correctly.

Workaround:
There is no workaround at this time.

Fix:
In this release, when DNS::query name changes the query name, the software ensures that the request is updated with proper lengths.


713932 : Commands are replicated to PostgreSQL even when not in use.

Component: TMOS

Symptoms:
In MCP, PostgreSQL is used only by AFM. Even when AFM is not provisioned, however, commands are being replicated to PostgreSQL.

Conditions:
AFM is not provisioned.

Impact:
Unnecessary CPU cycles spent by MCP replicating commands to PostgreSQL.

Workaround:
None.

Fix:
Prevented replication of commands to PostgreSQL when it is not in use.


713820 : Pass in IP to urldb categorization engine

Component: Access Policy Manager

Symptoms:
Category lookup results might be less accurate. In some cases, the system returns 'uncategorized' when the reference (Forcepoint) returns a specific category.

Conditions:
A Category Lookup agent in a per-request policy uses the categorization engine to look up a website's classification.

Impact:
Actions leveraging categorization results will be applied incorrectly.

Workaround:
None.

Fix:
This release now passes more information to the urldb categorization engine, which supports finer-grained categorization.


713766 : VLAN failsafe failover may not occur

Component: Local Traffic Manager

Symptoms:
VLAN failsafe may not take effect, so the expected failover does not occur.

Conditions:
If the VLAN failsafe is disabled, and then re-enabled, it might not properly take effect.

Impact:
System will not fail over when it should.

Workaround:
The failure condition is cleared by the next reboot following the disable/enable.

Fix:
Failover occurs as expected.


713729 : GUI SSL Certificate does not display correct expiration dates

Component: TMOS

Symptoms:
For a GUI SSL Certificate bundle (including ca-bundle), the expiration date displayed on the certificates list page shows the date of the first certificate in the bundle and the highest expiration date in the bundle.

Conditions:
Have an SSL certificate bundle containing certificates with different expiration dates.

Impact:
This is a GUI display issue; there is no functional impact.

Workaround:
There is no workaround at this time.

Fix:
GUI SSL Certificate bundle expiration dates on the certificates list page now show the expiration date of the first certificate within the bundle to expire and the highest expiration date in the bundle.


713708-7 : Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI

Component: TMOS

Symptoms:
On the BIG-IP GUI, under System :: Software Management :: Update Check, after pressing 'Check now', the 'Available Update' shows a long string 'OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install' instead of the EPSEC version, e.g.: epsec-1.0.0-679.0.

Conditions:
-- Under System :: Software Management :: Update Check.
-- Press 'Check now'.

Impact:
Cannot determine what version is available by viewing 'Available Update'. Although this is how all the other updates work, it can result in a confusing BIG-IP user experience.

Workaround:
To have the browser show the link's destination address, view the browser's status fields while hovering the cursor over the following link text: OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install.

Fix:
The output now shows the version, e.g.: epsec-1.0.0-679.0.


713707 : ix600 platforms will now have DoS Enforcement in Software Mode enabled automatically

Component: Advanced Firewall Manager

Symptoms:
The sys db variable dos.forceswdos controls DoS enforcement in software mode. ix600 platforms with TurboFlex licenses restrict DoS enforcement to software mode. The default for dos.forceswdos is 'disable', so DoS enforcement does not work on those platforms until this setting is changed to 'enabled'.

Conditions:
-- ix600 platforms, as detailed in the following list:

  + BIG-IP i2600
  + BIG-IP i4600
  + BIG-IP i5600
  + BIG-IP i7600
  + BIG-IP i10600
  + BIG-IP i12600
  + BIG-IP i15600
  + BIG-IP i11600

-- TurboFlex license.

-- Using software versions 13.1.x-14.0.0.

Impact:
The dos.forceswdos db variable is set to false by default in the configuration, meaning that DoS works in Hardware mode on capable hardware platforms. However, due to licensing restrictions for ix600 platforms, DoS enforcement can run only in software mode. For ix600, if the dos.forceswdos setting is not changed to true, DoS enforcement does not work at all.

Workaround:
Manually set the sys db variable dos.forceswdos to true to enable DoS enforcement in software mode.

Note: At its default value 'false', DoS enforcement is in hardware mode, which is not supported by ix600. If you upgrade the license from ix600 to ix800, this db variable is still set to 'true', meaning DoS is operating in software mode. To run DoS in hardware mode on ix800 platforms, set the db variable to false.

Fix:
This change supports licensing behavior on ix600 platforms with Turboflex licenses, and enables DoS enforcement in supported software mode automatically (sets db variable to true). To have DoS enforcement in hardware mode requires ix800 or higher licenses, whenever available, and requires that the sys db variable dos.forceswdos be set to false.


713655 : RouteDomainSelectionAgent might fail under heavy control plane traffic/activities

Component: Access Policy Manager

Symptoms:
If per-session access policy requests route domain selection during policy evaluation, the agent might hang and fail to retrieve route domain information. APMD might restart and produce a core file.

Conditions:
-- Policy sync operation.
-- System receives a query for route domain information.
-- There is a heavy load of control plane traffic to process.

Impact:
Poor performance and/or APMD restarts with a core file, causing brief disruption of the authentication service.

Workaround:
None.

Fix:
Route domain selection operations no longer fail under heavy control-plane traffic/activities.


713612 : tmm might restart if the HTTP passthrough on pipeline option is used

Component: Local Traffic Manager

Symptoms:
The TMM may crash if the HTTP profile's 'passthrough_pipeline' field is set to 'passthrough'.

Conditions:
-- HTTP profile is configured as a transparent proxy.
-- The HTTP profile's 'passthrough_pipeline' field is set to 'passthrough'.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
tmm no longer crashes when HTTP switches to passthrough mode in some cases.


713598 : Failed attempt to resize 'appdata' leaves volume unmounted.

Component: TMOS

Symptoms:
If attempts at resizing the /appdata partition fail (due to insufficient free space), /appdata is left unmounted on boot.

Conditions:
Physical volume is too full to accommodate /appdata resizing. The typical case is when there are already many other software volumes before the resize task has been able to run.

Impact:
/appdata is not mounted after the system comes up.

Workaround:
Manually remount the appdata partition.

Fix:
Failed attempt to resize 'appdata' no longer leaves volume unmounted.


713585 : When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long

Solution Article: K31544054

Component: Local Traffic Manager

Symptoms:
Config load could be very long and CPU usage very high.

Conditions:
There are many iRules, and they are installed on many virtual servers.

Impact:
BIG-IP system performance could be degraded during the load, and the system may lock up.

Workaround:
Run "tmsh modify sys db rule.validation value syntax". This causes iRule validation to check iRule syntax only; the semantic checks are not performed.

Fix:
In this release, the config loading time is cut significantly.


713533 : list self-ip with queries does not work

Component: Local Traffic Manager

Symptoms:
"list net self" command always returns all Self IPs, regardless of the regex patterns.

Conditions:
list net self always returns all Self IPs

Impact:
You are unable to filter the Self IP list using a regex pattern.

Fix:
You can now use pattern matching to list Self IPs.


713491 : IKEv1 logging shows spi of deleted SA with opposite endianness

Component: TMOS

Symptoms:
Sometimes the IKEv1 racoon daemon logs a 32-bit child-SA spi with octets in backwards order (reversing the endianness).

Conditions:
When an SA is deleted.

Impact:
Logging typically shows a network byte order spi in the wrong order. Cosmetic interference with logging interpretation.

Workaround:
There is no workaround at this time.

Fix:
The spi values are shown in the correct endianness now.


713389 : TMSH/REST API does not honor access-info client ip or username filter

Component: Access Policy Manager

Symptoms:
TMSH/REST API does not filter Username or Client IP for access-info command. The user gives the input as Username or Client IP; still, the tmsh/rest API output does not filter correctly and produces the entire output.

Conditions:
The user gives Username or Client IP for tmsh "show apm access-info" command expecting the filtering will occur based on that given input.

Impact:
TMSH and REST API command produces more output.

Workaround:
A client-side script consuming the REST API output can ignore empty sessions and honor only the entries where the Client IP is present when Username is given as input. Similarly, the script can ignore the entries where Username is present when Client IP is given as input.

Fix:
Filtering is based on the given input, either Username or Client IP, in TMSH and in the corresponding REST output.


713319 : GUI iRule Data Group properties: when viewing object with IPv4-mapped IPv6 address get 'An error has occurred while trying to process your request.'

Component: TMOS

Symptoms:
In GUI iRule Data Group properties, when viewing an object with an IPv4-mapped IPv6 address, you get the following error: An error has occurred while trying to process your request.

Conditions:
-- iRule Data Group configured with an IPv4-mapped IPv6 address in tmsh.
-- Attempting to view that Data Group in the GUI.

Impact:
Cannot view or modify iRule Data Groups with these IPv4-mapped IPv6 addresses using the GUI.

Workaround:
Use tmsh to view and modify iRule Data Groups with IPv4-mapped IPv6 addresses.


713307 : slot1/whitebird-4800 notice Not supported protocol log message

Component: Protocol Inspection

Symptoms:
When ASM or AFM are licensed and provisioned, creating a FastL4 virtual server with a protocol other than TCP or UDP causes TMM to produce unnecessary log messages in the per-TMM log files (/var/log/tmm*).

Redundant prints in tmm log. E.g.,
<13> Mar 21 21:17:19 slot1/whitebird-4800 notice Not supported protocol

Conditions:
1. ASM or AFM are licensed and provisioned
2. Create a FastL4 virtual server with a protocol other than TCP or UDP

Impact:
Cosmetic, no functionality is affected.

Workaround:
None

Fix:
This unnecessary message is no longer written to the tmm log.


713283-1 : Missing transaction count in application security report under view by IP Intelligence

Component: Application Visibility and Reporting

Symptoms:
Transactions without an IP reputation threat are not listed on application security reports when viewed by IP Intelligence.

Conditions:
-- All transactions without an IP reputation threat.
-- Application security reports.

Impact:
Transaction count statistics are missing.

Workaround:
None.

Fix:
A new IP reputation category, 'No Threat', has been added; transactions from an IP address that has no bad reputation are now listed under 'No Threat'.


713282 : Remote logger violation_details field does not appear when virtual server has more than one remote logger

Component: Application Security Manager

Symptoms:
Remote logger violation_details field appears empty.

Conditions:
-- More than one remote logger is attached to the virtual server.
-- A violation occurs.
-- Viewing the associated log.

Impact:
Violation_details field appears empty in logs.

Workaround:
There is no workaround at this time.

Fix:
Remote logger violation_details field is now populated as expected when the virtual server has more than one remote logger.


713156-2 : AGC cannot do redeploy in Exchange and ADFS use cases

Component: Access Policy Manager

Symptoms:
In AGC exchanges or Active Directory Federation Services (ADFS) configurations, the system creates an SSL HTML form and SSO HTML form control object. Because of the limitation of ICRD, the system cannot directly delete SSO HTML form control objects.

Conditions:
-- Redeploy occurs in an AGC exchange ADFS configuration.
-- Modifying existing configurations.

Impact:
Redeploy fails, and the configuration remains unmodified.

Workaround:
Do an undeploy, followed by a deploy.

Fix:
Redeploy now succeeds when using AGC with Exchange and ADFS use cases.


713150 : Portal Access: correct processing of JavaScript code with template literals

Component: Access Policy Manager

Symptoms:
Modern JavaScript includes template literals, but Portal Access does not support them.

Conditions:
JavaScript code with template literals, for example:

var a = Func `current location ${window.location}`;

Impact:
Web application may not work correctly.

Workaround:
There is no workaround at this time.

Fix:
Portal Access can process JavaScript code with template literals.


713138-1 : TMUI ILX Editor inserts an unnecessary linefeed

Component: TMOS

Symptoms:
If you use the TMUI editor for ILX, the system appends a linefeed character every time you save. This is not usually apparent, but if you edit the file, then delete your changes, and then save it, it will still register as changed.

A message indicates the need to refresh the workspace, and the actual content of the file will change, but not the functionality.

Conditions:
Edit a workspace file in ILX via the TMUI editor (i.e., the GUI).

Impact:
File contents can change unexpectedly and have needless characters at the end.

Workaround:
Use TMSH or a different editor, that is not TMUI, to change those files.

Fix:
TMUI no longer appends a linefeed character when saving.


713134 : Small tmctl memory leak when viewing stats for snapshot files

Component: TMOS

Symptoms:
When viewing statistics for snapshot files, tmctl leaks a small amount of memory and displays the message:

tmctl: BUG: tmstat_dealloc invoked on a handle with rows outstanding; release all rows before calling tmstat_dealloc at <address>

Conditions:
Using tmctl to view statistics of snapshot files, for example:
tmctl -D /shared/tmstat/snapshots memory_usage_stat -s time,name,allocated,max_allocated name=access

Impact:
Errors written to output when running tmctl. The leak itself is very small and is only for tmctl (i.e., it does not have a cumulative, detrimental effect on the system that a TMM or MCP leak might).

Workaround:
None.

Fix:
This issue no longer occurs when using tmctl to view statistics for snapshot files.


713111 : When ASM and APM are configured on the same virtual server, ASM might report some errors in its logging.

Component: Access Policy Manager

Symptoms:
When APM (SSO feature) and ASM are configured on the same virtual server, WebSSO recreates requests on 401 responses. Such requests have the same support ID, so ASM logs errors.

Conditions:
APM (WebSSO) and ASM are configured on same virtual server.

Impact:
ASM might potentially block such requests, so APM SSO functionality may not work.

Workaround:
There is no workaround except to not configure APM (WebSSO) and ASM on same virtual server.

Fix:
This issue has been fixed.


713066 : Connection failure during DNS lookup to disabled nameserver can crash TMM

Solution Article: K10620131

Component: Global Traffic Manager (DNS)

Symptoms:
TMM restarts as a result of a DNS lookup to a disabled nameserver.

Conditions:
DNS lookup that tries to connect to a nameserver that is not reachable for some reason.

This could be an explicit 'RESOLV::lookup' command in iRule, or it could be DNS lookups internally triggered by APM or HTTP.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
Verify connectivity to nameserver.

As an alternative, refrain from using RESOLV::lookup in iRules.

Fix:
This issue is now fixed.


713011 : Parameter handling and Ajax support for all HTTP request methods

Component: Fraud Protection Services

Symptoms:
Parameters can be configured only for GET or POST HTTP request methods.

Conditions:
Need to protect parameters of HTTP request method that is not GET or POST.

Impact:
Parameters on HTTP requests that are not GET or POST cannot be configured.

Workaround:
None.

Fix:
Parameter handling and Ajax support for all HTTP request methods are now available.


712857 : SWG-Explicit rejects large POST bodies during policy evaluation

Component: Access Policy Manager

Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 128 KB limit on POST bodies while the policy is being evaluated.

The system posts an error message similar to the following in /var/log/apm:
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048

Conditions:
This applies only during policy evaluation. After the policy has been set to 'Allow', there is no limit to the POST body.

Impact:
Unable to start an SWG-Explicit policy with a large POST body.

Workaround:
None.

Fix:
This release introduces the db variable 'tmm.access.maxrequestbodysize'. You can avoid this issue by setting it to a value larger than the POST body (that is, larger than the 128 KB limit). The maximum supported value is 25000000 (25 MB).


712819 : 'HTTP::hsts preload' iRule command cannot be used

Component: Local Traffic Manager

Symptoms:
When you use the 'HTTP::hsts preload' iRule command in the GUI, you might see an error message similar to the following:
01070151:3: Rule [/Common/test] error: /Common/test:3: error: ["invalid argument preload; expected syntax spec: "][HTTP::hsts preload enable].

The message is incorrect: the command has the correct format. However, the system does not run it.

Conditions:
Using the 'HTTP::hsts preload' iRule command in the GUI.

Impact:
The command does not run. Cannot use the 'HTTP::hsts preload' iRule command in the GUI.

Workaround:
None.

Fix:
'HTTP::hsts preload' iRule command now works as expected.


712710-2 : TMM may halt and restart when threshold mode is set to stress-based mitigation

Component: Advanced Firewall Manager

Symptoms:
When an auto-DoS vector's threshold mode is set to stress-based mitigation but the vector is in the disabled state, TMM may halt and restart.

Conditions:
-- Threshold mode is set to stress-based mitigation.
-- Vector is disabled.

Impact:
TMM restarts. Traffic disrupted while TMM restarts.

Workaround:
There is no workaround other than not setting threshold mode to stress-based mitigation if the vector is disabled.

Fix:
TMM no longer restarts when threshold mode is set to stress-based mitigation and the vector is in disabled state.


712664 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address

Component: Local Traffic Manager

Symptoms:
IPv6 Neighbor Solicitation (NS) messages may be dropped when they are destined for a host on the remote VLAN of a transparent vlangroup and the target address matches a virtual address that has ARP disabled.

Conditions:
-- Transparent vlan-group.
-- Virtual address with ARP disabled.
-- Virtual address corresponds to a remote IPv6 host address.

Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.

Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.

Fix:
IPv6 NS is no longer dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address.


712653-1 : A GTM global variable has been added to "force invalid NS names" for all auto-generated zones for WideIPs.

Solution Article: K32518458

Component: Global Traffic Manager (DNS)

Symptoms:
Fallback to BIND is enabled by default. If the GTM hostname is not a name under a domain you control, the device could be exposed to DNS hijacking.

Conditions:
GTM automatically creates a zone file using the GTM hostname. If Fallback to BIND is turned on and the Wide IP goes down, BIND responds with an answer that has NS records in the authority section.

Impact:
If the device uses an unregistered hostname, a third party could register it and hijack the domain.

Workaround:
Workaround A:
- Change the hostnames on the GTMs to be a label within a domain you own.
- Change the NS records in all the autogenerated zones that are not already pointing at a real domain to point at this hostname.

Workaround B:
- Turn off Fallback to BIND

Fix:
A GTM global variable has been added to "force invalid NS names" for all auto-generated zones for WideIPs.
This variable is enabled by default for security purposes. This must be a gtm global so that it is synced.
If this value is "true/enabled" then ".invalid." is appended to the BIG-IP's hostname. (See RFCs 6761 and 2606).
This is the recommended way to build DNS names that should not escape into the public domain.


712637 : Host header persistence not implemented

Component: Local Traffic Manager

Symptoms:
Online documentation describes a persistence mechanism that uses the HTTP Host: header. However, this mechanism is not implemented, and attempts to use it generate an error.

Conditions:
Online help for ltm persistence says that Host persistence can be enabled via iRule, but attempting to do so generates an error 'invalid argument host'.

Impact:
Although this does not impact any existing functionality, the documented function is not available.

Workaround:
There is no workaround at this time.

Fix:
LTM Host: header persistence is implemented.


712475 : DNS zones without servers will prevent DNS Express reading zone data

Solution Article: K56479945

Component: Local Traffic Manager

Symptoms:
DNS Express does not answer queries (for example, from dig).

Conditions:
DNS Express is configured with a zone that has no server.

Impact:
DNS Express does not answer queries (for example, from dig).

Workaround:
You can use either of the following workarounds:
-- Remove the zone without the server.
-- Configure a server for the zone.

Fix:
DNS zones without servers no longer prevent DNS Express reading zone data.


712437 : Records containing hyphens (-) will prevent child zone from loading correctly

Solution Article: K20355559

Component: Local Traffic Manager

Symptoms:
The dig command returns no record (only the SOA of the parent zone) even though dnsxdump shows that the record exists.

Conditions:
-- Parent zone has a record containing - (a hyphen) and the preceding characters match the child zone. For example,
 myzone.com -- parent
 foo.myzone.com -- child
 
-- In myzone.com, you have a record of the following form:
foo-record.myzone.com

Impact:
DNS cannot resolve records correctly.

Workaround:
None.

Fix:
DNS now handles the case in which the parent zone has a record containing - (a hyphen) and the preceding characters match the child zone.
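The two DNS naming issues above, 712653 (NS records pointing at a hostname nobody owns) and 712437 (a record name that merely shares a prefix with a child zone), both come down to comparing DNS names as whole labels rather than as strings. The Python below is an added example, not F5 code: a label-boundary zone-membership test, the string-suffix check it replaces shown for contrast, and a small audit that flags NS targets in BIND-style zone text that sit under neither a domain you own nor .invalid. The zone text and host names are constructed placeholders, and the parser only handles single-line records with an explicit owner.

```python
from typing import List, Optional, Tuple


def _labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def name_in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it.

    Labels are compared from the right as whole labels, so
    'foo-record.myzone.com' is below 'myzone.com' but not below
    'foo.myzone.com' (the 712437 case), and 'evilexample.com' is not
    below 'example.com'.
    """
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def naive_in_zone(name: str, zone: str) -> bool:
    """The plain string-suffix check, shown for contrast only.

    It ignores label boundaries, so 'evilexample.com' appears to be
    inside 'example.com'.
    """
    return name.rstrip(".").lower().endswith(zone.rstrip(".").lower())


def closest_zone(name: str, zones: List[str]) -> Optional[str]:
    """Most specific zone (most labels) containing name, or None."""
    matches = [z for z in zones if name_in_zone(name, z)]
    return max(matches, key=lambda z: len(_labels(z))) if matches else None


def parse_ns_records(zone_text: str) -> List[Tuple[str, str]]:
    """Extract (owner, target) pairs for NS records from BIND-style zone text.

    Handles the common 'owner [TTL] [IN] NS target' layout; ';' starts a
    comment and lines beginning with '$' are directives. Records without an
    explicit owner, $ORIGIN handling and multi-line records are out of scope.
    """
    records = []
    for raw in zone_text.splitlines():
        parts = raw.split(";", 1)[0].split()
        if len(parts) < 3 or parts[0].startswith("$"):
            continue
        for i in range(1, len(parts) - 1):
            if parts[i].upper() == "NS":
                records.append((parts[0], parts[i + 1]))
                break
    return records


def audit_ns_targets(zone_text: str, owned_domains: List[str]) -> List[Tuple[str, str]]:
    """NS records whose target is under neither an owned domain nor .invalid.

    These are the 712653 hijack risk: if the target name is unregistered,
    a third party can register it and answer for the zone.
    """
    safe_parents = list(owned_domains) + ["invalid"]
    return [
        (owner, target)
        for owner, target in parse_ns_records(zone_text)
        if not any(name_in_zone(target, parent) for parent in safe_parents)
    ]


# Constructed sample (not a real dump): what an auto-generated WideIP zone
# might look like when one GTM hostname is not under a registered domain.
SAMPLE_ZONE = """\
; constructed sample, not a real zone dump
$TTL 300
www.example.com.  IN SOA  gtm1.example.com. hostmaster.example.com. 1 3600 600 86400 300
www.example.com.  IN NS   gtm1.example.com.
www.example.com.  IN NS   gtm2.bigip-lab.
app.example.com.  IN NS   gtm3.example.com.invalid.
"""

if __name__ == "__main__":
    for owner, target in audit_ns_targets(SAMPLE_ZONE, ["example.com"]):
        print(f"{owner} NS {target}: target is under neither an owned domain nor .invalid")
```

Run it against the output of a zone dump from the BIG-IP (or the autogenerated zone files) with your own domains in owned_domains; any line it prints is an NS target that workaround A or the new ".invalid" setting should take care of.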


712401 : Enhanced administrator lock/unlock for Common Criteria compliance

Component: TMOS

Symptoms:
The Network Device and Firewall collaborative Protection Profiles v2.0 require certain behavior for locking and unlocking administrative-user accounts on the BIG-IP system. BIG-IP software needs to be enhanced for compliance with those requirements.

Conditions:
The ccmode script must be run to activate these enhancements. Also, see the Common Criteria Guidance document (published when the certificate is obtained) for more details.

Impact:
Without these enhancements activated, the BIG-IP system is not compliant with Common Criteria requirements.

Workaround:
Risk acceptance for Common Criteria non-compliance.

Fix:
To meet Common Criteria requirements, the BIG-IP system is enhanced in two areas:

1. The primary administrative user account (generally 'admin') can be locked out, as any other administrative-user account can be. However, it is never locked out when signing in from the serial console.

2. Locked out administrative-users are unlocked only after an administrator-specified time period has passed. The default is 10 minutes, and is set in the ccmode script.


712378 : Permission is denied when accessing iRulesLX workspace

Component: Local Traffic Manager

Symptoms:
Attempting to access the iRulesLX workspace page after a workspace has been created will result in an error similar to:

General database error retrieving information.General error: 01070711:3: boost::filesystem::status: Permission denied: "/var/ilx/workspaces/Common/ilxtest_ws/rules/ilx-test-rule.tcl" in statement [SELECT COUNT(*) FROM dev_workspace WHERE name LIKE '%']

Conditions:
It happens after the workspace is created.

Impact:
Cannot access the iRules LX workspace.

Workaround:
Running 'setenforce 0' allows you to access the GUI page and work normally. Note that this puts SELinux into permissive mode for the whole system, not just for this page; run 'setenforce 1' to return to enforcing mode when you are done.

Fix:
This problem is fixed in v14.1.0.


712362 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase

Component: Application Security Manager

Symptoms:
When the WebSocket HTTP handshake response arrives without the 'Switching Protocols' reason phrase on its status line, ASM does not forward subsequent WebSocket frames on that connection.

The system posts the following messages in /ts/log/bd.log:
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0269|101 Switching Protocols HTTP status arrived, but the websocket hanshake failed.
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0270|Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.

Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- WebSocket backend server sends 101 response without the 'Switching Protocols' phrase.

Impact:
WebSocket frames stall.

Workaround:
#1 Change the backend server:
Change WebSocket backend server to return 101 response to include the 'Switching Protocols' reason phrase:

HTTP/1.1 101 Switching Protocols


#2 Use an iRule:
when SERVER_CONNECTED {
    # hold the first 15 bytes of the server response, enough for "HTTP/1.1 101 \r\n"
    TCP::collect 15
}
when SERVER_DATA {
    # status line with an empty reason phrase: insert 'Switching Protocols'
    if { [TCP::payload 15] starts_with "HTTP/1.1 101 \r\n" } {
        TCP::payload replace 0 13 "HTTP/1.1 101 Switching Protocols "
    }
    # release the collected bytes so the handshake and the frames that follow flow on
    TCP::release
}

Fix:
This release correctly handles 101 responses even without the 'Switching Protocols' reason phrase.


712266 : Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware

Component: TMOS

Symptoms:
Messages like the following may show up in /var/log/ltm:

-- crit tmm5[28908]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=11): ctx dropped.

This occurs because the decompression of large compressed data failed.

Conditions:
This issue occurs when compressed data cannot be decompressed in a single request to the Nitrox 3 hardware accelerator.

Impact:
Requests fail with a connection reset.

Workaround:
Use zlib software decompression.

Fix:
This release fixes this decompression issue in the Nitrox 3 driver.


712126 : slf4j Vulnerability: CVE-2018-8088

Component: TMOS

Symptoms:
An XML deserialization vulnerability was discovered in slf4j's EventData, which accepts an XML serialized string and can lead to arbitrary code execution.

Conditions:
A version of slf4j affected by CVE-2018-8088 is present on the BIG-IP system.

Impact:
None. This vulnerability does not impact BIG-IP in any default, standard or recommended configuration.

Workaround:
None.

Fix:
Updated slf4j.


712102 : customizing or changing the HTTP Profile's IPv6 field hides the field or the row

Solution Article: K11430165

Component: TMOS

Symptoms:
Customizing or changing the HTTP Profile's IPv6 field hides the field or the row.

Conditions:
Customizing or changing the HTTP Profile's IPv6 field.

Impact:
The HTTP Profile's IPv6 field cannot be customized or changed.

Workaround:
Use tmsh to set the HTTP Profile's IPv6 field.

Fix:
Customizing or changing the HTTP Profile's IPv6 field doesn't hide the field or the row.


712033 : When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name

Component: TMOS

Symptoms:
When you make a REST request to association list in /stats you get a duplicate name in the selfLink after members in both the entries and the selfLink, e.g.:

# restcurl -X GET -u admin /tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats
{
  "kind": "tm:ltm:pool:members:membersstats",
  "generation": 3,
  "selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats?ver\u003d14.0.0",
  "entries": {
    "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/~Common~node1:8105/stats": {

Conditions:
When making a REST request to an object in /stats that is an association list.

Impact:
The selfLink has a duplicate name. SelfLinks for associations do not work.

Workaround:
None.

Fix:
This version uses the full path, so the issue no longer occurs, e.g.:

# restcurl -X GET -u admin /tm/ltm/pool/~Common~pool1/members/~Common~node1:8103/stats


712010 : /proc/swaps is collected in qkview

Component: TMOS

Symptoms:
Not applicable. /proc/swaps is collected in qkview for getting additional information on system state for debugging purposes.

Conditions:
Not applicable.

Impact:
None

Workaround:
Collect the /proc/swaps file manually and share it with F5 for debugging if needed.

Fix:
/proc/swaps is collected in qkview for getting additional information on system state for debugging purposes.


711981 : BIG-IP system accepts larger-than-egress MTU, PMTU update

Component: Local Traffic Manager

Symptoms:
A Path MTU (PMTU) message can lead the BIG-IP system to falsely assume that the egress MTU of the related flow is larger than the interface egress MTU.

Conditions:
A valid PMTU message.

Impact:
The BIG-IP system sends packets larger than the configured interface egress MTU.

Workaround:
None.

Fix:
The BIG-IP system now limits the flow egress MTU to the interface egress MTU.


711879-1 : Web GUI can sometimes display the wrong cert and key for a GTM monitor that has the same name as some LTM monitor.

Component: TMOS

Symptoms:
The web GUI displays an incorrect value for cert and key for a GTM monitor.

Conditions:
The GTM monitor has the same name as an LTM monitor.

Impact:
Incorrect data can be presented regarding the GTM monitor's cert and key.

Workaround:
Use TMSH to display the correct cert and key.


711818 : Connection might get reset when coming to virtual server with offload iRule

Component: Application Security Manager

Symptoms:
When IN_DOSL7_ATTACK event is triggered, and iRule has an async command in it, events might be released out of order, causing connection RST.

Conditions:
1. Have DoS profile with iRule turned on.
2. iRule is async (such as wait, DNS resolving, etc.).
3. Send POST request.

Impact:
Connection receives a RST.

Workaround:
There is no workaround at this time.

Fix:
Modified event ordering, which avoids connection RST.


711683 : bcm56xxd crash with empty trunk in QinQ VLAN

Component: TMOS

Symptoms:
When an empty trunk (no members) is configured 'tagged' in a QinQ VLAN, bcm56xxd will continuously crash.

Conditions:
Trunk with no members, configured as 'tagged' in a QinQ VLAN.

Impact:
bcm56xxd continuously crashes.

Workaround:
Use either of the following workarounds:
-- Add members to the trunk.

-- Remove the trunk from the QinQ VLAN.

Fix:
Do not program QinQ switch hardware if the trunk has no members.


711570 : PEM iRule subscriber policy name query using subscriber ID, may not return applied policies

Component: Policy Enforcement Manager

Symptoms:
PEM::subscriber config policy get <subscriber id> does not return policy names

Conditions:
PEM iRule using subscriber ID to get policy name.

Impact:
Subscriber policy names are not returned.

Workaround:
Use PEM::subscriber config policy get <IP address> instead.

Fix:
Subscriber policy names are now returned when running PEM iRules using subscriber ID to get policy names.


711427 : Edge Browser does not launch F5 VPN App

Component: Access Policy Manager

Symptoms:
On Microsoft Windows 10, when you use the Edge browser to establish a VPN, Edge does not launch the F5 VPN app.

Conditions:
On Windows 10, use Edge Browser to establish VPN.

Impact:
APM end user cannot establish VPN tunnel using Edge Browser.

Workaround:
Use Mozilla Firefox or Google Chrome.

Fix:
The Edge browser on Windows 10 now launches the F5 VPN app to establish VPN connections.


711405 : ASM GUI Fails to Display Policy List After Upgrade

Solution Article: K14770331

Component: Application Security Manager

Symptoms:
After upgrade to version 13.1.0 or later, ASM GUI fails to display the Policy List.

Conditions:
Using an 11.5.0 to 11.5.4-HF1 version that is affected by the issue of policies with duplicate REST IDs that occurred after restoring from policy history or using Policy Diff to compare policies.

Impact:
The ASM GUI started using the REST API in version 13.1.0, so any system that was affected by this issue on a previous version now fails to display the Policy List in the GUI.

Workaround:
On the device, run the following script (it edits the ASM configuration database directly, so save a UCS archive first):
---------------------------------
perl -MF5::DbUtils -MF5::Utils::Rest -MF5::ASMConfig::Entity::Policy -e '$dbh = F5::DbUtils::get_dbh();
 $dbh->begin_work();
 $dbh->do("UPDATE PLC.PL_POLICIES a SET a.rest_uuid = \"\" WHERE a.rest_uuid IN ( SELECT rest_uuid FROM (SELECT rest_uuid FROM PLC.PL_POLICIES GROUP BY rest_uuid having count(*) > 1) b)");
 F5::Utils::Rest::populate_uuids(dbh => $dbh);
 $dbh->commit();'
---------------------------------
Note: In a device-group (config sync) environment, this change must be pushed to the peers as a full sync. The easiest way to do so is to ensure that the ASM sync device group is in manual sync mode, and to push the config to the peers from the device where the script was run.

Fix:
This data inconsistency is now repaired on upgrade, and the GUI loads the policy list successfully.


711281 : nitrox_diag may run out of space on /shared

Component: Local Traffic Manager

Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.

Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.

Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.

Workaround:
The only workaround is to ensure there is enough free space for the files to be created.

In general, planning enough space for two copies of a tmm core file and two copies of a qkview works; that might require approximately one gigabyte, though more might be needed for systems with a large amount of RAM.

Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.


711249 : NAS-IP-Address added to RADIUS packet unexpectedly

Component: TMOS

Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.

Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.

Impact:
Authentication does not work as it has invalid/unrecognized source NAS-IP-Address.

Workaround:
Configure a cluster member IP address, or define the hostname and address via global-settings remote-host.


711093 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.

Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).

Impact:
PEM sessions remain in marked-for-delete state.

Workaround:
None.

Fix:
PEM sessions no longer stay in the marked-for-delete state after session delete


710996 : VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP

Component: Local Traffic Manager

Symptoms:
The behavior of outgoing IPv6 management traffic and IPv4 management traffic from the primary blade differs:
-- IPv4 traffic is sourced from the cluster IP.
-- IPv6 traffic is sourced from the cluster member IP.

Conditions:
IPv6 configured on the 'cluster' address and 'cluster member' address.

Impact:
The blade IP address, rather than the cluster floating IP, will be used as the source IP when querying the RADIUS server for remote-auth login against the management port.

Workaround:
There is no workaround at this time.


710911 : Cannot filter Protocol Inspections display based on Action 'Don't Inspect'

Component: Protocol Inspection

Symptoms:
When reviewing a Protocol Inspection profile, it is possible to filter the inspections by the configured Action, except for 'Don't Inspect'. If you select 'Don't Inspect', no inspections are displayed.

'Accept', 'Drop', and 'Reject' all work as expected.

Conditions:
Protocol Inspection provisioned and configured with at least one policy.

Impact:
Difficulty in bulk editing or reviewing inspections with Action set to 'Don't Inspect.'

Workaround:
There is no workaround at this time.

Fix:
Can now filter Protocol Inspections display based on Action 'Don't Inspect'


710884 : Portal Access might omit some valid cookies when rewriting HTTP request.

Component: Access Policy Manager

Symptoms:
Portal Access is not sending certain cookies to the backend application.

Conditions:
-- Request path and cookie path are equal.
-- The last character of request path is not a forward slash (/).

Impact:
Backend application does not receive some cookies and may decide that APM end users are not authenticated, when they are.

Workaround:
There is no workaround at this time.

Fix:
Fixed an issue in Portal Access which could cause web-applications to lose some valid cookies.
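Issue 710884 is a cookie path-matching bug: when the request path equals the cookie path and has no trailing slash, the cookie was dropped. RFC 6265 section 5.1.4 says an identical path always matches. The Python below is an added example, not APM's code: the RFC path-match and default-path rules, a reconstruction of a missing-identity-branch failure (an assumption about the shape of the bug, not a description of APM internals) that reproduces exactly the two conditions listed above, and a Cookie header builder run over a constructed cookie jar.

```python
from typing import List, Tuple


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match.

    A request-path path-matches a cookie-path when:
      - they are identical, or
      - cookie-path is a prefix of request-path and either cookie-path ends
        with '/' or the next character of request-path is '/'.
    """
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def buggy_path_matches(request_path: str, cookie_path: str) -> bool:
    """Reconstruction of the failure mode (assumed, not APM's code): no identity branch.

    With request path '/app' and cookie path '/app' this returns False, so
    the cookie is dropped; with '/app/' and '/app/' it still works because
    cookie-path ends with '/'. That is the condition pair in 710884.
    """
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return (len(request_path) > len(cookie_path)
            and request_path[len(cookie_path)] == "/")


def default_path(request_uri_path: str) -> str:
    """RFC 6265 section 5.1.4 default-path for a Set-Cookie with no Path attribute."""
    if not request_uri_path.startswith("/"):
        return "/"
    cut = request_uri_path.rfind("/")
    return "/" if cut == 0 else request_uri_path[:cut]


Cookie = Tuple[str, str, str]  # (name, value, path)


def cookie_header(jar: List[Cookie], request_path: str, matcher=path_matches) -> str:
    """Build the Cookie header value a client (or rewriting proxy) should send.

    Per RFC 6265 section 5.4, cookies with longer paths are listed first.
    """
    selected = [c for c in jar if matcher(request_path, c[2])]
    selected.sort(key=lambda c: len(c[2]), reverse=True)
    return "; ".join(f"{name}={value}" for name, value, _ in selected)


# Constructed sample jar: a session cookie scoped to the application path,
# a CSRF token scoped to a sub-path, and a site-wide preference cookie.
SAMPLE_JAR: List[Cookie] = [
    ("JSESSIONID", "abc123", "/app"),
    ("csrf", "t0k3n", "/app/admin"),
    ("lang", "en", "/"),
]

if __name__ == "__main__":
    for path in ("/app", "/app/", "/app/admin/users", "/application"):
        print(path, "-> correct:", cookie_header(SAMPLE_JAR, path) or "(none)")
        print(path, "-> buggy:  ", cookie_header(SAMPLE_JAR, path, buggy_path_matches) or "(none)")
```

For the request path '/app' the correct matcher sends JSESSIONID and lang, while the buggy matcher sends only lang, which is what a backend would see as an unauthenticated user.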


710858 : tmm crash due to a bad HA header

Component: Local Traffic Manager

Symptoms:
tmm crashes in the extremely rare situation that an HA header gets corrupted.

Conditions:
This can occur during normal tmm operation while Device Service Clustering is configured.

Impact:
Traffic disrupted while tmm restarts.

Fix:
A tmm crash has been fixed.


710827 : TMUI dashboard daemon stability issue

Component: TMOS

Symptoms:
Some dashboard requests may cause a crash of TMUI dashboard daemons, affecting the TMUI dashboard.

Conditions:
Request sent to BIG-IP dashboard.

Impact:
Only the TMUI dashboard goes offline. Other TMUI functionality is not affected by this issue.

Workaround:
None available.

Fix:
Correct exception handling has been added, which prevents the TMUI dashboard service failure.


710705 : Multiple Wireshark vulnerabilities

Solution Article: K34035645


710666 : VE with interface(s) marked down may report high cpu usage

Component: TMOS

Symptoms:
The "tmm" process may appear to be running at 90% or above in linux cpu reporting utilities such as "top" or "ps", even if the system is not handling a large amount of traffic.

In this case, "tmsh show sys tmm-info" continues to report tmm's cpu usage accurately.

Conditions:
- BIG-IP Virtual Edition
- One or more interfaces configured and used in the BIG-IP configuration is marked down

Impact:
tmm consumes cpu cycles even when idle. This may impact other guests running on the same hardware if the hypervisor has oversubscribed its cpu resources.

Workaround:
Disable any interface that is currently marked down.

For example:
  tmsh modify net interface 1.1 disabled

and then restart tmm:
  bigstart restart tmm


710655 : In APM Citrix Storefront Integration mode ICA file returns duplicate TransportReconnectEnabled parameter

Component: Access Policy Manager

Symptoms:
In APM Citrix Storefront Integration mode, the ICA file returns a duplicate TransportReconnectEnabled parameter when Storefront is configured in Internal-only mode.

Conditions:
-- Citrix Storefront is configured with LTM and APM.
-- Storefront is configured in Internal-only mode (i.e., no remote access enabled).
-- While launching the application from the portal, ICA file returns a duplicate parameter for TransportReconnectEnabled.

Impact:
Citrix Receiver might misinterpret this ICA parameter. No immediate visible impact is seen.

Workaround:
None.

Fix:
APM now properly returns the ICA parameter TransportReconnectEnabled.


710493 : Nitrox PX recovery failure will not retry as it was designed to.

Component: Local Traffic Manager

Symptoms:
The Nitrox PX encounters an error and performs a soft reset. If the soft reset fails, no further recovery attempts are made: the device remains offline and no failsafe action is triggered.

Conditions:
When a Nitrox PX device starts recovery and the soft reset procedure fails to complete successfully, the driver only logs the failure.

Impact:
Whenever a Nitrox PX soft reset fails, the device is left offline and remains unusable until TMM is restarted or the BIG-IP system is rebooted. No retries are attempted even though the driver is designed to retry three times before triggering the failsafe action.

Workaround:
To recover service to the Nitrox PX devices once this occurs, issue the following command to restart tmm:
bigstart restart tmm

Note: Traffic will be disrupted while tmm restarts.

Fix:
The system now triggers another reset sequence at the next opportunity when a soft reset fails.


710424 : Possible SIGSEGV in GTMD when GTM persistence is enabled.

Solution Article: K00874337

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM persistence is enabled, GTMD may occasionally crash and restart.

Conditions:
GTM persistence is enabled.

Impact:
GTMD may occasionally restart.

Workaround:
Disable GTM persistence.

Fix:
GTMD will no longer crash and restart when persistence is enabled.


710410 : TMM hardware accelerated compression not registering for all compression levels.

Component: TMOS

Symptoms:
DEFLATE/gzip compression levels other than level 1 bypass the hardware accelerator and are serviced in software, resulting in higher CPU utilization and slower compression times.

Conditions:
-- Compression requests for DEFLATE/gzip levels other than level 1.
-- BIG-IP devices using Cave Creek SSL hardware acceleration.

Impact:
Compression requests serviced by software are scheduled on local CPUs. During heavy compression traffic, overall system traffic flow may be reduced. Compression requests serviced in software may take significantly longer to complete.

Workaround:
None.

Fix:
Hardware accelerator correctly registers for all DEFLATE/gzip compression levels, not just level 1.


710355 : High CPU when using HTTP::collect for large chunked payloads

Component: Local Traffic Manager

Symptoms:
When collecting large amounts of chunked payload, approximately one million bytes, the processing to parse each chunk for the chunk headers and offsets results in large CPU utilization.

Conditions:
-- HTTP profile is attached to virtual server.
-- Server sends chunked response.
-- An iRule on the virtual server uses the HTTP::collect command to collect and parse large chunked payloads.

Impact:
High CPU utilization.

Workaround:
None.


710315 : AVR-profile might cause issues when loading a configuration or when using config sync

Component: Application Visibility and Reporting

Symptoms:
Some fields in AVR-profile contain lists of items. Those lists can be set only if the relevant flag is set to 'true'. In case of a flag configuration change, the system must keep the lists as they were and not reset them, so they can be available in case the flag changes back again.

Validation was written with the list flag set to 'true' by default, which can break the load/merge process if a list was set and the flag was afterwards set to 'false'.

Conditions:
Setting the relevant flag to 'false' after creating a list of items.

The relevant fields in AVR-profile that have that logic are:
-- IPs-list.
-- Subnets-list.
-- Countries-list.
-- URLs-list.

Impact:
Management load and sync process may not work as expected.

Workaround:
None.

Fix:
Validation for those fields when the associated flag is set to 'false' will be skipped in a load/merge scenario.


710305 : When ASM and APM are configured on the same virtual server, ASM could throw some errors in its logging.

Component: Access Policy Manager

Symptoms:
When ASM and APM WebSSO are on same virtual server, WebSSO might generate a new request. When that happens, ASM might see multiple requests with same support ID. This can cause issues with ASM and log errors.

Conditions:
When APM WebSSO is configured (only for Basic, NTLM, Kerberos).

Impact:
ASM stops processing the HTTP requests that have duplicate support IDs, causing an issue to ASM/APM end users.

Workaround:
None.

Fix:
When ASM and APM WebSSO are on same virtual server, WebSSO no longer generates a new request, so duplicate support IDs are no longer created.


710277 : IKEv2 further child_sa validity checks

Component: TMOS

Symptoms:
A tmm restart can occur when a child_sa is rekeyed at expiration time, provided a race condition occurs.

Conditions:
A race condition allows a child_sa to be destroyed while it is still in use, so rekeying that child_sa can core tmm.

Impact:
Restart of tmm and outage of IPsec tunnels until renegotiated.

Workaround:
None.

Fix:
The validity of a child_sa and its traffic selector are checked now before use, to prevent failure when freed objects are accidentally used.


710246 : DNS-Express was not sending out NOTIFY messages on VE

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express is not sending out NOTIFY messages on BIG-IP Virtual Edition (VE).

Conditions:
-- DNS Express configured to send out NOTIFY messages.
-- Running on BIG-IP VE configuration.

Impact:
DNS secondary servers serving stale data.

Workaround:
There is no workaround at this time.

Fix:
DNS Express now sends out NOTIFY messages on VE.


710244 : Memory Leak of access policy execution objects

Solution Article: K27391542


710238 : glibc Vulnerabilities: CVE-2015-5180 CVE-2018-1000001 CVE-2017-15670 CVE-2017-12132 CVE-2014-9402 CVE-2017-1000366 CVE-2017-15804

Solution Article: K55001100


710232 : platform-migrate fails when LACP trunks are in use

Component: TMOS

Symptoms:
Use of the platform-migrate option might fail due to some configurations being invalid on the new system. The error message generated appears as follows:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform.

Conditions:
-- You have a trunk with LACP enabled.
-- You are migrating from a hardware platform to a Virtual Edition (VE).

Impact:
Configuration fails to migrate.

Workaround:
After taking the old system offline, but before saving the UCS, disable LACP on all trunks.


710221 : Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled

Solution Article: K67352313

Component: Local Traffic Manager

Symptoms:
In a high availability (HA) configuration, an FQDN template node on the 'active' unit is set to 'Force Offline' and the configuration is synchronized to the 'standby' unit. When that FQDN template node is then set to 'Enable' on the 'active' unit (and the configuration is again synchronized to the 'standby' unit), the ephemeral nodes associated with that FQDN template node remain Unavailable on the 'standby' unit.

Conditions:
-- HA configuration with 'active' sync.
-- FQDN template node is configured.
-- After ephemeral nodes are refreshed on the 'active' unit, it transitions to the 'standby' unit.
-- The FQDN template node on the (new-'active') unit is set to 'Force Offline' by the user.
-- The user explicitly sets that FQDN template node to 'Enable' on the 'active' unit.

Impact:
The ephemerals on the 'standby' unit remain unavailable, even though the associated FQDN template node is 'available'. However, as no traffic is routed to the 'standby' unit, traffic is unaffected. Upon transition from 'standby' to' active', the ephemeral nodes will be refreshed and traffic should continue.

Workaround:
You can use either of these configuration options to prevent this issue from occurring:
-- Select 'Disabled' (rather than 'Force Offline') for the FQDN template node on the 'active' unit.
-- Configure the node without using FQDN.

Fix:
Upon 'Force Offline' and then 'Enable' for an FQDN template node on an 'active' unit in an HA configuration, the ephemerals on the 'standby' unit will reflect the re-enabled status based on the associated FQDN template-node on the 'active' unit.


710148 : CVE-2017-1000111 & CVE-2017-1000112

Solution Article: K60250153


710044 : Portal Access: same-origin AJAX request may fail in some case.

Component: Access Policy Manager

Symptoms:
If the base URL of the current HTML page contains an explicit default port number, a same-origin AJAX request from this page may fail via Portal Access.

Conditions:
- HTML page with explicit default port in base URL, for example:
  <base href='https://some.com:443/path/'>

- Same-origin AJAX request from this page, for example:
  var xhr = new XMLHttpRequest;
  xhr.open('GET', 'some.file');

Impact:
Web application may not work correctly.

Workaround:
You can use an iRule to remove the default port number from the encoded back-end host definition in Portal Access requests, for example:

when RULE_INIT {
  # hex-encoded string for 'https://some.com'
  set ::encoded_backend {68747470733a2f2f736f6d652e636f6d}
  # '3a343433' is the hex-encoded form of ':443'; the trailing '$' is the
  # literal delimiter that ends the encoded host in a Portal Access path
  set ::pattern "/f5-w-${::encoded_backend}3a343433\$"
  # indexes of the first and last character of '3a343433' within the path
  set ::remove_end [ expr { [ string length $::pattern ] - 2 } ]
  set ::remove_start [ expr {$::remove_end - 7} ]
}

when HTTP_REQUEST {
  # strip the encoded ':443' so the path matches the back-end definition
  if { [HTTP::path] starts_with "$::pattern" } {
    set path [ string replace [HTTP::path] $::remove_start $::remove_end "" ]
    HTTP::path "$path"
  }
}

Fix:
Now same-origin AJAX requests are handled correctly if URL contains default port number.
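As an added illustration (not code from F5 or from this document), the following Python models the rewrite the iRule workaround performs and generalizes it to both http and https with any back-end host. The path layout '/f5-w-<hex origin>$...' is assumed from the pattern used in the iRule.

```python
import re

# Hypothetical helper, not F5 code: models the Portal Access path rewrite.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumption: a Portal Access path starts with "/f5-w-", then the hex-encoded
# back-end origin, then a "$" delimiter followed by the rest of the path.
ENCODED_PATH = re.compile(r"^/f5-w-([0-9a-fA-F]+)(\$.*)$", re.S)


def encode_origin(origin: str) -> str:
    """Hex-encode an origin the way the iRule's constant does."""
    return origin.encode("ascii").hex()


def decode_origin(hex_origin: str) -> str:
    """Inverse of encode_origin; raises ValueError on malformed input."""
    return bytes.fromhex(hex_origin).decode("ascii")


def strip_default_port(path: str) -> str:
    """Return the path with an explicit default port removed from the encoded origin.

    Paths that are not Portal Access paths, that carry a non-default port, or
    whose hex blob does not decode are returned unchanged.
    """
    m = ENCODED_PATH.match(path)
    if not m:
        return path
    try:
        origin = decode_origin(m.group(1))
    except ValueError:
        return path
    scheme, sep, hostport = origin.partition("://")
    if not sep:
        return path
    host, colon, port = hostport.rpartition(":")
    # Only strip when the port is numeric and is the scheme's default port.
    # An IPv6 literal without a port ("[::1]") fails the isdigit() test.
    if not (colon and port.isdigit() and DEFAULT_PORTS.get(scheme) == int(port)):
        return path
    return "/f5-w-" + encode_origin(f"{scheme}://{host}") + m.group(2)
```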


710032 : 'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system.

Component: Global Traffic Manager (DNS)

Symptoms:
The BIG-IP system posts a 'No Access' error message instead of the virtual server's properties.

Conditions:
-- At least two BIG-IP systems in a sync group.
-- One of the BIG-IP systems has a partition that does not exist on the other with an LTM virtual server on that partition.
-- The issue occurs when a GSLB Server discovers that LTM virtual server and displays it on its virtual server page.

Note: This same error message displays for GSLB pool member properties accessed by navigating to GSLB :: pools :: [pool] :: members :: Member : Address. The differing issues have been fixed in differing releases. You can find information about the similar issue in the AskF5 Bug Tracker article for 722734.

Impact:
It makes the GSLB Server's virtual server's properties page unavailable in this case.

Workaround:
Use either of the following workarounds:
-- Use TMSH to view or edit the properties of that virtual server.
-- Create partitions on the GTM device to match those appearing to be referenced in the object names.

Fix:
Partition checking has been disabled for virtual servers on the GTM side, since a virtual server owned by a server is always in the partition of that server (/Common).


710028 : LTM SQL monitors may stop monitoring if multiple monitors querying same database

Component: Local Traffic Manager

Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.

When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:

[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'

then multiple, periodic instances of the following message, referencing the same connection string:

Abandoning hung SQL query: '<query string>' for: '<connection string>'

or:

<connection string>(<thread-number>): Hung SQL query; abandoning

Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.

And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.

Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.

Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.

To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.

Fix:
LTM SQL monitors continue monitoring when multiple monitors query the same server and database.


710017 : iControl SOAP/GUI cannot generate SSL certificate or CSR for password-protected SSL key

Solution Article: K10211160

Component: TMOS

Symptoms:
Cannot use iControl SOAP commands or the GUI to generate SSL certificate or CSR for a SSL key that is protected by password.

Conditions:
The SSL key is password-protected. That is, the key file begins with the following header:

[root@big3:Active:Standalone] shared # head -2 test12345.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED

Impact:
Unable to generate a certificate or CSR for a key using iControl SOAP or the GUI.

Workaround:
You can use the following workarounds:

Workaround A: Use tmsh to create the certificate or CSR. To do so, follow this procedure:
1. Run a command similar to the following:
tmsh create sys crypto cert test12345 key test12345 common-name cn
2. Enter the PEM pass phrase: <<input the key's password>>
3. Run a command similar to the following:
tmsh create sys crypto csr test12345 key test12345 common-name cn
4. Enter the PEM pass phrase: <<input the key's password>>

Workaround B: Generate the certificate and CSR file using OpenSSL commands and then import them onto the BIG-IP system.

1. Run a command similar to the following:
openssl req -x509 -sha256 -days 365 -key test12345.key -in test12345.csr -out test12345.crt
2. Enter the pass phrase for test12345.key: 12345
3. Run a command similar to the following:
tmsh install sys crypto cert test12345 from-local-file /shared/test12345.crt
4. Run a command similar to the following:
tmsh install sys crypto csr test12345 from-local-file /shared/test12345.csr

Fix:
Can now use iControl SOAP commands or the GUI to generate SSL certificate or CSR for a SSL key that is protected by password.
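As an added example (not F5 code), the following Python classifies a PEM private key as password-protected or not. The 'Proc-Type: 4,ENCRYPTED' header shown above identifies legacy OpenSSL keys; a PKCS#8 key signals encryption through its BEGIN label instead, so a practitioner checking for this condition should look for both. The sample keys are constructed placeholders.

```python
import re

# Hypothetical helper, not F5 code.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def key_protection(pem_text: str) -> str:
    """Return 'legacy-encrypted', 'pkcs8-encrypted', 'plain', or 'not-a-key'."""
    pem_text = pem_text.replace("\r\n", "\n")
    m = PEM_BLOCK.search(pem_text)
    if not m:
        return "not-a-key"
    label, body = m.group("label"), m.group("body")
    # PKCS#8: encryption is indicated by the label, with no Proc-Type header.
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    if not label.endswith("PRIVATE KEY"):
        return "not-a-key"
    # Legacy PEM: header lines precede the first blank line of the body.
    headers, _, _ = body.partition("\n\n")
    if re.search(r"^Proc-Type:\s*4,ENCRYPTED\s*$", headers, re.M):
        return "legacy-encrypted"
    return "plain"


# Constructed samples: the base64 bodies are placeholders, not key material.
LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n"
    "\n"
    "cGxhY2Vob2xkZXI=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PKCS8_ENCRYPTED = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "cGxhY2Vob2xkZXI=\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)
PLAIN = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "cGxhY2Vob2xkZXI=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "cGxhY2Vob2xkZXI=\n"
    "-----END CERTIFICATE-----\n"
)
```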


709979 : Apache Portable Runtime vulnerability CVE-2017-12613

Solution Article: K52319810


709963 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.

Component: Local Traffic Manager

Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.

Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.

Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.

Workaround:
Ensure the number of trunk interfaces is a power of 2: 2, 4, or 8.


709936-3 : Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.

Component: TMOS

Symptoms:
/var/log/boot.log has this error:
dhcp_config: save error: 01070911:3: The requested host (ntp-servers-ip) is invalid for servers in ntp (/Common/ntp).

Conditions:
- The BIG-IP system has DHCP enabled for management interface.
- Multiple NTP servers or domain-search are specified in the dhclient lease (stored at /var/lib/dhclient/dhclient.leases).

Impact:
- DNS and NTP servers are not configured in MCPD.
- Name resolution can break.

Workaround:
None.

Fix:
Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.


709828 : fasthttp can crash with Large Receive Offload enabled

Component: Local Traffic Manager

Symptoms:
fasthttp and lro can lead to a tmm crash.

Conditions:
fasthttp and LRO are both enabled (LRO is enabled by default in 13.1.0 and later).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use fasthttp.

Fix:
fasthttp with lro enabled no longer causes tmm to crash.


709711 : Multiple Java Vulnerabilities

Solution Article: K04734043


709688 : dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733

Solution Article: K08306700


709670 : iRule triggered from RADIUS occasionally fails to create subscribers.

Solution Article: K44067891

Component: Policy Enforcement Manager

Symptoms:
The subscriber cannot be added with the same IP address, even after retries. This is a rarely occurring issue: if the daily average of subscriber additions is ~30000 subscribers, 5 to 6 subscribers face this problem (0.02%).

Conditions:
Running iRule to create PEM sessions from RADIUS packets using the 'PEM::subscriber create' command.

Impact:
Intermittently (a few operations per day), the command silently fails. No session is created, and no TCL error is produced. Subscriber addition requires manual intervention.

Workaround:
Trigger a RADIUS START using a different IP address for the subscriber.


709610 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM

Component: Policy Enforcement Manager

Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.

Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
    value "0"
}
sys db tmm.pem.session.provisioning.continuous {
    value "disable"
}

-- Actions occur in the following order:
 1. PEM receives RADIUS START with subscriber ID1 and IP1.
 2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
 3. PEM receives RADIUS START with subscriber ID1 and IP2.
 4. PEM receives RADIUS STOP with subscriber ID1 and IP2.

-- The time interval between steps 1 and 2 is very small (less than ~1ms).

Impact:
Subscriber session creation via PEM may fail.

Workaround:
There is no workaround other than to leave these SysDB variables set to their default values.

Fix:
The system now handles PEM subscriber session updates properly, so this issue no longer occurs.


709544 : VCMP guests in HA configuration become Active/Active during upgrade

Component: TMOS

Symptoms:
When devices in a Device Service Cluster (DSC) are upgraded, multiple devices might become Active simultaneously.

During upgrade, the process erroneously clears the management-ip during reboot, and then synchronizes to other members of the DSC. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the DSC members lose contact with each other, so they all become Active.

Conditions:
-- Running on VIPRION chassis systems, either natively, or as a vCMP guest.
-- Upgrading from any affected versions (TMOS v12.1.3, TMOS v13.0.0, TMOS v13.0.1, TMOS v13.1.0), to any other version.

Impact:
When multiple devices become Active simultaneously, traffic is disrupted.

Workaround:
There is no workaround other than to remain in the Active/Active state until the upgrade is complete on all chassis in the DSC. See K43990943: VIPRION systems configured for high availability may become active-active during the upgrade process :: https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.

Fix:
The erroneous management-ip change is not made, and the HA failover mechanism operates correctly across upgrade.


709444 : "NTP not configured on device" warning seen when NTP symmetric key authentication is configured

Component: TMOS

Symptoms:
When NTP symmetric key authentication is configured, as per https://support.f5.com/csp/article/K14120, and the BIG-IP is part of a device service cluster, then a warning similar to this will be seen periodically in /var/log/ltm:

warning mcpd[6317]: 01071af0:4: NTP not configured on device 1.2.3.4 - within a trust

Conditions:
- NTP symmetric key authentication must be configured.
- The BIG-IP must be part of a device service cluster.
- Non-authenticated NTP servers must not be in-use.

Impact:
Incorrect NTP warnings are seen periodically in /var/log/ltm.

Workaround:
There is no workaround at this time.

Fix:
Prevented this warning from being emitted when NTP symmetric key authentication is in-use in a device service cluster.


709383 : DIAMETER::persist reset non-functional

Component: Service Provider

Symptoms:
When the iRule DIAMETER::persist reset is called, it is meant to remove existing persistence records from diadb. Without this bug fix, calling DIAMETER::persist reset has no effect and the persistence record remains.

Conditions:
Diameter session profile has persistence enabled and an iRule attempts to remove a persistence record.

Impact:
not provided by ENE

Workaround:
none

Fix:
DIAMETER::persist reset now functions properly. You can delete diameter persistence records with this iRule.


709256 : CVE-2017-9074: Local Linux Kernel Vulnerability

Solution Article: K61223103


709192 : GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart

Component: TMOS

Symptoms:
The export operation of SSL keys and certificate into a .tgz archive file fails when the httpd daemon is restarted.

Conditions:
-- Export SSL Keys and certificates into archive file.
-- httpd is restarted.

Impact:
Export of SSL Keys and certificates into archive file does not work immediately after httpd restart via GUI/iControl.

Workaround:
After the httpd restart, perform another operation, such as creating a key/cert, before exporting the archive file.

Fix:
The system allows exporting SSL keys and certificate to be archived into .tgz files after httpd restart.


709186 : VLAN SYN cookies go into constant activated/deactivated cycle

Component: TMOS

Symptoms:
When VLAN SYN cookies are enabled on the BIG-IP client-side VLAN and per-virtual SYN cookies are disabled, and syn flood is running, VLAN SYN cookies can be observed activated as expected, but then BIG-IP falls into a never-ending cycle of VLAN SYN cookies activating/deactivating.

Conditions:
Hardware syncookie enabled on specific VLAN, and syn flood is run against that VLAN

Impact:
BIG-IP doesn't stay in hardware syncookie mode, diminishing the protection effect

Workaround:
Switch to VIP-based syncookie protection

Fix:
Use an estimated total per-VLAN syncookies generation count to determine if it is time to exit per-VLAN syncookie mode globally. The PDE register only reports the syncookie counts on the local PDE, and the number becomes lower with a platform with many PDEs assigned to tmms, which can easily fall below the fixed global exit threshold. By estimating the total syncookies count, we can make different platforms have similar exit condition.


709133 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur

Component: Local Traffic Manager

Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error can occur.

Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- An error occurs when reading the certificate serial number.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not setting the tmm.ssl.loggingcreatedcerts BigDB variable.

Fix:
Double-free removed.


709132 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur

Component: Local Traffic Manager

Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a buffer overflow can occur.

Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- A malformed certificate with a serial number length equal to 256 bytes is parsed during forging.

Impact:
An off-by-one error causes one byte to be written past the end of an array.

Workaround:
There is no workaround other than to not set tmm.ssl.loggingcreatedcerts BigDB variable.

Fix:
Buffer no longer overflows.


708968 : OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address

Component: TMOS

Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not created in TMM when passed from Dynamic Routing protocols like OSPFv3.

Conditions:
- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.

Impact:
- The route entry is not created in TMM; packets addressed to such a destination might not be delivered at all, or might not be delivered using the most efficient route.
- The connection between TMM and tmrouted is restarted, which is a small performance overhead.

Workaround:
- If possible, pass an IPv4 address or an IPv4-compatible IPv6 address instead of an IPv4-mapped IPv6 address; however, this depends on the other routers.


708956-2 : During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'

Solution Article: K51206433

Component: TMOS

Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
 Dataplane INOPERABLE - only 1 HSBes found on this platform.

Conditions:
This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.

Impact:
System does not come up.

Workaround:
Reboot system.

Because this condition only happens occasionally, rebooting typically corrects the issue.

Fix:
This release fixes a race condition that might have occurred while reading FPGA firmware loading status.


708720 : Not all ASM cookies are sent with 'secure' flag when turning on dosl7.use_secure_cookies

Component: Application Security Manager

Symptoms:
When turning on dosl7.use_secure_cookies bigdb, all cookies set by DoSL7 are expected to be sent with the 'secure' flag. However, this is not the case for the TS_27 cookie: it is sent without the 'secure' flag.

Conditions:
1. Efoxy (persistent client identification) is on.
2. dosl7.use_secure_cookies bigdb is on.

Impact:
TS_27 cookie is sent without the 'secure' flag.

Workaround:
There is no workaround other than to turn off efoxy.

Fix:
DoSL7 cookies are now sent with the correct 'secure' flag.


708601 : Display of Network Map is unreadable in browsers that cache old files

Component: TMOS

Symptoms:
Loading the GUI Network Map might display with code or garbage characters rather than the expected results.

Conditions:
-- Upgrading from 12.x to later versions of BIG-IP software.
-- The browser has cached resources to the Network Map.

Impact:
Network Map page display of Network Map is unreadable, or there is no data displayed.

Workaround:
You can recover from this using either of the following:
-- Perform a 'hard refresh' on the page by holding down the Ctrl key and pressing F5 or the reload button on the browser to force a reload of the page and force download of the needed resource file.
-- Clear the browser cache of Javascript files and reload the Network Map again.

Fix:
This version of the software ensures that Firefox retrieves the latest resource files.


708576 : Errors related to dosl7d_tcpdumps_cleaner appearing in email every hour

Component: Application Security Manager

Symptoms:
Errors may be sent in system emails once an hour due to a runtime error in the dosl7d_tcpdumps_cleaner which is run in an hourly cron job.

Here is an example of such an email:

From: root (Cron Daemon)
To: root
Subject: Cron <root@servername> run-parts /etc/cron.hourly
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/bash>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <HOME=/>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>

/etc/cron.hourly/dosl7d_tcpdumps_cleaner:

Use of uninitialized value $s in division (/) at /etc/cron.hourly/dosl7d_tcpdumps_cleaner line 111.

Conditions:
- The administrator configures the BIG-IP system to deliver locally generated email messages, or the administrator checks local emails to root, on the BIG-IP.
- The hardware supports RAID, even if RAID is not configured.

Impact:
- Email messages with errors being sent once an hour.
- DoSL7 tcpdump files may not be automatically cleaned if used in the DoS profile.

Workaround:
None

Fix:
The dosl7d_tcpdumps_cleaner cron job no longer sends error email messages every hour.


708558 : SNMP traps do not follow current best practices

Component: TMOS

Symptoms:
SNMP traps do not follow current best practices

Conditions:
SNMP v3 trap destinations configured

Impact:
SNMP traps do not follow current best practices

Fix:
SNMP traps now follow current best practices


708554 : SNMP traps do not follow current best practices

Component: TMOS

Symptoms:
SNMP traps do not follow current best practices

Conditions:
SNMP v3 trap destinations configured

Impact:
SNMP traps do not follow current best practices

Fix:
SNMP traps now follow current best practices


708484 : Network Map might take a long time to load

Component: TMOS

Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.

For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.

In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.

# tmsh list ltm virtual vs
ltm virtual vs {
    creation-time 2018-03-06:18:27:53
    destination 0.0.0.0:any
    ip-protocol tcp
    last-modified-time 2018-03-06:18:27:53
    mask any
    profiles {
        myhttp { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        socks-tunnel
    }
    vs-index 5
}

Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.

-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.

Impact:
It takes tens of seconds to load the Network Map page.

Workaround:
None.


708415-1 : Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled

Component: TMOS

Symptoms:
When setting the flow control value of an interface with a copper SFP to any value other than 'none' and the link partner has flow control disabled on their end, the interface stats will not reflect the configured flow control setting. This is because the interface stats reflect the negotiated link state rather than the advertised capabilities.

Conditions:
-- BIG-IP device is using copper SFPs.
-- Flow control is enabled on an interface.
-- That interface is connected to another device where flow control has not been enabled.

For example, an administrator might perform the following on a BIG-IP system with a copper SFP on interface 1.1:

# modify net interface 1.1 flow-control tx-rx

# show net interface 1.1 all-properties

Under the 'Flow Ctrl' column of the interface properties, the value will indicate 'none' even though the interface was configured to enable transmit and receive flow control. This is because the column does not indicate the advertised capabilities but rather the negotiated property of the link.

Impact:
There is no functional impact, as flow control cannot be performed until both link partners agree to support it.

Workaround:
Flow control must be enabled on the remote device and the link must be re-negotiated, in order for the flow control configuration to take effect and be reflected in the interface properties of the link.

Fix:
Interface Flow Control Status is now updated when using copper SFPs and Link Partner Flow Control is disabled.

Note: The 'Flow Ctrl Req' label under 'tmsh show net interface all-properties' differs in previous versions: 'Flow Ctrl'. The value listed is the same, however, and represents the admin-requested value, and not the operational value.


708389-2 : BADOS monitoring with Grafana requires admin privilege

Component: Anomaly Detection Services

Symptoms:
Current Grafana monitoring requires admin privilege.
Grafana stores its internal database in unencrypted format, so the admin password can be extracted from a compromised computer.

Conditions:
Monitoring using Grafana.

Impact:
Guest user cannot access data needed for Grafana.

Workaround:
None.

Fix:
There is now a REST call to poll the Grafana statistics. This allows any user (including guest), not just admin or root, to access the data needed for Grafana.

Behavior Change:
This release introduces the following tmsh commands:
-- tmsh run util admdb - for help
   + list-element path_folder - lists folder
   + view-element path_file - view file contents
   + list-metrics path vs
   + table-query base_path db sRate tsfiles ts metric_columns_aliases

The path must be under /shared/admdb, for example:

-- run util admdb list-element /shared/admdb/default/_a_l_l

-- run util admdb view-element /shared/admdb/default/_a_l_l/info.sysinfo/1000/1522229248000.txt

-- run util admdb table-query /shared/admdb default 1000 '[1522233344000]' '[1522234774492,1522235074492]' '[["info.attack",["v0"],"Attack"],["sig.health",["v0"],"Health"],["info.learning",["v0"],"Learning"],["info.learning",["v2"],"Learned samples"]]'


708326 : 'Apply Access Policy' light on for source profile after copying

Component: Access Policy Manager

Symptoms:
Copying an Access Profile with advanced customization options might cause the 'Apply Access Policy' light to turn on for the source profile.

Conditions:
This occurs in the following scenario:

1. Create an access profile.
2. Create a webtop resource and assign to the access policy via VPE's Advanced Resource Assign agent.
3. Go to customization, in advanced mode, change the item under webtop, e.g., webtop_help.inc and save it.
4. Apply the policy.
5. Make copy of the profile.

Impact:
'Apply Access Policy' light is turned on (yellow) for the source access profile.

Workaround:
There is no workaround at this time.

Fix:
No change to the source profile: the light is green.


708291 : iApp import immediately merges arbitrary configuration objects

Component: TMOS

Symptoms:
Using the 'iApp Template' import GUI to import a file that contains valid configuration objects results in immediate changes to BIG-IP system configuration. This is different from typical iApp workflows, which require an Application instance sourced from a Template. Instead, in this case, configuration changes are applied immediately upon import.

Conditions:
File that contains valid configuration objects is imported via iApp Template import functionality.

Impact:
Changes contained in the imported file are immediately applied to BIG-IP system configuration.

Workaround:
Audit all files imported to the BIG-IP system. If files contain valid configuration objects, expect configuration changes to occur immediately upon import to the BIG-IP system.

Fix:
This release adds a confirmation message to the GUI iApp Template Upload, similar to the one for tmsh.


708266 : IPv6 NDP with vlan-groups: unexpected Neighbor Advertisement and ICMPv6 unreachable messages

Component: Local Traffic Manager

Symptoms:
Stale NDP entries will generate an ICMPv6 Neighbor Advertisement (NA) if Neighbor Solicitations (NS) are received in rapid succession.

Conditions:
Neighbor entry being queried by the NS is in the probe state caused by the previous NS packet.

Impact:
Unexpected NA informs about the reachability of the neighbor that in fact might be not reachable.

Workaround:
There is no workaround at this time.

Fix:
Unexpected Neighbor Advertisement is no longer generated if Neighbor Solicitations are received in rapid succession.


708249 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit

Component: Local Traffic Manager

Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.

Conditions:
Run the nitrox_diag command.

Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.

Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0

Fix:
Nitrox_diag utility now uses the -s0 command to generate QKView files, so there is no longer a 5 MB maximum file size limit, and the full QKView file is created.


708117 : TMUI - Subject Alternative Name text box is not populated when renewing SAN-enabled cert

Component: TMOS

Symptoms:
GUI SSL Certificate renew does not auto-populate the Subject Alternative Name text box with the current certificate's Subject Alternative Name.

Conditions:
1. Create/Import a certificate with SAN in to the system.
2. Try to renew the same certificate
3. SAN text box in renew screen is not auto populated with certificate's SAN.

Impact:
The GUI SSL certificate renew screen does not auto-populate the SAN text box with the current certificate's SAN, so the user has to enter it manually.

Workaround:
Copy and paste the SAN from the current certificate while renewing the certificate through the GUI.

Fix:
GUI SSL certificate renew screen auto populates SAN text box with current certificate's SAN.


708068 : Tcl commands like "HTTP::path -normalize" do not return normalized path.

Component: Local Traffic Manager

Symptoms:
When using HTTP::path with the -normalized parameter:

"%2E%2E" is converted to ".." (expected)
"/foo/../bar" is converted to "/bar" (expected)
"/foo/%2E%2E/bar" is converted to "/foo/../bar" (unexpected)

Conditions:
The TCL command HTTP::path -normalize does not return normalized path as expected.

Impact:
Unexpected result.

Workaround:
There is no workaround.

Fix:
The TCL command HTTP::path -normalize now returns the normalized path.
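As an added example (not F5 code, and not the BIG-IP implementation), the following Python shows why the ordering of the two normalization steps matters for the cases listed above: percent-decoding of unreserved characters must happen before dot-segment removal (RFC 3986 sections 2.3 and 5.2.4), otherwise '/foo/%2E%2E/bar' comes out as '/foo/../bar' and a policy that matches on the normalized path never sees the traversal. Both orderings are implemented so they can be compared.

```python
import re

# Hypothetical helpers, not F5 code.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_unreserved(path: str) -> str:
    """Decode %XX only for unreserved characters; normalize other escapes to upper case.

    Reserved characters such as %2F stay encoded, because decoding them would
    change which bytes are path delimiters.
    """
    def repl(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else m.group(0).upper()
    return PCT.sub(repl, path)


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 remove_dot_segments, applied literally."""
    inp, out = path, ""
    while inp:
        if inp.startswith("../"):
            inp = inp[3:]
        elif inp.startswith("./"):
            inp = inp[2:]
        elif inp.startswith("/./"):
            inp = inp[2:]
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../") or inp == "/..":
            inp = "/" if inp == "/.." else inp[3:]
            out = out.rsplit("/", 1)[0] if "/" in out else ""
        elif inp in (".", ".."):
            inp = ""
        else:
            # Move the first segment, including its leading "/", to the output.
            start = 1 if inp.startswith("/") else 0
            nxt = inp.find("/", start)
            if nxt == -1:
                out, inp = out + inp, ""
            else:
                out, inp = out + inp[:nxt], inp[nxt:]
    return out


def normalize_path(path: str) -> str:
    """Correct order: decode unreserved escapes first, then remove dot segments."""
    return remove_dot_segments(decode_unreserved(path))


def normalize_path_wrong_order(path: str) -> str:
    """Reversed order, reproducing the unexpected result described above."""
    return decode_unreserved(remove_dot_segments(path))
```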


708046-1 : Phishing alert failed on IB login page

Component: Fraud Protection Services

Symptoms:
A phishing alert is not sent for a phishing site that was uploaded from the NAB IB login page.

Conditions:
1. Copy NAB IB login page and upload it as phishing site.
2. Navigate to the new phishing site.

Impact:
Phishing alert won't be sent.

Workaround:
N/A

Fix:
After this fix, the phishing alert is sent.


707961 : Unable to add policy to virtual server; error = Failed to compile the combined policies

Solution Article: K50013510

Component: Local Traffic Manager

Symptoms:
LTM policy does not compile if it has more than one similar condition, and some of them refer to datagroup and others to non-datagroup types. The policy compiles if similar conditions all refer to datagroups or to non-datagroups.

010716d8:3: Compilation of ltm policies for virtual server /Common/vs_name failed; Failed to compile the combined policies.

Conditions:
-- LTM policy that has more than one similar condition.
-- Some conditions refer to datagroup types.
-- Some conditions refer to non-datagroup types.

Following is an example of such an LTM policy (i.e., referring to both datagroup and non-datagroup types):

ltm policy /Common/example_ltm_policy {
      published-copy /Common/block_URI
      requires { http }
      rules {
          example_Rule {
              conditions {
                  0 {
                      http-host
                      host
                      datagroup /Common/example_datagroup <------ Datagroup
                  }
                  1 {
                      http-host
                      host
                      values { example.com } <------ Non-Datagroup
                  }
              }
          }
      }
      strategy /Common/first-match
 }

Impact:
LTM policy does not compile. Cannot use the policy.

Workaround:
Create a datagroup for the non-datagroup type and use it in policy instead.

Fix:
LTM Policy compiles if it has more than one similar condition, and some of them refer to datagroup and others to non-datagroup types.


707953 : Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page

Component: Access Policy Manager

Symptoms:
APM and APM Lite licenses are not distinguishable from the Provisioning UI: they both show as Licensed but APM lite only includes licenses for 10 sessions.

Conditions:
Viewing APM and APM Lite licenses in the GUI.

Impact:
Cannot distinguish between the two license types.

Workaround:
Check the license file and verify which type of APM license is enabled: mod_apm (Full APM) or mod_apml (APM Lite).

Fix:
Change UI to state limited instead of licensed when only mod_apml is licensed.


707951-1 : Stalled mirrored flows on HA next-active when OneConnect is used.

Component: Local Traffic Manager

Symptoms:
-- 'tmctl -d blade tmm/umem_usage_stat | grep xdata' may show increased memory usage.
-- 'tmsh show sys connect' shows idle flows.

Conditions:
- OneConnect profile is configured.
- High availability (HA) mirroring is enabled.

Impact:
- Some flows are mirrored incorrectly.
- Stalled flows may occupy a lot of memory.

Workaround:
Disable OneConnect.

Fix:
Stalled mirrored flows no longer appear when OneConnect is used.


707740 : Failure deleting GTM Monitors when used on multiple Virtual Servers with the same ip:port combination

Component: TMOS

Symptoms:
The user gets "monitor is in use" when attempting to delete a GTM Monitor, even after removing that monitor from all GTM Virtual Servers.

Conditions:
Attach a GTM monitor to multiple GTM virtual servers in the same transaction, where both virtual servers monitor the same ip:port.

Impact:
The user is never able to delete the unused GTM monitor.

Workaround:
1. Remove the monitor from the virtual servers.
2. Reload the GTM configuration with: tmsh load sys config gtm-only
3. Delete the monitor.

Fix:
Fixed issue preventing users from deleting an unused GTM monitor, if that monitor was attached to two different GTM virtual servers of the same ip+port combination.


707691 : BIG-IP handles some pathmtu messages incorrectly

Component: Local Traffic Manager

Symptoms:
FastL4 virtual servers incorrectly handle some pathmtu messages, such as ICMPv4 unreachable/fragmentation needed and ICMPv6 packet too big.

Conditions:
This occurs when the following conditions are true:
-- The client sends a window scaling factor greater than 0 (zero).
-- The server sends a window scaling factor equal to 0 (zero).
-- The pmtu message is within the window, but does not reflect the exact expected sequence number. The delta is bigger than the advertised window scaled at a factor of 0 (zero).

Impact:
The PMTU message is erroneously ignored.

Workaround:
There is no workaround at this time.

Fix:
This issue no longer occurs.


707631 : The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI

Component: TMOS

Symptoms:
The 'SYN Challenge Handling' setting of a TCP profile can be reverted to defaults when a TCP profile is updated using the BIG-IP management GUI.

Conditions:
The SYN Challenge Handling settings of a TCP profile have previously been set to non-default values, and a configuration change is later made to the same TCP profile using the GUI.

Impact:
Loss of the TCP profile's SYN Challenge Handling configuration settings.

Workaround:
In the GUI, specifically set the SYN Challenge Handling fields after making an update to other TCP profile fields, or use tmsh to make the changes instead.

SYN Challenge Handling, GUI setting to TMSH equivalent:

GUI Setting: Nominal
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist disabled

GUI Setting: Challenge and Remember
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist enabled

GUI Setting: Disable Challenges
TMSH:
    syn-cookie-enable disabled
    syn-cookie-whitelist disabled

Fix:
The SYN Challenge Handling setting is no longer overwritten when a TCP profile is updated.


707592 : Log Search option in GSLB similar to one in Logs:Audit:Search in Web GUI.

Component: Global Traffic Manager (DNS)

Symptoms:
This is an improvement for the logs search in the Web GUI under System:Logs:GSLB.
The improvement offers more ways to search through the GSLB logs.

Conditions:
No specific conditions need to be met.

Impact:
No impact. The GSLB log search in the Web GUI will now offer more ways to search the logs.

Workaround:
N/A

Fix:
N/A


707585 : Use native driver for 82599 NICs instead of UNIC

Component: TMOS

Symptoms:
-- Lower performance in TPS.
-- Increased CPU consumption for throughput.

Conditions:
-- Running BIG-IP Virtual Edition (VE) (UNIC is the default Virtual Function Network Driver for VE).
-- High data rates, perhaps particularly when connection mirroring is configured.

Impact:
Lower TPS performance numbers and higher CPU usage in throughput tests.

Workaround:
With UNIC, extra CPUs must be allocated to handle SoftIRQs in order to reach higher performance.

Fix:
This release provides a native driver based on F5's physical platforms.


707509 : Initial vCMP guest creations can fail if certain hotfixes are used

Component: TMOS

Symptoms:
The vCMP guest fails to enter the 'provisioned' or 'deployed' states, and messages similar to the following can be seen in /var/log/ltm:

-- vcmpd[14254]: 01510003:2: Guest (guest_name): Install failed.
-- vcmpd[14254]: 01510004:3: Guest (guest_name): Install to VDisk /shared/vmdisks/guest_name.img FAILED: Child exited with non-zero exit code: 255

Conditions:
Creating a vCMP guest using certain hotfix images, such as BIG-IP HF software released as partial .iso software images, and engineering hotfixes.

Impact:
vCMP guest cannot be created.

Workaround:
1. Create and deploy the vCMP guest using the full .iso base software image.
2. Log in to the vCMP guest once it has finished starting up.
3. Apply the hotfix image or engineering hotfix.

Fix:
Guest creation succeeds.


707445-2 : Nitrox 3 compression hangs/unable to recover

Solution Article: K47025244

Component: TMOS

Symptoms:
LTM logs show the following message:

    Nitrox 3, Hang Detected: compression device was reset

When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.

Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.

Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.

Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.

Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.

There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:

A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).

Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.

Fix:
Compression device reset recovery made more robust for some compression failures.


707391 : BGP may keep announcing routes after disabling route health injection

Component: TMOS

Symptoms:
As a result of a known issue, a BIG-IP with BGP configured may continue to announce routes even after the virtual address is disabled or route announcement on the virtual address is disabled.

Conditions:
-- BGP configured with multiple routes announced via virtual-address route announcements.
-- Configuration changes made on the BGP configuration itself.
-- Virtual address or its route health announcement disabled.

Impact:
Prefixes continue to exist in the BGP table even after the virtual address is disabled (visible via imish with the "show ip bgp" command), and the prefix continues to be announced to configured peers.

Workaround:
Restart the dynamic routing process.

Fix:
BGP no longer keeps announcing routes after route health injection is disabled.


707310 : DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)

Component: Global Traffic Manager (DNS)

Symptoms:
When performing a sufficiently large DNSSEC-signed zone transfer (e.g., ~1 KB records), the final packet (or several packets) of NSEC3s and RRSIGs can be missing from the zone. This issue can be detected using a free third-party tool such as ldns-verify-zone or some other DNSSEC validating tool.

Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc.), or from DNS Express.

Impact:
The DNSSEC signed zone transfer could be incomplete, that is missing some NSEC3s and RRSIGs. An incomplete DNSSEC zone is considered an invalid zone.

Workaround:
There is no workaround at this time.

Fix:
DNSSEC signed zone transfers from general authoritative DNS Servers as well as from DNS Express are now complete regardless of the number of records in the zone.


707207 : iRuleLx returning undefined value may cause TMM restart

Component: Local Traffic Manager

Symptoms:
When an iRulesLX rule returns an undefined value, TMM may restart. An example of an undefined value is one whose jsonrpc v2.0 representation is missing required fields, such as "result".

Conditions:
iRulesLX is licensed, and a rule is run that returns an undefined value.

Impact:
Traffic is interrupted.

Workaround:
There is no workaround at this time.

Fix:
A TMM restart resulting from an iRulesLX rule returning an undefined value was fixed.


707186-2 : TMM may crash while processing HTTP/2 traffic

Solution Article: K45320419


707054 : SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162

Component: Advanced Firewall Manager

Symptoms:
User cannot configure SYN Cookie MSS values for Fast L4 Profiles outside of 256-9162.

Conditions:
SYN cookies are active and the SYN Cookie MSS value is set to less than 256.

Impact:
When SYN cookies are active, a server-side MSS lower than the SYN Cookie MSS lower limit cannot be honored on the client side. As a result, the server side discards data segments that are larger than the SYN Cookie MSS lower limit.

Fix:
This fix allows SYN Cookie MSS values in the range 128-9162 to be configured.


707003-1 : Unexpected syntax error in TMSH AVR

Component: TMOS

Symptoms:
The following tmsh command does not work: tmsh show analytics http report view-by virtual measures { transactions } drilldown

It fails with the following error message: 'Syntax Error: "drilldown" property requires at least one of (device device-list) to be specified before using.'

Conditions:
Whenever the affected tmsh command is run.

Impact:
The following tmsh command will not run: tmsh show analytics http report view-by virtual measures { transactions } drilldown

Workaround:
There is no workaround besides not running the affected command.

Fix:
The following command now works as expected: tmsh show analytics http report view-by virtual measures { transactions } drilldown


706890 : i2000, i4000 i86 series platforms only - interface flow control not implemented

Component: TMOS

Symptoms:
On i2000, i4000 i86 series platforms the flow control field for an interface incorrectly displays the requested flow control, not what is actually programmed in the hardware. Hardware flow control support on these platforms was missing in BIG-IP.
Bug 709869 tracks the problem that transmit flow-control on 1G interfaces was not implemented.

Conditions:
i2000, i4000 i86 series platforms
Flow control on interfaces was set to something other than none.

Impact:
Flow control was not enabled on interfaces where it was requested.

Fix:
On i2000, i4000 i86 series platforms, interface flow control is implemented to the extent the hardware supports it, and tmsh show net interface all-properties displays the flow control that is programmed into the hardware.

Bug 709869 tracks the hardware support for 1G transmit flow-control that was missing.


706845 : False positive illegal multipart violation

Component: Application Security Manager

Symptoms:
A false positive multipart violation.

Conditions:
Uploading a file with a filename value that is encoded in non utf-8 encoding.

Impact:
A false positive violation, request rejected.

Workaround:
It might be possible to work around this using an iRule.

Fix:
Corrected ASM multipart parsing.


706804 : SNMP trap destination configuration of network option is missing "default" keyword

Component: TMOS

Symptoms:
When SNMP trap destinations are configured, the user can specify the network that the traps are transmitted from. By default, the routing table is consulted. Use the network keyword to override this with either "management" or "other". There is also a "default" keyword, which was removed because it was confusing. However, this broke backward compatibility of the REST API, so it was put back.

Conditions:
Including the "network default" keywords in trap configuration reports an error with version 13.0.0 where the "default" keyword was removed.

Impact:
Existing scripts may encounter errors if they used this keyword.

Workaround:
Don't use the "default" keyword with the snmp trap destination network configuration.

Fix:
The "default" keyword was put back.


706797 : Portal Access: some multibyte characters in JavaScript code may not be handled correctly

Component: Access Policy Manager

Symptoms:
If JavaScript code contains a multi-byte character whose last byte is 0x0A after conversion to UTF-32 form, the Portal Access server-side JavaScript parser treats that character as NEW LINE. If NEW LINE is not valid in that position, the JavaScript code cannot be parsed.

Conditions:
JavaScript code with a multi-byte character whose last byte is 0x0A after conversion to UTF-32 form, for example:

  //上 aa bb

(上) is U+4E0A, so its UTF-32 form ends in (4E 0A). This line is therefore processed as the following TWO lines:

  //
  aa bb

The second line is not valid JavaScript code.

Impact:
Web application may not work correctly.

Workaround:
There is no workaround at this time.

Fix:
Now Portal Access JavaScript parser handles multi-byte characters correctly.
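The following added example (not F5 code) is a simplified model of the defect: a line splitter that looks only at the low byte of each UTF-32 code unit sees 0x0A for U+4E0A (上) and breaks the line there, while one that compares the whole code point does not. The helper that lists affected characters is this example's own, useful for checking served JavaScript against unpatched Portal Access.

```python
"""Model of the UTF-32 low-byte line-splitting defect. Added example,
not F5 code; function names are this example's own."""
from typing import Callable, List

LINE_FEED = 0x0A


def _split_on(js: str, is_newline: Callable[[int], bool]) -> List[str]:
    """Split text into lines using the supplied newline predicate,
    which receives the code point of each character."""
    lines, current = [], []
    for ch in js:
        if is_newline(ord(ch)):
            lines.append("".join(current))
            current = []
        else:
            current.append(ch)
    lines.append("".join(current))
    return lines


def split_lines_low_byte(js: str) -> List[str]:
    """Model of the faulty behaviour: any code point whose UTF-32 form ends
    in byte 0x0A (U+000A, U+010A, U+4E0A, ...) counts as NEW LINE."""
    return _split_on(js, lambda cp: (cp & 0xFF) == LINE_FEED)


def split_lines_code_point(js: str) -> List[str]:
    """Correct behaviour: only the code point U+000A itself is NEW LINE."""
    return _split_on(js, lambda cp: cp == LINE_FEED)


def utf32_be_hex(ch: str) -> str:
    """Hex of a single character's UTF-32 big-endian encoding, e.g.
    '00004E0A' for 上, showing the trailing 0x0A byte the entry describes."""
    return ch.encode("utf-32-be").hex().upper()


def misparsed_characters(js: str) -> List[str]:
    """Characters (other than a real line feed) that the faulty splitter
    would treat as NEW LINE, in order of first appearance."""
    seen: List[str] = []
    for ch in js:
        cp = ord(ch)
        if cp != LINE_FEED and (cp & 0xFF) == LINE_FEED and ch not in seen:
            seen.append(ch)
    return seen


if __name__ == "__main__":
    # Constructed sample matching the entry: a comment containing 上.
    sample = "//\u4e0a aa bb"
    print(split_lines_low_byte(sample))    # ['//', ' aa bb'] (two lines)
    print(split_lines_code_point(sample))  # ['//上 aa bb'] (one line)
```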


706750 : Changing CGNAT SIP ALG profile log settings while handling traffic may cause tmm crash.

Component: Service Provider

Symptoms:
Altering the router profile log settings (log publisher and logging profile) may cause the tmm to crash when handling traffic.

Conditions:
-- CGNAT SIP ALG.
-- Changing log settings while handling traffic.

Impact:
TMM may crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Changing CGNAT SIP ALG profile log settings while handling traffic no longer causes TMM to crash.


706737 : APM SAML inline SSO documentation

Component: TMOS

Symptoms:
Internal multi-domain SSO does not work when the authentication cookie scope is host.

Conditions:
SSO configuration is assigned to an access profile for multi-domain SSO, and one of the following:
-- There is no SSO configured for the requested authentication domain.
-- The request does not map to configured authentication domains.

Impact:
Internal multi-domain SSO does not work.

Workaround:
You can use either of the following workarounds:
-- Configure the application cookie scope as 'Domain'.
-- Configure the SP-connector sp-location as 'External'.

Fix:
BIG-IP APM can be configured as a SAML IdP to provide inline SSO for SPs not directly reachable by the client. For additional configuration details, see K06743491--Overview of BIG-IP APM SAML inline SSO :: https://support.f5.com/csp/article/K06743491.


706688-1 : Automatically add additional certificates to BIG-IP system in C2S and IC environments

Component: TMOS

Symptoms:
The BIG-IP system's failover and autoscale features use AWS CLI commands. In C2S environments, those commands need extra certificates, which must be pointed to by the $AWS_CA_BUNDLE environment variable, and an endpoint URL. Both must be configured manually.

Conditions:
-- BIG-IP is running in AWS C2S (Commercial Cloud Services) where the domain is either c2s.ic.gov or sc2c.sgov.gov.

-- The BIG-IP system is configured to do failover or autoscale in those environments.

Impact:
Requires manual copying of the extra certificates, which are pointed to by AWS_CA_BUNDLE, to the BIG-IP system.

Workaround:
None.

Fix:
In this release, you can add the URLs of all the needed certificates in the AWS user-data. The BIG-IP system then automatically downloads and stores the certificates, sets the $AWS_CA_BUNDLE environment variable, and sets the endpoint-url.

To use the functionality, when launching the BIG-IP system from the AWS web console, specify the C2S certificate URL and test URL in the following format:
 
c2s-keys-urls=url1,url2,url3;c2s-cert-test-url=ec2.us-iso-east-1.c2s.ic.gov:443;

The syntax is as follows:
1. The string literal: c2s-keys-urls=
2. A comma-separated list of URLs.
3. A semicolon (;).
4. The string literal: c2s-cert-test-url=
5. A URL of the following format:
    <A service name (e.g., ec2)>.<The region where it is running (e.g., us-iso-east-1)>.<the domain name :443 (e.g., c2s.ic.gov:443)>
     
Example: ec2.us-iso-east-1.c2s.ic.gov:443;


706665 : ASM policy is modified after pabnagd restart

Component: Application Security Manager

Symptoms:
ASM policy modifications might occur after the pabnagd daemon is restarted. Modifications include the following:

-- Length attributes might change from 'any' to a low auto learning value.
-- Check signature / metachars might change from unchecked to checked.

This applies for the following entity types:
filetypes, URLs, parameters, cookies, WS URLs, content profiles.

Conditions:
-- Configuration containing a policy in which automatic learning mode is configured.
-- Restart of pabnagd (the automated policy-building operations daemon).

Impact:
ASM policy is modified.

Workaround:
Switch policy builder to manual learning mode.

Fix:
Prevent unwanted adjust operations from being called on policy-catchup complete.


706662 : Improving Single Page Application event handling

Component: Application Security Manager

Symptoms:
When using Single Page Application, and registering to 'readystatechange' and 'load' events:
Callbacks are not called in ready state 1, and are called twice in ready state 4.

Conditions:
Single Page Application is enabled in ASM or DoS.

Impact:
Client page might not work as expected.

Workaround:
There is no workaround at this time.

Fix:
The system now correctly calls the original callbacks when using Single Page Application, and registering to 'readystatechange' and 'load' events.


706642 : wamd may leak memory during configuration changes and cluster events

Component: WebAccelerator

Symptoms:
wamd memory consumption increases over time.

Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.

Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.

Workaround:
No workaround available.

Fix:
wamd no longer leaks memory during configuration changes and cluster events.


706633 : Improving Single Page Application event handling

Component: Application Security Manager

Symptoms:
When using single page application, and registering to "readystatechange" and "load" events:
The "remove event listener" does not apply.

Conditions:
Single Page Application is enabled in ASM or DoS.

Impact:
Client page might be broken.

Workaround:
None.

Fix:
The system now correctly calls the original callbacks.


706632 : Improving Single Page Application event handling

Component: Application Security Manager

Symptoms:
When using Single Page Application, and registering to 'readystatechange' and 'load' events:
The event is not forwarded to the original callback.

Conditions:
Single Page Application is enabled in ASM or DoS.

Impact:
Client page might not work as expected.

Workaround:
There is no workaround at this time.

Fix:
The system now correctly calls the original callbacks when using Single Page Application, and registering to 'readystatechange' and 'load' events.


706631-1 : A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.

Component: Local Traffic Manager

Symptoms:
According to RFC2818, if the certificate sent by the TLS server has a valid Common Name, but the Subject Alternative Name does not match the Authenticate Name in the server-ssl profile, the connection should be terminated.

Conditions:
-- A server-ssl profile is enabled on a virtual server and has the 'authenticate-name' property set.

-- The TLS server presents a certificate in which the Subject Alternative Name does not match the configured authenticate-name.

-- Common Criteria mode licensed and configured.

Impact:
A TLS connection succeeds which should fail.

Workaround:
There is no workaround at this time.

Fix:
A remote TLS server certificate with a bad Subject Alternative Name is now rejected when Common Criteria mode is licensed and configured.


706423 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption

Component: TMOS

Symptoms:
TMM may discard an existing child-SA via a timer at the moment it is in use for encryption or decryption. Separately, an error that aborts negotiation can leave multiple timers associated with one child-SA, which then conflict with one another.

Conditions:
Errors in the IPsec configuration that cause negotiation to fail can occur while a child-SA is in a state that does not manage timers correctly.

A configuration with a short SA lifetime causes frequent re-keying, which increases the chance of hitting the race condition in which an SA expires while it is actively in use for crypto.

Impact:
TMM restarts, disrupting traffic and causing HA failover.

Workaround:
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, ensure SA lifetime has longer duration, instead of merely seconds. (The default is one day.)

Fix:
Now we ensure only one timer can be associated with a child-SA related to short-term progress toward maturity during negotiation, even if an error happens.

Now we also ensure a child-SA is safe during async crypto operations, even if they expire while currently in use.


706374 : Heavy use of APM Kerberos SSO can sometimes lead to memory corruption

Component: Access Policy Manager

Symptoms:
Kerberos SSO under high load can sometimes lead to system instability.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
This might result in unpredictable behavior such as memory corruption or core. However, the occurrence is rare since it only impacts concurrent DNS SRV requests to resolve different KDCs.

Workaround:
There is no workaround.

Fix:
Stability problems in DNS lookups in APM Kerberos SSO (S4U) have been corrected.


706169 : tmsh memory leak

Component: TMOS

Symptoms:
tmsh is leaking approximately 24 KB for every 'save sys config' call.

Conditions:
This occurs under the following conditions:
-- In tmsh, run the following command repeatedly:
 save sys config
-- In the GUI, modify the configuration and click Update, change pages, or otherwise cause a save to the configuration.

Impact:
This results in a memory leak, and a possible out-of-memory condition.

Workaround:
None.

Fix:
tmsh no longer leaks memory when performing configuration-save operations.


706115 : MCPD configuration load fails after reboot if user manually configures a static route while 1nic autoconfig is enabled.

Component: TMOS

Symptoms:
User has configured a single-nic BIG-IP VE with 1nic autoconfig enabled. The status of this DB variable can be seen through "tmsh list sys db provision.1nicautoconfig".

Conditions:
User configures a static net route through "tmsh create net route" that depends on the self-ip to reach out to the gateway associated with this static route.

Impact:
After reboot, MCPD never reaches "active" state as config load fails. This happens because the static route gateway becomes unreachable.

Workaround:
- User must disable "provision.1nicautoconfig" before creating net static routes with the following command:

tmsh modify sys db provision.1nicautoconfig value disable

Fix:
In a single-nic configuration, disable "provision.1nicautoconfig" before manually creating net static routes.


706104 : Dynamically advertised route may flap

Component: TMOS

Symptoms:
ZebOS may repeatedly add and delete the routes from protocol daemons. This may cause the protocol daemons to delete and re-advertise the default route.

Conditions:
- Dynamic routing in use
- Kernel routes redistributed into a routing protocol
- Static route configured in TMOS
- Route advertisement enabled on the virtual-address that's the same as the static route

Impact:
Route flapping may cause instability in the network, including inability to reach the default network advertised by the BIG-IP.

Workaround:
Since the static route will be redistributed in the same way as the virtual-address, there is no need to enable route-advertisement on the VIP virtual-address. Disabling this will resolve the problem.

The problem will also be resolved by moving the route from tmsh into ZebOS.
 - In imish config mode, "ip route <route> <gateway>"
 - In tmsh, "delete net route <route>"

Fix:
Configuring a static route in TMOS and enabling route-advertisement on the same virtual-address no longer causes route flapping in ZebOS.


706102 : SMTP monitor does not handle all multi-line banner use cases

Component: Local Traffic Manager

Symptoms:
An SMTP monitor does not handle all multi-line banner use cases, such as when the banner is physically split across two packets. This issue is due to attempting to parse the banner value from the first packet without a portion of the banner value that may arrive in a second packet.

Conditions:
An SMTP monitor is configured, uses a multi-line banner, and the banner is split across two physical packets.

Impact:
The SMTP monitor sends an RST after the first packet, and marks the resource down.

Workaround:
Use an SMTP monitor with a single-line banner. Or, rather than using an SMTP monitor, instead use a TCP monitor with send/recv strings.

Fix:
An SMTP monitor handles all use cases that include a multi-line banner.


705799 : TMSH improvements

Solution Article: K77313277


705661 : Virtual server in a non-default partition cannot select protocol inspection profile in the /Common partition

Component: Protocol Inspection

Symptoms:
Virtual server in a non-default partition is not able to select protocol inspection profile in the /Common partition. The system posts messages similar to the following:
01070726:3: Virtual Server /internal/vs-internalvs in partition internal cannot be referenced by Protocol Inspection Profile /Common/protocol_inspection in partition Common

Conditions:
-- Create a partition.
-- Create a virtual server in that partition.
-- Try to associate an IPS profile from the /Common partition with the created virtual server.

Impact:
Cannot associate the profile.

Workaround:
None.

Fix:
Profile is now associated with virtual server.


705655 : Virtual address not responding to ICMP when ICMP Echo set to Selective

Component: TMOS

Symptoms:
If the virtual server's availability has taken the virtual address 'down', enabling the virtual server does not cause it to go 'up'.

Conditions:
-- ICMP Echo is set to Selective for the virtual address.
-- Disable the virtual server.
-- Enable the virtual server.

Impact:
The virtual address does not come up again. This affects the availability status of the virtual-address, and icmp-echo or route-advertisement for the virtual-address.

Workaround:
To work around this issue, do the following:
1. Set ICMP Echo to Always.
2. Disable the virtual-server.
3. Change virtual-address availability calculation back to the desired state.

Fix:
Virtual address now correctly responds to ICMP when ICMP Echo is set to Selective.


705593 : CVE-2015-7940: Bouncy Castle Java Vulnerability

Component: Device Management

Symptoms:
An attacker could extract private keys used by Bouncy Castle in elliptic curve cryptography with a few thousand queries.

Conditions:
No specific conditions.

Impact:
None. BIG-IP software does not use the impacted library features.

Fix:
Version 1.59 of the library is installed on the BIG-IP system at the following paths:
/usr/share/java/rest/libs/bcprov-1.59.jar
/usr/share/java/rest/libs/bcpkix-1.59.jar


705505 : Attempting to create GTM SIP monitor from GUI results in general database error

Solution Article: K76117754

Component: Global Traffic Manager (DNS)

Symptoms:
Attempting to create GTM SIP monitor from GUI results in 'General database error'.

Conditions:
The user creates a SIP Monitor under DNS :: GSLB :: Monitors with 'mode' set to 'TCP' or 'UDP'.

Impact:
Some users are unable to create SIP monitors via the GUI.

Workaround:
Use TMSH or set the 'mode' to 'TLS' or 'SIPS'.

Fix:
SIP Monitors can now be created and modified via the web GUI without any issues.


705476 : Appliance Mode does not follow design best practices

Solution Article: K28003839


705311 : Separate ePVA offload timing configuration according to protocol

Component: TMOS

Symptoms:
BIG-IP supports the ePVA offloading feature on two protocols: TCP and UDP. The timing at which they are offloaded is controlled by the same fastl4 profile option, pva-offload-state. The available timings are defined in alignment with the TCP 3-way handshake; UDP then mimics the TCP 3-way handshake definition on the first few packets in each direction.

Conditions:
On an ePVA-supported platform. Some of the options require the UDP ePVA feature to be available.

Impact:
The configuration of ePVA offload timing is now separate for TCP and UDP. The TCP offload timing uses the option "tcp-pva-whento-offload", which replaces the old option "pva-offload-state", but still uses the 3-way handshake to determine the timing. The UDP ePVA offload timing is defined by packet counts: the options "other-pva-clientpkts-threshold" and "other-pva-serverpkts-threshold" are the user-configurable thresholds. The option "other-pva-whento-offload" lets the user decide whether each side of the traffic is offloaded as soon as that side passes its threshold, or whether the BIG-IP waits for both sides to pass their thresholds and offloads them together. The new option "other-pva-offload-direction" lets the user set which direction of traffic may be offloaded.

Workaround:
N/A

Behavior Change:
Deprecate DB variables: pva.udpest.clientpkts.threshold, pva.udpest.serverpkts.threshold, pva.offload.uniflow.

Deprecate ltm profile fastl4 option: pva-offload-state.

Add ltm profile fastl4 options: tcp-pva-whento-offload, other-pva-whento-offload, other-pva-offload-direction, other-pva-clientpkts-threshold, other-pva-serverpkts-threshold


705274 : Policy Audit Log should be cleaned by data size as well as number of rows

Component: Application Security Manager

Symptoms:
When the Policy Audit Log row count is less than the maximum, but each row is very large, the total size causes errors in synchronization to the secondary blade of a chassis.

Conditions:
-- The Policy Audit Log row count is less than the maximum.
-- Each row contains a lot of data.

Impact:
Errors in synchronization to the secondary blade of a chassis.

Workaround:
As a workaround, you can delete records from the Policy Audit Log (PL_CONFIG_LOG) using the following sql command:

--------------------------------------------
CREATE TEMPORARY TABLE PROTECTED_CONFIG_LOG (config_log_id int);
INSERT INTO PROTECTED_CONFIG_LOG SELECT MAX(config_log_id) AS max_config_log_id FROM PLC.PL_CONFIG_LOG config_log2 WHERE config_log2.is_policy_version_event = 1 GROUP BY policy_id;
DELETE FROM PLC.PL_CONFIG_LOG where length(description) > 20000 and config_log_id not in (SELECT config_log_id from PROTECTED_CONFIG_LOG);
---------------------------------------------

Fix:
Now, in addition to cleaning the Policy Audit Log when the number of rows is greater than the maximum allowed, the table is also cleaned when its total size is greater than the maximum allowed.


705179 : BWC stats for rates are published in bits per second instead of bytes per second

Component: TMOS

Symptoms:
Previously, rates were configured in bits/sec while the stats displayed the rates in bytes/sec in both the tmctl and tmsh tables. This can be confusing.

Conditions:
Retrieving Bandwidth Controller stats; rates are reported in bytes/sec.

Impact:
BWC stats rates (tmctl and tmsh) are now published in bits per second instead of bytes per second. This does not change the REST API, iControl, or SNMP; they still publish the stats in bytes per second.

Workaround:
You can change the bytes/sec to bits/sec manually.


705037 : System may exhibit duplicate if_index, which in some cases leads to nsm daemon restart

Solution Article: K32332000

Component: TMOS

Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.

Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.

Impact:
-- Unreliable or confusing statistics via SNMP polling.

-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.

Workaround:
None.

Fix:
System no longer exhibits duplicate if_index statistics.


704804 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address

Component: TMOS

Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.

Conditions:
This applies to remote authentication for the control plane, not APM.

Impact:
Login may be impacted.

Workaround:
There is no workaround at this time.

Fix:
The NAS-IP-Address attribute is now set correctly when the BIG-IP system is configured to use RADIUS authentication.


704781 : PEM does not use 'default' value configured for a custom Diameter-AVP

Component: Policy Enforcement Manager

Symptoms:
-- PEM inserts custom AVP with the default value even if its parent AVP is not present in the incoming message.
-- PEM does not respect the configured default value; instead it inserts a default value of 0 in custom AVPs.
-- If multiple parent AVPs are present in the incoming message, the target AVP should be inserted only once for session-context-record purpose.

Conditions:
Configuring custom AVPs with the default value in the diameter application protocol profile.

Impact:
The default value functionality does not work properly.

Workaround:
None.


704764 : SASP monitor marks members down with non-default route domains

Component: Local Traffic Manager

Symptoms:
The LTM SASP monitor marks down pool members whose addresses include non-default route domains.

Conditions:
1. Using the SASP health monitor to monitor a pool or pool member.
2. The address of the pool member includes a non-default route domain, such as:

ltm pool rd_test {
    members {
        test_1:http {
            address 12.34.56.78%99
        }
    }
    monitor my_sasp
}

Impact:
Pool members with non-default route domains will never be marked up by the SASP monitor.

Workaround:
Do not specify non-default route domains in the addresses of pool members monitored by the SASP health monitor.

The SASP protocol does not support the use of route domains in member addresses. Thus, the SASP GWM (Global Workload Manager) will ignore route domain information included in the member addresses when registered by the SASP monitor in BIG-IP, and will report the status of members using addresses without route domains.

Therefore, even with a fixed version of the SASP monitor, BIG-IP LTM administrators must be careful not to configure multiple pool members, monitored by the SASP monitor, that share the same address and differ only in route domain. In the case of such a configuration error, the status of the member reported by the SASP GWM may not accurately reflect the status of one or more of the pool members with matching IP addresses.

Fix:
The LTM SASP monitor will correctly report the status of pool members configured with addresses that include a non-default route domain, if the SASP GWM is monitoring members with matching addresses (minus route-domain information).


704755 : EUD_M package could not be installed on 800 platforms

Component: TMOS

Symptoms:
Attempts to install the EUD_M EUD package fail on 800 platforms even though they are supposed to be supported.

Conditions:
Attempt to install EUD_M package on 800 platforms.

Impact:
Cannot install EUD_M package on a platform that is claimed to support it.

Workaround:
None.

Fix:
EUD_M package can now be installed on 800 platforms as expected.


704751 : Add virtual server name is recorded by the remote logging profile

Component: Application Security Manager

Symptoms:
The virtual server name is not logged in remote logger.

Conditions:
Using remote logging.

Impact:
Missing detail about the virtual server in remote logging information.

Workaround:
None.

Fix:
The virtual server name is now recorded by the remote logging profile.

Behavior Change:
The virtual server name is now recorded by the remote logging profile. Previously, it was not.


704733 : NAS-IP-Address is sent with the bytes in reverse order

Component: TMOS

Symptoms:
The NAS-IP-Address has the address of the local device sent with the bytes in reverse order (e.g., 78.56.30.172, where 172.30.56.78 is expected).

Conditions:
-- This affects IPv4 addresses only.
-- BIG-IP system is configured for RADIUS authentication.

Impact:
The server may be configured to check the NAS-IP-Address before allowing logins, in which case it would fail.

Workaround:
There is no workaround at this time.

Fix:
This has been corrected.


704683 : HTML Field Obfuscation not working in IE7

Component: Fraud Protection Services

Symptoms:
HTML Field Obfuscation does not work when using Microsoft Internet Explorer version 7 (IE7).

Conditions:
Open protected page using IE7.

Impact:
No HTML Field Obfuscation.

Workaround:
None.

Fix:
HTML Field Obfuscation now works in IE7.


704643 : Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule

Component: Application Security Manager

Symptoms:
When adding or modifying a user-defined Attack Signature in Simple Edit Mode, backslashes preceding a forward slash are mistakenly doubled in regular expression keywords within the Signature.

Conditions:
-- Add or modify a user-defined Attack Signature with a regular expression keyword containing an escaped forward slash in Simple Edit Mode.

Impact:
The backslash escaping the forward slash is doubled, which changes the enforced signature rule.

Workaround:
Create or modify the Signature rule using Advanced Edit Mode.

Fix:
When adding or modifying a user-defined Attack Signature in Simple Edit Mode, backslashes preceding a forward slash are handled correctly in regular expression keywords within the Signature rule.


704587 : Authentication with UTF-8 chars in password fails for ActiveSync users

Solution Article: K15450552

Component: Access Policy Manager

Symptoms:
ActiveSync end users cannot login to the server.

Conditions:
-- ActiveSync end users.
-- UTF-8 characters in the password.

Impact:
ActiveSync service is unavailable.

Workaround:
Put a Variable Assign agent after Logon Page with following assignment:

(check the secure checkbox)
session.logon.last.password = set pass [mcget -secure session.logon.last.password]; binary scan $pass c* chars; set newpass ""; foreach {ch} $chars { append newpass [format %c [expr $ch & 0xFF]] }; return $newpass

Fix:
Special UTF-8 characters in user passwords now work properly with ActiveSync.


704524 : [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV requests do not contain an EDNS header. Without this header, the DNS server truncates UDP responses larger than 512 bytes, causing the DNS request to be re-sent over a TCP connection. This results in unnecessary round trips to resolve DNS SRV queries.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
Increased latency of HTTP request processing. If the number of APM users is large, then this issue is magnified.

Workaround:
There is no workaround at this time.

Fix:
Kerberos DNS SRV requests now support EDNS0 so that UDP responses greater than 512 bytes can be received correctly, eliminating delays caused by TCP retransmission.


704449 : Orphaned tmsh processes might eventually lead to an out-of-memory condition

Component: TMOS

Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.

An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:

/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh

If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.

Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.

Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.

Workaround:
There are several workarounds for this issue:

-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Halt orphaned tmsh processes.

Fix:
tmsh processes are no longer orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects under these conditions.


704381 : SSL/TLS handshake failures and terminations are logged at too low a level

Component: Local Traffic Manager

Symptoms:
SSL/TLS handshake failures and terminations are logged at too low a level (INFO).

Conditions:
-- SSL/TLS connections are received or sent.
-- Handshake failures are logged.

Impact:
Sometimes other errors are produced whose cause is an SSL/TLS handshake failure, but this failure is not being logged.

Workaround:
There is no workaround.

Fix:
SSL/TLS handshake failures and terminations are now logged at a higher level (WARNING).


704336 : Updating 3rd party device cert not copied correctly to trusted certificate store

Component: TMOS

Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.

Conditions:
Updating Device certificate which also includes multiple intermediate and root certificates.

Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.

Workaround:
Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.

Fix:
The fix now adds all intermediate and root certificates, along with the device certificate, to the Trusted Server and Trusted Device certificate bundles.


704277 : TMSH help missing for One-Connect limit-type property

Component: Local Traffic Manager

Symptoms:
When One-Connect profile is created or modified in TMSH and help is invoked by typing the '?' character, description for the limit-type option is missing.

Conditions:
A One-Connect profile is created or modified in TMSH.

Impact:
Command line help missing.

Workaround:
TMSH help is similar to the following:

limit-type: Connection limits with OneConnect are different from straight TCP connection limits. Three options are supported: 'none' (the default), 'idle', and 'strict'.

-- When the limit is 'none', simultaneous in-flight requests and responses over TCP connections to a pool member are counted toward the limit. There may be more TCP connections open to support new requests than there can be simultaneous in-flight requests and responses. This is particularly true when SNAT pools and narrow source address masks are used.

-- When the limit is 'idle', idle connections are dropped as the TCP connection limit is reached. For short intervals, during the overlap of the idle connection being dropped and the new connection being established, the TCP connection limit may be exceeded.

-- When the limit is 'strict', the TCP connection limit is honored with no exceptions. This means that idle connections prevent new TCP connections from being made until they expire, even if they might otherwise be reused. This is not a recommended configuration except in very special cases with short expiration timeouts.

Fix:
Missing help in TMSH added.


704257 : Reporting found forbidden words context

Component: Fraud Protection Services

Symptoms:
When a forbidden word is found, its context may not be included in the sent HTML part of the alert.

Conditions:
A match of a forbidden word on the page.

Impact:
No context of a found forbidden word is shown.

Workaround:
N/A

Fix:
When a forbidden word is detected, HTML is now included in the “min” part of the alert to indicate the context of the forbidden word.


704247 : BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted

Component: TMOS

Symptoms:
BIG-IP .iso images may fail to install if multiple copies of the same image are present and have been deleted.

Conditions:
-- Have multiple copies of the same image .iso in the /shared directory on a BIG-IP system.
-- Delete one of them.

Impact:
Installation attempt of the remaining image(s) might fail.

Workaround:
Restart the lind process, so the installation can continue.

Fix:
The BIG-IP system now installs an image if multiple copies of the same image are present and have been deleted.


703940 : Malformed HTTP/2 frame consumes excessive system resources

Solution Article: K45611803


703869-2 : Waagent updated to 2.2.21

Component: TMOS

Symptoms:
Microsoft updates waagent through an open-source process, but the upstream version is not compatible with BIG-IP software, so it cannot be upgraded outside of BIG-IP releases. Without this update, Microsoft will not support older BIG-IP releases in their environment.

Conditions:
Using Microsoft Azure.

Impact:
Microsoft does not support the version of waagent shipped as part of BIG-IP software.

Workaround:
None.

Fix:
Waagent was updated to 2.2.21 from Microsoft along with F5 changes for compatibility with BIG-IP software.


703766 : TMUI - Multiple Certificates cannot be deleted in a single operation

Component: TMOS

Symptoms:
Unable to delete all unused certificates/keys in single operation. If a certificate/key delete fails, the delete operation exits, leaving the remaining certificates and keys.

Conditions:
-- Multiple certificates/keys assigned to profiles.
-- At least one of the certificates/keys is in use.
-- Try to delete all certificates/keys from the SSL certificate list screen in a single operation.

Impact:
Cannot delete multiple certificates/keys in a single operation. If the delete operation fails because one certificate/key is in use, the remaining certificate/keys are not deleted, so you must perform the operation again.

Workaround:
Ignore the certificate/key that failed, and rerun the delete operation until all certificates/keys are deleted.

Fix:
The delete operation now skips certificates/keys that are in use and deletes all other remaining certificates/keys.


703761 : Disable DSA keys for public-key and host-based authentication in Common Criteria mode

Component: TMOS

Symptoms:
On a BIG-IP system configured for Common Criteria (CC) mode, DSA keys can still be used for key-based authentication to the BIG-IP system.

Conditions:
-- Running a CC release with CC Mode enabled.
-- Attempt to SSH-connect to the BIG-IP system from another system with a DSA key.
-- That DSA key is present in the BIG-IP system's authorized_keys file.

Impact:
If the key is in the BIG-IP system's authorized_keys file, public-key authentication succeeds, when DSA authentication should be disabled in CC mode.

Workaround:
There is no workaround at this time.

Fix:
DSA SSH keys are now disabled for public-key and host-based authentication in Common Criteria mode, as expected.


703673 : A specific kind of request can be incorrectly identified as a login request

Component: Application Security Manager

Symptoms:
A regular request may be considered a login request and logged incorrectly.

Conditions:
A parameter is configured as a JSON parameter, and a login page is configured.

Impact:
This can result in incorrect logging of login requests.

Workaround:
N/A

Fix:
Fixed an issue with incorrect login request logging.


703669 : Eventd restarts on NULL pointer access

Component: TMOS

Symptoms:
The loop that reads /config/eventd.xml to load configuration data processes data in 1024-byte chunks. If the size of the file is a multiple of 1024 bytes, the end of file condition that terminates the file read does not occur until the subsequent read. The subsequent read returns zero (0) bytes and passes an empty buffer to the parser, which causes eventd to restart repeatedly.

Conditions:
The length of the file /config/eventd.xml is a multiple of 1024 bytes.

Impact:
Causes eventd to crash.

Workaround:
To work around the problem, insert whitespace in /config/eventd.xml to pad the file to a size that is not a multiple of 1024 bytes.
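As an added illustration (not eventd's own code), the following C program contrasts a chunked reader that tests feof() before each fread(), which hands an empty buffer to the parser when the file length is an exact multiple of the chunk size, with one that stops on a zero-length read; parse_chunk, load_config_buggy, load_config_fixed and try_loader are hypothetical names and the in-memory file stands in for /config/eventd.xml.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK 1024

/* Stand-in for the XML parser: an empty buffer is the error case that, in
 * eventd, ended in a NULL pointer access. Returns bytes consumed or -1. */
static int parse_chunk(const char *buf, size_t n)
{
    if (buf == NULL || n == 0)
        return -1;
    return (int)n;
}

/* Buggy loop: tests feof() before each fread(). When the file length is an
 * exact multiple of CHUNK, the last successful read does not set the EOF
 * flag, so the loop runs once more, fread() returns 0 and the parser is
 * handed an empty buffer. Returns total bytes parsed, or -1 on that path. */
static long load_config_buggy(FILE *fp)
{
    char buf[CHUNK];
    long total = 0;
    while (!feof(fp)) {
        size_t n = fread(buf, 1, CHUNK, fp);
        if (parse_chunk(buf, n) < 0)
            return -1;                 /* the crash path */
        total += (long)n;
    }
    return total;
}

/* Fixed loop: termination is driven by the byte count fread() returns, so a
 * zero-length read ends the loop before anything reaches the parser. */
static long load_config_fixed(FILE *fp)
{
    char buf[CHUNK];
    long total = 0;
    for (;;) {
        size_t n = fread(buf, 1, CHUNK, fp);
        if (n == 0)
            break;                     /* EOF (or error): nothing to parse */
        if (parse_chunk(buf, n) < 0)
            return -1;
        total += (long)n;
    }
    return ferror(fp) ? -1 : total;
}

/* Constructed input: an in-memory file of `size` whitespace bytes. */
static FILE *make_file(size_t size)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return NULL;
    char *data = malloc(size ? size : 1);
    memset(data, ' ', size);
    fwrite(data, 1, size, fp);
    free(data);
    rewind(fp);
    return fp;
}

/* Run a loader over a file of `size` bytes: total bytes parsed, or -1 if the
 * loader handed the parser an empty buffer. */
static long try_loader(long (*loader)(FILE *), size_t size)
{
    FILE *fp = make_file(size);
    if (fp == NULL)
        return -1;
    long rc = loader(fp);
    fclose(fp);
    return rc;
}

int main(void)
{
    /* 2048 is a multiple of CHUNK: the buggy loop fails, the fixed one does not. */
    printf("buggy, 2048 bytes: %ld\n", try_loader(load_config_buggy, 2048));
    printf("buggy, 2047 bytes: %ld\n", try_loader(load_config_buggy, 2047));
    printf("fixed, 2048 bytes: %ld\n", try_loader(load_config_fixed, 2048));
    return 0;
}
```

The same reasoning explains the workaround: padding the file to a length that is not a multiple of 1024 makes the final fread() a short read that sets the EOF flag.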


703580-3 : TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.

Component: Local Traffic Manager

Symptoms:
TLS1.1 handshake failure on guest. The following error appears in /var/log/ltm:
warning tmm[11611]: 01260009:4: Connection error: ssl_hs_cn_vfy_fin:2339: corrupt Finished (20)

Conditions:
-- Using the VIPRION 42xx/43xx and B21xx blades.
-- Running BIG-IP software earlier than v12.1.3 (for example v12.1.2-hf2) on the vCMP host system.
-- Deploying vCMP guest running v12.1.3.
-- Using TLS1.1.

Impact:
TLS1.1 handshake fails on the guest.

Workaround:
Use the same software version on the vCMP host and vCMP guests.

Fix:
TLS1.1 handshake no longer fails when running a v12.x/v13.x vCMP guest with an earlier BIG-IP software version on the vCMP host.


703515-1 : MRF SIP LB - Message corruption when using custom persistence key

Solution Article: K44933323

Component: Service Provider

Symptoms:
If the custom persistence key is not a multiple of 3 bytes, the SIP request message may be corrupted when the via header is inserted.

Conditions:
The custom persistence key is not a multiple of 3 bytes in length.

Impact:
The SIP request message may be corrupted when the via header is inserted.

Workaround:
Pad the custom persistence key to a multiple of 3 bytes in length.

Fix:
All persistence key lengths work as expected.


703509 : Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled

Component: TMOS

Symptoms:
Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled.

...notice tmsh[32418]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
...notice tmsh[32418]: 01420003:5: The current session has been terminated.
...err tmsh[32417]: 01420006:3: Project-Id-Version: f5_tmsh 9.7.0 POT-Creation-Date: 2008-05-13 16:18-0700 PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE Last-Translator: F5 Networks <support@f5.com> Language-Team: LANGUAGE <en@li.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit
...err tmsh[32415]: 01420006:3: UCS saving process failed.

Conditions:
The default admin account is disabled, using an alternate user that has the administrator role.

Impact:
User is unable to save the configuration.

Workaround:
A user with the administrator role can save the config.
The root user can save the config.

Fix:
If the admin user is not the default user, a non-admin user is able to save the config in tmsh.


703266 : Potential MCP memory leak in LTM policy compile code

Component: Local Traffic Manager

Symptoms:
A failure in processing an LTM policy may result in an MCP memory leak.

Conditions:
Centralized Policy Management (CPM) fails to process an LTM policy.

Impact:
MCP memory leak.

Workaround:
There is no workaround at this time.

Fix:
This fix handles a rare MCP memory leak that may occur if CPM fails to process an LTM policy.


703191 : HTTP2 requests may contain invalid headers when sent to servers

Component: Local Traffic Manager

Symptoms:
HTTP requests handled by an HTTP/2 virtual server may have blank header names when proxied through to the server or when handled via iRules.

Conditions:
-- Virtual server has the HTTP/2 profile assigned.
-- Client and the BIG-IP system negotiate/use HTTP/2.

Impact:
HTTP/2 applications may generate CSRF-related errors. Alternately, the server may return intermittent (and from the client's perspective, spurious) 400 Bad Request responses.

Workaround:
There is no workaround other than to remove the HTTP/2 profile from the virtual server.


703129 : False 'Web Rootkit detected' on UC browser for ChromeOS running on a mobile device

Component: Application Security Manager

Symptoms:
When proactive bot defense, which provides headless browser detection, is enabled, a request from the UC Browser running on a mobile device gets a high score and might be reset or challenged with a CAPTCHA.

Conditions:
1. ASM or DOS provisioned.
2. Proactive bot defense (headless browsers detection) enabled in DoS Application profile and DoS profile assigned on a virtual server.
3. Request is sent without TSPD101 cookie.

Impact:
Potential reset/CAPTCHA in this case. In addition to the system presenting a false 'Web Rootkit detected' alert, there are other violations detected within the request.

Workaround:
You can use either of the following workarounds:
-- Disable headless browser detection (under proactive bot defense).

-- Raise reset/CAPTCHA score limits using the following commands:

list sys db dosl7.browser_legit_min_score_captcha
sys db dosl7.browser_legit_min_score_captcha {
    value "60"
}
list sys db dosl7.browser_legit_min_score_drop
sys db dosl7.browser_legit_min_score_drop {
    value "120"
}

Fix:
Rootkit checks for UC Browser are improved.


703045 : If using TMSH commands with deprecated attributes in iAPP, the upgrade will fail.

Component: TMOS

Symptoms:
TMSH commands with deprecated attributes fail if used in an iApp.

Conditions:
TMSH commands with deprecated attributes fail if used in an iApp. This is so whether the iApp is activated during the upgrade process or simply run under the iApp service from the user display.

Impact:
TMSH commands do not execute; for example, a create command results in no objects (e.g., monitor, virtual server) being created.

Workaround:
Avoid deprecated attributes of the object in the iApp.

Fix:
All TMSH commands now handle deprecated attributes of objects consistently across the TMSH command line, CLI scripts and iApps, as follows:

- TMSH commands run to full execution with only a warning message.
- Full execution means the object action is executed without error, and nothing goes wrong silently either.


702917 : Fragmented icmpv6 packets are not displayed when using tcpdump with icmp6 filter

Component: TMOS

Symptoms:
When using tcpdump to display packets, and the icmp6 filter is passed as an option to the tcpdump program, for example:
tcpdump -nni 0.0 icmp6 -s0
tcpdump fails to display icmpv6 packets if they are fragmented.
Non-fragmented packets are displayed correctly.

Using a different filter like:
tcpdump -nni 0.0 host <ipv6> -s0
displays the fragmented icmpv6 packets correctly.

Conditions:
1) icmpv6 packets are fragmented (likely because they exceeded the MTU somewhere).

2) tcpdump is run with icmp6 specified as the filter.

Impact:
Fragmented icmpv6 packets cannot be captured or displayed in tcpdump using the icmp6 filter.

Workaround:
Do not use the icmp6 filter of tcpdump when you know that the packets could be fragmented. Use a host filter, or no filter (if traffic is not too large).


702738-2 : Tmm might crash activating new blob when changing firewall rules

Solution Article: K32181540

Component: Advanced Firewall Manager

Symptoms:
TMM crashes with core when changing firewall rules. TMM can enter a crash-loop, so it will crash again after restarting.

Conditions:
Updating, removing, or adding firewall rules.

Specific characteristics of change that can cause this issue are unknown; this issue occurs rarely.

Impact:
Data traffic processing stops.

Workaround:
There are two workaround options:
Option A
1. Delete all policies.
2. Create them again without allowing blob compilation.
3. Repeat steps 1 and 2 until all the policies have been created (enable on-demand-compilation).

Option B
Modify all the rules simultaneously.

For example, the following steps will resolve this issue:
1. Enable on-demand-compilation
2. Select an IP address that is not used in any rules, e.g., 1.1.1.1.
3. Add that IP address to all the rules/source in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses add { 1.1.1.1 } } } }

4. Delete the IP address (restore rules) in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses delete { 1.1.1.1 } } } }
5. Disable on-demand-compilation. Doing so starts new blob compilation.

Fix:
TMM no longer crashes when changing firewall rules.


702675 : CGNAT translations fail when using Fastl4 + Default Dag + intra-chassis connection mirroring

Component: Carrier-Grade NAT

Symptoms:
CGNAT translations fail with the error message 'LSN Pick took too long'. The error message can be observed in logs or with the command 'tmsh show ltm lsn-pool failure-cause'.

Conditions:
-- VIPRION 4450N blades when using default dag (net vlan cmp-hash default).
-- FastL4 is configured
-- Intra-chassis connection mirroring is configured.

Impact:
Some outbound translations are rejected.

Workaround:
You can use any of the following workarounds:

-- Use SP Dag (net vlan cmp-hash src-ip/dst-ip).
-- Disable connection mirroring.
-- Configure a profile on the virtual server that is not FastL4.

Fix:
Translation attempts no longer fail in this configuration.


702450 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect

Component: Local Traffic Manager

Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:

# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.

The referenced object is not a "policy action" in this case, but is a virtual server.

Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.

Impact:
Possible confusion at the error message.

Workaround:
There is no workaround at this time.

Fix:
Made the error message accurately reflect what the user was attempting to delete.


702439-5 : Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset

Solution Article: K04964898

Component: Local Traffic Manager

Symptoms:
If the HTTP/2 configuration header_table_size is changed from the default value of 4096, then streams will be reset with a RST_STREAM error.

Conditions:
The header_table_size field in the HTTP/2 profile is changed from the default.

Impact:
HTTP/2 connections will be unusable.

Workaround:
Set the header table size argument back to its default.

Fix:
The HTTP/2 filter correctly handles the dynamic header table resize notifications triggered by a non-default header table size. Streams will not be reset with a RST_STREAM error.

Additionally, the BIG-IP system will now send the correct number of dynamic header table resize notifications when the table is resized by the client multiple times between header blocks.


702281 : OneConnect header transformations may cause some Websocket connections to reset.

Component: Local Traffic Manager

Symptoms:
During the Websocket handshake, if OneConnect is on and the Websocket header is set as "connection: close", OneConnect transforms the header to "X-Cnection: close". If the header is set as both "connection: upgrade" and "connection: close", OneConnect transforms both, to "X-Cnection: upgrade" and "X-Cnection: close" respectively. This causes some Websocket handshakes to fail.

Conditions:
Virtual server has HTTP and OneConnect profiles. The request has "Connection: close" and "Connection: upgrade" headers during the Websocket handshake.

Impact:
Websocket handshakes fail resulting in connection reset.

Workaround:
Remove OneConnect, or use an iRule to re-add "Connection: upgrade".


702232 : TMM may crash while processing FastL4 TCP traffic

Solution Article: K25573437


702227 : Memory leak in TMSH load sys config

Component: TMOS

Symptoms:
When loading a configuration, either through tmsh load sys config or the corresponding iControl REST command, the TMSH or icrd_child processes can leak memory.

Conditions:
When configuration is loaded via TMSH or iControl REST.

Impact:
The TMSH process memory or icrd_child process memory continues to grow every time the config is loaded.

Workaround:
If memory consumption grows in the TMSH process, restart the TMSH process.

If memory consumption grows in iControl REST, restart the REST service using the following command: bigstart restart restjavad.

Fix:
There is no longer a memory leak when loading configuration in TMSH or iControl REST.


702151-4 : HTTP/2 can garble large headers

Component: Local Traffic Manager

Symptoms:
The HTTP/2 filter may incorrectly encode large headers.

Conditions:
A header that encodes to larger than 2048 bytes may be incorrectly encoded.

Impact:
The garbled header may no longer conform to the HPACK spec, causing the connection to be dropped; or it may be correctly formed but contain incorrect data.

Fix:
The HTTP/2 filter correctly encodes large HTTP headers.


701898-3 : Certain virtual address route-advertisement settings break upgrades from 13.0.0 hotfix rollups

Component: TMOS

Symptoms:
Upgrading from a version of 13.0.0 other than the base build may result in failure depending on the values of the virtual address route-advertisement setting. If set to "selective", "any", or "all", the configuration will fail to load after the upgrade with an error similar to the following example in the /var/log/ltm file:

load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- Loading schema version: 13.0.0 Syntax Error:(/config/bigip.conf at line: 1790) invalid property value "route-advertisement":"selective"

Conditions:
- Upgrading from a version of 13.0.0 other than the base (i.e. HF1 or later).
- Upgrading to 13.1.0 or later.
- At least one virtual address with its route-advertisement value set to "selective", "any", or "all".

Impact:
Configuration will not load. If the unit being upgraded is a stand-alone unit, this will result in a traffic outage.

Workaround:
If you become aware of this issue prior to upgrading:

1. Note any virtual address route-advertisement settings that are "selective", "any", or "all".

2. Change all of these values to either "enabled" or "disabled" (note that this will change their route advertisement behavior temporarily).

3. Perform the upgrade. The goal of this step is to have the BIG-IP system perform an installation while carrying forward the new, modified configuration. Note that if your chosen destination (i.e. HD1.3) already exists and contains the very software you want to install (i.e. 13.1.1.2), then you must first delete the destination before you can re-use it. This is because, by design, the BIG-IP system will not perform an installation if the desired software is already present in the destination boot location. Attempting such an installation would just result in the BIG-IP system immediately rebooting to activate that boot location, without performing any installation and thus defeating the point of this workaround.

4. Once the upgrade completes, change the route advertisement settings back to their original values.


If you become aware of this issue after the upgrade has already failed:

1. Boot back into the old/working boot location.

2. Delete the boot location containing the failed installation.

3. Follow the procedure detailed under "If you become aware of this issue prior to upgrading".

Fix:
Upgrades from 13.0.0 hotfix rollups involving certain virtual address route-advertisement settings no longer fail.


701877 : new command-line tools (curl and nghttp) added

Component: TMOS

Symptoms:
This is an enhancement; new networking diagnostic tools are available.

Conditions:
None.

Impact:
Troubleshooting HTTP/2 connectivity is easier.

Workaround:
None.

Fix:
Command-line tools have been updated to support HTTP/2. See 'man curl' and 'man nghttp' for details.


701856 : Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart

Component: Application Security Manager

Symptoms:
In rare circumstances, when Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm), ASM-config Event Dispatcher memory usage grows uncontrollably.

Conditions:
In rare circumstances, Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm).

Impact:
ASM-config Event Dispatcher memory usage grows continuously until the device eventually fails over.

Workaround:
Restart asm_config_server on all devices using the following command:
 killall asm_config_server.pl

Fix:
ASM-config Event Dispatcher memory usage remains stable even upon multiple Policy Builder restarts.


701826-1 : qkview upload to ihealth fails or unable to untar qkview file

Component: TMOS

Symptoms:
The qkview upload to iHealth fails, or the qkview file cannot be untarred.

Conditions:
When the qkview file is untarred, the same directory name is created repeatedly in a loop, as shown below, and the untar fails.

.../dir1/
.../dir1/dir1/
.../dir1/dir1/dir1/
...

This happens because of a dangling symlink, dir1, which points to nothing.

[root@localhost:Active:Standalone] config # ls -l /config/bigip/auth/pam.d/dir1
lrwxrwxrwx. 1 root root 64 2018-01-30 08:56 /config/bigip/auth/pam.d/dir1 ->
[root@localhost:Active:Standalone] config # stat /config/bigip/auth/pam.d/dir1
  File: `/config/bigip/auth/pam.d/dir1' -> `'
  Size: 64 Blocks: 8 IO Block: 4096 symbolic link
Device: fd16h/64790d Inode: 112045 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-01-30 08:56:20.000000000 -0800
Modify: 2018-01-30 08:56:20.000000000 -0800
Change: 2018-01-31 08:39:35.000000000 -0800
[root@localhost:Active:Standalone] config #

Impact:
The qkview file cannot be untarred, or the qkview upload to iHealth fails.

Workaround:
Identify and delete the dangling symlink. Then generate the qkview (or use iHealth to generate it) and upload it to iHealth.

Fix:
The qkview tool now identifies dangling symlinks and handles them safely to avoid looping.
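A pre-check for the condition above, added here as an example rather than F5's own qkview code: it lists every symlink below a directory whose target does not resolve, so the link can be inspected and removed before qkview runs. The /config/bigip/auth/pam.d path comes from the output above; the default search root of /config is an assumption.

```shell
#!/bin/sh
# Added example (not part of BIG-IP or qkview): list dangling symlinks.
# A dangling symlink is one whose target does not exist. "test -e" follows
# the link, so it fails for exactly those entries. find does not follow
# symlinks by default, so a link to a directory is never descended into.
find_dangling_links() {
    root="${1:-/config}"   # assumed default search root
    find "$root" -type l -print | while IFS= read -r link; do
        if [ ! -e "$link" ]; then
            printf '%s\n' "$link"
        fi
    done
}

# Number of dangling links below the root; useful as a pre-qkview check.
count_dangling_links() {
    find_dangling_links "$1" | wc -l | tr -d ' '
}
```

Any path printed is a link to inspect; remove the link itself (not a target) before generating the qkview.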


701800 : SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x

Component: Access Policy Manager

Symptoms:
Mac RDP client 10.x shows credentials prompt when SSO-enabled native RDP resource is launched from the APM Webtop. If the user enters credentials manually, the RDP client will display an error message.

Conditions:
-- Mac RDP client is of version 10.x (e.g., 10.1.6).
-- Native RDP resource is assigned to the webtop.
-- SSO is enabled on the RDP Resource.

Impact:
RDP resource cannot be launched.

Workaround:
Add the following to 'Custom Parameters' of SSO-enabled RDP resources:
full address:s:%{session.server.network.name}
promptcredentialonce:i:1

Fix:
SSO-enabled native RDP resources now can be launched from APM Webtop with Mac RDP client 10.2.0.


701785 : Linux kernel vulnerability: CVE-2017-18017

Solution Article: K18352029


701722 : Potential mcpd memory leak for signed iRules

Component: TMOS

Symptoms:
There is an MCP memory leak that occurs when the message "Signature encryption failed" is seen in /var/log/ltm.

Conditions:
Signing of iRules must be in use. Signature encryption must be problematic.

Impact:
MCP leaks memory.

Workaround:
Resolve the signature encryption issue.

Fix:
Fixed memory leak.


701289 : LTM v12.1.2: Static BFD with BIG-IP floating IP address

Component: TMOS

Symptoms:
In an HA configuration, the BFD session on both the Active and Standby nodes can be configured with the same floating Self IP as the source IP address. As a result, both the Active and Standby nodes actively send BFD Control packets to the BFD neighbor, while responses from the BFD neighbor are delivered to the Active node only. Not only does the session state mismatch between the Active and Standby nodes, but the BFD Control packets from the two nodes also carry different information, which disturbs the session.

Conditions:
- BFD sessions on HA Active and Standby have the same floating Self IP as a source IP address.

Impact:
The BFD session is disturbed both on the HA Active node and on the BFD neighbor, which might end up invalidating the route to the BIG-IP.

Workaround:
One workaround is to manually disable the BFD session on the Standby node; however, on failover the session would need to be manually restored.

Another workaround is to use a non-floating Self IP as the source IP address of the BFD Control packets; this, however, might require some additional logic on the BFD neighbor side.

Fix:
BFD sessions that use a floating Self IP as the source IP address are now suspended on the Standby node in an HA configuration. On failover, the session is restored. As a result, BFD Control packets are sent from only one HA node, the Active one. A short flap might occur on failover, as session states are not synchronized across the HA pair.


701253 : TMM core when using MPTCP

Solution Article: K16248201


701249 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1

Component: TMOS

Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.

The NAS-IP-Address is essentially the resource an end user client is trying to authenticate to. This is typically the management IP address of the BIG-IP system, but the BIG-IP system always sends 127.0.0.1 instead. That might fail or it might work, depending on how the server is configured.

Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.

Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.

Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.

Workaround:
There is no workaround.


701186 : With auto-lasthop enabled tmm accepts traffic from invalid addresses

Component: Local Traffic Manager

Symptoms:
Tmm accepts traffic from incorrect source addresses:
- 127.0.0.0/8
- 0.0.0.0/8

Conditions:
Auto-lasthop enabled.

Impact:
RFC6890 violation.

Note: This is not a vulnerability, as traffic is getting returned to the lasthop populated via auto-lasthop.
Therefore, no traffic is reaching the host; it is only an RFC violation.

Workaround:
To mitigate this issue, use the following packet filter:

net packet-filter /Common/drop_local {
    action discard
    order 5
    rule "( src net 0.0.0.0/8 or src net 127.0.0.0/8 )"
}

Fix:
TMM drops traffic from incorrect source addresses:
- 127.0.0.0/8
- 0.0.0.0/8


701068 : HTTP/2 now provides a way to inspect stream reset causes.

Component: Local Traffic Manager

Symptoms:
The HTTP/2 protocol multiplexes multiple streams in a single connection. If a stream aborts, the connection might not. The HTTP/2 protocol condenses the reset cause into a single 4-byte integer, which is not enough to determine the real reason for the stream aborting. This makes debugging issues with HTTP/2 difficult.

Conditions:
An HTTP/2 stream aborts for any reason.

Impact:
The debugging of virtual servers that use HTTP/2 is more difficult.

Workaround:
There is no workaround at this time.

Fix:
When HTTP/2 streams abort, the reset cause may be recorded in the stats, if desired. This is configured using the normal rstcause configuration mechanisms.

A BigDB var has been added: Tmm.HTTP2.sendrstwhy. If set to 'true' and an HTTP/2 stream aborts, the BIG-IP system sends an HTTP/2 frame containing reset cause information. The frame is of type '0xf5' = 245.


701025 : BD restart on a device where 'provision.tmmcountactual' is set to a non-default value

Component: Application Security Manager

Symptoms:
BD restarts with this error:
    Plugin configuration load timeout. Exiting.

Conditions:
The db variable 'provision.tmmcountactual' is set to a number lower than the actual CPU count.

Impact:
BD restarts continuously.

Workaround:
You can use any of these workarounds:
-- In the GUI, set 'RWThreads' under Security :: Options : Application Security : Advanced Configuration : System Variables.

-- Use the 'add_del_internal' utility:
----------------------
# /usr/share/ts/bin/add_del_internal
USAGE:
/usr/share/ts/bin/add_del_internal add <param_name> <param_value> [--default <default_value>]
/usr/share/ts/bin/add_del_internal update <param_name> <param_value> [--default <default_value>]
/usr/share/ts/bin/add_del_internal delete <param_name>
----------------------

-- Set the bd internal parameter num_rw_threads to the number of plugin channels that TMM expects.

-- Revert 'provision.tmmcountactual' sys db to the default value.


700957 : DNAT performance drops up to 50% when a second blade is added

Component: Carrier-Grade NAT

Symptoms:
When a second blade is added to a chassis, excessive memory and CPU utilization may be observed.

Conditions:
A high number of concurrent connections using a LSN pool configured in deterministic mode.

Impact:
Fewer concurrent connections are supported in a two-bladed system than when using a single blade.

Workaround:
None


700918 : vADC: default gateway route required, lasthop kernel module removed

Component: TMOS

Symptoms:
On BIG-IP Virtual Edition (VE), connections to the management interface may fail if an explicit management route is not defined for it or was not learned from DHCP. This may prevent clients that previously managed VE from being able to do so after an upgrade.

Conditions:
-- Inbound connections to VE over the management interface (SSH, SNMP, etc.).
-- A suitable management route is not present.

Impact:
Clients that could previously connect to the management interface may be unable to do so after an upgrade if they never configured a suitable management route or one was not acquired by DHCP.

Workaround:
Configure suitable management routes or learn them via DHCP. VE will still be accessible via systems on its locally connected network segment and via the management console.

Fix:
Inbound connections using the management interface now require explicit route definitions.

Behavior Change:
BIG-IP VE no longer supplies the 'lasthop' Linux kernel module. Inbound connections using the management interface now require explicit route definitions.


700888 : VDisk Migration Doesn't Log Information About Failures

Component: TMOS

Symptoms:
When a vdisk migration fails, the cause is unknown.

Conditions:
When users choose to move a vdisk on a multi-blade chassis running vCMP.

Impact:
The cause of the failure will be unknown and users won't know what to do.

Workaround:
There is no workaround at this time.


700827 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.

Component: TMOS

Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command: tmsh show sys tmm-traffic

Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.

For example, some servers always use randomly selected even source port numbers. This means the 'stride' of the ports selected is '2': a sorted list of the ports looks like 2, 4, 6, 8, ... 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.

Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.

Workaround:
Randomize source ports when connecting via a BIG-IP system.

Fix:
This release introduces a new variable mhdag.pu.table.size.multiplier. Setting it to 2 or 3 mitigates the issue.
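A way to measure the source-port 'stride' described above, added here as an example (not F5 code): it reads one port per line, sorts and de-duplicates them, and computes the greatest common divisor of the gaps between consecutive ports. A result of 1 means the ports are spread as expected; 2 or more means an arithmetic pattern like the even-ports case. The ports in the sample function are constructed.

```shell
#!/bin/sh
# Added example: compute the source-port stride from a list of ports
# (one per line on stdin). Output is the gcd of all gaps between sorted,
# de-duplicated ports; 0 means fewer than two distinct ports were seen.
port_stride() {
    sort -n | uniq | awk '
        function gcd(a, b,    t) { while (b) { t = a % b; a = b; b = t } return a }
        NR == 1 { prev = $1; g = 0; next }
        { g = gcd(g, $1 - prev); prev = $1 }
        END { print g + 0 }'
}

# Constructed sample: only even ports, the "stride of 2" case described above.
sample_even_ports() {
    printf '%s\n' 32004 2 6 4 8 32002
}
```

Feed it the client source ports observed on the blade; a stride greater than 1 is the condition the tmm-traffic imbalance points at.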


700822 : GUI slow with large number of entries in network firewall address list

Component: Advanced Firewall Manager

Symptoms:
With 20,000 IP addresses in the network firewall address list, the GUI response (IE) when accessing the address list is slow to unresponsive.

Conditions:
When the network firewall address list has many entries, e.g., 20,000.

Impact:
Address list page becomes unresponsive.

Workaround:
Use tmsh.

Fix:
Limit GUI view of address list to show first 100 entries, with a link at the bottom to go to a page to view all members of list.


700794 : Cannot replace a FIPS key with another FIPS key via tmsh

Component: TMOS

Symptoms:
If you try to replace an existing FIPS key using "tmsh install sys crypto key" the command fails with "is already FIPS". This can also occur when issuing the commands via the REST API.

Conditions:
If a FIPS key was already created or installed via tmsh, it cannot be replaced or overwritten via the "tmsh install sys crypto" command.

Impact:
Failure to overwrite a FIPS key with another FIPS key via tmsh.

Fix:
With the fix, the user can now use the command to replace or overwrite an existing FIPS key with another key.


700728 : Provide an internal parameter to configure allowed empty headers

Component: Application Security Manager

Symptoms:
Some headers are expected to legitimately contain empty values. There is no option to configure this, which is required in order to define which headers may be sent with an empty value without triggering the empty-value violation, while continuing to enforce the violation on all other headers.

Conditions:
-- 'HTTP protocol compliance failed' violation:
-- 'Header name with no header value' is enabled.
-- A request arrives with a header that has no value.

Impact:
A legitimate request triggers a violation.

Workaround:
Disable 'HTTP protocol compliance failed' violation:
'Header name with no header value'.

Important: This workaround reduces general security.

An iRule workaround that uses custom violations and looks into empty headers is possible as well, for example:

when ASM_REQUEST_DONE {
    foreach header_name [HTTP::header names] {
        if {([HTTP::header value $header_name] eq "") && !($header_name eq "my-allowed-empty-header-name")} {
            log local0.info "raising EMPTY_HEADER_VIOLATION for header $header_name"
            ASM::raise EMPTY_HEADER_VIOLATION
        }
    }
}

Fix:
Added an internal parameter 'empty_header_value_allowed' that can be configured with a comma-separated list of headers for which an empty value is allowed.

Behavior Change:
This release introduces an internal parameter, 'empty_header_value_allowed', which can be configured with a comma-separated list of headers for which an empty value is allowed.


700393-4 : Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash

Component: Local Traffic Manager

Symptoms:
Tmm might crash due to a stale/stalled HTTP/2 stream.

Conditions:
HTTP/2 profile in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Stale/stalled HTTP2 streams are handled correctly to prevent a tmm crash.


700315 : Ctrl+C does not terminate TShark

Solution Article: K26130444

Component: TMOS

Symptoms:
A running TShark process on the BIG-IP system has problems exiting when the user is finished capturing and presses CTRL+C while listening on a tmm VLAN or 0.0.

Conditions:
-- Using TShark on a tmm VLAN or 0.0.
-- Pressing Ctrl+C to exit.

Impact:
TShark does not exit as expected when pressing CTRL+C.

Workaround:
To recover, you can suspend the process (CTRL+Z) and then halt it by running a command similar to the following: kill -9 $(pidof tshark)

Fix:
Ctrl+C now terminates TShark as expected.


700287 : SSL Forward Proxy not to cache expired server certificate

Component: Local Traffic Manager

Symptoms:
In SSL Forward Proxy, the client side forges a server certificate and caches the forged certificate for every server certificate that passed server-side certificate validation, including expired certificates.

Conditions:
In an SSL Forward Proxy-enabled server-side profile, 'server authentication' is set to required and 'expired certificate response control' is set to ignore. When the back-end server certificate has expired, the client-side SSL forges a certificate and caches the forged certificate.

Impact:
Caching the expired certificate may cause SSL to keep using the expired certificate even after the back-end server renews its certificate.

Fix:
With this fix, SSL no longer caches expired server certificates.


700086 : AWS C5/M5 Instances do not support BIG-IP VE

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) does not function on AWS C5/M5 instances.

Conditions:
BIG-IP VE on AWS C5/M5 instances.

Impact:
Cannot use BIG-IP VE on AWS C5/M5 instances.

Workaround:
None.

Fix:
BIG-IP VE now functions on AWS C5/M5 Instances.


700056 : MCPD process may lock up and restart when applying Local Traffic Policy to virtual server

Component: Local Traffic Manager

Symptoms:
The mcpd process becomes unresponsive while attempting to load the configuration, or attempting to apply a configuration change that associates a particular local traffic policy to a virtual server. The mcpd process may also periodically restart every 5 minutes.

Conditions:
- Virtual servers configured.
- Specific policies configured and attached to virtual servers.

Only policies configured in a specific way will trigger this situation. The specifics are not well understood; however, the vast majority of Local Traffic Policies are unaffected by this issue.

Impact:
Traffic disrupted while mcpd restarts.

Workaround:
There is no workaround.

Fix:
mcpd is responsive when an LTM Policy is attached to a virtual server, or when an already-attached policy is updated.


699750 : Content-Length is a valid HTTP/2 Header

Component: Local Traffic Manager

Symptoms:
Content-Length header is not removed from response header blocks.

Conditions:
Always.

Impact:
None. This is correct behavior, as the Content-Length header is a valid one in HTTP/2 header blocks.

Workaround:
None needed. This is correct behavior.

Fix:
Removed unused configuration option.


699686-2 : localdbmgr can occasionally crash during shutdown

Component: Access Policy Manager

Symptoms:
When the localdbmgr process is restarted, it occasionally crashes and a core file is generated.

Conditions:
-- APM is provisioned.
-- localdbmgr process is restarted.

Impact:
Although the process restarts, there is no impact to the APM functionality.

Workaround:
None.

Fix:
localdbmgr no longer crashes during shutdown.


699671 : Additional logging for AVR mailer

Component: Application Visibility and Reporting

Symptoms:
When the AVR mailer fails due to a server error, the exact error is not reported anywhere, so the issue cannot be troubleshot.

Conditions:
Errors while sending out AVR e-mails.

Impact:
Difficulty troubleshooting failures of the mailer.

Workaround:
It is possible to manually edit the mailer PHP script to increase the debug level.


699624 : Config with custom 'SIP' or 'Firepass' monitor fails to load after upgrade

Solution Article: K93400155

Component: Local Traffic Manager

Symptoms:
A configuration that contains custom 'SIP' or 'FirePass' monitors that is upgraded from a version earlier than v13.1.0 may either fail to load, or may result in a configuration that loads the first time after the upgrade, but cannot be re-loaded from the text config files.

If the BIG-IP system has partitions other than 'Common', the initial configuration load may fail with an error such as:

01070726:3: monitor /Common/sip-monitor in partition Common cannot reference SSL profile monitor parameter /Common/sip-monitor 1 SSL_PROFILE_NAME= in partition name-of-other-partition

If the BIG-IP system only has a 'Common' partition, the initial configuration load will succeed, but subsequent attempts to load the configuration (e.g., 'tmsh load sys config') may fail with this error:

Syntax Error:(/config/bigip.conf at line: 63) "user-defined" unknown property

This corresponds to a SIP or FirePass monitor in the configuration such as:

ltm monitor sip /Common/test_sip_monitor {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    debug no
    defaults-from /Common/sip
    destination *:*
    filter 488
    interval 5
    mode tcp
    time-until-up 0
    timeout 16
    user-defined SSL_PROFILE_NAME /Common/test_sip_monitor_ssl_profile
}

Conditions:
Custom 'SIP' or 'FirePass' monitor is configured, and the config is upgraded from a version earlier than v13.1.0 to version v13.1.0.

Impact:
After upgrade, the configuration fails to load with an error such as:

01070726:3: monitor /Common/sip-monitor in partition /Common cannot reference SSL profile monitor parameter /Common/sip-monitor 1 SSL_PROFILE_NAME= in partition name-of-other-partition.

Alternatively, the configuration loads after upgrade, but the config file is corrupted, and will fail to load (such as after a system restart, or upon explicit 'tmsh load sys config'), with an error such as:

Syntax Error:(/config/bigip.conf at line: 63) "user-defined" unknown property

Workaround:
Remove custom 'SIP' and 'FirePass' monitors from the configuration, and re-create them manually after upgrade is complete.

Fix:
In this release, a configuration that contains a custom 'SIP' or 'FirePass' monitor from a version earlier than v13.1.0 now loads correctly and continues to load as expected.


699598 : HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR

Component: Local Traffic Manager

Symptoms:
HTTP/2 requests with a large body may result in the BIG-IP system sending RST_STREAM with FRAME_SIZE_ERROR.

Conditions:
-- HTTP/2 profile is configured on the virtual server.
-- Request has body size greater than 16 KB.

Impact:
HTTP/2 stream is reset with FRAME_SIZE_ERROR and transfer does not complete.

Workaround:
None.

Fix:
Large HTTP/2 requests are now processed as expected.


699531 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command

Component: Policy Enforcement Manager

Symptoms:
TMM crash.

Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.

Impact:
Loss of service. Traffic disrupted while tmm restarts.

Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.

For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.

Fix:
The system now provides the correct number of attributes, preventing a NULL pointer dereference.


699454 : Web UI does not follow current best coding practices

Component: Advanced Firewall Manager

Symptoms:
The web UI does not follow current best coding practices while processing URL DB updates.

Conditions:
ASM provisioned.

Impact:
UI does not respond as intended.

Workaround:
None.

Fix:
The web UI now follows current best coding practices while processing URL DB updates.


699453 : Web UI does not follow current best coding practices

Solution Article: K20222812


699431-1 : Possible memory leak in MRF under low memory

Component: Service Provider

Symptoms:
MRF may leak a session db record when a memory allocation failure occurs while adding a connection to an internal table. In this case, the table entry is not cleaned up when the connection closes.

Conditions:
A memory allocation failure occurs while MRF adds a connection to an internal table.

Impact:
The table entry remains until the box resets.

Workaround:
There is no workaround at this time.

Fix:
The code has been fixed to remove the table entry when a memory allocation failure occurs while adding the record.


699267 : LDAP Query may fail to resolve nested groups

Component: Access Policy Manager

Symptoms:
LDAP Query agent may fail to resolve nested groups for a user.
/var/log/apm logfile contains the following error messages when 'debug' log level is enabled for Access Profile:
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while getting group membership down with error (No such object.).
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while querying LDAP with error (No such object.).

Conditions:
LDAP Query agent is configured in an Access Policy.
'Fetch groups to which the user or group belong' option is enabled.

Impact:
The LDAP Query agent fails, the system is unable to get the user identity, and the Access Policy cannot be finalized.

Fix:
After the fix, LDAP Query resolves all nested groups as expected, and the session.ldap.last.attr.memberOf attribute contains the user's groups.


699181 : For HTTP statistic AVR collects Host Names only instead of the full URI

Component: Application Visibility and Reporting

Symptoms:
AVR reports contain the URIs or the Host Name + URI values, but in some scenarios this is not needed and AVR should report only the Host Names instead.
The `:PORT` portion of the URL is included in the host name.

Conditions:
1. AVR/ASM/DOS provisioned.
2. URLs flag is set in the analytics profile.

Impact:
No impact on current behavior.

Workaround:
None

Fix:
This option is available only through tmsh, so tmsh access is required.
To turn on Host Name only mode, run - "tmsh modify sys db avr.collectonlyhostnamefromuri value enable".
To turn it off (the default behavior), run - "tmsh modify sys db avr.collectonlyhostnamefromuri value disable".


698947 : BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.

Component: TMOS

Symptoms:
The BIG-IP system may incorrectly drop packets from a GRE point-to-point tunnel with auto-lasthop disabled.

Conditions:
The auto-lasthop of a GRE point-to-point tunnel is disabled.

Impact:
The decapsulated packets may be dropped in the BIG-IP system.

Fix:
The BIG-IP system correctly processes decapsulated packets from a GRE point-to-point tunnel.


698931 : Corrupted SessionDB messages causes TMM to crash

Component: TMOS

Symptoms:
TMM segfaults and restarts.

Conditions:
This was reported once during normal tmm operation.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a crash related to sessiondb.


698836 : Increased APM session capacity is not available after installing an APM session count License

Component: Access Policy Manager

Symptoms:
Unable to use extra capacity after installing an APM add-on license with a larger session count.

Conditions:
This occurs when the add-on License generated lacks the mod_apm license, meaning that no full APM license was previously installed, only the APM Light license (which constrains connections to a 10-session maximum).

To determine whether this condition exists, check the bigip.license file, or execute the following command: tmsh show sys license details. If only mod_apml is present and session counts are higher than 10, then the system is in the condition that triggers the problem.

Impact:
Unable to use extra session capability; can use only the 10-session maximum provided by the APM Light license.

Workaround:
Contact your F5 sales representative to get the correct APM add-on license with mod_apm, as well as the additional session count capability.

Fix:
The BIG-IP GUI now displays an error if an APM user count add-on license is used without a base APM license. The system reports such licenses as 'Licensed (Incomplete)'.


698813 : When processing DNSX transfers ZoneRunner does not enforce best practices

Solution Article: K45435121


698619 : Disable port bridging on HSB ports for non-vCMP systems

Component: TMOS

Symptoms:
On BIG-IP 5000/7000 and VIPRION B2100 blades whose switch is configured to enable port bridging, internal packets flooded by the HSB onto internal switch interfaces can be bridged back to the HSB.

Conditions:
-- Packets being flooded from the HSB to VLAN members when adding/deleting VLANs.
-- Non-vCMP systems.
-- Virtual server configured for Direct Server Return (DSR or nPath Routing).

Impact:
This triggers an FDB flush and can result in packet flooding back to the HSB and potential network saturation.

Workaround:
None.

Fix:
Port bridging on HSB interfaces in the switch for non-vCMP systems is now disabled, so this issue no longer occurs.


698379 : HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR

Solution Article: K61238215

Component: Local Traffic Manager

Symptoms:
Uploads for the HTTP2 virtual server fail intermittently with HTTP2 error error_code=FLOW_CONTROL_ERROR.

Conditions:
HTTP2 virtual server configured.

Impact:
Uploads for the HTTP2 virtual server might fail intermittently.

Workaround:
None.

Fix:
Uploads for the HTTP2 virtual server do not fail intermittently anymore.


698307 : Datasafe: Fingerprinting code runs, but is not needed.

Component: Fraud Protection Services

Symptoms:
When both datasafe and fingerprint are enabled, the fingerprint collection code is unnecessarily run on the client side. The results of this collection are not used.

Conditions:
Both datasafe and fingerprint are enabled.

Impact:
Extra resources requested from the BIG-IP system by the client.

Workaround:
To turn off fingerprint, use the following syntax:

tmsh modify security anti-fraud profile <PROFILE_NAME> { fingerprint { collect disabled} }

Fix:
Datasafe does not execute fingerprint collection unnecessarily.


698080 : TMM may consume excessive resources when processing with PEM

Solution Article: K54562183


698014 : SSID Persistence does not work with TLS v1.3. Warning message logged.

Component: Local Traffic Manager

Symptoms:
In TLS v1.3, after the initial handshake is established, the session ticket is encrypted by the back-end server. The SSL Session ID (SSID) parser, being only a passive listener, has no access to the key required to decrypt the encrypted session ticket and determine whether it is indeed a session ticket that needs to be cached for persistence.

Conditions:
This occurs when a client-side virtual server meets all of the following conditions:

-- No SSL profile is enabled.
-- SSID Persistence is one of the resources (i.e., the SSID is enabled).
-- TLS v1.3 traffic is negotiated between the SSL client and the back-end SSL server, with the BIG-IP device acting as a passive listener between the client and the back-end server.

Impact:
Configurations using SSID Persistence with TLS versions up to and including 1.2 will be impacted.

Whenever TLS 1.3 traffic is processed and the SSID filter is enabled:
-- The filter switches to pass-through.

-- No session ID or session ticket is cached for persistence. As a result:
   + The CLI command 'tmsh show ltm persistence persist persist-records' does not show any of this information.
   + No SSID persistence is used to load-balance client traffic on to a back-end server (because there is no persistence record).

Workaround:
There is no solution possible with TLS v1.3. SSID does not work because of the very nature of the TLS v1.3 protocol.

A TMM warning message is logged in the file "/var/log/ltm", in the following format:

warning tmm[12729]: 01260044:4 SSID is not supported with TLS 1.3.

Fix:
A TMM warning message is logged in the file '/var/log/ltm', in the following format:

warning tmm[12729]: 01260044:4 SSID is not supported with TLS 1.3.


697988 : During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100%

Component: Local Traffic Manager

Symptoms:
During config sync, if many (hundreds of) client-ssl profiles are attached to a virtual server, the CPU may spike to 100%.

Conditions:
-- Many (hundreds of) client-ssl profiles are attached to a virtual server.
-- Config sync is executed.

Impact:
If enough client-ssl profiles are attached, the watchdog could fire, crashing tmm and causing service disruption. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not attaching hundreds of client-ssl profiles to a virtual server, or disabling config sync.

Fix:
Issue no longer occurs when there are 2000+ client-ssl profiles attached to a virtual server and config sync is executed.


697794-1 : ROM layout file missing for Blade B2250 in BIG-IP VIPRION 2400 chassis

Component: TMOS

Symptoms:
An error similar to the following is posted when blade B2250 is PXE-booted and an attempt is made to extract OPTN class data from the SPI flashrom:

ERROR: Could not open ROM layout (/usr/firmware/victoria2-rom.layout).
Please run "flashrom --help" for usage info.

Conditions:
When the ROM layout file is missing under the /usr/firmware/ directory in Maintenance OS (MOS).

Impact:
Failure to extract OPTN class data from the SPI flashrom results in failure to determine whether the system should be RAID formatted.

Workaround:
None.


697766 : Cisco IOS XR ISIS routers may report 'Authentication TLV not found'

Solution Article: K12431303

Component: TMOS

Symptoms:
When peering with ISIS to Cisco IOS XR routers, messages similar to the following may be seen:

isis[1003]: %ROUTING-ISIS-5-AUTH_FAILURE_DROP : Dropped L2 LSP from TenGigE0/0/0/1 SNPA 0001.47fd.a801 due to authentication TLV not found.

Conditions:
The BIG-IP system is configured for dynamic routing using the ISIS protocol, and is peered with an IOS XR router, or with another BIG-IP system running software older than version 11.6.1.

In addition, authentication needs to be configured, and a value needs to be set for lsp-refresh-interval, or for max-lsp-lifetime. For example:


   router isis isisrouter
   is-type level-2-only
   authentication mode md5
   authentication key-chain keychain-isis
   lsp-refresh-interval 5
   max-lsp-lifetime 65535
   net 49.8002.00c1.0000.0000.f523.00

Impact:
This is a cosmetic issue. Routing is not impacted. LSPs containing actual routing information do contain the Auth TLV, as expected.

Workaround:
None.

Fix:
This issue no longer occurs.


697452-2 : Websso crashes because of bad argument in logging

Component: Access Policy Manager

Symptoms:
Websso would crash because of a bad argument in logging.

Conditions:
Only when Kerberos SSO is configured.

Impact:
Websso would crash, so single sign-on may fail.

Workaround:
The workaround is to not configure Kerberos SSO.

Fix:
This issue has been fixed.


696731 : The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled

Solution Article: K94062594

Component: TMOS

Symptoms:
The standard LinkUp/LinkDown traps are issued when a port's status changes; that is, the link goes up or down. Additionally, the network manager can administratively enable and disable ports. For some platforms, there is no reliably issued standard LinkUp/LinkDown trap when a port is administratively enabled/disabled.

Conditions:
Administratively disabling an interface on the BIG-IP system.

Impact:
May issue only the F5 Link change trap and not the additional standard MIB trap. The standard LinkUp/LinkDown traps may not be issued.

Workaround:
Use the F5-proprietary MIB: 1.3.6.1.4.1.3375.2.4.0.37 F5-BIG-IP-COMMON-MIB::BIG-IPExternalLinkChange trap to track administrative changes to links.


695072 : CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558

Solution Article: K23030550


694940-1 : glibc vulnerabilities (CVE-2017-15670 / CVE-2017-15671)

Component: TMOS

Symptoms:
https://support.f5.com/csp/article/K35129173
The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string. (CVE-2017-15670)

https://support.f5.com/csp/article/K30314331
The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak). (CVE-2017-15671)

Conditions:
Not vulnerable

Impact:
There is no impact.

Workaround:
Not vulnerable

Fix:
Upgrade to the latest version.


694595 : Some process names may have last character truncated when viewing in iHealth

Component: TMOS

Symptoms:
qkview reads the contents of the /proc directory to obtain details about running processes on a BIG-IP system. Occasionally, it will drop the last character of the process name. This is observable when displaying process information on the iHealth service after uploading a qkview.

Conditions:
Always

Impact:
Minimal

Workaround:
Don't assume that every process name is complete.

Fix:
This has been fixed.


693966 : TCP sndpack not reset along with other tcp profile stats

Component: Local Traffic Manager

Symptoms:
The TCP sndpack stat is not properly reset when a tmsh reset-stats command is issued.

Conditions:
When tmsh reset-stats command is issued.
-- tmsh reset-stats /ltm profile tcp <profile-name>

Impact:
The TCP sndpack stat does not reset when the tmsh reset-stats command is issued.

Workaround:
There is no workaround.

Fix:
With this fix, the TCP sndpack stat resets when the tmsh reset-stats command is issued.


693901 : Active FTP data connection may change source port on client-side

Component: Local Traffic Manager

Symptoms:
The active FTP data connection on the client side may use a source port other than the one configured in the 'Data Port' parameter of the FTP profile.

Conditions:
FTP profile is attached to a virtual server and the 'Data Port' parameter is either left as default (20) or defined as a specific value.

Impact:
Active FTP data connection may be blocked by firewalls that expect a pre-defined source port.

Workaround:
None.

Fix:
Strict preserve-source-port mode is now applied to the active FTP data connection when the 'Data Port' parameter is defined. The source port mode of the control-plane FTP virtual server is used when the 'Data Port' parameter is set to 0.


693701 : Substitute value support on change password pages

Component: Fraud Protection Services

Symptoms:
On pages with more than one parameter configured with Substitute Value enabled, the system might set the same value on several fields even if their real values differ.

Conditions:
A page is configured with more than one parameter that has Substitute Value enabled.

Impact:
Those fields will contain the same value although their values should differ. That can break the application's client-side validation.

Workaround:
N/A

Fix:
The BIG-IP system sets the same value on fields only if their real values are equal.


693359 : AWS M5 and C5 instance families are supported

Component: TMOS

Symptoms:
AWS has announced support for M5 and C5 instance families. No previous BIG-IP Virtual Edition (VE) software supports these new AWS instance families.

Conditions:
Attempting to install pre-v14.0.0.1 VE software on M5 and C5 instance families.

Impact:
The system experiences a kernel panic and might crash.

Workaround:
None.

Fix:
All necessary components are added to support AWS M5 and C5 instance families.

Behavior Change:
No previous BIG-IP Virtual Edition (VE) software supports the newly announced AWS M5 and C5 instance families. Version 14.0.0.1 officially supports the AWS M5 and C5 instance families.


693244 : BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned

Component: Local Traffic Manager

Symptoms:
The BIG-IP system silently drops the server-side TCP flow when it receives a client-side reset while the server-side flow is still in the SYN-SENT state.

Conditions:
The BIG-IP system receives a client-side reset while the client-side TCP flow is in the ESTABLISHED state and the server-side TCP flow is in the SYN-SENT state; the server-side flow is silently dropped.

Impact:
Since the server-side pool member does not receive the RST, it remains in the SYN-RECEIVED state until it runs out of SYN retransmissions and eventually, due to timeout, returns to the LISTEN state.

Fix:
The BIG-IP system resets the server-side TCP flow with a RST when it receives a client-side reset while the server-side flow is still in the SYN-SENT state.


692890 : Adding support for BIG-IP 800 in 13.1.x

Component: TMOS

Symptoms:
Installing software version 13.1.0 fails on BIG-IP 800.

# tmsh show sys soft


---------------------------------------------------------
Sys::Software Status
Volume  Product  Version  Build     Active  Status
---------------------------------------------------------
HD1.1   BIG-IP   13.1.0   0.0.1868  no      failed (Failed to install.)
HD1.2   BIG-IP   13.0.0   0.0.1645  yes     complete
HD1.3   BIG-IP   11.6.0   0.0.401   no      complete

---------------------------
Sys::Software Update Check
---------------------------
  Check Enabled      true
  Phonehome Enabled  true
  Frequency          weekly
  Status             none
  Errors             0

The system logs the following messages in /var/log/liveinstall.log:

info: Hardware is lm capable
info: System is lm capable
info: Adding application-package ltm7-application/noarch to transaction.
info: Adding application-package ros7-application/noarch to transaction.
info: Adding application-package sam-main/noarch to transaction.
info: Adding application-package sum-application/noarch to transaction.
info: Adding application-package ts-application/noarch to transaction.
info: Adding application-package wa-master/noarch to transaction.
info: Adding application-package (lm) woc-application-lm/noarch to transaction.
error: Product has no root package for Mercury
error: couldn't get package list file for LTM.ROS.SAM.SUM.TS.WA.WOC group Terminal error: Failed to install.
*** Live install end at 2018/01/02 13:29:45: failed (return code 255) ***

Conditions:
-- Installing/upgrading to v13.1.x.
-- Using the BIG-IP 800 platform.

Impact:
Install/upgrade will fail.

Workaround:
None.

Fix:
Installation now completes successfully on the BIG-IP 800 platform.


692753-5 : shutting down trap not sent when shutdown -r or shutdown -h issued from shell

Component: TMOS

Symptoms:
The shutting-down trap is not sent when shutdown -r or shutdown -h is issued from the shell.

Conditions:
When a user accesses the Linux shell and issues "shutdown -h" or "shutdown -r", the BIG-IP system does not send the shutting-down trap.

Impact:
None.
Since this is a user-triggered command, the user is aware of the shutdown event, so the lack of a trap is not critical.

Workaround:
None

Fix:
The shutdown trap is sent when a user issues "shutdown -r" or "shutdown -h" from the Linux shell.


692158 : iCall and CLI script memory leak when saving configuration

Component: TMOS

Symptoms:
Whenever an iCall script or CLI script saves the configuration, the scriptd process on the device leaks memory.

Conditions:
Use of iCall or CLI scripts to save the configuration.

Impact:
Repeated invocation might cause the system to run out of memory eventually, causing tmm to restart and disrupting traffic.

Workaround:
There is no workaround other than not saving the configuration from iCall or CLI scripts.

Fix:
The scriptd process on the device no longer leaks memory when iCall and CLI scripts are used to save the configuration.


691757-2 : OpenSSH vulnerability CVE-2017-15906

Solution Article: K89621551


691749 : Delete sys connection operations cannot be part of TMSH transactions

Component: TMOS

Symptoms:
TMSH operations that delete sys connection cannot be part of transactions. Once the TMSH transaction is submitted, TMSH freezes up if a 'delete sys connection ...' command is included.

Conditions:
Include delete sys connection operations in TMSH transactions.

Impact:
TMSH freezes up and transactions do not complete.

Workaround:
Only use tmsh delete sys connection outside of TMSH transactions.

Fix:
Delete sys connection operations can be part of TMSH transactions. TMSH no longer freezes up.


691054 : Incorrect BIGIP_GTMD_SERVER_NOIP_SNMP_STATUS_CHANGE_WHY_X SNMP message when deleting server with IP address.

Component: Global Traffic Manager (DNS)

Symptoms:
Incorrect BIGIP_GTMD_SERVER_NOIP_SNMP_STATUS_CHANGE_WHY_X SNMP message when deleting server with IP address.

Conditions:
When deleting a GTM server with 0 < num_boxes (that is, a server that has an IP address), the SNMP message sent used the OID ".1.3.6.1.4.1.3375.2.4.0.157", corresponding to BIGIP_GTMD_SERVER_NOIP_SNMP_STATUS_CHANGE_WHY_X (meant for servers with no IP), while it should have used OID ".1.3.6.1.4.1.3375.2.4.0.57", which corresponds to BIGIP_GTMD_SERVER_SNMP_STATUS_CHANGE_WHY_X (for servers with an IP).

Impact:
Incorrect OID-to-status mapping, causing incorrect SNMP messages.

Workaround:
None

Fix:
None


690631 : Add Legal / Illegal column to ASM reporting charts page

Component: Application Visibility and Reporting

Symptoms:
The Details table, located under the chart on the "Security >> Reporting : Application : Charts" page, does not show Legal vs. Illegal requests out of the total number of requests reported. Users have to drill down further or use additional filters.

Conditions:
1. AVR and ASM provisioned
2. At least one ASM Security Policy defined and active

Impact:
Visual change only: the table on this page now shows three columns, "Legal / Illegal / Request", instead of only "Request" previously.

Workaround:
Drill down into each item (Security Policy, Client-IP, etc.) to check the Legal / Illegal requests.

Fix:
The Details table, located under the chart on the "Security >> Reporting : Application : Charts" page will show two additional columns per selected report:
1. Legal - requests that were not marked as illegal by the security policy.
2. Illegal - requests that were marked as illegal by the security policy.

The previously unchanged column named "Request" still shows the total number of requests per selected report.


689879 : No support for AppScan mitigation of Cross-Site Scripting on URLs

Component: Application Security Manager

Symptoms:
Imported vulnerabilities from IBM AppScan for Cross-Site Scripting on URLs are not mitigated correctly.

Conditions:
Vulnerabilities from IBM AppScan for Cross-site Scripting on URLs are imported.

Impact:
Vulnerabilities are not mitigated correctly.

Workaround:
As a workaround, enforce signatures on the policy for 'Cross-Site Scripting' on URLs.

Fix:
URL signatures for cross-site scripting are now associated with the policy (and enforced via URL '*').


689776 : Misuse of LB::reselect in LB_FAILED event

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system fails to select a pool member, it provides an option to address the failure in an iRule. There are a few alternative commands to resolve the failure. These commands must be used separately. Combining them may result in connection reset or tmm restarts.

Conditions:
-- Virtual server has a configured iRule that includes both LB::reselect and HTTP::respond commands in the LB_FAILED event.
-- The event LB_FAILED is fired for a connection.

Impact:
The BIG-IP system might reset the connection, generate two HTTP responses, or result in a tmm restart. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not to use the HTTP::respond command after the LB::reselect command in the LB_FAILED event.

Fix:
The BIG-IP system now generates an error during execution of HTTP::respond commands if an LB::reselect command was performed and reset a connection.


689702 : GNUTLS Vulnerabilities

Solution Article: K31336596


689700 : NSS vulnerability CVE-2017-7805

Component: TMOS

Symptoms:
A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application. (CVE-2017-7805)

Conditions:
A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application.

Impact:
There is no impact; F5 products are not affected by this vulnerability.

Workaround:
There is no impact.

Fix:
Upgrade to the latest version.


689491-1 : cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled

Component: TMOS

Symptoms:
CPU usage stats are incorrect, and the system looks idle when it is actually busy.

Conditions:
vCMP guests with 1 core, or with htsplit disabled.

Impact:
CPU stats are incorrect, which might make it difficult to troubleshoot problems.


689465 : Multiple Java Vulnerabilities

Solution Article: K15518610


689463 : OpenSSH security update

Solution Article: K14845276


689328 : Incremental discovery reports empty results when the uri query parameter begins with '/'

Component: TMOS

Symptoms:
Incremental discovery reports empty results when the uri has iControl (iCRD) version as query parameter.

Conditions:
For Bulk-API discovery only.
"URIS" attribute contains link with version:
{
    "startDateTime": "2017-10-18T15:43:53Z",
    "uris": [
        "/mgmt/tm/security/firewall/port-list?ver=13.1.0"
    ],
    "timeoutSeconds": 1200
}

Impact:
No result is returned.

Workaround:
If your version is the most recent, do not use the version parameter.

Fix:
Incremental discovery now works with URIs beginning with a '/'.

Behavior Change:
Incremental discovery now works with URIs beginning with a '/'.


688651 : ActiveX/Java based RDP resources are deprecated

Component: Access Policy Manager

Symptoms:
APM Webtop's ActiveX/Java based RDP resources are deprecated and will be removed in future releases.

Conditions:
ActiveX/Java based RDP resources are published on the APM Webtop.

Impact:
APM Webtop ActiveX/Java based RDP resources are deprecated and will be removed in future releases.

Workaround:
Use Native RDP resources.

Fix:
APM Webtop ActiveX/Java based RDP resources are deprecated and will be removed in next release. We recommend using Native RDP resources (Client Type - Native) instead.


688553 : SASP GWM monitor may not mark member UP as expected

Component: Local Traffic Manager

Symptoms:
Pool members monitored by the SASP monitor may be incorrectly marked DOWN when they should be marked UP.

Conditions:
This may occur on affected BIG-IP versions when using the SASP monitor targeting a Load Balancing Advisor GWM (Global Workload Manager).

This is more likely to occur if pool members monitored by the SASP monitor are also monitored by an additional monitor which has marked the members DOWN, or if one or more pool members monitored by the SASP monitor have been manually marked down (state user-down via tmsh, or Disabled in the GUI).

This is not expected to occur with non-affected BIG-IP versions or when using the SASP monitor targeting a Lifeline GWM (Global Workload Manager).

Impact:
Traffic handled by pool members monitored by the SASP monitor may be disrupted.

Workaround:
Removing the SASP monitor from the pool or pool member configuration then re-adding the SASP monitor may reset the pool member status to the correct state.


688516 : vCMPd may crash when processing bridged network traffic

Solution Article: K03165684


688335 : big3d may restart in a loop on secondary blades of a chassis system

Solution Article: K00502202

Component: Global Traffic Manager (DNS)

Symptoms:
After big3d_install is run against a target system, and this target system is a multi-blade chassis, the big3d utility may begin restarting in a loop on all secondary blades of the target system. The primary blade is not affected; there, big3d continues to run stably.

Conditions:
The following conditions are required to encounter this issue:

-- The big3d_install utility is used against a target system.
-- The target system is a multi-blade chassis.
-- The big3d_install utility picks the iQuery installation method (and not the SSH one).
-- The big3d_install utility incorrectly determines that the local version of the big3d utility should be copied to the remote system.

Impact:
big3d does not typically do anything on secondary blades, so this issue should have no immediate material impact.

However, should the cluster elect a new primary blade, and should big3d still be restarting on that blade, this could cause iQuery communication failures between that system and remote BIG-IP systems.

Workaround:
To stop secondary blades from restarting, manually restart big3d on the primary blade using the following command:
 bigstart restart big3d

To prevent this issue from happening, you can run the big3d_install by specifying that the SSH installation method be used using the following command:
 big3d_install -use_ssh <target IP>

Fix:
big3d no longer restarts in a loop on secondary blades of a chassis system.


685968 : PEM Gx/Gy/Sd sessions ignore DIAMETER_TOO_BUSY result code from PCRF/OCS

Component: Policy Enforcement Manager

Symptoms:
PEM sessions ignore the DIAMETER_TOO_BUSY result code for any CCR request from the PCRF/OCS.

Conditions:
The PCRF/OCS responds with the DIAMETER_TOO_BUSY result code.

Impact:
PEM Gx/Gy/Sd sessions retry CCR requests towards the PCRF/OCS.

Fix:
PEM Gx/Gy/Sd sessions do not retry the CCR request if the DIAMETER_TOO_BUSY result code is received.


685582 : Incorrect output of b64 unit key hash by command f5mku -f

Component: TMOS

Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.

Conditions:
Viewing output of 'f5mku -f' command.

Impact:
Inconsistent output of the b64 unit key.

Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:

 f5mku -vf

For example:

# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...

Fix:
The unit key hash is now the correct length and is consistent upon each 'f5mku -f' command.


685383 : Collect bigip.license files in qkview

Component: TMOS

Symptoms:
bigip.license files are not collected in qkview, which can make diagnostics difficult.

Conditions:
Collecting qkview in all conditions.

Impact:
F5 Support might have difficulty diagnosing an issue if the license information is not present.

Workaround:
Send license files separately from qkviews.

Fix:
bigip.license files are collected in qkview.


685021 : A cold faulted SSD drive may assert the BIOS causing a failure to boot

Component: TMOS

Symptoms:
When the BIOS attempts to send the freeze-lock command to a drive that has a SMART failure of attribute 202, the BIOS asserts and fails to continue booting. This freeze lock is attempted at the end of BIOS operation, just before handing off to the bootloader.

The SMART attribute 202 is named as "SSD Mode Status" in the SM863A data sheet and is described as follows: "The raw value indicates the current status of tantal capacitor health." These particular cold temperature failures are caused by damage to the tantalum capacitor used by the power loss protection circuitry inside the SSD.

Conditions:
An SSD with a SMART failure of 202.

Impact:
Failure to boot OS until the offending drive is removed.

Workaround:
Remove the faulted drive. This presumes the remaining drive has an OS installed.

Fix:
The BIOS has been updated to determine the SMART command failure type. If it is not a SMART 202 failure, the assert remains; if it is a SMART 202 failure, the BIOS does not assert and continues to boot.


684484 : Dereferenced NULL object causes core

Component: Access Policy Manager

Symptoms:
TMM generates a core when an object inside the Category Lookup agent fails to initialize correctly because the system is low on memory.

Conditions:
-- TMM low on memory.
-- Category Lookup agent in Access Per-Request Policy.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
None.


684096 : stats self-link might include the oid twice

Component: TMOS

Symptoms:
The object ID might be erroneously embedded in the self-link twice.

Conditions:
Query for stats such as https://<host>/mgmt/tm/ltm/pool/p1/stats.

Impact:
An incorrect self-link is returned.

Workaround:
Be mindful when parsing the self-link.


683540 : PEM will optimize out classification if possible.

Component: Policy Enforcement Manager

Symptoms:
This can occur with an unknown subscriber policy that doesn't have classification filters.
Since applying classification may impede performance significantly, there is an optimization rule that if the first policy applied to a flow doesn't have classification filters, classification for that particular flow will be optimized out. When this occurs, flows will remain unclassified for their lifetime. As a result of remaining unclassified, if PEM pushes some classification match policies to this flow, the policies will not get applied.

Conditions:
Global/unknown policies do not include any classification filter.

Impact:
In this scenario, classification match policies may not be applied to existing flows.

Workaround:
A simple workaround is to put an Any/Any classification filter in the global or unknown subscriber policy to enable classification for the flow at its early stage.


683241 : Improve CSRF token handling

Solution Article: K70517410

Component: Application Security Manager

Symptoms:
Under certain conditions, CSRF token handling does not follow current best practices.

Conditions:
CSRF is configured.

Impact:
CSRF token handling does not follow current best practices.

Workaround:
None.

Fix:
CSRF token handling now follows current best practices.


683113-1 : [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users

Solution Article: K22904904

Component: Access Policy Manager

Symptoms:
APM performance in handling HTTP requests drops gradually when Kerberos SSO is used over a period of time.

Websso CPU usage is very high.

The BIG-IP system response rate can drop to the point that clients disconnect after waiting for a response. The system logs error messages similar to the following: Failure occurred when processing the work item.

Conditions:
-- Running APM.
-- A large number of APM end users (~20 KB) have logged on and are using Kerberos SSO.

Impact:
Increased latency of HTTP request processing.

Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.

Fix:
Improvements to the krb5 library have been implemented for better scalability, so the latency of HTTP request processing has been significantly improved.


682369 : Inserting an un-powered PSU and then removing the un-powered PSU puts the BMC into an incorrect PSU status state.

Component: TMOS

Symptoms:
Inserting an un-powered PSU and then removing the un-powered PSU puts the BMC into an incorrect PSU status state.

Once in this PSU incorrect status state, the BMC reports an input-lost alert on every subsequent host reboot until the PSU is re-installed, or the BMC is reset.

Conditions:
-- System is powered by a single PSU.
-- A second un-powered PSU is inserted and then removed.

Impact:
On every subsequent host reboot the system reports an input-lost alert for the not-present PSU in the ltm log, the LCD posts a warning, and the system alarm LED turns yellow.

Workaround:
Re-install the second PSU, reboot the AOM via the console AOM menu, or power cycle the platform.


682283 : Malformed HTTP/2 request with invalid Content-Length value is served against RFC

Component: Local Traffic Manager

Symptoms:
An HTTP/2 request can include a Content-Length header. When the value of the Content-Length header does not match the sum of the lengths of all DATA frames in the stream, the RFC requires that the system reset the stream.

Conditions:
-- A virtual server is configured with HTTP/2 profile.
-- The value of Content-Length header does not match the sum of lengths of all DATA frames from the stream.

Impact:
The BIG-IP system sends a request to a server and serves a provided response, which is not in conformance with the RFC.

Workaround:
None.

Fix:
Now, when a client sends a request over an HTTP/2 connection with a malformed HEADERS frame in which Content-Length does not match the payload size in DATA frames, the BIG-IP system correctly resets the stream with RST_STREAM frame.
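The check described above, as an added illustration that is not BIG-IP code: a small per-stream state machine that compares the declared Content-Length against the running sum of DATA frame payloads (padding excluded, per RFC 7540 section 8.1.2.6) and decides between forwarding, completing, and RST_STREAM. Frame and header structures, the sample request, and the verdict strings are constructed for this example.

```python
"""Validate an HTTP/2 request body against its Content-Length header.

Added illustration, not BIG-IP code. RFC 7540 section 8.1.2.6 makes a
request malformed when Content-Length does not equal the sum of the DATA
frame payload lengths; an intermediary must not forward it and treats it
as a stream error of type PROTOCOL_ERROR (RST_STREAM).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

END_STREAM = 0x1  # DATA/HEADERS flag bit from RFC 7540

Header = Tuple[str, str]


@dataclass
class DataFrame:
    """One DATA frame after HTTP/2 framing has been decoded.

    `payload` is the application data only; padding (PADDED flag) has
    already been stripped, because the RFC compares Content-Length against
    payload lengths, not the padded frame length.
    """
    payload: bytes
    flags: int = 0


@dataclass
class StreamState:
    content_length: Optional[int]   # None when no Content-Length was sent
    received: int = 0               # bytes of DATA payload seen so far
    verdict: str = "CONTINUE"       # CONTINUE, COMPLETE or RST_STREAM


def parse_content_length(headers: List[Header]) -> Optional[int]:
    """Extract Content-Length from the decoded HEADERS block.

    Non-numeric or conflicting duplicate values also make the request
    malformed, so they raise ValueError (mapped to RST_STREAM below).
    """
    values = {v.strip() for k, v in headers if k.lower() == "content-length"}
    if not values:
        return None
    if len(values) != 1 or not next(iter(values)).isdigit():
        raise ValueError("malformed content-length")
    return int(values.pop())


def on_headers(headers: List[Header], flags: int) -> StreamState:
    """Open a stream from its HEADERS frame.

    END_STREAM on HEADERS means the body is empty, so a non-zero
    Content-Length can already be rejected at this point.
    """
    try:
        length = parse_content_length(headers)
    except ValueError:
        return StreamState(content_length=None, verdict="RST_STREAM")
    state = StreamState(content_length=length)
    if flags & END_STREAM:
        state.verdict = "RST_STREAM" if length not in (None, 0) else "COMPLETE"
    return state


def on_data(state: StreamState, frame: DataFrame) -> StreamState:
    """Feed one DATA frame and update the verdict.

    Excess data is rejected as soon as the declared length is exceeded, so
    the proxy need not buffer the whole body first; a short body can only
    be detected once END_STREAM arrives.
    """
    if state.verdict != "CONTINUE":
        return state  # stream already decided; ignore further frames
    state.received += len(frame.payload)
    declared = state.content_length
    if declared is not None and state.received > declared:
        state.verdict = "RST_STREAM"   # body longer than Content-Length
    elif frame.flags & END_STREAM:
        if declared is None or state.received == declared:
            state.verdict = "COMPLETE"
        else:
            state.verdict = "RST_STREAM"   # body shorter than Content-Length
    return state


def check_stream(headers: List[Header], header_flags: int,
                 frames: List[DataFrame]) -> str:
    """Run a whole stream through the state machine; return the final verdict."""
    state = on_headers(headers, header_flags)
    for frame in frames:
        state = on_data(state, frame)
    return state.verdict


# Constructed sample request (not captured from a BIG-IP).
REQUEST_HEADERS: List[Header] = [
    (":method", "POST"), (":path", "/upload"), (":scheme", "https"),
    (":authority", "example.test"), ("content-length", "10"),
]

if __name__ == "__main__":
    good = [DataFrame(b"hello"), DataFrame(b"world", END_STREAM)]
    short = [DataFrame(b"hello", END_STREAM)]
    long_ = [DataFrame(b"hello"), DataFrame(b"world!!", END_STREAM)]
    for name, frames in (("good", good), ("short", short), ("long", long_)):
        print(name, check_stream(REQUEST_HEADERS, 0, frames))
```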


681009 : Large configurations can cause memory exhaustion during live-install

Component: TMOS

Symptoms:
System memory can be exhausted, and the kernel will kill processes as a result.

Conditions:
During live-install, if configuration roll-forward is enabled, and the compressed configuration size is of a similar order of magnitude as total system memory.

Impact:
The kernel will kill any number of processes; any/all critical applications could become non-functional.

Workaround:
Make sure there are no unintended large files included in the configuration. Any file stored under /config is considered part of the configuration.

If the configuration is, as intended, on the same order of magnitude as total system memory, do not roll it forward as part of live install. Instead, save it manually and restore it after rebooting to the new software.

To turn off configuration roll-forward: setdb liveinstall.saveconfig disable

To save/restore the configuration manually, see
https://support.f5.com/csp/article/K13132


680671 : Support for Thales Security World version 12.40.2

Component: Local Traffic Manager

Symptoms:
Support for Thales NetHSM client software "Thales Security World version 12.40.2".

Conditions:
Thales NetHSM client software "Security World version 12.40.2" is supported from BIG-IP release 14.1.0 onwards.

Impact:
Releases prior to BIG-IP version 14.1.0 do not support NetHSM client software "Thales Security World version 12.40.2".

Workaround:
Use BIG-IP version 14.1.0 or later.

Fix:
Thales NetHSM client software "Thales Security World version 12.40.2" is supported from BIG-IP release 14.1.0 onwards.


678872 : Inconsistent behavior for virtual-address and selfip on the same ip-address

Component: Local Traffic Manager

Symptoms:
Inconsistent ICMP/ARP behavior for self IP address or virtual-address when virtual-address and self IP address have the same IP address.

Conditions:
-- Virtual-address and self IP address have the same IP address.
-- Virtual-address ICMP and ARP disabled.

Impact:
ICMP echo reply and ARP for the IP address might be inconsistent. Self IP address might override the ARP setting of a virtual address.

Workaround:
No workaround.

Fix:
This implements an initialization-order-independent set of rules for deciding whether a particular IP address should have ARP/ICMP enabled when multiple virtual addresses (vaddrs) match it. The lookup is performed from the finest netmask to the coarsest netmask. If no vaddr matches for a particular netmask, the next coarser netmask is looked up. Otherwise, if any matching vaddr for that netmask has ARP/ICMP enabled, the IP address has ARP/ICMP enabled; if none of the matching vaddrs for that netmask has ARP/ICMP enabled, the IP address has ARP/ICMP disabled.

The rule above has one exception, due to performance optimizations: if a vaddr has both ARP and ICMP disabled, the vaddr is considered deleted.
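The rule set above, as an added Python model that is not F5 code: each vaddr carries a network, an ARP flag and an ICMP flag; resolve() walks the netmasks present in the configuration from finest to coarsest, treats a vaddr with both flags disabled as deleted, and returns the decision for one IP address. The VAddr type, the resolve() function and the sample configuration are assumptions made for the example; the decision rules themselves come from the text.

```python
"""Added example (not F5 code): a model of the initialization-order-independent
ARP/ICMP decision for overlapping virtual addresses (vaddrs).

The vaddr entries are constructed sample data; the rules (finest netmask first,
any enabled vaddr at that netmask wins, both-disabled means deleted) follow the
fix description above. Names are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class VAddr:
    network: str   # e.g. "10.0.0.5/32" (host vaddr) or "10.0.0.0/24" (wildcard vaddr)
    arp: bool
    icmp: bool

    @property
    def net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.network, strict=False)

    @property
    def deleted(self) -> bool:
        # Exception from the text: both ARP and ICMP disabled => vaddr treated as deleted
        return not self.arp and not self.icmp


def resolve(ip: str, vaddrs: Iterable[VAddr], attr: str) -> bool:
    """Return whether `attr` ("arp" or "icmp") is enabled for `ip`.

    Netmasks are visited from the finest (longest prefix) to the coarsest.
    A netmask with no matching live vaddr is skipped. The first netmask with a
    match decides: True if any matching vaddr has the attribute enabled, else
    False. If nothing matches at all, the attribute is disabled.
    """
    if attr not in ("arp", "icmp"):
        raise ValueError("attr must be 'arp' or 'icmp'")
    addr = ipaddress.ip_address(ip)
    vaddrs = list(vaddrs)
    # Sorting by prefix length makes the answer independent of configuration order
    for plen in sorted({v.net.prefixlen for v in vaddrs}, reverse=True):
        matching = [v for v in vaddrs
                    if v.net.prefixlen == plen and not v.deleted and addr in v.net]
        if not matching:
            continue  # nothing at this netmask: look up the next coarser one
        return any(getattr(v, attr) for v in matching)
    return False


# Constructed sample configuration
VADDRS = [
    VAddr("10.0.0.0/24", arp=True, icmp=True),    # coarse wildcard vaddr
    VAddr("10.0.0.5/32", arp=False, icmp=True),   # host vaddr: ARP off, ICMP on
    VAddr("10.0.0.5/32", arp=False, icmp=False),  # both disabled -> treated as deleted
    VAddr("10.0.0.0/28", arp=False, icmp=True),   # covers 10.0.0.0 - 10.0.0.15
]

if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.9", "10.0.0.200", "192.168.1.1"):
        print(ip, "arp=%s icmp=%s" % (resolve(ip, VADDRS, "arp"), resolve(ip, VADDRS, "icmp")))
```

Reversing the order of VADDRS gives the same answers, which is the property the fix introduces; the deleted /32 entry never participates, so it cannot mask the live /32 entry for the same address.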


678460-1 : HTTP 302 Redirect status text is HTTP-version dependent

Component: Local Traffic Manager

Symptoms:
When using the HTTP::redirect iRule command, the response begins with the following status line:
   HTTP/1.0 302 Found

This could be considered non-RFC compliant, since the HTTP version is 1.0, but the status text is correct for HTTP/1.1.

For strict RFC compliance:
-- HTTP/1.0 responses should specify status text 'Moved Temporarily' (RFC 1945 Section 9.3).
-- HTTP/1.1 responses should specify 'Found' (RFC 7231 Section 6.4.3).

Conditions:
When using an iRule similar to the following:
    HTTP::redirect
    redirect

Impact:
Clients should be relying upon the numeric HTTP status code, and not the status text that follows, so in theory, there should be no impact. However, those clients which use the status text for processing decisions must be ready to handle status text that doesn't match the specified HTTP version.

Workaround:
None.

Fix:
The HTTP::redirect status text is now consistent with the HTTP version of the response.


677841 : Server SSL TLS session reuse with changed SNI uses incorrect session ID

Component: Local Traffic Manager

Symptoms:
If an iRule changes the SNI, the wrong session ID is retrieved (the one cached for the original SNI).

Conditions:
Occurs when SNI is being modified by an iRule to an SNI that is different from the one specified in the server SSL profile.

Impact:
Connection may be rejected by the client if checking at the client occurs (Apache commonly does this). If the client finds that the SNI does not match the SNI in the session information, the connection may be rejected.

Workaround:
Disable SSL session cache. This has the side effect of reducing performance.


677709-1 : pkcs11d daemon can generate a very large number of log messages

Component: Local Traffic Manager

Symptoms:
If communication between a BIG-IP instance and the Hardware Security Module (HSM) is interrupted, the TMOS pkcs11d daemon logs many error messages in the /var/log/ltm log file (or in daemon.log for earlier versions) during its attempts to re-establish the connection.

Messages appear similar to the following:
-- err pkcs11d[21325]: 01680002:3: Session initialization error.
-- err pkcs11d[21325]: 01680032:3: netHSM: PKCS11d stopped. Verify password, and restart PKCS11d.
-- err pkcs11d[21325]: 01680029:3: netHSM: Failed login: password[incorrect]. Error[160].

Conditions:
-- Configurations employing an external HSM.
-- Communication between the BIG-IP instance and the HSM is interrupted.

Impact:
A sufficiently large amount of log-message handling may consume processor time and I/O resources, to the detriment of other processing.

Workaround:
None.

Fix:
pkcs11d daemon no longer generates a large number of log messages under these conditions.


677457-1 : HTTP/2 Gateway appends semicolon when a request has one or more cookies

Solution Article: K13036194

Component: Local Traffic Manager

Symptoms:
With an HTTP/2 profile, a virtual server on a BIG-IP system receives requests and handles cookies by converting them into a cookie-string. The BIG-IP system concatenates the cookie pairs with a semicolon (%3B) and a space (%20) in the cookie-string. This delimiter pair is also appended after the last cookie pair.

Conditions:
HTTP/2 profile is configured on a virtual server and a request contains one or more cookies.

Impact:
The request forwarded to a backend server contains an extra semicolon at the end of cookie-string.

Workaround:
Use an iRule to remove an extra delimiter if it negatively impacts backend server performance.

For example:

when HTTP_REQUEST {
    # Strip the trailing "; " only when it is actually present, so a
    # well-formed cookie-string is never truncated
    if { [HTTP::header value "Cookie"] ends_with "; " } {
        set new_header [string range [HTTP::header value "Cookie"] 0 end-2]
        log local0.notice "$new_header"
        HTTP::header replace "Cookie" $new_header
    }
}

Fix:
A virtual server with an HTTP/2 profile no longer appends an extra delimiter to the cookie-string when it forwards the request to an HTTP/1.x backend server.


677285 : The documentation for SSL::sni is ambiguous

Component: Local Traffic Manager

Symptoms:
The existing documentation for the iRule 'SSL::sni name' is ambiguous. There is insufficient context to determine the source of the result: the attached profile, or the ClientHello, or even another source.

Conditions:
The iRule 'SSL::sni name' is used.

Impact:
Insufficient information to determine the source of the result.

Workaround:
None.

Fix:
The documentation for the iRule 'SSL::sni name' now specifically states that the returned value comes from the active SSL profile.


677088 : BIG-IP tmsh vulnerability CVE-2018-15321

Solution Article: K01067037


676432-1 : i5000/i10000 Series platform serial console baud rate 38400 gets reset to 19200 after reboot

Component: TMOS

Symptoms:
i5000/i10000 Series platform serial console baud rate 38400 gets reset to 19200 after reboot.

Conditions:
-- Serial Console Baud Rate set to 38400.
-- i5000/i10000 Series platforms.
-- Reboot system.

Impact:
The baud rate becomes 19200 (the default) after reboot. Cannot set console baud-rate to 38400.

Workaround:
You can use either of the following workarounds:

-- Do not set 38400 as the baud rate. F5 does not recommend using 38400 baud rate on i5000/i10000 Series platforms.

-- Disable auto-baud detection by replacing a line in /sbin/agetty_serial, as follows:

Edit /sbin/agetty_serial to replace this line:
args="-L ${1} 0 ${3}"

with this line:
args="-8 -L ${1} ${2} ${3}"

Fix:
i5000/i10000 Series platform serial console baud rate 38400 no longer gets reset to 19200 after reboot.


676346 : PEM displays incorrect policy action counters when the gate status is disabled.

Component: Policy Enforcement Manager

Symptoms:
Action counters are incorrect.

Conditions:
PEM policy actions are enabled with a gate status of disabled.

Impact:
May provide an inconsistent view of PEM actions.

Workaround:
There is no workaround.

Fix:
Counters are managed correctly regardless of the gate status.


676026 : Add support for more profiles with the http-transparent profile.

Component: Local Traffic Manager

Symptoms:
Some profiles were prevented from being configured on a virtual server together with the http-transparent profile, even though they were not incompatible with it.

Conditions:
The http-transparent profile is attached to a virtual server, and an attempt is made to use the following profiles on the same virtual server:

clientssl, serverssl, oneconnect, http-security (psm).

Impact:
The affected profiles could not be used together with http-transparent.

Fix:
The validation for the http-transparent profile is now more lenient; it allows additional profiles on the same virtual server that were previously rejected.

Behavior Change:
Extra profiles are now allowed to be configured on a virtual server with an http-transparent profile.

These include: clientssl, serverssl, oneconnect, and http security (psm) profiles.

Previously, the addition of these profiles would be disallowed via validation.


675673 : Policy history files should be limited by settings in a configuration file.

Component: Application Security Manager

Symptoms:
The /var directory is filling up with many policy history files.

Conditions:
This can occur during normal ASM operation under high load.

Impact:
/var runs out of space.

Workaround:
You can manually delete old history files:
Go to Security ›› Application Security : Policy : History and delete history files.

Fix:
Added automatic cleanup of history files according to the configured maxSizeOfSavedVersions and minRetainedFilesInDir settings.


675311 : Introduce a user-input timeout to Vconsole

Component: TMOS

Symptoms:
Before this change, a user could idle a vconsole (telnet) connection to a guest, and that connection would remain active indefinitely.

Conditions:
A vCMP host administrator has connected to a guest using the vconsole program.

Impact:
This change adds a timeout setting to the vconsole tool.
The timeout setting is held in the sys db variable vcmp.guest.console.timeout.
A wrapper program, texec, uses a pty to monitor user I/O on the command line.
If no I/O is observed on the pty for timeout seconds, the program forked by texec is terminated.

Fix:
If I/O is not observed on the pty after timeout seconds, then the program forked by texec is terminated.


674591 : Packets with payload smaller than MSS are being marked to be TSOed

Solution Article: K37975308

Component: Local Traffic Manager

Symptoms:
Packets with a length less than the specified MSS are sent as TSO packets, and the Broadcom NIC drops them, which degrades performance.

Conditions:
When TM.TcpSegmentationOffload is enabled, packets with a length less than the MSS are sent as TSO packets.

Impact:
TCP Packets are dropped.

Workaround:
Disable TSO by setting the SYS DB variable TM.TcpSegmentationOffload to disable.

Fix:
Packets less than MSS are not sent as TSO packets, so there is no performance degradation.


674486-1 : Expat Vulnerability: CVE-2017-9233

Component: TMOS

Symptoms:
An infinite-loop vulnerability caused by malformed XML in an external entity was found in the entityValueInitProcessor function, affecting Expat versions 2.2.0 and earlier.

Conditions:
Version of expat in use on BIG-IP is v2.2.0 or earlier.

Impact:
BIG-IP is vulnerable to CVE-2017-9233 via the administrative interface.

Fix:
Expat updated to v2.2.0 or later


674455-3 : Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS

Component: TMOS

Symptoms:
When booted into the Maintenance OS image from the grub boot menu, running tmidiag -r drops the serial console from the grub kernel line, which causes a loss of communication on the serial console after rebooting.

Conditions:
-- Booted into Maintenance OS.
-- Running the command: tmidiag -r

Impact:
Serial console baud rate settings are incorrect; the console uses the BIOS baud rate.

Workaround:
When booting, edit the grub kernel line to include console=ttyS0.

Note: The value is "tty", an uppercase "S" character, and zero, so ttyS0.

Fix:
tmidiag has been fixed to not strip out console=ttyS0.


674256-4 : False positive cookie hijacking violation

Solution Article: K60745057

Component: Application Security Manager

Symptoms:
A false positive cookie hijacking violation.

Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with a higher domain level than the configured one.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.

Impact:
False positive violation / blocking.

Workaround:
The cookie hijacking violation is almost never relevant when the Device ID feature is turned off, as it can then detect only cases where some of the TS cookies were taken. The suggestion is to turn off this violation.


673238 : GUI Dashboard export history may have inconsistent time intervals

Component: TMOS

Symptoms:
When choosing to export a week-long report from the GUI Dashboard, the generated CSV history file may at times show statistics with a 26-minute interval between each row, and at other times show statistics with a 30-minute interval between rows.

Conditions:
This behavior depends on the time of day the report is generated.

Impact:
This is only a cosmetic issue. The statistics are still averaged out correctly over the interval returned in the CSV file.

Workaround:
There is no workaround at this time.


672312 : IP ToS may not be forwarded to serverside with syncookie activated

Component: Local Traffic Manager

Symptoms:
IP ToS field may not be preserved on forwarding in a FastL4 virtual server when syncookie is activated.

Conditions:
-- FastL4 ip-forwarding virtual server.
-- ToS in passthrough mode.
-- Syncookie is activated in hardware mode.
-- On a hardware platform with ePVA.

Impact:
IP ToS header is not forwarded to the serverside.

Workaround:
None.

Fix:
The BIG-IP system now forwards IP ToS in syncookie mode.


671712-1 : The values returned for the ltmUserStatProfileStat table are incorrect.

Component: TMOS

Symptoms:
An SNMP table entry intermittently comes back incorrect. Specifically, an LTM profile user statistic value is returned with an OID that is off by one in the table.

Conditions:
A statistics profile is attached to a virtual server with an iRule that increments statistics on the profile. The SNMP walk of the table created by the statistics profile intermittently returns the values shifted up one OID such that the last row is zero and the first row is lost. A subsequent request is correct.

Impact:
Incorrect data returned in SNMP walk of LTM profile table.

Workaround:
The statistics themselves are kept correctly and can be accessed without using SNMP.

Fix:
The values in the ltmUserStatProfileStat table are always correct.


670528 : Warnings during vCMP host upgrade.

Solution Article: K20251354

Component: TMOS

Symptoms:
- Log message repeats every 5 seconds in /var/log/ltm
     slot<#>/<host> warning vcmpd[<pid>]: 01510005:4: Failed to find value for enum::cli_id (ha_feature_t::provisioning-failed).

Conditions:
- Configure vCMP host in 12.1.x or 11.6.x.
- Deploy 13.x guest.
- Monitor /var/log/ltm.

Impact:
Warning message displayed every 5 seconds.

Workaround:
Run the following command:
 tmsh create sys log-config filter stop_vcmpd_log message-id 01510005 publisher none


670048 : Failure to retrieve large number of Bot Defense log records

Component: Application Visibility and Reporting

Symptoms:
Due to resource limitations, when the device stores almost one million records of Bot Defense logs, attempting to review them in the GUI or in REST API fails.

Conditions:
-- One million records of Bot Defense log records on the device.
-- Attempting to review them in the GUI or in REST API.

Impact:
Failure to view Bot Defense logs.

Workaround:
Send Bot logs to an external logger.


669585 : The tmsh sys log filter is unable to display information in uncompressed log files.

Component: TMOS

Symptoms:
You notice missing log information when reviewing system logs using the tmsh show sys log command.

Conditions:
One or more of the BIG-IP system backup log files, designated with .1, .2, etc., are not compressed.
Note: Backup log files should end with the .gz extension. For example, ltm.1.gz.
You use the tmsh show sys log command to view log information for one or more days in the past.

Impact:
Unable to view the full range of backup log information.

Workaround:
Log in to the Advanced shell (bash).
To ensure all backup logs for a particular log type are compressed, use the following command syntax:

gzip /var/log/<log>.*

For example, to compress the full set of backup logs for the ltm log type, type the following command:

gzip /var/log/ltm.*

Note: The following message is expected for any log file that is already compressed: gzip: /var/log/<log>.gz already has .gz suffix -- unchanged

Fix:
The log reading mechanism is now more flexible: it looks for both compressed (ending in .gz) and uncompressed (ending in .#) log files.
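The behaviour the fix describes, reading both compressed and uncompressed backups in order, as an added Python example that is not F5 code: rotated_files() matches both <log>.N and <log>.N.gz, read_history() returns the lines oldest-first, and build_sample_dir() creates a constructed mix of both forms in a temporary directory. The function names and the sample log content are assumptions made for this example.

```python
"""Added example (not F5 code): read a log's rotated backups whether or not
they were compressed.

Rotated files are <log>.N (uncompressed) or <log>.N.gz (compressed); a higher N
is older. The sample directory is constructed here so the example runs offline.
"""
import gzip
import re
import tempfile
from pathlib import Path
from typing import List, Tuple


def rotated_files(log_dir: str, log_name: str) -> List[Tuple[int, Path]]:
    """Return (N, path) for every <log_name>.N or <log_name>.N.gz, sorted by N ascending."""
    pattern = re.compile(r"^" + re.escape(log_name) + r"\.(\d+)(\.gz)?$")
    found = {}
    for p in Path(log_dir).iterdir():
        m = pattern.match(p.name)
        if not m:
            continue  # not a rotation of this log (e.g. ltm.bak, ltm2.1)
        n = int(m.group(1))
        # If both ltm.1 and ltm.1.gz exist (interrupted gzip), prefer the compressed copy
        if n not in found or p.suffix == ".gz":
            found[n] = p
    return sorted(found.items())


def read_log(path: Path) -> List[str]:
    """Read one log file, transparently decompressing .gz files."""
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as f:
        return [line.rstrip("\n") for line in f]


def read_history(log_dir: str, log_name: str) -> List[str]:
    """All lines from the oldest backup through the current log, in chronological order."""
    lines: List[str] = []
    for _, path in reversed(rotated_files(log_dir, log_name)):  # highest N first: oldest
        lines.extend(read_log(path))
    current = Path(log_dir) / log_name
    if current.exists():
        lines.extend(read_log(current))
    return lines


def build_sample_dir() -> str:
    """Constructed sample: mixed compressed and uncompressed backups of an 'ltm' log."""
    d = tempfile.mkdtemp()
    (Path(d) / "ltm").write_text("day0 current\n")
    (Path(d) / "ltm.1").write_text("day1 uncompressed\n")       # rotation that was never gzipped
    with gzip.open(Path(d) / "ltm.2.gz", "wt") as f:
        f.write("day2 compressed\n")
    (Path(d) / "ltm.3").write_text("day3 uncompressed\n")
    (Path(d) / "ltm.bak").write_text("not a rotated log\n")       # must be ignored
    (Path(d) / "ltm2.1").write_text("different log name\n")        # must be ignored
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for line in read_history(sample, "ltm"):
        print(line)
```

The pattern anchors on the exact log name followed by a dot, so ltm2.1 and ltm.bak are not mistaken for rotations of ltm, which is the same distinction the tmsh command has to make when it assembles a multi-day view.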


667618 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts

Component: TMOS

Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. TCP options that are not supported under SYN cookie protection continue to be unsupported until the system exits hardware SYN cookies.

Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.

Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.

Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options will not be taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.

Note that if no good traffic hits the virtual server, SYN cookies also fail to deactivate; they deactivate once both good traffic has been seen and the attack has ended.

Workaround:
There is no workaround at this time.

Fix:
Hardware SYN Cookies now immediately deactivate after the SYN attack ends and valid TCP traffic starts.


667486 : Update default tcp, f5-tcp-wan, f5-tcp-lan, and f5-tcp-mobile profiles.

Component: Local Traffic Manager

Symptoms:
The following options in the default tcp profile are changed to improve throughput.
From:
enhanced-loss-recovery disabled
fast-open disabled
init-cwnd 3
init-rwnd 3
proxy-buffer-high 49152
rate-pace disabled
send-buffer-size 65535
tail-loss-probe disabled

To:
enhanced-loss-recovery enabled
fast-open enabled
init-cwnd 10
init-rwnd 10
proxy-buffer-high 65535
rate-pace enabled
send-buffer-size 131072
tail-loss-probe enabled

The following option in the f5-tcp-wan, f5-tcp-lan, and f5-tcp-mobile profiles is changed:
From:
enhanced-loss-recovery disabled

To:
enhanced-loss-recovery enabled

Conditions:
When default tcp, f5-tcp-wan, f5-tcp-lan, or f5-tcp-mobile profile is used.

Impact:
Gain in throughput.

Workaround:
None.

Fix:
Options in the default tcp, f5-tcp-wan, f5-tcp-lan, and f5-tcp-mobile profiles are updated to improve throughput.

Behavior Change:
The following options in the default tcp profile are changed:
From:
enhanced-loss-recovery disabled
fast-open disabled
init-cwnd 3
init-rwnd 3
proxy-buffer-high 49152
rate-pace disabled
send-buffer-size 65535
tail-loss-probe disabled

To:
enhanced-loss-recovery enabled
fast-open enabled
init-cwnd 10
init-rwnd 10
proxy-buffer-high 65535
rate-pace enabled
send-buffer-size 131072
tail-loss-probe enabled

The following option in the f5-tcp-wan, f5-tcp-lan, and f5-tcp-mobile profiles is changed:
From:
enhanced-loss-recovery disabled

To:
enhanced-loss-recovery enabled


667111 : iRule event after source pick is complete and before setting up the server side flow

Component: Local Traffic Manager

Symptoms:
There is no iRule event after the source pick is complete and before setting up the server side flow.

Conditions:
Use iRule to modify the payload with source translation information.

Impact:
Cannot modify the payload with source translation information.

Workaround:
None.

Fix:
You can now use the SA_PICKED event to affect operations after source translation is completed and before server side flow is established.


666406-1 : rpcbind was removed from the BIG-IP

Solution Article: K62832776

Component: TMOS

Symptoms:
rpcbind was being installed on the BIG-IP system but is not used.

Conditions:
Normal install.

Impact:
No impact. The daemon was removed so that it does not require maintenance and upgrades.

Fix:
Since rpcbind is not used on the BIG-IP system, it was removed.


665331 : The wrong profile name is used for the HTTP header limits

Component: Local Traffic Manager

Symptoms:
The HTTP_PSM profile overrides the HTTP profile's limits for http headers. However, when the limit is exceeded, the HTTP profile name is used, rather than the HTTP_PSM profile name.

Conditions:
HTTP_PSM is used, together with differing limits between HTTP and HTTP_PSM on the maximum number of headers allowed.

Impact:
The log message generated when the header count is exceeded will be misleading.

Workaround:
None.

Fix:
The HTTP header count limit message now names the profile that the limit came from.


664650-4 : Real time encryption on non-password fields

Component: Fraud Protection Services

Symptoms:
Real-time encryption for non-password field when full-AJAX encryption is enabled.

Conditions:
1. Configure specific parameter with encryption enabled.
2. The page uses AJAX.
3. Change the configured parameter value in the page after it has been populated by the end user, and then submit the page.

Impact:
When malware changes the input value with JS code, the system sends this value instead of the RTE one.

Workaround:
None.

Fix:
The system now sends the real value from RTE in this case.


664618 : Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'

Component: Local Traffic Manager

Symptoms:
When using Protocol Security profiles for HTTP, the HTTP Protocol Checks 'Alarm' vs. 'Block' setting will not be honored for the 'Check maximum number of headers' check. If an HTTP response contains more than the configured maximum number of headers, the connection will be reset.

Client traffic with more than the maximum allowed headers will be allowed through to the server, and an alert will be generated, as expected. The server response will also have too many headers, but the connection will be reset.

Conditions:
-- PSM HTTP Protocol Checks configured in 'Alarm' mode ('Block' disabled).
-- The maximum number of headers is exceeded for server responses.

Impact:
Connections are reset, when only alerting is expected.

Workaround:
None.

Fix:
Two threshold values are now available for monitoring the number of HTTP headers:
-- Use the HTTP security profile and select 'alarm' (as opposed to 'block').
-- Use the HTTP service protocol profile. When the 'alarm' threshold is hit, the HTTP traffic remains intact, and logging can be seen in the PSM event logs. When the HTTP service protocol profile's threshold is hit, the HTTP traffic is blocked, and logging is seen in both the LTM log and the PSM event logs.


663874 : Off-box HSL logging does not work with PEM in SPAN mode.

Solution Article: K77173309

Component: Policy Enforcement Manager

Symptoms:
While on-box HSL logging works, off-box HSL logging does not work with PEM in SPAN mode.

Conditions:
-- PEM in SPAN mode.
-- Off-box HSL logging is configured.

Impact:
Cannot use off-box HSL logging with PEM in SPAN mode; must use on-box HSL logging instead.

Workaround:
There is no workaround at this time.

Fix:
Off-box HSL logging now works with PEM in SPAN mode.


662725-1 : tmsh kernel default log levels does not match documentation

Component: TMOS

Symptoms:
The actual tmsh default was 'notice', but it was changed to 'debug' so that kern.log files in qkviews are complete. This was done so that, when diagnosing issues, support has all the information in terms of kernel output.

This documentation discrepancy is a non-functional change that should have been made in 11.5.0, when the actual default value was changed.

Conditions:
None.

Impact:
None.

Workaround:
None.

Fix:
Adjusted the tmsh documentation to reflect the changed default log level, which now includes both 'info' and 'debug'. Unlike for non-kernel components, what is considered 'notice' vs. 'info' vs. 'debug' is arbitrary.


661909-1 : First-time root and admin passwords must now comply with the password policy.

Component: TMOS

Symptoms:
The root and admin account passwords need to comply with the password policy, which is enforced by default in version 14.0.0 and later.

Conditions:
-- Upgrades and new installations of BIG-IP version 14.0.0.
-- Logging in.

Impact:
All passwords must comply with the BIG-IP password enforcement policy.

Workaround:
None.

Fix:
The root and admin account passwords must now comply with the password policy, which is enforced by default in version 14.0.0 and later.

Behavior Change:
In versions prior to BIG-IP version 14.0.0, on first-time boot you could log in as root or admin using the default passwords, and the passwords would not expire, so you could use them indefinitely.
 
Beginning in BIG-IP version 14.0.0, on new installations the default root and admin passwords are marked as expired: on first-time boot, after logging in with the default password you are required to change your password before proceeding. Additionally, the password policy is enabled by default, so the new passwords must meet the password policy requirements.


660850 : /etc/motd is now included in UCS files

Component: TMOS

Symptoms:
The /etc/motd file is not included in UCS files.

Conditions:
Saving UCS files.

Impact:
/etc/motd is not restored upon load of UCS.

Workaround:
None.

Fix:
/etc/motd is now included in UCS files.

Behavior Change:
Previously, /etc/motd was not included in UCS files. Now, /etc/motd is included in UCS files.


660826-2 : BIG-IQ Deployment fails with customization-templates

Component: Access Policy Manager

Symptoms:
BIG-IQ operations involving multiple commands in a transaction to modify a customization group fail.

Conditions:
Simulation by tmsh for what's done in BIG-IQ:

1) Add a log-on agent in your policy.

2) Edit the log-on agent customization (Advanced Customization: both logon.inc and view.inc).
This should create two customization templates.

3) Make a backup of the customization template files in some folder (for example, /tmp). To copy logon.inc and view.inc for the logon agent in the sjc-access policy (sjc-access_act_logon_page_ag), the following cp statements worked:

cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:logon.inc_74991_2 /tmp/logon.inc

cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:view.inc_74991_2 /tmp/view.inc

4) tmsh

5) create /cli transaction

6) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { logon.inc { local-path /tmp/logon.inc } }

7) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { view.inc { local-path /tmp/view.inc } }

8) submit /cli transaction

Impact:
A BIG-IQ operation fails in a scenario involving a change to a customization group.

Workaround:
There is no workaround.

Fix:
BIG-IQ can now operate on customization groups successfully.


660712 : Performance update to VE filesystem type

Component: TMOS

Symptoms:
Ext3 filesystem I/O throughput affects boot times.

Conditions:
Running BIG-IP Virtual Edition.

Impact:
Filesystem I/O throughput affects boot times.

Workaround:
None

Fix:
The VE filesystem has been moved to ext4.


660577-1 : openldap; prevent crash on rc==LDAP_SUCCESS && res==NULL

Component: TMOS

Symptoms:
An openldap library routine segfaults under a certain condition.

Conditions:
A RST arrives in the middle of the authentication process.

Impact:
apmd crashes.

Fix:
This is a preventive fix for the issue.


660057 : support dynamic command line flags when executing a java process

Component: TMOS

Symptoms:
Java cored while running tasks for datasyncd.

Conditions:
Unknown.

Impact:
The datasync obfuscation process completed successfully; no impact.

Workaround:
There is no workaround at this time.

Fix:
To improve the ability to investigate such issues, Java command line flags can now be configured at run time.


659290-1 : FPS should indicate live-update status (new content available/downloaded/auto-downloaded/download-failed)

Component: Fraud Protection Services

Symptoms:
An SNMP trap is not available for live-update status changes because FPS does not report live-update content status via syslog.

Conditions:
Live-update content status changes.

Impact:
There is no syslog indication of a live-update content status change, so an SNMP trap is not available for live-update status changes.

Workaround:
There is no workaround at this time.

Fix:
FPS now reports status changes via syslog.


659142-1 : CVE-2016-10200

Solution Article: K68852819


658665 : A new tmsh command to flush all ePVA flow cache entries

Component: TMOS

Symptoms:
There is no command to flush all ePVA flow cache entries. The 'tmsh delete sys connection all' command causes tmm to send an ePVA flush command to the HSB, but has the side effect of deleting all the connections inside tmm.

Conditions:
Traffic flows are offloaded to hardware for acceleration.

Impact:
Cannot flush the hardware flows to software.

Workaround:
None.

Fix:
This release introduces a new tmsh command: tmsh modify sys connection flow-accel-type software-only. The command flushes all ePVA flows from hardware acceleration to software.

Note: In order to keep the hardware accelerated flows out of the hardware after running the new flush command, the PVA Offload Dynamic/pva-offload-dynamic option of the FastL4 profile must be set to disabled. It is set to enabled by default.

Important: Use this command judiciously. Flushing connections to software results in a performance impact to BIG-IP systems, as all the connections are evicted to software, so hardware offloaded connections must be reinserted.


658557 : The snmpd daemon may leak memory when processing requests.

Component: TMOS

Symptoms:
Under certain conditions, the snmpd daemon may leak memory when processing requests.

Conditions:
A client that is allowed to send SNMP queries to the BIG-IP system sends specially crafted requests.

Impact:
Once enough memory has leaked, the system may become unstable and fail unpredictably.

Workaround:
If the snmpd daemon is consuming excessive memory, restart it with the following command:

bigstart restart snmpd

Fix:
The snmpd daemon no longer leaks memory when handling specially crafted requests.


658382 : Large numbers of ERR_UNKNOWN appearing in the logs

Component: Local Traffic Manager

Symptoms:
There are times when the LTM Policy subsystem attempts to execute particular actions that fail, resulting in LTM Policy writing an error to the logs with an error type of ERR_UNKNOWN.

Conditions:
This has been observed when plugins are active and experiencing high traffic volumes. The logging of ERR_UNKNOWN occurs when filters and plug-ins experience failures (such as out of memory) and react by initiating a reset of the connection. When these filters and plug-ins return an error to LTM Policy, LTM Policy logs ERR_UNKNOWN.

Impact:
This is a case of unnecessary logging, and there is no adverse effect other than a higher-than-normal amount of logging.

Workaround:
None


656912-6 : Various NTP vulnerabilities

Solution Article: K32262483


655726 : GNU C Library (glibc) vulnerability CVE-2015-8984

Solution Article: K29241247


653418-2 : Host Processor Superuser keys in /root/.ssh/authorized_keys no longer necessary

Component: TMOS

Symptoms:
Keys with the name 'Host Processor Superuser' are still present in /root/.ssh/authorized_keys, but are no longer used by supported BIG-IP versions.

Conditions:
Running any currently supported version of BIG-IP software.

Impact:
The keys' presence is benign and there is no negative impact except for the confusion caused by wondering what these keys are for.

Workaround:
Keys with this label can be safely removed from the authorized_keys file manually.

Fix:
Host Processor Superuser keys have been removed from /root/.ssh/authorized_keys.


651741-3 : CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop

Solution Article: K60104355


651379-1 : Issues with Password Policy when expired passwords changed via command line

Component: TMOS

Symptoms:
Changing an expired password via the command line caused certain password policy properties, such as password expiration and password warning, to be reset to zero.

Conditions:
-- Change expired password from command line (console or SSH)

Impact:
Certain password policy properties such as password expiration and password warning get reset to zero.

Workaround:
Subsequent password change via any of the management interfaces will set the affected password policy properties back to their correct values.

Fix:
Password properties are now handled consistently between the GUI and the command line.


649728 : 'mkdisk' utility can fail when creating bootable USBs on older running versions of BIG-IP

Component: TMOS

Symptoms:
Running the 'mkdisk' utility packaged with the BIG-IP ISO on older versions of BIG-IP (v11.4.X and earlier) fails with the following error:

error: tm_install::RemovableDevice::FormatPartitioned - unable to parse version of 'sfdisk'

Conditions:
Run 'mkdisk' utility on v11.4.X or earlier, or any system where the output of '/sbin/sfdisk --version' has the form:

sfdisk (util-linux <version>)

rather than:

sfdisk from util-linux <version>

Impact:
Unable to run 'mkdisk' utility on affected versions of BIG-IP.

Workaround:
Warning: This involves editing the contents of /sbin and remounting a system-critical read-only filesystem as read-write, so proceed with caution if you decide to try this.

1. Run 'mount -o remount,rw /usr'
2. Run 'mv /sbin/sfdisk /sbin/sfdisk.bin'
3. Create a shell wrapper script like this at /sbin/sfdisk:

        #!/bin/bash
        # Present the banner format that mkdisk expects ("sfdisk from util-linux <version>").
        if [ "$1" == "--version" ]; then
            printf "sfdisk from util-linux 2.13.1\n"
        else
            # Pass every other invocation through to the real sfdisk binary unchanged.
            exec /sbin/sfdisk.bin "$@"
        fi

Fix:
The 'mkdisk' utility no longer fails on older running versions of BIG-IP due to errors parsing the 'sfdisk' version.


648802 : Required custom AVPs are not included in an RAA when reporting an error.

Component: Policy Enforcement Manager

Symptoms:
Custom Attribute-Value-Pairs (AVPs) defined on the system will not be visible in a Re-Auth-Answer (RAA).

Conditions:
This occurs when the following conditions are met:
-- PEM enabled with Gx.
-- Custom AVPs configured.
-- PEM responds with an error code in an RAA against a Policy and Charging Rules Function (PCRF) triggered action.

Impact:
Lack of custom AVPs in such an RAA may result in loss of AVP dependent service.

Workaround:
There is no workaround at this time.

Fix:
Custom AVPs are now included in an RAA regardless of whether it carries an error code.


648227-4 : glibc vulnerability CVE-2015-5180

Solution Article: K55001100


645188 : Need a per TMM Diameter Identity for "origin-host-rewrite" in Diameter session profile

Component: Service Provider

Symptoms:
In the Diameter message routing framework, the session profile configuration should have a keyword in the "origin-host-rewrite" option that allows this field to be modified based on the egressing TMM on the server-side connection of the LTM. If this profile is applied to a Diameter peer configuration that has a connection-mode of "per-tmm", the current behavior does not follow the recommendations of RFC 6733. See notes below from RFC 6733. With this configuration, each TMM on the LTM device will maintain its own connection to the Diameter server on the server side and therefore should have its own DiameterIdentity.

Conditions:
If "PER-TMM" connection-mode is chosen

Impact:
Violates RFC 6733 in default installations of LTM.

Workaround:
Use an iRule to set a separate Diameter identity for each connection.


644975-3 : /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost

Solution Article: K09554025

Component: TMOS

Symptoms:
Entries in /var/log/maillog similar to the following:
err sSMTP[25793]: Unable to connect to "localhost" port 25.

Conditions:
This happens when certain crontab configuration files do not specify MAILTO="" at the top, and some of the scripts appearing in those files output something to STDOUT or STDERR. This causes the system to try to send an email with that output, which will fail when ssmtp is not configured to use a valid mailhost.

Impact:
Error messages logged to /var/log/maillog. Note that the maillog file is rotated so it doesn't fill up the /var/log volume.

Workaround:
1) Run the "crontab -e -u root" command; this will open the root user's crontab configuration in your default text editor.

2) Move the MAILTO="" line to the top of the file, right under the "# cron tab for root" banner.

3) Save the file and exit the text editor to install the root user's new crontab configuration.

4) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/crontab file.

5) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/cron.d/0hourly file.

6) To verify that MAILTO=root does not appear anywhere else, run the following command: grep -i -r mailto /etc/cron*.

7) If the previous command shows that MAILTO=root still appears in some files, also modify those files so that MAILTO=root becomes MAILTO="".

Fix:
The crontab configuration files now specify MAILTO="" at the top, so the /var/log/maillog errors no longer occur.
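As an added example (not part of this F5 release note), the following POSIX shell check reports cron job lines that are not covered by an empty MAILTO, which is exactly the condition the workaround above removes; it relies on the cron rule that a MAILTO= line applies only to the job lines below it. The file names and crontab contents in the usage are constructed.

```shell
#!/bin/sh
# Added example, not part of the F5 release note: audit crontab-format files for
# job lines that are not covered by MAILTO="", i.e. jobs whose output cron would
# try to mail via ssmtp (the cause of the /var/log/maillog errors described above).
#
# cron semantics used here: a MAILTO= line applies to every job line below it until
# the next MAILTO= line; with no MAILTO= set at all, output is mailed to the crontab
# owner (root for /etc/crontab), which is why the note says to put MAILTO="" at the top.

# Print every job line in $1 that cron would mail about; exit 0 if there are none.
mailto_unsilenced_jobs() {
    awk '
        BEGIN { silenced = 0; bad = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comment or blank line
        /^[[:space:]]*MAILTO=/ {
            val = $0
            sub(/^[[:space:]]*MAILTO=/, "", val)
            gsub(/["[:space:]]/, "", val)                     # MAILTO="" and MAILTO= both mean "no mail"
            silenced = (val == "")
            next
        }
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }       # other VAR=value settings (SHELL=, PATH=, ...)
        !silenced { bad++; print FILENAME ":" NR ": " $0 }    # a job line whose output would be mailed
        END { exit (bad > 0) }
    ' "$1"
}

# Audit several files at once (e.g. /etc/crontab /etc/cron.d/*); exit 1 if any needs fixing.
# Files that do not exist are skipped, so shell globs that match nothing are harmless.
audit_cron_mailto() {
    status=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        mailto_unsilenced_jobs "$f" || status=1
    done
    return "$status"
}

# Only audit when paths are given on the command line, so sourcing this file has no side effects.
if [ "$#" -gt 0 ]; then
    audit_cron_mailto "$@"
fi
```

The root user's own crontab is not a file under /etc, so check it with `crontab -u root -l | mailto_unsilenced_jobs /dev/stdin`.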


643554-9 : OpenSSL vulnerabilities - OpenSSL 1.0.2k library update

Solution Article: K37526132 K44512851 K43570545


642990-1 : Processes started from interactive shells do not generate core files when they crash

Solution Article: K05304332

Component: TMOS

Symptoms:
ulimit -c is set to 0 by default for login shells. This means that if a process crashes, and the process was started from an interactive session (e.g., via SSH or the console), it will not generate a core file.

This behavior does not affect core system daemons such as TMM, MCPD, etc.

Conditions:
This occurs in the default configuration.

Impact:
Processes run/started from an interactive session (e.g., via SSH or the console) that crash will not generate core files.

Workaround:
At a bash shell, set the core file limit for the current shell (and child processes) to "unlimited" by running the following command:

    ulimit -c unlimited

Fix:
Processes that start from interactive sessions will now generate core files when they crash. The "bigstart" command ensures that the default core file limit is '0' for system services managed via sysvinit, even if restarted by an administrator.


642023 : 2nd Gy CCA-u is ignored by PEM if 2 CCR-u messages are sent before the 1st CCA-u is received.

Component: Policy Enforcement Manager

Symptoms:
Quota provided by the 2nd Gy CCA-u is ignored which can result in limiting the effective quota provided to a subscriber. This in turn can result in additional control plane traffic as additional Gy CCR-u's outlining quota threshold/exhaustion will be sent by PEM.

Conditions:
PEM with Gx and Gy sessions. The threshold against the provided quota should be a large percentage of the quota which would result in quota exhaustion before additional quota is provided by the OCS.

Impact:
Potential service hit and increase in control plane traffic.

Workaround:
Mitigation: Configure the threshold to be a smaller percentage of the provided quota.


641724-1 : BIG-IP VE support for GCE

Component: TMOS

Symptoms:
There is no support for Google Compute Engine (GCE) in BIG-IP Virtual Edition (VE).

Conditions:
Trying to use GCE with BIG-IP VE.

Impact:
No support for GCE.

Workaround:
None.

Fix:
The BIG-IP Virtual Edition (VE) now supports Google Cloud infrastructure using BYOL licenses. F5's Good, Better and Best license bundles are supported up to 5 Gbps. This release supports single NIC configurations only.

Behavior Change:
The BIG-IP Virtual Edition (VE) now supports Google Cloud infrastructure using BYOL licenses. F5's Good, Better and Best license bundles are supported.


641101-5 : httpd security and bug fix update CVE-2016-8743

Solution Article: K00373024


640548 : In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked.

Component: Policy Enforcement Manager

Symptoms:
In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked, and PEM does not retry them.

Conditions:
In Gy delayed binding mode, a concurrent flow hits another rating group before the CCA-I for the first rating group comes back.

Impact:
Quota management service will not be active for those concurrent flows.

Fix:
PEM now holds CCR-U requests for those concurrent flows and releases them after CCA-I comes back.


640493-2 : Bash vulnerability CVE-2016-7543

Solution Article: K73705133


639575-6 : Using libtar with files larger than 2 GB will create an unusable tarball

Component: TMOS

Symptoms:
Programs such as qkview create a .tar file (tarball) using libtar. If any of the files collected are greater than 2 GB, the output tar file cannot be read by /bin/tar.

This occurs due to a limitation of the file compression library employed by the qkview command; the system cannot collect files larger than 2 GB in size in a Qkview.

The qkview command may generate output that iHealth cannot parse, and that the tar command cannot extract.

Conditions:
-- The file collected via libtar (e.g., by qkview or other program dynamically linking with /usr/lib/libtar-1.2.11) is greater than 2 GB.
-- A 2 GB or larger file exists in a directory that qkview normally collects.

Impact:
No qkview diagnostics file is created. Although you can extract the qkview tarball using /usr/bin/libtar, the file will be zero-length. You cannot submit the qkview to iHealth for analysis. Other applications using libtar will also produce invalid tar files.

Workaround:
Remove the file larger than 2 GB from the system prior to running qkview or other program that uses libtar.

Fix:
With the fix to third party software, libtar, programs using libtar no longer create an unusable tarball when dealing with files larger than 2 GB.


637946 : Do not manually create a sys management-ip on a clustered BIG-IP Platform through the admin_ip object.

Component: TMOS

Symptoms:
The cluster member's blade-specific management IP is not modified when you run tmsh modify sys management-ip <ipaddr/netmask>.

Conditions:
This occurs when trying to change the management IP using tmsh modify sys management-ip <ipaddr/netmask> on a blade.

Impact:
Although the command is successful, the cluster does not use this management IP, and the blade-specific management IP is unchanged.

Workaround:
Modify the blade-specific address of a cluster-member only through the sys cluster component.

The correct command is
tmsh modify sys cluster default members { <blade_number> { address <desired ipv4 addr> }}

Fix:
A configuration error message is emitted which instructs the user to use the sys cluster component to modify the blade-specific address of a cluster-member.

Behavior Change:
Administrators can no longer manually create a sys management-ip on any clustered BIG-IP Platform through the admin_ip object. Administrators are now guided to use the sys cluster component.


636453-8 : OpenSSH vulnerability CVE-2016-10009

Solution Article: K31440025


635534 : DDoS Hybrid Defender: new signatures available message when they are not

Component: Application Security Manager

Symptoms:
Device reports that new Signatures are available after they have already been updated.

Conditions:
After updating Signatures on a Chassis device, there is a failover from the primary to a secondary blade.

Impact:
The GUI incorrectly indicates that there is a new Signature update available. Choosing to update again will remove this indicator and has no negative effects.

Workaround:
Install the latest signatures again.


635191 : Under rare circumstances TMM may crash

Component: Local Traffic Manager

Symptoms:
tmm crash and BIG-IP failover.

Conditions:
There are no known, reproducible conditions under which this occurs. However, the tmm restart happens once, and then does not recur. The only way to determine that the issue exists is through a review of the core stack, which must be completed by F5 Support.

Impact:
tmm restart and failover. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The tmm restart and failover no longer occur.


635173 : Standby BIG-IP TMM uses unexpectedly large amount of memory

Component: Local Traffic Manager

Symptoms:
TMM memory usage on a BIG-IP standby device might be substantially higher than on the active device, and it recovers each time the high availability (HA) connection is lost and re-established.

Conditions:
The problem happens only on a standby device with L7 mirroring traffic in effect.

Impact:
The standby device may not be able to take over traffic when failover happens.

Workaround:
There is no workaround at this time.

Fix:
The mirroring flag is now cleared for a connection on error so the potentially high memory use no longer occurs.


634201 : POST requests get reset on early server response.

Component: Local Traffic Manager

Symptoms:
Connection resets are encountered on large POST requests when the server responds early and shuts down the connection.

Conditions:
AAM is enabled on the virtual server. AAM may improperly forward the response resulting in an internal error.

Impact:
Connections are reset before the response completes.

Workaround:
None.


630137 : Dynamic Signatures feature can fill up /config partition impacting system stability

Component: Advanced Firewall Manager

Symptoms:
When the AFM DoS Dynamic Signatures feature is enabled, inadequate file housekeeping results in the /config/filestore partition filling up. mcpd halts the other running daemons and the system becomes unresponsive.

Conditions:
-- AFM DoS Dynamic Signatures feature enabled.
-- Configuration changes made but not saved.
-- Device receives traffic.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Make all configuration changes via Configuration Tool (UI) or issue a 'save sys config partitions all' command.

If rolling back the configuration is a requirement, before making changes to the configuration, save a configuration snapshot to a file with the 'save sys config file <filename>' command. You can then load the previous configuration with a 'load sys config file <filename>' command.

Fix:
AFM DoS Dynamic Signatures file housekeeping improved, /config filestore no longer fills up.


629628 : Request Events Missing Due to Policy Builder Restart

Component: Application Security Manager

Symptoms:
Policy builder process restarts when it gets a UCS load event.
As a result, request events are missing from the request log while policy builder is catching up on the policies.

Conditions:
-- In a high availability environment when devices require a full ASM sync from their peer.
-- Learning is enabled for ASM policies.

Impact:
Any requests that needed to be logged due to a logging profile (e.g., Log All) will be lost during this time. This occurs because policy builder is responsible for logging these requests. These restarts are not particularly harmful.

Workaround:
None.

Fix:
Policy builder now handles requests while catching up on the policies assuring no requests are lost due to the restart.


629256 : Qkview now contains cloud metadata

Component: TMOS

Symptoms:
Qkview does not collect metadata about the host cloud instance in BIG-IP Virtual Edition (VE) configurations.

Conditions:
Anytime you run a qkview from a BIG-IP system running in a cloud environment

Impact:
No cloud metadata provided.

Workaround:
None.

Fix:
When running a cloud instance of BIG-IP software, qkview now collects metadata about the cloud.

Behavior Change:
Qkview previously did not collect metadata about the host cloud instance in VE configurations. Qkview now collects host environment data when executed on VE.


624187 : Relocate TUC AVP to group AVP USU

Component: Policy Enforcement Manager

Symptoms:
Current implementation sends Traffic Change Usage (TCU) in MSCC at the same level as USU.

Conditions:
Anytime there is a TCU.

Impact:
Interoperability problem with ZTE OCS, which requires it to be a child of the USU (Used-Service-Unit) grouped AVP.


622787 : Sync state remaining on 'Awaiting Initial Sync' when adding third device

Component: TMOS

Symptoms:
When adding a third device to the trust, the sync state might show 'Awaiting Initial Sync' on the new device, while the other devices show 'In Sync'.

Note: The sync status 'Awaiting Initial Sync' is related to a hidden device group (datasync-device-<devicename>-dg), which the system automatically creates and syncs. This device group does not appear in the GUI.

Conditions:
-- ASM or FPS is provisioned.

-- The link status of the third device is offline while adding it to the trust. (This is a rarely occurring condition.)

Impact:
When this occurs, the sync status will show 'Awaiting Initial Sync'.

There is no functional impact.

Workaround:
1. Identify the device group that is out of sync using the following command: tmsh show cm sync-status

The out-of-sync device group returns a status similar to the following: datasync-device-bip2-dg (Awaiting Initial Sync): One or more devices awaiting initial config sync.

2. Find the device that owns the device-group that needs to be synced by looking at the status. For example, the device group in the previous example is 'datasync-device-bip2-dg', so the device is 'bip2'.

3. From that device, run a command similar to the following, replacing 'datasync-device-bip2-dg' with the device group that is out of sync:
   tmsh run cm config-sync force-full-load-push to-group datasync-device-bip2-dg


Note: The GUI cannot be used because this is a hidden device group that does not appear in the GUI.

Fix:
The system now handles this condition, so there are no longer sync problems when adding a third device to the device trust when ASM or FPS are provisioned while the link is down.


620567-1 : HTTP to HTTPS TMUI redirection erroneously allows HTTP access to iControl SOAP and iControl REST

Component: TMOS

Symptoms:
When the BIG-IP system is configured to redirect HTTP to HTTPS, iControl SOAP and iControl REST API calls are erroneously accepted on port 80 (in addition to 443).

Conditions:
The BIG-IP has 'Redirect HTTP to HTTPS' enabled.

Impact:
iControl SOAP and iControl REST calls are accepted on an unencrypted port. API calls still require authentication, but results are not encrypted.

Workaround:
None.

Fix:
HTTP to HTTPS TMUI redirection no longer erroneously allows HTTP access to iControl SOAP and iControl REST.


619636 : Unhelpful log message 'internal_cause' when the session is deleted due to accessing the root URI

Solution Article: K19123634

Component: Access Policy Manager

Symptoms:
When APM end users who are logged into an assigned webtop open a new browser tab or new browser window, or otherwise visit '/' (the root URI), the existing session is deleted and a new one is created. The system posts a relatively ambiguous error message in /var/log/apm:

notice tmm[20481]: 01490567:5: /Common/rdp_access:Common:9494c15a: Session deleted (internal_cause).

Conditions:
-- APM with full webtop assigned.
-- Client visits the '/' URL.

Impact:
-- Previous session is halted and a new session is begun.
-- Unhelpful and confusing log message.

Workaround:
None.

Fix:
Log message now reads 'Session deleted (restarted)'. When you see this message, it indicates that the previous session was deleted and a new session started because the APM end user accessed the root URI when there was a webtop assigned to that APM end user. This might occur when the APM end user with the assigned webtop opens a new browser tab or new browser window, or otherwise visits '/' (the root URI).


618884 : Behavior when using VLAN-Group and STP

Component: Local Traffic Manager

Symptoms:
ICMP response traffic may not be seen when pinging within the same VLAN while STP mode is configured.

Conditions:
-- STP mode is configured.
-- Ping is issued in the same VLAN.

Note: This issue is limited to soft-switched platforms.

Impact:
May not see ICMP response traffic.

Workaround:
None.


617273-9 : Expat XML library vulnerability CVE-2016-5300

Solution Article: K70938105


615222 : GTM configuration fails to load when it has GSLB pool with members containing more than one colon character

Component: Global Traffic Manager (DNS)

Symptoms:
The user configuration set (UCS) configuration file may fail to load due to the global server load balancing (GSLB)-referenced virtual server name syntax. The system posts errors similar to the following:

01070226:3: Pool Member 20002 references a nonexistent Virtual Server.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have configured your BIG-IP DNS system (formerly known as BIG-IP GTM) with a virtual server name that includes the colon (:) character.
-- The virtual server is included as a GSLB pool member.
-- You save the configuration to a UCS file.
-- You attempt to load the UCS configuration file.

Impact:
Unable to create GTM Pool Member from TMSH, or to load a configuration with this object in it.

Workaround:
None.

Fix:
Fixed an issue in the parsing of GTM pool member names that prevented GTM virtual servers or GTM servers with a colon (:) in the name from being used as GTM pool members.


608359 : Add extra decision logging for LTM load balancing (support only)

Component: Local Traffic Manager

Symptoms:
It can be difficult to troubleshoot issues with LTM load balancing; existing logging is not detailed enough to troubleshoot some issues.

Conditions:
Support is troubleshooting issues with LTM load balancing.

Impact:
Support is unable to accurately determine why the system sends traffic to specific pool members.

Fix:
Added extra logging for load balancing. This logging is mainly for support to enable (it is not intended for use by the end-user at this stage).


606983 : ASM errors during policy import

Component: Application Security Manager

Symptoms:
Import failure when importing ASM policy with many Session Awareness Data Points.

ASM logs errors similar to the following:
-- crit g_server_rpc_handler_async.pl[10933]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Could not update the Export Policy Task 'Export Policy Task (1469519765.114479)'. DBD::mysql::db do failed: Got a packet bigger than 'max_allowed_packet' bytes.

Conditions:
-- ASM provisioned.
-- Session Awareness enabled.
-- Many (more than 1000) active Session Awareness 'Block All' data points are present.
-- Export a policy.
-- Import the same policy.

Impact:
asm_config_server crash occurs. asm_config_server recovers automatically, within ~15-30 seconds.

Workaround:
Either release all Session Awareness Data Points before export, or remove them from the exported policy before importing it back.

Fix:
Import failure no longer occurs when importing ASM policy with more than 1000 Session Awareness Data Points. Now, there is a maximum of 1000 Session Awareness Data Points exported into an XML policy export.


606032-1 : Network Failover-based HA in AWS may fail

Component: TMOS

Symptoms:
MCPD posts an error that network failover is not configurable:
01071ac2:3: Device-group (/Common/autoscale-group): network-failover property must be disabled in VE-1NIC.

Conditions:
Attempting to set up high availability (HA) in Amazon Web Services (AWS) with only one network interface.

Impact:
Configuration of HA in AWS cannot be completed.

Workaround:
The current workaround is to configure HA in AWS with at least 2 network interfaces.


605860 : Gx, Gy and Sd SessionIds have fixed prefixes

Component: Policy Enforcement Manager

Symptoms:
All BIG-IP Gx, Gy and Sd end points use the same session ID prefix when communicating to a PCRF/OCS.

Conditions:
PEM configured with Gx, Gy or Sd.

Impact:
PCRF or DRA connected to multiple BIG-IPs cannot distinguish the Gx, Gy or Sd BIG-IP end-points using the session ID content.

Fix:
Gx, Gy or Sd session ID prefix has been made configurable.

Behavior Change:
Gx, Gy and Sd SessionIDs have configurable prefixes, with the following defaults:
Gx.BIG-IP.f5net.com
Gy.BIG-IP.f5net.com
Sd.BIG-IP.f5net.com


604731 : Improvement for 'tmsh show ltm pool' command

Component: Local Traffic Manager

Symptoms:
It is hard to determine which priority group is activated at any given time.

Conditions:
Using Priority Group Activation feature.

Impact:
Confusion on which members are actively handling traffic at any given time.

Fix:
The 'tmsh show ltm pool' command displays an additional row, 'Priority Groups', indicating which priority group is currently activated.

Behavior Change:
The 'tmsh show ltm pool' command displays additional information about the currently activated priority group in a new 'Priority Groups' row.


604272 : SMTPS profile connections_current stat does not reflect actual connection count.

Component: Local Traffic Manager

Symptoms:
SMTPS profile connections_current stat does not reflect actual connection count.

Conditions:
This occurs if you have an SMTPS virtual server configured.

Impact:
profile_smtps_stat.connections_current rises over time and doesn't reflect actual number of SMTPS connections active.


603071 : XHTML validation fails on obfuscated JavaScript

Component: Application Security Manager

Symptoms:
The obfuscated JavaScript injected by ASM for CSRF protection and other features causes web pages to fail w3c validation.

Conditions:
CSRF or Web Scraping protection enabled in the ASM policy.

Impact:
There is no end-user impact, but checking the page with the W3C online validator returns errors.

Workaround:
N/A

Fix:
The injected script is now wrapped in a CDATA section, so the validator no longer reports errors.


602708 : Traffic may not pass through CoS by default

Component: Local Traffic Manager

Symptoms:
Traffic being forwarded by TMM may not pass through the Class of Service (CoS) value received.

Conditions:
-- IP forwarding Virtual server.
-- Traffic received with priority other than 3.

Impact:
Traffic is set to L2 QoS priority 3 and may cause issues on other networking devices.

Workaround:
Create a default CoS configuration or apply L2 QoS settings in the FastL4 profile.

Fix:
TMM now correctly passes through CoS by default.


602288-1 : glibc vulnerability CVE-2016-3706

Solution Article: K06493172


594551 : Start to allow clientSSL profiles to be configured without RSA type key/cert pair

Component: Local Traffic Manager

Symptoms:
RSA type cert/key pair is a mandatory property of a clientSSL profile.

Conditions:
This is encountered when configuring a clientSSL profile.

Impact:
You are not allowed to assign cert/key pair that is not RSA.

Fix:
With this change, a clientSSL profile still requires at least one cert/key pair, but RSA type cert/key pair is no longer mandatory.

For example, before this change, the operation below fails because it attempts to assign a clientSSL profile only an EC type cert/key:

tmsh create ltm profile client-ssl cssl cert-key-chain replace-all-with { ec { cert ec key ec }}
010717e3:3: Client SSL profile (/Common/cssl): must have RSA Server certificate/key pair.

After this change the above operation will be valid and hence the error message will no longer appear.

Behavior Change:
Previously, an RSA type cert/key pair was a mandatory configuration of a clientSSL profile.

With this change, a clientSSL profile still requires at least one cert/key pair, but RSA type cert/key pair is no longer mandatory.


594064-1 : tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.

Solution Article: K57004151

Component: Local Traffic Manager

Symptoms:
When the tcpdump utility is used with the ':p' modifier, it appears that the first few serverside packets are not captured.

Conditions:
-- Using the ':p' modifier with the tcpdump utility to capture serverside flows associated with clientside flows that match a tcpdump filter.
-- FastL4 or standard virtual server UDP flows are being captured.

Impact:
Typically, the peer flow will not be captured until the second packet is processed on the original flow that is captured by the tcpdump filter. Although there is no operational impact, it might cause confusion when looking for serverside traffic when capturing using a command similar to the following: tcpdump -i <vlan>:p host <client-ip>

Typical examples of missing packets include:
  -- Serverside syn and syn-ack from FastL4 TCP traffic.
  -- All serverside packets for single packet request/reply traffic, e.g., dns request/reply.

Workaround:
Specify filter that includes serverside traffic (e.g., include pool member addresses as 'host <addr>').

Fix:
tcpdump now successfully captures the first serverside packets.


593139-11 : glibc vulnerability CVE-2014-9761

Solution Article: K31211252


592504-1 : False positive illegal length violation can appear

Component: Application Security Manager

Symptoms:
A false positive illegal length violation.

Conditions:
A chunked request where the request length is more than half of the configured max request length.

Impact:
False positive illegal length violation.

Workaround:
Configure a higher maximum request length.

Fix:
Fixed a false positive request length violation.


591606 : Failure to load config post upgrade: "Rate threshold cannot be set to 0."

Component: Advanced Firewall Manager

Symptoms:
After an upgrade, configurations with DoS rate thresholds set may fail to load with a "Rate threshold cannot be set to 0" error message in /var/log/ltm.

Conditions:
DoS Protection configured with rate thresholds on a pre-12.0 installation. Upgrade to 12.0 and above.

Impact:
The BIG-IP will fail to load the configuration.

Workaround:
Manually edit bigip.conf and remove all DoS rate threshold settings. Once the configuration successfully loads, apply the desired rate thresholds.


589083 : TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.

Component: TMOS

Symptoms:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation fails because of permission errors.

Using iControl, the system posts an error similar to the following: Error processing request for URI:http://localhost:8110/mgmt/tm/sys/config
{code:400,message: Can't create tmsh temp directory \"/config/.config.backup\" Permission denied, errorStack:[]}.

Using TMSH (e.g., running the command: tmsh save sys config), the system posts an error similar to the following:

Can't create tmsh temp directory "/config/.config.backup" Permission denied

Conditions:
This occurs when the following conditions are met:
-- Remote Authentication is configured.
-- User is logged in as a remote user who has the admin role.
-- Using TMSH or iControl for remotely authenticated user operations.

Impact:
Cannot save the configuration.

Workaround:
Use one of the following workarounds:
-- Use the GUI to save the configuration.
-- Have a locally authenticated user with admin role save the configuration.

Fix:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation now completes as expected, without permission errors.


588483 : Soft lockup may occur when vCMP host TMMs run realtime without yielding.

Component: TMOS

Symptoms:
The host TMM is using 100% CPU.

Conditions:
There are no higher priority processes preempting the host TMMs.

Impact:
Soft lockup occurs, system may temporarily fail to process traffic.

Workaround:
Configure the vCMP host to run with a non-zero yield percentage and restart tmm. The yield value can be configured using a Tcl option in /config/tmm_init.tcl, for example:

echo "realtime yield 10" >> /config/tmm_init.tcl


581851-3 : mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands

Solution Article: K16234725

Component: TMOS

Symptoms:
The Master Control Program Daemon (MCPD) on secondary blades may unexpectedly restart when the BIG-IP system processes multiple, concurrent TMOS Shell (tmsh) commands.

Under these circumstances, a race condition may occur and cause the mcpd process on the secondary blades to fail to correctly process concurrent updates from the primary blade.

As a result of this issue, you may encounter one or more of the following symptoms:

-- The mcpd process on secondary blades unexpectedly restarts.
-- You notice error messages in the /var/log/ltm file on the BIG-IP system that appear similar to the following example:
 + err mcpd[<PID>]: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset

 + err mcpd[<PID>]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset

-- Depending on your high availability (HA) configuration, the device may unexpectedly fail over to another system in the device group.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have a VIPRION platform or Virtual Clustered Multiprocessing (vCMP) guest configuration that uses two or more blades.
-- You attempt to run multiple, concurrent tmsh commands on the BIG-IP system. For example, you run a tmsh command to continually reset persistence records and at the same time run another tmsh command to continually reset the TCP statistics.

Impact:
The BIG-IP system may experience performance degradation when the secondary blades become unavailable while the mcpd process restarts. Depending on your HA configuration, the device may fail over.

Workaround:
None.

Fix:
This issue no longer occurs.


579592-6 : glibc vulnerability CVE-2015-8776

Solution Article: K23946311


579252-4 : Traffic can be directed to a less specific virtual during virtual modification

Component: Local Traffic Manager

Symptoms:
Traffic can be directed to a less specific virtual server during virtual server modification. It could also be dropped if there is no less specific virtual server.

Conditions:
net self external-ipv4 {
    address 10.124.0.19/16
    traffic-group traffic-group-local-only
    vlan external
}
net self internal-ipv4 {
    address 10.125.0.19/16
    traffic-group traffic-group-local-only
    vlan internal
}

ltm pool redirect-echo {
    members { 10.125.0.17:7 }
}
ltm virtual fw {
    description "less-specific virtual"
    destination 10.125.0.0:any
    ip-forward
    mask 255.255.255.0
    profiles { fastL4 }
    translate-address disabled
    translate-port disabled
    vlans-disabled
}
ltm virtual redirect-echo {
    description "enable/disable this one"
    destination 10.125.0.20:echo
    ip-protocol udp
    mask 255.255.255.255
    pool redirect-echo
    profiles { udp }
    vlans { external }
    vlans-enabled
}

Impact:
Traffic can be directed to a less specific virtual server.

Workaround:
No known workaround at this time other than applying configuration changes in a manner that avoids doing them on a unit that is handling the traffic. Applying changes on the standby and then failing over and syncing or utilizing a maintenance window would be common schemes to achieve a separation between production traffic and configuration changes.

Fix:
No fix available at this time.


578983-3 : glibc: Integer overflow in hcreate and hcreate_r

Solution Article: K51079478


575788 : non-local static ARP entries are not recreated on tmm restart

Component: Local Traffic Manager

Symptoms:
Non-local static ARP entries are not created/recreated on TMM restart.

Conditions:
Restarting TMM with non-local static ARP entry, or creating static ARP entry for address without a directly connected route.

Impact:
Creation of non-local static ARP entry

Workaround:
Re-create static arp entry after TMM restart. Or re-create static arp entry after adding a self-ip with network covering the static ARP address.

Behavior Change:
BIG-IP will no longer allow creation of a static ARP entry that cannot be resolved.


575728 : Support APM Webtop's Native RDP resources on Linux with Remmina/FreeRDP clients

Component: Access Policy Manager

Symptoms:
APM Webtop's Native RDP resources are not supported on Linux.

Conditions:
APM Webtop's Native RDP resources are used on Linux.

Impact:
APM Webtop's Native RDP resources can't be launched on Linux.

Workaround:
There is no workaround at this time.

Fix:
APM Webtop's Native RDP resources now can be launched on Linux with Remmina/FreeRDP clients. Remmina/FreeRDP nightly build of May 16th 2018 or later is required.


575667 : HTTP::has_responded has been introduced to give user status on if a specific request has been responded to.

Component: Local Traffic Manager

Symptoms:
User had no way of knowing if one particular HTTP request has been responded to or not. A second response to one request would result in a reset of the connection or flow.

Conditions:
If reset of the connection is not desired when making multiple responses to one HTTP request, use the new flag HTTP::has_responded to test before sending a HTTP response.

Impact:
User has more options for multiple-response case.

Workaround:
If reset of the connection is not desired when making multiple responses to one HTTP request, use the new flag HTTP::has_responded to test before sending a HTTP response.

Behavior Change:
Invoking HTTP::respond multiple times on the same request that triggered an HTTP::request event leads to TCL errors and RSTs. This can happen when there are multiple HTTP::request events attached to a virtual and each can invoke HTTP::respond.

A new TCL command HTTP::has_responded has been introduced that returns a boolean to indicate that HTTP::respond has already been invoked.
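The following iRule is an added illustration of the guard described above; it is not code from the release notes or from F5. It shows two HTTP_REQUEST handlers on one virtual server (as would happen with two iRules attached), where the second handler checks HTTP::has_responded before calling HTTP::respond so that an already-answered request does not produce a Tcl error and a connection reset. The /admin path and the X-Maintenance header are assumed, illustrative conditions only.

```tcl
# Added example (not from the release notes): two handlers for the same
# event, differing only in priority, as two attached iRules would produce.
when HTTP_REQUEST priority 100 {
    # Hypothetical first handler: answer requests for an assumed path directly.
    if { [HTTP::path] starts_with "/admin" } {
        HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
    }
}

when HTTP_REQUEST priority 500 {
    # Second handler. Without this guard, calling HTTP::respond after the
    # first handler already responded raises a Tcl error and resets the flow.
    if { [HTTP::has_responded] } {
        log local0. "request already answered, skipping second response"
        return
    }
    # Hypothetical condition for the second handler's own response.
    if { [HTTP::header exists "X-Maintenance"] } {
        HTTP::respond 503 content "Service unavailable" "Retry-After" "120"
    }
}
```

Placing the guard at the top of every handler that may call HTTP::respond is safer than relying on handler ordering, because the priority of an iRule attached later can change which handler answers first.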


571651 : Reset Nitrox3 crypto accelerator queue if it becomes stuck.

Solution Article: K66544028

Component: Local Traffic Manager

Symptoms:
Certain configuration parameters used during an SSL handshake can elicit a 'queue stuck' message from the accelerator. When this happens, the /var/log/ltm log file will contain a message similar to the following:

    'n3-cryptoX request queue stuck'.

Conditions:
The BIG-IP system uses Nitrox 3 encryption hardware to perform SSL encryption.

An SSL handshake sent to the BIG-IP system is incorrectly configured or contains bad information.

Impact:
In-flight and queued contexts for the specific accelerator are dropped. After device recovery, new requests will be accelerated.

Workaround:
Disable crypto acceleration.

Fix:
The crypto accelerator is gracefully reset when the accelerator stalls due to a misconfigured request.

Note: This issue resolution is limited to SSL handshake issues, and is not a resolution for all possible causes of a 'queue stuck' event.


551925 : Misdirected UDP traffic with hardware acceleration

Component: TMOS

Symptoms:
UDP traffic might be forwarded to the wrong destination when using hardware acceleration.

Conditions:
If the UDP timeout is lower than the embedded Packet Velocity Acceleration (ePVA) aging timeout.

This occurs because UDP connections are accelerated until the ePVA aging timeout expires for the connection. If the ePVA aging timeout is greater than the UDP timeout, then TMM removes the connection from software, but the connection is still accelerated in the ePVA. Subsequent traffic then matches to the original connection, causing it to be sent to the wrong destination.

Impact:
Traffic can be sent to the wrong destination.

Workaround:
You can use either or both of the following workarounds:
-- Increase the UDP timeout (60s or more).
-- Disable UDP hardware acceleration.


542880 : BIG-IP system should support cipher suites ChaCha20 and Poly1305

Component: Local Traffic Manager

Symptoms:
This release adds support for cipher suites ChaCha20 and Poly1305.

Conditions:
Using cipher suites.

Impact:
Can now configure ChaCha20 and Poly1305.

Workaround:
None.

Fix:
This release provides support for ChaCha20 and Poly1305.

Behavior Change:
This release adds support for cipher suite ChaCha20 and Poly1305 to the crypto library.


534288 : Tab completion for ltm policy-strategy shows extra values

Component: Local Traffic Manager

Symptoms:
In tmsh, when making changes to ltm policy-strategy, tab completion displays extra suggested completions.

Conditions:
This occurs when tmsh user is in the ltm policy-strategy area and presses the Tab key.

Impact:
Additional parameters which are not pertinent to the ltm policy-strategy operation will be displayed, which might lead to trial-and-error to successfully complete the operation.

Workaround:
None.

Fix:
Tab completion for ltm policy-strategy correctly displays valid operands.


532181 : SNMP passphrases appear to change each time they are displayed in TMSH

Component: TMOS

Symptoms:
When SNMPv3 users are configured with authentication and privacy passwords, the TMSH display of encrypted passwords appears to change at each redisplay.

Conditions:
Using TMSH to repeatedly display SNMPv3 user's encrypted authentication and privacy passwords.

Impact:
This makes it appear that the passwords are changing when only their encrypted representation has been updated, which might give incorrect information to monitoring systems that automatically detect configuration changes.

Workaround:
There is no workaround at this time.

Fix:
TMSH display has been changed so that both the shallow encrypted and master key encrypted versions of the password display (the two keywords are auth-password/auth-password-encrypted and privacy-password/privacy-password-encrypted). This eliminates the issue of the SNMP passphrases appearing to change each time they are displayed in TMSH. To avoid triggering a false positive for configuration changes, monitoring systems should watch the auth-password and privacy-password values (not the deprecated -encrypted values).

Note: The auth-password-encrypted and privacy-password-encrypted keywords have been deprecated but display for backwards compatibility.

Behavior Change:
TMSH display has been changed so that both the shallow encrypted and master key encrypted versions of the password display (the two keywords are auth-password/auth-password-encrypted and privacy-password/privacy-password-encrypted). The auth-password-encrypted and privacy-password-encrypted keywords have been deprecated but display for backwards compatibility.

Note: To avoid triggering a false positive for configuration changes, monitoring systems should watch the auth-password and privacy-password values (not the deprecated -encrypted values).


513310 : TMM might core when a profile is changed.

Component: Local Traffic Manager

Symptoms:
TMM might core when a profile is changed.

Conditions:
A "standard" type virtual server configured with the TCP or SCTP protocol profile, and a Persistence, Access or Auth profile. This issue might occur in either of the following scenarios:
-- Change profile on the active device.
-- Change profile on the standby device and perform a config sync to the active ones.

Impact:
TMM might core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now reinitializes the TCP proxy filter chain on profile change, so that tmm no longer cores.


510889 : CRL critical extensions not supported

Component: TMOS

Symptoms:
When attempting to import a Certificate Revocation List (CRL), the import fails and you encounter this error:

validate_file_contents:(/Common/my.crl) :Invalidate CRL.-- critical extensions not supported.

Conditions:
This is encountered when attempting to import a CRL that contains extensions marked as critical.

Microsoft CA 2012 sets the X509v3 Issuing Distribution Point to critical by default.

Impact:
CRL import fails.

Workaround:
None.


510311-1 : GNU C Library (glibc) vulnerability CVE-2014-9402

Solution Article: K16365


497457 : track L7DOS entities in irules in transparent mode only when attack occurs

Component: Application Security Manager

Symptoms:
L7DOS entities in transparent mode were always shown, regardless of whether an attack was occurring.

Conditions:
You have configured an iRule to log attacking entities during a DoS attack, and DoS is in transparent mode.

Impact:
A large number of entities are being logged even if an attack is not occurring.

Workaround:
N/A


495242-1 : mcpd log messages: Failed to unpublish LOIPC object

Component: Local Traffic Manager

Symptoms:
The system posts the following error: err mcpd[7143]: 010716d6:3: Failed to unpublish LOIPC object for (loipc_name.1417443578.297505208). Call to (shm_unlink) failed with errno (2) errstr (No such file or directory).

Conditions:
This is an intermittent issue that occurs on standby systems in High Availability (HA) configurations. In this case, the system is attempting to remove a file/directory that does not exist. Either the file has already been removed or it was not created.

Impact:
This is a benign error that can be safely ignored.

Workaround:
None.

Fix:
The system now suppresses logging when attempting to delete a non-existent file.


494321 : 'tmsh install sys software block-device-image' installs the local image instead of the block-device image.

Solution Article: K75201605

Component: TMOS

Symptoms:
Both the 'tmsh install sys software image' and 'tmsh install sys software block-device-image' commands set the software_desired row corresponding with the target volume, to the product/version/build of the image specified for installation. The lind process, which manages software installation/volume creation tasks, then uses that product/version/build to search for a matching image. If both a local image and a block-device-image exist with the same product/version/build, the lind picks one based on its own preference. Because of the lind preference for local images, this might result in a local image being installed, even though the command issued is 'tmsh install sys software block-device-image'.

Conditions:
-- There exists both a local image and a block-device-image with the same product/version/build.
-- You run the following command: tmsh install sys software block-device-image

Impact:
The system installs the local image instead of the block-device image.

In most cases, this is not an issue: the requested software is still installed, so the goal is achieved. In some cases, however, the image chosen by lind is not actually accessible. In this case, installation fails.

Workaround:
Delete any local images mirroring the block device being installed.

Fix:
The lind now conducts a 'read test' when searching for available images. If an image is readable and has the proper checksum, it will be used, so the installation request will not fail if it is at all possible.


480206 : IKE peer (ike-peer) configuration objects in non-Common partition are visible to all in GUI

Component: TMOS

Symptoms:
IKE peer configuration objects ('ike-peer') in non-Common partition are visible to all users via the web UI.

Conditions:
- Partitions are in use.
- IPsec is configured in a partition other than /Common.
- An IKE peer object is configured in a partition that is not /Common.

Impact:
All users can see the IKE peer object using the web UI even though the object does not belong to the /Common partition.

Users in one partition can see the list of IKE peer objects belonging to other partitions.

There is inconsistent partition behavior for IKE peer objects on the BIG-IP system and these objects will not be stored in their respective partition configuration files.

Workaround:
None.

Fix:
IKE peer configuration objects are now stored in their respective partition configuration files on the BIG-IP system. The web UI will not display the partitioned IKE peer configuration objects to unauthorized users.


464002 : NA Admin UI requires options that are not needed

Component: Access Policy Manager

Symptoms:
You must provide 'Client proxy address' or 'Client Proxy Autoconfig Script' values even if "Use Client Proxy" is selected in the Network Access configuration UI.

Conditions:
"Use Client Proxy" option is selected in Network Access configuration UI.

Impact:
Administrator is required to enter configuration values that won't be used.

Workaround:
Method #1: Enter dummy values for the required fields.

Method #2: Add a variable assign to the VPE (before the resource assign) with the following expression :

{
    expression "return {<client_proxy>1</client_proxy><client_proxy_use_local_proxy>1</client_proxy_use_local_proxy>}"
    varname config.connectivity_resource_network_access./Common/<network_access_resource>.client_proxy_settings
}

Fix:
Not Fixed


456376-1 : BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32

Solution Article: K53153545

Component: Advanced Firewall Manager

Symptoms:
The BIG-IP system does not allow IPv4-mapped-IPv6 notation (with prefix length greater than 32) in tmsh or GUI. When trying to add '::ffff:0.0.0.0/96' to an address list or directly to a rule the system posts an error: Error parsing IP address: ::ffff:0.0.0.0/96.

Conditions:
-- IPv4-mapped-IPv6 notation in the configuration.
-- Adding prefix length greater than 32.

Impact:
Cannot successfully specify an IPv4-mapped-IPv6 block to be configured in AFM firewall rule (and possibly other AFM configurations as well).

Workaround:
To drop the IPv4-mapped-IPv6 block, enable the following DoS db variable: dos.dropv4mapped.

Fix:
You can now use tmsh for IPv4-mapped-IPv6 notation with prefix length greater than 32.


451396 : ASM OWA Exchange 2010 Application-Ready Security Policy should change URL content profile.

Solution Article: K81448021

Component: Application Security Manager

Symptoms:
ASM OWA Exchange 2010 Application-Ready Security Policy should change URL content profile.

Conditions:
1. Apply OWA Exchange 2010 Application-Ready Security Policy template.
2. Template that contains 'apply_value_signature' on /Microsoft-Server-ActiveSync URL.

Impact:
The ASM Enforcer daemon (bd) crashes.

Workaround:
Change the OWA Exchange 2010 Application-Ready Security Policy template to remove 'apply_value_signature' on /Microsoft-Server-ActiveSync URL.

Fix:
Changed the OWA Exchange 2010 Application-Ready Security Policy template to remove 'apply_value_signature' on the /Microsoft-Server-ActiveSync URL, to avoid a bd core.


444767 : Issues with Outlook Web App through APM Portal Access only on Internet Explorer 11

Component: Access Policy Manager

Symptoms:
Access to Office365 Outlook Web Access services using Portal Access is broken for HTML5-supported browsers. The user is redirected to the APM Logout page after successfully logging in to Office365.

Conditions:
The issue occurs when user accesses Office365 Outlook Web Access application through APM Portal Access using Internet Explorer 11.

Impact:
User cannot get access to Mailbox in Office365 Outlook Web Access through Portal Access using HTML5-supported browsers.

Workaround:
This example iRule disables OWA offline-caching support:

when HTTP_REQUEST {
   if { [string tolower [HTTP::uri]] contains "/owa/manifests/appcachemanifesthandler.ashx" } {
      HTTP::respond 404
   }
}

Fix:
Portal Access now removes references to HTML5 offline cache manifests when rewriting HTML pages. This change prevents web applications from loading such manifests.


436116 : The tcpdump utility may fail to capture packets

Solution Article: K43726131

Component: TMOS

Symptoms:
Although packets are flowing correctly through the BIG-IP system, the tcpdump utility may capture no packets when certain command options are used.

Conditions:
This issue occurs when all of the following conditions are met:

- You configure tcpdump to listen for packets on a physical interface (e.g., -i 1.1).

- You configure tcpdump to save the packets to a file in binary format (e.g., -w /var/tmp/example.pcap).

- You configure tcpdump to produce verbose output while capturing packets (e.g., -v, -vv or -vvv).

Impact:
The tcpdump utility does not capture any packets, which may create confusion for a BIG-IP Administrator performing troubleshooting on the system. This issue does not affect the traffic-passing abilities of the system, however.

Workaround:
You can work around this issue by starting the tcpdump utility without the -v, -vv or -vvv verbose output options.


431480-4 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message

Component: Local Traffic Manager

Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.

Conditions:
The exact conditions that result in this error are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time, but the system recovers without any user action.


424588 : iRule command [DOSL7::profile] returns empty value

Component: Application Security Manager

Symptoms:
iRule command [DOSL7::profile] returns an empty value.

Conditions:
iRule with the [DOSL7::profile] command attached to a virtual server.

Impact:
The iRule returns an empty value.

Workaround:
None.

Fix:
The [DOSL7::profile] command now returns the DoS profile name attached to virtual server, as expected.


421966 : Unable to determine what topology record was selected from pool and pool member decision logging

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool and pool member selection and traversal logs do not indicate what topology records were used when using topology load balancing.

Conditions:
Occurs when topology is used for load balancing either by selecting the topology load balancing method on a gtm pool or wideip, or by selecting Quality of Service (QoS) with a non-zero topology weight.

Impact:
It may be more difficult to diagnose problems with a topology configuration.

Workaround:
None. This information cannot be easily gleaned from elsewhere.

Fix:
If pool or pool member traversal logging is enabled on a wideip and a listener has an attached dns profile that has logging enabled and a logging profile, then topology selections will be logged when topology is used for load balancing, including when a topology QoS score is generated.


419836 : When switching between files in advanced customization without saving, the changes are lost

Component: Access Policy Manager

Symptoms:
When you switch from editing one file to editing another file in advanced customization without saving the first file, changes to the first file are lost.

Impact:
This is not user friendly as a user may spend a lot of time on editing the file. When clicking another file, the user does not know that changes will be lost and are not recoverable.

Workaround:
A user can only modify the file again after the change is lost.


406117 : Installing a hotfix may cause APD to continuously restart

Component: Access Policy Manager

Symptoms:
If you install a hotfix ISO over an existing installation that has APM provisioned, APD continuously restarts.

Conditions:
Install a hotfix ISO over an existing installation that has APM provisioned.

Impact:
APD continuously restarts.

Workaround:
To install this hotfix, type these commands:
# tmsh delete sys software volume <target volume>
# tmsh install sys software hotfix Hotfix-BIGIP-<your hotfix version>.iso volume <target volume> create-volume

Fix:
N/A



Known Issues in BIG-IP v14.1.x


TMOS Issues

ID Number Severity Solution Article(s) Description
750580-1 2-Critical   Installation using image2disk --format may fail after TMOS v14.1.0 is installed
748205-3 2-Critical   SSD bay identification incorrect for RAID drive replacement
746464-1 2-Critical   MCPD sync errors and restart after multiple modifications to file object in chassis
743803-1 2-Critical   IKEv2 potential double free of object when async request queueing fails
737692 2-Critical   Handle x520 PF DOWN/UP sequence automatically by VE
726487-4 2-Critical   VIPRION secondary MCPD, Node Name encodes IP address which differs from supplied
707013-3 2-Critical   vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest
668041-4 2-Critical K27535157 Config load fails when an iRule comment ends with backslash in a config where there is also a policy.
621260-2 2-Critical   mcpd core on iControl REST reference to non-existing pool
751409-1 3-Major   MCP Validation does not detect when virtual servers differ only by overlapping VLANs
751024-4 3-Major   i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd
751021-1 3-Major   One or more TMM instances may be left without dynamic routes.
751011-3 3-Major   ihealth.sh script and qkview locking mechanism not working
751009-3 3-Major   Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out
750447-3 3-Major   GUI VLAN list page loading slowly with 50 records per screen
750318-3 3-Major   HTTPS monitor does not appear to be using cert from server SSL profile
749785-2 3-Major   nsm can become unresponsive when processing recursive routes
749382-1 3-Major   Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater
748545-1 3-Major   Remove 'sys-unconfig' and 'rhel-configure' binaries and related systemd service
748295-1 3-Major   TMM crashes on shutdown when using virtio NICs for dataplane
748187-4 3-Major   'Transaction Not Found' Error on PATCH after Transaction has been Created
747676-3 3-Major   Remote logging needs 'localip' to set source IP properly
746657-1 3-Major   tmsh help for FQDN node or pool member shows incorrect default for fqdn interval
746266-3 3-Major   Vcmp guest vlan mac mismatch across blades.
745825-1 3-Major   The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading
744730-1 3-Major   Specifying a larger system disk during VE launch requires manual reboot for the increase to go into effect
744520-1 3-Major   virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface
744252-2 3-Major   BGP route map community value: either component cannot be set to 65535
743132-6 3-Major   mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile
742753-4 3-Major   Accessing the BIG-IP system's WebUI via special proxy solutions may fail
742170-2 3-Major   REST PUT command fails for data-group internal
740589-1 3-Major   mcpd crash with core after 'tmsh edit /sys syslog-all-properties'
740543-1 3-Major   System hostname not displayed in console
739118-1 3-Major   Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
737739-1 3-Major   bash shell still accessible for admin even if disabled
737536-2 3-Major   Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
737346-1 3-Major   After entering username and before password, the logging-in user's failure count is incremented.
727191-1 3-Major   Invalid arguments to run sys failover do not return an error
721585-1 3-Major   mcpd core processing ltm monitors with deep level of inheritance
721020-1 3-Major   Changes to the master key are reverted after full sync
720001 3-Major   Using custom default gateway in AWS makes instance metadata endpoint 169.254.169.254 inaccessible.
718405-2 3-Major   RSA signature PAYLOAD_AUTH mismatch with certificates
709559 3-Major   LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name
701341-4 3-Major K52941103 If /config/BigDB.dat is empty, mcpd continuously restarts
698933-6 3-Major   Setting metric-type via ospf redistribute command may not work correctly
687888 3-Major   Unexpected result from multiple changes to a monitor-related object in a single transaction
687172-1 3-Major   Pools do not appear as expected after deploying iApp via iWorkflow
677941 3-Major   Disabling htsplit is not supported on C124
676442 3-Major K37113440 Changes to RADIUS remote authentication may not fully sync
671553 3-Major   iCall scripts may make statistics request before the system is ready
657834-5 3-Major K45005512 Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
641450-7 3-Major K30053855 A transaction that deletes and recreates a virtual may result in an invalid configuration
639619-7 3-Major   UCS may fail to load due to Master key decryption failure on EEPROM-less systems
591305-3 3-Major   Audit log messages with "user unknown" appear on install
517829-2 3-Major K16803 BIG-IP system resets client without sending error report when certificate is revoked
508302 3-Major   Auto-sync groups may revert to full sync
486712-5 3-Major   GUI PVA connection maximum statistic is always zero
469366 3-Major K16237 ConfigSync might fail with modified system-supplied profiles
441195 3-Major   UCS archive restore causes file duplication in filestore
437768 3-Major   Issues using bigip1 as a device name, 'Can't save/checkpoint DB object' message
418924 3-Major   Too many iso images in /shared/images causes swap
378967 3-Major   Users are not synchronized if created in a partition
364717 3-Major   Persist records deleted when non-existing node-port is specified
751746-1 4-Minor   Downgrading from BIG-IP version 14.1.0 to an earlier version, the mode of /sys is incorrect.
751636-1 4-Minor   Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership
725874 4-Minor   AOM update occurs at every boot up
721987 4-Minor   open-vm-tools now reports selfips in addition to management IP
720084 4-Minor   SFC statistics under the OUT column are always zero
718506 4-Minor   The engineID is included with sync'ed device configuration in the device trust
706106 4-Minor   PUT request sent to ltm/virtual failed because of ip-protocol property value any
696465 4-Minor   Running 'tmsh run /cm watch-devicegroup-device' does not work for IPv6 connections
678117 4-Minor   'Can't create a home directory' logged for remote users on secondary blades after configsync
678009 4-Minor   An internal virtual server as a Service Function (SF) displays its capability as NSH unaware
659948 4-Minor   statemirror.ipaddr db variable does not sync to peers
636823 4-Minor   Node name and node address
636615 4-Minor   Whitespace is manipulated when using certificate export/import
631083 4-Minor   Some files in home directory are overwritten on password change
567723 4-Minor   Config verify may alter tacacs system-auth
566980 4-Minor   Periodic error "User login disallowed" messages logged referring to user "guest"
484683-2 4-Minor K84174454 certificate_summary is not created at peer when the chain certificate is synced to HA peer.
455525 4-Minor   When creating users, their role and partition information are normally expected.
679431-4 5-Cosmetic   In routing module the 'sh ipv6 interface <interface> brief' command may not show header
440713 5-Cosmetic   TMSH incorrectly shows the 'Expires' date for ramcache profile on server content with an expiry date greater than or equal to year 2038.


Local Traffic Manager Issues

ID Number Severity Solution Article(s) Description
751589-1 2-Critical   In BIG-IP VE, some IP rules may not be created during the first boot up.
747617-2 2-Critical   TMM core when processing invalid timer
746710-1 2-Critical   Use of HTTP::cookie after HTTP:disable causes TMM core
745589-6 2-Critical   In very rare situations, some filters may cause data-corruption.
742184-3 2-Critical   TMM memory leak
738945-4 2-Critical   SSL persistence does not work when there are multiple handshakes present in a single record
726900-1 2-Critical   Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters
716714-4 2-Critical   OCSP should be configured to avoid TMM crash.
712534 2-Critical   DNSSEC keys are not generated when configured to use an external FIPS device
706501-1 2-Critical   VCMP guest, tmm continues to restart on Cavium Nitrox PX platform
704540 2-Critical   Monitor configuration with invalid 'key' and 'cert' not detected upon upgrade post v13.1.x
670069 2-Critical   Rare tmm crash when changing the configuration of a FastL4 virtual server while passing traffic.
625807-1 2-Critical   tmm cored in bigproto_cookie_buffer_to_server
404659 2-Critical   State mirroring within eight-blade VIPRION 4800 chassis
366060 2-Critical   FTP mirroring fails when landing on tmm0
751036-1 3-Major   Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
750473-4 3-Major   VA status change while 'disabled' are not taken into account after being 'enabled' again
750200-3 3-Major   DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
749689-2 3-Major   HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart
749414-4 3-Major   Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects
749294-4 3-Major   TMM cores when query session index is out of boundary
748529-1 3-Major   BIG-IP Virtual Edition with cloudhsm integration needs to restart tmm after a fresh install
746922-6 3-Major   When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
746078-1 3-Major   Upgrades break existing iRulesLX workspaces that use node version 6
745545-1 3-Major   CMP forwarded LRO host packets do not restore LRO flag
744686-2 3-Major   Wrong certificate can be chosen during SSL handshake
743900-1 3-Major   Custom DIAMETER monitor requests do not have their 'request' flag set
742838-1 3-Major   A draft policy of an existing published policy cannot be modified if it is in /Common and used by a virtual server in a different partition
742237-4 3-Major   CPU spikes appear wider than actual in graphs
740959-4 3-Major   User with manager rights cannot delete FQDN node on non-Common partition
739963-4 3-Major   TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
739349-3 3-Major   LRO segments might be erroneously VLAN-tagged.
738450-1 3-Major   Parsing pool members as variables with IP tuple syntax
724158 3-Major   Virtual server is not accessible from internal host when Traffic Matching Criteria is configured as address subnet
723306-1 3-Major   Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
722707-2 3-Major   mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
720219-3 3-Major K13109068 HSL::log command can fail to pick new pool member if last picked member is 'checking'
718790-1 3-Major   Traffic does not forward to fallback host when all pool members are marked down
717896-4 3-Major   Monitor instances deleted in peer unit after sync
717100-1 3-Major   FQDN pool member not added if FQDN resolves to same IP as another existing FQDN pool member
716167-2 3-Major   The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the MTU of the kernel interface tmm_bp as reported by 'ip a list dev tmm_bp' or 'ifconfig tmm_bp'
710930-3 3-Major   Enabling BigDB key bigd.tmm may cause SSL monitors to fail
704450-5 3-Major   bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
689361-4 3-Major   Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)
687044 3-Major   tcp-half-open monitors might mark a node up in error
686059-4 3-Major   FDB entries for existing VLANs may be flushed when creating a new VLAN.
671261 3-Major K32306231 MCP does not recognize 'Notify Status to Virtual Address' when using 'Selective' setting of ICMP Echo
655383 3-Major   Failure to extend database continues to execute rather than halting because of fragmented state.
633110 3-Major K09293022 Literal tab character in monitor send/receive string causes config load failure, unknown property
620896-1 3-Major   mcpd fails to load configuration on upgrade if transparent monitors are configured for FQDN nodes
620053 3-Major   Gratuitous ARPs may be transmitted by active unit being forced offline
571482 3-Major   Unbalanced double-quotes may merge lines upon config save-then-load
473787-5 3-Major   System might fail to unchunk server response when compression is enabled
425018 3-Major   Loading a SCF after modifying self IP may cause route in Linux kernel to be dropped
383641 3-Major   Cannot use ssldump to decrypt SSL traffic protected by netHSM key
747968-3 4-Minor   DNS64 stats not increasing when requests go through dns cache resolver
747628-1 4-Minor   BIG-IP sends spurious ICMP PMTU message to server
744210-2 4-Minor   DHCPv6 does not have the ability to override the hop limit from the client.
738045-5 4-Minor   HTTP filter complains about invalid action in the LTM log file.
722534-1 4-Minor   load sys config merge not supported for iRulesLX
711562 4-Minor   TLS1.3 handshake fails for RSA PSS SHA512 with netHSM RSA 1024-bit key
702800 4-Minor   bigd crash when processing monitor instance missing node name
688542 4-Minor   SASP GWM monitor always sets No Change / No Send Flag in Set LB State Request
615443 4-Minor K09481738 HSL::send does not support handle of type string
600466 4-Minor   Monitored nodes are not marked down upon receipt of ICMP Unreachable / Administratively Prohibited.
582595 4-Minor K52029952 default-node-monitor is reset to none for HA configuration.
527448 4-Minor   Monitor state remains 'manual-resume-wait' after disabling and then re-enabling the monitor.
459251-1 4-Minor   Ramcache causes failed transactions.
666378-1 5-Cosmetic   A virtual server's connections per second (precision.last_value) is confusingly named.


Performance Issues

ID Number Severity Solution Article(s) Description
746620-3 3-Major   "source-port preserve" does not work on BIG-IP Virtual Edition


Global Traffic Manager (DNS) Issues

ID Number Severity Solution Article(s) Description
722741-1 2-Critical   Damaged tmm dns db file causes zxfrd/tmm core
751540-3 3-Major   GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server
749222-1 3-Major   dname compression offset overflow causes bad compression pointer
746877-1 3-Major   Omitted check for success of memory allocation for DNSsec resource record
746719-1 3-Major   zrd sets recursion desired and can't edit NS records when bind set recursion yes
745035-2 3-Major   gtmd crash
744937-1 3-Major   Make authenticated-denial-of-existence NSEC3 RR Types Bitmap reflect available Resource Records
744787-4 3-Major   Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias
744707-2 3-Major   Fixed crash related to DNSSEC key rollover
739553-1 3-Major   Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
723288-4 3-Major   DNS cache replication between TMMs does not always work for net dns-resolver
679316-7 3-Major   iQuery connections reset during SSL renegotiation
222220-4 3-Major   Distributed application statistics
748177-1 4-Minor   Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character
744280-2 4-Minor   Enabling or disabling a Distributed Application results in a small memory leak
743987 4-Minor   DNSX can no longer receive DNS NOTIFY messages on self ips
712335-3 4-Minor   GTMD may intermittently crash under unusual conditions.
480795 4-Minor K40120584 [GTM] Move address from one HA redundant LTM to another could cause BIG-IP monitor fail
699757 5-Cosmetic   TMSH not listing GTM Listener rules when listing all listeners


Application Security Manager Issues

ID Number Severity Solution Article(s) Description
750922-1 2-Critical   BD crash when content profile used for login page has no parse parameters set
748321-1 2-Critical   bd crash with specific scenario
744347-4 2-Critical   Protocol Security logging profiles cause slow ASM upgrade and apply policy
751710-4 3-Major   False positive cookie hijacking violation
750683-1 3-Major   REST Backwards Compatibility: Cannot modify enforcementMode of host-name
750356-2 3-Major   Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted
748999-3 3-Major   invalid inactivity timeout suggestion for cookies
748851-3 3-Major   Bot Detection injection include tags which may cause faulty display of application
748409-2 3-Major   Illegal parameter violation when json parsing a parameter on a case-insensitive policy
747777-3 3-Major   Extractions are learned in manual learning mode
746750-1 3-Major   Search Engine get Device ID challenge when using the predefined profiles
746394-1 3-Major   With ASM CORS set to "Disabled" it strips all CORS headers in response.
745802-1 3-Major   Brute Force CAPTCHA response page truncates last digit in the support id
745531-2 3-Major   Puffin Browser gets blocked by Bot Defense
739945-4 3-Major   JavaScript challenge on POST with 307 breaks application
737866-2 3-Major   Rare condition memory corruption
723790-3 3-Major   Idle asm_config_server handlers consume a lot of memory
747560-5 4-Minor   ASM REST: Unable to download Whitehat vulnerabilities
742142 5-Cosmetic   Errors in browser console in browser verification challenge


Application Visibility and Reporting Issues

ID Number Severity Solution Article(s) Description
746941-2 2-Critical   avrd memory leak when BIG-IQ fails to receive stats information
749464-2 3-Major   Race condition while BIG-IQ updates common file
749461-2 3-Major   Race condition while modifying analytics global-settings
745027-2 3-Major   AVR is doing extra activity of DNS data collection even when it should not
744595-3 3-Major   DoS-related reports might not contain some of the activity that took place
744589-3 3-Major   Missing data for Firewall Events Statistics
715110-1 3-Major   AVR should report 'resolutions' in module GtmWideip
375997 5-Cosmetic   mysqld incorrectly classifies the lost+found directory as a database location resulting in benign errors in the mysql log.


Access Policy Manager Issues

ID Number Severity Solution Article(s) Description
352865 1-Blocking   Firefox 4 beta crashes or displays a warning, Unresponsive script for cache-fm.js.
647590 2-Critical   Apmd crashes with segmentation fault when trying to load access policy
238556 2-Critical K13782 The BIG-IP APM network access tunnel does not use a floating IP address
750823-1 3-Major   Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
749036-2 3-Major   Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM
748451-3 3-Major   Manager users cannot perform changes in per-request policy properties
748070 3-Major   API Protection feature inadvertently allows editing of associated access policy
746771-3 3-Major   APMD recreates config snapshots for all access profiles every minute
745654-4 3-Major   Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
745574-1 3-Major   URL is not removed from custom category when deleted
744532 3-Major   Websso fails to decrypt secured session variables
744316-4 3-Major   Config sync of APM policy fails with Cannot update_indexes validation error.
743437-3 3-Major   Portal Access: Issue with long 'data:' URL
738547-3 3-Major   SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII
700449 3-Major   Switch statements should be terminated with '--' to mark the end of the options
673357-1 3-Major   SWG puts flow in intercept mode when session is not found
600985-1 3-Major   Network access tunnel data stalls
440924 3-Major   Upgrade from some versions to 11.6.0 can fail with APM rewrite profile
424592 3-Major K71220204 Request logging not logging pool name with APM
399696 3-Major   "WEBSSO::select" cannot use SSOv2 configuration objects
351360 3-Major   Network Access flows can go to wrong route domain
307037 3-Major   Dynamic Resources Are Assigned But Not Accessible
467321 4-Minor   Running Response Analytics for SSL Bypass traffic allows connection and does not have URL Request Log information
423161 4-Minor   Network Access related log messages logged after VPN tunnel is closed
422822 4-Minor   Error logged by SSOv2 plugin when unholding request done event


WebAccelerator Issues

ID Number Severity Solution Article(s) Description
751383-1 4-Minor   Invalidation trigger parameter values are limited to 256 bytes
748031-1 4-Minor   Invalidation trigger parameter containing reserved XML characters does not create invalidation rule


Service Provider Issues

ID Number Severity Solution Article(s) Description
751179-1 3-Major   MRF: Race condition may create too many outgoing connections to a peer
749603-1 3-Major   MRF SIP ALG: Potential to end wrong call when BYE received
749528-1 3-Major   IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap
749227-1 3-Major   MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE
748253-1 3-Major   Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
747187-2 3-Major   SIP falsely detects media flow collision when SDP is in both 183 and 200 response
746825-1 3-Major   MRF SIP ALG with SNAT: Ephemeral listeners not created for un-subscribed outgoing calls
746731-1 3-Major   BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
745628-1 3-Major   MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
745514-1 3-Major   MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
744949-1 3-Major   MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix
744275-1 3-Major   BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
742829-1 3-Major   SIP ALG: Do not translate and create media channels if the RTP port defined in the SIP message is 0
716915 3-Major   Changing iRule attached to IVS can cause 'not ready for connections' error
749704-2 4-Minor   GTPv2 Serving-Network field with mixed MNC digits
747909-5 4-Minor   GTPv2 MEI and Serving-Network fields decoded incorrectly


Advanced Firewall Manager Issues

ID Number Severity Solution Article(s) Description
680804 2-Critical   TMM restart due to delayed keep alives
418812 2-Critical   Deploying large firewall policy configuration changes can exhaust available memory on the BIG-IP device.
751116-1 3-Major   DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring
749761-3 3-Major   AFM Policy with Send to Virtual and TMM crash in a specific scenario
748176-1 3-Major   BDoS Signature can wrongly match a DNS packet
748081-1 3-Major   Memory leak in BDoS module
747926-2 3-Major   Rare TMM restart due to NULL pointer access during AFM ACL logging
663946-6 3-Major   VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments


Policy Enforcement Manager Issues

ID Number Severity Solution Article(s) Description
721605 2-Critical   Do not fail over data between different versions of BIG-IP software.
747065-2 3-Major   PEM iRule burst of session ADDs leads to missing sessions
746344-3 3-Major   PEM may not re-establish diameter connection after HA switchover
726647-5 3-Major   PEM content insertion in a compressed response may truncate some data
726011-4 3-Major   PEM transaction-enabled policy action lookup optimization to be controlled by a sys db
719121 3-Major   DHCP lease query fails to work when DHCP modes are switched from Relay to Forwarding or vice-versa.
712566 3-Major   PEM quota bucket gets deleted after receiving diameter too busy for max retry count
655592 3-Major   PEM bigTCP optimization is wrongly selected in case of UNKNOWN subscriber policy.
719107 4-Minor   Message type is not displayed in CLI and incorrect message type is displayed in GUI for Subscriber Management diameter protocol profile message type CCA-T.
504273 4-Minor   Double count for PEM action and policy with forwarding endpoint


Carrier-Grade NAT Issues

ID Number Severity Solution Article(s) Description
744516-4 2-Critical   TMM panics after a large number of LSN remote picks
720075 3-Major   LSN Translations may fail with 'LSN pick took too long' with NAPT mode and ipport cmp-hash
717328 3-Major   XLAT iRule commands do not support TCP Fast Open
717324 3-Major   XLAT commands do not support DSLITE
679515 3-Major   Connections may fail when source-port=preserve-strict on the virtual, L4 mirroring is enabled and LSN pool/AFM dynamic-pat NAPT mode is configured with default DAG
435646 3-Major K16115 CGNAT: iRules invoking LSN::pool for an lsn_pool that is not connected to a virtual server will not be able to use inbound connections
721579 4-Minor   LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing


Fraud Protection Services Issues

ID Number Severity Solution Article(s) Description
745783-1 3-Major   Anti-fraud: remote logging of login attempts
709319 3-Major   Post-login client-side alerts are missing username in bigIQ
660759-1 3-Major   Cookie hash persistence sends alerts to application server.
741449-3 4-Minor   alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
738677-1 4-Minor   Configured name of wildcard parameter is not sent in data integrity alerts
715630 4-Minor   Case insensitive views in IE


Anomaly Detection Services Issues

ID Number Severity Solution Article(s) Description
748121-3 2-Critical   admd livelock under CPU starvation


Traffic Classification Engine Issues

ID Number Severity Solution Article(s) Description
737379-2 3-Major   URLCAT doesn't work when we have uppercase characters in feedlist


Known Issue details for BIG-IP v14.1.x

751746-1 : Downgrading from BIG-IP version 14.1.0 to an earlier version, the mode of /sys is incorrect.

Component: TMOS

Symptoms:
rpm is used to check current file states versus expected file states in the 'filesystem' package; changes are detected:

[root@localhost:NO LICENSE:Standalone] config # rpm -V filesystem
.M....... /sys

Conditions:
-- BIG-IP version 14.1.0 is running.
-- An earlier software version is installed.
-- The system is then booted into that earlier version.

Impact:
There is no known impact to the system if this occurs, but running 'rpm -V filesystem' reports the discrepancy.

Workaround:
From a shell, run the following command to correct the mode of the directory:

chmod u+w /sys


751710-4 : False positive cookie hijacking violation

Component: Application Security Manager

Symptoms:
A false positive cookie hijacking violation.

Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with a higher domain level than the configured one.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.

Impact:
False positive violation / blocking.

Workaround:
N/A


751636-1 : Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership

Component: TMOS

Symptoms:
After downgrading from BIG-IP version 14.1.0 to an earlier version, the group IDs of /var/lock and /var/spool/mail are incorrect. This can be encountered after you boot into the earlier-versioned software image. /var/log/liveinstall.log contains the following messages:

-- info: RPM: filesystem-2.4.30-3.el6.0.0.10.i686
-- info: RPM: warning: group lock does not exist - using root
-- info: RPM: warning: group mail does not exist - using root

When running the following command:
config # rpm -V filesystem
......G.. /var/lock
......G.. /var/spool/mail

The expected results are as follows:
config # rpm -V filesystem
config # stat -c %G /var/lock
lock
config # stat -c %G /var/spool/mail
mail

In this version, the results are as follows:
config # rpm -V filesystem
config # stat -c %G /var/lock
root
config # stat -c %G /var/spool/mail
root

Conditions:
-- BIG-IP version 14.1.0 is running.
-- An earlier software version is installed.
-- The system is then booted into that earlier version.

Impact:
There is no known impact to the system if this occurs; however, running rpm -V will report these two discrepancies.

This occurs because rpm versions 4.8 and earlier have built-in recognition of exactly three group names: 'root', 'mail', and 'lock'. In v4.8, these special names appear in <src>/lib/misc.c:gnameToGid. To use the group names 'mail' and 'lock' as intended, all BIG-IP releases earlier than BIG-IP v14.1.0 rely on this special feature of rpm.

BIG-IP v14.1.0 moved to rpm version 4.11, in which the function no longer exists.

Workaround:
From a shell, correct the group ID of the two directories with the following two commands:

config # chgrp lock /var/lock
config # chgrp mail /var/spool/mail


751589-1 : In BIG-IP VE, some IP rules may not be created during the first boot up.

Component: Local Traffic Manager

Symptoms:
The BIG-IP Virtual Edition (VE) system might not be able to install some IP rules in the host during the first boot up. As a result, some types of traffic (e.g., ssh) destined for the BIG-IP system via the data path (not via the management interface) might not be able to respond back to a sender. This issue exists only during the first boot into a new BIG-IP partition after installation.

Conditions:
This issue exists if the following conditions are met:
-- The BIG-IP system is VE.
-- Before installing a new BIG-IP image, the sys db variables 'liveinstall.saveconfig' and 'liveinstall.moveconfig' are both set to 'disable'. By default, both variables are set to 'enable'.
-- First boot into a new BIG-IP partition after installation.

Impact:
Some types of traffic (e.g., ssh) destined for the BIG-IP system via the data path (not via the management interface) might not be able to respond back to a sender.

Workaround:
You can use either of the following workarounds:

-- Restart mcpd using the following command:
bigstart restart mcpd

-- After the first boot into a new BIG-IP partition, you can simply reboot the BIG-IP system again, and then the necessary IP rules are created correctly.


751540-3 : GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server

Component: Global Traffic Manager (DNS)

Symptoms:
GTM changes in some devices are not synced to other GTM-configured devices in the same syncgroup.

Conditions:
-- There are multiple self IP addresses configured on one VLAN.
-- Some, but not all, self IP addresses are configured for GTM server.

Impact:
GTM Sync group not syncing properly.

Workaround:
Configure all self IP addresses in the syncgroup for GTM server.


751409-1 : MCP Validation does not detect when virtual servers differ only by overlapping VLANs

Component: TMOS

Symptoms:
It is possible to configure two virtual servers with the same address, port, and route domain, and have them overlap only in VLANs. MCP does not detect the overlap.

Errors like this may be seen in the ltm log:

err tmm1[29243]: 01010009:3: Failed to bind to address

Conditions:
Two (or more) virtual servers are configured with the same address, port, and route domain, and overlap only in VLANs.

Impact:
Traffic does not get routed properly.

Workaround:
There is no workaround other than ensuring that virtual servers that have the same address, port, and route domain have no overlap of VLANs.


751383-1 : Invalidation trigger parameter values are limited to 256 bytes

Component: WebAccelerator

Symptoms:
Invalidation trigger parameter values are limited to an internal representation of 256 bytes. The values are escaped for regex matching, so the effective value size from the user perspective can be somewhat smaller than 256 bytes. Oversize values result in invalidation of all content on the target policy node.

Conditions:
- AAM policy with invalidation trigger.
- invalidation trigger request with parameter value larger than 256 bytes.

Impact:
All content on target policy node is invalidated rather than the specific content targeted.

Workaround:
None.


751179-1 : MRF: Race condition may create too many outgoing connections to a peer

Component: Service Provider

Symptoms:
If two different connections attempt to create an outgoing connection to a peer at the same time, multiple connections may be created, even if the peer object is configured for one connection per peer. This is due to a race condition in the message routing framework during connection creation.

Conditions:
-- Two different connections attempt to create an outgoing connection to a peer at the same time.
-- The peer is configured for one connection per peer.

Impact:
More than one connection to a peer is created.

Workaround:
None.


751116-1 : DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring

Component: Advanced Firewall Manager

Symptoms:
The DoS visibility screens (Monitoring :: Security :: Reporting : DoS) may display DNS and Network protocol DoS attacks with the incorrect mitigation details.

Conditions:
An attacked object is assigned to a DoS profile whose DNS or Network security protocols are configured with detect-only or learn-only states for DoS attacks.

Impact:
Network or DNS DoS attacks, detected by a DoS profile with detect-only or learn-only protection, display mitigation as Blocking instead of the configured Transparent protection. This does not affect the reported traffic data found in the DoS visibility dimensions and charts.

Workaround:
None.


751036-1 : Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone

Component: Local Traffic Manager

Symptoms:
Virtual server status becomes unavailable when the connections are over the rate limit, and stays unavailable when the number of connections falls below the limit.

Conditions:
-- The connections are over the rate limit, making the virtual server status unavailable.
-- The number of connections falls below the limit.

Impact:
Virtual server status reports unavailable, even though it should be available.

Workaround:
This problem does not impact virtual server processing traffic. It simply reports the wrong status.


751024-4 : i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd

Component: TMOS

Symptoms:
Messages similar to the following appear in /var/log/ltm:

info bcm56xxd: 012c0012:6: I2C muxes are not cleared. Problem with mux 224:

Conditions:
-- i5000/i7000/i10000 platforms.
-- May be caused by a defective optic, rebooting/upgrading BIG-IP, removing and reinserting optics.

Impact:
Changes in optic state may be ignored while the I2C bus is unavailable.

Workaround:
For each SFP, perform the following procedure:

1. Unplug the optic.
2. Wait 10 seconds.
3. Plug optic back in.

Note: This message might be caused by a defective optic. If error messages stop when one optic is removed, and error messages resume when the optic is inserted, replace that optic.


751021-1 : One or more TMM instances may be left without dynamic routes.

Component: TMOS

Symptoms:
Inspecting the BIG-IP's routing table (for instance, using tmsh or ZebOS commands) shows that dynamic routes have been learnt correctly and should be in effect.

However, while passing traffic through the system, you experience intermittent failures. Further investigation reveals that the failures are limited to one or more TMM instances (all other TMM instances are processing traffic correctly). The situation does not self-recover and the system remains in this state indefinitely.

An example of a traffic failure can be a client connection reset with cause 'No route to host'. If the client retries the same request, and this hits a different TMM instance, the request might succeed.

Conditions:
This issue is known to occur when all of the following conditions are met:

- The system is a multi-blade VIPRION or vCMP cluster.

- The system just underwent an event such as a software upgrade, a reboot of one or more blades, a restart of the services on one or more blades, etc.

Impact:
Traffic fails intermittently, with errors that point to lack of routes to certain destinations.

Workaround:
You can try to temporarily resolve the issue by restarting the tmrouted daemon on all blades. To do so, run the following command:

# clsh "bigstart restart tmrouted"

However, there is no strict guarantee this will resolve the issue, given the nature of the issue.

Alternatively, you could temporarily replace the dynamic routes with static routes.


751011-3 : ihealth.sh script and qkview locking mechanism not working

Component: TMOS

Symptoms:
Two qkviews can be started up on a system at the same time, which results in conflicts for each.

Conditions:
Running qkview on one terminal and then ihealth.sh in another.

Impact:
Running of two qkviews at the same time breaks both qkviews since they compete for the same files.

Workaround:
Run either qkview or ihealth.sh, not both simultaneously.


751009-3 : Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out

Component: TMOS

Symptoms:
After generating a Qkview or collecting a tcpdump via the BIG-IP GUI, or using the 'tmsh run util ihealth' command to do the equivalent, the /var/tmp/mcpd.out file is missing.

Conditions:
-- Generating a Qkview or collecting a tcpdump via the BIG-IP GUI.
-- Using the 'tmsh run util ihealth' command to do the equivalent operation.

Impact:
The file /var/tmp/mcpd.out is a debug file used by mcpd, primarily for collecting debug-level log information from MCPD.

The file being deleted causes challenges with trying to collect diagnostic information from a BIG-IP system (turning on mcpd debug logging), because it now requires a service impact (restarting mcpd).

Additionally, this may cause challenges in managing disk space on the /shared filesystem, because mcpd keeps writing to a deleted file, and the file cannot be truncated.

Workaround:
Generating Qkviews by invoking the 'qkview' command directly avoids this issue.

Alternatively, edit the /usr/bin/ihealth.sh script to remove the line that deletes /var/tmp/mcpd.out.

From a bash shell:
1. mount -o remount,rw /usr
2. /bin/cp /usr/bin/ihealth.sh{,751009.bak}
3. sed -i '/\/bin\/rm -f \/var\/tmp\/mcpd.out/d' /usr/bin/ihealth.sh
4. mount -o remount,ro /usr

Note: This workaround does not persist across software installs/upgrades, nor does it ConfigSync or replicate across blades in a VIPRION chassis.
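The four-step edit above, wrapped in a script that checks for the deletion line before and after the sed edit and keeps a backup. This is an added example, not F5's ihealth.sh or any BIG-IP tool; the script path it edits and the sample ihealth.sh contents are constructed stand-ins so it can run anywhere, and the remount of /usr is left to the usage note because it only applies on a real BIG-IP system.

```shell
#!/bin/sh
# Added example for the 751009-3 workaround (not F5 code). Edits a copy of
# ihealth.sh that this script constructs itself; on a BIG-IP system the
# target would be /usr/bin/ihealth.sh with /usr remounted read-write first.

# Count lines that delete /var/tmp/mcpd.out in the given script.
# grep -c exits 1 when the count is 0, so force success to keep set -e quiet.
count_mcpd_out_rm_lines() {
    grep -c '/bin/rm -f /var/tmp/mcpd.out' "$1" || true
}

# Back up the script, delete the offending line with the same sed expression
# as the documented workaround, then confirm the line is really gone.
# Returns 0 when the edited script no longer contains the line, 1 otherwise.
strip_mcpd_out_rm() {
    script="$1"
    backup="${script}.751009.bak"
    if [ "$(count_mcpd_out_rm_lines "$script")" -eq 0 ]; then
        echo "no mcpd.out deletion line in $script; nothing to do"
        return 0
    fi
    /bin/cp "$script" "$backup"
    sed -i '/\/bin\/rm -f \/var\/tmp\/mcpd.out/d' "$script"
    [ "$(count_mcpd_out_rm_lines "$script")" -eq 0 ]
}

# Constructed stand-in for /usr/bin/ihealth.sh, written to a temp directory.
# Only the rm line matters for the demonstration; the rest is filler.
make_sample_script() {
    dir=$(mktemp -d)
    sample="$dir/ihealth.sh"
    cat > "$sample" <<'EOF'
#!/bin/sh
# constructed sample, not the real /usr/bin/ihealth.sh
qkview -f /var/tmp/ihealth.qkview
/bin/rm -f /var/tmp/mcpd.out
echo done
EOF
    echo "$sample"
}

SAMPLE=$(make_sample_script)
strip_mcpd_out_rm "$SAMPLE" && echo "edited $SAMPLE (backup at $SAMPLE.751009.bak)"
```

On a BIG-IP system, run 'mount -o remount,rw /usr' before calling strip_mcpd_out_rm on /usr/bin/ihealth.sh and 'mount -o remount,ro /usr' afterwards, exactly as in the numbered steps; the post-edit count check is what tells you the sed expression actually matched, since sed exits 0 whether or not it deleted anything.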


750922-1 : BD crash when content profile used for login page has no parse parameters set

Component: Application Security Manager

Symptoms:
Bd crashes. No traffic goes through ASM.

Conditions:
-- A JSON login page is configured.
-- The content profile used for the login page does not have parse parameters set.

Impact:
No traffic goes through ASM. Bd crashes.

Workaround:
Configure the parse parameters setting on the content profile used for the login page.


750823-1 : Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD

Component: Access Policy Manager

Symptoms:
Memory usage in TMM keeps going up.

Conditions:
The Access::policy evaluate command fails with the following error message in /var/log/ltm:

TCL error: ... - Failed to forward request to apmd.

Impact:
Memory leaks in TMM, which eventually cause a TMM crash.

Workaround:
Limit the amount of data that will be forwarded to APMD.


750683-1 : REST Backwards Compatibility: Cannot modify enforcementMode of host-name

Component: Application Security Manager

Symptoms:
Modifying the enforcementMode value fails with the following message: Valid Host Name already exists in this policy.

In 14.1.0, the capability to treat specific domains as Transparent while the rest of the policy is in Blocking moved from Host Names to the new Microservices feature. The REST endpoint for Host Names (/mgmt/tm/asm/policies/<ID>/host-names) is meant to still support setting and modifying this attribute. However, this is not happening successfully.

Conditions:
-- Running version 14.1.0 software.
-- Using a pre-14.1.0 REST API to modify the enforcementMode of a host name (/mgmt/tm/asm/policies/<ID>/host-names).

Impact:
The value change fails.

Workaround:
You can use either workaround:

-- Change the value using the GUI.

-- Use the newer endpoint: (/mgmt/tm/asm/policies/<ID>/microservices).


750580-1 : Installation using image2disk --format may fail after TMOS v14.1.0 is installed

Component: TMOS

Symptoms:
When v14.1.0 is installed, subsequent installations of software performed using image2disk with the --format=volumes option from within a TMOS installation slot may fail.

The failure occurs after the disks have been formatted, but before the TMOS installation slot is bootable, and the system is left without a TMOS installation slot.

While performing the installation, the system posts messages similar to the following in the serial console:

-- info: tm_install::RPM::rpm_db_find_by_namearch -- not found : MySQL-shared/i686
   ...
-- info: tm_install::VolumeSet::VolumeSet_install_packages -- installing package MySQL-shared (i686)
-- info: tm_install::RPM::rpm_db_find_by_namearch -- not found : openssl/x86_64
    ...
-- info: tm_install::VolumeSet::VolumeSet_install_packages -- installing package openssl (x86_64)
-- info: capture: status 32512 returned by command: chroot /mnt/tm_install/1258.DHwcwN rpm --rebuilddb
    ...
-- info: chroot: failed to run command 'rpm': No such file or directory

Conditions:
This issue occurs when all of the following conditions are met:
-- Version 14.1.0 is installed on the system, even if the system never boots into the 14.1.0 installation slot.
-- Using image2disk with the --format=volumes option specified from TMOS.
-- Installing another version of the software.


In particular, this issue affects MOS version 2.12.0-140.0, which can be checked by running this command from a bash shell on the BIG-IP system:

     grub_default -d | grep -A6 'TMOS maintenance' | grep 'TIC_STATIC_VERSION'

Impact:
The installation fails, and the system is left in a state where it is not accessible on the network and has no configuration. You must use the console to access the system.

Workaround:
You can use the following workarounds:

-- Use the Software Management screens in the GUI to perform installations.
-- Use the tmsh 'sys software' commands to perform software installations.
-- Do not use the image2disk --format command to install software.


750473-4 : VA status changes while 'disabled' are not taken into account after being 'enabled' again

Component: Local Traffic Manager

Symptoms:
The virtual-address network is not advertised with route-advertisement enabled.

Conditions:
1. Using a virtual-address with route advertisement enabled.
2. Disable the virtual-address while its state is down.
3. Enable virtual-address after state comes up.

Impact:
No route-advertisement of the virtual-address.

Workaround:
Toggle the route-advertisement for virtual-address.


750447-3 : GUI VLAN list page loading slowly with 50 records per screen

Component: TMOS

Symptoms:
The GUI VLAN list page loads slowly when there are 3200+ VLANs and the Records Per Screen preference is set to 50.

Conditions:
-- Using a VIPRION system.
-- Configuration containing 3200 or more VLANs.
-- System Preferences Records Per Screen set to 50.

Impact:
Cannot use the page.

Workaround:
Use tmsh or the guishell tool to see the VLANs.

You can also try using a smaller value for the Records Per Screen option in System :: Preferences.


750356-2 : Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted

Component: Application Security Manager

Symptoms:
In any Split View page (Request Log, Learning, etc.): All user-defined filters are removed if you delete a newly created filter without reloading the page first.

Conditions:
-- Create a new filter.
-- Remove the new filter.

Impact:
The system removes all user-defined filters.

Workaround:
Before you delete a newly created filter, reload the page.


750318-3 : HTTPS monitor does not appear to be using cert from server SSL profile

Component: TMOS

Symptoms:
An HTTPS monitor using a client certificate configured in the server SSL profile fails to send the certificate during the SSL handshake.

A tcpdump shows a 0-byte certificate being sent.

Conditions:
-- In-tmm monitoring is disabled (default).
-- The server SSL profile has been modified but without changing the configured certificate or key.

The resulting message passed from mcpd to bigd will contain only the incremental modification to the profile, which bigd treats as a complete profile, meaning that it is possible for the certificate and key parameters to be lost.

Impact:
SSL handshake might fail to complete and the HTTPS monitor fails.

Workaround:
Restart bigd process by running the following command:
bigstart restart bigd


750200-3 : DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode

Component: Local Traffic Manager

Symptoms:
DHCP requests from the client are sent only to the first member in the DHCP server pool.

Conditions:
- BIG-IP system configured as a DHCP Relay.
- DHCP server pool contains more than one DHCP server.

Impact:
- DHCP server load balancing is not achieved.
- If the first DHCP server in the DHCP server pool does not respond or is unreachable, the DHCP client will not be assigned an IP address.

Workaround:
None.


749785-2 : nsm can become unresponsive when processing recursive routes

Component: TMOS

Symptoms:
imish hangs, and the BIG-IP Network Services Module (nsm) daemon consumes 100% CPU.

Conditions:
-- Dynamic routing enabled.
-- Processing recursive routes from a BGP peer with different prefixlen values.

Impact:
Dynamic routing, and services that use dynamic routes, do not operate. nsm does not recover and must be restarted.

Workaround:
None.


749761-3 : AFM Policy with Send to Virtual and TMM crash in a specific scenario

Component: Advanced Firewall Manager

Symptoms:
TMM restarts in a specific scenario when an AFM policy is configured in multiple contexts (Global, Route Domain, Virtual Server), with Log Translation Fields enabled, and the Send-To-VS feature configured in at least one of the rules in the security policy.

Conditions:
-- When using a Firewall ACL Policy in more than one context, i.e., more than one of the following contexts has an ACL security policy applied:
  + Global Context
  + Route Domain
  + Virtual Server Context

-- Send To Virtual Server is configured on any Rule on the Security policy.

-- Traffic matching a Rule (with logging enabled) in more than one context.

-- The AFM Security Logging Profile has the Log Translation Fields option enabled.

Impact:
TMM restart causes service disruption. Traffic disrupted while tmm restarts.

Workaround:
Disable Logging of Translation Fields in Security Logging Profile.


749704-2 : GTPv2 Serving-Network field with mixed MNC digits

Component: Service Provider

Symptoms:
The iRule command 'GTP::ie get value' incorrectly decodes the Serving-Network field, placing the least significant digit of the mobile network code (MNC) before the other two.

Conditions:
Using the iRule command 'GTP::ie get value' to retrieve the Serving-Network field from a GTP message (the iRule construction: GTP::ie get value -message $gtp_message 83).

Impact:
The operation returns results in which the least significant digit is inserted before the other two, resulting in incorrect data being returned.

Workaround:
None.


749689-2 : HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart

Component: Local Traffic Manager

Symptoms:
The HTTPS monitor sends a different number of cipher suites in the client hello during the SSL handshake, and sometimes the back-end server fails to find a desired cipher suite in the client hello. As a result, the SSL handshake sometimes fails and the monitor wrongly marks the pool member down.

Conditions:
-- Have an SSL profile to be used by an HTTPS monitor.
-- Load the same config more than once.

Impact:
HTTPS monitor might incorrectly mark pool member down because of a failed SSL handshake.

Workaround:
Restart bigd using the following command:
bigstart restart bigd


749603-1 : MRF SIP ALG: Potential to end wrong call when BYE received

Component: Service Provider

Symptoms:
When a BYE is received, the media flows for a different call might be closed in error.

Conditions:
The hash of the call-id (masked to 12 bits) matches the hash of another call's call-id.

Impact:
The media flows for both calls will be closed when one receives a BYE command. A call may be incorrectly terminated early.

Workaround:
None.


749528-1 : IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap

Component: Service Provider

Symptoms:
Under certain conditions the wrong self-IP can be selected as a source address for connections from an Internal Virtual Server to remote servers.

Conditions:
- Using an Internal Virtual Server (IVS).
- The VLAN being used to connect from the IVS to the server does not have a floating self-IP configured.
- At least one other VLAN has a floating self-IP configured.
- The primary virtual server that connects to the IVS is using SNAT automap.

Impact:
IVS traffic might not be routed properly.

Workaround:
- Configure a floating self-IP on the IVS server side VLAN.
or
- Use a SNAT pool instead of automap.


749464-2 : Race condition while BIG-IQ updates common file

Component: Application Visibility and Reporting

Symptoms:
The file /var/config/rest/downloads/app_mapping.json is being used by two processes: BIG-IQ and avrd.
This can cause a race-condition between the two and in some rare cases can cause avrd to crash.

Conditions:
BIG-IQ updating /var/config/rest/downloads/app_mapping.json while avrd is reading it.

Impact:
avrd might read incomplete data, and can even core in some rare cases.

Workaround:
None.


749461-2 : Race condition while modifying analytics global-settings

Component: Application Visibility and Reporting

Symptoms:
Updating the analytics global-settings might cause a core for avrd.

Conditions:
Updating analytics global-settings using the following command:
tmsh modify analytics global-settings ...

Impact:
Might cause a core for avrd. After coring once, avrd is expected to start normally without any additional cores. The configuration change is expected to be applied correctly after restart is complete.

Workaround:
None.


749414-4 : Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects

Component: Local Traffic Manager

Symptoms:
There are two symptoms:

-- Modifying the monitor for a node or pool-member might remove monitor rule instances and monitor instances for other nodes/pool-members.
-- After those unrelated monitor rule instances and monitor instances are removed, if you try to alter the state of the pool-member/node, the system posts the following message: Invalid monitor rule instance identifier.

Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is not in a pool.
-- Run the following command: tmsh load /sys config
-- Loading a UCS or SCF file can also trigger the issue.

Impact:
The system might delete monitor rule instances for unrelated nodes/pool-members. Pool members are incorrectly marked down.

Workaround:
Failover or failback traffic to the affected device.


749382-1 : Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater

Component: TMOS

Symptoms:
Running a bare-metal installation via image2disk (i.e., 'image2disk --format=volumes <ISO>') may fail due to a missing command in the maintenance OS.

Conditions:
The version of MOS installed on the system is from a v14.1.0 or newer ISO, and a user attempts a bare-metal installation via the 'image2disk' command.

Impact:
Unable to perform bare-metal installations/installations from MOS in affected versions.

Workaround:
The installed version of MOS can be removed with the command '/usr/lib/bpdiag -a mos'. After doing this, installing a version older than 14.1.0 will re-install an older version of MOS without this issue. You can then reboot to MOS and manually run the installation using 'image2disk' from there.


749294-4 : TMM cores when query session index is out of boundary

Component: Local Traffic Manager

Symptoms:
TMM cores when the queried session index is out of bounds. This is not a usual case; it is most likely caused by memory corruption.

Conditions:
When the session index equals the size of the session cache.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
None.


749227-1 : MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE

Component: Service Provider

Symptoms:
Processing an INVITE message creates a temporary registration entry for an unregistered subscriber, but this registration entry is not extended if a subsequent INVITE occurs. This could cause the registration to expire during a call, thus allowing the reserved translated addresses to be provided to a different subscriber.

Conditions:
An INVITE message is received when the unregistered-subscriber-callout attribute in the siprouter-alg profile

Impact:
The system adds a temporary registration entry to the registration table. The lifetime for this entry is the max-session-timeout value from the siprouter-alg profile. Subsequent INVITES will not extend the lifetime.

This could cause the registration to expire during a call, allowing the reserved translated addresses to be provided to a different subscriber.

Workaround:
None.


749222-1 : dname compression offset overflow causes bad compression pointer

Component: Global Traffic Manager (DNS)

Symptoms:
DNS requests receive an error response:
- Got bad packet: bad compression pointer
- Got bad packet: bad label type

Conditions:
When the DNS response is large enough that a dname compression pointer refers to an offset larger than 0x3fff.

Impact:
DNS response is malformed.

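The error messages above are what a resolver reports when a compression pointer in a name has been formed from an offset that does not fit in the 14 bits RFC 1035 allows. The following is an added example in Python, not code from the release notes or from BIG-IP: a name encoder that refuses to emit a pointer to any offset above 0x3FFF (writing the labels out in full instead), a deliberately naive variant that masks the pointer to 16 bits so the overflow spills into the label-type bits, and a decoder that applies the checks a resolver applies (pointers must go strictly backwards, label types 01 and 10 are rejected). The message layout, the 0x8F3A transaction ID and the zero padding standing in for earlier records are constructed for the demonstration.

```python
"""Why a DNS name compression pointer cannot reach past offset 0x3FFF.

Added example, not part of the F5 release notes. Message layout, IDs and
padding below are constructed for the demonstration.
"""
import struct

MAX_PTR_OFFSET = 0x3FFF  # pointer = 0b11 + 14-bit offset (RFC 1035, 4.1.4)


class DnsNameError(ValueError):
    """Raised for the same conditions a resolver reports as 'bad packet'."""


def encode_name(name, msg, table, strict=True):
    """Append `name` to bytearray `msg`, reusing suffixes already written.

    `table` maps a suffix (tuple of labels) to the offset it was written at.
    strict=True only records, and only reuses, offsets that fit in 14 bits.
    strict=False is the naive behaviour: it records every offset and masks
    the resulting pointer to 16 bits, so an offset above 0x3FFF silently
    corrupts the pointer.
    """
    labels = tuple(l.encode() for l in name.rstrip('.').split('.') if l)
    for i, label in enumerate(labels):
        suffix = labels[i:]
        off = table.get(suffix)
        if off is not None:
            msg += struct.pack('>H', (0xC000 | off) & 0xFFFF)
            return
        here = len(msg)
        if not strict or here <= MAX_PTR_OFFSET:
            table[suffix] = here
        msg += bytes([len(label)]) + label
    msg += b'\x00'  # root label terminates the name


def decode_name(msg, off):
    """Decode the name starting at `off`; return (name, end offset).

    Every pointer must target an offset strictly before the previous
    pointer (or the name start), which also rules out pointer loops.
    """
    labels, end = [], None
    biggest_pointer = off
    while True:
        if off >= len(msg):
            raise DnsNameError('name runs past end of message')
        b = msg[off]
        kind = b & 0xC0
        if kind == 0x00:                       # ordinary label
            if b == 0:
                return '.'.join(labels) + '.', (end if end is not None else off + 1)
            if off + 1 + b > len(msg):
                raise DnsNameError('label runs past end of message')
            labels.append(msg[off + 1:off + 1 + b].decode('ascii'))
            off += 1 + b
        elif kind == 0xC0:                     # compression pointer
            if off + 1 >= len(msg):
                raise DnsNameError('truncated compression pointer')
            target = ((b & 0x3F) << 8) | msg[off + 1]
            if target >= biggest_pointer:
                raise DnsNameError('bad compression pointer')
            if end is None:
                end = off + 2
            biggest_pointer = target
            off = target
        else:                                  # 0b01 / 0b10 are not valid here
            raise DnsNameError('bad label type')


def build_large_message(strict):
    """Constructed message: a name written at offset 0x4000, then written again."""
    msg = bytearray(struct.pack('>HHHHHH', 0x8F3A, 0x8180, 1, 2, 0, 0))
    msg += b'\x00' * (0x4000 - len(msg))       # padding in place of earlier records
    table = {}
    first = len(msg)                           # 0x4000: does not fit in 14 bits
    encode_name('www.example.com.', msg, table, strict)
    second = len(msg)
    encode_name('www.example.com.', msg, table, strict)
    return bytes(msg), first, second


def demo():
    """Decode the second copy of the name under both encoders."""
    results = {}
    for strict in (True, False):
        msg, _, second = build_large_message(strict)
        try:
            results[strict] = decode_name(msg, second)[0]
        except DnsNameError as exc:
            results[strict] = 'error: %s' % exc
    # A normal-sized message: compression works as intended.
    msg, table = bytearray(12), {}
    encode_name('www.example.com.', msg, table)
    mail = len(msg)
    encode_name('mail.example.com.', msg, table)  # 'example.com' becomes a pointer
    results['small'] = decode_name(bytes(msg), mail)[0]
    return results


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

In the naive case the second name is encoded as the two bytes C0 00: the offset 0x4000 has been OR'ed into the pointer flag bits and the pointer now targets offset 0, the message header, where the transaction ID's first byte 0x8F reads as label type 10 and the decoder reports "bad label type". Had that byte begun with 0b11 the decoder would have followed it as another pointer and most likely reported "bad compression pointer" instead. The strict encoder gives up compression for that name, which is the only correct option once a suffix lives beyond 0x3FFF.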

749036-2 : Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM

Component: Access Policy Manager

Symptoms:
Some tmsh list commands may fail while SSLO is provisioned but no urldb or APM modules are provisioned with the following message: 'Password could not be retrieved'.

Conditions:
-- SSLO is provisioned.
-- Neither APM nor URLDB is provisioned.
-- Run the generic tmsh list command.

Impact:
tmsh command fails and posts the error: Unexpected Error: Password could not be retrieved.

Note: Some 'tmsh list' commands with arguments do run. For example, 'tmsh list net vlan' provides correct output, but 'tmsh list' does not.

Workaround:
There is no workaround other than provisioning APM or URLDB.

Note: You can provision APM or URLDB even if they are not licensed. Although the full feature set is not available without a license, provisioning loads the daemons needed to support the generic 'tmsh list' command.


748999-3 : invalid inactivity timeout suggestion for cookies

Component: Application Security Manager

Symptoms:
ASM will report "invalid inactivity timeout" suggestions to delete a cookie, even though the cookies are being sent and are valid.

Conditions:
- Inactivity timeout feature is configured in Policy Builder.
- Cookie entity is configured in the policy.
- Valid, non-violating traffic containing cookies is passed.

Impact:
Since non-violating traffic is not sent to the policy engine, the inactivity timeout timer is never reset, which will eventually lead to suggestions to delete the inactive cookie entities. These suggestions are erroneous because valid cookies are being sent in the traffic.

Workaround:
Ignore the inactive entity suggestions for cookies.


748851-3 : Bot Detection injection includes tags that may cause faulty display of the application

Component: Application Security Manager

Symptoms:
The Bot Detection feature / Bot Defense profile includes JavaScript which is injected within <APM_DO_NOT_TOUCH> tags. Some web applications may be displayed incorrectly due to these tags.

Conditions:
- Your application includes JavaScript which dynamically adds HTML elements and expects a certain set of tags in the <head> section of the HTML.
- Bot Detection / Bot Defense are enabled.

Impact:
Some web applications may be displayed incorrectly.

Workaround:
None


748545-1 : Remove 'sys-unconfig' and 'rhel-configure' binaries and related systemd service

Component: TMOS

Symptoms:
The RHEL-related binaries 'sys-unconfig' and 'rhel-configure' are shipped with BIG-IP when they are not relevant.

Conditions:
Running a BIG-IP v14.1.x release

Impact:
Binaries with RHEL branding that are not used by BIG-IP are installed on the system and generate superfluous files.

Workaround:
N/A


748529-1 : BIG-IP Virtual Edition with cloudhsm integration needs to restart tmm after a fresh install

Component: Local Traffic Manager

Symptoms:
Right after a fresh BIG-IP install to a BIG-IP VE with cloudhsm integration, a nethsm key/cert enabled SSL client profile cannot be applied to a virtual server. A warning will be generated:

warning tmm1[19027]: 01260009:4: Connection error: hud_ssl_handler:1149: invalid profile (40)

Conditions:
Apply an SSL client profile with cloudHSM key/cert at AWS cloud.

Impact:
Virtual server enabled with cloudHSM key/cert can't be configured.

Workaround:
"bigstart restart tmm" after the fresh install.


748451-3 : Manager users cannot perform changes in per-request policy properties

Component: Access Policy Manager

Symptoms:
Users with Admin role can edit and administer per-request policy properties. Users with Manager role, which can manage most APM objects, cannot manage this specific one.

Conditions:
A user with the Manager role tries to modify or change per-request policy properties.

Impact:
Cannot manage per-request policy properties if user role is Manager.

Workaround:
There is no workaround other than having an Admin user manage these objects.


748409-2 : Illegal parameter violation when json parsing a parameter on a case-insensitive policy

Component: Application Security Manager

Symptoms:
An illegal parameter violation is raised although the parameter is configured.

Conditions:
The policy is configured as case insensitive, and a parameter is configured with capital letters.

Impact:
False positive illegal parameter violation.

Workaround:
Configure the violation as case sensitive.


748321-1 : bd crash with specific scenario

Component: Application Security Manager

Symptoms:
BD crash

Conditions:
A specific scenario may cause bd crash.

Impact:
Failover, traffic disturbance.

Workaround:
N/A


748295-1 : TMM crashes on shutdown when using virtio NICs for dataplane

Component: TMOS

Symptoms:
TMM crash on stop or restart.

Conditions:
1. Put the virtio NIC in a bad state while TMM is running (for example, detach the NIC from the host).
2. Run the following command: bigstart stop tmm

Impact:
TMM crash generates a core file. However, there is no impact on traffic as the device is already in a bad state before the crash.

Workaround:
None.


748253-1 : Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection

Component: Service Provider

Symptoms:
Depending on the DIAMETER settings of the BIG-IP, there can be a race condition in a mirrored device cluster where the standby BIG-IP resets its mirror connection to the active.

Conditions:
- MRF DIAMETER in use.
- The DIAMETER session profile on the BIG-IP is configured to use Reset on Timeout.
- This is more likely to happen if (in the DIAMETER session profile) the Maximum Watchdog Failures is set to 1, and the Watchdog Timeout is configured to be the same value as the remote DIAMETER system.

Impact:
The standby is no longer mirroring the active system, and will get out of sync with it. There may be connections lost if a failover occurs.

Workaround:
More of a mitigation than a workaround:

- Configure the Maximum Watchdog Failures to a value greater than 1.
- Configure the Watchdog Timeout as something different than the same timeout on the remote peer, preferably to something that will have little overlap (i.e. the two timers should fire at the exact same time very infrequently).


748205-3 : SSD bay identification incorrect for RAID drive replacement

Component: TMOS

Symptoms:
On iSeries platforms with dual SSDs, the 'bay' of a given SSD indicated in the 'tmsh show sys raid' command may be incorrect. If a drive fails, or for some other reason it is intended to be replaced, and you are using the bay number listed from the tmsh command, the wrong drive could be removed from the system resulting in system failure to operate or boot.

Conditions:
iSeries platform with dual SSDs.

Impact:
Removal of the one working drive could result in system failure and subsequent failure to boot.

Workaround:
If you discover that you removed the incorrect drive, you can attempt to recover by re-inserting the drive into the bay that it was in, and powering on the device.

The following steps will help to avoid inadvertently removing the wrong drive:

As a rule for systems with this issue:
-- Power should be off when you remove a drive. This makes it possible to safely check the serial number of the removed drive.
-- Power should be on, and the system should be completely 'up' before you add a new drive.

Here are some steps to follow to prevent this issue from occurring.


1. Identify the failed drive, taking careful note of its serial number (SN). You can use any of the following commands to get the serial number:
     • tmsh show sys raid
     • tmsh show sys raid array
     • array
2. Logically remove the failed drive using the following command: tmsh modify sys raid array MD1 remove HD<>
3. Power down the unit.
4. Remove the fan tray and physically remove the failed drive.
5. Manually inspect the SN on the failed drive to ensure that the correct drive was removed.
6. Replace the fan tray.
7. Power on the unit with the remaining, single drive.
8. Once booted, wait for the system to identify the remaining (good) drive. You can confirm that this has happened when it appears in the 'array' command output.
9. Remove fan tray again (with the system running).
10. Install the new drive.
11. Use the 'array' command to determine that the new drive is recognized (Note: the tmsh commands do not show new drive at this stage.)
12. Logically add the new drive using the following command: tmsh modify sys raid array MD1 add HD<>
13. Monitor the rebuild using any of the commands shown in step 1.

Note: You must follow these steps exactly. If you insert the new drive while the system is off, and you then boot the system with the previously existing working drive and the new blank drive present, the system recognizes the blank drive as the working array member, and you cannot add it to the array. The system then responds as if 'HD already exists'.


748187-4 : 'Transaction Not Found' Error on PATCH after Transaction has been Created

Component: TMOS

Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.

Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.

Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.

Workaround:
If the transaction is not very large, configure icrd_child to run single-threaded only.


748177-1 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character

Component: Global Traffic Manager (DNS)

Symptoms:
Multiple wildcards not matched to the most specific WideIP.

Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.

Impact:
DNS requests get the wrong answer.

Workaround:
There is no workaround at this time.


748176-1 : BDoS Signature can wrongly match a DNS packet

Component: Advanced Firewall Manager

Symptoms:
When using the BDoS feature for the DNS protocol, with auto-generated DNS signatures or manually configured custom DNS signatures, a valid DNS request is sometimes dropped because it wrongly matches the configured or dynamically generated DNS signature while the box is under load and BDoS mitigation is ongoing.

Conditions:
A DNS signature is configured manually, or a dynamically generated DNS signature exists.

Such a DNS signature is found to match a DNS packet wrongly, even though the signature match criteria is different from the matched DNS packet.

Impact:
When the box is under load, the configured DNS signature enters Attack Mitigation mode (which is normal), but may wrongly drop a DNS packet that does not match the signature.

Workaround:
Disable BDoS for protocol DNS. Also, do not use Manually configured DNS Signatures.


748121-3 : admd livelock under CPU starvation

Component: Anomaly Detection Services

Symptoms:
Due to resource starvation, the admd worker thread does not get CPU time for more than two minutes. At the same time, the configuration thread does get CPU time.

The admd heartbeat failure occurs at 120 seconds. The SOD daemon kills admd.

The system posts messages similar to the following:

-- notice sod[6783]: 01140041:5: Killing /usr/bin/admd pid 6732
-- warning sod[6783]: 01140029:4: HA daemon_heartbeat ADMD.Anomaly0 fails action is restart.
-- warning sod[6783]: 01140029:4: HA daemon_heartbeat ADMD.Publisher0 fails action is restart.

Conditions:
-- High CPU / memory utilization.
-- Very large configuration.

Note: There are no known special configuration requirements to have this occur.

Impact:
admd restarts.
Behavioral DoS does not work.

Workaround:
Reboot the BIG-IP system.


748081-1 : Memory leak in BDoS module

Component: Advanced Firewall Manager

Symptoms:
TMM runs out of memory and restarts.
The memory usage as shown in "tmctl memory_usage_stat", under module line tag "session" is noticed to be high, and keeps growing.

Conditions:
The issue is seen when the BDoS feature is configured and custom or auto-generated BDoS signatures exist. When such signatures exist, the BDoS one-second timer callback leaks memory.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable BDoS feature.
Disable all configured and auto generated BDoS signatures using TMSH command:
modify security dos dos-signature all { state disabled }


748070 : API Protection feature inadvertently allows editing of associated access policy

Component: Access Policy Manager

Symptoms:
This release contains a feature called API Protection. API Protection access policies are hidden from the user interface in most areas except the log settings area.

Conditions:
Modifying API Protection access policy from Access :: Overview :: Event Logs :: Settings.

Impact:
If the API protection policy / profile is modified outside of API Protection GUI, the 'Apply Access Policy' may become activated with no way to deactivate it.

Workaround:
Navigate to the API Protection area and modify any part of the API Protection profile. This causes it to re-deploy, at which time the system clears the 'Apply Access Policy' prompt.


748031-1 : Invalidation trigger parameter containing reserved XML characters does not create invalidation rule

Component: WebAccelerator

Symptoms:
If a parameter value for an invalidation trigger contains reserved XML characters, compilation of the resulting invalidation rule fails due to the reserved characters not being escaped.

Conditions:
- AAM policy with an invalidation trigger defined.
- Trigger request with parameter value(s) containing reserved XML characters.

Impact:
The invalidation rule requested by the trigger request is not created. Content is not invalidated as expected.

Workaround:
No workaround exists.


747968-3 : DNS64 stats not increasing when requests go through dns cache resolver

Component: Local Traffic Manager

Symptoms:
DNS64 stats do not increment in the output of the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands if responses are coming from the DNS cache resolver.

Conditions:
DNS responses are coming from dns cache resolver.

Impact:
DNS64 stats not correct.

Workaround:
There is no workaround at this time.


747926-2 : Rare TMM restart due to NULL pointer access during AFM ACL logging

Component: Advanced Firewall Manager

Symptoms:
TMM crashes while performing ACL match logging.

Conditions:
The problem can happen only with the following configuration:
1) AFM Logging for ACLs enabled.
2) Security Network Logging profile has the property "log-translation-fields enabled".

The problem happens under extremely rare circumstances.

Impact:
Traffic disrupted while tmm restarts.


747909-5 : GTPv2 MEI and Serving-Network fields decoded incorrectly

Component: Service Provider

Symptoms:
MEI and Serving-Network values obtained with the 'GTP::ie get' iRule command contain digits swapped in pairs, with the first digit missing and a random digit appended at the end.

Conditions:
Processing GTP traffic with iRules.

Impact:
It is impossible to obtain correct value of MEI and Serving-Network fields of the GTPv2 packets when processing with iRules.

Workaround:
No workaround.


747777-3 : Extractions are learned in manual learning mode

Component: Application Security Manager

Symptoms:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"

Conditions:
Direct cause: Policy contains parameters with dynamic type

Indirect cause: Policy Builder is configured to classify parameters as dynamic (related to bug 717525)

Impact:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"

Workaround:
- Change all dynamic parameters value types to User Input with Alpha Numeric data type

- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').


747676-3 : Remote logging needs 'localip' to set source IP properly

Component: TMOS

Symptoms:
The source IP of remote log entries sometimes uses a self IP.

Conditions:
This happens when configuration of the management IP and route completes later than syslog-ng starts.

Impact:
Remote log entry has wrong source IP address.

Workaround:
Use the localip keyword to force a specific source IP address, for example:

udp("1.1.1.9" port (514) localip("100.100.100.101"));


747628-1 : BIG-IP sends spurious ICMP PMTU message to server

Component: Local Traffic Manager

Symptoms:
After negotiating an MSS in the TCP handshake, BIG-IP then sends an ICMP PMTU message because the packet is too large.

Conditions:
The serverside allows timestamps and the clientside doesn't negotiate them.

The clientside MTU is lower than the serverside's.

There is no ICMP message on the clientside connection.

Impact:
Unnecessary retransmission by the server, suboptimal xfrag sizes (and possibly packet sizes).

Workaround:
Disable timestamps on the serverside TCP profile, or proxy-mss on the clientside profile.


747617-2 : TMM core when processing invalid timer

Component: Local Traffic Manager

Symptoms:
TMM crashes while processing an SSLO iRule that enables the SSL filter on an aborted flow.

Conditions:
SSLO is configured and passing traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround


747560-5 : ASM REST: Unable to download Whitehat vulnerabilities

Component: Application Security Manager

Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.

Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.

Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided; they must be downloaded manually, or the GUI must be used.

Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.


747187-2 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response

Component: Service Provider

Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.

Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.

Impact:
Media does not flow on pinholes for which a collision was detected and reported.

Workaround:
None


747065-2 : PEM iRule burst of session ADDs leads to missing sessions

Component: Policy Enforcement Manager

Symptoms:
Some PEM sessions that were originally added later disappear and cannot be added back.

Conditions:
-- Subscriber addition is done by iRule on UDP virtual servers.
-- The sessions are added in a burst.
-- A small fraction of such sessions cannot be added back after delete.

Impact:
Policies available in the missing session cannot be accessed.

Workaround:
Add a delay of at least a few milliseconds between adding multiple sessions with the same subscriber-id and IP address.


746941-2 : avrd memory leak when BIG-IQ fails to receive stats information

Component: Application Visibility and Reporting

Symptoms:
avrd leaks memory when it fails to send statistical information to BIG-IQ.

Conditions:
BIG-IP is managed by BIG-IQ version 6.0.0 or higher, and stats collection is enabled.
In addition, BIG-IQ has some malfunction that prevents it from receiving the statistical information that BIG-IP is sending (for example: all DCDs are down, or there is no network connection between BIG-IP and BIG-IQ).

Impact:
avrd memory usage increases over time, leading to an avrd restart when it grows too large.

Workaround:
The connectivity issue between BIG-IP and BIG-IQ should be fixed, not only to prevent this memory leak but also for more important functionality such as the visibility and alerts features in BIG-IQ.


746922-6 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.

Component: Local Traffic Manager

Symptoms:
When a routing entity belonging to a child route domain searches for an egress point for a traffic flow, it first searches for a routing entry in the child domain; if nothing is found, it searches the parent route domain and returns the best routing entry found.

If the best routing entry from the parent route domain is selected, it is held by the routing entity and used to forward the traffic flow. Later, a new route entry may be added to the child route domain's routing table that is better than the previously selected entry. The previously selected entry does not get invalidated, so the routing entity holding it keeps forwarding traffic to a less preferable egress point.

Example:
RD0(parent) -> RD1(child)
routing table: default gw for RD0 is 0.0.0.0/0%0
pool member is 1.1.1.1/32%1
-
The pool member searched for the best egress point, found nothing in the routing table for route domain 1, and then found a routing entry from the parent route domain: 0.0.0.0/0%0.
Later a new gw for RD1 was added, 0.0.0.0/0%1, which is more preferable for pool member 1.1.1.1/32%1. 0.0.0.0/0%0 should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, in this case 0.0.0.0/0%1.

Conditions:
1) There is more than one route domain in a parent-child relationship.
2) There are routing entries in the parent route domain good enough to be selected as an egress point for a routing object (for instance, a pool member) from the child route domain.
3) The routing entry from the parent route domain was selected as the egress point for the object from the child route domain.
4) A new routing entry for the child route domain is added.

Impact:
If a newly added route is more preferable than the existing one from a different route domain, the new route is not used by a routing object that previously selected the "old" route. Thus traffic flows through these routing objects to an unexpected/incorrect egress point. This can present as undesirable behavior: the route could be unreachable and all traffic for a specific pool member is dropped, the virtual server could fail to find an available SNAT address, or simply the wrong egress interface is used.

Workaround:
There are several ways; either workaround should be applied after the new route in the child domain has been added.
- Recreate a route.
Recreate the parent route domain's routes. Restart the tmrouted daemon if routes were gathered via routing protocols.
-----
- Recreate a routing object.
If a pool member is affected, recreate the pool member.
If a SNAT pool list is affected, recreate it.
And so on.
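
The lookup-and-cache behaviour described above, as an added example that is not BIG-IP code: a small Python model of parent/child route domains, with the defective invalidation beside a corrected one. Class and function names (RouteDomain, RoutingObject, add_route_buggy, add_route_fixed) are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the parent/child route-domain lookup described in this
# issue. All names are hypothetical; nothing here is BIG-IP code.


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    rd: int  # route domain that owns the entry, e.g. 0 for 0.0.0.0/0%0

    def __str__(self) -> str:
        return f"{self.prefix.with_prefixlen}%{self.rd}"


@dataclass
class RouteDomain:
    rd: int
    parent: Optional["RouteDomain"] = None
    routes: List[Route] = field(default_factory=list)

    def lookup(self, dst: ipaddress.IPv4Address) -> Optional[Route]:
        """Longest-prefix match in this RD, falling back to the parent RD."""
        matches = [r for r in self.routes if dst in r.prefix]
        if matches:
            return max(matches, key=lambda r: r.prefix.prefixlen)
        return self.parent.lookup(dst) if self.parent else None


@dataclass
class RoutingObject:
    """A pool member (or SNAT address) that caches the route it selected."""
    name: str
    addr: ipaddress.IPv4Address
    rd: RouteDomain
    cached: Optional[Route] = None

    def egress(self) -> Optional[Route]:
        if self.cached is None:  # only re-resolve when invalidated
            self.cached = self.rd.lookup(self.addr)
        return self.cached


def add_route_buggy(rd: RouteDomain, route: Route, objects: List[RoutingObject]) -> None:
    """Mirrors the defect: only caches holding a route *owned by this RD* are
    dropped, so an object in the child RD that cached a parent-RD route keeps it."""
    rd.routes.append(route)
    for obj in objects:
        if obj.cached is not None and obj.cached.rd == rd.rd:
            obj.cached = None


def add_route_fixed(rd: RouteDomain, route: Route, objects: List[RoutingObject]) -> None:
    """Invalidate every object whose lookup path includes this RD (the RD itself
    or any child of it), regardless of which RD supplied the cached route."""
    rd.routes.append(route)
    for obj in objects:
        d: Optional[RouteDomain] = obj.rd
        while d is not None:
            if d.rd == rd.rd:
                obj.cached = None
                break
            d = d.parent


def scenario(fixed: bool) -> str:
    """Replay the example above: RD0(parent) -> RD1(child), pool member 1.1.1.1%1.
    Returns the route the member is using after 0.0.0.0/0%1 is added to RD1."""
    rd0 = RouteDomain(0, routes=[Route(ipaddress.IPv4Network("0.0.0.0/0"), 0)])
    rd1 = RouteDomain(1, parent=rd0)
    member = RoutingObject("pool-member", ipaddress.IPv4Address("1.1.1.1"), rd1)
    assert str(member.egress()) == "0.0.0.0/0%0"  # nothing in RD1, parent route used
    add = add_route_fixed if fixed else add_route_buggy
    add(rd1, Route(ipaddress.IPv4Network("0.0.0.0/0"), 1), [member])
    return str(member.egress())


if __name__ == "__main__":
    print("buggy:", scenario(fixed=False))  # 0.0.0.0/0%0 (stale parent route kept)
    print("fixed:", scenario(fixed=True))   # 0.0.0.0/0%1
```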


746877-1 : Omitted check for success of memory allocation for DNSSEC resource record

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.

Conditions:
During memory stress while handling DNSSEC traffic.

Impact:
TMM panic and subsequent interruption of network traffic.

Workaround:
Keeping the workload within normal ranges reduces the probability of encountering the problem.


746825-1 : MRF SIP ALG with SNAT: Ephemeral listeners not created for un-subscribed outgoing calls

Component: Service Provider

Symptoms:
When a temporary registration is created for an un-subscribed user making an outgoing call, an ephemeral listener to receive incoming messages is not created.

Conditions:
If the nonregister-subscriber-callout attribute in the siprouter-alg profile is enabled and an unregistered client device places an outgoing call, a temporary registration is created. This temporary registration lives for the life of the call. If the connection from the client is closed during the lifetime of the temporary registration, it is not possible for an external device to reach the client.

Impact:
The callee of an outgoing call initiated by an unregistered SIP device will not be able to end the call.

Workaround:
There is no workaround at this time.


746771-3 : APMD recreates config snapshots for all access profiles every minute

Component: Access Policy Manager

Symptoms:
When the access profile configurations in APMD and MCPD are out of sync, APMD detects that the config snapshot for one access profile is missing. This triggers APMD to recreate the config snapshots for all access profiles. The detect-recreate cycle repeats every minute:

Sep 11 17:57:39 BIG-IP err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...

Sep 11 17:57:59 BIG-IP notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
...

Sep 11 17:58:39 BIG-IP err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...

Sep 11 17:59:00 BIG-IP notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.

Conditions:
The condition under which the access profile configurations in APMD and MCPD become out of sync is unknown.

Impact:
TMM memory usage will increase due to excessive config snapshots created.

Workaround:
Restart APMD to clear the APMD and MCPD out of sync condition.


746750-1 : Search Engine get Device ID challenge when using the predefined profiles

Component: Application Security Manager

Symptoms:
When using one of the pre-defined profiles "bot-defense-device-id-generate-after-access" or "bot-defense-device-id-generate-before-access", search engines might get Device ID challenges (and will most likely get blocked, since they cannot run JavaScript).

Conditions:
One of the pre-defined profiles ("bot-defense-device-id-generate-after-access" or "bot-defense-device-id-generate-before-access") is attached to a virtual server, and a valid search engine sends requests.

Impact:
Search Engines may be blocked.

Workaround:
Change mitigation of "Trusted Bot" in the attached profile to "Alarm":
1. Go to
Security ›› Bot Defense : Bot Defense Profiles ›› bot-defense-device-id-generate-after-access
or
Security ›› Bot Defense : Bot Defense Profiles ›› bot-defense-device-id-generate-before-access
2. Go to tab "Mitigation Settings"
3. For "Trusted Bot" choose "Alarm".
4. Save profile.


746731-1 : BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set

Component: Service Provider

Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.

Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Firmware-Revision AVP.

Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.

Workaround:
Configure an iRule in the MRF transport-config, for example:

ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 267 0
        }
    }
}
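
Added example (not F5 code) of what the iRule above does at the wire level: parse the AVP list of a Capabilities-Exchange-Request, report which AVPs carry the M bit, and clear it on Firmware-Revision (code 267), which the Diameter base protocol (RFC 6733) does not permit to be Mandatory. The CER fragment and its values are constructed sample data.

```python
import struct
from typing import List, Optional, Tuple

# Diameter AVP header, RFC 6733 section 4.1:
#   AVP Code (4) | Flags (1) | AVP Length (3) | [Vendor-ID (4) if V] | Data | pad to 4
# The length field covers header and data but not the padding.
FIRMWARE_REVISION = 267   # Unsigned32, M bit must not be set
ORIGIN_HOST = 264         # DiameterIdentity, M bit required
FLAG_V, FLAG_M, FLAG_P = 0x80, 0x40, 0x20  # Vendor-specific, Mandatory, Protected


def build_avp(code: int, flags: int, data: bytes, vendor_id: Optional[int] = None) -> bytes:
    """Serialise one AVP; passing vendor_id forces the V flag and the 12-octet header."""
    if vendor_id is not None:
        flags |= FLAG_V
    header_len = 12 if flags & FLAG_V else 8
    avp = struct.pack("!IB", code, flags) + (header_len + len(data)).to_bytes(3, "big")
    if flags & FLAG_V:
        avp += struct.pack("!I", vendor_id or 0)
    return avp + data + b"\x00" * (-len(data) % 4)


def parse_avp(buf: bytes, offset: int = 0) -> Tuple[int, int, Optional[int], bytes, int]:
    """Return (code, flags, vendor_id, data, offset_of_next_avp)."""
    code, flags = struct.unpack_from("!IB", buf, offset)
    length = int.from_bytes(buf[offset + 5:offset + 8], "big")
    vendor_id, hdr = None, 8
    if flags & FLAG_V:
        vendor_id = struct.unpack_from("!I", buf, offset + 8)[0]
        hdr = 12
    if length < hdr or offset + length > len(buf):
        raise ValueError("malformed AVP length")
    data = buf[offset + hdr:offset + length]
    return code, flags, vendor_id, data, offset + length + (-length % 4)


def mandatory_avps(avps: bytes) -> List[int]:
    """AVP codes carrying the M bit; useful for checking a CER before it is sent."""
    codes, off = [], 0
    while off < len(avps):
        code, flags, _, _, off = parse_avp(avps, off)
        if flags & FLAG_M:
            codes.append(code)
    return codes


def clear_mandatory(avps: bytes, target_code: int) -> bytes:
    """Rewrite the AVP list with the M bit cleared on every AVP of target_code,
    the byte-level equivalent of 'DIAMETER::avp flags set 267 0' in the iRule."""
    out, off = bytearray(), 0
    while off < len(avps):
        code, flags, vendor_id, data, off = parse_avp(avps, off)
        if code == target_code:
            flags &= ~FLAG_M & 0xFF
        out += build_avp(code, flags, data, vendor_id)
    return bytes(out)


# Constructed CER fragment: Origin-Host with M set (as required) followed by
# Firmware-Revision with the M bit wrongly set, as in the symptom above.
SAMPLE_CER_AVPS = (build_avp(ORIGIN_HOST, FLAG_M, b"bigip.example.test")
                   + build_avp(FIRMWARE_REVISION, FLAG_M, struct.pack("!I", 14010)))

if __name__ == "__main__":
    print("before:", mandatory_avps(SAMPLE_CER_AVPS))                       # [264, 267]
    print("after: ", mandatory_avps(clear_mandatory(SAMPLE_CER_AVPS, 267)))  # [264]
```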


746719-1 : zrd sets recursion desired and can't edit NS records when bind set recursion yes

Component: Global Traffic Manager (DNS)

Symptoms:
While attempting to use ZoneRunner to edit NS records, the following error is returned:
01150b21:3: RCODE returned from query: 'SERVFAIL'.

Conditions:
-- Recursion is enabled in BIND.
-- BIND is not able to reach the referenced name server.

Impact:
Administrator is unable to use ZoneRunner to edit NS records.

Workaround:
Set recursion to no for BIND.


746710-1 : Use of HTTP::cookie after HTTP::disable causes TMM core

Component: Local Traffic Manager

Symptoms:
When an iRule disables HTTP with HTTP::disable, subsequent use of HTTP::cookie for that request causes a TMM core dump.

Conditions:
1) HTTP profile is configured on the virtual.
2) HTTP::disable is called on the request.
3) HTTP::cookie is then called on that request.

Impact:
Use of iRules in the above-mentioned order results in a TMM core. Traffic disrupted while tmm restarts.

Workaround:
Do not call HTTP::cookie on requests that have had HTTP disabled by HTTP::disable.


746657-1 : tmsh help for FQDN node or pool member shows incorrect default for fqdn interval

Component: TMOS

Symptoms:
The tmsh help text for LTM nodes and pools shows the incorrect default for the fqdn 'interval' value.
The default is indicated as the TTL, whereas the actual default value is 3600 seconds (1 hour).
The configured value is displayed correctly if the node or pool is displayed using the 'all-properties' keyword.

Conditions:
Always.

Impact:
FQDN nodes and pool members may be created with a different fqdn refresh interval than intended.

Workaround:
When creating an FQDN node or pool member, specify the desired fqdn 'interval' value (either TTL, or the desired number of seconds).


746620-3 : "source-port preserve" does not work on BIG-IP Virtual Edition

Component: Performance

Symptoms:
BIG-IP Virtual Edition uses RSS hashing for selecting TMMs, which has the side effect of causing "source-port preserve" to reuse ports aggressively. This can ultimately lead to connection failures.

Conditions:
BIG-IP Virtual Edition with "source-port preserve" configured on a FastL4 virtual server, and VE configures an RSS hash. VE configures an RSS hash if both of the conditions below are met:

1. VE supports RSS hash on the NIC. Currently, RSS is supported on ixlv and vmxnet3 NICs.
2. The number of TMMs <= the maximum number of queues supported by the NIC. For ixlv this is 4 and for vmxnet3 this is 8.

Impact:
Connections may fail due to reusing ports too quickly.

Workaround:
On the Virtual Server, set source-port to "change".


746464-1 : MCPD sync errors and restart after multiple modifications to file object in chassis

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
This can be encountered when rapidly making changes to files such as creating and then deleting them while the config sync of the file creation is still in progress.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.


746394-1 : With ASM CORS set to "Disabled" it strips all CORS headers in response.

Component: Application Security Manager

Symptoms:
All access-control-* headers are removed by ASM, including Cross-Origin Resource Sharing (CORS) headers. This causes CORS-related JavaScript errors on the browser console and blocks cross-domain requests that should be allowed.

Conditions:
-- ASM is provisioned
-- ASM policy attached to a virtual server
-- Backend server sends CORS headers (access-control-*)

Impact:
Web applications that send cross-origin AJAX requests could be broken.

Workaround:
Set up an iRule on the virtual server:
when HTTP_RESPONSE {
    array set header_list { }
    foreach header_name [HTTP::header names] {
        if { [string tolower $header_name] starts_with "access-control-" } {
            set header_list($header_name) [HTTP::header $header_name]
        }
    }
}
when HTTP_RESPONSE_RELEASE {
    foreach header_name [array names header_list] {
        if {!([HTTP::header exists $header_name])} {
            HTTP::header insert $header_name $header_list($header_name)
        }
    }
}


746344-3 : PEM may not re-establish diameter connection after HA switchover

Component: Policy Enforcement Manager

Symptoms:
PEM may not establish the Diameter connection after a failover if more than 25 days have elapsed between failovers.

Conditions:
25 days have elapsed between failovers.

Impact:
The Diameter connection may not be established.

Workaround:
Restart tmm.


746266-3 : vCMP guest VLAN MAC mismatch across blades.

Component: TMOS

Symptoms:
vCMP guests running on blades in a single chassis report different MAC addresses on a single VLAN after a host reboot.

Conditions:
This issue may be seen when all of the following conditions are met:

- One (or more) blade(s) are turned off completely via AOM.
- Create two vlans.
- Deploy a multi-slot guest with the higher lexicographic vlan.
- Now, assign the smaller vlan to the guest.
- Reboot the host

Impact:
Incorrect MAC addresses are reported by some blades.

Workaround:
There is no workaround at this time.


746078-1 : Upgrades break existing iRulesLX workspaces that use node version 6

Component: Local Traffic Manager

Symptoms:
When upgrading a BIG-IP with iRulesLX plugins, if those plugins are based on workspaces that use node version 6 (instead of version 0.12) they will fail to work properly after the upgrade once the plugin is reloaded from the workspace.

Errors like this will be seen in /var/log/ltm:

Oct 5 06:37:12 B7200-R14-S36 info sdmd[17582]: 018e0017:6: pid[26853] plugin[/Common/test-jt-plugin.test-jt-extension] Starting the server.....jt...after upgrade...
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: Resuming log processing at this invocation; held 233 messages.
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] /var/sdm/plugin_store/plugins/:Common:test-jt-plugin_62858_3/extensions/test-jt-extension/node_modules/f5-nodejs/lib/ilx_server.js:30
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ILXServerWrap = process.binding('ILXServerWrap').ILXServerWrap;
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ^
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] Error: No such module: ILXServerWrap
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] at Error (native)

Conditions:
Upgrading a version of BIG-IP that is using iRulesLX that has a workspace based on node version 6. Later reloading the iRulesLX plugin from the workspace.

Impact:
The iRulesLX plugin no longer works.

Workaround:
- Navigate to the workspace folder on the BIG-IP (/var/ilx/workspaces/<partition>/<workspace name>).
- Make the file "node_version" writable (chmod +w node_version).
- Edit the node_version file: change "0.12" to "6"
- Save the node_version file.
- Make the file "node_version" read-only (chmod -w node_version).
- Reload the iRulesLX plugin from the workspace.


745825-1 : The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading

Component: TMOS

Symptoms:
This message may be logged while the audit_forwarder is loading the configuration:

audit_forwarder is disabled as the configuration is incomplete. Please define the following db variables: config.auditing.forward.sharedsecret, config.auditing.forward.destination and config.auditing.forward.type. And make sure config.auditing.forward.destination is not set to "::".

These DB variables may all be actually configured correctly, but since the configuration has not loaded yet this message may be logged multiple times.

Conditions:
The audit_forwarder process is starting up and loading the configuration.

Impact:
Confusing error messages in /var/log/ltm. Logging will still work as configured.

Workaround:
There is no workaround.


745802-1 : Brute Force CAPTCHA response page truncates last digit in the support id

Component: Application Security Manager

Symptoms:
The Brute Force CAPTCHA response page shown to an end user has a support ID whose last digit is truncated.

Conditions:
- ASM Provisioned
- ASM policy attached to a virtual server
- ASM Brute Force Protection enabled in the asm policy
- ASM Brute Force sends captcha mitigation page when a website is under brute force attack.

Impact:
The support ID presented to the end user does not match the one shown in the ASM logs.

Workaround:
There is no workaround at this time.


745783-1 : Anti-fraud: remote logging of login attempts

Component: Fraud Protection Services

Symptoms:
There is no support for logging of login attempts to a remote service.

Conditions:
Using high speed logging (HSL) to log login attempts.

Impact:
There is no support for logging of login attempts.

Workaround:
None.


745654-4 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server

Component: Access Policy Manager

Symptoms:
When there are many TCP connections that need a new Kerberos ticket fetched from the KDC, websso processes requests more slowly than they arrive. This can lead to low throughput, and the virtual server is very slow to respond to requests.

Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.

Impact:
Low throughput and slow responses from Virtual server.

Workaround:
There is no workaround at this time.


745628-1 : MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message

Component: Service Provider

Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALG with SNAT after a NOTIFY message has been processed.

Conditions:
This occurs because the NOTIFY message has the TO and FROM headers with the same value, causing the ALG to enter hairpin mode.

Impact:
Media addresses in the SDP payload are not translated.

Workaround:
There is no workaround.


745589-6 : In very rare situations, some filters may cause data-corruption.

Component: Local Traffic Manager

Symptoms:
In very rare situations, an internal data-moving function may cause corruption.

Filters that use the affected functionality are:
HTTP2, Sip, Sipmsg, MQTTsession, serdes_diameter, FTP.

Conditions:
The affected filters are used, and some very rare situation occurs.

Impact:
This may cause silent data corruption, or a TMM crash.

Workaround:
There is no workaround at this time.


745574-1 : URL is not removed from custom category when deleted

Component: Access Policy Manager

Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.

Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.

Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.

Workaround:
"bigstart restart tmm" will resolve the issue.


745545-1 : CMP forwarded LRO host packets do not restore LRO flag

Component: Local Traffic Manager

Symptoms:
When packets are being CMP forwarded for the host (e.g., related connection), the LRO flag is not being restored. As a result, these packets do not go through TSO which results in PMTU response and the connection hangs.

Conditions:
This issue is particular to CMP forwarded host connections which are going over the TMM interface due to explicit LRO and large MTU.

Impact:
The connection hangs.

Workaround:
There is no workaround.


745531-2 : Puffin Browser gets blocked by Bot Defense

Component: Application Security Manager

Symptoms:
Users using the Puffin Browser are blocked when accessing the Virtual Server when it is protected with either Proactive Bot Defense (within DoSL7 profile) or with the Bot Defense profile.
This applies to all versions of the Puffin Browser: Desktop, Android, iOS.

Conditions:
- Users using the Puffin Browser on Desktop, Android, iOS
- Bot Defense Profile, or: DoSL7 profile with Proactive Bot Defense is used while the "Block Suspicious Browsers" checkbox is enabled

Impact:
Users of the Puffin Browser cannot access the website

Workaround:
None


745514-1 : MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message

Component: Service Provider

Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALG with SNAT after a SUBSCRIBE message has been processed.

Conditions:
This occurs because the SUBSCRIBE message has the TO and FROM headers with the same value, causing the ALG to enter hairpin mode.

Impact:
Media addresses in the SDP payload are not translated.

Workaround:
There is no workaround.


745035-2 : gtmd crash

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd crashes.

Conditions:
This rarely occurs when an iQuery connection is abnormally terminated.

Impact:
Under rare circumstances, gtmd may crash and restart.

Workaround:
None


745027-2 : AVR is doing extra activity of DNS data collection even when it should not

Component: Application Visibility and Reporting

Symptoms:
When collecting DNS data, AVR generates data that is used only for BIG-IQ, even if not connected to BIG-IQ.

Conditions:
DNS Statistics collection or DNS-DoS is configured.

Impact:
The avrd process consumes CPU cycles for activity that is not needed. There is no impact to functionality.

Workaround:
None.


744949-1 : MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix

Component: Service Provider

Symptoms:
SIP response messages have the wrong IP address in the FROM header when using NAT64.

Conditions:
If the client's IPv6 address does not match the virtual server's configured IPv6 prefix, the FROM header on a response message has a different IP address than the request message.

Impact:
The SIP ALG with SNAT system will be unable to establish a call for the client.

Workaround:
There is no workaround at this time.


744937-1 : Make authenticated-denial-of-existence NSEC3 RR Types Bitmap reflect available Resource Records

Component: Global Traffic Manager (DNS)

Symptoms:
The BIG-IP does not know which resource records an external zone holds at the time it responds to a DNSSEC query for a given record type at a given owner name.
If the resource record type does not exist, then as part of the response the BIG-IP generates an NSEC3 record (to authenticate denial of existence, along with an RRSIG) containing a types bitmap that is supposed to list the RR types available at the owner name.
With the Aggressive Use of DNSSEC-Validated Cache feature supported in BIND 9.12 (RFC 8198), that negative response with the inaccurate types bitmap is cached and can then be reused to assert that resource records do not exist when they are in fact available at the owner name.

Conditions:
A query comes in for a zone that is not hosted on the BIG-IP where the BIG-IP is only responsible for DNSSEC signing.

Impact:
Validating resolvers implementing Aggressive Use of DNSSEC-Validated Cache may respond with NODATA for an existing resource record.

Workaround:
N/A
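
Added example, not part of the release note: Python showing the mechanism, namely the RFC 4034 type-bitmap encoding used by NSEC3 and a toy RFC 8198 aggressive-negative-cache decision, so that a bitmap missing an existing type can be seen turning into a synthesised NODATA. The zone contents and the signer's view of them are constructed.

```python
from typing import Dict, Iterable, Set

# RR type numbers are the IANA values; everything else here is constructed.
TYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "RRSIG": 46,
        "NSEC3": 50, "NSEC3PARAM": 51, "CAA": 257}
TYPE_NAME = {v: k for k, v in TYPE.items()}


def encode_type_bitmap(types: Iterable[int]) -> bytes:
    """RFC 4034 section 4.1.2 window-block encoding (shared by NSEC and NSEC3):
    window(1) | bitmap length(1) | bitmap(1..32 octets), trailing zero octets dropped."""
    windows: Dict[int, bytearray] = {}
    for t in sorted(set(types)):
        win, low = t >> 8, t & 0xFF
        bm = windows.setdefault(win, bytearray(32))
        bm[low >> 3] |= 0x80 >> (low & 7)  # bit 0 of each octet is the most significant
    out = bytearray()
    for win in sorted(windows):
        bm = windows[win]
        length = max(i for i, b in enumerate(bm) if b) + 1
        out += bytes([win, length]) + bm[:length]
    return bytes(out)


def decode_type_bitmap(bitmap: bytes) -> Set[int]:
    """Inverse of encode_type_bitmap, rejecting out-of-range block lengths."""
    types: Set[int] = set()
    off = 0
    while off < len(bitmap):
        if off + 2 > len(bitmap):
            raise ValueError("malformed type bitmap")
        win, length = bitmap[off], bitmap[off + 1]
        if not 1 <= length <= 32 or off + 2 + length > len(bitmap):
            raise ValueError("malformed type bitmap")
        for i, octet in enumerate(bitmap[off + 2:off + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((win << 8) | (i << 3) | bit)
        off += 2 + length
    return types


def aggressive_cache_answer(cached_nsec3_bitmap: bytes, qtype: int) -> str:
    """RFC 8198: a validated, cached NSEC3 that matches the query name lets the
    resolver answer NODATA for any type absent from its bitmap without asking the
    authoritative server again."""
    if qtype in decode_type_bitmap(cached_nsec3_bitmap):
        return "QUERY_AUTHORITATIVE"
    return "SYNTHESIZED_NODATA"


def compare(actual_types: Set[int], signer_view: Set[int]) -> Dict[str, str]:
    """For every type that really exists at the owner name, report what a resolver
    holding the signer's NSEC3 would do. Any SYNTHESIZED_NODATA is a record made
    unreachable by the inaccurate bitmap described in this issue."""
    bitmap = encode_type_bitmap(signer_view | {TYPE["RRSIG"], TYPE["NSEC3"]})
    return {TYPE_NAME[t]: aggressive_cache_answer(bitmap, t) for t in sorted(actual_types)}


# Constructed scenario: the external zone holds A, AAAA and MX at the owner name,
# but the signing-only front end saw just the A record when it built the NSEC3.
ZONE_OWNER_TYPES = {TYPE["A"], TYPE["AAAA"], TYPE["MX"]}
SIGNER_SEEN_TYPES = {TYPE["A"]}

if __name__ == "__main__":
    print(encode_type_bitmap([1, 28, 46, 50]).hex())      # 000740000008000220
    print(compare(ZONE_OWNER_TYPES, SIGNER_SEEN_TYPES))  # AAAA and MX become NODATA
```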


744787-4 : Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias

Component: Global Traffic Manager (DNS)

Symptoms:
WideIP alias will be replaced.

Conditions:
An alias exists for one WideIP, and the same alias is added to another WideIP.

Impact:
The previous WideIP will be replaced.

Workaround:
Avoid adding an alias that already exists on one WideIP to another WideIP.


744730-1 : Specifying a larger system disk during VE launch requires manual reboot for the increase to go into effect

Component: TMOS

Symptoms:
A larger system disk size can be specified during VE launch. The larger disk is allocated, but VE cannot use the extra space initially. A manual reboot allows VE to use the extra space. The desired behavior is for VE to reboot by itself.

Conditions:
This occurs when you launch VE with a larger system disk in the initial version of 14.1.

Impact:
BIG-IP cannot use the extra space.

Workaround:
Reboot VE.


744707-2 : Fixed crash related to DNSSEC key rollover

Component: Global Traffic Manager (DNS)

Symptoms:
When running out of memory, a DNSKEY rollover event can cause a tmm core dump.

Conditions:
System low on or out of memory.
DNSKEY rollover event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.


744686-2 : Wrong certificate can be chosen during SSL handshake

Component: Local Traffic Manager

Symptoms:
If two certificates of the same type are configured in an SSL profile, one marked 'usage CA' and the other not, the wrong one could be chosen during the handshake.

Conditions:
Two certificates of the same type are configured in an SSL profile.

Impact:
The wrong certificate could be chosen during the handshake.

Workaround:
Do not configure two certificates of the same type on an SSL profile.


744595-3 : DoS-related reports might not contain some of the activity that took place

Component: Application Visibility and Reporting

Symptoms:
Occasionally, some telemetry data of DoS related activity is lost.

Conditions:
No specific condition other than using the BIG-IP system anti-DDoS feature.

Impact:
DoS related reports might not contain some of the activity that takes place.

Workaround:
None.


744589-3 : Missing data for Firewall Events Statistics

Component: Application Visibility and Reporting

Symptoms:
Some of the statistical information collected for Firewall events is lost and not reported.

When this is taking place, the following message appears at avrd log:
Some rows of load_stat_firewall_events_<some number> not loaded

Conditions:
AFM is used. There is no particular condition that leads to losing some of the stats; it usually takes place under heavy activity.

Impact:
Statistical reports of Firewall Events are missing some of the activity that actually took place.

Workaround:
There is no workaround at this time.


744532 : Websso fails to decrypt secured session variables

Component: Access Policy Manager

Symptoms:
Whenever websso tries to decrypt secure session variables, the following error is seen in /var/log/apm:

Aug 15 21:36:25 abcd err websso.0[20421]: 014d0028:3: /Common/Test_PRP:Common:2b8e7abc: Master Decrypt failed for user test with error 'ckDecrypt: invalid ciphertext'
Aug 15 21:36:25 abcd info websso.0[20421]: 014d0009:6: /Common/Test_PRP:Common:2b8e7abc: Websso basic authentication for user 'test' using config '/Common/sso_test_obj'

Conditions:
- Per-req policy is attached to virtual server.
- Secure subsession variables are assigned to session variables using Variable Assign Agent in per-req policy.
- SSO Configuration Select agent is used in per-req policy.

Impact:
Single Sign-On (SSO) won't work correctly.

Workaround:
There is no workaround at this time.


744520-1 : Virtual server with PEM profile drops traffic received from Vxlan-GRE tunnel interface

Component: TMOS

Symptoms:
A virtual server with a PEM profile drops traffic received from a Vxlan-GRE tunnel interface.

Conditions:
Virtual server with a PEM profile and a Vxlan-GRE tunnel interface.

Impact:
Traffic drop.

Workaround:
There is no workaround.


744516-4 : TMM panics after a large number of LSN remote picks

Component: Carrier-Grade NAT

Symptoms:
TMM panics with the assertion "nexthop ref valid" failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.

Conditions:
An LSN pool with remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.

Impact:
TMM restarts. Traffic is interrupted.

Workaround:
There is no workaround.


744347-4 : Protocol Security logging profiles cause slow ASM upgrade and apply policy

Component: Application Security Manager

Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.

Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.

Impact:
ASM upgrade and apply policy are delayed.

Workaround:
There is no workaround at this time.


744316-4 : Config sync of APM policy fails with Cannot update_indexes validation error.

Component: Access Policy Manager

Symptoms:
Config sync operation fails for an APM policy when a policy item of the same name points to a different agent on the source and target.

The system posts errors similar to the following:

Sync error on rfang-vemgmt.lab.labnet.com: Load failed from /Common/rfang-ve-3mgmt.lab.labnet.com 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (access_policy_item_agent) object ID (/Common/resm_act_message_box_1 /Common/resm_act_message_box_ag_1). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:access_policy_item_agent status:13)"

Conditions:
This occurs in the following scenario:

1. Configure a failover device group containing two BIG-IP systems.
2. Create an APM access profile on one unit.
  + Launch VPE for the policy.
  + Add a macro.
  + In macro add an agent, e.g., Message box.
  + Add macro to the main policy.
3. Initiate config sync to another device.
4. On one BIG-IP system, add another Message box agent using the same macro. On the other BIG-IP system, make a copy of the access profile.
5. On either BIG-IP system, initiate another config sync operation.

Impact:
Unable to sync configuration in a failover device group.

Workaround:
You can work around this using the following procedure:

1. On the device receiving the config sync, delete the APM policies that contain the referenced APM policy items.
2. Perform an overwrite-config-sync operation from the sending device to this device.


744280-2 : Enabling or disabling a Distributed Application results in a small memory leak

Component: Global Traffic Manager (DNS)

Symptoms:
Enabling or disabling a Distributed Application results in an 8 byte memory leak.

Conditions:
Enabling or disabling a Distributed Application.

Impact:
8 bytes of memory are leaked every time a Distributed Application is enabled or disabled. If Distributed Applications are repeatedly programmatically enabled and disabled, over time, the system might eventually exhaust all available memory.

Workaround:
None.


744275-1 : BIG-IP system sends Product-Name AVP in CER with Mandatory bit set

Component: Service Provider

Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.

Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Product-Name AVP.

Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.

Workaround:
Configure an iRule in the MRF transport-config, for example:

ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 269 0
        }
    }
}


744252-2 : BGP route map community value: either component cannot be set to 65535

Component: TMOS

Symptoms:
The community value for BGP route map entries should allow values of 1-65535 for both components, but it is not allowing 65535 for either component.

Conditions:
-- Using BGP route map community values.
-- Attempting to set one or both components to 65535.

Impact:
Unable to use the full range of BGP route map community values.

Workaround:
There is no workaround at this time.


744210-2 : DHCPv6 does not have the ability to override the hop limit from the client.

Component: Local Traffic Manager

Symptoms:
A DHCPv6 packet may be dropped by a device after the DHCP relay if the client-provided hop limit is 1.

Conditions:
DHCPv6 Relay configured on the BIG-IP.

Impact:
Loss of DHCPv6 service.

Workaround:
There is no workaround at this time.


743987 : DNSX can no longer receive DNS NOTIFY messages on self ips

Component: Global Traffic Manager (DNS)

Symptoms:
DNSX can no longer receive DNS NOTIFY messages on self ips.

Conditions:
User has configured DNSX as a DNS slave/secondary server that listens for DNS NOTIFY messages from a master DNS server.

Impact:
DNSX acting as slave/secondary can no longer receive or process DNS NOTIFY messages via self ips.

Workaround:
If your infrastructure relies on DNS NOTIFY messages being sent to DNSX slave/secondary servers via self IPs, you will need to modify the configuration on your master DNS server(s) and also on the BIG-IP system with DNSX acting as a slave/secondary.

The master needs to be configured to send DNS NOTIFY messages either to a BIG-IP virtual server (UDP and TCP) with DNSX enabled on the associated DNS profile, or to the management IP of the BIG-IP system, or both. Note that if using the management IP to receive DNS NOTIFY for DNSX, you must enable this behavior by setting the dnsexpress.notifyport db variable to a port number other than zero.


743900-1 : Custom DIAMETER monitor requests do not have their 'request' flag set

Component: Local Traffic Manager

Symptoms:
Using the technique detailed in K14536: Customizing the BIG-IP Diameter monitor (https://support.f5.com/csp/article/K14536) to create custom DIAMETER monitor requests fails for any request that uses the numeric form of a DIAMETER command code, because the 'request' flag is not set in the DIAMETER packet.

Conditions:
-- Using custom DIAMETER monitor requests.
-- Using numeric DIAMETER command codes.

Impact:
The monitor probes fail because the BIG-IP system does not set the DIAMETER 'request' flag for requests it sends when using a numeric value for the command code, so the DIAMETER server thinks it is a response.

Workaround:
None.
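The two DIAMETER problems above (the Mandatory bit on the Product-Name AVP in 744275-1 and the missing 'request' flag in 743900-1) come down to single bits in the wire format. The following Python example, added here and not F5 code, encodes a constructed Capabilities-Exchange-Request, checks both bits, and clears the Product-Name M bit the way the iRule workaround does; all AVP values and the peer name are constructed.

```python
"""Minimal DIAMETER (RFC 6733) framing helpers for inspecting the command
'request' flag and the AVP 'Mandatory' flag. Added example, not F5 code;
every message built here is constructed, not captured traffic."""
import struct

FLAG_REQUEST = 0x80          # command flags byte: R bit (RFC 6733 section 3)
AVP_FLAG_VENDOR = 0x80       # AVP flags byte: V bit (RFC 6733 section 4.1)
AVP_FLAG_MANDATORY = 0x40    # AVP flags byte: M bit

CER_COMMAND_CODE = 257       # Capabilities-Exchange-Request, as in the iRule
ORIGIN_HOST_AVP = 264        # Origin-Host, legitimately mandatory in a CER
PRODUCT_NAME_AVP = 269       # Product-Name, the AVP the iRule clears flags on


def build_avp(code, data, flags=0):
    """Encode one AVP: 4-byte code, 1-byte flags, 3-byte length, data padded to 4."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * ((-len(data)) % 4)


def build_message(command_code, avps, flags=FLAG_REQUEST, app_id=0, hbh=1, e2e=1):
    """Encode a DIAMETER message: 20-byte header followed by the AVPs."""
    body = b"".join(avps)
    header = (bytes([1]) + (20 + len(body)).to_bytes(3, "big")
              + bytes([flags]) + command_code.to_bytes(3, "big")
              + struct.pack("!III", app_id, hbh, e2e))
    return header + body


def is_request(message):
    """743900-1: without the R bit the peer treats the probe as an answer."""
    return bool(message[4] & FLAG_REQUEST)


def command_code(message):
    return int.from_bytes(message[5:8], "big")


def iter_avps(message):
    """Yield (offset, code, flags, length) for each AVP, honoring 4-byte padding."""
    total = int.from_bytes(message[1:4], "big")
    off = 20
    while off + 8 <= total:
        code, flags = struct.unpack("!IB", message[off:off + 5])
        length = int.from_bytes(message[off + 5:off + 8], "big")
        if length < 8:
            raise ValueError("malformed AVP length at offset %d" % off)
        yield off, code, flags, length
        off += length + ((-length) % 4)


def avp_mandatory_flags(message):
    """Map AVP code -> True if its M bit is set (first occurrence wins)."""
    result = {}
    for _, code, flags, _ in iter_avps(message):
        result.setdefault(code, bool(flags & AVP_FLAG_MANDATORY))
    return result


def clear_mandatory_flag(message, avp_code):
    """Return a copy with the M bit cleared on every AVP carrying avp_code.

    The page's iRule ('DIAMETER::avp flags set 269 0') zeroes the whole flags
    byte; clearing only M keeps any V or P bit intact."""
    buf = bytearray(message)
    for off, code, flags, _ in iter_avps(message):
        if code == avp_code:
            buf[off + 4] = flags & ~AVP_FLAG_MANDATORY
    return bytes(buf)


def demo():
    """Constructed CER reproducing 744275-1: Product-Name sent with M set."""
    cer = build_message(CER_COMMAND_CODE, [
        build_avp(ORIGIN_HOST_AVP, b"bigip.example.test", AVP_FLAG_MANDATORY),
        build_avp(PRODUCT_NAME_AVP, b"BIG-IP", AVP_FLAG_MANDATORY),
    ])
    return cer, clear_mandatory_flag(cer, PRODUCT_NAME_AVP)


if __name__ == "__main__":
    original, fixed = demo()
    print("request flag set:", is_request(original), "command:", command_code(original))
    print("M bits before:", avp_mandatory_flags(original))
    print("M bits after: ", avp_mandatory_flags(fixed))
```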


743803-1 : IKEv2 potential double free of object when async request queueing fails

Component: TMOS

Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.

Conditions:
When an async IPsec crypto operation fails to queue.

Impact:
TMM restarts. All tunnels are lost and must be re-established.

Workaround:
No workaround known at this time.


743437-3 : Portal Access: Issue with long 'data:' URL

Component: Access Policy Manager

Symptoms:
HTML page may contain a very long 'data:' URL. Portal Access cannot handle such URLs correctly.

Conditions:
HTML page with a very long 'data:' URL similar to the following example:

    data:image/png;base64,...

Such URLs might be several megabytes long.

Impact:
The rewrite plugin cannot process HTML pages with very long URLs and restarts. The page is not sent to the end user client; web application may not work correctly.

Workaround:
There is no workaround at this time.


743132-6 : mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile

Component: TMOS

Symptoms:
On a chassis platform, if 'tmsh modify sys httpd ssl-certificate' is run immediately after creating a new certificate file, it's possible for mcpd to restart on the secondary blades. This happens when it takes longer for csyncd to copy the new certificate file to the other blades than it takes mcpd to send the modify message to the other blades.

Conditions:
Chassis platform with multiple blades.
Setting the httpd ssl-certificate to a new file.

Impact:
mcpd stops on secondary blades, causing those blades to go offline for a short time while mcpd and other daemons restart.

Workaround:
When setting the httpd ssl-certificate to a new file, wait a few seconds after creating the file before issuing the tmsh modify command.


742838-1 : A draft policy of an existing published policy cannot be modified if it is in /Common and used by a virtual server in a different partition

Component: Local Traffic Manager

Symptoms:
If you have a published policy in /Common that is in use by a virtual server in a different partition, and you try to create and modify a draft of the existing policy, you get an error like this:

"01070726:3: Policy /Common/Drafts/test-policy in partition Common cannot reference policy reference /Common/Drafts/test-policy /test/test-vs in partition test"

This happens in both the GUI and TMSH.

Conditions:
-- A published policy exists in /Common.
-- The published policy is attached to a virtual server in a different partition.
-- Attempt to create and modify a draft of the policy.

Impact:
Inability to edit the published policy.

Workaround:
None.


742829-1 : SIP ALG: Do not translate and create media channels if the RTP port defined in the SIP message is 0

Component: Service Provider

Symptoms:
The BIG-IP system incorrectly handles SDP media ports. The UAC sends an SDP message body advertising that it can handle voice, text, and video. The UAS responds, accepting voice and text but declining video by setting the video port to '0'. The BIG-IP system does not honor the fact that the UAS does not want video, and translates video port '0' to an ephemeral port, causing the UAC to believe it must open a video channel. When the UAC sends a video connection request, the BIG-IP system sends the request to the wrong port (i.e., to the media port for text), which causes the connection to fail.

Conditions:
RTP media port defined in the SIP message is set to 0.

Impact:
Improper media channel creation.

Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.
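The workaround above strips the port-0 media sections and fixes the body length; the following Python example, added here and not F5 code, does the same transformation on a constructed SIP answer so the two steps (dropping the m= section and its attributes, then recomputing Content-Length) can be checked offline. The SDP addresses, ports and codecs are constructed.

```python
"""Strip rejected (port 0) media sections from an SDP body and update the SIP
Content-Length header, mirroring the iRule workaround for 742829-1.
Added example, not F5 code; the sample message is constructed."""


def strip_rejected_media(sdp):
    """Return the SDP with every m= section whose port is 0 removed.

    A media section is its m= line plus all following lines (i=, c=, a=, ...)
    up to the next m= line. Session-level lines before the first m= are kept
    and CRLF line endings are preserved."""
    out = []
    skipping = False
    for line in sdp.splitlines(keepends=True):
        if line.startswith("m="):
            fields = line.split()
            # m=<media> <port>[/<count>] <proto> <fmt>...
            port = fields[1].split("/")[0] if len(fields) > 1 else ""
            skipping = port == "0"
        if not skipping:
            out.append(line)
    return "".join(out)


def rewrite_sip_message(raw):
    """Rewrite the SDP body of a SIP message (bytes) and fix Content-Length."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return raw  # no body, nothing to rewrite
    new_body = strip_rejected_media(body.decode("utf-8")).encode("utf-8")
    if new_body == body:
        return raw
    lines = head.split(b"\r\n")
    for i, header in enumerate(lines):
        if header.lower().startswith(b"content-length:"):
            lines[i] = b"Content-Length: %d" % len(new_body)
    return b"\r\n".join(lines) + sep + new_body


def media_lines(raw):
    """Return the m= lines of a SIP message's body, for inspection."""
    _, _, body = raw.partition(b"\r\n\r\n")
    return [l for l in body.decode("utf-8").splitlines() if l.startswith("m=")]


def content_length(raw):
    """Return the declared Content-Length of a SIP message, or None."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for header in head.split(b"\r\n"):
        if header.lower().startswith(b"content-length:"):
            return int(header.split(b":", 1)[1].strip())
    return None


# Constructed UAS answer: voice and text accepted, video declined with port 0.
SAMPLE_BODY = (
    "v=0\r\n"
    "o=uas 2890844526 2890844526 IN IP4 192.0.2.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=text 49172 RTP/AVP 98\r\n"
    "a=rtpmap:98 t140/1000\r\n"
    "m=video 0 RTP/AVP 31\r\n"
    "a=rtpmap:31 H261/90000\r\n"
)


def build_sample_message(body):
    """Wrap an SDP body in a constructed SIP 200 OK with a correct Content-Length."""
    return ("SIP/2.0 200 OK\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {len(body.encode('utf-8'))}\r\n"
            "\r\n" + body).encode("utf-8")


if __name__ == "__main__":
    message = build_sample_message(SAMPLE_BODY)
    fixed = rewrite_sip_message(message)
    print("before:", media_lines(message), content_length(message))
    print("after: ", media_lines(fixed), content_length(fixed))
```

Note that RFC 3264 offer/answer expects an answer to keep the same number and order of m= lines as the offer, so removing a section is a deliberate deviation that only the page's workaround context justifies.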


742753-4 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail

Component: TMOS

Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.

Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:

- Remove the Referer header.

- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.

Impact:
Users cannot log on to the BIG-IP system's WebUI.

Workaround:
As a workaround, you can do any of the following things:

- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).

- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).

- Modify the proxy solution so that it inserts compatible Referer and Host headers.


742237-4 : CPU spikes appear wider than actual in graphs

Component: Local Traffic Manager

Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.

Conditions:
CPU usage has spikes.

Impact:
Graphs of CPU spikes appear to last longer than they actually last.

Workaround:
Restart statsd to change the start of the RRD sampling interval.


742184-3 : TMM memory leak

Component: Local Traffic Manager

Symptoms:
-- High TMM memory utilization.
-- Aggressive sweeper activated.
-- The 'packet', 'xdata' and 'xhead' caches in the memory_usage_stat tmstat table have high 'allocated' and 'curr_allocs' numbers with a steadily increasing profile.

Conditions:
A fastL4 and an L7 profile (e.g., HTTP) are assigned to a virtual server.

Impact:
Degraded performance, possible TMM crash due to out-of-memory condition.

Workaround:
Do not add an L7 profile to a fastL4 virtual server.


742170-2 : REST PUT command fails for data-group internal

Component: TMOS

Symptoms:
Cannot change content of existing data-group internal using REST PUT command.

Conditions:
Using REST API.

Impact:
Cannot modify data-group internal via the REST API.

Workaround:
Add 'type' in the content.


742142 : Errors in browser console in browser verification challenge

Component: Application Security Manager

Symptoms:
When enabling Browser Verification on the Bot Defense profile, or Suspicious Clients on the Web Scraping feature of the ASM Policy, the following error messages may be shown in the console of the end users' (clients) browsers that are accessing the virtual server.

These messages are cosmetic-only, and do not indicate any functional problem. They are displayed only when the end user opens the browser's Developer Tools to look at the Browser Console.

The messages are:
-- Not allowed to load local resource: chrome://rumola/content/rumola48.png
-- GET chrome-extension://invalid/ 0 ()
-- [Violation] Added synchronous DOM mutation listener to a 'DOMNodeInserted' event. Consider using MutationObserver to make the page more responsive.
-- [Deprecation] 'webkitURL' is deprecated. Please use 'URL' instead.
-- The Web Audio autoplay policy will be re-enabled in Chrome 70 (October 2018). Please check that your website is compatible with it.

Conditions:
-- Browser Verification is enabled on the Bot Defense profile, or Suspicious Clients on the Web Scraping feature of the ASM Policy
-- End user client accesses the virtual server and opens the Developer Tools of the browser.

Impact:
Cosmetic error messages appear in the browser's console when opened.

Workaround:
None.


741449-3 : alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts

Component: Fraud Protection Services

Symptoms:
JAVASCRIPT_THRESHOLD alert should contain 2 timestamps:
1. component-validation cookie timestamp (set on cookie creation)
2. current BIG-IP timestamp

Currently, these timestamps are not available in the alert details.

Conditions:
JAVASCRIPT_THRESHOLD alert is triggered

Impact:
It is impossible to analyze the alert.

Workaround:
There is no workaround at this time.


740959-4 : User with manager rights cannot delete FQDN node on non-Common partition

Component: Local Traffic Manager

Symptoms:
A user that has manager rights for a non-Common partition, but not for the /Common partition, may be denied delete privileges for an FQDN template node that is created on the non-Common partition for which the user does have manager rights.

This occurs because ephemeral nodes created from the FQDN template node are 'shared' in the /Common partition, so the delete transaction fails because the user has insufficient permissions to delete the dependent ephemeral nodes on the /Common partition.

Conditions:
-- A user is created with manager rights for a non-Common partition.

-- That user does not have manager rights for the /Common partition.

-- At least one ephemeral node is created from that FQDN template node (due to DNS lookup), which is not also shared by other FQDN template nodes.

-- That user attempts to delete an FQDN template node on the non-Common partition for which the user has manager rights.

Impact:
The transaction to delete the FQDN template node fails due to insufficient permissions. No configuration changes occur as a result of the FQDN template node-delete attempt.

Workaround:
You can use either of the following workarounds:

-- Perform the FQDN template node-delete operation with a user that has manager rights to the /Common partition.

-- Create the FQDN template node on the /Common partition.


740589-1 : mcpd crash with core after 'tmsh edit /sys syslog-all-properties'

Component: TMOS

Symptoms:
Syslog-ng consumes more than 95% CPU, starving other processes of CPU time. This leads to an eventual mcpd crash with core.

Conditions:
Configuring nonexistent local IP addresses and remote log server.

Impact:
Abnormal CPU usage. Potential eventual mcpd crash with core.

Workaround:
To mitigate the issue, you can use either of the following:

-- Follow these two steps:
 1. Remove the remote log server from the configuration.
 2. Replace the nonexistent local IP addresses with self IP addresses.

-- Configure the remote destination host with a unique parameter in the configuration so that syslog does not get confused if there are multiple entries:
udp(190.45.32.51 port(514) localip(190.46.2.221) persist-name(r1));
udp(190.45.32.51 port(514) localip(190.46.2.222) persist-name(r2));
udp(190.200.60.1 port(514) localip(190.46.2.221) persist-name(r3));
udp(190.200.60.1 port(514) localip(190.46.2.222) persist-name(r4));


740543-1 : System hostname not displayed in console

Component: TMOS

Symptoms:
Hostname is not displayed in the shell prompt in bash and tmsh.

Conditions:
After reboot or upgrade, log in to the host console, shell, or tmsh.

Impact:
Hostname is not displayed in the shell prompt.

Workaround:
Update hostname from GUI/TMSH.


739963-4 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
To restore the state of the member, remove it and add it back to the pool.


739945-4 : JavaScript challenge on POST with 307 breaks application

Component: Application Security Manager

Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.

Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.

Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.

Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.


739553-1 : Setting large number for Wide IP Persistence TTL breaks Wide IP persistence

Component: Global Traffic Manager (DNS)

Symptoms:
Wide IP persistence is not working. Previous Wide IP persistence records are cleared.

Conditions:
This occurs when the Wide IP Persistence TTL plus the persist-record creation time is greater than 4294967295.

Impact:
Wide IP persistence does not work.

Workaround:
There is no workaround other than not setting Wide IP Persistence TTL to a number greater than 4294967295.


739349-3 : LRO segments might be erroneously VLAN-tagged.

Component: Local Traffic Manager

Symptoms:
Segments being processed for large receive offload (LRO) (the action the system performs to aggregate multiple incoming packets within a buffer before passing them up) might be erroneously VLAN-tagged when LRO is enabled.

Conditions:
-- TCP LRO enabled.
-- Egress VLAN untagged.

Impact:
Egress traffic might sometimes be tagged.

Workaround:
Disable TCP LRO. To enable or disable LRO functionality, you can use the following command syntax:

tmsh modify sys db tm.tcplargereceiveoffload value <enable | disable>


739118-1 : Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration

Component: TMOS

Symptoms:
Existing self IP addresses are changed directly in the bigip_base.conf file. After the changed configuration file is loaded, the BIG-IP routing service provides out-of-date self IP route information to dependent services.

Conditions:
- Self IP address is configured on the BIG-IP system.
- Manually change the IP address of a self IP in bigip_base.conf file.
- Load changed configuration via tmsh.

Impact:
Different services have different route information:
-- tmsh table - has the old route.
-- Dynamic routing - has the old and new routes.
-- Kernel table - has the new route.

Workaround:
There are two workarounds, preventive and corrective.
Preventive:
Do not manually change self IP addresses in the bigip_base.conf file. This is not the recommended way to add or change the BIG-IP configuration. Use the GUI or tmsh instead.

Corrective:
If a changed configuration has already been loaded: in the GUI or tmsh, delete the changed self IP address, then create a self IP address with the old IP address and delete it as well. All affected routes are then removed.


738945-4 : SSL persistence does not work when there are multiple handshakes present in a single record

Component: Local Traffic Manager

Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.

Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.

Impact:
The SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded on to the server, but then the connection stalls and eventually hits the idle timeout.

Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.

After changing or disabling persistence, the transaction succeeds and no longer hangs.


738677-1 : Configured name of wildcard parameter is not sent in data integrity alerts

Component: Fraud Protection Services

Symptoms:
FPS sends a data integrity alert when a parameter is configured with 'Check Data Manipulation' enabled.
The alert includes the parameter's actual-name, actual-val-crc, and expected-val-crc.

For wildcard parameters, it is difficult to tell which parameter was found and triggered the data integrity alert, since FPS sends only the actual name that was found in the request.

Conditions:
Wildcard parameter defined for integrity check.

Impact:
Alert analysis is more difficult, as the actual matched parameter is not obvious.

Workaround:
None.


738547-3 : SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII

Component: Access Policy Manager

Symptoms:
When a SAML metadata file that contains certain UTF-8 characters other than ASCII is imported, the SAML SAX parser returns an error.

Conditions:
The SAML metadata file contains certain UTF-8 characters other than the ASCII set.

Impact:
SAML metadata file is not imported, and the system reports an error. SAML configuration on BIG-IP systems is impacted.

Workaround:
Remove the non-ASCII UTF-8 characters, and try the import operation again.


738450-1 : Parsing pool members as variables with IP tuple syntax

Component: Local Traffic Manager

Symptoms:
There is a config loading warning at tmsh similar to the following: unexpected end of arguments;expected argument spec:PORT.

Conditions:
A Tcl variable is used for the IP tuple instead of a plain value.

Impact:
The iRule LB::reselect command may not recognize an IP tuple when it is a variable. A tmsh warning is shown.

Note: There is no warning in the GUI.

Workaround:
Use a plain value instead of a variable.


738045-5 : HTTP filter complains about invalid action in the LTM log file.

Component: Local Traffic Manager

Symptoms:
Payload data is collected at the HTTP_REQUEST event and finishes collecting (HTTP::release) when the NAME_RESOLVED event occurs. On releasing, data is forwarded to the serverside, triggering the HTTP_REQUEST_SEND event.
 
When trying to raise HTTP_REQUEST_SEND, the iRule queues it and returns IN_PROGRESS, because the system is already in the process of running TCLRULE_NAME_RESOLVED. (Nested iRules: TCLRULE_NAME_RESOLVED -> TCLRULE_HTTP_REQUEST_SEND)

Due to the IN_PROGRESS status, tcp_proxy skips forwarding HUDCTL_REQUEST to the serverside, but not the subsequent payload. So the HTTP filter considers this an invalid action.

Conditions:
-- Standard virtual server with iRules attached (for example, using the following configuration for a virtual server):

when HTTP_REQUEST {
    HTTP::collect
    NAME::lookup @10.0.66.222 'f5.com'
}
when NAME_RESOLVED {
    HTTP::release
}
when HTTP_REQUEST_SEND {
    log local0. "Entering HTTP_REQUEST_SEND"
}

-- Client sends two HTTP Post requests.
-- After the first request, the second connection is kept alive (for example, by using HTTP header Connection) so that the second request can reuse the same connection.

Impact:
The second request gets reset, and the system logs errors in the LTM log file.

Workaround:
To avoid nested iRules in this instance, simply remove the HTTP_REQUEST_SEND from the iRule.


737866-2 : Rare condition memory corruption

Component: Application Security Manager

Symptoms:
BD daemon core.

Conditions:
Slow server and slow offload services.

Impact:
A bd crash, traffic disturbance.

Workaround:
None.


737739-1 : bash shell still accessible for admin even if disabled

Component: TMOS

Symptoms:
With the administrator role, you have an option in TMUI to disable or restrict terminal access. If you disable or restrict access, the corresponding REST endpoint is neither disabled nor restricted.

Conditions:
Use TMUI as the admin, or as a user with the administrator role, and either of the following:
-- Disable terminal access.
-- Restrict access to TMSH.

Impact:
Users with the Administrator role can obtain shell access via REST.

With terminal access disabled:
-- If you attempt to log in using SSH, you will not be able to do so.
-- If you make a POST request to the /mgmt/tm/util/bash endpoint with a body that includes a command to run, that command will be run.

With access to TMSH restricted:
-- A POST request to the /mgmt/tm/util/bash endpoint that includes a body with a command to run will be run.

Workaround:
None.


737692 : Handle x520 PF DOWN/UP sequence automatically by VE

Component: TMOS

Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that is passed to the BIG-IP-VE). If an x520 device's PF is set down and then up, tmm does not recover traffic on that interface.

Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.

Impact:
VE does not process any traffic on that VF.

Workaround:
Reboot VE.


737536-2 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.

Component: TMOS

Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|

The goal is to redistribute the default route received by OSPF process 1, which peers with the Internet, into OSPF process 2, while ensuring that if that route is removed (e.g., an Internet link goes down), OSPF process 2 removes the associated route as well. The 'default-information originate' command is the ideal choice for this: as long as the OSPF process 1 default route is in the routing table, the default route is redistributed into OSPF process 2, and if that route is gone, OSPF process 2 immediately removes it from the routing table. However, enabling 'default-information originate' on OSPF process 2 does not affect the outcome, and a default route is not injected as it should be.

Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example:

OSPF router config examples:
***
OSPF 1:
!router ospf 1
 ospf router-id 10.13.0.7
 redistribute ospf
 network 10.13.0.0/16 area 0.0.0.1
 default-information originate

OSPF 2:
router ospf 1
 ospf router-id 10.14.0.5
 redistribute ospf
 network 10.14.0.0/16 area 0.0.0.1

BIG-IP system:
router ospf 1
 ospf router-id 10.13.0.2
 network 10.13.0.0/16 area 0.0.0.1
router ospf 2
 ospf router-id 10.14.0.9
 network 10.14.0.0/16 area 0.0.0.1
***

-- Enabling 'default-information originate' on BIG-IP OSPF process 2 should allow OSPF process 2 to receive the default route advertised by BIG-IP OSPF process 1, if one exists.

# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
 ospf router-id 10.13.0.2
 network 10.13.0.0/16 area 0.0.0.1
router ospf 2
 ospf router-id 10.14.0.9
 network 10.14.0.0/16 area 0.0.0.1
 default-information originate

Impact:
A default route from OSPF process 1 is not advertised into OSPF process 2 routing table.

Workaround:
None.


737379-2 : URLCAT doesn't work when there are uppercase characters in the feedlist

Component: Traffic Classification Engine

Symptoms:
A URL does not get classified when there are uppercase characters in the feedlist.

Conditions:
Using uppercase characters in the feedlist.

Impact:
URL is not classified as expected.

Workaround:
There is no workaround at this time.


737346-1 : After entering username and before password, the logging on user's failure count is incremented.

Component: TMOS

Symptoms:
Listing login failures (i.e., using the following command: 'tmsh show auth login-failures') shows a failed login for the user who is currently logging in via console or SSH.

Conditions:
-- A user is logging in via console or SSH.
-- Between the time the system presents the password prompt and the user enters the password.

Note: This does not apply to GUI or iControl REST logins.

Impact:
If many logins for the same user get to this state simultaneously, it may be enough to exceed a specified lockout threshold, locking the user out.

Workaround:
There is no workaround other than using the GUI or iControl REST to log in to the system.


727191-1 : Invalid arguments to run sys failover do not return an error

Component: TMOS

Symptoms:
If an invalid device name is used in the sys failover command, the device name rejection is logged in /var/log/ltm and failover does not occur. No error or failure message is displayed on the command line.

Note: In prior versions, the system incorrectly performed a force-to-standby operation (no 'device' specified), rather than a directed failover operation (failover to specified 'device'). Although this resulted in the active device becoming standby, it did not cause the system to choose the (nonexistent) device specified.

Conditions:
Run a tmsh command similar to the following:
sys failover standby traffic-group traffic-group-1 device invalid_name

Impact:
Since no failover occurs and no error/warning is returned, this may result in some confusion.

Workaround:
There is no workaround.


726900-1 : Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters

Component: Local Traffic Manager

Symptoms:
Virtual server may attempt to use syncookies on first SYN packet rather than allowing the connection to pass through to the real server.

Conditions:
Modifying a virtual server (CLI/iControl/GUI) to switch from FastL4 or TCP profiles to an 'ip-other' profile.

Impact:
The configured 'ip-other' virtual server fails to accept traffic it should accept. For example, a TCP or UDP flow that should have been accepted and processed by the 'ip-other' virtual server is incorrectly dropped while the system tries to enforce SYN cookie validation.

Workaround:
When switching a virtual server profile from FastL4/TCP to the 'ip-other' profile, delete the virtual server and then re-add it with the 'ip-other' profile.


726647-5 : PEM content insertion in a compressed response may truncate some data

Component: Policy Enforcement Manager

Symptoms:
HTTP compressed response with content insert action can truncate data.

Conditions:
PEM content insertion action with compressed HTTP response.

Impact:
Data might be truncated.

Workaround:
There is no workaround other than disabling compression via the Accept-Encoding attribute in the HTTP request.


726487-4 : VIPRION secondary MCPD, Node Name encodes IP address which differs from supplied

Component: TMOS

Symptoms:
MCPD on secondary blade of VIPRION exits and restarts, logging errors similar to the following:

-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.

-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.

Conditions:
-- VIPRION platform.
-- Non-primary blade.
-- Modified default route domain for a partition.
-- Deleting and creating pool members during configuration save from a different client.

Impact:
Failovers and traffic degradation while blade restarts.

Workaround:
There is no workaround other than not to delete/create pool members from a different client while saving configuration changes in another client.


726011-4 : PEM transaction-enabled policy action lookup optimization to be controlled by a sys db

Component: Policy Enforcement Manager

Symptoms:
There is no way to disable optimization if time-based actions are enabled in the PEM policy and a statistical transaction-based action enforcement is desired.

Conditions:
If the PEM classification tokens do not change.

Impact:
Time-based actions such as insert content may not get applied to such flows.

Workaround:
None.


725874 : AOM update occurs at every boot up

Component: TMOS

Symptoms:
Due to a corrupted AOM image loaded in Manufacturing between 5/15/2018 and 5/31/2018 on certain platforms, TMOS attempts to update the AOM every time TMOS boots. After the update, the system runs normally.

Conditions:
This issue occurs under the following conditions:
-- Using AOM/BMC version 4.06 (4.6.17).
-- Using BIG-IP i2000 or i4000 platforms.
-- The hardware was manufactured between 2018-05-15 and 2018-05-31.

Impact:
Systems that are in this state attempt to update the AOM on every boot, after which they proceed to boot normally.

Note: The AOM-update attempt is not an indication of a functional issue. Although the AOM-update attempt occurs at each bootup, once the attempt completes, the system functions normally.

Workaround:
Manually update the firmware using a later AOM image.


724158 : Virtual server is not accessible from internal host when Traffic Matching Criteria is configured as address subnet

Component: Local Traffic Manager

Symptoms:
When a Traffic Matching Criteria address-range uses a subnet, the related virtual address is created with arp=disabled and icmp=disabled. This means that the address (any address in the subnet) does not respond to ARP or ICMP, and hence the virtual server is unreachable.

If the flags are manually enabled, the virtual server becomes reachable from the client; however, it is still not reachable from the internal host.

Conditions:
When a Traffic Matching Criteria address-range uses subnet, this problem happens.

Impact:
Virtual server is not accessible from internal host.

Workaround:
Use specific address range in Traffic Matching Criteria.


723790-3 : Idle asm_config_server handlers consume a lot of memory

Component: Application Security Manager

Symptoms:
Idle asm_config_server handlers needlessly use a large amount of memory.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a large XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and stays that way, holding on to the memory until it is released by a restart.

Impact:
Unnecessary memory consumption.

Workaround:
1) Lower the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server:
---------------
# perl -pi.bak -e 's/MaxMemorySize=471859200/MaxMemorySize=262144000/' /etc/ts/tools/asm_config_server.cfg
---------------

2) Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------

Notes:
-- The provided workaround does not permanently fix the issue. Instead it alleviates the symptoms of memory pressure, by (1) lowering the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server, and (2) freeing up all the memory that is currently taken by all asm_config_server processes.
-- This workaround does not cause any down time; the asm_config_server processes automatically start within ~30 seconds.


723306-1 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition

Component: Local Traffic Manager

Symptoms:
Loading a valid configuration with 'tmsh load /sys config' fails. The error message appears similar to the following:

    01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
Unexpected Error: Loading configuration process failed.

Conditions:
An internal virtual server is created while a 0.0.0.0 virtual address exists in another partition.

Impact:
The configuration cannot be loaded once the internal virtual server has been created.

Workaround:
Create the internal virtual server first; then create the 0.0.0.0 address in the other partition.


723288-4 : DNS cache replication between TMMs does not always work for net dns-resolver

Component: Global Traffic Manager (DNS)

Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.

Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.

Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.

Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.

Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)


722741-1 : Damaged tmm dns db file causes zxfrd/tmm core

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd/tmm cores on startup.

Conditions:
Damaged tmm dns db file.

Impact:
System remains in a tmm-restart loop caused by tmm opening a corrupted tmmdns.bin on startup and segfaulting. Traffic disrupted while tmm restarts.

Workaround:
Delete the damaged db files.


722707-2 : mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall

Component: Local Traffic Manager

Symptoms:
The 'debug' log for a 'mysql' monitor may incorrectly report data being received from the database when network routing is configured to drop packets from that database, causing confusion when diagnosing packet traffic. This can be triggered by configuring the firewall to allow traffic to/from the 'mysql' database, and then (after the 'mysql' monitor has successfully connected to the database) changing the firewall rules to drop packets returned *from* the database.

Conditions:
-- A 'mysql' monitor successfully connects to the 'MySQL' database.
-- Once the connection is established, firewall rules are changed to 'DROP' packets returned from the 'MySQL' database, resulting in several entries in the 'mysql' monitor 'debug' log that incorrectly suggest packets were received from the 'MySQL' database.

Impact:
Several log entries may be made in the 'mysql' debug log suggesting packets were received from the 'MySQL' database (after a previous successful database probe connection), when in fact those packets were dropped due to changes in the firewall rules. These log entries may confuse debugging scenarios, but will typically self-correct (such as after three log message entries).

Workaround:
When configuring network traffic for 'MySQL' database resources, ensure symmetry for traffic handling (either bi-directional packet routing between 'bigd' and the 'MySQL' database is supported, or neither 'send' nor 'receive' packet routing to the 'MySQL' database is supported).


722534-1 : load sys config merge not supported for iRulesLX

Component: Local Traffic Manager

Symptoms:
iRulesLX configurations are (for the most part) contained in the file system, rather than the 'traditional' BIG-IP config files. An attempt to merge configurations containing iRulesLX using the tmsh command 'load sys config merge' options fails with an error similar to the following:

# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ilx plugin test-plugin {
  from-workspace test-ws
}
Validating configuration...
Unexpected Error: "basic_string::at"

Conditions:
The configuration being merged contains iRulesLX.

Impact:
The merge will fail with the error: Unexpected Error: "basic_string::at". The previous configuration will continue to work.

Workaround:
There is no workaround at this time for merging iRulesLX configuration. If the iRulesLX configuration is removed from the configuration to be merged, the merge will work.


721987 : open-vm-tools now reports selfips in addition to management IP

Component: TMOS

Symptoms:
open-vm-tools (VMware Tools) only reports IP addresses for the management interface. Thus, IP addresses for self IP addresses on VLANs are not visible to automation tools that act on the IP addresses reported through VMware Tools.

Conditions:
This occurs when using BIG-IP Virtual Edition (VE) in VMware environments.

Impact:
The VMware Tools report only their management IP addresses. Any processes, such as automation, that want to discover self IP addresses on VLANs cannot do so using VMware Tools.

Note: This does not represent functionality provided in BIG-IP software. Rather, it is descriptive of how the VMware Tools work. This information is provided here for those whose automation or other tasks might depend on IP addresses reported by VMware Tools.

Workaround:
Connect automation tools to the management interface learned via open-vm-tools.

You can then use tmsh or iControl to discover the self IP addresses for further orchestration or automation.


721605 : Do not fail over data between different versions of BIG-IP software.

Component: Policy Enforcement Manager

Symptoms:
Failover of data between different versions of BIG-IP software may cause a crash if the versions' data structures differ.

Conditions:
Failover of data between different versions of BIG-IP systems.

Impact:
This might cause a software crash if the data structure differs between the versions.

Workaround:
Remove the high availability (HA) configuration (disable session-db mirroring) before upgrading, and then reconnect HA after software upgrade on both chassis is fully completed.


721585-1 : mcpd core processing ltm monitors with deep level of inheritance

Component: TMOS

Symptoms:
If the level of ltm monitor inheritance (defaults-from) is too deep (e.g., 9 levels), mcpd fails to send sod a heartbeat within the heartbeat timeout; therefore sod restarts mcpd.

Conditions:
LTM monitors that have 9 levels of inheritance, for example:

mon1 defaults from mon2, which defaults from mon3, which defaults from mon4 ... through mon10

Impact:
mcpd is restarted which will cause services to failover.

Workaround:
Rework the ltm monitors so that the level of inheritance is less than 9.


721579 : LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing

Component: Carrier-Grade NAT

Symptoms:
When checking persistence TTL by using 'lsndb list all', TTL for 'LSN Persistence Entries' and Age for 'LSN Inbound Mapping Entries' are reset once at around the halfway point of the persistence timeout, even though there is no traffic.

Conditions:
-- LSN with persistence timeout configured.
-- Using the following command: lsndb list all.

Impact:
lsndb shows misleading stats.

Workaround:
There is no workaround at this time.


721020-1 : Changes to the master key are reverted after full sync

Component: TMOS

Symptoms:
Changes to the master key on a device that is in a device cluster are reverted when performing a full sync of any device-group. The master key is reset to its previous value.

Conditions:
-- The BIG-IP system is in a device cluster.
-- You change the master key from within TMSH.

Impact:
Subsequent configuration loads fail on the device.

Workaround:
There is no workaround.


720219-3 : HSL::log command can fail to pick new pool member if last picked member is 'checking'

Solution Article: K13109068

Component: Local Traffic Manager

Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.

Conditions:
-- Using HSL::log command.
-- An iRule with remote high speed logging configured.

Impact:
Failure to send log messages via HSL.

Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.


720084 : SFC statistics under the OUT column are always zero

Component: TMOS

Symptoms:
TMSH displays SFC statistics under the OUT column as zero.

Conditions:
Traffic passing through SFC chains configured on the BIG-IP system.

Impact:
- Zero statistics displayed is misleading.
- Logic created that uses these statistics may be negatively impacted and might not work as expected.

Workaround:
None.


720075 : LSN Translations may fail with 'LSN pick took too long' with NAPT mode and ipport cmp-hash

Component: Carrier-Grade NAT

Symptoms:
Large Scale NAT (LSN) translations might fail when ipport cmp-hash is configured on the ingress and/or egress VLANs. LSN pick fails with LSN_ERR and failure-cause 'LSN pick took too long' on VIPRION B2150 blades, although any platforms may see failures or a decrease in performance.

Conditions:
-- LSN pool in NAPT mode.
-- ipport hash configured on ingress and/or egress VLAN.
-- VIPRION B2150 blades.

Impact:
Potentially, lower performance and failed connections.

Workaround:
Configure the ingress/egress VLANs with either default or SPDAG.


720001 : Using custom default gateway in AWS makes instance metadata endpoint 169.254.169.254 inaccessible.

Component: TMOS

Symptoms:
There are multiple symptoms that a BIG-IP system shows when affected by this issue:
-- Licensing fails on bootup with the following error:
halGetDossier returned error (7): Dossier generation failed.

-- Failover between BIG-IP instances fails abruptly with the following error:
Unable to retrieve domain name from ec2 metadata.

Conditions:
-- Both licensing and failover/HA in AWS depend on access to the instance metadata provided by the EC2 cloud via the HTTP endpoint at 169.254.169.254.

-- The default gateway provided by AWS through DHCP ensures access to this metadata endpoint without any additional configuration. However, when using a custom default gateway, the access to the instance metadata endpoint might not work.

Impact:
- License inoperable after bootup.
- Failover between BIG-IP systems does not complete successfully.

Workaround:
Configure a route for 169.254.169.254/32 to the AWS subnet default gateway, and then run a startup script after mcpd is up to reload the license. The workaround has two parts.

Before upgrade:

Part 1:
-------
On the BIG-IP system, create a management-route for the link-local destination 169.254.169.254.

1) Set the db key to allow a route for the link-local address:
   tmsh modify sys db config.allow.rfc3927 value enable

2) Create a management-route for 169.254.169.254/32 that points to the AWS-provided subnet default gateway:
   tmsh create sys management-route meta-endpoint network 169.254.169.254/32 gateway <AWS subnet GW IP>

3) Save the config:
   tmsh save sys config

4) Create a qkview:
   qkview -f /var/tmp/before_upgrade

Part 2:
-------
Reload the license by running a script once the system is up. (This process is fully documented in K11948: Configuring the BIG-IP system to run commands or scripts upon system startup :: https://support.f5.com/csp/article/K11948.)


719121 : DHCP lease query fails to work when DHCP modes are switched from Relay to Forwarding or vice-versa.

Component: Policy Enforcement Manager

Symptoms:
The BIG-IP system does not process DHCP lease query replies from the server and fails after three retries when DHCP modes are switched from Relay to Forwarding or vice-versa.

Conditions:
-- PEM configured with DHCP Lease Query enabled.
-- DHCP mode switched from Relay to Forwarding or vice-versa, after a successful DHCP Lease query operation.

Impact:
Traffic-generated subscriber detection via DHCP Lease query fails.

Workaround:
Mitigation: Restart the TMM after switching from DHCP relay to forwarding mode or vice-versa.

Note: When configured independently, DHCP in relay mode or forward mode works as expected.


719107 : Message type is not displayed in CLI and incorrect message type is displayed in GUI for Subscriber Management diameter protocol profile message type CCA-T.

Component: Policy Enforcement Manager

Symptoms:
If versions earlier than v13.1.0 have Subscriber Management diameter protocol message type CCA-T, their message type is not displayed on the command-line interface (CLI) and is incorrectly displayed as CCR-I in the GUI when upgraded to later versions.

Conditions:
-- Upgrade to v13.1.0 or later.
-- Configuration has Subscriber Management diameter protocol message type CCA-T.

Impact:
The message type is not displayed in the CLI and is incorrectly displayed as CCR-I in the GUI.

Note: This configuration has no effect.

Workaround:
Delete the Subscriber Management diameter protocol message that has no message-type when viewed from CLI.


718790-1 : Traffic does not forward to fallback host when all pool members are marked down

Component: Local Traffic Manager

Symptoms:
Traffic does not get forwarded to fallback hosts.

Conditions:
All the pool members are marked administrative down.

Impact:
Traffic does not get forwarded.

Workaround:
Assign a properly working monitor to the pool.


718506 : The engineID is included with sync'ed device configuration in the device trust

Component: TMOS

Symptoms:
The engineID is supposed to be unique per device; however, it is possible to configure the engineID directly and it will synchronize across the device trust to multiple devices.

Conditions:
The user has configured a numeric engineID through use of the tmsh sys include directive.

Impact:
The engine ID of a device is not unique.

Workaround:
Do not hard-code a numeric engine ID. If you do not want to use the default generated engine ID, configure the engine ID type instead; a unique ID is then generated even when the configuration is synchronized.


718405-2 : RSA signature PAYLOAD_AUTH mismatch with certificates

Component: TMOS

Symptoms:
IPsec IKEv2 negotiation with other vendors may fail to establish tunnels when certificate authentication is configured, using either RSA signature or DSS.

The value of PAYLOAD_AUTH does not match when the BIG-IP system compares it with what the remote peer sends. The same certificate works when the BIG-IP system is the initiator, but not when another vendor is the initiator.

Conditions:
Interoperating with other vendors under IKEv2 while using certificates.

Impact:
IKEv2 tunnels fail to establish, failing the second IKE_AUTH exchange in the protocol.

Workaround:
Use pre-shared key authentication.


717896-4 : Monitor instances deleted in peer unit after sync

Component: Local Traffic Manager

Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.

During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.

Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.

Impact:
After incremental-sync, a single monitor instance exists for the node on a 'backup' unit in an HA configuration, rather than the several monitor instances that exist for that node on the 'active' unit; that node's session is 'enabled' (where the 'from-node' was 'disabled'); and that node's status may be 'up' (where the 'from-node' was 'user-down'), and later transition to 'down' from a monitor failure.

Thus, after incremental-sync, the target-node may then be 'down', while the active unit in the HA configuration continues to function as expected.

Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.


717328 : XLAT iRule commands do not support TCP Fast Open

Component: Carrier-Grade NAT

Symptoms:
TCP::collect may not find initial data payloads in TFO connections, causing unexpected behavior during iRule execution.

Conditions:
Usage of TCP::collect iRule with TCP Fast Open connections.

Impact:
Loss of connectivity on TCP Fast Open connections.

Workaround:
Disable TCP Fast Open in TCP profiles attached to ALGTK virtual servers by configuring: 'fast-open disabled'.


717324 : XLAT commands do not support DSLITE

Component: Carrier-Grade NAT

Symptoms:
iRule command XLAT::src_endpoint_reservation does not support the creation of DSLITE translations.

Conditions:
iRule XLAT command usage with DSLITE.

Impact:
XLAT iRule commands using DSLITE may not function.

Workaround:
None.


717100-1 : FQDN pool member not added if FQDN resolves to same IP as another existing FQDN pool member

Component: Local Traffic Manager

Symptoms:
FQDN ephemeral pool members and the corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.

The missing FQDN ephemeral pool members may be created an hour after initial operations.

Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.

Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members, and any virtual servers using that pool to fail to pass traffic.

Workaround:
The following steps, alone or in combination, may help avoid this issue:

1. Avoid rapid creation of multiple FQDN template pool members (such as by creating multiple in single tmsh cli transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.

Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.

In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).


716915 : Changing iRule attached to IVS can cause 'not ready for connections' error

Component: Service Provider

Symptoms:
Internally connecting from a parent virtual server to an internal virtual server (IVS) fails, resulting in failure of whatever service was being attempted. This is indicated by the following error message:

err tmm1[29909]: 017b0002:3: IVS (connection from parent 172.16.88.20:60109 -> 10.10.10.10:80): Internal virtual server /Common/ivs_name is not ready for connections.

Subsequent transactions on the IVS on the same TMM fail.

Conditions:
A transaction on a virtual server is in the process of connecting to the IVS internally, while at the same time an iRule is added or modified on that IVS.

Note: This issue occurs because of a race-condition, so it occurs intermittently.

Impact:
The transaction in progress succeeds, but the next transaction on the IVS on the same TMM fails, along with the service it was part of. The IVS no longer functions on the affected TMM until the TMM is restarted.

Workaround:
There is no workaround other than not changing iRules on an IVS while a transaction on a virtual server is in the process of connecting to the IVS internally.

If this occurs after changing the configuration, restart the TMM. Traffic disrupted while TMM restarts.


716714-4 : OCSP should be configured to avoid TMM crash.

Component: Local Traffic Manager

Symptoms:
TMM generates a core if OCSP is not configured in the SSL profile.

Conditions:
OCSP not configured in the SSL profile.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than configuring OCSP in SSL profiles.


716167-2 : the value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the mtu of the kernel interface tmm_bp as given by $ ip a list dev tmm_bp or $ ifconfig tmm_bp

Component: Local Traffic Manager

Symptoms:
The MTU of the tmm_bp kernel interface may be out-of-sync with the value of sys db vlan.backplane.mtu as well as out-of-sync with the MTU displayed by $ tmsh show /net vlan all-properties -hidden.

Conditions:
This issue occurs on first boot after upgrading to versions after 12.1.1 HF1.

Impact:
From the data plane perspective, this issue can cause excessive IP fragmentation on the tmm_bp VLAN and high CPU usage. In some cases it also causes packet loss.

From the config perspective, this issue has a few smaller impacts:
(a) Fragmented packets on the tmm_bp interface if those packets are longer than the actual MTU of the interface as reported by the kernel ($ ip a list dev tmm_bp | egrep -i mtu or $ ifconfig tmm_bp).
   (i) Note: This does not affect the running system. Fragmented packets are reassembled for TCP clients of the tmm_bp interface.
(b) The sys db variable vlan.backplane.mtu may be out of sync with the MTU of the kernel interface tmm_bp as given by $ ip a list dev tmm_bp or $ ifconfig tmm_bp.
(c) Similarly, the sys db variable vlan.backplane.mtu may be out of sync with the MTU of the Net::Vlan tmm_bp as given by $ tmsh show net vlan -hidden tmm_bp.

In short: the vlan tmm_bp MTU (as found in vlan.backplane.mtu) is not applied to the corresponding kernel interface.

Workaround:
A series of subsequent restarts rolls the correct setting through:
  # tmsh stop sys service all
  # tmsh start sys service all

To verify:
  # ip addr show dev tmm_bp ; tmsh show net vlan -hidden tmm_bp \; list sys db vlan.backplane.mtu


715630 : Case insensitive views in IE

Component: Fraud Protection Services

Symptoms:
Using Microsoft Internet Explorer (IE) or Microsoft Edge to navigate between views does not work if the view names differ only in case (e.g., view test1 and view TEST1). IE/Edge does not recognize it as changing views, so WebSafe keeps working with the first view configuration.

Conditions:
1. IE/Edge browser.
2. Have views with same name but different case.

Impact:
WebSafe does not change views. This occurs because the IE browser hash is case-insensitive.

So in the case of the test1/TEST1 example, when you navigate to test1, the configuration loads and you see the message in the console, but when you navigate from test1 to TEST1 (or tEst1, tEST1, etc.), the browser does not do anything and does not change the page, so WebSafe cannot load the TEST1 config.

Workaround:
Use another browser, such as Mozilla Firefox or Google Chrome.


715110-1 : AVR should report 'resolutions' in module GtmWideip

Component: Application Visibility and Reporting

Symptoms:
AVR does not report 'resolutions' in GtmWideip module.

Conditions:
One of the following modules is provisioned: AVR, AFM, or DNS/GTM.

Impact:
There are no statistics reported on 'resolutions' in GtmWideip module.

Workaround:
There is no workaround.


712566 : PEM quota bucket gets deleted after receiving diameter too busy for max retry count

Component: Policy Enforcement Manager

Symptoms:
PEM keeps retrying CCR-i even after reaching max retry count, in the case where OCS responds to CCR-i with DIAMETER_TOO_BUSY result code.

Conditions:
The OCS sends CCA DIAMETER_TOO_BUSY (result code 3004) in response to CCR-i messages.

Impact:
PEM keeps retrying even after the max retry count is reached.

Workaround:
None.


712534 : DNSSEC keys are not generated when configured to use an external FIPS device

Component: Local Traffic Manager

Symptoms:
DNSSEC keys that use an external FIPS device are not generated, and an SELinux denial is reported in /var/log/auditd/audit.log. The logged permission denial should indicate that a process running under the 'mcpd_t' SELinux context was denied the 'execmem' permission.

Conditions:
-- A device is configured with one or more DNSSEC keys that are configured to be generated by an external FIPS device (indicated by the 'use-fips' option being set to 'external').
-- An unpatched version of the Thales client software is in use on the device.

Impact:
DNSSEC keys will not be generated when configured to use the external FIPS device.

Workaround:
Update the version of the Thales client software that is in use on the device.


712335-3 : GTMD may intermittently crash under unusual conditions.

Component: Global Traffic Manager (DNS)

Symptoms:
GTMD may intermittently crash when an unexpected error occurs while creating a statistics row for a resource added to the configuration.

Conditions:
When a pool member is added to the system and there is an unexpected failure to create the associated statistics row.

Impact:
GTMD restarts.

Workaround:
There is no workaround at this time.


711562 : TLS1.3 handshake fails for RSA PSS SHA512 with netHSM RSA 1024-bit key

Component: Local Traffic Manager

Symptoms:
The TLS 1.3 handshake fails with a 1024-bit netHSM key, with the error message:
"C_Sign with pss: pkcs11_rv=0x00000006, CKR_FUNCTION_FAILED".

Conditions:
A 1024-bit RSA netHSM key is used.

Impact:
The C_Sign operation fails, which causes the TLS 1.3 handshake to fail.

Workaround:
Do not use a 1024-bit RSA netHSM key; 1024-bit RSA is not considered safe and is not recommended.


710930-3 : Enabling BigDB key bigd.tmm may cause SSL monitors to fail

Component: Local Traffic Manager

Symptoms:
When bigd.tmm is enabled, SSL monitors may begin to fail.

Conditions:
-- The in-tmm monitoring feature is enabled via the bigd.tmm db variable (it is disabled by default)
-- The cipher string of the attached SSL profile uses keywords that are invalid with TMM.

Impact:
The cipher string will no longer be valid when bigd.tmm is enabled and the keywords will need to be modified or removed. SSL monitors begin to fail after modifying bigd.tmm.

Workaround:
Modify or remove incompatible keywords from the ciphers string; the in-tmm monitoring feature only allows ciphers that are allowed by SSL profiles.


709559 : LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name

Component: TMOS

Symptoms:
Loading configuration fails on upgrade

Conditions:
Must have a profile named "/Common/ssh" and must be upgrading to v12.1.2

Impact:
The system won't be functional

Workaround:
Delete or rename "/Common/ssh"


709319 : Post-login client-side alerts are missing username in bigIQ

Component: Fraud Protection Services

Symptoms:
A client-side alert that contains an FPS-Username header with a value but an empty fpm_username parameter is reported with an "Unknown" username in BIG-IQ.

Conditions:
1. Post-login client-side alerts (the alert is sent after the username parameter is submitted).
2. The alert-pool points to the BIG-IQ IP address (not the Alert Server).

Impact:
Post login client side alerts are missing username (will show as "Unknown" in bigIQ, works well with Alert-Server).

Workaround:
Route all client-side alerts to another virtual server and strip the empty fpm_username parameter from the payload/query string.


707013-3 : vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest

Component: TMOS

Symptoms:
- clusterd restarts on secondary blade
- /var/log/ltm: "Management IP (<guest_management-ip>) already in use by (vcmp guest <guest_name>)"

Conditions:
1. Blade power off/on using the bladectl command allows reproducing the issue ~80% of the time.
2. Not sure if this is specific to platform:
 - was able to reproduce easily on (B2100 - A109),
 - issue reproduced multiple times in customer environment on (B2150 - A113)
 - not able to reproduce with the same steps and version on 4800 (PB300) viprion

Impact:
- Secondary slot on viprion hypervisor is in "INOPERATIVE" state

Workaround:
On the vCMP host, copy the file /shared/db/cluster.conf from the primary to all secondary cluster members.

For a four slot chassis, issue this command from the primary:
$ for i in 1 2 3 4; do scp /shared/db/cluster.conf slot$i:/shared/db/cluster.conf ; done

Clusterd should then recover from the restart loop on secondary blades.


706501-1 : VCMP guest, tmm continues to restart on Cavium Nitrox PX platform

Component: Local Traffic Manager

Symptoms:
TMM continues to restart on vCMP guest.
/var/log/tmm shows:
<13> Feb 1 00:00:30 slot1/hostname notice ** SIGSEGV **
<13> Feb 1 00:00:30 slot1/hostname notice fault addr: 0x1d8
<13> Feb 1 00:00:30 slot1/hostname notice fault code: 0x1
.
.
.

Conditions:
-- Using the following platforms:
  + BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 11xxx.
  + VIPRION 42xx/43xx and B21xx blades.
-- Configure vCMP host and guest.
-- The system has Common Criteria or FIPS mode enabled.

Impact:
vCMP guest can't become active.

Workaround:
There is no workaround.


706106 : PUT request sent to ltm/virtual failed because of ip-protocol property value any

Component: TMOS

Symptoms:
A PUT request to ltm/virtual fails unexpectedly because of the ip-protocol property value 'any'.

Conditions:
When sending a PUT request to ltm/virtual.

Impact:
A PUT request modifies the properties that the user includes in the request and resets all remaining properties to their default values.

The default ip-protocol property value could be 'any', 'ip', or 'hopopt'.

Workaround:
Use a PATCH request instead.


704540 : Monitor configuration with invalid 'key' and 'cert' not detected upon upgrade post v13.1.x

Component: Local Traffic Manager

Symptoms:
A monitor configuration with invalid SSL attributes for 'key' or 'cert' is not detected as invalid, and upon upgrade to v13.1.0 or later may result in an invalid configuration; or it may result in a config that loads with the pool 'up', but the monitor 'key' and 'cert' attributes must be added manually. The invalid configuration includes 'key' and 'cert' attributes that do not match, or that are not supported. This affects the following monitors, which contain SSL attributes: 'https', 'SIP', 'Firepass'.

In some cases this issue may present with valid and matching 'key' and 'cert', with the 'key' in the encrypted form.

Conditions:
-- A pre-v13.1.0 configuration containing monitors with invalid 'key' or 'cert' attributes (i.e., 'https', 'SIP', 'Firepass' monitors).
-- In some cases the 'key' and 'cert' may be valid and match, with the 'key' in the encrypted form.
-- Upgrading that configuration to v13.1.0 or later.

Impact:
After upgrade, the configuration does not load.

Workaround:
You can use the following workarounds:

-- Repair configuration attributes so that 'key' and 'cert' attributes match, so upgrade may complete successfully.

-- Remove the monitors before the upgrade, and re-add them after the upgrade is completed.

-- In the case where the 'key' and 'cert' are valid and match, replace the encrypted key with the decrypted form.

Note: Clearing the 'key' and 'cert' values properly resets the attributes to 'DEFAULT', which is a recommended practice.


704450-5 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration

Component: Local Traffic Manager

Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').

Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.

Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.

Workaround:
Reduce the load on the system.


702800 : bigd crash when processing monitor instance missing node name

Component: Local Traffic Manager

Symptoms:
bigd crashes when processing a node monitor instance that is missing a node name. This behavior has been observed once, and the cause is unknown.

Conditions:
-- A node monitor instance is configured, but which is missing a node name.
-- It is not currently known what other conditions lead to this state.

Impact:
bigd crashes and restarts when processing the node monitor instance that has no node name. Monitor probing from that bigd instance does not occur while bigd restarts.

Workaround:
None. This behavior has been observed once, and the cause is unknown.


701341-4 : If /config/BigDB.dat is empty, mcpd continuously restarts

Solution Article: K52941103

Component: TMOS

Symptoms:
If another issue causes /config/BigDB.dat to be empty, mcpd will fail to start up.

Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.

Impact:
The system will fail to start up, and mcpd will continually restart.

Workaround:
Remove this empty file. (If BigDB.dat is nonexistent, the issue will not occur.)


700449 : Switch statements should be terminated with '--' to mark the end of the options

Component: Access Policy Manager

Symptoms:
Certain system iRules use tcl code that switches on the HTTP path string, taken from the [HTTP::path] command. It is possible to pass a string to it with a leading '-', and TCL interprets this as an option to the switch statement and will likely abort the connection.

Conditions:
Using system iRules:
_sys_APM_ExchangeSupport_OA_BasicAuth
_sys_APM_ExchangeSupport_OA_NtlmAuth
_sys_APM_ExchangeSupport_main

Impact:
TCL will likely abort the connection if such a path is found.
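As an added illustration (not F5 code and not taken from the system iRules named above), the following plain Tcl script shows the defect and its fix: route_unsafe switches on a path the way the affected iRules do, and route_safe adds '--' so that a path beginning with '-' is matched as a string rather than parsed as a switch option. The proc names, route names and sample paths are constructed for the example; in an iRule the path would come from [HTTP::path].

```tcl
# Added example (not F5 code): why a Tcl "switch" on untrusted input needs "--".
# Run with: tclsh switch_demo.tcl

# Vulnerable pattern: the path is handed to switch directly. A path that begins
# with "-" is consumed as a switch option instead of as the string to match, and
# the command raises an error; in an iRule that error aborts the connection.
# Pattern/body pairs are passed as separate arguments (valid in iRules too) so
# that the behaviour is the same in every Tcl version.
proc route_unsafe {path} {
    switch -glob $path \
        "/owa/*"  { return "owa" } \
        "/ews/*"  { return "ews" } \
        default   { return "other" }
}

# Hardened pattern: "--" ends option processing, so whatever follows is always
# treated as the string to match, even when it starts with "-".
proc route_safe {path} {
    switch -glob -- $path \
        "/owa/*"  { return "owa" } \
        "/ews/*"  { return "ews" } \
        default   { return "other" }
}

# Constructed sample paths; the last two begin with "-".
foreach p {/owa/auth /ews/exchange.asmx -nocase -x} {
    if {[catch {route_unsafe $p} result]} {
        puts [format "unsafe %-22s -> Tcl error: %s" $p $result]
    } else {
        puts [format "unsafe %-22s -> %s" $p $result]
    }
    puts [format "safe   %-22s -> %s" $p [route_safe $p]]
}
```

The unsafe proc errors for both dash-prefixed paths, while the safe proc falls through to the default branch for them.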


699757 : TMSH not listing GTM Listener rules when listing all listeners

Component: Global Traffic Manager (DNS)

Symptoms:
TMSH does not show attached iRules on a GTM Listener when listing the listener via 'tmsh list gtm listener'.

Conditions:
A GTM Listener is configured with an iRule attached

Impact:
The iRule attached to a GTM listener is not shown when no listener name is provided.

Workaround:
Specify the name of the listener to see its attached iRules.


698933-6 : Setting metric-type via ospf redistribute command may not work correctly

Component: TMOS

Symptoms:
In a dynamic routing configuration where one OSPF process redistributes routes from another OSPF process and sets a metric-type, the metric type is not changed.

Conditions:
Dynamic routing configuration with two or more OSPF processes redistributing routes using "redistribute ospf <other process number> metric-type <type>".

Impact:
Metric type is not changed.

Workaround:
Change metric-type using a route-map applied to the redistribute command.


696465 : Running 'tmsh run /cm watch-devicegroup-device' does not work for IPv6 connections

Component: TMOS

Symptoms:
Running 'tmsh run /cm watch-devicegroup-device' where the BIG-IP systems config sync addresses are of type IPv6 does not work.

Conditions:
-- Running the command: tmsh run /cm watch-devicegroup-device.
-- BIG-IP systems config sync addresses are of type IPv6.

Impact:
Functionality is not available.

Workaround:
None.


689361-4 : Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)

Component: Local Traffic Manager

Symptoms:
It is possible for an overwrite-configsync to change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device.

Conditions:
Two pool members are monitored; and one references a node not responding to ICMP requests; and a gateway_icmp monitor is on both nodes; and an overwrite-configsync is initiated from a paired device, where the node does respond to ICMP requests from that paired device.

Impact:
The overwrite-configsync causes the 'unchecked' monitor to transition to 'up', when it should remain 'unchecked' for the device to which the node does not respond to ICMP requests.

Workaround:
Ensure the network configuration is such that a monitored node responds to ICMP requests from both (or neither) of the paired devices. Alternatively, initiate configuration changes only from the device to which the node does not respond to ICMP requests.


688542 : SASP GWM monitor always sets No Change / No Send Flag in Set LB State Request

Component: Local Traffic Manager

Symptoms:
The current version of the SASP monitor requests updates from the SASP GWM (Global Workload Manager) only for members whose state has changed from what the GWM last reported. The previous version of the SASP monitor requested periodic updates for all members monitored by the GWM.

Conditions:
Running the version of the SASP (Server/Application State Protocol) monitor included in post-12.1.2 BIG-IP software.

Note: This behavior does not occur with previous versions of the SASP monitor, included in pre-12.1.2 versions of BIG-IP software.

Impact:
This change in behavior from the previous SASP monitor implementation has not been confirmed to cause any observable symptoms. If any symptoms are observed which are suspected to be the result of this change, a support request should be opened with F5 support for further investigation.

Workaround:
None.


687888 : Unexpected result from multiple changes to a monitor-related object in a single transaction

Component: TMOS

Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction will attempt to 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.

Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object, such as (delete, create, modify).

Impact:
The monitor-related object may be unchanged; or monitoring may stop for that object.

Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').


687172-1 : Pools do not appear as expected after deploying iApp via iWorkflow

Component: TMOS

Symptoms:
Only two of three pools are visible in the iApp view on the BIG-IP system after deploying via iWorkflow 2.2, though the missing pool can be found as expected in the Pools view.

Conditions:
-- After deploying via iWorkflow 2.2.
-- Using iApp to view configured pools.

Impact:
Unreliable query response can result in unexpected behavior.

Workaround:
Do not rely on the iApps Component View. Instead, inspect the BIG-IP (management GUI) Local Traffic pages such as Local Traffic :: Pools : Pool List, or examine the /config/bigip.conf file, to ascertain whether a desired BIG-IP configuration has been created.


687044 : tcp-half-open monitors might mark a node up in error

Component: Local Traffic Manager

Symptoms:
The tcp-half-open monitor might mark a node or pool member up when it is actually down, when multiple transparent monitors within multiple 'bigd' processes probe the same IP-address/port.

Conditions:
All of the following are true:
-- There are multiple bigd processes running on the BIG-IP system.
-- There are multiple tcp-half-open monitors configured to monitor the same IP address.
-- One or more of the monitored objects are up and one or more of the monitored objects are down.

Impact:
The BIG-IP system might occasionally have an incorrect node or pool-member status, where future probes may fix an incorrect status.

Workaround:
You can use any of the following workarounds:

-- Configure bigd to run in single process mode by running the following command:
   tmsh modify sys db bigd.numprocs value 1

-- Use a tcp monitor in place of the tcp-half-open monitor.

-- Configure each transparent monitor for different polling cycles to reduce the probability that an 'up' response from the IP address/port is mistakenly viewed as a response to another monitor that is currently 'down'.


686059-4 : FDB entries for existing VLANs may be flushed when creating a new VLAN.

Component: Local Traffic Manager

Symptoms:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN.

Conditions:
- Creating a new VLAN when existing VLANs use trunk members.
- STP is enabled on the trunk member.

Impact:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN. This will result in potential network saturation.

Workaround:
To avoid the FDB flushing on trunk member interfaces of existing, unrelated VLANs, ensure that STP is disabled on the trunk member.


680804 : TMM restart due to delayed keep alives

Component: Advanced Firewall Manager

Symptoms:
TMM is killed with SIGABRT by the sod process, which monitors the health of all processes. TMM misses a keep-alive, which causes the restart.

The stack trace shows that tmm was killed when it was waiting on a memory map (sys_mmap_obj) call.

Conditions:
The memory map call is known to take a long time to complete when the disk IO subsystem is very slow.

On a BIG-IP Virtual Edition, and with a busy hypervisor, the disk IO can get overloaded at times if all VMs are active on IO, choking the IO sub-system.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
This problem is not likely to persist after a TMM service restart, so no user intervention is required.

If this problem happens repeatedly, review the IO resources used by the various VMs provisioned, monitor disk IOPS on vSphere, and ensure that the system is capable of handling a basic level of disk IOPS.


679515 : Connections may fail when source-port=preserve-strict on the virtual, L4 mirroring is enabled and LSN pool/AFM dynamic-pat NAPT mode is configured with default DAG

Component: Carrier-Grade NAT

Symptoms:
Connections may fail even when no colliding flows are present that use the same translation IP and port

Conditions:
Virtual server setting source-port=preserve-strict, L4 mirroring is enabled and LSN pool/AFM dynamic-pat NAPT mode is configured with default DAG

Impact:
Connections fail


679431-4 : In routing module the 'sh ipv6 interface <interface> brief' command may not show header

Component: TMOS

Symptoms:
In the BIG-IP Advanced Routing module, the 'sh ipv6 interface <interface> brief' command does not show a header.

Conditions:
- Advanced Routing module licensed and configured
- From within imish shell, run the command 'sh ipv6 interface <interface> brief'.

Impact:
The header is not shown.

Workaround:
Run the equivalent command without indicating the interface:
sh ipv6 interface brief


679316-7 : iQuery connections reset during SSL renegotiation

Component: Global Traffic Manager (DNS)

Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record

Conditions:
This occurs when a system tries to send data over the iQuery connection while the two endpoints are performing SSL renegotiation.

Note: iQuery connections automatically perform SSL renegotiation every 24 hours.

Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.

Note: This is a subtly different issue from the one (with a very similar error, 140940F5 vs 140940E5) described in Bug ID 477240: iQuery connection resets every 24 hours :: https://cdn.f5.com/product/bugtracker/ID477240.html (K16185: BIG-IP GTM iQuery connections may be reset during SSL key renegotiation :: https://support.f5.com/csp/article/K16185).

This issue occurs even in versions where ID477240 is fixed. There is no fix for this specific trigger of the same message.

Workaround:
There is no workaround at this time.


678117 : 'Can't create a home directory' logged for remote users on secondary blades after configsync

Component: TMOS

Symptoms:
When a remotely authenticated user logs in, a new entry is created in /config/bigip/auth/userrolepartitions. During config sync operations, the secondary blade of the device receiving the config logs the following error:

-- err mcpd[7575]: 01070261:3: Can't create a home directory for username /home/<username> (Failed opening home directory: /home/<username> - No such file or directory)

There is no /home/<username> on the device used as the source of the config sync.

The error message is logged on the secondary blade (of the target system) but not the primary one.

Conditions:
1. Remote user username in /config/bigip/auth/userrolepartitions.
2. No home directory for the remote user in /home/.

Impact:
There is no apparent impact beyond the error message, which sounds quite serious, but has no functional impact.

Workaround:
Create a local user account for each remotely authenticated user.

To do so using the GUI, navigate to System :: Users : User List, and click Create.


678009 : An internal virtual server as a Service Function (SF) displays its capability as NSH unaware

Component: TMOS

Symptoms:
TMSH displays an internal virtual server configured as a Service Function as 'nsh-aware disabled'.

Conditions:
Internal virtual server configured as a service function.

Impact:
Essentially, the BIG-IP system is always in NSH-aware mode. Custom logic outside BIG-IP-provided logic that is based on NSH awareness of a Service Function will be impacted if NSH-aware capabilities are derived from the TMSH output.

Workaround:
None.


677941 : Disabling htsplit is not supported on C124

Component: TMOS

Symptoms:
Setting scheduler.splitplanes.ltm = false (htsplit disabled) causes the C124 (i11400 platform) to fail to pass traffic.

Conditions:
You should not disable htsplit unless requested by F5.

See https://support.f5.com/csp/article/K15003

Since disabling htsplit is not supported on the C124, you should not disable htsplit.

Impact:
None.


676442 : Changes to RADIUS remote authentication may not fully sync

Solution Article: K37113440

Component: TMOS

Symptoms:
With multiple devices in a sync group, changes to remote authentication (for example, changes made using commands such as: tmsh modify auth radius system-auth servers replace-all-with { AAA_a AAA_b } ) will be effective on the device where the change was made.

And although the changes are synced to tmsh config on the other devices in the group, the changes are not effective on those devices, as may be observed by checking that the changes do not appear in /config/bigip/auth/pam.d/system-auth and /config/bigip/auth/pam.d/radius/system-auth.conf.

Conditions:
Devices in a sync group that will sync system-auth config.

Impact:
Changes to RADIUS authentication will not be effective throughout the device group.

Workaround:
After syncing RADIUS changes, run the following command on all devices:
 tmsh save sys config && tmsh load sys config


673357-1 : SWG puts flow in intercept mode when session is not found

Component: Access Policy Manager

Symptoms:
In SWG, flows that should be getting bypassed are placed in intercept mode.

Conditions:
This occurs when the per-request policy receives an HTTPS request and a session is not established.

Impact:
In some cases, the client sees a certificate warning.

Workaround:
If the access policy is "start->allow", the following iRule can be used as a workaround:

when CLIENT_ACCEPTED {
    if { [ACCESS::session exists] } {
        log local0. "Found Access Session"
        log local0. [ACCESS::session exists]
    } else {
        set sid [ACCESS::session create -lifetime 300 -timeout 300 -flow]
        log local0. "No Access Session found, creating $sid"
        ACCESS::session data set session.ui.mode "0"
        ACCESS::session data set session.policy.result "allow"
    }
}


671553 : iCall scripts may make statistics request before the system is ready

Component: TMOS

Symptoms:
iCall scripts may make statistics requests before statsd (a necessary service for stats collection) is ready.

Conditions:
Early during startup.

Impact:
The Tcl script may generate an error and stop working.

Workaround:
Use Tcl's 'catch' command to detect and handle the error.


671261 : MCP does not recognize 'Notify Status to Virtual Address' when using 'Selective' setting of ICMP Echo

Solution Article: K32306231

Component: Local Traffic Manager

Symptoms:
When selecting 'Notify Status to Virtual Address' on a virtual server, and using the 'Selective' setting of ICMP Echo for a corresponding virtual address, MCP does not recognize that this setting has changed and does not modify the ICMP echo settings of the virtual address accordingly. The previous setting will continue to take effect until another (unrelated) change is made to the virtual address.

Conditions:
The 'Selective' setting of ICMP Echo is used for a virtual address, and the user selects 'Notify Status to Virtual Address' on a virtual server associated with that address.

Impact:
The previous setting will continue to take effect, until an (unrelated) change is made to the virtual address, at which point the new setting will take effect.

Workaround:
After changing the 'Notify Status to Virtual Address' on a virtual server (where 'Selective' setting of ICMP Echo is used for the corresponding virtual address), make another change to the virtual address to cause the new setting to take effect.


670069 : Rare tmm crash when changing the configuration of a FastL4 virtual server while passing traffic.

Component: Local Traffic Manager

Symptoms:
Rare tmm crash when changing the configuration of a FastL4 virtual server while passing traffic.

Conditions:
-- FastL4 virtual server.
-- Configuration change while passing traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None. This is a rarely occurring issue.


668041-4 : Config load fails when an iRule comment ends with backslash in a config where there is also a policy.

Solution Article: K27535157

Component: TMOS

Symptoms:
Config load fails when an iRule contains a commented line that ends with an escape character (backslash), and the config also contains an LTM policy. Depending on the iRule, you might also see the following error: Syntax Error:(/config/bigip.conf at line: 42078) double quotes are not balanced.

Conditions:
-- iRule contains commented line that ends with a backslash.
-- The config also contains a policy.

For example, an iRule similar to the first example, and a policy similar to the second:

ltm rule /Common/log_info {
    when HTTP_RESPONSE {
        #log local0. "Original Location header value: [HTTP::header value Location],\
         updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
    }
}

...

ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    rules {
        TestPol_Rule1 {
            actions {
                0 {
                    forward
                    select
                    node 10.2.10.20
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    matches
                    values { 10.1.10.20 }
                }
            }
        }
    }
    strategy /Common/first-match
}

Impact:
Config load fails.

Workaround:
You can use any of the following workarounds:
-- Delete the line of code with the comment.
-- Put the entire comment on one line of code.
-- Divide lengthy comments into a series of smaller ones, so that each comment fits within one line of code.
-- Move the iRule so that it is sequentially before the LTM policy in the config file.


666378-1 : A virtual server's connections per second (precision.last_value) is confusingly named.

Component: Local Traffic Manager

Symptoms:
A virtual server's current connections-per-second statistic has a confusing name. The statistic is maintained when rate limiting is configured for a virtual server. The statistic is updated when the virtual hits a rate-limiting condition, and it stays at the last value it held when the limit was hit.

Conditions:
If the rate limit is never configured then the value is 0. If the rate limit is configured and is hit, then the value is the active count when the limit was hit. The value stays at that count until the limit is hit again.

Impact:
There is no functional impact, but the statistic's meaning is confusing.

Workaround:
The MIB description should clarify the meaning of this statistic.


663946-6 : VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments

Component: Advanced Firewall Manager

Symptoms:
When DNS is under load greater than the AFM-configured rate limit, certain IPv4 packets are categorized as IPv6 atomic fragments and may be dropped due to rate limits.

Conditions:
-- AFM enabled.
-- DNS load greater than AFM-configured rate limit for IPv6 atomic fragments (default 10 KB).

Impact:
May result in lower than expected DNS load test results.

Workaround:
Use either of the following workarounds:
-- Disable AFM.
-- Increase detection limit for IPv6 atomic fragments under AFM.

Note: For AFM hardware DoS protection, the host and vCMP guest must be the same version. To prevent this issue, disable hardware DoS checking on the vCMP guest by setting the sys db variable dos.forceswdos to 'true'.


660759-1 : Cookie hash persistence sends alerts to application server.

Component: Fraud Protection Services

Symptoms:
When Persistence cookie insert is enabled with a non-default cookie name, the cookie might be overwritten after an alert is handled.

Conditions:
-- A persistence profile is attached to the virtual server.
-- The profile relies on cookie hash persistence.
-- A non-default cookie name is used for cookie persistence.

(Default cookie naming strategy appends Pool Name, which results in two cookies set with different names and different values, leaving the application pool persistence cookie unmodified.)

Impact:
Alerts are sent to the application server. Traffic might be sent to the wrong pool member.

Workaround:
Use an iRule similar to the following to remove persistence cookie in case of alerts:

ltm rule /Common/cookie_persist_exclude_alerts {
    when HTTP_REQUEST {
        # The usual persistence cookie profile stays enabled for all other requests.
        if { [HTTP::path] eq "/<alert-path>/" } {
            persist none
        }
    }
}


659948 : statemirror.ipaddr db variable does not sync to peers

Component: TMOS

Symptoms:
Modifying /sys state-mirroring or db variable statemirror.ipaddr does not sync to peers.

Conditions:
-- Modify /sys state-mirroring or db variable statemirror.ipaddr.
-- Sync to peers.

Impact:
Attempts to configure State Mirroring appear to have been successful, but the system does not state-mirror properly because the configuration is not properly synchronized.

Workaround:
Update State Mirroring configuration via the 'cm device' object in tmsh, or via the GUI.


657834-5 : Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent

Solution Article: K45005512

Component: TMOS

Symptoms:
When using OSPF with high load and network recalculation there is a possibility of a race condition that can lead to additional OSPF retransmissions being sent out. This might also cause SNMP traps to be sent, if configured on the system.

Conditions:
-- OSPF routing protocol configured.
-- System configured to send SNMP traps.
-- OSPF instability/networking flaps.

Note: The greater the number of routes flapping, the more likely to see the condition.

Impact:
There is no impact on the OSPF processing itself. The additional traffic does not cause failing adjacencies or loss of routing information.

However, this might cause many additional OSPF related traps to be sent, which might cause additional load on the external network monitoring system.

Workaround:
While this does not have a direct workaround, you may want to investigate the cause of the network/OSPF instability that causes the additional retransmissions.


655592 : PEM bigTCP optimization is wrongly selected in case of UNKNOWN subscriber policy.

Component: Policy Enforcement Manager

Symptoms:
Some PEM policy actions require a full-proxy implementation and do not work with bigTCP, but bigTCP is selected for those actions anyway.

Conditions:
PEM listener is configured with optimization. An UNKNOWN user policy gets applied with an action that cannot be used with bigTCP (HTTP redirect for example).

Impact:
Subscribers whose credentials are not known do not get correct remedial action.

Workaround:
Disable optimization in PEM profile. Create separate virtual servers with bigTCP to get the utility of optimization.


655383 : Failure to extend database continues to execute rather than halting because of fragmented state.

Component: Local Traffic Manager

Symptoms:
A rarely occurring failure to extend the database (caused by fragmented state) results in operations continuing to execute rather than halting. Various behaviors might occur, for example: unexpected traffic to disabled pool members, intermittent updated cert usage, receipt of messages such as 'MCP message handling failed' or 'Memory allocation failed: can't allocate memory to extend db size', and others.

Conditions:
TMM heap is fragmented such that memory allocation fails when extending the database.

Impact:
Operations continue to execute rather than halting, as would be expected. The system might report a variety of unexpected log messages and/or behaviors due to subsequent inconsistent state.

Note: This is an extremely rare condition that occurs only when TMM is left in an inconsistent state. Although it is possible that this might eventually lead to bad behavior downstream, the event itself does not cause memory issues.

Workaround:
None.


647590 : Apmd crashes with segmentation fault when trying to load access policy

Component: Access Policy Manager

Symptoms:
Rarely, apmd restarts when trying to re-load an access policy.

Conditions:
This occurs when some of the policy items are modified while apmd is trying to re-load the access policy.

Impact:
The apmd process restarts.

Workaround:
None.


641450-7 : A transaction that deletes and recreates a virtual may result in an invalid configuration

Solution Article: K30053855

Component: TMOS

Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.

Config load error:
    01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.

Configuration-change-time error in /var/log/ltm:
    err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>

Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).

Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.

Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
   1. Delete virtual server.
   2. Create virtual server (with an empty profile list).
   3. Modify the virtual server's profile list.


639619-7 : UCS may fail to load due to Master key decryption failure on EEPROM-less systems

Component: TMOS

Symptoms:
The following error:
'Symmetric Unit Key decrypt failure - decrypt failure'
is logged to /var/log/ltm when attempting to load a UCS.
The configuration then fails to load due to a secure attribute decryption failure.

Conditions:
1. UCS contains secure attributes.
2. UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS.
4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)

Impact:
The configuration fails to load.

Workaround:
Perform the following procedure:

1. Stop the system:
# bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS
4. Remove the mcp db to forcibly reload the keys:
# rm -f /var/db/mcpd.bin
# rm -f /var/db/mcpd.info

5. Restart the system and reload the configuration:
# bigstart start
# tmsh load sys config
or
# reboot


636823 : Node name and node address

Component: TMOS

Symptoms:
If you create a node with a name that is an IP address, but the IP address differs from the name, an error can occur when adding the node to a pool.

Conditions:
This can occur if the node name is, for example, /Common/10.10.10.10 and the IP address is 10.10.10.10%1.

Impact:
When you attempt to add the node to a pool, an error will occur:

Node name /Common/10.10.10.10 encodes IP address 10.10.10.10 which differs from supplied address field 10.10.10.10%1

Workaround:
If you set the node name to an IP address it must be identical to the actual IP address.


636615 : Whitespace is manipulated when using certificate export/import

Component: TMOS

Symptoms:
Whitespace is manipulated when using certificate export/import. This causes the certificates to have different checksums despite being functionally identical.

Conditions:
-- Export a certificate.
-- Import the same certificate.

Impact:
Two certs are functionally identical, but whitespace differences not introduced by the user cause checksums to vary.

Workaround:
None.


633110 : Literal tab character in monitor send/receive string causes config load failure, unknown property

Solution Article: K09293022

Component: Local Traffic Manager

Symptoms:
BIG-IP allows you to paste in monitor send or receive strings that contain tabs, but the tabs are not quoted when the string is saved to the configuration. This causes the configuration load to fail with the following error signature:

Loading configuration...
  /config/bigip_base.conf
  /config/bigip_user.conf
  /config/bigip.conf
Syntax Error:(/config/bigip.conf at line: <line>) "<text>" unknown property

Conditions:
This can occur if you copy a monitor send or receive string that contains a tab and paste it into the send/recv string field in tmsh or the GUI.

Impact:
The monitor will not work as expected, and subsequent config loads will fail on unknown property.

Workaround:
Since you are still able to use the BIG-IP GUI, you can update the monitor send or receive string using \t to represent the tab, and save the changes.


631083 : Some files in home directory are overwritten on password change

Component: TMOS

Symptoms:
The files

  .bash_logout
  .bash_profile
  .bashrc

in a user's home directory are overwritten when that user's password is changed.

Conditions:
Change a user's password.

Impact:
Customizations to these files would be lost on password change. This only applies to users with advanced shell access.

Workaround:
Back up the files to a different location before making a password change.


625807-1 : tmm cored in bigproto_cookie_buffer_to_server

Component: Local Traffic Manager

Symptoms:
TMM cores on SIGSEGV during normal operation.

Conditions:
It is not known exactly what triggers this, but it may be triggered when a connection is aborted in a client-side iRule. The following log signature may indicate that this is occurring:

tmm3[11663]: 01220009:6: Pending rule <irule_name> <HTTP_REQUEST> aborted for <ip> -> <ip>

Impact:
Traffic disrupted while tmm restarts.


621260-2 : mcpd core on iControl REST reference to non-existing pool

Component: TMOS

Symptoms:
MCPd cores when attempting to create a pool and a monitor reference by using a REST call such as:

curl -u admin:admin -H "Content-Type: application/json" -X POST http://localhost:8100/tm/ltm/pool -d'{"name":"test_pool","monitor":" "}'

Conditions:
The monitor reference in the REST call must consist of a single space character.

Impact:
MCPd restarts, causing many of the system daemons to restart as well.

Workaround:
Don't use spaces in the monitor reference name.


620896-1 : mcpd fails to load configuration on upgrade if transparent monitors are configured for FQDN nodes

Component: Local Traffic Manager

Symptoms:
In /var/log/ltm, the following errors are logged:

Oct 6 07:01:11 localhost err tmsh[11209]: 01420006:3: Loading configuration process failed.
Oct 6 07:01:12 localhost emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all" - failed. -- 01070734:3: Configuration error: Transparent monitors are not currently available for FQDN nodes. Unexpected Error: Loading configuration process failed.

Conditions:
Running 11.6.0 or prior with transparent monitors configured for FQDN nodes and then upgrading to 11.6.1 or higher.

Impact:
The BIG-IP will stay INOPERATIVE until the configuration is changed and loaded.

Workaround:
After the upgrade, bigip.conf needs to be changed so that the transparent monitor is no longer configured for the FQDN node. After the edits are made, the config needs to be reloaded.


620053 : Gratuitous ARPs may be transmitted by active unit being forced offline

Component: Local Traffic Manager

Symptoms:
When the cluster's active blade is forced offline, the non-primary blades may send gratuitous ARPs.

Conditions:
Cluster's active blade is forced offline.

Impact:
Potential impact to traffic if the gratuitous ARPs of the blade going offline are received before the unit takes over as primary, or if gratuitous ARPs are rate-limited on upstream or downstream devices.

Workaround:
Fail over the cluster before forcing it offline, or configure MAC masquerading.


615443 : HSL::send does not support handle of type string

Solution Article: K09481738

Component: Local Traffic Manager

Symptoms:
HSL::send performs no action when supplied with a logging handle which is a Tcl string.

Conditions:
Pass handle of type string to HSL::send.

Impact:
HSL::send does not perform intended action.

Workaround:
Use handle provided by HSL::open directly.


600985-1 : Network access tunnel data stalls

Component: Access Policy Manager

Symptoms:
In certain scenarios, the network access tunnel stays up; however, no data transfer occurs on the tunnel. This issue occurs intermittently.

Conditions:
The cause of this issue is not yet known.

Impact:
Data stalls on the tunnel, so the client cannot access any applications. However, Edge Client shows the VPN tunnel as 'Connected'.

Workaround:
Manually re-establish the tunnel.


600466 : Monitored nodes are not marked down upon receipt of ICMP Unreachable / Administratively Prohibited.

Component: Local Traffic Manager

Symptoms:
Monitored nodes are not marked down upon receipt of ICMP Unreachable / Administratively Prohibited.

Conditions:
ICMP Unreachable / Administratively Prohibited received.

Impact:
Monitored nodes are not marked down.

Workaround:
None.


591305-3 : Audit log messages with "user unknown" appear on install

Component: TMOS

Symptoms:
Multiple log entries in /var/log/audit similar to

May 4 11:37:35 localhost notice mcpd[5488]: 01070417:5: AUDIT - client Unknown, user Unknown - transaction #33-1 - object 0 - create_if { db_variable { db_variable_name "version.edition" db_variable_value "<none>" db_variable_sync_type "private_internal" db_variable_data_type "string" db_variable_display_name "Version.Edition" } } [Status=Command OK]

Conditions:
This happens on initial install; it is not yet known what triggers it.

Impact:
This is the result of a daemon on the system not properly identifying itself to mcpd. The log messages can be safely ignored.


582595 : default-node-monitor is reset to none for HA configuration.

Solution Article: K52029952

Component: Local Traffic Manager

Symptoms:
default-node-monitor is reset to none for high availability (HA) configuration.

Conditions:
Scenario #1
Upgrading an HA active/standby configuration and rebooting the standby,
where the configuration consists of the following:
  * ltm node with a monitor.
  * ltm default-node-monitor with a different monitor.

Scenario #2
Given an HA active/standby configuration with an ltm default-node-monitor configured, set device-group sync-leader.

Impact:
Monitoring will stop after upgrading or setting sync-leader for all nodes that relied on the default-node-monitor.

Workaround:
Reconfigure a default-node-monitor.


571482 : Unbalanced double-quotes may merge lines upon config save-then-load

Component: Local Traffic Manager

Symptoms:
Unbalanced double-quotes used in the configuration will cause load failure, or will merge subsequent configuration lines until a balancing double-quote character is found. For example, an improper expression may be used to configure a monitor 'recv' value that results in an unbalanced (odd number) of double-quote characters, such as "R\\"eceive" (note three double-quote characters, resulting in an unbalanced string).

The string is considered unbalanced with an odd number of double-quote characters, regardless of escaping (such as double- or triple-backslash escaping).

Conditions:
An odd count of double-quotes is used for a configuration value, resulting in an unbalanced string.

For example, configuring a monitor 'recv' value as "R\\"eceive" results in an unbalanced string (notice three double-quotes, an odd number).

Impact:
The configuration will fail to load, as it is improperly formed. In some cases the configuration may successfully load, but the unbalanced string will cause newline(s) to be implicitly escaped until a balancing double-quote is found; this will merge subsequent lines to the unbalanced line, resulting in the consumed lines to not be considered as configuration values, but as the merged continuation of the unbalanced line.

Workaround:
Modify configuration values that use double-quotes to be balanced (i.e., configuration items should have an even number of double-quote characters, even if they are escaped).
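The three configuration pitfalls described in this section (a node whose name encodes a different IP address than its address field, 636823; a literal tab in a monitor send/recv string, 633110; an odd number of double-quote characters in a value, 571482) can all be caught on a copy of bigip.conf before a config load. The following Python script is an added example, not F5 code and not part of this document. It runs the three checks over a constructed bigip.conf fragment (the stanza layout assumed here mirrors the saved configuration format shown elsewhere on this page), counts raw double-quote characters regardless of escaping, exactly as the entry above describes the loader doing, and applies the documented \t workaround to a tab.

```python
import re
from ipaddress import ip_address

# Constructed bigip.conf fragment (not taken from any real system) that exhibits
# the three problems described above: a literal tab in a monitor recv string
# (633110), an unbalanced double-quote count (571482), and a node whose name
# encodes an IP address that differs from its address field (636823).
SAMPLE_CONF = (
    'ltm monitor http /Common/mon_tab {\n'
    '    recv "HTTP/1.1 200\tOK"\n'            # \t here is a real tab character
    '    send "GET / HTTP/1.1\\r\\n\\r\\n"\n'
    '}\n'
    'ltm monitor http /Common/mon_unbalanced {\n'
    '    recv "R\\\\"eceive"\n'                # three double-quote characters
    '    send "GET /\\r\\n"\n'
    '}\n'
    'ltm node /Common/10.10.10.10 {\n'
    '    address 10.10.10.10%1\n'
    '}\n'
    'ltm node /Common/web1 {\n'
    '    address 10.10.10.11\n'
    '}\n'
)


def find_unbalanced_quotes(conf):
    """Lines with an odd number of double-quote characters.

    The loader counts raw '"' characters regardless of backslash escaping,
    so escaping is deliberately ignored here as well."""
    return [(n, line) for n, line in enumerate(conf.splitlines(), 1)
            if line.count('"') % 2 == 1]


def find_literal_tabs(conf):
    """Monitor send/recv lines that contain a raw tab character."""
    return [(n, line) for n, line in enumerate(conf.splitlines(), 1)
            if line.strip().startswith(("send ", "recv ")) and "\t" in line]


def escape_tabs(value):
    """Apply the documented workaround: represent each tab as the two characters \\t."""
    return value.replace("\t", "\\t")


NODE_RE = re.compile(r"^ltm node (\S+) \{")
ADDR_RE = re.compile(r"^\s*address (\S+)")


def find_node_name_mismatches(conf):
    """Nodes whose name is an IP address that is not identical to the address field."""
    hits, name = [], None
    for line in conf.splitlines():
        m = NODE_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and name is not None:
            leaf = name.rsplit("/", 1)[-1]
            try:
                ip_address(leaf)            # only names that are IP addresses matter
            except ValueError:
                pass
            else:
                if leaf != m.group(1):
                    hits.append((name, m.group(1)))
            name = None
    return hits


def lint(conf):
    """Run all three checks and return a findings dictionary keyed by check name."""
    return {
        "unbalanced_quotes": find_unbalanced_quotes(conf),
        "literal_tabs": find_literal_tabs(conf),
        "node_name_mismatch": find_node_name_mismatches(conf),
    }


if __name__ == "__main__":
    for check, findings in lint(SAMPLE_CONF).items():
        for finding in findings:
            print(f"{check}: {finding}")
```

To run it against a real configuration, pass the file contents to lint(), for example lint(open("/config/bigip.conf").read()) on a copy taken from the system. The quote check is intentionally naive because that is how the loader behaves: a backslash before a double-quote does not make it balanced.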


567723 : Config verify may alter tacacs system-auth

Component: TMOS

Symptoms:
TACACS system-auth stops working after running config verify.

Conditions:
Running config verify where the tacacs system-auth does not match the running config (e.g., altered secret or server list).

Impact:
Unable to login to system with tacacs system-auth.

Workaround:
Reload the running configuration.


566980 : Periodic error "User login disallowed" messages logged referring to user "guest"

Component: TMOS

Symptoms:
In /var/log/ltm, the following may be seen periodically:

Jan 11 14:40:43 slot1/test err mcpd[9432]: 01070827:3: User login disallowed: User (guest) is not an administrator, does not have a UID of zero, and has not been assigned a role on a partition.

Conditions:
Unknown

Impact:
Unknown, but likely minimal apart from the extraneous log messages.


527448 : Monitor state remains 'manual-resume-wait' after disabling and then re-enabling the monitor.

Component: Local Traffic Manager

Symptoms:
When using a monitor with the 'manual resume' feature enabled, the member will remain disabled after forcibly disabling then re-enabling the monitor.

Conditions:
Using monitor with the 'manual resume' configured.

Impact:
Member remains disabled after forcibly disabling then re-enabling the monitor.

Workaround:
None.


517829-2 : BIG-IP system resets client without sending error report when certificate is revoked

Solution Article: K16803

Component: TMOS

Symptoms:
When the BIG-IP system is configured for OCSP authentication, if the OCSP server reports that a certificate has been revoked, client connections are reset without sending SSL error alerts.

Conditions:
BIG-IP system configured for OCSP authentication.

Impact:
Client connections are reset without sending SSL error alerts.

Workaround:
Use the following iRule for the OCSP authentication profile instead of the system-supplied iRule:

when CLIENT_ACCEPTED {
    set tmm_auth_ssl_ocsp_sid 0
    set tmm_auth_ssl_ocsp_done 0
}

when CLIENTSSL_CLIENTCERT {
    if {[SSL::cert count] == 0} {
        return
    }
    set ssl_version [SSL::cipher version]
    set tmm_auth_ssl_ocsp_done 0
    if {$tmm_auth_ssl_ocsp_sid == 0} {
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
        AUTH::subscribe $tmm_auth_ssl_ocsp_sid
    }
    AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $tmm_auth_ssl_ocsp_sid
    SSL::handshake hold
}

when CLIENTSSL_HANDSHAKE {
    set tmm_auth_ssl_ocsp_done 1
}

when AUTH_RESULT {
    if {[info exists tmm_auth_ssl_ocsp_sid] && ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
        set tmm_auth_status [AUTH::status]
        array set tmm_auth_response_data [AUTH::response_data]
        if {$tmm_auth_status == 0} {
            set tmm_auth_ssl_ocsp_done 1
            SSL::handshake resume
        } elseif {($tmm_auth_status == 1) && ($tmm_auth_response_data(ocsp:response:status) eq "revoked")} {
            # Send a fatal TLS alert (record type 0x15, level 2, description 44 =
            # certificate_revoked) so the client learns why the handshake failed,
            # then close the connection. Tcl requires elseif/else on the same
            # line as the preceding closing brace.
            if { $ssl_version equals "TLSv1.2" } {
                set hex_version "0303"
            } elseif { $ssl_version equals "TLSv1.1" } {
                set hex_version "0302"
            } elseif { $ssl_version equals "TLSv1.0" } {
                set hex_version "0301"
            } else {
                reject
                return
            }
            set hex_response "15${hex_version}0002022C"
            set bin_response [binary format H* $hex_response]
            TCP::respond "$bin_response"
            TCP::close
        } elseif {($tmm_auth_status != -1) || ($tmm_auth_ssl_ocsp_done == 0)} {
            reject
        }
    }
}
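The hex string the iRule above hands to TCP::respond is a raw TLS alert record: content type 0x15, the negotiated protocol version, a two-byte length of 2, alert level 2 (fatal) and alert description 44 (certificate_revoked). The following Python encoder/decoder is an added example, not part of the K16803 iRule and not F5 code. It reproduces the exact bytes for each version the iRule handles and decodes a record of the same shape, so the behaviour can be confirmed from a packet capture of the client connection. The version names and the alert-description numbers are the standard RFC 5246 values, not taken from this document.

```python
import struct

# TLS constants from RFC 5246 (standard values, not from this document).
ALERT_CONTENT_TYPE = 0x15
ALERT_LEVEL_WARNING = 1
ALERT_LEVEL_FATAL = 2

# Protocol version strings as the iRule compares them, mapped to the wire encoding.
TLS_VERSIONS = {"TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}

# A subset of AlertDescription values relevant to certificate validation.
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    49: "access_denied",
}


def build_alert(version, description, level=ALERT_LEVEL_FATAL):
    """Build a 7-byte TLS alert record: type(1) version(2) length(2) level(1) desc(1).

    Raises ValueError for a version the iRule does not handle (it calls reject there)."""
    if version not in TLS_VERSIONS:
        raise ValueError(f"unsupported protocol version {version!r}")
    return struct.pack("!BHHBB", ALERT_CONTENT_TYPE, TLS_VERSIONS[version],
                       2, level, description)


def parse_alert(record):
    """Decode a TLS alert record into its fields; ValueError if it is not one."""
    if len(record) != 7:
        raise ValueError("a TLS alert record is exactly 7 bytes")
    ctype, ver, length, level, desc = struct.unpack("!BHHBB", record)
    if ctype != ALERT_CONTENT_TYPE or length != 2:
        raise ValueError("not a TLS alert record")
    version = next((name for name, code in TLS_VERSIONS.items() if code == ver),
                   f"0x{ver:04x}")
    return {
        "version": version,
        "level": "fatal" if level == ALERT_LEVEL_FATAL else "warning",
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
    }


if __name__ == "__main__":
    for name in TLS_VERSIONS:
        rec = build_alert(name, 44)
        print(name, rec.hex(), parse_alert(rec))
```

For a TLSv1.2 client this yields 1503030002022c, the same bytes the iRule builds from "15" + "0303" + "0002022C"; a decoder that reports certificate_revoked on that record confirms the workaround is reaching the client instead of a bare TCP reset.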


508302 : Auto-sync groups may revert to full sync

Component: TMOS

Symptoms:
If a large number of configuration changes in the same device group are being applied rapidly, device sync may start to generate full loads instead of incremental patches.

Conditions:
This only affects auto-sync device groups.

Impact:
The system may spuriously start to generate full loads instead of incremental changes.

Workaround:
Any of these is sufficient:

* If a large series of syncs are expected, temporarily disable auto-sync for the device group in question.

* Wrap all of the changes into a single transaction.

* Add a short pause in between changes.


504273 : Double count for PEM action and policy with forwarding endpoint

Component: Policy Enforcement Manager

Symptoms:
The policy & action hit count for subscribers is incremented twice.

Conditions:
1. The subscriber is of the origin data traffic.
2. The flow that created the subscriber lives longer than 60 seconds.

Impact:
In the above-mentioned condition, which is very rare, the action and policy counts are incremented twice.

Workaround:
None


486712-5 : GUI PVA connection maximum statistic is always zero

Component: TMOS

Symptoms:
The GUI PVA connection maximum statistic is always zero, regardless of the number of PVA connections established.

Conditions:
This occurs when fastL4 connections are used.

Impact:
The customer cannot determine the maximum number of PVA connections because the stat is always zero.


484683-2 : certificate_summary is not created at peer when the chain certificate is synced to HA peer.

Solution Article: K84174454

Component: TMOS

Symptoms:
After config-sync, the peer of a high-availability (HA) pair cannot show the cert-chain summary using 'tmsh run sys crypto check-cert verbose enabled'.

Conditions:
Conditions leading to this issue include:
1.) Set up an HA pair.
2.) Import Certificate chain to one BIG-IP system.
3.) 'run config-sync' to sync the Certificate chain to the peer BIG-IP system.

Impact:
After config-sync, the peer of the HA pair cannot show the cert-chain summary using 'tmsh run sys crypto check-cert verbose enabled'.

Workaround:
Copy the cert-chain file to a location such as /shared/tmp/, and update the cert-chain from that file, for example:

root@(eng-3900A)(cfg-sync In Sync)(Standby)(/Common)(tmos)# modify sys file ssl-cert Cert-Chain_Browser_Serv.crt source-path file:/shared/tmp/Cert-Chain_Browser_Serv.crt_58761_1


480795 : [GTM] Move address from one HA redundant LTM to another could cause BIG-IP monitor fail

Solution Article: K40120584

Component: Global Traffic Manager (DNS)

Symptoms:
[GTM] Move address from one HA redundant LTM to another could cause BIG-IP monitor failure.

Conditions:
A BIG-IP redundant LTM server configuration with one address in the 'Address List' and another in the 'Peer Address List', where one of the addresses is moved from one list to the other.

Impact:
Only one of the redundant LTM systems gets probed. If the probed LTM is standby, it ignores the probe request. The available BIG-IP redundant LTM server is marked down; the monitor does not work, and all hosted virtual servers are marked down.

Workaround:
In the GUI, delete the address from either the "Address List" or "Peer Address List" and click "Update". Then add the address to the other field and click "Update".


473787-5 : System might fail to unchunk server response when compression is enabled

Component: Local Traffic Manager

Symptoms:
This issue occurs if a BIG-IP virtual server is configured with a compression profile and either:

- an NTLM profile
- an APM access policy

In that configuration, when a pool member sends a chunked (and uncompressed) HTTP response to the BIG-IP system (Transfer-Encoding: chunked) and the BIG-IP system compresses the payload, it does so without unchunking it.

This results in the BIG-IP system sending the client a malformed response that contains chunked encoding markers in the compressed content.

Conditions:
This issue occurs when the following conditions are met:
-- The NTLM and OneConnect profiles are applied to a virtual server. This can also be triggered when replacing the NTLM profile with an APM access policy configuration on the virtual server.
-- HTTP compression is enabled on the virtual server.

Impact:
HTTP responses to the client are malformed. When decompressed, the HTTP response payload incorrectly contains HTTP chunked encoding markers.

Workaround:
To work around this issue, you can either modify the type of response chunking or disable compression. For information on how to do so, see K14030: The BIG-IP system may fail to unchunk server responses when compression is enabled, available here: https://support.f5.com/csp/article/K14030.
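The malformed output this entry describes can be recognised in a captured response body. The following Python example is added here and is not F5 code. It assumes the response was gzip-compressed (Content-Encoding: gzip), decompresses the body, and reports whether the decompressed content still carries HTTP/1.1 chunk framing, which a correctly unchunked-then-compressed body never does. A small dechunk() routine also recovers the real payload from a bad response for diagnosis. The sample bodies are constructed, not captured traffic.

```python
import gzip
import re

# chunk-size line: hex size, optional ";extensions", CRLF (RFC 7230 section 4.1)
CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")


def dechunk(body):
    """Decode an HTTP/1.1 chunked body into its payload; ValueError if the framing is bad."""
    out, pos = bytearray(), 0
    while True:
        m = CHUNK_SIZE_LINE.match(body, pos)
        if not m:
            raise ValueError(f"bad chunk-size line at offset {pos}")
        size, pos = int(m.group(1), 16), m.end()
        if size == 0:
            return bytes(out)          # last-chunk reached; trailer section ignored here
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError(f"missing CRLF after chunk data at offset {pos}")
        pos += 2


def looks_chunked(payload):
    """True when the whole payload parses as a complete chunked body.

    This is a heuristic: plain content that happens to be well-formed chunk
    framing would also match, which is acceptable for a diagnostic."""
    try:
        dechunk(payload)
    except ValueError:
        return False
    return True


def analyze_gzip_response(body):
    """Classify a gzip-compressed response body.

    'ok'                  - decompresses to plain content
    'chunked-inside-gzip' - decompressed content still carries chunk framing,
                            the malformed output described in this entry"""
    plain = gzip.decompress(body)
    return "chunked-inside-gzip" if looks_chunked(plain) else "ok"


# Constructed samples (not captured traffic).
CHUNKED_SAMPLE = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
GOOD_RESPONSE = gzip.compress(b"hello world")   # unchunked first, then compressed
BAD_RESPONSE = gzip.compress(CHUNKED_SAMPLE)    # chunk markers compressed with the data

if __name__ == "__main__":
    print("good response:", analyze_gzip_response(GOOD_RESPONSE))
    print("bad response: ", analyze_gzip_response(BAD_RESPONSE))
    print("recovered payload:", dechunk(gzip.decompress(BAD_RESPONSE)))
```

Feed analyze_gzip_response() the raw body bytes extracted from a capture of the client side of the virtual server; a 'chunked-inside-gzip' verdict on a response from an affected virtual server is the signature of this issue, and the K14030 workarounds (change the response chunking type or disable compression) should make the verdict return to 'ok'.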


469366 : ConfigSync might fail with modified system-supplied profiles

Solution Article: K16237

Component: TMOS

Symptoms:
A config sync operation might fail with a parent-profile-not-found error message, despite the fact that the parent profile is present in the running configuration of both systems.

Conditions:
On the sync target (the system receiving the configuration, and the one that reports a sync failure), a system-supplied profile (e.g. /Common/serverssl) has been modified, and is present in /config/bigip.conf.

Impact:
An administrator is unable to synchronize system configurations. The system might post messages similar to the following example: '01020036:3: The requested parent profile (/Common/serverssl) was not found.'

Workaround:
One of the following:
1. Manually replicate the changes on the base profile to the system that is sourcing the config sync.
2. Undo the changes to the base profile on the system that is receiving the config sync (to do so, save the configuration, manually remove the base profile from /config/bigip.conf, and then re-load the configuration), and then perform a force sync operation.
3. Perform a sync in the other direction.
Important: Performing a sync in this direction overrides any unsync'd changes on the other system.


467321 : Running Response Analytics for SSL Bypass traffic allows connection and does not have URL Request Log information

Component: Access Policy Manager

Symptoms:
The SWG report (Access Policy ›› Event Logs : URL Request Logs) does not show logs for an HTTPS site in SSL bypass mode when a Response Analytics agent is present in the per-request policy.

Conditions:
SWG Explicit
Per-request policy:
Start -> Protocol Lookup (HTTPS) -> Category Lookup (SNI) -> SSL Bypass Set -> Response Analytics -> Allow

Impact:
The admin is not aware of the SSL Bypass traffic being processed, as no log information is available in URL Request Logs.

Workaround:
None.


459251-1 : Ramcache causes failed transactions.

Component: Local Traffic Manager

Symptoms:
In a keep alive transaction, the second or later request is not responded to, and the TCP connection is aborted.

Conditions:
The OWS closes a keep-alive connection when it should not, which implies a possible web server defect.

Impact:
Keep alive connections will not work consistently.

Workaround:
An iRule that rewrites the Connection header on HTTP/1.1 transactions may mitigate this, but at the cost of requiring a separate connection per requested object.

If the web server error is intermittent, it may be more efficient to allow for the occasional retry.


455525 : When creating users, their role and partition information are normally expected.

Component: TMOS

Symptoms:
If for some reason the role and partition information is not present, there are two cases in which this might occur:

When the user's role and partition information is not provided, by default the no-access role and all partitions are assumed.

If the user's role and partition are explicitly deleted, this is also allowed with no further error message. This is potentially useful in cases where you want to preserve the user data, such as the password, for later re-activation of the user.

In both cases, the user cannot log in successfully due to the lack of the necessary role-partition information.

Conditions:
User's role and partition information is missing or removed.

Impact:
The user with missing role and partition information is prohibited from login.

Workaround:
None.


441195 : UCS archive restore causes file duplication in filestore

Component: TMOS

Symptoms:
UCS archive restoration process duplicates files if there is already an existing file with same version. This causes UCS archives to increase in size during subsequent archive / restoration process.

Conditions:
Here is an example of how this might occur:
1.) Start with two APM-configured devices (unit A, unit B) with the same software version and same EPSEC version.
2.) Create a UCS on unit A, and restore that UCS to unit B.
3.) The system duplicates the EPSEC version from unit B.

Impact:
UCS created is larger by the size of the duplicated file (in the example, the UCS is approximately 30 MB larger because it contains two copies of EPSEC).

Workaround:
This issue has no workaround at this time.


440924 : Upgrade from some versions to 11.6.0 can fail with APM rewrite profile

Component: Access Policy Manager

Symptoms:
Configuration will not load. BIG-IP system is nonfunctional after upgrade to 11.6.0.

Log message:
Configuration error: cannot attach profile (/Common/rewriteplugin) to virtual server (/Common/apm_virtual_server)

Conditions:
This happens on upgrade from 11.4.1 to 11.6.0.

Impact:
As a result, the site is down after upgrade.

Workaround:
To work around the problem, manually edit bigip.conf to remove:
/Common/rewriteplugin { }

from the Virtual Server configuration stanza.


440713 : TMSH incorrectly shows the 'Expires' date for ramcache profile on server content with an expiry date greater than or equal to year 2038.

Component: TMOS

Symptoms:
The command "tmsh show ltm profile ramcache" shows an incorrect 'Expires' date for content whose correct expiry date is after the year 2038.

Conditions:
A virtual server is configured with the ramcache profile, and content requested from the server carries an expiry date in or after the year 2038.

Impact:
When you run 'tmsh ltm profile ramcache', the Expires date is incorrect. There is no operational impact.


437768 : Issues using bigip1 as a device name, 'Can't save/checkpoint DB object' message

Component: TMOS

Symptoms:
Using 'bigip1' as a device name results in various unexpected behaviors. For example, when configuring high availability (HA), you might see the following error message:
-- 01070710:3: Can't save/checkpoint DB object, class:devicegroup_device status:13 - EdbCfgObj.cpp, line 127. Unexpected Error: Loading configuration process failed.

Conditions:
-- Configuring HA.
-- Using 'bigip1' as the device name.

Impact:
Various unexpected behaviors, including that the system posts an error similar to the following: 01070710:3: Can't save/checkpoint DB object, class:devicegroup_device status:13 - EdbCfgObj.cpp, line 127. Unexpected Error: Loading configuration process failed.

Workaround:
Before configuring high availability, set the device name to something other than 'bigip1'. Otherwise, the configuration will not work as expected.

The BIG-IP system reserves 'bigip1' as the factory default device name. Do not use 'bigip1' for device names in your configuration.


435646 : CGNAT: iRules invoking LSN::pool for an lsn_pool that is not connected to a virtual server will not be able to use inbound connections

Solution Article: K16115

Component: Carrier-Grade NAT

Symptoms:
lsn-pool inbound setting does not work when not associated with a virtual server.

Conditions:
An lsn-pool with inbound or hairpinning enabled that is not associated with a virtual server but is assigned by an iRule.

Impact:
Inbound and hairpinning are not enabled for subscribers using that lsn-pool when it is assigned via an iRule.

Workaround:
Create a virtual server for each lsn-pool.


425018 : Loading a SCF after modifying self IP may cause route in Linux kernel to be dropped

Component: Local Traffic Manager

Symptoms:
Loading a SCF after modifying self IP may cause route in Linux kernel to be dropped. Linux host applications may not be able to connect when they are expected to.

Conditions:
Create a config with a self IP on a VLAN and a default gateway route on that VLAN, save a SCF file, then modify the self IP in that SCF file and then load the SCF.

Impact:
Linux kernel default gateway route is dropped and host applications looking for the route may not be able to connect.

Workaround:
Reset the config to default before loading the modified SCF:
1. tmsh load sys default
2. tmsh load sys scf SCF_filename
For more information, see SOL14572: Routes configured in a single configuration file may be missing from the Linux kernel route table after loading the single configuration file, available here: http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14572.


424592 : Request logging not logging pool name with APM

Solution Article: K71220204

Component: Access Policy Manager

Symptoms:
Pool name is not being logged when access profile is attached to the virtual.

Conditions:
1. Create a pool for syslog server called "syslog-pool"

2. Create a request logging profile like the following:

ltm profile request-log reqlog-pool {
    app-service none
    defaults-from request-log
    response-log-pool syslog-pool
    response-log-template "Path is $HTTP_PATH, Pool is $VIRTUAL_POOL_NAME"
    response-logging enabled
}

3. Attach it to an HTTP virtual server with a valid default pool.

4. Send some requests and observe the path and pool are logged.

5. Create an access profile. Edit access policy to be "Start -> Allow".

6. Attach it to the virtual server.

Impact:
Pool name is not being logged most of the time.

Workaround:
This issue has no workaround at this time.


423161 : Network Access related log messages logged after VPN tunnel is closed

Component: Access Policy Manager

Symptoms:
When a Network Access session and an APM session are closed simultaneously, one of these logs is written at the NOTICE level:
apm logs: "VPN Cleanup: failed to release IPv4 ERR_ARG"
tmm logs: "address <p> in leasepool <lease pool> is unassigned - can't release"

Conditions:
This happens when a Network Access resource and a Network Access webtop are assigned using the Advanced Resource Assign action, and the Network Access session is closed.

Impact:
These are logged at the notice level, and can be safely ignored.

Workaround:
N/A


422822 : Error logged by SSOv2 plugin when unholding request done event

Component: Access Policy Manager

Symptoms:
Errors are logged by SSOv2 plugin while processing traffic:

err tmm2[29966]: 01490514:3: 00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: access_extract_uri, Line: 12335
err tmm2[29966]: 01490514:3: 00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: access_block_irule_events_for_uri, Line: 15888
err tmm2: 014d0002:3: SSOv2 plugin error(-1) in sso/sso.c:1018

Conditions:
This can be encountered during normal operation while SSO is configured.

Impact:
Errors are logged erroneously; this does not impact request processing.

Workaround:
No Workaround


418924 : Too many iso images in /shared/images causes swap

Component: TMOS

Symptoms:
Secondary blades in a cluster go into swap when there are too many iso images in /shared/images.

Conditions:
Too many iso images in /shared/images.

Impact:
Secondary blades are slow.

Workaround:
Use tmsh or the GUI to delete as many iso images from /shared/images as feasible.


418812 : Deploying large firewall policy configuration changes can exhaust available memory on the BIG-IP device.

Component: Advanced Firewall Manager

Symptoms:
Processing large configuration changes on an under-provisioned or overly-utilized BIG-IP device could result in memory and resource exhaustion. Errors will be reported on the BIG-IP device logs if this condition occurs.

Conditions:
This occurs while BIG-IP is deploying large firewall policy configuration changes.

Impact:
If resources are exhausted, users could experience traffic interruption on the BIG-IP device.

Workaround:
Check the memory and the performance of the BIG-IP system prior to deploying any large configuration change sets. This will help alleviate any performance or resource exhaustion issues that could occur when processing large configuration changes on a heavily-loaded BIG-IP device.


404659 : State mirroring within eight-blade VIPRION 4800 chassis

Component: Local Traffic Manager

Symptoms:
State mirroring within the eight-blade VIPRION 4800 chassis is not supported for this release. To work around this, mirror between two separate chassis.

Conditions:
State mirroring within eight-blade VIPRION 4800 chassis

Impact:
Although this is not supported, you might see intermittent successful mirroring attempts when configured.

Workaround:
Mirror between two separate chassis.


399696 : "WEBSSO::select" cannot use SSOv2 configuration objects

Component: Access Policy Manager

Symptoms:
Selecting an SSO configuration with WEBSSO::select does not work for form-based client-initiated and SAML SSO configurations.

Conditions:
An iRule that uses WEBSSO::select.

Impact:
iRule validation error that might look like the following:

01070151:3: Rule [/Common/test_sso] error: Unable to find sso_config (test) referenced at line 4: [WEBSSO::select test]

Workaround:
To work around the problem, use a variable to assign the configuration object name:

set sso_config /Common/SAML-config
WEBSSO::select $sso_config
unset sso_config


383641 : Cannot use ssldump to decrypt SSL traffic protected by netHSM key

Component: Local Traffic Manager

Symptoms:
If the captured traffic is protected by netHSM, it cannot be decrypted, even with access to the netHSM key.

Conditions:
SSL traffic protected by netHSM keys.

Impact:
Cannot decrypt the netHSM key-protected SSL traffic using ssldump.

Workaround:
None.


378967 : Users are not synchronized if created in a partition

Component: TMOS

Symptoms:
Users in partitions attached to sync-only device groups do not sync to other devices in that device group.

Conditions:
There are users whose active partitions are attached to a sync-only device group.

Impact:
This affects sync-only device groups only, not the failover device group.

Workaround:
None.


375997 : mysqld incorrectly classifies the lost+found directory as a database location resulting in benign errors in the mysql log.

Component: Application Visibility and Reporting

Symptoms:
mysqld incorrectly classifies the lost+found directory as a database location resulting in benign errors in the mysql log.
[ERROR] Invalid (old?) table or database name 'lost+found'
120104 7:12:52 [ERROR] /usr/sbin/mysqld: Can't find file:
'./lost+found/AVR_STAT_CLIENT_IP_T.frm' (errno: 13)

Conditions:
This occurs in all versions of BIG-IP running MySQL, including all of 11.x and 12.x.

Impact:
None. The error is benign.


366060 : FTP mirroring fails when landing on tmm0

Component: Local Traffic Manager

Symptoms:
There is an issue that is rarely encountered in FTP mirroring.

Conditions:
FTP mirroring occasionally fails when connections come from tmm0.

Impact:
When it does fail, the idle timer on the standby is not updated and the connection is reaped in the 30-50 second range.

Workaround:
None.


364717 : Persist records deleted when non-existing node-port is specified

Component: TMOS

Symptoms:
There is an issue when using the node-port option with the delete command for persistence persist-records.

Conditions:
This occurs when using the delete command to delete persistence records on a nonexistent port.

Impact:
The system deletes all the persist table entries irrespective of the port specified. In addition, the show command with nonexistent port displays all the entries irrespective of the port specified.

Workaround:
None, except to ensure that the port exists before deleting the persist table entries.


352865 : Firefox 4 beta crashes or displays a warning, Unresponsive script for cache-fm.js.

Component: Access Policy Manager

Symptoms:
Firefox 4 beta crashes or displays a warning, Unresponsive script for cache-fm.js. This happens after you navigate to a web application through reverse proxy from a Windows client and then log in.

Conditions:
If the user tries to navigate to (log in to) some sites (e.g. OSA2010, DWA8.5, SharePoint2010), the browser crashes or an "Unresponsive script" warning appears for "cache-fm.js".

Impact:
Browser crash.

Workaround:
There is no workaround at this time.


351360 : Network Access flows can go to wrong route domain

Component: Access Policy Manager

Symptoms:
Sometimes when assigning different route domains to Network Access clients connecting to the same virtual server or using the same connectivity profile, traffic from the client can go out into the network associated with the wrong route domain. This could happen when two clients are assigned the same IP address (from different lease pools containing the same address ranges) and different route domains and try to access the same IP address on the internal network using the same TCP/IP protocol.

Conditions:
- Both source and destination IP addresses are the same.
- The IP protocol is the same (i.e., ICMP, TCP, or UDP).
- For TCP/UDP, both source and destination ports are the same.
- For ICMP, the message type and ID are the same.
- The Connection.VlanKeyed option is enabled (which is the default).
- Both clients use the same connectivity profile.

Impact:
Client connection can be directed to the wrong network.

Workaround:
To work around this problem, when sharing IP address ranges among route domains, use separate virtual servers for each route domain, with different connectivity profiles.


307037 : Dynamic Resources Are Assigned But Not Accessible

Component: Access Policy Manager

Symptoms:
Resources appear assigned in session record but are not accessible by the client.

Conditions:
This issue occurs if the resources are assigned via Variable Assign agent.

Impact:
Resources are unavailable to client.

Workaround:
In the VPE, add a branch with a Resource Assign agent that will never be reached. With that Resource Assign agent, assign all the resources that are referenced by the Variable Assign agent.


238556 : The BIG-IP APM network access tunnel does not use a floating IP address

Solution Article: K13782

Component: Access Policy Manager

Symptoms:
AAA types for SecurID and RADIUS in APM will not source packets from the floating IP address for the traffic group. Because the RSA authentication server is sensitive to the incoming IP address of the authentication packets, an extra virtual server is required to SNAT the authentication requests to the correct (floating) address so that the same source IP will be used by both members of an HA pair.

Conditions:
You see this when you use RADIUS AAA or RSA AAA in an APM access policy.

Impact:
Authentication will fail because RSA expects the source IP address to be specific, and will not tolerate changes for HA failover.

Workaround:
To work around the problem, create an extra virtual server with a specific SNAT so that the floating IP is used for the authentication requests.


222220-4 : Distributed application statistics

Component: Global Traffic Manager (DNS)

Symptoms:
Distributed application statistics shows only requests passed to its first wide IP.

Conditions:
Using Distributed application statistics and multiple wide-IP-members.

Impact:
The system does not include statistics for requests passed to other wide-IP-members of the distributed application.

Workaround:
None.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


Generated: Thu Dec 6 14:31:27 2018 PST
Copyright F5 Networks (2018) - All Rights Reserved