Supplemental Document : BIG-IP 14.1.2.3 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 14.1.2

BIG-IP APM

  • 14.1.2

BIG-IP Analytics

  • 14.1.2

BIG-IP Link Controller

  • 14.1.2

BIG-IP LTM

  • 14.1.2

BIG-IP PEM

  • 14.1.2

BIG-IP AFM

  • 14.1.2

BIG-IP FPS

  • 14.1.2

BIG-IP DNS

  • 14.1.2

BIG-IP ASM

  • 14.1.2
Updated Date: 01/23/2020

BIG-IP Release Information

Version: 14.1.2.3
Build: 5.0

Cumulative fixes from BIG-IP v14.1.2.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release
Known Issues in BIG-IP v14.1.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
749324-1 CVE-2012-6708 K62532311 jQuery Vulnerability: CVE-2012-6708


Functional Change Fixes

ID Number Severity Solution Article(s) Description
782529-2 2-Critical   iRules does not follow current design best practices
769193-5 3-Major   Added support for faster congestion window increase in slow-start for stretch ACKs
760234-1 4-Minor   Configuring Advanced shell for Resource Administrator User has no effect


TMOS Fixes

ID Number Severity Solution Article(s) Description
806093-1 2-Critical   Unwanted LDAP referrals slow or prevent administrative login
789169-2 2-Critical   Unable to create virtual servers with port-lists from the GUI
780817-5 2-Critical   TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
762385 2-Critical   Wrong remote-role assigned using LDAP authentication after upgrade to 14.1.x and later
762205-2 2-Critical   IKEv2 rekey fails to recognize VENDOR_ID payload when it appears
757357-3 2-Critical   TMM may crash while processing traffic
846157-3 3-Major   TMM may crash while processing traffic on AWS
817917-1 3-Major   TMM may crash when sending TCP packets
809205 3-Major   CVE-2019-3855: libssh2 Vulnerability
794501-2 3-Major   Duplicate if_indexes and OIDs between interfaces and tunnels
785741-1 3-Major   Unable to login using LDAP with 'user-template' configuration
778125-1 3-Major   LDAP remote authentication passwords are limited to fewer than 64 bytes
761144-4 3-Major   Broadcast frames may be dropped
760439-4 3-Major   After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
759654-1 3-Major   LDAP remote authentication with remote roles and user-template failing
759499-2 3-Major   Upgrade from version 12.1.3.7 to version 14.1.0 failing with error
758781-3 3-Major   iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates
758527-2 3-Major   BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
757519-1 3-Major   Unable to login using LDAP authentication with a user-template
756450-1 3-Major   Traffic using route entry that's more specific than existing blackhole route can cause core
754691-1 3-Major   During failover, an OSPF routing daemon may crash.
750318-3 3-Major   HTTPS monitor does not appear to be using cert from server-ssl profile
746266-3 3-Major   Vcmp guest vlan mac mismatch across blades.
738943-3 3-Major   imish command hangs when ospfd is enabled
738236-7 3-Major   UCS does not follow current best practices
789893-2 4-Minor   SCP file transfer hardening


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
816273-2 1-Blocking   L7 Policies may execute CONTAINS operands incorrectly.
826601-5 2-Critical   Prevent receive window shrinkage for looped flows that use a SYN cookie
816625-1 2-Critical   The TMM may crash in a rare scenario involving HTTP unchunking, and plugins.
808301-2 2-Critical   TMM may crash while processing IP traffic
800369-2 2-Critical   The fix for ID 770797 may cause a TMM crash
800305-2 2-Critical   VDI::cmp_redirect generates flow with random client port
791057-1 2-Critical   MCP may crash when traffic matching criteria is updated
770797-1 2-Critical   HTTP2 streams may get stuck in rare situations
836661 3-Major   Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet.
834373-3 3-Major   Possible handshake failure with TLS 1.3 early data
830797-2 3-Major   Standby high availability (HA) device passes traffic through virtual wire
818429-4 3-Major   TMM may crash while processing HTTP traffic
815449-2 3-Major   BIG-IP closes connection when an unsized response is served to a HEAD request
797977-1 3-Major   Self-IP traffic does not preserve the TTL from the Linux host
772545-3 3-Major   Tmm core in SSLO environment
765517-1 3-Major   Traffic Match Criteria validation fails when create Virtual server with address list with overlapping address space but a different ingress VLAN
761185-2 3-Major K50375550 Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic
761112-3 3-Major   TMM may consume excessive resources when processing FastL4 traffic
760771-1 3-Major   FastL4-steered traffic might cause SSL resume handshake delay
758992-2 3-Major   The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address
758872-3 3-Major   TMM memory leak
758655-1 3-Major   TMC does not allow inline addresses with non-zero Route-domain.
753514-3 3-Major   Large configurations containing LTM Policies load slowly
749689-2 3-Major   HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart
726176-2 3-Major   Platforms using RSS and xor_fold DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
712919-2 3-Major   Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server.
824365-3 4-Minor   Need informative messages for HTTP iRule runtime validation errors
806085-2 4-Minor   In-TMM MQTT monitor is not working as expected
769309-2 4-Minor   DB monitor reconnects to server on every probe when count = 0
754003-3 4-Minor K73202036 Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate
747628-1 4-Minor   BIG-IP sends spurious ICMP PMTU message to server
744210-2 4-Minor   DHCPv6 does not have the ability to override the hop limit from the client.


Performance Fixes

ID Number Severity Solution Article(s) Description
776133-1 2-Critical   RSS hash is not used on VE resulting in performance impact on non-SR-IOV devices


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
761032-2 3-Major   TMSH displays TSIG keys
760471-3 3-Major   GTM iQuery connections may be reset during SSL key renegotiation.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
813945-3 2-Critical   PB core dump while processing many entities
813389-1 2-Critical   TMM Crashes upon failure in Bot Defense Client-Side code
791669 2-Critical   TMM might crash when Bot Defense is configured for multiple domains
790349-2 2-Critical   merged crash with a core file
756108-1 2-Critical   BD crash on specific cases
754109-1 2-Critical   ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive
832857 3-Major   Support ID on AJAX CAPTCHA popup (SPA) does not match the Support ID in log
832205 3-Major   ASU cannot be completed after Signature Systems database corruption following binary Policy import
831661-2 3-Major   ASMConfig Handler undergoes frequent restarts
824101-1 3-Major   Request Log export file is not visible for requests including binary data
824037-2 3-Major   Bot Defense whitelists do not apply for IP 'Any' when using route domains
812341-2 3-Major   Patch or Delete commands take a long time to complete when modifying an ASM signature set.
805353-1 3-Major   ASM reporting for WebSocket frames has empty username field
800453-3 3-Major   False positive virus violations
793017-1 3-Major   Files left behind by failed Attack Signature updates are not cleaned
786913-2 3-Major   Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7
783513-2 3-Major   ASU is very slow on device with hundreds of policies due to logging profile handling
781021-2 3-Major   ASM modifies cookie header causing it to be non-compliant with RFC6265
778681-2 3-Major   Factory-included Bot Signature update file cannot be installed without subscription
754841-1 3-Major   Policy updates stall and never complete
754425-1 3-Major   Exported requests cannot be opened in Internet Explorer or Edge browser
734228 3-Major   False-positive illegal-length violation can appear
725551-2 3-Major   ASM may consume excessive resources
795769-3 4-Minor   Incorrect value of Systems in system-supplied signature sets
789817-1 4-Minor   In rare conditions info fly-out not shown
760462-1 4-Minor   Live update notification is shown only for provisioned/licensed modules
758459-1 4-Minor   Cross origin AJAX requests are blocked Cross-Origin Resource Sharing (CORS) protection
620301-1 4-Minor   Policy import fails due to missing signature System in associated Signature Set


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
833113-3 3-Major   Avrd core when sending large messages via https
787677-3 3-Major   AVRD stays at 100% CPU constantly on some systems
781581-3 3-Major   Monpd uses excessive memory on requests for network_log data


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
757782-1 2-Critical   OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default
825805-1 3-Major   NTLM Auth may fail due to incorrect handling of EPM response
766577-2 3-Major   APMD fails to send response to client and it already closed connection.
756363-1 3-Major   SSLO or SWG connections using proxy chaining to Explicit Proxy can get reset
741222-2 3-Major   Install epsec1.0.0 into software partition.
643935-4 3-Major   Rewriting may cause an infinite loop while processing some objects


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
833213-3 3-Major   Conditional requests are served incorrectly with AAM policy in webacceleration profile


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
761345-3 3-Major   Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode
802865-1 3-Major   The iControl REST query request returning empty list for DoS Protected Objects


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
821133-2 3-Major   Wrong wildcard URL matching when none of the configured URLS include QS


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
748813-3 2-Critical   tmm cores under stress test on virtual server with DoS profile with admd enabled
767045-2 3-Major   TMM cores while applying policy


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
787845 4-Minor   Tmsh command 'show running-config' fails when Protocol Inspection is not licensed.



Cumulative fixes from BIG-IP v14.1.2.2 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
815689-3 3-Major   Azure walinuxagent has been updated to v2.2.42.



Cumulative fixes from BIG-IP v14.1.2.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
795197-1 CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 K26618426 Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
771873-5 CVE-2019-6642 K40378764 TMSH Hardening
767653-1 CVE-2019-6660 K23860356 Malformed HTTP request can result in endless loop in an iRule script
636400-3 CVE-2019-6665 K26462555 CPB (BIGIP->BIGIQ log node) Hardening
810657-2 CVE-2019-6674 K21135478 Tmm core while using service chaining for SSLO
795797-2 CVE-2019-6658 K21121741 AFM WebUI Hardening
788773-2 CVE-2019-9515 K50233772 HTTP/2 Vulnerability: CVE-2019-9515
788769-2 CVE-2019-9514 K01988340 HTTP/2 Vulnerability: CVE-2019-9514
781449-2 CVE-2019-6672 K14703097 Increase efficiency of sPVA DoS protection on wildcard virtual servers
777737-3 CVE-2019-6671 K39225055 TMM may consume excessive resources when processing IP traffic
773673-2 CVE-2019-9512 K98053339 HTTP/2 Vulnerability: CVE-2019-9512
768981-2 CVE-2019-6670 K05765031 vCMP Hypervisor Hardening
761014-2 CVE-2019-6669 K11447758 TMM may crash while processing local traffic
758018-5 CVE-2019-6661 K61705126 APD/APMD may consume excessive resources
756458-3 CVE-2018-18559 K28241423 Linux kernel vulnerability: CVE-2018-18559
756218-1 CVE-2019-6654 K45644893 Improve default management port firewall
751152-1 CVE-2018-5407 K49711130 OpenSSL Vulnerability: CVE-2018-5407
751143-1 CVE-2018-5407 K49711130 OpenSSL Vulnerability: CVE-2018-5407
745103-6 CVE-2018-7159 K27228191 NodeJS Vulnerability: CVE-2018-7159
798249-2 CVE-2019-6673 K81557381 TMM may crash while processing HTTP/2 requests
759536-2 CVE-2019-8912 K31739796 Linux kernel vulnerability: CVE-2019-8912
757617-1 CVE-2018-16864
CVE-2018-16865
CVE-2018-16866
K30683410 Systemd vulnerabilities: CVE-2018-16864, CVE-2018-16865, CVE-2018-16866


Functional Change Fixes

ID Number Severity Solution Article(s) Description
759135-2 3-Major   AVR report limits are locked at 1000 transactions
714292-3 3-Major   Transparent forwarding mode across multiple VLAN groups or virtual-wire
788269-3 4-Minor   Adding toggle to disable AVR widgets on device-groups


TMOS Fixes

ID Number Severity Solution Article(s) Description
793045-2 2-Critical   File descriptor leak in net-snmpd while reading /shared/db/cluster.conf
788033 2-Critical   tpm-status may return "Invalid" after engineering hotfix installation
781377-2 2-Critical   tmrouted may crash while processing Multicast Forwarding Cache messages
770953 2-Critical   'smbclient' executable does not work
767877-3 2-Critical   TMM core with Bandwidth Control on flows egressing on a VLAN group
765533-2 2-Critical K58243048 Sensitive information logged when DEBUG logging enabled
760475-1 2-Critical   Apache spawns more processes than the configured limit, causing system low memory condition
755575-1 2-Critical   In MOS, the 'image2disk' utility with the '-format' option does not function properly
726240-1 2-Critical   'Cannot find disk information' message when running Configuration Utility
788557-5 3-Major   BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior
788301-5 3-Major K58243048 SNMPv3 Hardening
777261-4 3-Major   When SNMP cannot locate a file it logs messages repeatedly
766873 3-Major   Omission of lower-layer types from sFlow packet samples
761993-2 3-Major   The nsm process may crash if it detects a nexthop mismatch
761933-1 3-Major   Reboot with 'tmsh reboot' does not log message in /var/log/audit
761160-2 3-Major   OpenSSL vulnerability: CVE-2019-1559
760998-1 3-Major   F5.ip_forwarding iAPP fails to deploy
759814-1 3-Major   Unable to view iApp component view
758119-6 3-Major K58243048 qkview may contain sensitive information
747592-1 3-Major   PHP vulnerability CVE-2018-17082
724109-2 3-Major   Manual config-sync fails after pool with FQDN pool members is deleted
648621-6 3-Major   SCTP: Multihome connections may not expire
776073-1 4-Minor   OOM killer killing tmmin system low memory condition as process OOM score is high
760680-1 4-Minor   TMSH may utilize 100% CPU (single core worth) when set to be a process group leader and SSH session is closed.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
759968-3 1-Blocking   Distinct vCMP guests are able to cluster with each other.
809165-2 2-Critical   TMM may crash will processing connector traffic
803845-2 2-Critical   When in HA, the Standby device is forwarding traffic causing a loop and subsequent network shutdown
787825-2 2-Critical K58243048 Database monitors debug logs have plaintext password printed in the log file
778077-3 2-Critical   Virtual to virtual chain can cause TMM to crash
774913-1 2-Critical   IP-based bypass can fail if SSL ClientHello is not accepted
760078-1 2-Critical   Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet.
758714-1 2-Critical   Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports.
757578-2 2-Critical   RAM cache is not compatible with verify-accept
757441-4 2-Critical   Specific sequence of packets causes Fast Open to be effectively disabled
755585-1 2-Critical   mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction
747858-2 2-Critical   OSPF packets are duplicated in the BIG-IP in L2 transparent mode using virtual wires
746710-1 2-Critical   Use of HTTP::cookie after HTTP:disable causes TMM core
737985-2 2-Critical   BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode.
734551-3 2-Critical   L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server
801497-2 3-Major   Virtual wire with LACP pinning to one link in trunk.
798105-1 3-Major   Node Connection Limit Not Honored
795437-4 3-Major   Improve handling of TCP traffic for iRules
794581 3-Major   Transfer might stall for an object served from WAM cache
788325-2 3-Major K39794285 Header continuation rule is applied to request/response line
787433-3 3-Major   SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed
784713-3 3-Major   When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct
773821-1 3-Major   Certain plaintext traffic may cause SSLO to hang
773421-1 3-Major   Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
769801-1 3-Major   Internal tmm UDP filter does not set checksum
761385-1 3-Major   Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire.
761381-1 3-Major   Incorrect MAC Address observed in L2 asymmetric virtual wire
754525-1 3-Major   Disabled virtual server accepts and serves traffic after restart
748891-2 3-Major   Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system.
742237-4 3-Major   CPU spikes appear wider than actual in graphs
719300-3 3-Major   ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address
689361-4 3-Major   Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)
751586 4-Minor   http2 virtual does not honour translate-address disabled
747585-3 4-Minor   TCP Analytics supports ANY protocol number


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
783849-2 3-Major   DNSSEC Key Generations are not imported to secondary FIPS card


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
781637-2 3-Major   ASM brute force counts unnecessary failed logins for NTLM
781605-3 3-Major   Fix RFC issue with the multipart parser
781069-2 3-Major   Bot Defense challenge blocks requests with long Referer headers
773553-2 3-Major   ASM JSON parser false positive.
769997-1 3-Major   ASM removes double quotation characters on cookies
769981-2 3-Major   bd crashes in a specific scenario
764373-3 3-Major   'Modified domain cookie' violation with multiple enforced domain cookies with different paths
753711-1 3-Major   Copied policy does not retain signature staging
751710-4 3-Major   False positive cookie hijacking violation
746394-1 3-Major   With ASM CORS set to 'Disabled' it strips all CORS headers in response.
745802-1 3-Major   Brute Force CAPTCHA response page truncates last digit in the support id
727107-4 3-Major   Request Logs are not stored locally due to shmem pipe blockage
803445-3 4-Minor   When adding several mitigation exceptions, the previously configured actions revert to the default action
772473-3 4-Minor   Request reconstruct issue after challenge
761088-1 4-Minor   Remove policy editing restriction in the GUI while auto-detect language is set
695878-2 4-Minor   Signature enforcement issue on specific requests


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
761749-2 2-Critical   Security pages unavailable after switching RT mode on off few times
797785-2 3-Major   AVR reports no ASM-Anomalies data.
792265-3 3-Major   Traffic logs does not include the BIG-IQ tags
773925-2 3-Major   Sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB tables files
765785-3 3-Major   Monpd core upon "bigstart stop monpd" while Real Time reporting is running


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
811145-2 2-Critical   VMware View resources with SAML SSO are not working
797541-1 2-Critical K05115516 NTLM Auth may fail when user's information contains SIDS array
784989-2 2-Critical   TMM may crash with panic message: Assertion 'cookie name exists' failed
779177-2 2-Critical   Apmd logs "client-session-id" when access-policy debug log level is enabled
777173-2 2-Critical   Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error
821369 3-Major   Incomplete Action 'Deny' does not take effect for HTTP-Connect
788417-2 3-Major   Remote Desktop client on macOS may show resource auth token on credentials prompt
787477-2 3-Major   Export fails from partitions with '-' as second character
786173-1 3-Major   UI becomes unresponsive when accessing Access active session information
783817-2 3-Major   UI becomes unresponsive when accessing Access active session information
782569-1 3-Major   SWG limited session limits on SSLO deployments
775621-2 3-Major   urldb memory grows past the expected ~3.5GB
769853-2 3-Major K24241590 Access Profile option to restrict connections from a single client IP is not honored for native RDP resources
756777-1 3-Major   VDI plugin might crash on process shutdown during RDG connections handling
750823-1 3-Major   Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
749161-2 3-Major   Problem sync policy contains non-ASCII characters
746768-4 3-Major   APMD leaks memory if access policy policy contains variable/resource assign policy items
697590-2 3-Major   APM iRule ACCESS::session remove fails outside of Access events
781445-1 4-Minor   named or dnscached cannot bind to IPv6 address
759579-1 4-Minor   Full Webtop: 'URL Entry' field is available again
756019-1 4-Minor   OAuth JWT Issuer claim requires URI format


Service Provider Fixes

ID Number Severity Solution Article(s) Description
808525-2 2-Critical   TMM may crash while processing Diameter traffic
811745-2 3-Major   Failover between clustered DIAMETER devices can cause mirror connections to be disconnected
804313-2 3-Major   MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.
761685-3 3-Major   Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set
750431-1 3-Major   Persistence record is deleted in MRF SIP after updating timeout value with the iRule 'SIP::persist timeout'
748253-1 3-Major   Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
786565-2 4-Minor   MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
800209-1 3-Major   The tmsh recursive list command includes DDoS GUI-specific data info
780837-1 3-Major   Firewall rule list configuration causes config load failure
761234-2 3-Major   Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached
760355 4-Minor   Firewall rule to block ICMP/DHCP from 'required' to 'default'


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
760438-3 3-Major   PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions
759192-3 3-Major   TMM core during display of PEM session under some specific conditions
756311-4 3-Major   High CPU during erroneous deletion
753163-4 3-Major   PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
804185-2 3-Major   Some WebSafe request signatures may not work as expected
783565-2 3-Major   Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP
775013-2 3-Major   TIME EXCEEDED alert has insufficient data for analysis


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
803477-2 3-Major   BaDoS State file load failure when signature protection is off



Cumulative fixes from BIG-IP v14.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
773649-6 CVE-2019-6656 K23876153 APM Client Logging


Functional Change Fixes

ID Number Severity Solution Article(s) Description
771705-1 3-Major   You may not be able to log into BIG-IP Cloud Edition if FSCK fails
754875-1 3-Major   Enable FIPS in prelicensed VE images without requiring a reboot


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
753485-1 2-Critical   AVR global settings are being overridden by HA peers


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
757306-3 3-Major   SNMP MIBS for AFM NAT do not yet exist


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
794285 1-Blocking   BIG-IQ reading AFM configuration fails with status 400



Cumulative fixes from BIG-IP v14.1.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
807477-10 CVE-2019-6650 K04280042 ConfigSync Hardening
797885-2 CVE-2019-6649 K05123525 ConfigSync Hardening
796469-6 CVE-2019-6649 K05123525 ConfigSync Hardening
810557-8 CVE-2019-6649 K05123525 ASM ConfigSync Hardening
809377-6 CVE-2019-6649 K05123525 AFM ConfigSync Hardening
799617-2 CVE-2019-6649 K05123525 ConfigSync Hardening
799589-2 CVE-2019-6649 K05123525 ConfigSync Hardening
794389-6 CVE-2019-6651 K89509323 iControl REST endpoint response inconsistency
794413-2 CVE-2019-6471 K10092301 BIND vulnerability CVE-2019-6471
793937-1 CVE-2019-6664 K03126093 Management Port Hardening


Functional Change Fixes

ID Number Severity Solution Article(s) Description
744937-8 3-Major K00724442 BIG-IP DNS and GTM DNSSEC security exposure


TMOS Fixes

ID Number Severity Solution Article(s) Description
798949-3 3-Major   Config-Sync fails when Config-Sync IP configured to management IP
760622-3 3-Major   Allow Device Certificate renewal from BIG-IP Configuration Utility
760363-1 3-Major   Update Alias Address field with default placeholder text


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
811333-2 3-Major   Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile



Cumulative fixes from BIG-IP v14.1.0.6 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
769361-2 CVE-2019-6630 K33444350 TMM may crash while processing SSLO traffic
767401-1 CVE-2019-6629 K95434410 TMM may crash while processing TLS traffic
759343-6 CVE-2019-6668 K49827114 MacOS Edge Client installer does not follow best security practices
758909-1 CVE-2019-6628 K04730051 TMM may crash will processing PEM traffic
758065-4 CVE-2019-6667 K82781208 TMM may consume excessive resources while processing FIX traffic
757084-2 CVE-2019-6627 K00432398 Bypassing SSL interception in SSL Orchestrator may crash TMM if virtual server is SNAT enabled
757023-2 CVE-2018-5743 K74009656 BIND vulnerability CVE-2018-5743
756538-4 CVE-2019-6645 K15759349 Failure to open data channel for active FTP connections mirrored across an HA pair.
754944-1 CVE-2019-6626 K00432398 AVR reporting UI does not follow best practices
754345-2 CVE-2019-6625 K79902360 WebUI does not follow best security practices
754103-1 CVE-2019-6644 K75532331 iRulesLX NodeJS daemon does not follow best security practices
753975-2 CVE-2019-6666 K92411323 TMM may crash while processing HTTP traffic with AAM
753776-2 CVE-2019-6624 K07127032 TMM may consume excessive resources when processing UDP traffic
748502-1 CVE-2019-6623 K72335002 TMM may crash when processing iSession traffic
737731-6 CVE-2019-6622 K44885536 iControl REST input sanitization
737574-6 CVE-2019-6621 K20541896 iControl REST input sanitization
737565-6 CVE-2019-6620 K20445457 iControl REST input sanitization
726393-2 CVE-2019-6643 K36228121 DHCPRELAY6 can lead to a tmm crash
726327 CVE-2018-12120 K37111863 NodeJS debugger accepts connections from any host
757455-2 CVE-2019-6647 K87920510 Excessive resource consumption when processing REST requests
753796-1 CVE-2019-6640 K40443301 SNMP does not follow best security practices
750460-1 CVE-2019-6639 K61002104 Subscriber management configuration GUI
750298-1 CVE-2019-6638 K67825238 iControl REST may fail while processing requests
750187-1 CVE-2019-6637 K29149494 ASM REST may consume excessive resources
745371-1 CVE-2019-6636 K68151373 AFM GUI does not follow best security practices
745257-1 CVE-2018-14634 K20934447 Linux kernel vulnerability: CVE-2018-14634
742226-6 CVE-2019-6635 K11330536 TMSH platform_check utility does not follow best security practices
710857-5 CVE-2019-6634 K64855220 iControl requests may cause excessive resource usage
702469-7 CVE-2019-6633 K73522927 Appliance mode hardening in scp
673842-6 CVE-2019-6632 K01413496 vCMP does not follow best security practices
773653-6 CVE-2019-6656 K23876153 APM Client Logging
773641-6 CVE-2019-6656 K23876153 APM Client Logging
773637-6 CVE-2019-6656 K23876153 APM Client Logging
773633-6 CVE-2019-6656 K23876153 APM Client Logging
773621-6 CVE-2019-6656 K23876153 APM Client Logging


Functional Change Fixes

ID Number Severity Solution Article(s) Description
749704-2 4-Minor   GTPv2 Serving-Network field with mixed MNC digits


TMOS Fixes

ID Number Severity Solution Article(s) Description
774445-1 1-Blocking K74921042 BIG-IP VE does not pass traffic on ESXi 6.7 Update 2
789993-1 2-Critical   Failure when upgrading to 15.0.0 with config move and static management-ip.
773677-1 2-Critical K72255850 BIG-IP 14.1.0 system-journald write to /run/log/journal cause SWAP usage increase
769809-4 2-Critical   vCMP guests 'INOPERATIVE' after upgrade
765801 2-Critical   WCCP service info field corrupted in upgrade to 14.1.0 final
760573-1 2-Critical K00730586 TPM system integrity check may return invalid status when booting into BIG-IP 14.1.0
760508-1 2-Critical K91444000 On systems with multiple versions of BIG-IP in use, the 'invalid' System Integrity Status may persist
760408-3 2-Critical K23438711 System Integrity Status: Invalid after BIOS update
760164-1 2-Critical   BIG-IP VE Compression Offload HA action requires modification of db variable
757722-2 2-Critical   Unknown notify message types unsupported in IKEv2
756402-2 2-Critical   Re-transmitted IPsec packets can have garbled contents
756071-3 2-Critical   MCPD crash
755254-1 2-Critical   Remote auth: PAM_LDAP buffer too small errors
753650-2 2-Critical   The BIG-IP system reports frequent kernel page allocation failures.
750586-2 2-Critical   HSL may incorrectly handle pending TCP connections with elongated handshake time.
743803-1 2-Critical   IKEv2 potential double free of object when async request queueing fails
741503-1 2-Critical   The BIG-IP system fails to load base config file when upgrading with static IPv4
726487-4 2-Critical   MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
648270-1 2-Critical   mcpd can crash if viewing a fast-growing log file through the GUI
766365-1 3-Major   Some trunks created on VE platform stay down even when the trunk's interfaces are up
766329-2 3-Major   SCTP connections do not reflect some SCTP profile settings
765033 3-Major   Upgrades to versions that restrict resource-admin users from accessing bash may fail under certain conditions
760597-1 3-Major   System integrity messages not logged
760594 3-Major   On BIG-IP VE, 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details.
758879 3-Major   BIG-IP VE with ixlv devices does not reliably pass some traffic after hard-boot
748206-1 3-Major   Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position
748187-4 3-Major   'Transaction Not Found' Error on PATCH after Transaction has been Created
746657-1 3-Major   tmsh help for FQDN node or pool member shows incorrect default for fqdn interval
740543-1 3-Major   System hostname not display in console
725791-6 3-Major   Potential HW/HSB issue detected
718405-2 3-Major   RSA signature PAYLOAD_AUTH mismatch with certificates
581921-5 3-Major K22327083 Required files under /etc/ssh are not moved during a UCS restore
754500-2 4-Minor   GUI LTM Policy options disappearing
726317-6 4-Minor   Improved debugging output for mcpd


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
759723-1 2-Critical   Abnormally terminated connections on server side may cause client side streams to stall
758465-1 2-Critical   TMM may crash or iRule processing might be incorrect
756356-2 2-Critical   External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long
753912-4 2-Critical K44385170 UDP flows may not be swept
752930-3 2-Critical   Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
747727-1 2-Critical   HTTP Profile Request Header Insert Tcl error
747239-1 2-Critical   TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection
745533-6 2-Critical   NodeJS Vulnerability: CVE-2016-5325
741048-1 2-Critical   iRule execution order could change after editing the scripts
766293-1 3-Major   Monitor logging fails on v14.1.0.x releases
760550-5 3-Major   Retransmitted TCP packet has FIN bit set
758311-1 3-Major   Policy Compilation may cause MCPD to crash
757985-1 3-Major K79562045 TMM memory leak
757698-1 3-Major   TMM crashes in certain situations of which iRule execution interleaves client side and server side flows
756270-4 3-Major   SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
754985-1 3-Major   Standby mirrored server SSL connections fail, and tmm may crash while processing mirrored TLS traffic
752078-2 3-Major   Header Field Value String Corruption
749414-4 3-Major   Invalid monitor rule instance identifier error
747907-2 3-Major   Persistence records leak while the HA mirror connection is down
742078-6 3-Major   Incoming SYNs are dropped and the connection does not time out.
740959-4 3-Major   User with manager rights cannot delete FQDN node on non-Common partition
740345-3 3-Major   TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.
696755-3 3-Major   HTTP/2 may truncate a response body when served from cache
696735-2 3-Major   TCP ToS Passthrough mode does not work correctly
504522-4 3-Major   Trailing space present after 'tmsh ltm pool members monitor' attribute value
747968-3 4-Minor   DNS64 stats not increasing when requests go through DNS cache resolver


Performance Fixes

ID Number Severity Solution Article(s) Description
777937-3 1-Blocking   AWS ENA: packet drops due to bad checksum


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
759721-2 3-Major K03332436 DNS GUI does not follow best practices
749508-1 3-Major   LDNS and DNSSEC: Various OOM conditions need to be handled properly
749222-1 3-Major   dname compression offset overflow causes bad compression pointer
748902-5 3-Major   Incorrect handling of memory allocations while processing DNSSEC queries
746877-1 3-Major   Omitted check for success of memory allocation for DNSSEC resource record
744707-2 3-Major   Crash related to DNSSEC key rollover
723288-4 3-Major   DNS cache replication between TMMs does not always work for net dns-resolver
748177-1 4-Minor   Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
759360-2 2-Critical   Apply Policy fails due to policy corruption from previously enforced signature
749912-1 2-Critical   [BIG-IQ Integration] Deadlock occurs when adding multiple hostnames with transparent enforcement
723790-3 2-Critical   Idle asm_config_server handlers consumes a lot of memory
765449-1 3-Major   Update availability status may be inaccurate
763001-1 3-Major K70312000 Web-socket enforcement might lead to a false negative
761941-1 3-Major   ASM does not remove CSRT token query parameter before forwarding a request to the backend server
761194-2 3-Major   param data type violation on an Integer parameter, if an integer value is sent via websocket JSON
760878-3 3-Major   Incorrect enforcement of explicit global parameters
759483-1 3-Major   Message about HTTP status code which are set by default disappeared from the UI
758085-1 3-Major   CAPTCHA Custom Response fails when using certain characters
756418-1 3-Major   Live Update does not authenticate remote users
742558-1 3-Major   Request Log export document fails to show some UTF-8 characters
687759-3 3-Major   bd crash
774941-1 4-Minor   GUI misspelling in Bot Defense logging profile
768761-2 4-Minor   Improved accept action description for suggestions to disable signature/enable metacharacter in policy
766357-1 4-Minor   Two simultaneously manual installations can cause live-update inconsistency
765413-1 4-Minor   ASM cluster syncs caused by PB ignored suggestions updates
761921-1 4-Minor   avrd high CPU utilization due to perpetual connection attempts
761553-2 4-Minor   Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic
761549-2 4-Minor   Traffic Learning: Accept and Stage action is shown only in case entity is not in staging
761231-2 4-Minor K79240502 Bot Defense Search Engines getting blocked after configuring DNS correctly
759462-1 4-Minor   Site names and vulnerabilities cannot be retrieved from WhiteHat server
755005-1 4-Minor   Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
750689-3 4-Minor   Request Log: Accept Request button available when not needed
749184-2 4-Minor   Added description of subviolation for the suggestions that enabled/disabled them
747560-5 4-Minor   ASM REST: Unable to download Whitehat vulnerabilities
769061-2 5-Cosmetic   Improved details for learning suggestions to enable violation/sub-violation


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
763349-3 2-Critical   AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out
756205-1 2-Critical   TMSTAT offbox statistics are not continuous
756102-2 2-Critical   TMM can crash with core on ABORT signal due to non-responsive AVR code
771025-3 3-Major   AVR send domain names as an aggregate
764665-2 3-Major   AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change
763005-3 3-Major   Aggregated Domain Names in DNS statistics are shown as random domain name
760356-2 3-Major   Users with Application Security Administrator role cannot delete Scheduled Reports


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
770557-3 2-Critical   Per-Session RADIUS Acct STOP message is forged based on pool route domain, but is sent through default one
769281-1 2-Critical   Per-request Acess Policy may show user interface pages incorrectly i nlanguages other than English
755447-1 2-Critical   SSLO does not deliver content generated/originated from inline device
753370-3 2-Critical   RADIUS auth might not be working as configured when there is change in RADIUS auth config name.
774633-2 3-Major   Memory leak in tmm when session db variables are not cleaned up
774213-1 3-Major   SWG session limits on SSLO deployments
760410-1 3-Major   Connection reset is seen when Category lookup agent is used in per-req policy
760250 3-Major   'Unsupported SSO Method' error when requests sharing the same TCP session
759868-1 3-Major   TMM crash observed while rendering internal pages (like blocked page) for per-request policy
758764-2 3-Major   APMD Core when CRLDP Auth fails to download revoked certificate
758701-1 3-Major   APM fails to handle Remote Desktop Gateway connections from standalone RDP clients after fresh install
757992-3 3-Major   RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
757360-1 3-Major   Category lookup returns wrong category on subsequent traffic following initial HTTP CONNECT traffic through SSLO
755475-1 3-Major   Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync
755047-1 3-Major   Category lookup returns wrong category on CONNECT traffic through SSLO
754542-2 3-Major   TMM may crash when using RADIUS Accounting agent
752875-2 3-Major   tmm core while using service chaining for SSLO
751807-1 3-Major   SSL Orchestrator may not activate service connectors if traffic is an HTTP tunnel
751424-1 3-Major   HTTP Connect Category Lookup not working properly
749057-1 3-Major   VMware Horizon idle timeout is ignored when connecting via APM
745574-1 3-Major   URL is not removed from custom category when deleted
738430-3 3-Major   APM is not able to do compliance check on iOS devices running F5 Access VPN client
734291-1 3-Major   Logon page modification fails to sync to standby
695985-4 3-Major   Access HUD filter has URL length limit (4096 bytes)
766761-2 4-Minor   Ant-server does not log requests that are excluded from scanning


Service Provider Fixes

ID Number Severity Solution Article(s) Description
766405-2 2-Critical   MRF SIP ALG with SNAT: Fix for potential crash on next-active device
754615-2 2-Critical   Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup.
763157-2 3-Major   MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped
760370-2 3-Major   MRF SIP ALG with SNAT: Next active ingress queue filling
759077-2 3-Major   MRF SIP filter queue sizes not configurable
755630-1 3-Major   MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes
752822-1 3-Major   SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type
751179-1 3-Major   MRF: Race condition may create to many outgoing connections to a peer
746825-1 3-Major   MRF SIP ALG with SNAT: Ephemeral listeners not created for unsubscribed outgoing calls
745947-2 3-Major   Add log events for MRF SIP registration/deregistration and media flow creation/deletion
745590-1 3-Major   SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added
760930-2 4-Minor   MRF SIP ALG with SNAT: Added additional details to log events
747909-5 4-Minor   GTPv2 MEI and Serving-Network fields decoded incorrectly


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
757524 1-Blocking   Data operation attempt on object that has not been loaded
757359-1 2-Critical   pccd crashes when deleting a nested Address List
754805 2-Critical K97981358 Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured
753028-2 3-Major   AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule
745809-2 3-Major   The /var partition may become 100% full requiring manual intervention to clear space
756477-2 5-Cosmetic   Drop Redirect tab incorrectly named as 'Redirect Drop'


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
744516-4 2-Critical   TMM panics after a large number of LSN remote picks


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
748121-3 2-Critical   admd livelock under CPU starvation
653573-6 2-Critical   ADMd not cleaning up child rsync processes
756877-1 3-Major   Virtual server created with Guided Configuration is not visible in Grafana


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
752803-1 2-Critical   CLASSIFICATION_DETECTED running reject can lead to a tmm core
752047-1 2-Critical   iRule running reject in CLASSIFICATION_DETECTED event can cause core



Cumulative fixes from BIG-IP v14.1.0.5 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
755817 3-Major   v14.1.0.5 includes Guided Configuration 4.1
751824-1 3-Major   Restore old 'merge' functionally with new tmsh verb 'replace'


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
663819-1 3-Major   APM NTLM Authentication for RDP Client Gateway and Microsoft Exchange Proxy are incompatible with Microsoft workaround for MS17-010 (Wannacry / Eternalblue)


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
761173-1 2-Critical   tmm crash after extended whitelist modification
751869-2 2-Critical   Possible tmm crash when using manual mode mitigation in DoS Profile
760393 3-Major   GARP is not sent from newly active device after failover for FW NAT policy rule's dest prefixes
750477-1 3-Major   LTM NAT does not forward ICMP traffic
737035-2 3-Major   New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup.


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
757088-1 2-Critical   TMM clock advances and cluster failover happens during webroot db nightly updates
758536 3-Major   Traffic Intelligence IM pkg for 14.1.0 fails to install on base build version 14.1.0.x


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
737558-1 2-Critical   Protocol Inspection user interface elements are active but do not work
774881 3-Major   Protocol Inspection profiles can be added to a virtual server without Protocol Inspection being licensed.



Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release


Functional Change Fixes

None



Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
745783-1 3-Major   Anti-fraud: remote logging of login attempts


TMOS Fixes

ID Number Severity Solution Article(s) Description
758667-1 2-Critical   BIG-IP VE high availability (HA) actions are not invoked when offload hardware hangs
754541-2 2-Critical   Reconfiguring an iApp that uses a client SSL profile fails
760222 3-Major   SCP fails unexpected when FIPS mode is enabled
725625-1 3-Major   BIG-IP VE Cryptographic Offload updated to Intel QAT 1.7 v4.4.0 SDK



Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
757025-1 CVE-2018-5744 K00040234 BIND Update
750292-2 CVE-2019-6592 K54167061 TMM may crash when processing TLS traffic
749879-2 CVE-2019-6611 K47527163 Possible interruption while processing VPN traffic
744035-6 CVE-2018-15332 K12130880 APM Client Vulnerability: CVE-2018-15332
757027-1 CVE-2019-6465 K01713115 BIND Update
745713-4 CVE-2019-6619 K94563344 TMM may crash when processing HTTP/2 traffic
745165-1 CVE-2019-6617 K38941195 Users without Advanced Shell Access are not allowed SFTP access
737910-4 CVE-2019-6609 K18535734 Security hardening on the following platforms
703835-5 CVE-2019-6616 K82814400 When using SCP into BIG-IP systems, you must specify the target filename
702472-7 CVE-2019-6615 K87659521 Appliance Mode Security Hardening
713806-8 CVE-2018-0739 K08044291 CVE-2018-0739: OpenSSL Vulnerability
699977-3 CVE-2016-7055 K43570545 CVE-2016-7055: OpenSSL Vulnerability in NodeJS ILX


Functional Change Fixes

ID Number Severity Solution Article(s) Description
755641-1 2-Critical   Unstable asm_config_server after upgrade, 'Event dispatcher aborted'
744685-2 2-Critical   BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension
744188-1 2-Critical   First successful auth iControl REST requests will now be logged in audit and secure log files
745387-1 3-Major   Resource-admin user roles can no longer get bash access
739432 3-Major   F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems
738108-1 3-Major   SCTP multi-homing INIT address parameter doesn't include association's primary address
698376-5 3-Major   Non-admin users have limited bash commands and can only write to certain directories


TMOS Fixes

ID Number Severity Solution Article(s) Description
753642-1 2-Critical   iHealth may report false positive for Critical Malware
752835-2 2-Critical K46971044 Mitigate mcpd out of memory error with auto-sync enabled.
750580-1 2-Critical   Installation using image2disk --format may fail after TMOS v14.1.0 is installed
724680-6 2-Critical   OpenSSL Vulnerability: CVE-2018-0732
707013-3 2-Critical   vCMP host secondary member's cluster.conf file may replaced by that of vCMP guest
668041-4 2-Critical K27535157 Config load fails when an iRule comment ends with backslash in a config where there is also a policy.
621260-2 2-Critical   mcpd core on iControl REST reference to non-existing pool
757026-1 3-Major   BIND Update
753564-1 3-Major   Attempt to change password using /bin/passwd fails
751011-3 3-Major   ihealth.sh script and qkview locking mechanism not working
751009-3 3-Major   Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out
750661 3-Major   URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied.
750447-3 3-Major   GUI VLAN list page loading slowly with 50 records per screen
749382-1 3-Major   Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater
746873-1 3-Major   Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing
745825-1 3-Major   The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading
737536-2 3-Major   Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
721585-1 3-Major   mcpd core processing ltm monitors with deep level of inheritance
639619-7 3-Major   UCS may fail to load due to Master key decryption failure on EEPROM-less systems
751636-1 4-Minor   Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership
737423-2 4-Minor   Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
754143-1 2-Critical   TCP connection may hang after finished
747617-2 2-Critical   TMM core when processing invalid timer
742184-3 2-Critical   TMM memory leak
738945-4 2-Critical   SSL persistence does not work when there are multiple handshakes present in a single record
716714-4 2-Critical   OCSP should be configured to avoid TMM crash.
750200-3 3-Major   DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
749294-4 3-Major   TMM cores when query session index is out of boundary
746131-4 3-Major   OpenSSL Vulnerability: CVE-2018-0732
744686-2 3-Major   Wrong certificate can be chosen during SSL handshake
743900-1 3-Major   Custom DIAMETER monitor requests do not have their 'request' flag set
739963-4 3-Major   TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
739349-3 3-Major   LRO segments might be erroneously VLAN-tagged.
724327-2 3-Major   Changes to a cipher rule do not immediately have an effect
720219-3 3-Major K13109068 HSL::log command can fail to pick new pool member if last picked member is 'checking'
717896-4 3-Major   Monitor instances deleted in peer unit after sync
717100-1 3-Major   FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
716167-2 3-Major   The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp
704450-5 3-Major   bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
703593-1 3-Major   TMSH tab completion for adding profiles to virtual servers is not working as expected


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
756774-6 2-Critical   Aborted DNS queries to a cache may cause a TMM crash
756094-2 2-Critical   DNS express in restart loop, 'Error writing scratch database' in ltm log


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
752942-1 2-Critical   Live Update cannot be used by Administrator users other than 'admin' and 'root'
750922-1 2-Critical   BD crash when content profile used for login page has no parse parameters set
749136-1 2-Critical   Disk partition /var/log is low on free disk space
748321-1 2-Critical   bd crash with specific scenario
744347-4 2-Critical   Protocol Security logging profiles cause slow ASM upgrade and apply policy
721741-4 2-Critical   BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
754420-1 3-Major   Missing policy name in exported ASM request details
754066-1 3-Major   Newly added Systems are not added as part of installing a Server Technologies update file
753295-1 3-Major   ASM REST: All signatures being returned for policy Signatures regardless of signature sets
750973-1 3-Major   Import XML policy error
750793-2 3-Major   Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition
750686-1 3-Major   ASE user cannot create or modify a bot signature.
750683-1 3-Major   REST Backwards Compatibility: Cannot modify enforcementMode of host-name
750668-1 3-Major   Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition
750666-1 3-Major   Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common'
750356-2 3-Major   Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted
749500-1 3-Major   Improved visibility for Accept on Microservice action in Traffic Learning
749109-3 3-Major   CSRF situation on BIGIP-ASM GUI
748999-3 3-Major   invalid inactivity timeout suggestion for cookies
748848-2 3-Major   Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers
748409-2 3-Major   Illegal parameter violation when json parsing a parameter on a case-insensitive policy
747977-1 3-Major   File manually uploaded information is not synced correctly between blades
747777-3 3-Major   Extractions are learned in manual learning mode
747550-3 3-Major   Error 'This Logout URL already exists!' when updating logout page via GUI
746750-1 3-Major   Search Engine get Device ID challenge when using the predefined profiles
746298-1 3-Major   Server Technologies logos all appear as default icon
745813-1 3-Major   Requests are reported to local log even if only Bot Defense remote log is configured
745624-1 3-Major   Tooltips for OWASP Bot Categories and Anomalies were added
745607-1 3-Major   Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly
745531-2 3-Major   Puffin Browser gets blocked by Bot Defense
742852-1 3-Major   Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header
739945-4 3-Major   JavaScript challenge on POST with 307 breaks application
738676-1 3-Major   Errors when trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests
737866-2 3-Major   Rare condition memory corruption
754365-5 4-Minor   Updated flags for countries that changed their flags since 2010
721724-1 4-Minor   LONG_REQUEST notice print incorrect in BD log


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
746941-2 2-Critical   avrd memory leak when BIG-IQ fails to receive stats information
753446-2 3-Major   avrd process crash during shutdown if connected to BIG-IQ
749464-2 3-Major   Race condition while BIG-IQ updates common file
749461-2 3-Major   Race condition while modifying analytics global-settings
745027-2 3-Major   AVR is doing extra activity of DNS data collection even when it should not
744595-3 3-Major   DoS-related reports might not contain some of the activity that took place
744589-3 3-Major   Missing data for Firewall Events Statistics
715110-1 3-Major   AVR should report 'resolutions' in module GtmWideip


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
752592-1 2-Critical   VMware Horizon PCoIP clients may fail to connect shortly after logout
754346-2 3-Major   Access policy was not found while creating configuration snapshot.
746771-3 3-Major   APMD recreates config snapshots for all access profiles every minute
745654-4 3-Major   Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
743437-3 3-Major   Portal Access: Issue with long 'data:' URL


Service Provider Fixes

ID Number Severity Solution Article(s) Description
749603-1 3-Major   MRF SIP ALG: Potential to end wrong call when BYE received
749227-1 3-Major   MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE
748043-2 3-Major   MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP
747187-2 3-Major   SIP falsely detects media flow collision when SDP is in both 183 and 200 response
745715-2 3-Major   MRF SIP ALG now supports reading SDP from a mime multipart payload
745628-1 3-Major   MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
745514-1 3-Major   MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
745404-4 3-Major   MRF SIP ALG does not reparse SDP payload if replaced
744949-1 3-Major   MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix
744275-1 3-Major   BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
742829-1 3-Major   SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
747104-1 1-Blocking K52868493 LibSSH: CVE-2018-10933
752363-2 2-Critical   Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled
749331-3 2-Critical   Global DNS DoS vector does not work in certain cases
747922-3 2-Critical   With AFM enabled, during bootup, there is a small possibility of a tmm crash
748176-1 3-Major   BDoS Signature can wrongly match a DNS packet
748081-1 3-Major   Memory leak in Behavioral DoS module
747926-2 3-Major   Rare TMM restart due to NULL pointer access during AFM ACL logging


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
726647-5 3-Major   PEM content insertion in a compressed response may truncate some data


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
752782-1 3-Major   'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'
741449-3 4-Minor   alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
738677-1 4-Minor   Configured name of wildcard parameter is not sent in data integrity alerts


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
755378-1 2-Critical   HTTPS connection error from Chrome when BADOS TLS signatures configured
727136-1 3-Major   One dataset contains large number of variations of TLS hello messages on Chrome



Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
745629 2-Critical   Ordering Symantec and Comodo certificates from BIG-IP
713817-1 3-Major   BIG-IP images are available in Alibaba Cloud
738891-1 4-Minor   TLS 1.3: Server SSL fails to increment key exchange method statistics


TMOS Fixes

ID Number Severity Solution Article(s) Description
746424 2-Critical   Patched Cloud-Init to support AliYun Datasource
745851 3-Major   Changed Default Cloud-Init log level to INFO from DEBUG
742251-1 4-Minor   Add Alibaba Cloud support to Qkview


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
749774-5 3-Major   EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
749675-5 3-Major   DNS cache resolver may return a malformed truncated response with multiple OPT records

 

Cumulative fix details for BIG-IP v14.1.2.3 that are included in this release

846157-3 : TMM may crash while processing traffic on AWS

Component: TMOS

Symptoms:
Under certain conditions, TMM may crash while processing traffic with the DPDK/ENA driver on AWS systems.

Conditions:
-- BIG-IP Virtual Edition (VE) on AWS configured with the XNet DPDK/ENA driver.

Impact:
TMM restart, leading to a failover event.

Workaround:
Configure BIG-IP VE to use the sock driver instead of the default XNet driver.

Fix:
TMM now processes traffic as expected when using the XNet DPDK/ENA driver on AWS.


836661 : Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet.

Component: Local Traffic Manager

Symptoms:
Packet with unexpected source MAC is seen on the adjacent node to the BIG-IP system.

Conditions:
-- The BIG-IP system is configured in an L2 transparent mode using virtual wires.
-- Traffic forwarded between client and server in an asymmetric manner across virtual wires.

Impact:
Incorrect source MAC is used. Possible impacts to services on nodes adjacent to the BIG-IP system if policy decisions on those nodes are made with the source MAC of the received packet as input.

Workaround:
None.


834373-3 : Possible handshake failure with TLS 1.3 early data

Component: Local Traffic Manager

Symptoms:
During TLS 1.3 early data handshake, a code alert and handshake failure may occur

Conditions:
TLS 1.3 with early data resumption.

Impact:
Handshake failure.

Workaround:
Turn off early data.

Fix:
Fixes a possible TLS 1.3 early data handshake failure and code alert.


833213-3 : Conditional requests are served incorrectly with AAM policy in webacceleration profile

Component: WebAccelerator

Symptoms:
HTTP 1.1 allows a conditional request with header If-Modified-Since or If-Unmodified-Since to determine whether a resource changed since a specified date and time. If AAM is provisioned and its policy is assigned to a virtual server, it may incorrectly respond with 304 Not Modified, even after the resource was updated.

Conditions:
-- AAM is provisioned and webacceleration policy is attached to a virtual server.
-- Client sends a conditional request with If-Modified-Since or If-Unmodified-Since header.
-- The BIG-IP system responds from AAM cache.

Impact:
Client does not receive an updated resource.

Workaround:
Use webacceleration profile without AAM policy for resources that require conditional checks falling back into Ramcache.

Fix:
The BIG-IP system now respects If-Modified-Since or If-Unmodified-Since header and provides an appropriate response for the requested resource when compared to the date supplied in either header.


833113-3 : Avrd core when sending large messages via https

Component: Application Visibility and Reporting

Symptoms:
When sending large messages (>4KB) via HTTPs may cause avrd to core.

Conditions:
This typically happens when BIG-IP is managed by BIG-IQ and configuration is large and complex or traffic capturing is enabled.

Impact:
Messages to BIG-IQ are lost. In severe cases, analytics functionality may be unavailable due contiguous AVRD cores.

Workaround:
None.

Fix:
Fixed an avrd crash


832857 : Support ID on AJAX CAPTCHA popup (SPA) does not match the Support ID in log

Component: Application Security Manager

Symptoms:
The Support ID shown to the ASM end user does not appear in the logs.

Conditions:
-- ASM provisioned.
-- Bot Defense profile attached to a virtual server.
-- Single Page Application (SPA) is enabled in the Bot Defense profile.
-- AJAX request is blocked by bot defense, and CAPTCHA is shown to the ASM end user.

Impact:
ASM end user might complain about CAPTCHA and provide their Support ID to the BIG-IP administrator, but the BIG-IP administrator will not be able to find the Support ID in the logs.

Workaround:
None.

Fix:
Bot defense has been fixed so that the Support ID shown to the ASM end user matches the Support ID in the logs.


832205 : ASU cannot be completed after Signature Systems database corruption following binary Policy import

Component: Application Security Manager

Symptoms:
Signatures cannot be updated after signature systems have become corrupted in the configuration database, after a binary policy containing a user-defined Signature Set using an unknown System was imported.

Conditions:
Signature systems are corrupted in configuration database, because a binary policy containing a user-defined Signature Set using an unknown System was imported.

Impact:
Signatures cannot be updated.

Workaround:
Delete signature systems with an ID greater than 38, and re-add them by performing a signature update. You can delete these signature systems by running the following command:

mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "DELETE FROM PLC.NEGSIG_SYSTEMS WHERE system_group = ''"


831661-2 : ASMConfig Handler undergoes frequent restarts

Component: Application Security Manager

Symptoms:
Under some settings and load the RPC handler for the Policy Builder process restarts frequently, causing unnecessary churn and slower learning performance.

Conditions:
Configure one or more policies with automatic policy building enabled and learn traffic with violations

Impact:
Control Plane instability and poor learning performance on the device.

Fix:
The Policy Builder handler is now restored to a more robust process lifecycle.


830797-2 : Standby high availability (HA) device passes traffic through virtual wire

Component: Local Traffic Manager

Symptoms:
Virtual wire is forwarding traffic on standby resulting in traffic loops and potential network outage.

Conditions:
-- High availability (HA) configured.
-- Virtual wire configured.

Impact:
Standby device is passing traffic, which may create traffic loops and bring down the network.

Workaround:
Do not configure virtual wire on standby devices.

Fix:
Although you can create this configuration, the standby no longer forwards any traffic, which prevents the traffic loop and potential network outage.


826601-5 : Prevent receive window shrinkage for looped flows that use a SYN cookie

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
-- VIP to VIP (looped flow) configuration.
-- SYN cookie is used.
-- Initial receive window is greater than 3.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
-- Set the initial receive window value of the VIP to 3.

Fix:
Receive window shrinkage is prevented for looped flows using SYN cookies.


825805-1 : NTLM Auth may fail due to incorrect handling of EPM response

Component: Access Policy Manager

Symptoms:
NTLM passthrough authentication may stop working after upgrade.

Conditions:
-- NTLM authentication configured.
-- Upgraded to a BIG-IP software version that contains the implementation for the Microsoft Internet Explorer feature, 'Enhanced protected mode' (EPM).
-- There are more than two protocol sequence towers included in the EPM response.

Impact:
APM end users cannot login.

Workaround:
None.

Fix:
The system can now parse EPM response as expected.


824365-3 : Need informative messages for HTTP iRule runtime validation errors

Component: Local Traffic Manager

Symptoms:
For HTTP iRule runtime validation errors, an ERR_NOT_SUPPORTED error message is appended (with rule name and event) to /var/log/ltm, but the message is not informative about the cause of the validation error:

err tmm1[20445]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri".

The system should post a more informative message, in this case:

err tmm[10662]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - can't call after responding - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri"

Conditions:
-- HTTP filter and HTTP iRules are used by a virtual server.
-- An HTTP iRule runtime validation error happens. For example, HTTP::uri is called after HTTP::respond () which is not supported.

Impact:
With no informative error messages, it is difficult to identify the validation error.

Workaround:
There is no workaround at this time.

Fix:
Informative messages are provided for HTTP iRule runtime validation errors.


824101-1 : Request Log export file is not visible for requests including binary data

Component: Application Security Manager

Symptoms:
Request Log export file is not visible.

Conditions:
Request Log export file contain request with binary data

Impact:
Cannot get data from Request Log export file.

Workaround:
None.


824037-2 : Bot Defense whitelists do not apply for IP 'Any' when using route domains

Component: Application Security Manager

Symptoms:
When defining whitelists in bot defense profiles, when the IP is set to 'Any' and route domains are in use, whitelists are not applied.

Conditions:
-- Bot Defense profile is enabled.
-- Whitelist is configured for IP 'Any' (for URL or GEO),
-- Sending a request that matches the whitelist using route domains.

Impact:
Request will be mitigated.

Workaround:
For url whitelist only:
Add micro service to the bot defense profile, configure:
1. Add required URL.
2. Specify service type 'Custom Microservice Protection'.
3. Set the 'Mitigation and Verification' setting as required (relevant for logging only).
4. In 'Automated Threat Detection', set 'Mitigation Action' to 'None'.
5. Set the microservice 'Enforcement Mode' to 'Transparent'.

This causes the associated URL to never be blocked (but no 'whitelist' will be seen in reporting).

Fix:
Enabling IP 'Any' on route domains now works as expected.


821369 : Incomplete Action 'Deny' does not take effect for HTTP-Connect

Component: Access Policy Manager

Symptoms:
Per-request policy's incomplete-action 'Deny' does not take effect for HTTP-Connect request.

Conditions:
-- SSL Orchestrator (SSLO) or APM is licensed and provisioned.
-- Per-request policy is created and attached to a virtual server.
-- Incomplete Action value of per-request policy is set to 'Deny'.

Impact:
The BIG-IP system does not reject the HTTP-Connect request when incomplete-action is set to 'Deny'.

Workaround:
None.

Fix:
Incomplete Action 'Deny' now takes effect for HTTP-Connect request.


821133-2 : Wrong wildcard URL matching when none of the configured URLS include QS

Component: Fraud Protection Services

Symptoms:
Wildcard URLs has a flag (include_query_string) which indicates if the matching should include traffic URL's QS or not

For example, if the traffic URL is '/path?a=b' and configured URL is '/path*b':

1. if include QS enabled, URL is matched
2. otherwise, no match (since matching against '/path' only)

if there are no configured URLs with "Include Query String" enabled, matching may be wrong

Conditions:
1. Wildcard URL configured in anti-fraud profile (URL name contains an asterisk)
2. None of the configured URLs has "Include Query String" enabled
3. Traffic URL contains a query-string

Impact:
URL is incorrectly matched (when it either shouldn't be matched at all or should match another configured URL). Features/signatures might not work as expected.

Workaround:
Configure at least one URL with "Include Query String" enabled

Fix:
FPS should match query string correctly (according to configuration)


818429-4 : TMM may crash while processing HTTP traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing HTTP traffic.

Conditions:
HTTP profile active.

Impact:
TMM crash, leading to a failover event.

Workaround:
None.

Fix:
TMM now processes HTTP traffic as expected.


817917-1 : TMM may crash when sending TCP packets

Component: TMOS

Symptoms:
TMM crashes and produces a core file. TMM logs show the crash being type SIGFPE, with the following panic message:

Failed assert: xnet_lib.c:795: Valid tx packet

Conditions:
-- Virtual Edition

Impact:
TMM crash leading to a failover event.

Workaround:
A temporary way to avoid the problem is to configure BIG-IP Virtual Edition (VE) to use an alternative network driver in place of the default 'xnet' driver. In releases 14.1.0 and later, this is the 'sock' driver; in releases 13.1.0 through 14.0.x, the 'unic' driver is the alternative.

Use one of the following command sequences from the BIG-IP instance's 'bash' prompt to configure the alternative driver. (Note the use of the 'greater-than' symbol.)

-- Commands for Releases 14.1.0 and later:

  # echo "device driver vendor_dev 1d0f:ec20 sock" > /config/tmm_init.tcl

[check that the file's contents are correct]

  # cat /config/tmm_init.tcl

[restart the BIG-IP's TMM processes]

  # bigstart restart tmm

[make certain that the 'driver_in_use' is 'sock']

  # tmctl -dblade -i tmm/device_probed


-- Commands for releases 13.1.0 through 14.0.0:

  # echo "device driver vendor_dev 1af4:1000 unic" > /config/tmm_init.tcl

[check that the file's contents are correct]

  # cat /config/tmm_init.tcl

[restart the BIG-IP's TMM processes]

  # bigstart restart tmm

[make certain that the 'driver_in_use' is 'unic']

  # tmctl -dblade -i tmm/device_probed

Fix:
TMM processes large packets as expected.


816625-1 : The TMM may crash in a rare scenario involving HTTP unchunking, and plugins.

Component: Local Traffic Manager

Symptoms:
The TMM crashes while passing traffic.

Conditions:
This occurs rarely on a Virtual Server configured with HTTP profile that has HTTP response chunking enabled.

Impact:
Traffic disrupted while tmm restarts.

Fix:
The TMM no longer crashes in a rare scenario involving HTTP unchunking and plugins.


816273-2 : L7 Policies may execute CONTAINS operands incorrectly.

Component: Local Traffic Manager

Symptoms:
L7 Policies involving CONTAINS operands may execute incorrectly in some cases.

The policy compiler may incorrectly combine some internal states, 'forgetting' degrees of partial evaluation of a CONTAINS operation.

Conditions:
Multiple CONTAINS conditions are used on the same virtual server.

Impact:
The wrong policy actions may be triggered.

Workaround:
It may be possible to reorder the rules in a policy to restore correct operation. However, the more complex the policy, the less likely this is.

Fix:
L7 Policy CONTAINS operations are compiled correctly. Policies with CONTAINS operations no longer trigger the wrong rule actions.


815689-3 : Azure walinuxagent has been updated to v2.2.42.

Component: TMOS

Symptoms:
Some onboarding features are not available in the current version of walinuxagent.

Conditions:
Attempting to use a feature that is not available in the current version of the Azure walinuxagent that is included in the BIG-IP release.

Impact:
Cannot use new features in the Azure walinuxagent until the Azure walinuxagent is updated.

Workaround:
None.

Fix:
The Azure walinuxagent has been updated to v2.2.42.


815449-2 : BIG-IP closes connection when an unsized response is served to a HEAD request

Component: Local Traffic Manager

Symptoms:
When HTTP response has neither Content-Length nor Transfer-Encoding and has a body, BIG-IP closes a connection to designate end of the response body. HTTP protocol allows to send HEAD request instead of GET request to obtain a response headers only (without). BIG-IP erroneously closes a connection when a response to HEAD request lacks both Content-Length and Transfer-Encoding.

Conditions:
BIG-IP has a virtual server configured to use an HTTP profile.
The server response does not include the Content-Length or Transfer-Encoding headers in response to a HEAD request, and both client and server sides expects the communication to continue over the same connection.

Impact:
Connection closes and a client may not repeat the corresponding GET request on another connection.

Fix:
Connection keeps opened when an unsized response provided to a HEAD request.


813945-3 : PB core dump while processing many entities

Component: Application Security Manager

Symptoms:
PB core dump.

Conditions:
This may happen when the system is strained and PB is processing large policies (updating many entities may happen during periodic processing, response analysis).

This is a very rarely occurring scenario.

Impact:
PB core dump and restart.

Workaround:
None.

Fix:
PB core dump no longer occurs.


813389-1 : TMM Crashes upon failure in Bot Defense Client-Side code

Component: Application Security Manager

Symptoms:
On some cases, when Bot Defense Client-Side code is running on the browser, it causes TMM to crash.

Conditions:
-- Bot Defense is enabled with any JS browser verification (before or after access).
-- Surfing using a browser to an html page.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Adding sanity test so TMM will not crash.


812341-2 : Patch or Delete commands take a long time to complete when modifying an ASM signature set.

Component: Application Security Manager

Symptoms:
When modifying an ASM signature set that is not attached to any security policy using iControl REST Patch or Delete commands, the command takes a long time to complete.

Conditions:
-- ASM provisioned.
-- Using REST API Patch or Delete command to modify an ASM signature set.

Impact:
Command takes longer (several seconds) to process on detached ASM signature sets than it takes to complete on attached signature sets.

Workaround:
None.

Fix:
Changes to signatures and signatures sets now only recompile policies that are affected by the change.


811745-2 : Failover between clustered DIAMETER devices can cause mirror connections to be disconnected

Component: Service Provider

Symptoms:
When using DIAMETER with certain settings, a failover might cause mirror connections to get disconnected.

Conditions:
-- Two or more BIG-IP systems in a high availability (HA) configuration.
-- Aggressive settings for the DIAMETER watchdog timeout and max failures.

Impact:
Loss of mirroring between BIG-IP systems.

Workaround:
None.

Fix:
Mirror connections no longer disconnect during a failover.


811333-2 : Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile

Component: Local Traffic Manager

Symptoms:
After upgrade, configuration load fails and the following error is present in /var/log/ltm log:

01070312:3: Invalid keyword 'sslv2' in ciphers list for profile /Common/serverssl-insecure-compatible
Unexpected Error: Loading configuration process failed.

Conditions:
-- BIG-IP system with SSLv2 as ciphers option in SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.

Impact:
The config is not loaded, and upgrade fails.

Workaround:
If you are encountering this after upgrading, run the following commands from the bash prompt:

1. Backup the configuration:
#cp /config/bigip.conf /config/bigip_backup.conf

2. List the occurrences of 'sslv2' in the bigip.conf:
#more bigip.conf | grep -i sslv2

3. Remove the SSLv2 references:
#sed -i "s/\!SSLv2://g" /config/bigip.conf

4. Check to ensure there are no 'sslv2' references:
#more bigip.conf | grep -i sslv2

5. Verify the configuration:
#tmsh load sys config verify

6. Try loading the configuration:
#tmsh load sys config

Fix:
SSLv2 validation is removed from the configuration and upgrade succeeds.


811145-2 : VMware View resources with SAML SSO are not working

Component: Access Policy Manager

Symptoms:
Connections to SAML-enabled VMware View resources fail with following error in /var/log/apm:
err vdi[18581]: 019cffff:3: /pathname: {a7.C} Failed to handle View request: Can't find 'artifact' parameter.

Conditions:
VMware View resource is configured with SAML SSO method.

Impact:
Users cannot launch VMware View apps/desktops via SAML-enabled resource.

Workaround:
None.

Fix:
Can now successfully use VMware View resources with SAML SSO.


810657-2 : Tmm core while using service chaining for SSLO

Solution Article: K21135478


810557-8 : ASM ConfigSync Hardening

Solution Article: K05123525


809377-6 : AFM ConfigSync Hardening

Solution Article: K05123525


809205 : CVE-2019-3855: libssh2 Vulnerability

Component: TMOS

Symptoms:
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server.

Conditions:
-- Authenticated administrative user with Advanced Shell Access.
-- Use of cURL from the command line to connect to a compromised SSH server.

Impact:
A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

Workaround:
None.

Fix:
libcurl updated


809165-2 : TMM may crash will processing connector traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions TMM may crash will processing connector traffic.

Conditions:
Virtual service with Connector profile enabled.

Impact:
TMM crash leading to a failover event.

Workaround:
None.

Fix:
TMM now handles connector traffic as expected.


808525-2 : TMM may crash while processing Diameter traffic

Component: Service Provider

Symptoms:
Under certain conditions, TMM may crash while processing Diameter traffic.

Conditions:
Virtual server with Diameter profile enabled.

Impact:
TMM crash leading to a failover event.

Workaround:
None.

Fix:
TMM now processes Diameter traffic as expected.


808301-2 : TMM may crash while processing IP traffic

Component: Local Traffic Manager

Symptoms:
TMM crash with 'Assertion "l4hdr set" failed' panic message in /var/log/tmm* log.

Conditions:
Packet filter is enabled.

Impact:
TMM crash leading to a failover event.

Workaround:
Disable the packet filter.

Fix:
TMM handles IP traffic as expected.


807477-10 : ConfigSync Hardening

Solution Article: K04280042


806093-1 : Unwanted LDAP referrals slow or prevent administrative login

Component: TMOS

Symptoms:
On a BIG-IP system configured with remote LDAP/Active Directory authentication, attempting to login to the Configuration Utility or to the command-line interface may proceed very slowly or fail.

Conditions:
-- LDAP/Active Directory 'system-auth' authentication configured.
-- The Active Directory enables LDAP referrals (the default).
-- There are a large number of Active Directory servers in the enterprise, or the BIG-IP system does not have complete network connectivity to all Active Directory servers (caused by firewalls or special routes).

Impact:
The BIG-IP system may accept LDAP referrals that it is unable to process, resulting in authentication timeouts/failures.

Workaround:
To temporarily disable the referrals:

1. Edit one of the configuration files:
-- /etc/nslcd.conf
-- /config/bigip/auth/pam.d/ldap/system-auth.conf

2. Add add the following line:
referrals no

3. Restart nslcd service to apply change:
systemctl restart nslcd

Note: This change is not persistent and will be lost whenever MCPD reloads the configuration, or when other changes are made to system-auth configuration values.

Fix:
Changes to LDAP referrals value in configuration are now saved, so this issue no longer occurs.


806085-2 : In-TMM MQTT monitor is not working as expected

Component: Local Traffic Manager

Symptoms:
The monitoring probes are not being sent out to the network. Regardless of the monitor config and sys db variable.

Conditions:
Configuring the in-TMM MQTT monitor.

Impact:
Pool members with attached MQTT monitor state is incorrectly shown as DOWN.

Workaround:
None.

Fix:
In-TMM MQTT monitor now works as expected.


805353-1 : ASM reporting for WebSocket frames has empty username field

Component: Application Security Manager

Symptoms:
When using ASM to inspect and report WebSocket frames, the username field is always reported as empty or absent.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- WebSocket profile attached to a virtual server.
-- ASM logging profile attached to a virtual server.
-- WebSocket traffic inspected by ASM and logged as event log message or remote logger message.

Impact:
Poor visibility of current logged-in user in the event log for WebSocket frames.

Workaround:
None.

Fix:
ASM populates username field for logged WebSocket frames


804313-2 : MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.

Component: Service Provider

Symptoms:
The mirrored-message-sweeper-interval configuration option has no effect on the BIG-IP.

Conditions:
MRF in use, high availability configured, and a SIP profile is configured to use a specific Mirrored Message Sweeper Interval setting.

Impact:
On a system under high load, the next active device in a high availability (HA) pair could run out of memory.

Workaround:
None

Fix:
Message sweeper interval value now loads correctly.


804185-2 : Some WebSafe request signatures may not work as expected

Component: Fraud Protection Services

Symptoms:
Request signatures are part of the WebSafe signature mechanism. The request signature is achieved by configuring an FPS-protected URL and a corresponding custom-alert. If the URL is a wildcard, a priority must be assigned to determine the order of matching. URL matching by priority is not working properly. As a result, the signature do not work as expected

Conditions:
There is at least one wildcard URL configured by the request signature update file.

Impact:
A portion of WebSafe request signature do not work as expected:
-- An alert is sent, though it should not be (false-positive).
-- An alert was not sent, though it should be (false-negative).

Workaround:
Configure the same signature manually in the BIG-IP system's GUI/tmsh.

Fix:
FPS now correctly handles signature-based wildcard URL's priority.


803845-2 : When in HA, the Standby device is forwarding traffic causing a loop and subsequent network shutdown

Component: Local Traffic Manager

Symptoms:
Standby is passing traffic when a virtual wire is configured.

Conditions:
-- Virtual wire configured in high availability (HA).

Impact:
Standby device is forwarding traffic traffic when it should not, causing a loop and subsequent network shutdown.

Workaround:
None.

Fix:
The Standby device no longer passes traffic through virtual wire when it should not.


803477-2 : BaDoS State file load failure when signature protection is off

Component: Anomaly Detection Services

Symptoms:
Behavioral DoS (BADoS) loses its learned thresholds.

Conditions:
Restart of admd when signature protection is off.

Impact:
The system must relearn the thresholds, BADoS protection is not available during the learning time.

Workaround:
Turn on signatures detection.

Fix:
BADoS State file successfully loads after admd restart, even without signatures detection.


803445-3 : When adding several mitigation exceptions, the previously configured actions revert to the default action

Component: Application Security Manager

Symptoms:
After adding a new item to the mitigation exception list, you can also change its mitigation action. If you do not save the changes and then add more new exception items, the mitigation actions of the previously added items return to their default value actions.

Conditions:
-- Add mitigation exception to the Bot Configuration.
-- Change mitigation action on that new exception.
-- Add new items to exception list without first saving.

Impact:
Mitigation action exceptions might be saved with their default value actions instead of the actions you configured.

Workaround:
After adding a group of exception items and editing their actions, save the Bot Configuration properties before adding any new mitigation exception items.

Fix:
When adding several mitigation exceptions, the previously configured actions no longer revert to the default action.


802865-1 : The iControl REST query request returning empty list for DoS Protected Objects

Component: Advanced Firewall Manager

Symptoms:
DoS Protection profiles are not displayed in the GUI, but they are visible when using the tmsh command:

tmsh list security dos profile | grep "security dos profile"

Conditions:
This is encountered in Security :: DoS Protection : Protection Profiles.

Impact:
DoS Protected Objects are not included in the REST endpoint /mgmt/tm/security/presentation/tmui/virtual-list, so the GUI cannot display the DoS Protected Objects

Workaround:
Use tmsh.

Fix:
DoS Protected Objects are now visible in the GUI


801497-2 : Virtual wire with LACP pinning to one link in trunk.

Component: Local Traffic Manager

Symptoms:
A virtual-wire that uses interface trunks may use a single interface on egress.

Conditions:
Virtual-wire configured across multi-interface trunks.

Impact:
This may lead to unexpected link saturation.

Workaround:
None.


800453-3 : False positive virus violations

Component: Application Security Manager

Symptoms:
False positive ASM virus violations.

Conditions:
Specific connection characteristics between ASM and the antivirus server may cause replies from the antivirus server to be missed by the ASM. ASM reports a virus when the antivirus reply is timed out.

Impact:
False positive blocking or violation reporting.

Workaround:
The EnableASMByPass internal parameter setting can be configured to allow the antivirus server to not reply, so it won't issue a violation when it occurs.

/usr/share/ts/bin/add_del_internal add EnableASMByPass 1
bigstart restart asm

Notes:
When the internal is enabled, asm will also bypass huge HTTP requests (when they come on multiple connections) instead of reseting them.


800369-2 : The fix for ID 770797 may cause a TMM crash

Component: Local Traffic Manager

Symptoms:
In rare situations the TMM may crash after the original fix for ID 770797 is applied.

Conditions:
HTTP2 is used on the client-side of a virtual server without an MRF http_router profile.

The original fix for ID 770797 is used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The fix for ID 770797 has been altered to prevent the TMM from crashing in rare situations.


800305-2 : VDI::cmp_redirect generates flow with random client port

Component: Local Traffic Manager

Symptoms:
The VDI::cmp_redirect iRule command generates a flow with a randomly-assigned client port.

Conditions:
-- VDI::cmp_redirect iRule command used

Impact:
Client port is not the same as the original client port.

Fix:
The VDI::cmp_redirect iRule command now uses the same port.


800209-1 : The tmsh recursive list command includes DDoS GUI-specific data info

Component: Advanced Firewall Manager

Symptoms:
DDoS GUI-specific data is included when running the command: tmsh recursive list. This irrelevant information might cause confusion.

Conditions:
This occurs when the AFM module is enabled

Impact:
Extra, irrelevant data is provided in output, which can cause confusion.

Workaround:
This always happens as long as AFM is enabled. You can deprovision the AFM module to disable this command.

Fix:
DDoS GUI-specific data is now filtered out when running the command: tmsh recursive list.


799617-2 : ConfigSync Hardening

Solution Article: K05123525


799589-2 : ConfigSync Hardening

Solution Article: K05123525


798949-3 : Config-Sync fails when Config-Sync IP configured to management IP

Component: TMOS

Symptoms:
Device Group Sync Fails with error in the GUI: 01070712:3: Caught configuration exception (0), Failed to sync files.

Conditions:
Config-Sync IP configured to management IP:
sys db configsync.allowmanagement value enable

Impact:
Config-Sync of file objects such as SSL certificates fails.

Workaround:
None.

Fix:
Config-Sync has been updated to allow synchronization of file objects over the mgmt port.


798249-2 : TMM may crash while processing HTTP/2 requests

Solution Article: K81557381


798105-1 : Node Connection Limit Not Honored

Component: Local Traffic Manager

Symptoms:
Connection limits on nodes are not honored.

Conditions:
A node with connection limits set.

Impact:
More traffic will pass to the node than the limit is supposed to allow.

Workaround:
Modify the node's limit after the node is created and it will start honoring the limit.

Fix:
The node's limit is now honored.


797977-1 : Self-IP traffic does not preserve the TTL from the Linux host

Component: Local Traffic Manager

Symptoms:
The Egress traffic from TMM has IP TTL set to 255 instead of keeping the TTL from the Linux host.

Conditions:
IP/IPv6 TTL for host traffic.

Impact:
Tools like traceroute do not work because Linux host rejects the packets.

Workaround:
Adjust TTL verification restrictions

Fix:
IP TTL is preserved.


797885-2 : ConfigSync Hardening

Solution Article: K05123525


797785-2 : AVR reports no ASM-Anomalies data.

Component: Application Visibility and Reporting

Symptoms:
AVR collects data for ASM-Anomalies, which include Brute-Force and Web-Scraping activities. When reported, all metrics and dimensions are hidden. AVR output looks like this:
errdefs_msgno=\"22282253\",Entity=\"ASM_ANOMALIES\

Conditions:
When gathering statistics reporting a Brute-Force or Web-Scraping attack.

Impact:
AVR reports no ASM-Anomalies data.

Workaround:
None.


797541-1 : NTLM Auth may fail when user's information contains SIDS array

Solution Article: K05115516

Component: Access Policy Manager

Symptoms:
NTLM authentication fails when the authentication response contains a nonempty sid_and_attributes array. This will most likely occur when a user is a member of universal groups from a trusted domain.

Conditions:
- NTLM front-end authentication is configured.
- The authentication response contains nonempty sid_and_attributes array (most likely user is a member of universal groups from trusted domain)

Impact:
Users are unable to log in through the BIG-IP.

Warning messages similar to the following can be found in /var/log/apm logfile:

warning eca[11436]: 01620002:4: [Common] 192.168.0.1:60294 Authentication with configuration (/Common/server1.testsite.com) result: user01@USER01 (WORKSTATION): Fail (UNEXP_006C0065)

warning nlad[11472]: 01620000:4: <0x2b4d27397700> client[46]: DC[172.29.67.112]: schannel[0]: authentication failed for user 'user01', return code: 0x006c0065

NOTE: the return code is not necessary 0x006c0065 or 0x00000007. It can be any value. However, the larger the size of SIDS and Attributes array. The more likely the error value will be 0x00000007

Workaround:
None.


796469-6 : ConfigSync Hardening

Solution Article: K05123525


795797-2 : AFM WebUI Hardening

Solution Article: K21121741


795769-3 : Incorrect value of Systems in system-supplied signature sets

Component: Application Security Manager

Symptoms:
In properties of system-supplied Attack Signature Sets, the field "Systems" is always displayed with value All.

For example, for Generic Detection Signatures the "Systems" field should be: System Independent, General Database, Various systems

Instead, "Systems" is set to "All".

Conditions:
Only for system-supplied signature sets, while user-defined signatures sets are displayed with correctly assigned Systems.

Impact:
Misleading value of Systems

Workaround:
N/A

Fix:
Correct value of "Systems" is displayed for system-supplied signature sets


795437-4 : Improve handling of TCP traffic for iRules

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM stops processing TCP traffic when processed by an iRule

Conditions:
-- TCP profile is configured
-- Invalid packet construction

Impact:
TMM may crash, leading to a failover event.

Workaround:
None.

Fix:
TMM handles TCP traffic for iRule as expected.


795197-1 : Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Solution Article: K26618426


794581 : Transfer might stall for an object served from WAM cache

Component: Local Traffic Manager

Symptoms:
When HTTP response is served from cache, a transfer stalls due to incorrect value in Content-Length header.

Conditions:
- Virtual server with HTTP profile that has standard chunking settings.
- Web acceleration profile is configured on the virtual server.
- HTTP response is served from AAM cache.

Impact:
Transfer stalls as the client is expecting more bytes from peer (due to Content-Length header being advertised as greater than than object's actual size).

Workaround:
For the HTTP profile used, set request-chunking to selective.

Fix:
Transfer completes for an object served from WAM cache.


794501-2 : Duplicate if_indexes and OIDs between interfaces and tunnels

Component: TMOS

Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.

Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.

Impact:
Duplicate if_indexes and duplicate OIDs. SNMP logs error messages:

# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
    if-index 64 <-------------------------------
net interface mgmt {
    if-index 32
net vlan external {
    if-index 96
net vlan internal {
    if-index 112
net vlan test {
    if-index 128
net vlan tmm_bp {
    if-index 48
net tunnels tunnel http-tunnel {
    if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
    if-index 80


# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm

-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: high availability (HA) daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: high availability (HA) daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: high availability (HA) proc_running named enabled.
=========================

-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289

Workaround:
No workaround currently known.

Fix:
Duplicate if_indexes are no longer assigned to tunnels and interfaces. The resulting duplicate SNMP OIDs are prevented.


794413-2 : BIND vulnerability CVE-2019-6471

Solution Article: K10092301


794389-6 : iControl REST endpoint response inconsistency

Solution Article: K89509323


794285 : BIG-IQ reading AFM configuration fails with status 400

Component: Protocol Inspection

Symptoms:
When the BIG-IQ tries to read the AFM configuration, using REST, the operations fails with status 400, if AFM is provisioned but the Protocol Inspection module is not licensed.

Conditions:
-- AFM provisioned on BIG-IP system.
-- Protocol Inspection module is not licensed.

Impact:
The operations fails with status 400. BIG-IQ cannot read AFM configuration if Protocol Inspection module is not licensed.

Workaround:
License Protocol Inspection.


793937-1 : Management Port Hardening

Solution Article: K03126093


793045-2 : File descriptor leak in net-snmpd while reading /shared/db/cluster.conf

Component: TMOS

Symptoms:
Net-snmpd is leaking the file descriptors during the SNMP traps add/delete via tmsh.

Observe that the file descriptors used by snmpd increase using 'ls -l /proc/$(pidof snmpd)/fd'

Following error is logging into /var/log/daemon.log
err snmpd[5160]: /proc/stat: Too many open files

Conditions:
Perform add/delete on SNMP traps via tmsh.

Impact:
Failure of snmpd operations on BIG-IP systems.

Workaround:
None.

Fix:
No longer leaks file descriptors in net-snmpd while reading /shared/db/cluster.conf.


793017-1 : Files left behind by failed Attack Signature updates are not cleaned

Component: Application Security Manager

Symptoms:
If an Attack Signature update encounters an error during installation, files that are meant to be temporary are left behind on disk and a not subject to a periodic cleanup. This can eventually lead to disk space issues.

Conditions:
Attack Signature update encounters an error during installation.

Impact:
This can eventually lead to disk space issues.

Workaround:
Old sigfile.tmp.* directories under /var/ts/var/tmp can be safely removed.

Fix:
These directories are now included in the periodic file cleanup task.


792265-3 : Traffic logs does not include the BIG-IQ tags

Component: Application Visibility and Reporting

Symptoms:
AVR collects traffic data. When that data is reported to BIG-IQ, it omits the BIG-IQ tags which are required by BIG-IQ.

Conditions:
When AVR collects traffic data and sending it BIG-IQ.

Impact:
There are no BIG-IQ tags in the traffic logs. BIG-IQ is unable to map traffic-capturing logs to applications.

Workaround:
None.

Fix:
Traffic logs now include the BIG-IQ tags.


791669 : TMM might crash when Bot Defense is configured for multiple domains

Component: Application Security Manager

Symptoms:
TMM might crash and generate a core file when using a Bot Defense profile that is configured for multiple domains.

Conditions:
Bot Defense is configured with multiple 'Related Site Domains' and attached to a virtual server.

Impact:
TMM crash with core. Traffic disrupted while tmm restarts.

Workaround:
None,

Fix:
TMM no longer crashes when Bot Defense is configured for multiple domains.


791057-1 : MCP may crash when traffic matching criteria is updated

Component: Local Traffic Manager

Symptoms:
MCP may crash when traffic matching criteria is updated, either directly or as the result of a configuration sync operation.

Conditions:
The specific root cause is unknown, although the crash is related to the update of traffic matching criteria.

Impact:
mcpd restarts. This results in a failover (when DSC is in use) or a halt to traffic processing (when DSC is not in use) while mcpd is restarting.

Workaround:
None.


790349-2 : merged crash with a core file

Component: Application Security Manager

Symptoms:
merged crash and restart.

Conditions:
A tmstat sync operation is occurring in the background.

Impact:
Statistical data is not available for system utilities/graphs while merged restarted. There is no other impact beside the appearance of the core file.

Workaround:
None.

Fix:
merged core scenario fix.


789993-1 : Failure when upgrading to 15.0.0 with config move and static management-ip.

Component: TMOS

Symptoms:
Upgrade to 15.0.0 from earlier version fails.

Conditions:
This happens when upgrading to 15.0.0 from earlier versions with static management-ip (dhclient.mgmt set to disabled).

Impact:
As the config move fails, the Management IP address might not be correct on the newly installed 15.0.0 device.

Workaround:
Keep DHCP enabled before upgrading or reset the management-ip after upgrade.

Fix:
Failure when upgrading to 15.0.0 with config move and static management-ip.


789893-2 : SCP file transfer hardening

Component: TMOS

Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.

Conditions:
Administrative user with SCP access.

Impact:
Under certain conditions, the SCP file transfer system does not follow current best practices.

Workaround:
None.

Fix:
The SCP file transfer system now follows current best practices.


789817-1 : In rare conditions info fly-out not shown

Component: Application Security Manager

Symptoms:
When the question mark icon ('?') is close to the right upper corner of the page, the info fly-out is not shown when the question mark icon is clicked.

Conditions:
This can occur under the following conditions:
-- On Security :: Application Security screens that display a question mark for a help icon.
-- The ? icon is close to the right upper corner of the page.
-- Clicking the question mark icon to open the fly-out menu.

Impact:
Info fly-out not shown.

Workaround:
Change page size so that the ? icon is not in the right upper corner.

Fix:
Fly-out is shown correctly in all cases.


789169-2 : Unable to create virtual servers with port-lists from the GUI

Component: TMOS

Symptoms:
Using the GUI to create a virtual server with a port-list or address-list fails with the following error:

01070096:3: Virtual server <virtual server name> lists profiles incompatible with its protocol.

Conditions:
- The virtual server is created with an ip-protocol set to a value other than 'any'.

- A port-list or address-list is used.

Impact:
Virtual server creation fails.

Workaround:
Create the configuration in tmsh.

1. Create an LTM traffic-matching-criteria object to define the port-list and/or address list. The protocol on the traffic-matching-criteria must be set to the protocol that the virtual server will use.

2. Create the LTM virtual server, and set the traffic-matching-criteria to the name of the traffic-matching-criteria object.

Fix:
While creating virtual server with port-list from the GUI, a traffic-matching-criteria is created internally and mapped to the virtual server. This ensures that the traffic-matching-criteria object uses the same ip-protocol as the virtual server.


788773-2 : HTTP/2 Vulnerability: CVE-2019-9515

Solution Article: K50233772


788769-2 : HTTP/2 Vulnerability: CVE-2019-9514

Solution Article: K01988340


788557-5 : BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior

Component: TMOS

Symptoms:
GRST - BGP graceful reset.

The problem occurs when the routing daemon bgpd restarts/starts (e.g., by terminating the bgpd daemon) its distribution of a process and is not supported. Another way we've found is to call "bigstart restart" command on a primary blade on chassis with more than one blade.

After the new primary blade takes over, BGP and BFD sessions are recreated at around the 'graceful restart' timeout interval.

Conditions:
-- BGP and BFD are configured.
-- BGP router's 'graceful restart' option is configured, enabled (set to 120 by default).
-- The bgpd daemon is terminated.

Another way to trigger the issue is to run 'bigstart restart' on a primary blade on a chassis with more than one blade.

Impact:
If BGP peering is reset, it causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocol from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.


In most cases, unexpected routing decisions come from networks learnt by affected routing protocol when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system, typically, the routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
None.

Fix:
BGP and BFD peering is not recreated in GRST timeout anymore.


788417-2 : Remote Desktop client on macOS may show resource auth token on credentials prompt

Component: Access Policy Manager

Symptoms:
APM uses the 'username' attribute to pass auth token for SSO enabled native RDP resources on macOS. In case Windows policy forces the user to provide credentials, or if Single Sign-on fails, the end user may see a credentials prompt containing the base 64-encoded auth token in the username field.

This behavior is observed only with Remote Desktop Client v10.x for macOS.

Conditions:
-- APM Webtop is configured with Single Sign-on enabled native RDP resource.
-- Try to access the RDP resource from macOS using RDP client v10.x.

Note: This issue is known to occur when Microsoft Group Policy 'Always prompt for password upon connection' is enabled on the target RDP server: Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Security \ Always prompt for password upon connection.

Impact:
Prompt for credentials (contains auth token in username field) causing APM end user confusion.

Workaround:
Apply the following iRule:

Note: With the following iRule implemented, users running RDP client v8 for macOS may see an empty credentials prompt when launching APM native RDP resources.

when HTTP_RESPONSE_RELEASE {
    catch {
        set locationUri [HTTP::header Location]
        if { [HTTP::status] == 302 && $locationUri starts_with "rdp://" &&
                $locationUri contains "username=s:f5_apm"} {
            HTTP::header Location \
                [string map {"username=s:f5_apm" "gatewayaccesstoken=s:"} $locationUri]
        }
    }
}

Fix:
Remote Desktop client on macOS does not show resource auth token on credentials prompt.


788325-2 : Header continuation rule is applied to request/response line

Solution Article: K39794285

Component: Local Traffic Manager

Symptoms:
When a browser communicates with a server over HTTP, it can split a long header into several lines, prepending continuation lines with leading whitespace symbols. This rule does not apply to request or response line, so having leading whitespace in a first header line is invalid. The BIG-IP system parses such line a header with empty value.

Conditions:
A virtual server is configured on the BIG-IP system with HTTP profile.

Impact:
The BIG-IP system can hide some important HTTP headers either passing those to the pool member or failing to properly handle the request (or response) or failing to correctly load balance a connection (or request in case of OneConnect profile).

Workaround:
None.

Fix:
Now, when the BIG-IP system receives an invalid request or response with leading whitespace in first header line, it properly parses the header and handles it correctly.


788301-5 : SNMPv3 Hardening

Solution Article: K58243048

Component: TMOS

Symptoms:
SNMPv3 agents do not follow current best practices.

Conditions:
SNMPv3 agents enabled.

Impact:
SNMPv3 agents do not follow current best practices.

Fix:
SNMPv3 features now follow current best practices.


788269-3 : Adding toggle to disable AVR widgets on device-groups

Component: Application Visibility and Reporting

Symptoms:
Devices on device-group get into state of not-synced when AVR-related widgets are created or modified.

It occurs more frequently when manual config sync is enabled.

It can also occur when visiting a widgets page for the first time that automatically creates default widgets on the first page visit, such as Security :: Overview : Application : Traffic. This can make it appear that a 'read-only' user visiting the page has triggered the need for a config sync.

Conditions:
-- Two or more devices are in a device-group.
-- AVR-related widgets are created or modified.

Impact:
Devices go into a non-synced state.

Workaround:
None.

Fix:
A DB-variable called avr.gui.widgets.sync has been added to disable widgets syncing. Possible values are 'disable' or 'enable', it is enabled by default.

Behavior Change:
This release adds a DB-variable, avr.gui.widgets.sync, to disable widget syncing. Possible values are 'disable' or 'enable'. It is enabled by default.


788033 : tpm-status may return "Invalid" after engineering hotfix installation

Component: TMOS

Symptoms:
When installing certain engineering hotfixes, tpm-status may return "System Integrity: Invalid".

Conditions:
Engineering hotfix installed.

Impact:
System integrity check fails.

Workaround:
None.

Fix:
System integrity check now works as expected on system with engineering hotfixes installed.


787845 : Tmsh command 'show running-config' fails when Protocol Inspection is not licensed.

Component: Protocol Inspection

Symptoms:
If the Protocol Inspection feature is not licensed then tmsh command 'show running-config' fails with 'Protocol Inspection feature not licensed.' message.

Conditions:
- AFM Protocol Inspection feature is not licensed.

Impact:
'tmsh show running-config' command returns an error: 'Protocol Inspection feature not licensed.'

Workaround:
None.

Fix:
'tmsh show running-config' command works as expected.


787825-2 : Database monitors debug logs have plaintext password printed in the log file

Solution Article: K58243048

Component: Local Traffic Manager

Symptoms:
When monitor instance is in "debug" logging enabled mode for certain monitor types, the resulting monitor instance logs may contain sensitive details like password

Conditions:
When debug mode is enabled for following monitoring types
1. mssql
2. mysql
3. oracle
4. postgresql

Impact:
The user-account password configured in the health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors/.

Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected monitor types. 2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes , remove the resulting log files from the BIG-IP system after troubleshooting is completed.

Fix:
The password filed for monitor will now be redacted by external monitors when monitor debugging is enabled.


787677-3 : AVRD stays at 100% CPU constantly on some systems

Component: Application Visibility and Reporting

Symptoms:
One thread of the avrd process spontaneously starts to consume 100% CPU.

Conditions:
The exact conditions under which this occurs are unknown, but might occur only on vCMP configurations.

Impact:
System performance degrades.

Workaround:
Restart TMM:
bigstart restart tmm

Fix:
Added processing that prevents AVRD from entering endless loops.


787477-2 : Export fails from partitions with '-' as second character

Component: Access Policy Manager

Symptoms:
Attempting to export a profile/policy from partition using the hyphen/dash (-) as the second character results in error message:
'Incorrect arguments: <partition> is not specified' error.

Conditions:
Partition with '-' as second character in the name.

Impact:
Unable to export policy from given partition

Workaround:
Rename partition without '-' as the second character.

Fix:
Export is working as expected in this scenario.


787433-3 : SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed

Component: Local Traffic Manager

Symptoms:
When stapling the OCSP response (and hence OCSP certificate) to the SSL client, the issuer that appears on the OCSP certificate mismatches with what is configured in the client SSL profile as the forward proxy CA cert.

Conditions:
The issue is seen when all the below conditions are met.
-- The BIG-IP system is using SSLO or SSL forward proxy.
-- The client hello sent from the SSL client includes the status request extension. This means that it requests BIG-IP system to staple the OCSP response.
-- The forward proxy CA cert in the client SSL profile is modified.

Impact:
In SSLO or SSL forward proxy mode, the server cert and the OCSP response the BIG-IP system sends to the SSL client should be both signed (issued) by the forward proxy CA cert configured at the client SSL profile. If they are signed by different issuers, it may not pass some of the validation check performed by the SSL client and might lead to SSL client's terminating the SSL handshake.

Workaround:
To updates and regenerates the OCSP signer information, after modifying the forward proxy CA cert, run the command:
bigstart restart tmm

Fix:
The issuer appearing on the OCSP response always matches the forward proxy CA cert configured at the client SSL profile.


786913-2 : Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7

Component: Application Security Manager

Symptoms:
Upgrade fails when upgrading from 13.0.x or under if the config includes an LTM Policy (CPM) which modifies a DoS Application Profile.

Conditions:
-- LTM Policy is configured to specify a DoSL7 profile name.
-- Upgrade is from version 13.0.x or earlier.

Impact:
Upgrade failure.

Workaround:
1. Manually edit the /config/bigip.conf file, and place all of the 'security dos profile' objects before any 'ltm policy' objects.
2. Load the config.

Fix:
Upgrade no longer fails when using an LTM Policy which specifies a DoSL7 profile name.


786565-2 : MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded

Component: Service Provider

Symptoms:
When a message is created using the GENERICMESSAGE::message create iRule command during the CLIENT_DATA event, if the TCP payload buffer is not cleared before the event completes, the data in the payload buffer is forwarded to the generic message filter disrupting its statemachine.

Conditions:
-- A message is created using GENERICMESSAGE::message create iRule command during CLIENT_DATA event.
-- TCP payload buffer is not cleared before the event completes.

Impact:
The data in the payload buffer is forwarded to the generic message filter disrupting its statemachine. Subsequent messages are not forwarded.

Workaround:
To fix the problem, add the following to CLIENT_DATA:
TCP::payload replace 0 [TCP::payload length] ""

Fix:
Data left in the TCP payload buffer is now ignored and does not negatively impact the filter.


786173-1 : UI becomes unresponsive when accessing Access active session information

Component: Access Policy Manager

Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.

Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- If Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.

Impact:
Some session variables may be lost, which results in the GUI becoming unresponsive. The Access :: Overview :: Active Sessions page in the Admin UI becomes unusable.

Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.

Fix:
The solution for the reported issue is handled by the fix provided for ID 783817. ID 786173 fixes a null pointer exception that might occur in the specific case of a certain missing session variable, which is relevant only in BIG-IP releases 14.1.0 or later.


785741-1 : Unable to login using LDAP with 'user-template' configuration

Component: TMOS

Symptoms:
Unable to login as remote-user.

Conditions:
When the following are true:
-- LDAP remote-auth configured with user-template.
-- Remote-user configured to permit login.

Impact:
Unable to login with remote-user.

Workaround:
Use bind-dn for authentication.


784989-2 : TMM may crash with panic message: Assertion 'cookie name exists' failed

Component: Access Policy Manager

Symptoms:
TMM crashes with SIGFPE panic

panic: ../modules/hudfilter/http/http_cookie.c:489: Assertion 'cookie name exists' failed.

Conditions:
-- Virtual server with remote desktop or VDI profile attached.
-- VDI logging level is set to Debug.
-- iRule that modifies/reads HTTP cookies.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Increase the log-level for VDI from 'Debug' to a higher level.

Fix:
Fixed TMM crash, which occurred when remotedesktop/VDI profile was used together with custom iRule and Debug level logging.


784713-3 : When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct

Component: Local Traffic Manager

Symptoms:
When SSL forward proxy is configured, or for SSLO, if OCSP or CRL is set on the serverside, the certificate that signs the OCSP response on the clientside does not have the correct Authority Key Identifier (AKID).

Conditions:
Configure SSL forward proxy or enable SSLO and enable OCSP or CRL on serverside/server SSL profiles.

Impact:
Incorrect AKID X509 extension for the OCSP signer certificate on the clientside. Depending on browsers/clients, this may result in the browsers/clients to not be able to use the stapled OCSP response.

Workaround:
None.

Fix:
After the fix, the OCSP signer certificate has the correct AKID X509 extension.


783849-2 : DNSSEC Key Generations are not imported to secondary FIPS card

Component: Global Traffic Manager (DNS)

Symptoms:
When new DNSSEC Key Generations are generated by FIPS card, the Generation is not imported to secondary FIPS card.

Conditions:
BIG-IP has a GTM sync group with FIPS cards in sync. New DNSSEC Key Generation is created.

Impact:
New DNSSEC Key Generation is not imported to secondary FIPS card, but the generation is synced within GTM sync group.

Workaround:
N/A

Fix:
DNSSEC Key Generation is not imported to secondary FIPS card over creation


783817-2 : UI becomes unresponsive when accessing Access active session information

Component: Access Policy Manager

Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.

The following error messages shows up in TMM log:

-- notice mcp error: 0x1020002 at ../mcp/db_access.c:831
-- notice mcp error: 0x1020031 at ../mcp/mcp_config.c:588

Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- If Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.

Impact:
Some session variables may be lost, which results in UI hang. Admin UI becomes unusable.

Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.


783565-2 : Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP

Component: Fraud Protection Services

Symptoms:
Upgrade support for DB variable to attach AJAX payload to vToken cookie sets 'send in alerts' flag configured on parameters without checking whether automatic transaction detection is turned on on the URL.

Conditions:
-- BIG-IP version 13.1.x or 14.0.x
-- A protected URL is configured with automatic transaction detection turned off.
-- A parameter on that URL is configured with all flags turned off.
-- The DB variable antifraud.internalconfig.flag1 is set to 'enabled' value.
-- Upgrade to 13.1.x or later (with load config) started.

Impact:
After upgrade, the configuration fails to load due to an error during schema change validation

Workaround:
-- Set the DB variable antifraud.internalconfig.flag1 value to 'disabled' before the upgrade.
-- Configure 'send in alerts' flag on the parameters manually.

Fix:
Now upgrade support takes into consideration the automatic transaction detection flag on URL and sets 'send in alerts' flag on URL parameters only for URLs with automatic transaction detection turned on.


783513-2 : ASU is very slow on device with hundreds of policies due to logging profile handling

Component: Application Security Manager

Symptoms:
Signature Update (ASU) is very slow on devices with hundreds of policies due to logging profile handling.

Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- The BIG-IP is configured for logging profile handling.

Impact:
The ASU process takes hours to complete.

Workaround:
None.


782569-1 : SWG limited session limits on SSLO deployments

Component: Access Policy Manager

Symptoms:
SWG limited session limits are enforced on SSLO deployments that enable Explicit proxy authentication.

Conditions:
-- SSLO with Explicit proxy authentication is deployed.
-- Many concurrent SSLO connections that use custom category lookup (beyond the SWG limited session limit).

Impact:
SSLO fails to connect when the SWG limited session limit is reached.

Workaround:
None.

Fix:
If there is an SSLO profile paired with either an APM or SSLO per-request policy on a virtual server, and the operation has done a custom category only lookup, an SWG limited license is no longer consumed. This answers the case where there is auth (APM) on one virtual server, and the transparent virtual server is SSLO with custom category lookup only.


782529-2 : iRules does not follow current design best practices

Component: Local Traffic Manager

Symptoms:
iRules does not follow current design best practices.

Conditions:
iRules does not follow current design best practices.

Impact:
iRules does not follow current design best practices.

Workaround:
None.

Fix:
iRules now follows current design best practices.

Behavior Change:
Database variable 'tmm.tcl.rule.connect.allow_loopback_addresses' was created to toggle whether or not to allow loopback addresses; TRUE will restore previous behavior and enable loopback connections.

Default value is FALSE.


781637-2 : ASM brute force counts unnecessary failed logins for NTLM

Component: Application Security Manager

Symptoms:
False positive brute force violation raised and login request is blocked

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM Brute force protection enabled for NTLM login type

Impact:
login request blocked by asm policy

Workaround:
Define higher thresholds in brute force protection settings

Fix:
asm code has been fixed and do not count unnecessary failed logins for NTLM


781605-3 : Fix RFC issue with the multipart parser

Component: Application Security Manager

Symptoms:
false positive or false negative attack signature match on multipart payload.

Conditions:
very specific parsing issue.

Impact:
A parameter specific excluded signature may be matched or un-matched.

Workaround:
N/A

Fix:
Multi part parser issue was fixed.


781581-3 : Monpd uses excessive memory on requests for network_log data

Component: Application Visibility and Reporting

Symptoms:
Monpd allocates excessive memory on multi-blade devices, and in some cases the kernel may kill monpd. The following log signature may be encountered in /var/log/kern.log:

err kernel: : [1537424.588160] Out of memory: Kill process 28371 (monpd) score 117 or sacrifice child

Conditions:
This can occur in a multi-blade BIG-IP environment when you are displaying pages that query for network_log data, for example Bot Defense requests in the event log, or realtime AVR data.

Impact:
Large fluctuations in host memory usage, occasionally leading to OOM events.

Workaround:
None.

Fix:
A db variable has been added: avr.eventlogsreportrownumber, which controls the number of logs displayed. The db variable default is 10000, and supports a range from 100 through 1000000.

Note: Using the maximum value may trigger the behavior described here. The system behavior depends on the specific machine hardware.


781449-2 : Increase efficiency of sPVA DoS protection on wildcard virtual servers

Solution Article: K14703097


781445-1 : named or dnscached cannot bind to IPv6 address

Component: Access Policy Manager

Symptoms:
In some scenarios, the named process cannot bind to IPv6 addresses. This occurs because the dnscached process listens to the wildcard IPv6 address port 53 (i.e., :::53) so it cannot respond to queries sent to IPv6 addresses.

Following message is reported in ltm log:

err named[16593]: binding TCP socket: address in use.

Conditions:
-- The named and dnscached processes are not running.
-- The dnscached process is started first.
-- The named process is started later.

Impact:
The named process does not respond to the queries that are sent to IPv6 addresses at port 53.

Workaround:
1) Stop both named and dnscached process.
2) Edit the startup script for dnscached to start in IPv4-only mode.
   2a) On BIG-IP system, open the file /etc/bigstart/startup/dnscached.
   2b) Add "-4" to the command line option of dnscached.
3) Restart the processes:
bigstart restart named dnscached

Fix:
The dnscached startup script has been modified to start in IPv4-only mode, so it does not listen on any IPv6 address.


781377-2 : tmrouted may crash while processing Multicast Forwarding Cache messages

Component: TMOS

Symptoms:
Under certain conditions, tmrouted may crash while processing Multicast Forwarding Cache (MFC) messages.

Conditions:
tmrouted processing MFC messages.

Impact:
tmrouted crash, leading to a failover event.

Workaround:
None.

Fix:
tmrouted now processes MFC messages as expected.


781069-2 : Bot Defense challenge blocks requests with long Referer headers

Component: Application Security Manager

Symptoms:
The Bot Defense challenge may block the client if the Referer header is between about 1400 characters and 3072 characters long.
This client may get blocked by TCP RST, or suffer from a challenge loop.

Conditions:
-- Bot Defense with Verify before Access, or Proactive Bot Defense are configured
-- Request has a Referer header that is between ~1400 and 3072 characters long

Impact:
Legitimate browsers may get blocked or suffer from a challenge loop

Workaround:
Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.

Fix:
Challenges with long Referer headers no longer block legitimate clients.


781021-2 : ASM modifies cookie header causing it to be non-compliant with RFC6265

Component: Application Security Manager

Symptoms:
When ASM strips the cookie header from the ASM cookies, it leaves the cookie header in a way that is not compliant with RFC6265 on two aspects:
1. No space after the semicolon
2. A cookie with no value is sent without the equals sign

Conditions:
-- ASM Security Policy is used
-- Request includes an ASM cookie

Impact:
Some web servers may refuse to handle non-compliant Cookie headers, causing the application flow to break.

Workaround:
Disable the cookie stripping by modifying the DB variable as follows:
tmsh modify sys db asm.strip_asm_cookies value false

Fix:
ASM now strips the ASM cookies from the request in a way that is compliant with RFC6265.


780837-1 : Firewall rule list configuration causes config load failure

Component: Advanced Firewall Manager

Symptoms:
'tmsh load sys config' reports a syntax error.

The syntax error is reported on 'security firewall rule-list rule' configuration.

Conditions:
This occurs only if any of the rule-list rule ip-protocol contains one of the following protocols:

Note: You can see the mismatched protocol names in the /etc/protocols listing file (column 1 and column 3 differ):

bbn-rcc 10 BBN-RCC-MON # BBN RCC Monitoring
nvp 11 NVP-II # Network Voice Protocol
dcn 19 DCN-MEAS # DCN Measurement Subsystems
ospf 89 OSPFIGP # Open Shortest Path First IGP
crdup 127 CRUDP # Combat Radio User Datagram

Impact:
The system fails to load the configuration.

Workaround:
Manually edit the configuration file: /config/bigip_base.conf

1. Replace the ip-protocol name from rule-list configuration:

-- Change BBN-RCC-MON to bbn-rcc.
-- Change NVP-II to nvp.
-- Change DCN-MEAS to dcn.
-- Change OSPFIGP to ospf.
-- Change CRUDP to crudp.

2. Save the file.
3. Issue the command:
 tmsh load sys config.

The configuration now loads without syntax errors.


780817-5 : TMM can crash on certain vCMP hosts after modifications to VLANs and guests.

Component: TMOS

Symptoms:
TMM crashes and produces a core file. TMM logs show the crash was of type SIGFPE, with the following panic message:

notice panic: ../base/vcmp.c:608: Assertion "guest has vlan ref" failed.

Conditions:
-- The vCMP host is a platform with more than one tmm process per blade or appliance.

  + VIPRION B4300, B4340, and B44xx blades.
  + BIG-IP iSeries i15x00 platforms

-- A VLAN is assigned to a vCMP guest.
-- The TAG of the VLAN is modified.
-- The VLAN is removed from the vCMP guest.

Impact:
While TMM crashes and restarts on the host, traffic is disrupted on all the guests running on that system.

Guests part of a redundant pair may fail over.

Workaround:
None.

Fix:
TMM no longer crashes on certain vCMP hosts after modifications to VLANs and guests.


779177-2 : Apmd logs "client-session-id" when access-policy debug log level is enabled

Component: Access Policy Manager

Symptoms:
Apmd logs the "client-session-id" when access-policy debug log level is enabled.

Conditions:
-- APM is provisioned and licensed.
-- Per-session policy is attached to virtual server.
-- Access-policy log level set to Debug.

Impact:
Client session ID is available in debug log files and may be visible to authenticated administrators

Workaround:
None.

Fix:
Apmd now no longer logs the client-session-id when access-policy debug log level is enabled.


778681-2 : Factory-included Bot Signature update file cannot be installed without subscription

Component: Application Security Manager

Symptoms:
After upgrade, the factory-included Bot Signature update file cannot be installed without subscription, even if it is already installed.

Conditions:
Device is upgraded to 14.1.0 from previous version, and does not have a Bot Signatures subscription.

Impact:
The factory-included Bot Signature update file cannot be installed.


778125-1 : LDAP remote authentication passwords are limited to fewer than 64 bytes

Component: TMOS

Symptoms:
The LDAP remote authentication password is limited to fewer than 64 bytes.

Conditions:
Configured for remote authentication with a password is longer than or equal to 64 bytes.

Impact:
Unable to login as remote-user with long password.

Workaround:
Set password that is shorter than 64 bytes.


778077-3 : Virtual to virtual chain can cause TMM to crash

Component: Local Traffic Manager

Symptoms:
when using a virtual to virtual chain using the virtual irule command a specific packet might core tmm.

Conditions:
a virtual to virtual chain using the virtual irule command

Impact:
TMM crash leading to a failover event.

Workaround:
none

Fix:
TMM now processes virtual to virtual chains as expected


777937-3 : AWS ENA: packet drops due to bad checksum

Component: Performance

Symptoms:
-- Lower throughput and tps.
-- High availability (HA) heartbeat is getting dropped, resulting in an active-active configuration.

Conditions:
AWS Elastic Network Adapter (ENA) NIC is in use.

Impact:
Performance degradation and invalid HA configuration.

Workaround:
On the BIG-IP system, turn off checksum offloading in on TX as follows:

modify sys db tm.tcpudptxchecksum value Software-only

Important: This workaround negatively affects NICs other than ENA. Therefore, the workaround is recommended exclusively when ENA is the only dataplane NICs in use in the BIG-IP system.

Fix:
AWS ENA: no packet drops due to bad checksum.


777737-3 : TMM may consume excessive resources when processing IP traffic

Solution Article: K39225055


777261-4 : When SNMP cannot locate a file it logs messages repeatedly

Component: TMOS

Symptoms:
When the SNMP daemon experiences an error when it attempts to statfs a file then it logs an error message. If the file is not present then this error is repeatedly logged and can fill up the log file.

Conditions:
When an SNMP request causes the daemon to query a file on disk it is possible that a system error occurs. If the file is not present then the error is logged repeatedly.

Impact:
This can fill up the log with errors.

Fix:
The SNMP daemon has been fixed to log this error once.


777173-2 : Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error

Component: Access Policy Manager

Symptoms:
When administrator runs Citrix vdi iApp in APM standalone deployment (LTM is not licensed), iApp fails with the following error:
01070356:3: HTTP header transformation feature not licensed

This is result of a license check added for HTTP header transformation.

Conditions:
- APM is licensed as stand alone (no LTM license)
- Admin tries to run Citrix vdi iApp

Impact:
Administrator is not able to use the iApp to configure Citrix vdi access

Workaround:
Adding LTM module license will resolve the error.

Fix:
Citrix vdi iApp now can be used to configure Citrix vdi access in an APM standalone deployment.


776133-1 : RSS hash is not used on VE resulting in performance impact on non-SR-IOV devices

Component: Performance

Symptoms:
RSS hash is not used on BIG-IP Virtual Edition (VE).

You can run the following command to see the 'n' (no) for RSS results:

tmctl -d blade -i tmm/ndal_dev_status

Example:
iface device pci if_up link_up rcso lro sw_lro lro_no_md rvho rss tcso tso
1.1 vmxnet3 11:0.0 n n y:n y:n n y y:n n y:y y

Conditions:
This is encountered on BIG-IP VE.

Impact:
Performance degradation on non-SR-IOV devices.

Workaround:
None.


776073-1 : OOM killer killing tmmin system low memory condition as process OOM score is high

Component: TMOS

Symptoms:
When BIG-IP system running under low memory situation, Out-Of-Memory killer more likely selects tmm to kill and release the resources.

Conditions:
BIG-IP version 13.0.x or later installed and system running with low memory.
AFM provisioned makes the tmm process more likely to be selected by the oom killer

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Adjust OOM score of "tmm" process through oom_score_adj proc setting.

echo "-500" > /proc/<pid_of_tmm>/oom_score_adj

Fix:
OOM score for "tmm" process is adjusted such that OOM killer will not prioritize "tmm" during system low memory condition.


775621-2 : urldb memory grows past the expected ~3.5GB

Component: Access Policy Manager

Symptoms:
When using the categorization engine (urldb), memory may increase when real-time update databases are downloaded (once every ten minutes, as available).

Conditions:
-- SWG provisioned.
-- Using urldb.
-- Real-time database updates occurring.

Impact:
Memory increases, and if there is not enough room on the BIG-IP system, urldb can core.

Workaround:
None.

Fix:
The system no longer preloads the database into memory, so memory no longer grows past what is expected.


775013-2 : TIME EXCEEDED alert has insufficient data for analysis

Component: Fraud Protection Services

Symptoms:
The time-exceeded alert does not include sufficient alert details to troubleshoot the process. It is difficult to determine whether or not the alert is valid, or how long past the request time the alert occurred.

Conditions:
Viewing alert logs for time-exceeded messages.

Impact:
Makes troubleshooting and/or analysis difficult.

Workaround:
None.

Fix:
All encryption failures alert now provides additional details to assist in troubleshooting the process.


774941-1 : GUI misspelling in Bot Defense logging profile

Component: Application Security Manager

Symptoms:
There is a misspelling in the logging profile for Bot Defense: Log Requests by Classificaiton.

Conditions:
Go to Security :: Event Logs : Logging Profiles :: Logging Profile :: Bot Defense :: Request Log.

Impact:
GUI shows misspelled word. There is no functional impact to this issue.

Workaround:
None needed. This is a cosmetic issue only.

Fix:
The text has been corrected: Log Requests by Classification.


774913-1 : IP-based bypass can fail if SSL ClientHello is not accepted

Component: Local Traffic Manager

Symptoms:
IP-based bypass can fail for SSL stream if the client sends a ClientHello that is not accepted by the BIP-IP system.

Conditions:
Client's SSL ClientHello message is not accepted by the BIG-IP system.

Impact:
Connection drop.

Workaround:
None.

Fix:
Check SSL bypass policy before parsing ClientHello message.


774881 : Protocol Inspection profiles can be added to a virtual server without Protocol Inspection being licensed.

Component: Protocol Inspection

Symptoms:
Protocol Inspection profiles can be added to a virtual server but are not applied to traffic.

To add a Protocol Inspection profile now it is required to have an AFM standalone license or to have an add-on AFM license, which includes Protocol Inspection module. Otherwise a error message is shown.

Conditions:
-- AFM is licensed as an add-on module without Protocol Inspection feature.

-- Protocol Inspection profile is configured and added to a virtual server or referenced in a firewall rule.

Impact:
It might appear that the configured Protocol Inspection profile attached to a virtual server or referenced in a firewall rule should work, but in fact, it is not applied to the actual traffic.

Workaround:
None.

Fix:
An error message is shown when trying to apply a Protocol Inspection profile to a virtual server or to a firewall rule having no Protocol Inspection license.


774633-2 : Memory leak in tmm when session db variables are not cleaned up

Component: Access Policy Manager

Symptoms:
There are some session db variables created as part of the split session proxy that have an indefinite timeout. If there is an error path or a failure with an inline service, the delete never gets called and these session keys build up over time, causing memory to leak in tmm.

Conditions:
SSLO setup with a service connector that fails.

Impact:
tmm eventually runs out of memory and generates a core file.

Workaround:
None.

Fix:
Variables have been set with a timeout so that they don't leak memory if the inline service fails.


774445-1 : BIG-IP VE does not pass traffic on ESXi 6.7 Update 2

Solution Article: K74921042

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.7 Update 2 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).

Conditions:
-- BIG-IP VE running on VMware ESXi 6.7 Update 2 (build number 13006603) hypervisor.
-- VMXNET 3 NICs.

Impact:
Traffic does not pass through non-mgmt interfaces.

Workaround:
You can use the following workarounds:

-- Until this issue is fixed in a Point-Release for your software branch, you can contact F5 Networks Technical Support to obtain an Engineering Hotfix to address the issue. This workaround allows TMM to continue to use the VMXNET3 driver, which is preferable.

-- On BIG-IP version 14.1.0, you can switch to the 'sock' driver.

-- On BIG-IP versions earlier than 14.1.0, you can switch to the 'unic' driver.

Note: The workarounds that switch driver must be applied individually to devices, as they do not synchronize via ConfigSync.

To switch driver:

1. Add a line to /config/tmm_init.tcl that reads 'device driver vendor_dev 15ad:07b0 DRIVER' (replacing DRIVER with 'unic' or 'sock', as appropriate). For example:

    echo "device driver vendor_dev 15ad:07b0 sock" >> /config/tmm_init.tcl

2. Restart tmm for the changes to take effect (restarting tmm disrupts traffic):

    bigstart restart tmm

3. After tmm restarts, confirm the driver in use by examining the output of:

    tmctl -d blade tmm/device_probed

Fix:
BIG-IP VE now passes traffic on ESXi 6.7 Update 2.


774213-1 : SWG session limits on SSLO deployments

Component: Access Policy Manager

Symptoms:
SWG session limits are enforced on SSLO deployments that enable Explicit proxy authentication.

Conditions:
-- SSLO with Explicit proxy authentication is deployed.
-- Many concurrent SSLO connections (beyond the SWG session limit).

Impact:
SSLO fails to connect when the SWG session limit is reached.

Workaround:
None.

Fix:
If there is an SSLO profile paired with either an APM or SSLO per-request policy on a virtual server, and the operation has done a hostname only lookup, an SWG license is no longer consumed. This answers the case where there is auth (APM) on one virtual server, and the transparent virtual server is SSLO with hostname Category Lookup only.


773925-2 : Sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB tables files

Component: Application Visibility and Reporting

Symptoms:
For unknown reasons, sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB table files. MySQL starts reporting error 24 in its error log:

190228 8:21:17 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_FW_NAT_TRANS_DEST_H.frm' (errno: 24)
190228 8:45:36 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_ASM_NETWORK_T.frm' (errno: 24)
190228 9:12:22 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_ASM_NETWORK_T.frm' (errno: 24)

Conditions:
-- Statistics are collected locally on the BIG-IP system (that is, the BIG-IP system is not associated with a BIG-IQ device).
-- There is a considerable amount of traffic.

Impact:
Statistic reports stop working. In some cases DB becomes corrupted.

Workaround:
In /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter from 2500 to 5000.
2. Add the following parameter (right after 'open_files_limit'):
   table_open_cache=2000
3. Restart MySQL:
   bigstart restart mysql

Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.

Fix:
Embed MariaDB configuration change into the standard BIG-IP versions.


773821-1 : Certain plaintext traffic may cause SSLO to hang

Component: Local Traffic Manager

Symptoms:
SSLO relies on SSL hudfilter to detect non-SSL traffic; but certain plaintext can be mistaken as SSL traffic, which can cause a hang.

Conditions:
Initial plaintext traffic resembles SSLv2 hello message or has less than enough bytes for SSL to process.

Impact:
SSLO hangs, unable to bypass traffic.

Workaround:
None.

Fix:
Improve SSL hello parser.


773677-1 : BIG-IP 14.1.0 system-journald write to /run/log/journal cause SWAP usage increase

Solution Article: K72255850

Component: TMOS

Symptoms:
The system-journald process writes to temporary storage /run/log/journal when storage mode is set to 'auto'. The persistent directory /var/log/journal that controls where the log goes (temporary or persistent memory) is usually created during BIG-IP system reboot. In some cases, /var/log/journal is not created. In the absence of this, system-journald writes to temporary storage /run/log/journal.

Conditions:
BIG-IP upgraded from versions prior to v14.1.0 to version 14.1.0 or later.

Impact:
As it writes to temporary memory, system SWAP memory usage increases, impacting overall system performance and may result in the kernel out-of-memory killer running and killing system processes.

Workaround:
Perform these steps while running the upgraded 14.1.x system.

1. Create system-journald persistent log directory manually:

mkdir /var/log/journal
chown root:systemd-journal /var/log/journal
chmod 2755 /var/log/journal
chcon system_u:object_r:var_log_t:s0 /var/log/journal

2. Reboot the system.

Fix:
The system-journald persistent directory is always created during reboot or when the system-journald storage option is set to 'persistent'.


773673-2 : HTTP/2 Vulnerability: CVE-2019-9512

Solution Article: K98053339


773653-6 : APM Client Logging

Solution Article: K23876153


773649-6 : APM Client Logging

Solution Article: K23876153


773641-6 : APM Client Logging

Solution Article: K23876153


773637-6 : APM Client Logging

Solution Article: K23876153


773633-6 : APM Client Logging

Solution Article: K23876153


773621-6 : APM Client Logging

Solution Article: K23876153


773553-2 : ASM JSON parser false positive.

Component: Application Security Manager

Symptoms:
False positive JSON malformed violation.

Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.

Impact:
HTTP request is blocked or an alarm is raised.

Workaround:
There is no workaround other than disabling the JSON profile.

Fix:
JSON parser has been fixed as per RFC8259.


773421-1 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied

Component: Local Traffic Manager

Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.

Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).

-- OneConnect is applied.

-- proxy-mss is enabled (the default value starting in v12.0.0).

Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.

Workaround:
Disable proxy-mss in the configured TCP profile.

Fix:
OneConnect prevents sending ICMP fragmentation needed messages to servers.


772545-3 : Tmm core in SSLO environment

Component: Local Traffic Manager

Symptoms:
Unexpected SSL events can occur in SSLO configuration, possibly resulting in tmm core.

Conditions:
SSLO environment which can cause serverside ssl to become enabled during clientside handshake causing unexpected events.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Enabling SSL forward proxy verified-handshake setting available in 14.0.


772473-3 : Request reconstruct issue after challenge

Component: Application Security Manager

Symptoms:
False positive on Content-Type header in GET request.

Conditions:
After challenge is completed, the server responds to the reconstructed request with a 302-redirect.

Impact:
The BIG-IP adds to the next request (GET request) a Content-Type header.

Workaround:
There is no workaround at this time.

Fix:
The BIG-IP no longer reconstructs the next request after a redirect.


771873-5 : TMSH Hardening

Solution Article: K40378764


771705-1 : You may not be able to log into BIG-IP Cloud Edition if FSCK fails

Component: TMOS

Symptoms:
During BIG-IP Cloud Edition bootup, if FSCK fails and requires manual intervention to recover, you may not be able to proceed. This occurs because login requires the password for root, which is not typically set.

Conditions:
-- BIG-IP Cloud Edition.
-- FSCK failure on bootup requires manual intervention to recover.

Impact:
Cannot log in to BIG-IP Cloud Edition.

Important: There is no way to recover if the FSCK failure has already occurred. You must begin the BIG-IP Cloud Edition configuration again. You should implement the Workaround to prevent the issue from occurring.

Workaround:
To prevent the issue from occurring, run the following command for every filesystem:
tune2fs -i 0 <file system>


Following is a list of file systems (replace '1' with the relevant slot number if the active slot is not 1):

/dev/vg-db-vda/set.1.root
/dev/mapper/vg--db--vda-set.1._var
/dev/mapper/vg--db--vda-set.1._usr
/dev/mapper/vg--db--vda-set.1._config
/dev/mapper/vg--db--vda-dat.share
/dev/mapper/vg--db--vda-dat.log
/dev/mapper/vg--db--vda-dat.appdata

Fix:
FSCK is disabled BIG-IP Virtual Edition (VE) for both cloud and hypervisor configurations, so this issue no longer occurs.

Note: Disabling FSCK in virtual machines is considered standard operating procedure. In BIG-IP VE, FSCK is disabled upon the image creation and during live install of the full ISO. It is disabled for all file systems on all slots (boot locations). Although it is not recommended, you can manually reenable FSCK in Linux, in particular, using tune2fs to set the FSCK schedule, and updating /etc/fstab to allow it.

Behavior Change:
FSCK is now disabled in BIG-IP Virtual Edition (VE) for both cloud and hypervisor, preventing failure during bootup. FSCK disablement also persists during a downgrade. F5 Networks does not recommend reenabling FSCK. However, you can reenable it in Linux by updating /etc/fstab, so you can use tune2fs to set the FSCK schedule.


771025-3 : AVR send domain names as an aggregate

Component: Application Visibility and Reporting

Symptoms:
AVR sends domain name as an aggregate of a number of domain names.

Conditions:
-- AVR receives more than the number of domain names it can handle.
-- After AVR gets DNS calls with different domain name, it no longer clears the domain name.
-- When AVR receives the maximum number of total domain names, it start to aggregate all the new domain names.

Impact:
Cannot see the correct domain name.

Workaround:
None.

Fix:
AVR now removes old domain names, so it can add new ones and send the actual domain names it collected.


770953 : 'smbclient' executable does not work

Component: TMOS

Symptoms:
Service Message Block (SMB) monitor is not functional.

Conditions:
This occurs under all conditions.

Impact:
SMB monitors fail. This occurs because the 'smbclient' executable is not functional.

Workaround:
None.

Fix:
'smbclient' executable is runnable and SMB monitoring is working.


770797-1 : HTTP2 streams may get stuck in rare situations

Component: Local Traffic Manager

Symptoms:
If HTTP2 is used in a 'gateway' configuration on a virtual server, without the use of an MRF http_router profile, HTTP connections are used to connect to the back-end servers.

The HTTP connections are pooled, and may be reused between streams. In rare situations, an HTTP connection is reused whilst it is in the process of shutting down. This may cause the corresponding HTTP2 stream to get into an unexpected state, and get 'stuck'.

The stuck streams persist until the client closes the HTTP2 connection. If a client keeps opening new streams on the affected connection, it may eventually run out of the total allowed streams limited by the HTTP2 profile. The client may then deadlock, waiting for streams to close.

Conditions:
An HTTP2 profile is used on a virtual server without an MRF http_router profile.

Impact:
The impact depends on client behavior. Some clients will open new connections for stuck streams, so the impact will be minimal. Others will show loss of performance or hang waiting for resources that will never be delivered.

Workaround:
None.

Fix:
HTTP2 streams no longer get stuck in rare situations.


770557-3 : Per-Session RADIUS Acct STOP message is forged based on pool route domain, but is sent through default one

Component: Access Policy Manager

Symptoms:
The per-Session RADIUS Acct STOP message is forged based on the pool route domain, but is sent through the default one.

Conditions:
1. Deploy the BIG-IP system with two route domains
2. Under each route domains you have a path to the RADIUS server.
3. Create Access Policy with a Logon Page, RADIUS Acct agent fallback-to-Deny ending.
4. Attach it to the virtual server.
5. Run tcpdump -i any port 1813 -ne on the BIG-IP system.
5. Navigate to the virtual server.
6. Wait 20 seconds till STOP packets arrive.

Impact:
The BIG-IP system sends the STOP packets according to the default routing table instead of the configured route domain RADIUS server.

Workaround:
None.

Fix:
The BIG-IP system now sends the STOP packets according to the configured route domain RADIUS server.


769997-1 : ASM removes double quotation characters on cookies

Component: Application Security Manager

Symptoms:
ASM removes the double quotation characters on the cookie.

Conditions:
Cookie sent that contains double quotation marks.

Impact:
The server returns error as the cookie is changed by ASM.

Workaround:
Set asm.strip_asm_cookies to false using the following command:

tmsh modify sys db asm.strip_asm_cookies value false

Fix:
ASM no longer removes the double quotation characters on the cookie.


769981-2 : bd crashes in a specific scenario

Component: Application Security Manager

Symptoms:
bd crash with a core file.

Conditions:
-- XML profile with schema validation is attached to a security policy.

-- The bd.log shows out-of-memory messages relating to XML.

Impact:
Failover; traffic disruption.

Workaround:
Increase the memory XML uses by using the internal parameters total_xml_memory and/or additional_xml_memory_in_mb. For more information, see K10803: Customizing the amount of memory allocated to the BIG-IP ASM XML processing engine available at https://support.f5.com/csp/article/K10803


769853-2 : Access Profile option to restrict connections from a single client IP is not honored for native RDP resources

Solution Article: K24241590

Component: Access Policy Manager

Symptoms:
When launching a native RDP resource (desktop/application) from APM Webtop, APM provides an RDP file to the browser and the browser invokes the native RDP client to launch the resource with the parameters specified in the RDP file.

When Access profile option 'Restrict to Single Client IP' option is enabled, user should only be allowed to launch the resource from the client that initiated the request.

Conditions:
-- APM Webtop is configured with native RDP resource.
-- 'Restrict to Single Client IP' option is enabled in Access Profile.

Impact:
RDP file provided by APM can be used for launching the RDP resource on a client machine that did not initiate the APM session.

Workaround:
None.

Fix:
When Access Profile option 'Restrict to Single Client IP' is enabled, APM restricts native RDP resource launch from the client that initiated the APM session.


769809-4 : vCMP guests 'INOPERATIVE' after upgrade

Component: TMOS

Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests report as INOPERATIVE.

Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.

Impact:
vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.

Workaround:
None.

Fix:
The system now handles a guest unit key that has a NULL in it, so vCMP guests are no longer 'INOPERATIVE' after upgrade


769801-1 : Internal tmm UDP filter does not set checksum

Component: Local Traffic Manager

Symptoms:
An internal tmm UDP filter does not set checksum for outgoing UDP packets.

Conditions:
-- An internal tmm UDP filter is in use.

Impact:
Even though a UDP packet with no checksum is permitted, it could cause some problems with some firewalls/servers.

Workaround:
For internal tmm udp filters, add the following to the UDP profile in use:

no_cksum 0

Fix:
Internal tmm UDP filters set checksum for outgoing UDP packets.


769361-2 : TMM may crash while processing SSLO traffic

Solution Article: K33444350


769309-2 : DB monitor reconnects to server on every probe when count = 0

Component: Local Traffic Manager

Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.

Conditions:
This occurs when using one of the LTM mssql, mysql, oracle or postgresql monitor types is configured with the default 'count' value of 0 (zero).

Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.

Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.

Fix:
The LTM database monitor keeps the network connection to the monitored database server open indefinitely when configured with the default 'count' value of 0 (zero).


769281-1 : Per-request Acess Policy may show user interface pages incorrectly i nlanguages other than English

Component: Access Policy Manager

Symptoms:
If per-request Access Policy contains a user interface page (logon page, message box, etc.), this page may not be shown correctly in the browser if English is not the preferred language.

Conditions:
-- Browser with preferred language other than English.
-- Per-request Access Policy with support of this language.
-- Access Policy Agent with user interface included in the policy (logon page, message box, decision box, various forms of Rejected Ending Agent).

Impact:
The browser shows incorrect items on the response page presented to the APM end user (e.g., the page displays incorrect language strings).

Workaround:
None.

Fix:
Now, user interface pages in non-English languages are shown correctly by per-request Access Policy Agents.


769193-5 : Added support for faster congestion window increase in slow-start for stretch ACKs

Component: Local Traffic Manager

Symptoms:
When Appropriate Byte Counting is enabled (the default), TCP's congestion window increases slower in slow-start when the data receiver sends stretch ACKs.

Conditions:
-- TCP data sender receives stretch ACKs (ACKs that acknowledges more than 2*MSS bytes of data).
-- Appropriate Byte Counting (ABC) is enabled in slow-start.

Impact:
ABC limits the increase of congestion window by 2*MSS bytes per ACK. TCP's congestion window is increased slower in slow-start, which may lead to longer transfer times.

Workaround:
There is no workaround at this time.

Fix:
A new sys db (TM.TcpABCssLimit) is provided to set TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received. If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.

Behavior Change:
There is a new db variable, TM.TcpABCssLimit for specifying TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received.

Note: If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.


769061-2 : Improved details for learning suggestions to enable violation/sub-violation

Component: Application Security Manager

Symptoms:
The title for the entity in suggestions to enable violation/sub-violation is 'Match violation'/'Matched HTTP Check', though these suggestions are created when there is no match in the observed traffic.

Conditions:
There are learning suggestions to enable violations/sub-violation in the policy

Impact:
Misleading suggestion details.

Workaround:
None.

Fix:
The misleading word 'Matched' was removed from the title.


768981-2 : vCMP Hypervisor Hardening

Solution Article: K05765031


768761-2 : Improved accept action description for suggestions to disable signature/enable metacharacter in policy

Component: Application Security Manager

Symptoms:
It is difficult to understand the description for suggestions to disable signature or enable metacharacter on parameter/URL alternative action (accept for all entities).

Conditions:
There are suggestions to disable signature or enable metacharacter on parameter/URL.

Impact:
Action description can be difficult to understand.

Workaround:
None.

Fix:
'Accept for Any Entity' action has been renamed to 'Accept Globally'. The 'Charset' type is now mentioned in the action description for better understanding of the applied action.


767877-3 : TMM core with Bandwidth Control on flows egressing on a VLAN group

Component: TMOS

Symptoms:
TMM cores during operation.

Conditions:
Known condition:
1. BWC attached to serverside connflow
2. Serverside traffic traversing/egressing VLAN group

Impact:
Traffic disrupted while tmm restarts.


767653-1 : Malformed HTTP request can result in endless loop in an iRule script

Solution Article: K23860356


767401-1 : TMM may crash while processing TLS traffic

Solution Article: K95434410


767045-2 : TMM cores while applying policy

Component: Anomaly Detection Services

Symptoms:
TMM core and possible cores of other daemons.

Conditions:
The exact conditions are unknown.

Occurrences have been seen during specialized internal testing and while applying a copied and edited ASM policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


766873 : Omission of lower-layer types from sFlow packet samples

Component: TMOS

Symptoms:
The packet samples transmitted from BIG-IP to an sFlow receiver may contain only 'http' samples, with no 'vlan' or 'interface' FLOW samples appearing. sFlow will continue to transmit CNTR (counter) telemetry packets.

Conditions:
When the BIG-IP system is configured with one or more sFlow receivers, with non-zero sampling-rate configured for 'vlan' or 'interface' types.

Impact:
External network-monitoring or management systems, which may depend on sFlow packet samples from BIG-IP systems and from other equipment, are unable properly to characterize the flow of data throughout the network.

Workaround:
None.

Fix:
This issue no longer occurs.


766761-2 : Ant-server does not log requests that are excluded from scanning

Component: Access Policy Manager

Symptoms:
Based on Request/Response Analytics agent 'Exclude Types' settings, the requests that are excluded from scanning should log a message that states, 'Response content is in excluded content list'.

Conditions:
Response or Request Analytics agent in the Per-Request Policy.

Impact:
These particular logs are not available.

Workaround:
None.

Fix:
Appropriate messages now get logged.


766577-2 : APMD fails to send response to client and it already closed connection.

Component: Access Policy Manager

Symptoms:
APMD fails to send response to client and produces error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer

APMD does most of its action with backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server response is very slow (because of various reasons such as network issues), it might cause slow apmd client response. Sometimes, the client has already closed the connection to the virtual server, so the client connection is no longer valid.

Conditions:
Backend server is slow, causing longer-than-usual response times.

Impact:
This causes the client to close the connection. APMD fails to respond to the client.

The cumulative slowness of the backend server causes delay in response. Most of the time, the client connection is already closed. As a result, the request queue gets full. When apmd starts processing the request from the queue, the client connection is already closed for some of them, and processing those requests still continues, which is unnecessary and causes more delay.

Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.


766405-2 : MRF SIP ALG with SNAT: Fix for potential crash on next-active device

Component: Service Provider

Symptoms:
The next active device may crash with a core when attempting to create media flows.

Conditions:
The names for the LSN pool and router profile are longer than expected.

Impact:
The TMM on the next active device may core. Traffic disrupted while tmm restarts; If the next-active device was not carrying traffic for a traffic group, traffic is not disrupted.

Workaround:
None.

Fix:
Device no longer cores.


766365-1 : Some trunks created on VE platform stay down even when the trunk's interfaces are up

Component: TMOS

Symptoms:
Trunk configured on BIG-IP Virtual Edition (VE) does not pass traffic because it is in 'down' state

Conditions:
Trunk is created on VADC for NICs that use XNet drivers.

Note: In this release, XNet drivers are used by Mellanox and AWS ENA NICs on the VE platform only

Impact:
Trunk marked 'down'; traffic does not pass through the trunk.

Workaround:
None.

Fix:
Drivers that suffered from this problem now set speed correctly for the interface.


766357-1 : Two simultaneously manual installations can cause live-update inconsistency

Component: Application Security Manager

Symptoms:
When running two manual installations of the same update type simultaneously from different browser instances, live-update may encounter inconsistencies, and one of the installations gets stuck in the 'installing' state.

Conditions:
-- Two different installations of the same update type exists.
-- Manual installation occurs both at the same time from different browser instances.

Impact:
-- One of the installations stays in the 'installing' state.
-- Cannot install other installations (.im files).

Workaround:
Run the following command:
bigstart restart tomcat

Live-update changes the status of the installation from 'installing' to 'error' and allows subsequent installation operations.

Fix:
Live-update now queues all manual installations, so they start one after another. After all installations end, only one installation has the 'installed' status.


766329-2 : SCTP connections do not reflect some SCTP profile settings

Component: TMOS

Symptoms:
The effective receive-chunks, transmit-chunks, in-streams, and out-streams parameters in SCTP traffic do not match the settings from the configured SCTP profile:

  -- The in-streams setting alters both the in-streams parameter and the tx-chunks parameter.
  -- The out-streams setting alters both the out-streams parameter and the rx-chunks parameter.
  -- The tx-chunks setting has no effect.
  -- The rx-chunks setting has no effect.

Conditions:
An SCTP virtual server is configured.

Impact:
Unexpected SCTP parameters are negotiated on SCTP connections.

Workaround:
None.

Fix:
The SCTP profile settings are now used during SCTP connection negotiation.


766293-1 : Monitor logging fails on v14.1.0.x releases

Component: Local Traffic Manager

Symptoms:
With a fresh install of v14.1.0.x, you attempt to enable monitor logging for a node or pool member, an error message appears in /var/log/ltm. Also the log file to be created fails to be created.

This behavior is due to SELinux changes. /var/log/auditd/audit.log show the SELinux violations logs.

System reports messages similar to the following in /var/log/ltm:

-- info bigd[12457]: Couldn't open logging file /var/log/monitors/Common_Splunk_HTTP_monitor-Common_node1-8088.log for monitor /Common/Splunk_HTTP_monitor on node /Common/node1.

Conditions:
-- Clean installation of v14.1.0.x software.
-- Enable monitor logging for a node or pool member.

Impact:
Monitor logging fails. Error messages logged.

Workaround:
None.

Fix:
Updated bigd SELinux rules to allow the monitor log file creations.


765801 : WCCP service info field corrupted in upgrade to 14.1.0 final

Component: TMOS

Symptoms:
WCCP 'Here I am' packets from BIG-IP to routers have corrupted service info. No 'I see you' response received from routers due to mismatched service flags information.

Conditions:
No specific condition other than WCCP configuration on BIG-IP 14.1.0.x version.

Impact:
Unable to deploy WCCP on BIG-IP in version 14.1.0.x.

Workaround:
None.

Fix:
Corrected WCCP service flags during initialization.


765785-3 : Monpd core upon "bigstart stop monpd" while Real Time reporting is running

Component: Application Visibility and Reporting

Symptoms:
Monpd cores upon "bigstart stop monpd" while Real Time reporting is running

Conditions:
Real Time UI view is active.

Impact:
None.

Workaround:
None.

Fix:
Fixed a monpd core.


765533-2 : Sensitive information logged when DEBUG logging enabled

Solution Article: K58243048

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048

Conditions:
For more information see: https://support.f5.com/csp/article/K58243048

Impact:
For more information see: https://support.f5.com/csp/article/K58243048

Workaround:
For more information see: https://support.f5.com/csp/article/K58243048

Fix:
For more information see: https://support.f5.com/csp/article/K58243048


765517-1 : Traffic Match Criteria validation fails when create Virtual server with address list with overlapping address space but a different ingress VLAN

Component: Local Traffic Manager

Symptoms:
When two virtual servers are created and they have same address list but different incoming VLANs, Traffic Match Criteria validation fails.

Conditions:
Create 2 virtual servers and they have same address list but different incoming VLANs.

Impact:
System validation fails.

Workaround:
Use non-overlapping address lists.


765449-1 : Update availability status may be inaccurate

Component: Application Security Manager

Symptoms:
Under certain condition the UI may indicate that attack signature updates are available.

Conditions:
ASM provisioned.

Impact:
Attack signature updates are listed as available when the latest signatures are already installed.

Workaround:
An accurate status for availability of updates is available in System::Software Management::Live Update

Fix:
The UI now displays an accurate availability status for attack signatures.


765413-1 : ASM cluster syncs caused by PB ignored suggestions updates

Component: Application Security Manager

Symptoms:
Frequent syncs occurring within an ASM device group.

Conditions:
Several (updating) suggestions are marked 'ignored'.

Impact:
Syncs appear in the logs (no actual performance degradation).

Workaround:
-- Remove the Ignored Suggestions. (Note: These might be re-added and you must refrain from clicking the Ignore button).

-- Remove the Ignored Suggestions and uncheck the Learn flag for the violation that causes it. (Note: The impact is that the system does not learn this violation anymore, so any future suggestions to amend the policy for that violation will not be created.)

Fix:
Policy Builder (PB) no longer updates Ignored Suggestions, so unnecessary sync operations no longer occur.


765033 : Upgrades to versions that restrict resource-admin users from accessing bash may fail under certain conditions

Component: TMOS

Symptoms:
Some versions of BIG-IP software have removed the ability to access bash from users that have resource-admin roles. Upgrades to one of these versions may fail to load the configuration on the upgraded volume with a message in /var/log/ltm similar to:

err mcpd[14994]: 01070825:3: Access denied - Administrators only: Custom shells only available to administrators, not testuser.

Conditions:
-- Users with the resource-admin role also have bash access.

-- Upgrading to an affected version from certain versions.

Impact:
The upgraded volume's configuration does not load.

Workaround:
You can use either of the following workarounds:

-- Ensure that all users with the resource-admin role do not have bash access prior to upgrading.

-- Hand-edit the bigip_user.conf to remove bash from any users with the resource-admin role and reload the configuration using the following command:
tmsh load sys config

Fix:
Upgrades no longer fail under these conditions.


764665-2 : AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change

Component: Application Visibility and Reporting

Symptoms:
When BIG-IP is registered on BIG-IQ system, sometimes avrd crashes with core.

Conditions:
-- BIG-IP is registered at BIG-IQ.
-- BIG-IQ sends configuration update to BIG-IP.

Impact:
Avrd cores and restarts. Functionality is not impacted, stats data are sent to BIG-IQ.

Workaround:
None.

Fix:
Corrected issue in setting value for internal flag.


764373-3 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths

Component: Application Security Manager

Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.

Conditions:
Server sends enforced cookies with the same name but with different paths.

Impact:
A valid request might be rejected.

Workaround:
None.

Fix:
The system now checks all enforced cookies correctly, so this issue no longer includes.


763349-3 : AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out

Component: Application Visibility and Reporting

Symptoms:
avrd application on BIG-IP crashes; core is generated.

Conditions:
-- The BIG-IP is configured to send data to BIG-IQ DCD node via the HTTPS protocol.

-- Connection to DCD is established but response does not arrive within the timeout interval, so the connection times out.

Impact:
avrd crashes, and a core is generated.

Workaround:
None.

Fix:
avrd now reconnects to BIG-IQ DCD in a different sequence so this issue no longer occurs.


763157-2 : MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped

Component: Service Provider

Symptoms:
Processing the response to an outbound request at the same time as an inbound request message on the same connection could cause internal state generated to be confused and the inbound request to be dropped.

Conditions:
Processing the response to an outbound request at the same time as an inbound request message on the same connection.

Impact:
The inbound request will be dropped.

Workaround:
None.

Fix:
The internal state generated is no longer confused so the inbound request is no longer dropped.


763005-3 : Aggregated Domain Names in DNS statistics are shown as random domain name

Component: Application Visibility and Reporting

Symptoms:
Many DNS queries (e.g., 50000) with different query domain names are sent and AVR aggregates data it shows aggregated names using a random name taken from the first lookup table record.

Conditions:
-- Run 50000 DNS queries, all with different domain names.
-- View Statistics :: Analytics :: DNS, and choose View By : Domain Names.

Impact:
There is one random domain name with a high counter value, other domains are shown with counter 1.

Workaround:
None.


763001-1 : Web-socket enforcement might lead to a false negative

Solution Article: K70312000

Component: Application Security Manager

Symptoms:
A request that should be blocked will be passed to server.

Conditions:
Parse parameters flag in json profile is enabled.
Requests are sent in json websocket.

Impact:
Bad requests may be passed to the server

Workaround:
Disable parse parameters flag in json profile

Fix:
Web-socket enforcement now filters requests as expected.


762385 : Wrong remote-role assigned using LDAP authentication after upgrade to 14.1.x and later

Component: TMOS

Symptoms:
When multiple attributes in a list match multiple roles, the wrong role may be assigned. Alternatively, authentication may fail when check-roles-group is disabled.

Conditions:
LDAP server replies with a list of attributes (e.g., list of memberOf) where more than one match existing role.

Impact:
BIG-IP assigns the user to the last attribute in the list that matches a role, potentially yielding a more restrictive set of permissions.

Authentication may fail when check-roles-group is disabled.

Workaround:
None.

Fix:
The correct remote-role is now assigned using LDAP authentication after upgrade to 15.1.x.


762205-2 : IKEv2 rekey fails to recognize VENDOR_ID payload when it appears

Component: TMOS

Symptoms:
Rekey with non BIG-IP systems can fail when a response contains a VENDOR_ID payload.

Conditions:
- IKEv2 Responder sends VENDOR_ID payload in rekey response.
- The ipsec.log misleadingly reports:
  [I] [PROTO_ERR]: unexpected critical payload (type 43)
  Note: This message may be correctly present under other conditions, with different type constants not equal to 43.

Impact:
BIG-IP as the initiator of rekey drops the rekey negotiation without making further progress when the responder included a VENDOR_ID payload in a response. This will result in deleting the SA for good when the hard lifetime expires, causing a tunnel outage.

Workaround:
No workaround is known at this time.

Fix:
Handling of payload types during rekey will now ignore VENDOR_ID when it appears, the same way we ignore VENDOR_ID in other messages during IKE negotiation.


761993-2 : The nsm process may crash if it detects a nexthop mismatch

Component: TMOS

Symptoms:
If there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop, nsm may crash and restart.

Conditions:
-- Dynamic routing is in use.
-- A mismatch between tmrouted and nsm for the interface index or gateway of a nexthop exists.

Impact:
There is a temporary interruption to dynamic routing while nsm is restarted.

Workaround:
None.

Fix:
Prevented nsm crashing when there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop.


761941-1 : ASM does not remove CSRT token query parameter before forwarding a request to the backend server

Component: Application Security Manager

Symptoms:
CSRT query parameter observed in tcpdump on the BIG-IP system's server side.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF enabled in ASM policy.

Impact:
Backend app gets CSRT parameter, which might impact its business logic.

Workaround:
You can remove a CSRT query parameter using a URI modification iRule on the server side.

Fix:
The system now removes the csrt query parameter before forwarding a request to the backend server


761933-1 : Reboot with 'tmsh reboot' does not log message in /var/log/audit

Component: TMOS

Symptoms:
The tmsh reboot command is missing from /var/log/audit.

Conditions:
-- Reboot a system using the command 'tmsh reboot'.
-- View the /var/log/audit log.

Impact:
The system does not log the tmsh reboot operation in the /var/log/audit log. A message similar to the following should be reported:

notice tmsh[19115]: 01420002:5: AUDIT - pid=19115 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=reboot.

Workaround:
None.


761921-1 : avrd high CPU utilization due to perpetual connection attempts

Component: Application Security Manager

Symptoms:
avrd shows high CPU utilization. Repeated retries on auth token client failed connection attempts.

Conditions:
-- The BIG-IQ system is not available (even though it is configured).
-- Frequent connection retries.

Impact:
avrd consumes a large amount of CPU.

Workaround:
Correct BIG-IQ availability and restart avrd.

Fix:
avrd now waits between connection retries, so this issue does not occur.


761749-2 : Security pages unavailable after switching RT mode on off few times

Component: Application Visibility and Reporting

Symptoms:
Security dashboard and analytics pages display "Unable to load application" and no statistics available.

Conditions:
A BIG-IP configured to collect statistics from security modules and new statistics are generated periodically.
The problem may appear when a user switches real-time mode on off few times.

Impact:
Security dashboard and analytics pages unavailable for at least few hours and some real-time statistics are lost.

Fix:
Added timeout for fetching data from statistics module.


761685-3 : Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set

Component: Service Provider

Symptoms:
Systems desiring to create a unique connection per connection client may silently end up with clients sharing an outgoing connection if routing uses a virtual server as the outgoing connection transport definition, and the virtual server has the source-port attribute set to preserve-strict.

Conditions:
-- Routing using a virtual server as the transport definition for the outgoing connection.
-- The virtual server has the source-port attribute set to preserve-strict.

Impact:
Systems desiring to create a unique connection per connection client may silently end up sharing an outgoing connection.

Workaround:
None.

Fix:
Per-client mode is now maintained when routing to a virtual server, even when preserve-strict is selected.


761553-2 : Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic

Component: Application Security Manager

Symptoms:
Text for analyzed requests might be misleading for suggestions that are created as result of an absence of violations in traffic:

X requests triggered this suggestion from date:time until date:time.

Actually:
-- 'X requests' did not trigger a violation, and no sampled are requests provided.

-- The format of the time in 'from date:time until date:time' is difficult to parse.

Conditions:
There are suggestions that were created as result of an absence of violations in traffic in the policy.

Impact:
Text might be misleading.

Workaround:
None.

Fix:
Improved text for analyzed requests for suggestions that were created as result of absence of violations in traffic


761549-2 : Traffic Learning: Accept and Stage action is shown only in case entity is not in staging

Component: Application Security Manager

Symptoms:
Accept and Stage action is available, even for entities that are in staging already.

Conditions:
Create suggestion for the entity (e.g., Attack signature on parameter) that is in staging.

Impact:
Action that is not relevant is shown.

Workaround:
None.

Fix:
Accept and Stage action is available only for suggestions on entities that are not in staging


761385-1 : Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire.

Component: Local Traffic Manager

Symptoms:
Responses from a server are not received by the client.

Conditions:
-- BIG-IP system deployed in L2 transparent mode using virtual wire.
-- No virtual server is configured.

Impact:
Responses from server to client are dropped. Loss of service.

Workaround:
None.

Fix:
Set the L2 transparent flag for the server-side flow if the client-side flow has this flag set.


761381-1 : Incorrect MAC Address observed in L2 asymmetric virtual wire

Component: Local Traffic Manager

Symptoms:
Incorrect MAC Address observed in L2 asymmetric virtual wire for ICMP unreachable on UDP traffic.

Conditions:
L2 asymmetric virtual wire is configured.

Impact:
Incorrect MAC Address in teh packet when the BIG-IP system sends ICMP unreachable on UDP traffic

Workaround:
None.

Fix:
The correct MAC address is seen in the packet that is flowing from the BIG-IP system.


761345-3 : Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode

Component: Advanced Firewall Manager

Symptoms:
When manual config-sync mode is enabled for a HA setup, additional config-sync may be required after firewall blob compilation.

Conditions:
Firewall rule configuration modified on a high availability (HA) setup with manual config-sync mode enabled.

Impact:
Additional config-sync may be required after compilation completion.
A warning may be given: "There is a possible change conflict between <device1> and <device2>.", and full sync may be forced.

Workaround:
Enable auto config-sync instead of manual config-sync.

Fix:
Additional config-sync is not required in these conditions.


761234-2 : Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached

Component: Advanced Firewall Manager

Symptoms:
If you create a virtual server with a single address ('Host' in the GUI) for both its source and destination, then configure the virtual server's security policy with a logging profile, and then (after creating the virtual server) modify the source or destination to use a traffic matching condition, the system reports no error when updating the configuration.

Conditions:
Attempting to use a virtual server with a security policy attached that uses a logging profile with an address list as the virtual server's source or destination.

Impact:
An invalid configuration is not caught. When later loading the configuration, the system reports a validation error, and the configuration does not load.

Workaround:
None.

Fix:
An error is now generated under these conditions.


761231-2 : Bot Defense Search Engines getting blocked after configuring DNS correctly

Solution Article: K79240502

Component: Application Security Manager

Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.

A cache is stored for legal / illegal requests to prevent querying the DNS again.

This cache never expires, so in case of an initial misconfiguration, after fixing the DNS configuration, or routing or networking issue, the Search Engines may still be blocked until TMM is restarted.

Conditions:
-- Initial misconfiguration of DNS or routing or networking issue.
-- Cache stores requests to prevent future queries to DNS.
-- Correct the misconfiguration.

Impact:
Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.

Workaround:
Restart TMM by running the following command:
bigstart restart tmm

Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.


761194-2 : param data type violation on an Integer parameter, if an integer value is sent via websocket JSON

Component: Application Security Manager

Symptoms:
A false positive occurs with 'Illegal parameter data type' violation on an integer parameter, on websocket messages

Conditions:
An explicit parameter with type integer is configured.

Impact:
A false positive can occur, 'Illegal parameter data type' is reported.

Workaround:
N/A

Fix:
Fixed a false positive with integer values


761185-2 : Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic

Solution Article: K50375550

Component: Local Traffic Manager

Symptoms:
For more information please see: https://support.f5.com/csp/article/K50375550

Conditions:
For more information please see: https://support.f5.com/csp/article/K50375550

Impact:
For more information please see: https://support.f5.com/csp/article/K50375550

Workaround:
For more information please see: https://support.f5.com/csp/article/K50375550

Fix:
For more information please see: https://support.f5.com/csp/article/K50375550


761173-1 : tmm crash after extended whitelist modification

Component: Advanced Firewall Manager

Symptoms:
tmm might crash and restart.

Conditions:
Modifying the whitelist extended entry in tmsh.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The tmm process no longer crashes when modifying the whitelist extended entry in tmsh.


761160-2 : OpenSSL vulnerability: CVE-2019-1559

Component: TMOS

Symptoms:
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).

Conditions:
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).

Impact:
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).

Workaround:
None.

Fix:
Update OpenSSL to 1.0.2s.


761144-4 : Broadcast frames may be dropped

Component: TMOS

Symptoms:
Under certain conditions, broadcast Ethernet frames may be dropped.

Conditions:
Multi-blade systems.
Stand-alone appliances and VE systems are not affected.
Single-blade vCMP guests are not affected.

Impact:
Dropped Ethernet frames.

Workaround:
None.

Fix:
Broadcast frames are now processed as expected.


761112-3 : TMM may consume excessive resources when processing FastL4 traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may consume excessive resources when processing FastL4 traffic

Conditions:
-- FastL4 profile enabled.
-- loose-init enabled.

Impact:
Excessive resource consumption, potentially leading to a failover event.

Workaround:
Disable loose-init in environments where it is not needed.

Fix:
TMM now processes FastL4 traffic as expected


761088-1 : Remove policy editing restriction in the GUI while auto-detect language is set

Component: Application Security Manager

Symptoms:
While policy language was set to auto-detect, the policy editing was not allowed.

Conditions:
Create a new policy and set the language to auto-detect.

Impact:
While policy language was set to auto-detect, the policy editing was not allowed.

Workaround:
The policy language must be set to something other than auto-detect to allow user to edit the policy from GUI. However, policy editing is possible using REST API.

Fix:
The GUI restriction was removed. User can modify the policy while the language is set to auto-detect.


761032-2 : TMSH displays TSIG keys

Component: Global Traffic Manager (DNS)

Symptoms:
TSIG key is displayed when related configuration is listed in TMSH.

Conditions:
Authenticated administrative user.
Listing TSIG keys using TMSH.

Impact:
Displaying TSIG keys is a security exposure.

Workaround:
None.

Fix:
TMSH no longer displays TSIG keys when listing configuration.


761014-2 : TMM may crash while processing local traffic

Solution Article: K11447758


760998-1 : F5.ip_forwarding iAPP fails to deploy

Component: TMOS

Symptoms:
F5.ip_forwarding iApp fails to deploy due to a syntax error in the tmsh command for syn-cookie-enable.

Conditions:
Deployment of the f5.ip_forwarding iApp fails unless you specify an existing FastL4 profile.

Impact:
Cannot deploy the f5.ip_forwarding iApp template.

Workaround:
To deploy the f5.ip_forwarding iApp, select 'Advanced' configuration mode and choose an existing FastL4 profile for the question 'What Fast L4 profile do you want to use?'

Fix:
The f5.ip_forwarding iApp template deploys the recommended FastL4 profile without error.


760930-2 : MRF SIP ALG with SNAT: Added additional details to log events

Component: Service Provider

Symptoms:
Subscriber name is not included in debug log events for temporary subscriber registration creation and deletion.

Conditions:
debug log events for temporary subscriber registration creation and deletion.

Impact:
No functional impact, but the associated MRF SIP ALG with SNAT issue might be difficult to debug.

Workaround:
None.

Fix:
Subscriber ID is now included in the log events.


760878-3 : Incorrect enforcement of explicit global parameters

Component: Application Security Manager

Symptoms:
A false positive or false negative enforcement of explicit global parameter.

Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.

Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.

Workaround:
Make the explicit parameters a wildcard parameter.

Fix:
Explicit parameters are enforced correctly on all parameters.


760771-1 : FastL4-steered traffic might cause SSL resume handshake delay

Component: Local Traffic Manager

Symptoms:
When a FastL4 virtual server steers traffic to another SSL-enabled virtual server, there can be a delay on SSL session resumption because SSL is unable to identify the connection flow.

Additionally, it has been observed that if fallback persistence is configured, the BIG-IP system might fail to start the connection serverside.

Conditions:
-- FastL4 virtual server.
-- iRule is used to steer traffic to another virtual server with client SSL enabled.
-- Multiple tmm's.

Impact:
-- Potential impact to SSL performance.
-- Possible connection failure.

Workaround:
To workaround this issue:
-- Disable FastL4.
-- Enable OneConnect.

Fix:
FastL4-steered traffic no longer causes SSL resume handshake delay.


760680-1 : TMSH may utilize 100% CPU (single core worth) when set to be a process group leader and SSH session is closed.

Component: TMOS

Symptoms:
TMSH does not correctly handle absence of input stream after closing interactive SSH session and remains active in an infinite loop using 100% CPU.

Conditions:
If TMSH is a process group leader, it will not be killed when the parent shell is terminated upon SSH session close.

This is a rare case, as TMSH must be deliberately promoted to a process group leader, e.g., with the 'setsid' command.

Usually the shell process is a group leader and, when it is terminated upon SSH session close, it kills its child processes, including TMSH.

Impact:
The equivalent of one CPU core is utilized to 100% by the TMSH process. It may be mostly scheduled on one core or spread over multiple control plane cores.

Workaround:
TMSH should not be intentionally promoted to a process group leader.

You can kill all TMSH processes using the command:

killall -9 tmsh

Warning: This command kills both abandoned and in-use TMSH processes. The latter can include other users' TMSH shells, and even system-level processes invoking the TMSH utility internally. Killing all TMSH processes can lead to various unexpected failures. You can use the 'top' command to see which TMSH process is using high CPU (e.g., 90% or more), and kill just those, as those are the likely zombie processes.

You can kill specific TMSH processes using the command:

kill -9 <pid>

Where <pid> is the process ID of the TMSH instance to kill.

Fix:
I/O error handling in TMSH has been corrected, so it no longer ignores absence of input stream which led to infinite loop.


760622-3 : Allow Device Certificate renewal from BIG-IP Configuration Utility

Component: TMOS

Symptoms:
Unable to renew Device Certificate from System :: Certificate Management : Device Certificate Management : Device Certificate :: server.crt in non-English BIG-IP configurations.

Conditions:
Attempting to renew a device certificate on the System :: Certificate Management : Device Certificate Management : Device Certificate :: using the server.crt-equivalent on a non-English BIG-IP system.

Impact:
Unable to renew Device Certificate from the BIG-IP Configuration Utility.

Workaround:
Use a command of the following syntax, replacing key name, cert name, and # of days with your values:

openssl req -new -x509 -key ../ssl.key/server.key -days <# of days> -out server.crt

For example, to renew the siteserver.key and siteserver.crt for 90 days, use the following command:

openssl req -new -x509 -key ../ssl.key/siteserver.key -days 90 -out siteserver.crt

Fix:
The system now allows Device Certificate renewal from BIG-IP Configuration Utility.


760597-1 : System integrity messages not logged

Component: TMOS

Symptoms:
On TPM-equipped platforms, log messages indicating recovery from a very rarely triggered condition, where the TPM chip needs to be cleared, are not being recorded in the logs on boot.

Conditions:
-- TPM-equipped platforms.
-- Rarely triggered condition in which the TPM chip needs to be cleared.

Impact:
No message indicating the need to clear the TPM.

Note: The need to clear the TPM does not affect the subsequent operation of system integrity checks.

Workaround:
None. The TPM is automatically cleared on boot. Once cleared, it operates normally.

Using remote attestation by submitting a QKview file to iHealth and checking the System Integrity status in the resulting report will reliably indicate any tampering in the BIOS or system startup files.

Fix:
TPM needing to be cleared message is now logged.


760594 : On BIG-IP VE, 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details.

Component: TMOS

Symptoms:
Executing 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details.

Conditions:
BIG-IP Virtual Edition

Impact:
The snmpwalk command shows the details of all partitions on previous versions. It now shows only the '/appdata' details.

Workaround:
No workaround exists for this issue currently.


760573-1 : TPM system integrity check may return invalid status when booting into BIG-IP 14.1.0

Solution Article: K00730586

Component: TMOS

Symptoms:
The Trusted Platform Module (TPM) system integrity check may return an invalid status.

As a result of this issue, you may encounter one or more of the following symptoms:

-- While the system boots to BIG-IP 14.1.0, you observe an error message that appears similar to the following example:
tpm-status-check[5025]: System Integrity Status: Invalid

-- After rebooting the system to different volumes, you continue to observe the previous error message.

Conditions:
This issue occurs when the following condition is met:

You reboot a system running either BIG-IP 13.1.x or 14.0.0 (including their point releases) to BIG-IP 14.1.0.

Impact:
The BIG-IP system reports an invalid TPM status and TPM is non-functional.

Workaround:
To recover from this issue, you must delete the grub configuration file and reboot the system twice for an automatic repair to occur. To do so, perform the following procedure:

Impact of workaround: The system will not be available while performing multiple reboots. F5 recommends that you perform this procedure during an appropriate maintenance window.

1. Log in to the command line of the affected system.
2. Mount the boot partition by typing the following command:
mkdir -p /mnt/boot; mount /dev/mapper/$(ls /dev/mapper | grep boot) /mnt/boot

3. Delete the grub.multiboot.cfg file by typing the following command:
rm -f /mnt/boot/grub2/grub.multiboot.cfg

4. Reboot the system by typing the following command:
reboot

Note: The system software fixes the grub.multiboot.cfg file automatically upon booting.

5. When the system has completed booting, log in to the command line and reboot the system again by typing the following command:
reboot

This final step properly boots the system with TPM enabled.

Fix:
Rebooting a system no longer returns the TPM error.


760550-5 : Retransmitted TCP packet has FIN bit set

Component: Local Traffic Manager

Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.

Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.

Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.

Workaround:
Set Nagle to disabled in the TCP profile.

Fix:
The incorrect FIN bit is removed.


760508-1 : On systems with multiple versions of BIG-IP in use, the 'invalid' System Integrity Status may persist

Solution Article: K91444000

Component: TMOS

Symptoms:
The system security state reported by the shell utility 'tpm-state' may report 'Invalid'.

Conditions:
-- The system contains a volume running BIG-IP software version that does not support Trusted Platform Module (TPM).

-- You install a version that does support TPM.

-- The system is rebooted, from the old (non-TPM-capable) BIG-IP version to the new, TPM-capable version.

Impact:
The BIG-IP system reports an invalid TPM status upon the first boot of the upgraded BIG-IP 14.1.0 slot.

Workaround:
Rebooting the system again into 14.1.0 after initially booting into 14.1.0 resolves the issue.


760475-1 : Apache spawns more processes than the configured limit, causing system low memory condition

Component: TMOS

Symptoms:
Apache (httpd) process count MaxClients on BIG-IP systems is set to '10' in the configuration. When more requests are received, Apache spawns more processes than 10, consuming more memory.

Conditions:
Numerous clients trying to connect simultaneously to the BIG-IP GUI.

Impact:
System low memory condition can severely impact application/system performance, and sometimes triggers Out-Of-Memory (OOM) Killer, so critical applications might be terminated.

Workaround:
Complete the following procedure:

1. Modify /etc/httpd/conf/httpd.conf to have the following configuration outside of the prefork module (global):

MaxClients 10

2. Run the following command:
bigstart restart httpd


760471-3 : GTM iQuery connections may be reset during SSL key renegotiation.

Component: Global Traffic Manager (DNS)

Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.

Conditions:
This occurs occasionally during routine renegotiation.

Impact:
The affected iQuery connection is briefly marked down as the connection is marked down before the connection is immediately re-established.

Workaround:
There is no workaround.

Fix:
GTM iQuery renegotiations no longer cause the error that reset the connection.


760462-1 : Live update notification is shown only for provisioned/licensed modules

Component: Application Security Manager

Symptoms:
Live update notification in the left top corner of the screen was shown even when you cannot install updates, e.g., no permissions or no license/provisioning.

Conditions:
-- There is update for non-provisioned/licensed module.
-- Attempt to install the update.

Impact:
A notification appears and it cannot be removed.

Workaround:
None.

Fix:
Live update notification is now shown only for provisioned/licensed modules.


760439-4 : After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status

Component: TMOS

Symptoms:
After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status (e.g., transitions to standby or active).

Conditions:
Installing UCS that was taken in forced-offline state on clean installed unit.

Impact:
Unit may become active/standby before intended (e.g., during maintenance).

Workaround:
After installing the UCS, ensure that the unit is in forced-offline state as intended. If not in forced-offline state, force the unit offline before proceeding.


760438-3 : PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions

Component: Policy Enforcement Manager

Symptoms:
tmm coredump

Conditions:
-- Using an iRule to apply a referential policy in a rigorous loop.
-- This is a rarely occurring timing issue.

Impact:
Traffic impact due to tmm coredump. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The BIG-IP system now validates session presence before applying the policy.


760410-1 : Connection reset is seen when Category lookup agent is used in per-req policy

Component: Access Policy Manager

Symptoms:
The BIG-IP system sends reset to client when Category Lookup agent is used in per-req policy.

Conditions:
-- APM or SSLO is licensed and provisioned.
-- URLDB and SWG are not provisioned.
-- Category Lookup agent is used in the policy to process custom categories.

Impact:
Connection reset is seen on client from APM/SSLO box.

Workaround:
Modify Category Lookup agent 'lookup-type' property to 'custom-only' via TMSH, for example, by using a command similar to the following:

modify apm policy agent category-lookup example_prp_act_category_lookup_ag lookup-type custom-only

Fix:
Category lookup agent in per-req policy now successfully processes custom categories, so the reset no longer occurs.


760408-3 : System Integrity Status: Invalid after BIOS update

Solution Article: K23438711

Component: TMOS

Symptoms:
When BIG-IP system boots, it performs a System Integrity Check. The System Integrity Status may return one of three states: Valid, Unavailable, or Invalid.

This issue causes the System Integrity Status to return a value of 'Invalid'.

Conditions:
-- BIG-IP systems that have been manufactured using a earlier BIOS version.
-- Updating to a newer BIOS version.

Impact:
The System Integrity Status returns a status of Invalid, which may falsely indicate that the system BIOS or OS has been compromised.

Workaround:
Install the new BIOS, which fixes the issue that causes the 'Invalid' status to be reported, and, on systems where the BIOS and OS have not been compromised, returns a status of 'Valid'.

Fix:
The System Integrity Status check now return 'Valid' for systems that have not been compromised.


760393 : GARP is not sent from newly active device after failover for FW NAT policy rule's dest prefixes

Component: Advanced Firewall Manager

Symptoms:
After failover, there is no GARP from the newly active device for FW NAT policy rule's dest prefixes.

Conditions:
Configure FW NAT policy rules with proxy arp enabled for destination prefixes. After failover no GARP is sent for those destinations prefixes.

Impact:
After failover traffic can fail/degrade.

Workaround:
No workaround other than forcing the initial active HA device to be active again.

Fix:
The system now sets the high availability (HA) unit correctly for FW NAT policy.


760370-2 : MRF SIP ALG with SNAT: Next active ingress queue filling

Component: Service Provider

Symptoms:
When running MRF SIP ALG with SNAT, the ingress queue may fill, causing messages to be dropped on the next-active device.

Conditions:
-- The active device determines that an operation can be skipped because the details are already discovered processing a previous message.
-- The next-active device has not yet processed the previous message and is not able to skip the operation.

Impact:
Mirroring state is lost for the connection.

Workaround:
None.

Fix:
When the connection is mirrored, the processing operation is not skipped on either the active or next-active device.


760363-1 : Update Alias Address field with default placeholder text

Component: TMOS

Symptoms:
Unable to update Alias Address field with the default value under Local Traffic :: Monitors :: [MonitorName] after removing everything from the input field and updating again with the placeholder text.

Conditions:
-- Using a system running software in which the GUI supports Chinese characters.
-- Remove content from the Alias Address field under Local Traffic :: Monitors:: [MonitorName].
-- Enter the default placeholder text.

Impact:
Unable to update the Alias Address input field with default placeholder text after replacing the said field with blank text or a valid value.

Workaround:
Pass empty value or ::

Fix:
Allow monitors to update with default placeholder text for Alias Address


760356-2 : Users with Application Security Administrator role cannot delete Scheduled Reports

Component: Application Visibility and Reporting

Symptoms:
User accounts configured with the Application Security Administrator role cannot delete scheduled reports, while they can create/view/edit them.

Conditions:
-- Logged on with a user account configured as an Application Security Administrator.
-- Attempting to delete a scheduled report.

Impact:
Cannot complete the delete operation. Deleting scheduled reports requires root/admin intervention.

Workaround:
Use root or a user account configured as Administrator to delete scheduled reports.

Fix:
User accounts configured with the Application Security Administrator role can now delete Scheduled Reports


760355 : Firewall rule to block ICMP/DHCP from 'required' to 'default'

Component: Advanced Firewall Manager

Symptoms:
If firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.

Conditions:
-- Firewall is configured on the management port.
-- Firewall is configured with an ICMP rule to block.

Impact:
ICMP packets cannot be blocked with a firewall rule to drop on management port. ICMP packets are allowed from the management port.

Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.

# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP

Fix:
ICMP firewall rule has been moved from the f5-required to f5-default.


760250 : 'Unsupported SSO Method' error when requests sharing the same TCP session

Component: Access Policy Manager

Symptoms:
In API Protection configurations, 'Unsupported SSO Method' error occurs when requests sharing the same TCP session, and some branch selects Single-Sign On (SSO).

Conditions:
-- On the virtual server, the OneConnect profile is selected.
-- Requests sharing the same TCP session.

Impact:
Some requests are rejected.

Workaround:
Remove the OneConnect profile from the virtual server.

Fix:
Reset the SSO selection for each request, regardless of whether requests share the same TCP connection.


760234-1 : Configuring Advanced shell for Resource Administrator User has no effect

Component: TMOS

Symptoms:
Advanced shell is present in the Terminal Access dropdown list when creating a Resource Administrator User, but the functionality is not available.

Conditions:
Configuring Advanced shell for Resource Administrator User.

Impact:
There is no warning message, but the setting has no effect. Gives the false impression that you can configure a Resource Administrator User to have Advanced shell access when the role does not support it.

Workaround:
None.

Fix:
The Advanced shell option is no longer present in the Resource Administrator User Terminal Access dropdown list.

Behavior Change:
Resource Administrator User can no longer select Advanced shell. The option has been removed from the dropdown list in the GUI for the Resource Administrator User.


760222 : SCP fails unexpected when FIPS mode is enabled

Component: TMOS

Symptoms:
Secure Copy (scp) to some locations fails with the following message:
Path not allowed.

Conditions:
-- FIPS mode is enabled.
-- Copying a file to a restricted location using SCP.

Impact:
Cannot use SCP to copy to restricted locations on the BIG-IP system.

Workaround:
None.

Fix:
This scp issue no longer occurs when FIPS cards are installed.


760164-1 : BIG-IP VE Compression Offload HA action requires modification of db variable

Component: TMOS

Symptoms:
When TMM detects a compression offload device hang it does not invoke the configured high availability (HA) action.

Conditions:
This occurs when the following conditions exist:
-- BIG-IP Virtual Edition (VE) Cryptographic Offload is licensed.
-- BIG-IP VE VM has been assigned QuickAssist Virtual Functions (VFs).
-- A QuickAssist endpoint associated with one of the VFs hangs.
-- BIG-IP VE executes compression operations.

Impact:
The configured HA action does not occur when a compression offload device hangs. Clients compression requests eventually time out.

Workaround:
Disable the pfmand by running the following commands:
    tmsh modify sys db pfmand.healthstatus value disable
    tmsh save sys config

The configured HA action will now occur when a compression offload device hangs.

Note: The pfmand daemon is not needed for BIG-IP VE, so disabling the db variable has no impact for BIG-IP VE configurations.


760078-1 : Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet.

Component: Local Traffic Manager

Symptoms:
Packet with unexpected source MAC seen on the adjacent node to the BIG-IP.

Conditions:
- BIG-IP configured in an L2 transparent mode using virtual wires
- Traffic forwarded between client and server in an asymmetric manner across virtual wires.

Impact:
Possible impacts to services on nodes adjacent to the BIG-IP if policy decisions on those nodes are made with the source MAC of the received packet as input.


759968-3 : Distinct vCMP guests are able to cluster with each other.

Component: Local Traffic Manager

Symptoms:
-- Distinct vCMP guests are able to cluster with each other.

-- Guests end up having duplicate rebroad_mac on one or more slots. This can be checked using below command:

clsh tmctl -d blade tmm/vcmp -w 200 -s vcmp_name,tmid,rebroad_mac

Check the 'rebroad_mac' field for duplicate mac addresses.

vcmp_name tmid rebroad_mac
--------- ---- -----------------
default 0 02:01:23:45:01:00
vcmp1 0 00:00:00:00:00:00
vcmp5 0 02:01:23:45:01:04
vcmp6 0 00:00:00:00:00:00
vcmp7 0 02:01:23:45:01:06
vcmp8 0 00:00:00:00:00:00
vcmp9 0 02:01:23:45:01:08
vcmp10 0 02:01:23:45:01:0A <--------------
vcmp11 0 02:01:23:45:01:0A <--------------

Conditions:
-- It is not yet clear under what circumstances the issue occurs.

-- One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate 'rebroad_mac' on one or more slots.

Impact:
Only the vCMP guest acting as primary will be operative.

Workaround:
-- Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:

modify sys db clusterd.communicateovertmmbp value false.


To disable the db variable on the affected guest use the following procedure:

1. stop sys service clusterd
2. modify sys db clusterd.communicateovertmmbp value false
3. start sys service clusterd
4. save sys conf

Afterwards, the affected guest may still have the wrong management IP address. To resolve that, log into the vCMP Hypervisor and force a management IP update such as changing the netmask.

Fix:
The vCMP guests no longer end up having a non-null and duplicate 'rebroad_mac' on one or more slots. Distinct vCMP guests are no longer able to cluster with each other.


759868-1 : TMM crash observed while rendering internal pages (like blocked page) for per-request policy

Component: Access Policy Manager

Symptoms:
TMM crashes.

Conditions:
-- SSLO/SWG configured.
-- Rendering internal pages (like a blocked page).
-- Per-request policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores while rendering internal pages (like blocked page) for per-request policy.


759814-1 : Unable to view iApp component view

Component: TMOS

Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:
An error has occurred while trying to process your request.

Conditions:
-- Upgrade to v14.1.x.
-- Create a new iApp with an SSL, ASM, or Traffic policy profile.
-- Or, attempt to view an iApp containing ASM information

Impact:
Unable to access the iApp Component view. Cannot reconfigure the iApp directly (iApp : Application Services : application : any app).

Workaround:
To reconfigure the iApp, do the following:

1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List.
2. Click the Application Link :: Reconfigure.

Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.


759723-1 : Abnormally terminated connections on server side may cause client side streams to stall

Component: Local Traffic Manager

Symptoms:
The BIG-IP system provides HTTP/2 Gateway configuration when an HTTP/2 client is served by HTTP/1.x pool members. When a server-side connection terminates abnormally, TMM may crash.

Conditions:
-- A virtual server with HTTP/2 Gateway configuration is configured on the BIG-IP system.
-- Traffic on the server side has some abnormalities, resulting in aborted or unclosed connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash when a virtual server is configured as a HTTP/2 gateway.


759721-2 : DNS GUI does not follow best practices

Solution Article: K03332436

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS WebUI does not follow best security practices.

Conditions:
DNS services provisioned, enabled, and configured

Impact:
The DNS WebUI does not follow best security practices.

Workaround:
None.

Fix:
The DNS WebUI now follows best security practices.


759654-1 : LDAP remote authentication with remote roles and user-template failing

Component: TMOS

Symptoms:
The directory server that performs authentication requests refuses a query for authorization (user attributes), which prevents the BIG-IP user from logging on with remote authentication.

BAD_NAME errors are usually present in LDAP communication.

Conditions:
-- Configure LDAP remote authentication with remote roles and a user template.
-- As a remote user, attempt to logon.

Impact:
The query request sent to the directory server is refused because the password is not included in the request, and the server does not accept an anonymous bind request. The refused request prevents a lookup of the user account attributes on the directory server. As a result, the BIG-IP user cannot logon.

Workaround:
Remove user-template. bind-dn must be used to authenticate against LDAP server.


759579-1 : Full Webtop: 'URL Entry' field is available again

Component: Access Policy Manager

Symptoms:
'URL Entry' field is no longer visible from full webtop.

Conditions:
Using Portal Access full webtop screen.

Impact:
It is not possible to open Portal Access session with arbitrary URL from full webtop screen.

Workaround:
None.

Fix:
Now 'URL Entry' field can be enabled and used on full webtop.


759536-2 : Linux kernel vulnerability: CVE-2019-8912

Solution Article: K31739796


759499-2 : Upgrade from version 12.1.3.7 to version 14.1.0 failing with error

Component: TMOS

Symptoms:
Upgrade from version 12.1.3.7 to version 14.1.0 fails. Running 'tmsh show sys software' shows the following message:
 failed (Could not access configuration source; sda,n)

Conditions:
1. Install BIG-IP version 12.1.3.7 in new volume.
2. From 12.1.3.7, try to install 14.1.0 in new volume.

Impact:
Upgrade fails.

Workaround:
To work around this issue, delete the 14.1.0 volume and try the installation again.

The second installation of 14.1.0 succeeds in this scenario.


759483-1 : Message about HTTP status code which are set by default disappeared from the UI

Component: Application Security Manager

Symptoms:
When creating a new policy using the policy-creation page, there are status codes (200-399) that are enabled by default. There is no message about HTTP status codes that are set by default does not appear in the GUI.

Conditions:
Open Create a New Policy page.

Impact:
The message is not shown on Create Policy page

Workaround:
None.

Fix:
The message was added and shown always next to Allowed Response Status Codes input.


759462-1 : Site names and vulnerabilities cannot be retrieved from WhiteHat server

Component: Application Security Manager

Symptoms:
Site names and/or vulnerabilities cannot be retrieved from WhiteHat's server, and you get this error:

Failed to get site names
500 Can't connect to 63.128.163.17:443

Additionally, if configured, the HTTP/HTTPS proxy is not used.

Conditions:
You attempt to retrieve site names and/or vulnerabilities from WhiteHat's server.

Impact:
The site names and/or vulnerabilities cannot be retrieved.

Workaround:
You can manually enter site name in the field 'WhiteHat Site Name' on the Security :: Application Security :: Vulnerability Assessments :: Settings page, and vulnerabilities can be downloaded from the WhiteHat server and uploaded to ASM.

Fix:
Site names and vulnerabilities can now be retrieved directly from WhiteHat's server.


759360-2 : Apply Policy fails due to policy corruption from previously enforced signature

Component: Application Security Manager

Symptoms:
Apply Policy fails due to policy corruption in PLC database from a previously enforced signature.

Conditions:
1. Export a policy containing a signature with an enforced rule.
2. Update ASM Signatures (ASU).
3. Import that previously exported policy.
4. Apply the newly imported policy.

Impact:
Apply policy fails.

Workaround:
As a workaround, run the following SQL, and then apply the policy:

----------------------------------------------------------------------
UPDATE PLC.PL_POLICY_NEGSIG_SIGNATURES SET previous_enforced_rule_md5 = '' WHERE previous_enforced_rule = '' and previous_enforced_rule_md5 != ''
----------------------------------------------------------------------


759343-6 : MacOS Edge Client installer does not follow best security practices

Solution Article: K49827114


759192-3 : TMM core during display of PEM session under some specific conditions

Component: Policy Enforcement Manager

Symptoms:
TMM crashes during display of PEM session if the session has multiple IP addresses added under certain conditions.

Conditions:
-- Session has multiple IP addresses added.
-- When the session was created, addition of multiple IP addresses was not allowed.

Impact:
TMM restart. Traffic disrupted while tmm restarts.

Workaround:
Do not change the value of sys db variable tmm.pem.session.ip.addr.max while some sessions are already created.

Fix:
TMM core during display of PEM session no longer occurs.


759135-2 : AVR report limits are locked at 1000 transactions

Component: Application Visibility and Reporting

Symptoms:
AVR reports are limited to 1000 transactions. This is due to a hard-coded limit.

Conditions:
Using AVR reports for more than 1000 transactions.

Impact:
Unable to create reports with more than 1000 rows.

Workaround:
None.

Fix:
A db variable avr.stats.reportrownumberlimit has been added, that can be controlled via TMSH. The variable controls the number of rows in report within the range of 1 to 100000.

For example, for a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:

tmsh modify sys db avr.stats.reportrownumberlimit value 10000

Behavior Change:
There is a new db variable avr.stats.reportrownumberlimit available in TMSH, which controls the number of rows in an AVR report. Valid values are from 1 to 100000.

For example, to create a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:

tmsh modify sys db avr.stats.reportrownumberlimit value 10000


759077-2 : MRF SIP filter queue sizes not configurable

Component: Service Provider

Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.

Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes are exceeded, the filter enables its flow control logic.

Impact:
Messages may be dropped.

Workaround:
None.

Fix:
The max-pending-messages and max-pending-bytes values in the SIP router profile will be used as the limits for the SIP filter's queues. If the configured value is less than the existing hard-coded limits (512 bytes or 65535 bytes), the hard-coded limits will be used.


758992-2 : The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address

Component: Local Traffic Manager

Symptoms:
tmm may use a combination of the traffic-group MAC address and the per-VLAN MAC address for traffic associated with the traffic-group.

Conditions:
All of the following:
-- The traffic-group has a MAC address set.
-- The sys db variable 'tm.macmasqaddr_per_vlan' is set to true.
-- There are multiple tmm processes running on the BIG-IP system.

Note: BIG-IP Virtual Edition is not affected since there is only one tmm process.

Impact:
Incorrect MAC address used for traffic associated with the traffic-group.

Workaround:
None.

Fix:
tmm uses the proper MAC address when there is a traffic-group mac address defined and 'tm.macmasqaddr_per_vlan' is set to true.


758909-1 : TMM may crash will processing PEM traffic

Solution Article: K04730051


758879 : BIG-IP VE with ixlv devices does not reliably pass some traffic after hard-boot

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) with ixlv devices (Intel X710/XL710/XXV710 family) might not reliably pass traffic after a hard boot of the host on which it runs.

The tmm log contains messages similar to the following:

ixlv[0:8.0]: Error: AQ returned error -1 to request 10!
ixlv[0:8.0]: Error: Error -1 waiting for PF to complete operation 4
ixlv[0:8.0]: Error: WARNING: Error adding VF mac filter!
ixlv[0:8.0]: Error: WARNING: Device may not receive traffic!


The host's kernel log might contain messages similar to the following:

i40e 0000:06:00.0: VF is not trusted, switch the VF to trusted to add more functionality

Conditions:
-- BIG-IP VE with one or more virtual functions that utilize the ixlv driver within tmm.
-- Hard reboot the host and observe traffic.

Note: This issue might be dependent upon the version of the PF driver in the host, and has been observed with at least 2.1.4 and 2.4.10, but this list is incomplete.

Impact:
IPv6 and other network traffic may be handled unreliably.

Workaround:
Reboot the guest. This problem has been observed only on the very first boot after a hard boot of the host.


758872-3 : TMM memory leak

Component: Local Traffic Manager

Symptoms:
When a Clustered Multiprocessing (CMP) disabled virtual server enters syncookie mode the flows created on TMM instances other than tmm0 are not removed, resulting in a TMM memory leak.

Note: CMP-disabled virtual servers are not distributed among the available TMM processes, but instead are processed on tmm0.

Conditions:
-- Virtual server is CMP disabled.
-- The same virtual server enters syncookie mode.

Impact:
Elevated memory utilization that may impact performance. In extreme cases, it might lead to out-of-memory crash.

Workaround:
Make sure the virtual server is not CMP disabled, for example, avoid using global variables in iRules.

Fix:
Flows of CMP-disabled virtual servers are now properly removed from all TMM instances.


758781-3 : iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates

Component: TMOS

Symptoms:
The following commands take a long time to complete when there are a large number of certificates:
get_certificate_list()
get_certificate_list_v2()
get_certificate_list_v3()

Conditions:
-- Using the get_certificate_list(), get_certificate_list_v2(), and get_certificate_list_v3() commands to get certificate information.
-- A large number of certificates (typically in the thousands) are installed on the BIG-IP system.

Impact:
Slowness might cause timeouts in applications that are calling these functions.

Workaround:
Use iControl REST API corresponding to sys/file/ssl-cert.


758764-2 : APMD Core when CRLDP Auth fails to download revoked certificate

Component: Access Policy Manager

Symptoms:
Download CRLDP Auth fails to download revoked certificates, so the list of revoked certificate remains empty (NULL). APMD cores while accessing this empty (NULL) list.

Conditions:
Empty revoked-certificate list handling.

Impact:
APMD core. No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso while apmd restarts.

Workaround:
None.

Fix:
The system now checks for empty revoked certificate lists (for NULL) and lets the validation OK (because there is nothing to validate against).


758714-1 : Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports.

Component: Local Traffic Manager

Symptoms:
Traffic does not pass through the BIG-IP system.

Conditions:
- Configure two trunk/LAG ports on a BIG-IP system.
- Create a virtual wire across it.

Impact:
Loss of service across the virtual wire.

Workaround:
None.

Fix:
Corrected the faulty validation checks during configuration that were a result of collateral damage.


758701-1 : APM fails to handle Remote Desktop Gateway connections from standalone RDP clients after fresh install

Component: Access Policy Manager

Symptoms:
Remote Desktop (RD) Gateway connections from standalone RDP clients on Mac/iOS/Android fail against a fresh APM installation.

Following error is logged into /var/log/ltm:
... 01220001:3: TCL error: /Common/_sys_APM_Citrix_SmartAccess <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::path"

Conditions:
- Fresh APM installation.
- Standalone Mac/iOS/Android RDP client uses APM as RD Gateway.

Impact:
Connection can't be established.

Workaround:
Disable "tmm.http.tcl.validation" variable:
# tmsh modify sys db tmm.http.tcl.validation value disable

Fix:
Remote Desktop (RD) Gateway connections from standalone RDP clients on Mac/iOS/Android are not failing anymore against fresh APM installation.


758667-1 : BIG-IP VE high availability (HA) actions are not invoked when offload hardware hangs

Component: TMOS

Symptoms:
When TMM detects a crypto or compression offload device hang it does not invoke the configured high availability (HA) action.

Conditions:
This occurs when the following conditions exist:
-- BIG-IP Virtual Edition (VE) Cryptographic Offload is licensed.
-- BIG-IP VE VM has been assigned QuickAssist Virtual Functions (VFs).
-- A QuickAssist endpoint associated with one of the VFs hangs.
-- BIG-IP VE executes crypto or compression operations.

Impact:
Client requests eventually time out.

Workaround:
None.


758655-1 : TMC does not allow inline addresses with non-zero Route-domain.

Component: Local Traffic Manager

Symptoms:
When trying to create a traffic-matching-criteria with inline addresses with non-zero Route-domain, receive an error:

TMC(/Common/tmc333) and addresses within the address list have different route domain.

Conditions:
Attempting to creating a traffic-matching-criteria with inline address (source or destination) and non-zero route-domain, e.g.:

create ltm traffic-matching-criteria tmc333 destination-address-inline 111.111.111.194 source-address-inline 0.0.0.0 route-domain 100

Impact:
Cannot create the traffic-matching-criteria.

Workaround:
None.

Fix:
You can now create a traffic-matching-criteria with inline addresses with non-zero Route-domain.


758536 : Traffic Intelligence IM pkg for 14.1.0 fails to install on base build version 14.1.0.x

Component: Traffic Classification Engine

Symptoms:
Traffic Intelligence IM pkg for v14.1.0 fails to install on base build version v14.1.0.1 through v14.1.0.4. This is due to strict version check in upgrade scripts.

Conditions:
When hitless upgrade for traffic intelligence with version 14.1.0 is used on base build v14.1.0.1 through v14.1.0.4.

Impact:
The process fails to load/install. The system does not receive the latest traffic intelligence signatures.

Workaround:
There is no workaround other than requesting a purpose-built traffic intelligence IM for that particular build.

Fix:
You can now install 14.1.0 IM on any other 14.1.0.x with minor version update.


758527-2 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode

Component: TMOS

Symptoms:
Under certain conditions BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.

Conditions:
Tagged VLANs in use.
STP pass-through mode enabled.

Impact:
Frames not delivered as expected.

Workaround:
Disable global STP.

Fix:
Frames now delivered as expected.


758465-1 : TMM may crash or iRule processing might be incorrect

Component: Local Traffic Manager

Symptoms:
After modifying an iRule:
- The iRules on one or more virtual servers might fire in the wrong order.
- The iRules on one or more virtual servers might not fire at all.
- TMM might crash if the iRule event is modified again.
- TMM might crash if a virtual server is modified.

Conditions:
This occurs when all of the following conditions are met:

- An iRule is in use on more than one virtual server.
- The iRule occupies a different position in the iRule list on various virtual servers, and one or more of the other iRules define the same event.
- The iRule event is modified.

Impact:
Traffic interruption while TMM restarts.
Incorrect iRule processing.

Workaround:
None.


758459-1 : Cross origin AJAX requests are blocked Cross-Origin Resource Sharing (CORS) protection

Component: Application Security Manager

Symptoms:
When enabling Single Page Application (SPA) option in ASM, cross origin AJAX requests are resulting in the following error in the browser console, and site application might not work:

Access to XMLHttpRequest at 'https://x.com' from origin 'https://www.y.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Conditions:
-- ASM with SPA enabled
-- App is sending cross-origin requests

Impact:
App does not work as expected.

Workaround:
Using an iRule, add the following headers to the response:

-- Access-Control-Allow-Origin with originating domain.
-- Access-Control-Allow-Credentials: true.

Fix:
This release adds the relevant CORS fields to responses.


758311-1 : Policy Compilation may cause MCPD to crash

Component: Local Traffic Manager

Symptoms:
If a policy has rules involving IPv6 addresses, and the addresses differ only on 32-bit boundaries, then the compilation of that policy may cause MPCD to crash.

Conditions:
-- A policy is attached to a virtual server.

-- That policy contains conditions that involve IPv6 addresses.

-- The addresses in different rules differ only on 32-bit boundaries.

Impact:
MCPD cores, and then restarts. The policy is not usable.

Workaround:
You can try either of the following:

-- It may be possible to create multiple rules from a given rule by altering the netmask.

-- Another possibility is to add a placeholder rule with no action that matches IP addresses differently.

Fix:
Policies involving matching IP addresses now compile correctly.


758119-6 : qkview may contain sensitive information

Solution Article: K58243048

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048

Conditions:
For more information see: https://support.f5.com/csp/article/K58243048

Impact:
For more information see: https://support.f5.com/csp/article/K58243048

Workaround:
For more information see: https://support.f5.com/csp/article/K58243048

Fix:
For more information see: https://support.f5.com/csp/article/K58243048


758085-1 : CAPTCHA Custom Response fails when using certain characters

Component: Application Security Manager

Symptoms:
When setting the CAPTCHA Custom Response in the Bot Defense GUI, saving the profile fails when using certain characters.

For example, using the following response will return the error: 'black' unknown property

This question is for testing whether you are a human visitor and to prevent automated spam submission.

<p style="color: black; padding-right:20px">
<br>
%BOTDEFENSE.captcha.image% %BOTDEFENSE.captcha.change%
<br>
<b>What code is in the image\?</b>
%BOTDEFENSE.captcha.solution%
<br>
%BOTDEFENSE.captcha.submit%
<br>
<br>
Your support ID is: %BOTDEFENSE.captcha.support_id%.

Conditions:
Attempting to configure custom CAPTCHA response in the Bot Defense profile GUI.

Impact:
Cannot configure custom CAPTCHA response in the Bot Defense Profile GUI.

Workaround:
Use TMSH or REST API to configure the CAPTCHA Custom Response.

Fix:
Configuring custom CAPTCHA response page in the Bot Defense Profile no longer fails when using certain characters.


758065-4 : TMM may consume excessive resources while processing FIX traffic

Solution Article: K82781208


758018-5 : APD/APMD may consume excessive resources

Solution Article: K61705126


757992-3 : RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup

Component: Access Policy Manager

Symptoms:
RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup

Conditions:
-- Configure Floating IP with route domain.
-- Configure RADIUS accounting server with Pool Setup.
-- Configure the virtual server containing the access policy to use the RADIUS Accounting server.
-- Access the virtual server.

Impact:
-- START message is being sent through proper egress floating IP address.
-- STOP message is not sent, and the system logs the following error message:
-- err tmm1[11193]: 01490586:3: (null):Common:8a505e8c: Processing radius acct stop message failed, connection failure.
-- err tmm1[11193]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_RTE. File: ../modules/hudfilter/access/access_session.c, Function: access_session_final_callback, Line: 4439.

Workaround:
This issue is present only when the floating IP address is configured with a non-default route domain. It works fine with the default route domain. Use of default route domain is recommended.

Fix:
RADIUS Acct STOP message is now sent as expected.


757985-1 : TMM memory leak

Solution Article: K79562045

Component: Local Traffic Manager

Symptoms:
-- TMM memory utilization baseline is slowly increasing.
-- The 'allocated' column of the 'tcl' row in the memory_usage_stat tmctl table is high and is close to the 'max_allocated' value.

Conditions:
-- The header-insert option in a custom HTTP profile is configured.
-- The profile is attached to a virtual server.

Impact:
Degraded performance, and eventual out-of-memory condition that may trigger a TMM crash. Traffic disrupted while tmm restarts.

Workaround:
Instead of the profile header-insert, use HTTP::header iRule commands.

Fix:
The header-insert option can now be configured in HTTP profiles without causing a TMM memory leak.


757782-1 : OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default

Component: Access Policy Manager

Symptoms:
Invalid 'sub' claim in JWT access token that is generated by OAuth Authorization Server.

Conditions:
-- OAuth Authorization Server is configured to return JWT access token.
-- Subject field is configured to be a session variable other than the default '%{session.assigned.uuid}'.

Impact:
Invalid value in 'sub' claim in JWT access token. If OAuth resource server depends on the value of 'sub' claim, then that functionality does not work.

Workaround:
Add Variable assign agent after OAuth Authorization agent, and assign session.assigned.oauth.authz.token.subject with the session variable name such as the following:
session.logon.last.logonname.

Fix:
OAuth Authorization Server sends valid value in 'sub' claim in the generated JWT token when subject is configured to use a session variable.


757722-2 : Unknown notify message types unsupported in IKEv2

Component: TMOS

Symptoms:
IKE negotiation fails when an unrecognized notify payload type is seen in a message processed by IKEv2.

Conditions:
Receiving an IKE message that contains a notify payload whose numeric type value is unrecognized by IKEv2.

Impact:
Negotiation fails with an aborted connection, preventing tunnel creation.

Workaround:
A peer can suppress notification payloads with advisory values that get rejected by IKEv2 within the BIG-IP system.

Fix:
All unknown notify types are now logged and then ignored.


757698-1 : TMM crashes in certain situations of which iRule execution interleaves client side and server side flows

Component: Local Traffic Manager

Symptoms:
TMM crashes in certain situations in which iRule execution interleaves client-side and server-side flows.

Conditions:
The exact conditions that cause this issue are unknown, although appear to happen in at least one configuration: OneConnect with an iRule whose execution leads to that, inside TMM, the client-side and server-side flow operations interleave.

Impact:
TMM crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
iRule clears the right side data after execution.


757617-1 : Systemd vulnerabilities: CVE-2018-16864, CVE-2018-16865, CVE-2018-16866

Solution Article: K30683410


757578-2 : RAM cache is not compatible with verify-accept

Component: Local Traffic Manager

Symptoms:
The TCP profile's verify-accept option is not compatible with the RAM cache feature

Conditions:
A TCP profile is used with the 'verify-accept' option enabled, together with a Web Acceleration via RAM cache.

Impact:
There may be a log message in /var/log/tmm# describing an 'Invalid Proxy Transition'. The RAM cache feature may not handle later pipelined requests due to the proxy shutting down the connection.

Workaround:
Do not use TCP's verify-accept option together with RAM cache.

Fix:
RAM cache now works correctly when the TCP profile enables the verify-accept option.


757524 : Data operation attempt on object that has not been loaded

Component: Advanced Firewall Manager

Symptoms:
While assigning VLANs to Traffic Matching Criteria, you get an error:

01070712:3: Data operation attempt on object that has not been loaded.

Conditions:
This occurs while trying to add or modify VLANs on a Traffic Matching Criteria.

Impact:
Error is reported; unable to add or modify VLAN assignment to Traffic Matching Criteria.

Workaround:
None.

Fix:
Fixed the issue to allow configuration of VLANs to Traffic Matching Criteria object.


757519-1 : Unable to login using LDAP authentication with a user-template

Component: TMOS

Symptoms:
User cannot login using remote LDAP authentication. This occurs because LDAP with user-template uses user-template username as DN for search.

Conditions:
LDAP authentication configuration includes user-template, which is not a valid DN.

Impact:
Remote LDAP authentication users are unable to login.

Workaround:
You can use either of the following workarounds:

-- Create a specific user for bind by configuring bind-dn and bind-pw and remove user-template.

-- Switch to local authentication.


757455-2 : Excessive resource consumption when processing REST requests

Solution Article: K87920510


757441-4 : Specific sequence of packets causes Fast Open to be effectively disabled

Component: Local Traffic Manager

Symptoms:
You see this warning in the logs:

warning tmm[21063]: 01010055:4: Syncookie embryonic connection counter -1 exceeded sys threshold 64000.

Conditions:
-- TCP Fast Open and ECN are both enabled.
-- There are multiple RST segments from the receive window received in SYN_RECEIVED state.

Impact:
TCP Fast open is disabled, as the pre_established_connections becomes very large (greater than a threshold).

Workaround:
TCP ECN option can be disabled.

Fix:
TCP Fast Open is prevented from being disabled when some conditions are met.


757360-1 : Category lookup returns wrong category on subsequent traffic following initial HTTP CONNECT traffic through SSLO

Component: Access Policy Manager

Symptoms:
Category lookup returns the wrong category on subsequent traffic following initial HTTP CONNECT traffic through F5 SSL Orchestrator (SSLO).

Conditions:
-- Outbound deployment configured in SSLO, where SSLO behaves as a transparent proxy.
-- A policy has a branch to lookup category using HTTP Connect.
-- An HTTPS client generates HTTPS traffic via an explicit proxy on the local network with a private address through SSLO as the gateway.

Impact:
Category Match is not performed on subsequent requests, resulting in fallback branch to be taken.

Workaround:
None.

Fix:
Category lookup now works correctly in this scenario.


757359-1 : pccd crashes when deleting a nested Address List

Component: Advanced Firewall Manager

Symptoms:
When removing a nested Address List or Port List, the pccd process might crash.

Conditions:
This might occur under the following conditions:
-- Removing a nested Address List or Port List using a tmsh transaction with an incorrect tmsh command order consistently results in this crash.

-- A high availability (HA) setup with config-sync enabled and there are intermittent problems with HA-connections, or out-of-memory system state, might intermittently result in this crash.

Impact:
pccd crashes with core, restarts, and correctly compiles the new configuration. There is a resulting, small delay in applying the new configuration due to the pccd restart.

Workaround:
-- If the crash occurs as a result of incorrect tmsh commands in a transaction, reorder commands to the parent list is modified or deleted before deleting the nested list.

-- If the crash is an intermittent issue due to problems with HA-connections, or an out-of-memory system state, no action is necessary; pccd correctly compiles new configuration after it restarts.

Fix:
pccd no longer crashes under these conditions, and correctly compiles the new configuration.


757357-3 : TMM may crash while processing traffic

Component: TMOS

Symptoms:
Under certain conditions, TMM may crash while processing traffic.

Conditions:
-- BIG-IP Virtual Edition (VE) using virtio interfaces with direct descriptors.

Impact:
TMM crash, leading to a failover event.

Workaround:
To work around this issue, use this procedure:

1a. For BIG-IP systems running versions earlier than 14.1.0, add the following line to /config/tmm_init.tcl:
device driver vendor_dev 1af4:1000 unic

1b. For BIG-IP systems running v14.1.0 and later, add the following line to /config/tmm_init.tcl:
device driver vendor_dev 1d0f:ec20 sock

2. Restart tmm using the following command:
bigstart restart tmm

Note: You might need to manually remove that line from /config/tmm_init.tcl after upgrading.

Fix:
TMM now processes traffic as expected.


757306-3 : SNMP MIBS for AFM NAT do not yet exist

Component: Advanced Firewall Manager

Symptoms:
SNMP MIBS for AFM NAT do not yet exist.

Conditions:
This occurs in normal operation.

Impact:
Unable to read values that do not exist in SNMP, meaning that you cannot access information that you need.

Workaround:
None.


757088-1 : TMM clock advances and cluster failover happens during webroot db nightly updates

Component: Traffic Classification Engine

Symptoms:
Webroot database mapping and unmapping takes a very long amount of time on TMM, so you might see clock advances occur. The long interval might result in a failover/state-transition in clustered environment.

Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.

Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.

Workaround:
You can avoid this issue by disabling BrightCloud updates, however, your environments will miss the latest updates as a result.

#vi /etc/wr_urldbd/bcsdk.cfg
  DoBcap=true
  DoRtu=false
  DownloadDatabase=false

Fix:
Mapping/Unmapping the database is done asynchronously and the delay is reduced so that the CDP failover does not happen.


757084-2 : Bypassing SSL interception in SSL Orchestrator may crash TMM if virtual server is SNAT enabled

Solution Article: K00432398


757027-1 : BIND Update

Solution Article: K01713115


757026-1 : BIND Update

Component: TMOS

Symptoms:
Upgrade BIND to 9.11.5-P4 per recommendation from ISC

Conditions:
GTM provisioned.

Impact:
BIND not up-to-date

Workaround:
None.

Fix:
Upgrade to BIND 9.11.5-P4


757025-1 : BIND Update

Solution Article: K00040234


757023-2 : BIND vulnerability CVE-2018-5743

Solution Article: K74009656


756877-1 : Virtual server created with Guided Configuration is not visible in Grafana

Component: Anomaly Detection Services

Symptoms:
The traffic of Virtual Server created with the Guided Configuration is not visible with Grafana monitoring tool.

Statistics of this virtual server are not included in the admdb part of qkview.

Conditions:
-- Create virtual server using Guided Configuration.
-- Use the Grafana monitoring tool to view virtual server statistics.
-- Create a qkview.

Impact:
Cannot view virtual server using the Grafana monitoring tool. The resulting qkview contains no statistics for this virtual server. Lack of information for debugging and troubleshooting

Workaround:
Configure virtual server manually, without the Guided Configuration

Fix:
Virtual server created with Guided Configuration is visible in Grafana and its statistics present in qkview.


756777-1 : VDI plugin might crash on process shutdown during RDG connections handling

Component: Access Policy Manager

Symptoms:
VDI plugin might crash on process shutdown if it is stopped during handling of RDG connections.

Conditions:
VDI plugin process is stopped while new RDG connection is established via APM.

Impact:
The process will be shutdown, but generated core file might cause unnecessary confusion.

Workaround:
None.

Fix:
Fixed VDI plugin crash on process shutdown during RDG connections handling.


756774-6 : Aborted DNS queries to a cache may cause a TMM crash

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash if an attempt is made to send a response to a TCP connection that has already been torn down.

Conditions:
TCP connections that are aborted before receiving a RESPONSE from a cache.

Impact:
Loss of service until TMM is restarted. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Aborted DNS queries to a cache no longer cause a TMM crash.


756538-4 : Failure to open data channel for active FTP connections mirrored across an HA pair.

Solution Article: K15759349


756477-2 : Drop Redirect tab incorrectly named as 'Redirect Drop'

Component: Advanced Firewall Manager

Symptoms:
Incorrect naming on navigation tabs Security :: Debug :: Drop Redirect.

Conditions:
Navigating to Security :: Debug :: Drop Redirect.

Impact:
The page name is Drop Redirect instead of Redirect Drop.

Workaround:
None.

Fix:
Drop Redirect tab is now correctly named as 'Drop Redirect'


756458-3 : Linux kernel vulnerability: CVE-2018-18559

Solution Article: K28241423


756450-1 : Traffic using route entry that's more specific than existing blackhole route can cause core

Component: TMOS

Symptoms:
TMM asserts with 'Attempting to free loopback interface'message.

Conditions:
- Using blackhole routes.
- Have a route entry that is more specific than the existing blackhole route.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use /32 blackhole routes.

Fix:
TMM no longer cores when using blackhole routes that are less specific than non-blackhole routes.


756418-1 : Live Update does not authenticate remote users

Component: Application Security Manager

Symptoms:
Remote users with Administrator or Application Security Administrator roles cannot run Live Update.

Conditions:
-- Remote user (LDAP/RADIUS).
-- Remote user logged in.
-- New installation is available.

Impact:
-- Remote users cannot manually check for updates.
-- Remote users cannot manually upload new files.
-- Remote users cannot install new update files.

Workaround:
Log in with a local user like admin, application security editor, or application security administrator.

Fix:
Authentication is directly done from MCP. Remote users are not treated like local users, so only the role of the user determines the ability to perform operations such as Live Update.


756402-2 : Re-transmitted IPsec packets can have garbled contents

Component: TMOS

Symptoms:
Before re-transmitting a packet, it is discovered to be garbled, mainly in the form of having physical length that no longer matches the logical length recorded inside the packet.

Conditions:
Possibly rare condition that might cause packet freeing while still in use.

Impact:
Likely tunnel outage until re-established.

Workaround:
No workaround is known at this time.

Fix:
This release adds checksums to verify IPsec packets are not altered between first creation and later re-transmission.


756363-1 : SSLO or SWG connections using proxy chaining to Explicit Proxy can get reset

Component: Access Policy Manager

Symptoms:
Connections get reset with reset cause "repick failed"

Conditions:
SSLO with proxy chaining to Explicit Proxy or SWG per-request policy using proxy select agent with No URI rewrite

Impact:
Connections get reset with reset cause "repick failed"

Workaround:
None

Fix:
Connections no longer get reset.


756356-2 : External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long

Component: Local Traffic Manager

Symptoms:
iRules using the command 'class match' with the 'equals' operator on long entries fail to return a positive match, even if they are in the datagroup, for example:

my_datagroup:
"abcdefghijklmnopqrstuvwxyz0123456" := "value1"

class match "abcdefghijklmnopqrstuvwxyz0123456" equals my_datagroup

Conditions:
This is encountered when all of the following conditions are met:
- Using an external datagroup of type string with keys longer than 32 characters.
- Using an iRule with the 'class match' command and the 'equals' operator on the external datagroup.
- Trying to match keys that are longer than 32 characters.

Impact:
iRules will act incorrectly

Workaround:
If none of the keys in the datagroup are prefixes of each other, the 'equals' operator can be changed to 'starts_with' or 'ends_with' (if none are suffixes of each other).

Fix:
iRules using the command 'class match' with the 'equals' operator on long entries now correctly matches external datagroup string entries which are longer than 32 characters.


756311-4 : High CPU during erroneous deletion

Component: Policy Enforcement Manager

Symptoms:
The utilization of some CPU cores increases and remains high for a long time. Rebooting just one blade can cause the high CPU usage to move to another blade in the chassis.

There might be messages similar to the following in tmm logs:

-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.10.10%0-4a89723e; Instance ID mismatch ERR_OK for subscriber id 310012348494 with 10.1.10.10-0-4a8987ea.

-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.18.10%0-4a8b850c; Look up returned err ERR_OK for subscriber id 3101512411557

Conditions:
The exact conditions under which this occurs are not fully understood, but one way it can be triggered is when a single TMM is crashing on a chassis system.

Impact:
The CPU usage is coming from an erroneous cleanup function, which is only running on a TMM when it's not busy; traffic is not expected to have a significant impact. However, recovering may result in a cluster-wide TMM restart, if the CPU usage does not subside. Traffic disrupted while tmm restarts.

Workaround:
Delete all subscribers from the CLI.


756270-4 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle

Component: Local Traffic Manager

Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.

Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.

Impact:
Handshake failure.

Workaround:
None.

Fix:
This has been fixed to check for the issuer among all certificates that have the same subject name as the CRL issuer.


756218-1 : Improve default management port firewall

Solution Article: K45644893


756205-1 : TMSTAT offbox statistics are not continuous

Component: Application Visibility and Reporting

Symptoms:
When BIG-IP systems are manged by BIG-IQ, the device health statistics have gaps (missing samples).

Conditions:
BIG-IP systems managed by BIG-IQ,

Impact:
Missing data on device health, such as CPU load and memory occupancy.

Workaround:
None.

Fix:
Functionality restored - BIG-IP systems send all the data as expected.


756108-1 : BD crash on specific cases

Component: Application Security Manager

Symptoms:
BD crash on specific cases.

Conditions:
Have a feature that requires Captcha/ Client side Integrity in ASM.

Impact:
No traffic to app.

Workaround:
None.

Fix:
This release fixes the specific crash scenario.


756102-2 : TMM can crash with core on ABORT signal due to non-responsive AVR code

Component: Application Visibility and Reporting

Symptoms:
ABORT signal is sent to TMM by SOD; TMM aborts with a core.

Conditions:
Non-responsive AVR code. No other special conditions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


756094-2 : DNS express in restart loop, 'Error writing scratch database' in ltm log

Component: Global Traffic Manager (DNS)

Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd

Conditions:
An update to an SOA record (and only an SOA) is received through a incremental zone transfer update (IXFR).

Impact:
Zone updates from the DNS master servers are not processed.

Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, use the following commands, in sequence:

   bigstart stop zxfrd
   rm /shared/zxfrd/*
   bigstart start zxfrd

Note: DNS express will not be able to service DNS responses until the zone transfers have completed. For this reason, this procedure should be carried out on the standby device, if possible.

Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.


756071-3 : MCPD crash

Component: TMOS

Symptoms:
mcpd crashes on out of memory.

Conditions:
MCPD experiences a memory leak under one of the following conditions:

- A tmsh command such as the following is run:
    tmsh reset-stats ltm virtual

- The ASM or AVR module is provisioned.


In both circumstances, the 'cur_allocs' for one of MCPD's internal memory allocation types generally increases and becomes very high (e.g., millions):

tmctl -I --select cur_allocs memory_stat program=mcpd name=umem_alloc_40

Impact:
MCPD can run out of memory and crash. Traffic disrupted while mcpd restarts.

Workaround:
None.

Fix:
A memory leak that occurred in the MCPD process has been fixed.


756019-1 : OAuth JWT Issuer claim requires URI format

Component: Access Policy Manager

Symptoms:
APM currently expects the OAuth JSON web tokens (JWT) Issuer claim to be in the URI format:
-- JWT-Config does not allow Issuer setting unless it is in the URI format.
-- The issuer value in the incoming token is expected to be in the URI format and should match with the Issuer setting in the JWT-Config.

Conditions:
OAuth JWT Issuer claim in the URI format for JWT access token and ID token.

Impact:
As per RFC 7519, 'iss' claim value is a case-sensitive string containing a StringOrURI value. To comply with RFC 7519, basically allowing any string value in the Issuer claim, APM should ease this validation.

Workaround:
None.

Fix:
JWT config issuer Validation is removed to allow a string or URI value for the JWT issuer.


755817 : v14.1.0.5 includes Guided Configuration 4.1

Component: Access Policy Manager

Symptoms:
Guided Configuration is not upgraded automatically with each release; it must be manually upgraded between versions. It should be bundled into the release.

Version 14.1.0.5 includes Guided Configuration 4.1.

Conditions:
Upgrading Guided Configuration.

Impact:
Have to manually upgrade Guided Configuration.

Workaround:
Manually upgrade Guided Configuration.

Fix:
Guided Configuration v4.1 is bundled into BIG-IP software v14.1.0.5 and no longer requires manual upgrade.

Behavior Change:
Guided Configuration v4.1 is bundled into BIG-IP software v14.1.0.5. For versions earlier than 14.1.0.5 (e.g., 14.1.0.0), you had to upgrade Guided Configuration manually. That is no longer necessary.


755641-1 : Unstable asm_config_server after upgrade, 'Event dispatcher aborted'

Component: Application Security Manager

Symptoms:
Ignored suggestions for Multiple decoding or HTTP Protocol Settings present after upgrading a unit to 14.1.0 can cause the asm_config_server and pabnagd processes to enter restart loops.

Conditions:
1) On a 13.1.x system send traffic that will generate suggestions for Max Decoding Passes, Maximum Headers, and/or Maximum Parameters.
2) Set those Suggestions to be Ignored.
3) Upgrade to 14.1.0.

Impact:
-- Multiple asm_config_server restarts.
-- System instability, including inability to manage ASM settings or use traffic learning.
-- No local logging.

Workaround:
You can use either of the following workarounds:

A) Delete any such ignored suggestions using the following SQL command:
 > DELETE FROM PL_SUGGESTIONS WHERE element_type IN (7,193,75);

B) Delete any such ignored suggestions before upgrade using the GUI/REST/SQL.

Fix:
The system now handles removed Entity types during upgrade for Ignored Suggestions: Ignored suggestions for Multiple decoding or HTTP Protocol Settings are removed during upgrade. You must reconfigure the Ignore settings after upgrade.

Behavior Change:
Refactoring in 14.1.0 modified the functionality of the following Entity types: Max Decoding Passes, Maximum Headers, and/or Maximum Parameters. Ignored suggestions for Multiple decoding or HTTP Protocol Settings are removed during upgrade, so you must reconfigure the Ignore settings after upgrade.


755630-1 : MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes

Component: Service Provider

Symptoms:
The media flows get terminated after the UDP idle timeout expires on a Standby device.

Conditions:
-- High availability (HA) configuration.
-- SIP media calls on a SIP-ALG with SNAT feature enabled.

Impact:
SIP calls fail to deliver media when high availability (HA) failover occurs.

Workaround:
Partial mitigation is to set the UDP idle timeout to a higher value.

Fix:
Properly set SIP ALG media pinhole connection flags so that to not time out due to inactivity on the next active device.


755585-1 : mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction

Component: Local Traffic Manager

Symptoms:
On a VIPRION cluster, if a single transaction creates a policy with the name Drafts/NAME, publishes the policy, and attaches the policy to a virtual server, mcpd restarts on the secondary blades.

Conditions:
-- VIPRION chassis with more than one blade.
-- Single mcp transaction that:
  * Creates a policy with 'Drafts/' as part of the policy name.
  * Publishes that policy.
  * Attaches that policy to a virtual server, either in the same transaction or a later transaction.

Impact:
mcpd restarts on all secondary blades of a cluster.

Workaround:
You can use either of the following workarounds:
-- Do not create policies with 'Drafts/' in the name.
-- Do not create and publish a policy in the same transaction.


755575-1 : In MOS, the 'image2disk' utility with the '-format' option does not function properly

Component: TMOS

Symptoms:
When the BIG-IP system boots, mcpd continually restarts.

Conditions:
This occurs if you issue the 'image2disk' command with the '-format' option in the MOS (Maintenance Operating System) shell.

Impact:
When the system boots, it cannot become active.

Workaround:
In the MOS shell, do not issue the 'image2disk' utility with the '-format' option. You can achieve the same result by following the shell guidance. To begin, type 'start<enter>'.

If the system is already in the defective state, use this shell command, and then reboot:

touch /.tmos.platform.init

The problem should be resolved.

Fix:
In MOS, running 'image2disk' with the '-format' option no longer causes continuous mcpd restarts.


755475-1 : Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync

Component: Access Policy Manager

Symptoms:
After making changes to the logon page agent field, performing config sync to another device and opening the logon agent in VPE on the sync target device encounters an error. Though this problem described to the logon page agent, this is applicable to any agent that is tied to customization group.

Conditions:
1. Form a failover device group with two devices.

2. On one device, create an access policy with logon page agent. Initiate config sync to sync the policy to other devices. Verify everything is correct on target device (specifically: open VPE for the policy, Logon Page is in the policy, click on the agent, and edit box appears without issue).

3. On source device, launch VPE for the policy, click on Logon Page agent, make changes to Agent (e.g., choose 'password' type for field3. Save the change and make a config sync again.

4. Go to target device, open VPE for the policy, and click on Logon Page is in the policy.

Impact:
Config is not synced properly to another device in the device group.

Workaround:
- Workaround 1:

Step1. On Standby (where the problem happens): delete the policy in question.

Step2. On Active: modify the access policy and Sync it.

* Problem with this workaround: sometimes, you cannot properly delete the access policy in question on the standby (as customization is corrupted, some related config deletion fails).


- Workaround 2:
Step 1. On Standby (where the problem happens): try to open up access policy item using VPE. Error will show the exact location of the file that is missing, for example:

"An error 'customization::getMessages: Unable to get xml dom from /config/filestore/files_d/Common_d/customization_group_d/:Common:MyAccessPolicy_act_logon_page_ag_5678_4' has occured on server... Dialogue loading has failed."

Step 2. On Standby: copy the exact file from active unit to standby unit, change the permission (ownership/group, permission flags) of the file so that it looks similar to active.

Fix:
Target device receives identical configuration as source one after config sync after user updates logon page field in logon agent editing dialog.


755447-1 : SSLO does not deliver content generated/originated from inline device

Component: Access Policy Manager

Symptoms:
If any inline service acting as a proxy generates content for the client while resetting the server side connection, then the client might not see the content, and will instead see a reset.

Conditions:
-- F5 SSL Orchestrator (SSLO) with inline services intercepting requests and replying without letting the content go to back-end server.
-- Inline services resetting the back-end connection

Impact:
Client receives a reset instead of a redirect or error page.

Workaround:
None.

Fix:
Clients now receive the content that the inline device generates.


755378-1 : HTTPS connection error from Chrome when BADOS TLS signatures configured

Component: Anomaly Detection Services

Symptoms:
HTTPS connection error occurs. The system posts the following ltm.log warnings:

-- warning tmm1[25112]: 01260009:4: Connection error: ssl_basic_crypto_cb:694: Decryption error (20)
-- warning tmm1[25112]: 01260009:4: Connection error: hud_ssl_handler:1941: codec alert (20)

Conditions:
-- BADOS TLS signatures configured.
-- DoS profile is attached to a virtual server.
-- Using Google Chrome browser.

Impact:
HTTPS virtual server is not responsive.

Workaround:
Turn off TLS signatures flag.

Fix:
HTTPS connection error no longer occurs when connecting from Chrome to virtual server with TLS signature BADOS protection.


755254-1 : Remote auth: PAM_LDAP buffer too small errors

Component: TMOS

Symptoms:
You are unable to log into the BIG-IP system using an LDAP account.

The system might log the following message in /var/log/secure:
-- crit httpd[28010]: pam_ldap(httpd:account): buffer 'buffer_size' too small.

Note: This message might not be logged for all occurrences of this issue.

Conditions:
This occurs when the following conditions are met:

-- Remote-LDAP authentication is configured.
-- There is a user account with attributes longer than 255 characters in length.
-- That user attempts a logon to the BIG-IP system.

Impact:
LDAP authentication not working properly.

Workaround:
Configure user accounts with attributes shorter than 255 characters.

Fix:
LDAP authentication and authorization now succeeds for users under these conditions.


755047-1 : Category lookup returns wrong category on CONNECT traffic through SSLO

Component: Access Policy Manager

Symptoms:
Category lookup returns wrong category on CONNECT traffic through F5 SSL Orchestrator (SSLO).

Conditions:
-- Outbound deployment configured in SSLO, where SSLO behaves as a transparent proxy.
-- A policy has a branch to lookup category using HTTP Connect.
-- An HTTPS client generates HTTPS traffic via an explicit proxy on local network with private address through SSLO as the gateway.

Impact:
Category Match is not performed, resulting in fallback branch to be taken.

Workaround:
None

Fix:
Category lookup now works correctly in this scenario.


755005-1 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations

Component: Application Security Manager

Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.

Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.

Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.

Workaround:
None.

Fix:
Correct templates are now used for Illegal Request Length and Illegal Query String Length violations, so the correct titles show.


754985-1 : Standby mirrored server SSL connections fail, and tmm may crash while processing mirrored TLS traffic

Component: Local Traffic Manager

Symptoms:
Server SSL mirrored connections fail, showing any6.any - any6.any as the server connection.

Under certain conditions, the standby TMM may crash while processing mirrored TLS traffic.

Conditions:
-- Virtual server with server-side SSL.
-- Connection mirroring enabled.

Impact:
High availability (HA) connection mirroring fails. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM now processes TLS traffic as expected.


754944-1 : AVR reporting UI does not follow best practices

Solution Article: K00432398


754875-1 : Enable FIPS in prelicensed VE images without requiring a reboot

Component: Local Traffic Manager

Symptoms:
Must reboot a FIPS-enabled PAYG-Best BIG-IP Virtual Edition (VE) image to see the FIPS prompt.

Conditions:
-- Using FIPS.
-- Using PAYG-Best.
-- Using VE.

Impact:
Must reboot the system to see the FIPS prompt.

Workaround:
Reboot the system to see the FIPS prompt.

Fix:
This release enables FIPS in prelicensed VE images without requiring a reboot.

Behavior Change:
You no longer need to reboot a FIPS-enabled PAYG-Best VE image to see the FIPS prompt.


754841-1 : Policy updates stall and never complete

Component: Application Security Manager

Symptoms:
When applying new or updated ASM policies, the update process stalls and never returns.

This error is logged in /var/log/asm:

crit perl[7333]: 01310027:2: ASM subsystem error (bd_agent,F5::BdAgent::start): No ack received from BD after 600 seconds -- aborting.

Conditions:
This can occur intermittently when making policy updates.

Impact:
The policy update is not applied, and you are unable to make configuration changes.

Workaround:
Restart ASM:
bigstart restart asm

Fix:
The system now handles the application of new or updated ASM policies so that the issue no longer occurs.


754805 : Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured

Solution Article: K97981358

Component: Advanced Firewall Manager

Symptoms:
tmm might crash and restart.

Conditions:
When AFM DoS badactor or attacked dst is configured on a vector, there is a race condition which can cause tmm to crash. The same race condition is present when single endpoint vectors are configured.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The race condition is now fixed.


754691-1 : During failover, an OSPF routing daemon may crash.

Component: TMOS

Symptoms:
With a specific OSPF configuration, during a failover, a peer which is changed from standby to active may experience an ospfd daemon crash.

Conditions:
High availability configuration with a routing configuration:
1) access-list with 0.0.0.0/0 filtering:
access-list 199 remark test
access-list 199 deny ip host 0.0.0.0 host 0.0.0.0
access-list 199 permit ip any any

2) OSPF router with this access-list:
router ospf 1
 ospf router-id 10.14.0.11
 bfd all-interfaces
 network 10.14.0.0/16 area 0.0.0.1
 distribute-list 199 in
!

-- The device with this configuration is in the standby state.
-- A failover occurs.

Impact:
An OSPF daemon crashes, losing routing information and OSPF dynamic routes for a moment while ospfd daemon restarts.

Workaround:
None.

Fix:
An ospfd daemon no longer crashes during a failover.


754615-2 : Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup.

Component: Service Provider

Symptoms:
tmm crashes.

Conditions:
-- SIP calls under load.
-- MRF-SIP-ALG setup.
-- Most of the calls re-use the conn flow.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
If connections reach a threshold value of 64500, the connection is dropped, drop stats are updated, and a log message is reported: Message handling threshold reached on flow.


754542-2 : TMM may crash when using RADIUS Accounting agent

Component: Access Policy Manager

Symptoms:
TMM may crash when using RADIUS Accounting agent in either per-session or per-request policy.

Conditions:
- APM is provisioned and licensed.
- RADIUS Accounting agent is used in either per-session or per-request policy.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when RADIUS Accounting agent is used in the access policy.


754541-2 : Reconfiguring an iApp that uses a client SSL profile fails

Component: TMOS

Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:

-- A virtual server is created but no client SSL profile is applied.
-- In the /var/log/ltm file, the system logs messages similar to the following example:

err mcpd[6434]: 01b4002b:3: Client SSL profile (/Common/Example.app/Example_client-ssl): the profile has no RSA cert/key pair that can be modified. To add RSA cert/key, please use [cert-key-chain add]

Conditions:
This issue occurs when the following conditions are met:

-- Attempting to reconfigure an iApp.
-- The iApp contains a client SSL profile.

Impact:
The system fails to create and apply the client SSL profile to the virtual server.

Workaround:
To work around this issue, you can temporarily disable SSL in the iApp, and then enable it again.

Impact of workaround:
Reconfiguring your iApp reconfigures all BIG-IP objects associated with the iApp. This might cause service disruptions to the application the iApp has been deployed for.

1. Navigate to the impacted iApp in GUI:
iApps :: Application Services : Applications :: Example.
 
2. Find the setting associated with the client SSL profile, often titled "How should the BIG-IP system handle SSL traffic?"

3. Change the associated setting to one that does not imply the use of SSL, for example: "Plain text to and from both clients and servers."

4. Press the Reconfigure button.

5. Return to the same question and change the field back to its original setting.

6. Press the Reconfigure button once more.

Fix:
Reconfiguring an iApp that uses a client SSL profile now succeeds as expected.

This issue is resolved in the following release candidates:

f5.microsoft_exchange_2016.v1.0.3rc5.tmpl
f5.microsoft_exchange_2016.v1.0.3rc6.tmpl

Issues resolved:

- Corrected an issue that caused TCL iApps using client-ssl profiles to break when the iApp was reconfigured. This issue only affected iApps running on BIG-IP 14.1.


754525-1 : Disabled virtual server accepts and serves traffic after restart

Component: Local Traffic Manager

Symptoms:
Disabled virtual servers accept traffic after being upgraded to an affected version, or after restarting.

Conditions:
1. A virtual server is configured on pre-v14.1.0.
2. Disable the virtual server.
3. Either upgrade to an affected version, or restart the system.

Impact:
The virtual server remains 'Disabled', but it accepts and processes traffic.

Workaround:
To correct the behavior, manually enable/disable the virtual server.

Fix:
Disabled virtual servers no longer process traffic after a restart.


754500-2 : GUI LTM Policy options disappearing

Component: TMOS

Symptoms:
Listed policies disappear under 'Do the following when traffic is matched' in Local Traffic :: Policies : Policy List :: {Rule Name} when pressing Cancel or Save and opening the list again.

Conditions:
Click the Cancel or Save button on the Local Traffic :: Policies : Policy List :: /Common/policy1:rule1 properties page.

Here are some specific steps to reproduce this issue (this procedure assumes you have at least one policy with at least one rule defined):
1. Navigate to Local Traffic :: Policies : Policy List :: /Common/policy1:rule1 to open the rule1 properties page.
2. In the section 'Do the following when the traffic is matched', click to open the first dropdown menu.
  - The system lists all of the items.
3. Click Cancel.
4. Click to reopen the properties page, and click the first dropdown menu.
  - The system lists fewer of the options.
5. Repeat steps 3 and 4.

Impact:
Options disappear from the list each time you click Cancel or Save. Cannot select options because they are no longer visible in the list.

Workaround:
To return all options to the list, use the refresh button in the browser.

You can also use the following the tmsh command:
modify ltm policy Drafts/<policy name> modify { <rule name> { actions add { ...

Fix:
Policies no longer disappear under these conditions.


754425-1 : Exported requests cannot be opened in Internet Explorer or Edge browser

Component: Application Security Manager

Symptoms:
Any exported report (requests/correlation/learning) cannot be opened in Microsoft Internet Explorer (IE) or Edge brower due to javascript error

Conditions:
Viewing an exported report using IE or Edge.

Impact:
Unable to view the exported report.

Workaround:
Use a different browser.

Fix:
Exported files are now visible in all officially supported browsers.


754420-1 : Missing policy name in exported ASM request details

Component: Application Security Manager

Symptoms:
No Policy name in exported ASM Request details.

Conditions:
This is encountered when viewing the Security Events Report.

Impact:
Missing policy name in request details.

Workaround:
None.

Fix:
Policy name is now displayed in exported ASM request details.


754365-5 : Updated flags for countries that changed their flags since 2010

Component: Application Security Manager

Symptoms:
Old flags for countries that changed their flags since 2010.

Conditions:
Requests from one of the following counties:
-- Myanmar
-- Iraq
-- Libya

Impact:
Old flag is shown.

Workaround:
None.

Fix:
The three flags are now updated in ASM.


754346-2 : Access policy was not found while creating configuration snapshot.

Component: Access Policy Manager

Symptoms:
APMD fails to create configuration snapshot with the following error:

--err apmd[16675]: 01490000:3: AccessPolicyProcessor/AccessPolicyProcessor.cpp func: "dispatchEvent()" line: 1195 Msg: EXCEPTION AccessPolicyProcessor/ProfileAccess.cpp line:234 function: snapshotConfigVariables - AccessPolicy ("/Common/myPolicy") not found while creating configuration snapshot!!!!

If you attempt to modify the policy in question, the system reports a second error:

-- err apmd[16675]: 01490089:3: 00000000: Configuration change notification received for an unknown access profile: /Common/myPolicy

Conditions:
If TMM restarts and new access policy is added before TMM is fully up and running.

Impact:
Configuration snapshot is not created, and users cannot log on.

Workaround:
Recreate the access profile when TMM is stable.


754345-2 : WebUI does not follow best security practices

Solution Article: K79902360


754143-1 : TCP connection may hang after finished

Component: Local Traffic Manager

Symptoms:
TCP connections hang. Memory usage increases. TMM restarts.

Numerous hanging connections reported similar to the following:
-- config # tmsh show sys conn protocol tcp
Sys::Connections
10.0.0.1:5854 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5847 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5890 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5855 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5891 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none

Conditions:
Pool member fails to respond with an ACK to BIG-IP system serverside FIN. The BIG-IP system serverside connection eventually times out, and the clientside connection is orphaned.

Impact:
Those connections hang indefinitely (even past the idle timeout). Memory increases, eventually leading to a possible TMM out-of-memory condition, requiring a TMM restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TCP connections no longer hang under these conditions.


754109-1 : ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive

Component: Application Security Manager

Symptoms:
When the backend server sends a content-security-policy header where source-src and default-src directives are missing, ASM will modify the header when it does its own JavaScript injection, which might cause a csp policy violation for inline JavaScript code.

Conditions:
-- ASM provisioned.
-- ASM or Bot-Defense/DoS attached on a virtual server.
-- ASM or Bot/Dos does inline injections, like CSRF/CSHUI.

Impact:
Inline JavaScript does not run. The Browser reports a content-security-policy violation.

Workaround:
You can use either of the following workarounds:

-- Disable csp in ASM by running the following commands:
/usr/share/ts/bin/add_del_internal add csp_enabled 0
bigstart restart asm

-- Disable csp in Bot/DoS using an iRule:
when HTTP_REQUEST {
    set csp 0
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Content-Security-Policy] } {
        set csp "[HTTP::header values Content-Security-Policy]"
    }
}
when HTTP_RESPONSE_RELEASE {
    if { $csp != 0 } {
        HTTP::header replace Content-Security-Policy $csp
    }
    set csp 0
}

Fix:
ASM/Bot/DoSL7 no longer modifies the csp header when both source-src and default-src directives are missing.


754103-1 : iRulesLX NodeJS daemon does not follow best security practices

Solution Article: K75532331


754066-1 : Newly added Systems are not added as part of installing a Server Technologies update file

Component: Application Security Manager

Symptoms:
Newly added Systems are not added as part of installing a Server Technologies update file, which prevents acceptance of Server Technology suggestion.

Conditions:
A Server Technology update file contained newly added Systems is installed.

Impact:
A suggestion to add a Server Technology using a newly added System cannot be accepted.

Workaround:
The corresponding ASM Signature update file must be loaded first.

Fix:
Newly added Systems are added correctly after installing Server Technology update file.


754003-3 : Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate

Solution Article: K73202036

Component: Local Traffic Manager

Symptoms:
For more information please see: https://support.f5.com/csp/article/K73202036

Conditions:
For more information please see: https://support.f5.com/csp/article/K73202036

Impact:
For more information please see: https://support.f5.com/csp/article/K73202036

Workaround:
None.

Fix:
For more information please see: https://support.f5.com/csp/article/K73202036


753975-2 : TMM may crash while processing HTTP traffic with AAM

Solution Article: K92411323


753912-4 : UDP flows may not be swept

Solution Article: K44385170

Component: Local Traffic Manager

Symptoms:
Some UDP connection flows do not show in connection table but do show up in stats. This might occur with datagram_lb mode is enabled on the UDP profile under heavy load.

Conditions:
-- UDP profile with datagram_lb mode enabled.
-- System under heavy load.

Impact:
Increased memory utilization of TMM.

Workaround:
None.

Fix:
The system now correctly manages all expired flows.


753796-1 : SNMP does not follow best security practices

Solution Article: K40443301


753776-2 : TMM may consume excessive resources when processing UDP traffic

Solution Article: K07127032


753711-1 : Copied policy does not retain signature staging

Component: Application Security Manager

Symptoms:
When copying a modified policy or a policy that has never been applied, all signatures are set to staging enabled.

Conditions:
Copying a modified policy or policy that has never been applied.

Impact:
All signatures in the copied policy are set to staging enabled.

Workaround:
Export the policy (either as binary or XML) and re-import.

Fix:
Signature staging settings are retained correctly after the policy is copied.


753650-2 : The BIG-IP system reports frequent kernel page allocation failures.

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)

Please note the issue is known to occur regardless of whether the system is running in vCMP mode or not, and regardless of whether the system is Active or Standby.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this to either 64 MB (65536 KB for 2250 blades), 48 MB (49152 KB for B4300 blades) or 128 MB (131072 KB for 4450 blades). You must do this on each blades installed in the system.

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

Fix:
The BIG-IP system no longer experiences kernel page allocation failures.


753642-1 : iHealth may report false positive for Critical Malware

Component: TMOS

Symptoms:
A minor change in the way qkview reports executable filenames may cause iHealth to interpret the presence of malware.

Conditions:
qkview files produced by 14.1.0 when uploaded to ihealth.f5.com

Impact:
iHealth may report a false positive for malware.

Workaround:
Ignore critical errors for malware reported by iHealth for version 14.1.0 only.

Fix:
This is fixed in 14.1.0.1


753564-1 : Attempt to change password using /bin/passwd fails

Component: TMOS

Symptoms:
When we run /bin/passwd as root:
passwd.bin: unable to start pam: Critical error - immediate abort
 Failed to change user's password. Exiting.

If we then do /bin/ausearch -m avc -ts recent, we see a lot of selinux denials for passwd.bin.

Conditions:
No special conditions needed

Impact:
Root/admin user cannot change password using the standard /bin/passwd executable.

Workaround:
The workaround would be to disable selinux, change the password and re-enable selinux:

# setenforce Permissive
# passwd
# setenforce Enforcing


Alternatively, one can use the tmsh commands to change the passwords: tmsh modify auth password root

Lastly, if one wishes to modify the selinux policy, there is the standard way of doing this

# ausearch -c passwd.bin --raw | audit2allow -M mypasswd
# semoduile -i mypasswd.pp

Fix:
With fix, we have no issues with /bin/passwd.bin being denied by selinux and /bin/passwd works as expected.


753514-3 : Large configurations containing LTM Policies load slowly

Component: Local Traffic Manager

Symptoms:
Very slow performance when loading a configuration, for example, at system start up. During this time, the tmsh process shows high CPU usage.

Conditions:
Big IP 13.1.x, 14.x. Large configuration (1 MB or larger) and at least one, but more likely tens or hundreds of LTM policies defined in the configuration.

Impact:
Slow configuration loading, or in cases with very large configurations, full config load may fail after a long wait. Slowness increases with overall configuration size and number of LTM policies defined.

Workaround:
None.

Fix:
Large configurations containing LTM Policies load normally.


753485-1 : AVR global settings are being overridden by HA peers

Component: Application Visibility and Reporting

Symptoms:
Configuration of AVR global settings is being overridden by high availability (HA) peers, and thus report incorrectly to BIG-IQ Data Collection Devices (DCDs).

Conditions:
Configuring HA for systems connected to BIG-IQ.

Impact:
Configuration of BIG-IP systems in HA configuration can override each other. This might result in the following behavior:
-- A common symptom is the 'Stats Last Collection Date' shows up as Dec 31, 1969 or Jan 01, 1970, depending the timezone configuration of the device
-- The 'Stats Last Collection Date' shows up as '--'
-- The BIG-IP systems incorrectly identify themselves to BIG-IQ.
-- The BIG-IP systems report to the wrong DCD.
-- The BIG-IP systems report to DCD, even if they are not configured to report at all.
-- The BIG-IP systems do not report at all, even if they are configured to report.

Note: This bug is tightly related to BIG-IQ Bug ID 757423.

Workaround:
None.

Fix:
Synchronization of relevant fields on AVR global settings are disabled, so this issue no longer occurs.


753446-2 : avrd process crash during shutdown if connected to BIG-IQ

Component: Application Visibility and Reporting

Symptoms:
During shutdown of BIG-IP, if it is connected to BIG-IQ then avrd might crash.

Conditions:
BIG-IP is set to shutdown and configured to send statistics to BIG-IQ.

Impact:
No serious impact, since the BIG-IP is already instructed to shutdown, so the process crash is not causing any damage.

Workaround:
N/A

Fix:
Issue is fixed, avrd does not crash during shutdown


753370-3 : RADIUS auth might not be working as configured when there is change in RADIUS auth config name.

Component: Access Policy Manager

Symptoms:
RADIUS auth might not be working as configured when there is change in RADIUS auth config name. You might also see an error:

err apmd[14182]: 01490108:3: /Common/:Common:cc55b9e2: RADIUS module: authentication with 'testuser@example' failed: no response from server (0).

Conditions:
In an LTM pool that uses APM AAA RADIUS to authenticate, change (modify/delete) the name of the RADIUS authentication server in config file.

Impact:
When using tmm.default version, intermittently MCP error messages in tmm logs indicate that the RADIUS server cannot be found, and RADIUS authentication does not work as expected.

Workaround:
None.


753295-1 : ASM REST: All signatures being returned for policy Signatures regardless of signature sets

Component: Application Security Manager

Symptoms:
By default, only signatures that are included in the Security Policy enforcement via the Policy's Signature Sets are included in the response to /tm/asm/policies/<ID>/signatures.

Additionally, there should be the capability to $filter for either signatures that are in the policy or not in the policy.

These filters are not working

Conditions:
ASM REST/GUI is used to determine the number of signatures enabled on a Security Policy

Impact:
More data that expected will be returned to REST clients which may cause confusion.
Learning statistics/graphs may have confusing/incorrect numbers.

Workaround:
None

Fix:
inPolicy $filter works again, and the default behavior only returns the signatures that are in the policy.


753163-4 : PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days

Component: Policy Enforcement Manager

Symptoms:
No connection request with PCRF/OCS if high availability (HA) failover occurs after 26 days. tmm crash

Conditions:
-- Using PEM.
-- high availability (HA) failover occurs after 26 days.

Impact:
PEM does send the reconnect request within the configured reconnect, so there is no connection initiated with PCRF/OCS.

Workaround:
To restart the connection, restart tmm restart using the following command:
tmm restart

Note: Traffic disrupted while tmm restarts.

Fix:
PEM now initiates the connection with PCRF/OCS under these conditions.


753028-2 : AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule

Component: Advanced Firewall Manager

Symptoms:
When Proxy ARP is enabled for destination addresses in an FW NAT rule performing destination NAT (static-nat/static-pat), forwarding ICMP traffic matching that rule is incorrectly dropped by AFM instead of being forwarded through the BIG-IP system.

Conditions:
-- Proxy ARP is enabled for destination addresses in an FW NAT rule.
-- The BIG-IP system (AFM) receives forwarding ICMP traffic for these (untranslated) destination addresses.

Impact:
Forwarding ICMP traffic is dropped by the BIG-IP system.

Workaround:
You can disable Proxy ARP functionality for FW NAT rules to cause the BIG-IP system (AFM) to handle forwarding ICMP traffic correctly and pass it through the system to the backend.

However, this causes the BIG-IP system to not respond to ARP requests anymore for destination addresses in such rules. As a further mitigation action, you can configure static ARP entries to handle this.

Fix:
The BIG-IP system (AFM) now correctly forwards ICMP traffic through to the backend when Proxy ARP is enabled on destination addresses in the matching FW NAT rule.


752942-1 : Live Update cannot be used by Administrator users other than 'admin' and 'root'

Component: Application Security Manager

Symptoms:
When users configured with the Administrator role log into the system, they are not allowed to install security update files on the new live-update page:
System :: Software Management : Live Update

Conditions:
Logged in BIG-IP user is not 'admin' (the built-in Administrator account for the TMUI) or 'root' (the built-in Administrator account for the TMSH).

Impact:
Cannot apply security updates.

Workaround:
To install the security updates, log in as 'admin' or a BIG-IP user configured as a web-application-security-administrator or web-application-security-editor (role must be configured on all partitions or at least on the Common partition).

Fix:
Any BIG-IP user configured as Administrator can now apply security updates.


752930-3 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state

Component: Local Traffic Manager

Symptoms:
Virtual Servers left in unknown state. Blade keeps restarting.

Conditions:
Change default route domain (RD) of partition with wildcard Virtual Servers.

Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop.

Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.

2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:

# ssh slot2 bigstart stop

# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109

# save sys config

# clsh rm -f /var/db/mcpdb.bin

# ssh slot2 bigstart start

Note: This recovery method might have to be executed multiple times to restore a working setup.


752875-2 : tmm core while using service chaining for SSLO

Component: Access Policy Manager

Symptoms:
tmm cores when using security services (service connect agent in per-request policies) for SSLO deployment.

Conditions:
-- Service connect agent in per-request policy.
-- SSLO deployment.

Impact:
tmm cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer cores when using security services (service connect agent in per-request policies) for SSLO deployment.


752835-2 : Mitigate mcpd out of memory error with auto-sync enabled.

Solution Article: K46971044

Component: TMOS

Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it will exponentially get further behind due to extra sync data, leading to the sending mcpd running out of memory and core dumping.

Conditions:
-- Auto-sync enabled in an high availability (HA) pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.

Impact:
Mcpd crashes.

Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.

Fix:
This is not a complete fix. It is still possible for mcpd to run out of memory due to a peer not processing sync messages quickly enough. It does, however, make it more difficult for this scenario to happen, so configuration changes with auto-sync on can be sent somewhat more quickly without crashing mcpd as often.


752822-1 : SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type

Component: Service Provider

Symptoms:
SIP ALG calls that fail translation during ingress are not cleaned up by the system, which might result in memory being leaked inside the TMM processes.

Conditions:
SIP ALG calls that fail translation during ingress.

Impact:
TMM leaks memory, which can slow down performance and eventually cause TMM to run out of memory and restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now cleans up SIP ALG calls that fail translation during ingress, so this issue no longer occurs.


752803-1 : CLASSIFICATION_DETECTED running reject can lead to a tmm core

Component: Traffic Classification Engine

Symptoms:
When the CLASSIFICATION_DETECTED event is run on a serverside flow, and then an iRule command (e.g., to reject a flow) is run, tmm crashes.

Conditions:
-- CLASSIFICATION_DETECTED event runs on a serverside flow.
-- An iRule command runs (e.g., reject a flow).

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes under these conditions.


752782-1 : 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'

Component: Fraud Protection Services

Symptoms:
The 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.

Conditions:
FPS Provisioning and a DataSafe license.

Impact:
The menu name has changed in this release.

Workaround:
None.

Fix:
'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.


752592-1 : VMware Horizon PCoIP clients may fail to connect shortly after logout

Component: Access Policy Manager

Symptoms:
Sometimes if user closes opened PCoIP desktop and logs out and then logs in again, he can't launch the same desktop anymore.

Conditions:
PCoIP UDP VS has "vdi" profile assigned.

Impact:
User can't open PCoIP remote desktop during short time period (1 minute).

Workaround:
Remove "vdi" profile and assign "remotedesktop" profile to the PCoIP UDP VS:
# tmsh modify ltm virtual <PCoIP UDP VS> profiles delete { vdi }
# tmsh modify ltm virtual <PCoIP UDP VS> profiles add { remotedesktop }

In admin UI the assignment of "remotedesktop" profile can be controlled via "Application Tunnels (Java & Per-App VPN)" checkbox (right under "VDI Profile" dropdown).

Fix:
Assignment of "vdi" profile to PCoIP UDP VS does not cause intermittent connection problems anymore.


752363-2 : Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled

Component: Advanced Firewall Manager

Symptoms:
Client request fails, due to being dropped on the BIG-IP system.

Conditions:
-- The BIG-IP AFM L4 BDoS feature is enabled.
-- Virtual server setup is such that the client-facing virtual server's destination is forwarded through another virtual server, which is an internally forwarded flow.

Impact:
Client request gets dropped due to BIG-IP AFM dropping the flow.

Workaround:
Disable BDoS feature. The feature can be disabled using the following commands:

-- To disable BDoS globally, run the following command:
modify security dos device-config dos-device-config dynamic-signatures { network { detection disabled mitigation none }}

To disable BDoS globally per-profile, run the following command:
modify security dos profile <profile-name> dos-network modify { test { dynamic-signatures { detection disabled mitigation none } } }
modify security dos profile test protocol-dns modify { test { dynamic-signatures { detection disabled mitigation none } } }

Fix:
The system now handles the looped flows properly, so the BDoS module does not incorrectly cause the packet to be dropped.


752078-2 : Header Field Value String Corruption

Component: Local Traffic Manager

Symptoms:
This is specific to HTTP/2.

In some rare cases, the header field value string can have one or more of its prefix characters removed by the BIG-IP system.

Conditions:
-- The header field value string is exceptionally long, and has embedded whitespace characters.
-- HTTP/2 is used.

Impact:
A header such as:
x-info: very_long_string that has whitespace characters

may be sent to the client as:
x-info: ery_long_string that has whitespace characters

Workaround:
None.

Fix:
The BIG-IP system no longer removes the prefix characters from very long HTTP/2 header field value strings containing embedded whitespace characters.


752047-1 : iRule running reject in CLASSIFICATION_DETECTED event can cause core

Component: Traffic Classification Engine

Symptoms:
The CLASSIFICATION_DETECTED iRule event can run very early when classification happens in the classification database (srdb). If the iRule then issues a reject command, tmm cores.

Conditions:
CLASSIFICATION_DETECTED on L4 executing reject command.

Impact:
tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
iRule running reject in CLASSIFICATION_DETECTED event no longer causes tmm core.


751869-2 : Possible tmm crash when using manual mode mitigation in DoS Profile

Component: Advanced Firewall Manager

Symptoms:
tmm crash and restart is possible when using manual mode mitigation in DoS Profile.

Conditions:
When manual mode mitigation is used for any vector that is enabled in the DoS Profile that is attached to a Protected Object.

Impact:
tmm crash and restart is possible. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm crash and restart no longer occurs when using manual mode mitigation in DoS Profile.


751824-1 : Restore old 'merge' functionally with new tmsh verb 'replace'

Component: TMOS

Symptoms:
Prior to v12.1.3.4, the 'merge' command merged a specified config with the existing config, replacing certain conflicting values. In this release, the merge command operates differently, so there is a new command, 'replace', to now perform the operation previously accomplished with 'merge'.

Conditions:
Running the following command:
tmsh load /sys config file <scf-filename> merge

Impact:
Operation does not work like it did in previous releases.

Workaround:
None.

Fix:
This release restores the merge functionally from v12.x and earlier with a new tmsh verb: replace. The new TMSH command is as follows:
tmsh load sys config file <filepath> replace

Behavior Change:
This release restores the merge functionally from v12.x and earlier with a new tmsh verb: replace. The new TMSH command is as follows:
tmsh load sys config file <filepath> replace

The merge command now operates as follows:
-- Previously: if a top-level object (virtual server) existed in the config and also in the merge file, the top-level object was replaced.
-- Now: if a top-level object (virtual server) exists in both, the top-level object is recursively merged. (Pool members are merged together. LTM virtual server profiles are merged together (appended vs. replace-all-with)).


751807-1 : SSL Orchestrator may not activate service connectors if traffic is an HTTP tunnel

Component: Access Policy Manager

Symptoms:
Decrypted traffic is not forwarded to services despite even though a matching rule action in security policy selects a service chain.

Conditions:
-- Matching rule action in security policy selects a service chain.
-- Traffic is an HTTP tunnel (CONNECT method) is accepted by an outbound transparent proxy created by SSL Orchestrator.

Impact:
No visibility to decrypted traffic if it is an HTTP tunnel through SSL Orchestrator.

Workaround:
None.

Fix:
Decrypted traffic is forwarded as expected to services, when matching rule action in security policy selects a service chain, for HTTP tunnel traffic sent through SSL Orchestrator.


751710-4 : False positive cookie hijacking violation

Component: Application Security Manager

Symptoms:
A false positive cookie hijacking violation.

Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with the higher domain level then the configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.

Impact:
False positive violation / blocking.

Workaround:
N/A


751636-1 : Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership

Component: TMOS

Symptoms:
Downgrading from BIG-IP version 14.1.0 to an earlier version, the group ID of /var/lock and /var/spool/mail are incorrect. This can be encountered after you boot into the earlier-versioned software image. /var/log/liveinstall.log contains the following messages:

-- info: RPM: filesystem-2.4.30-3.el6.0.0.10.i686
-- info: RPM: warning: group lock does not exist - using root
-- info: RPM: warning: group mail does not exist - using root

When running the following command:
config # rpm -V filesystem
......G.. /var/lock
......G.. /var/spool/mail

The expected results are as follows:
config # rpm -V filesystem
config # stat -c %G /var/lock
lock
config # stat -c %G /var/spool/mail
mail

In this version, the results are as follows:
config # rpm -V filesystem
config # stat -c %G /var/lock
root
config # stat -c %G /var/spool/mail
root

Conditions:
-- BIG-IP version 14.1.0 is running.
-- An earlier software version is installed.
-- The system is then booted into that earlier version.

Impact:
There is no known impact to the system if this occurs; however, running rpm -V will report these two discrepancies.

This occurs because rpm versions 4.8 and earlier have built-in recognition of exactly three group names; 'root', 'mail', and 'lock'. In v4.8, these special names appear in <src>/lib/misc.c:gnameToGid. To use the group names 'mail' and 'lock' as intended, all BIG-IP releases earlier than BIG-IP v14.1.0 rely on this special feature of rpm.

BIG-IP v14.1.0 moved to rpm version 4.11, in which the function no longer exists.

Workaround:
Using a shell command, correct the group ID of the two directories that are incorrect using the following two commands:

config # chgrp lock /var/lock
config # chgrp mail /var/spool/mail


751586 : http2 virtual does not honour translate-address disabled

Component: Local Traffic Manager

Symptoms:
translate-address disabled on a http2 virtual is getting ignored

Conditions:
http2 virtual and translate-address disabled configured

Impact:
The traffic is translated to the destination address to the pool member

Workaround:
none

Fix:
translate-address disabled is working correctly now.


751424-1 : HTTP Connect Category Lookup not working properly

Component: Access Policy Manager

Symptoms:
1. HTTP Connect Category Lookup does not return the correct category.
2. HTTP Connect Category Lookup cannot attach the service chain correctly.

Conditions:
-- Using SSLO iApp to configure a security policy.
-- Choose conditions 'Category Lookup (All)' and '"Category Lookup (HTTP Connect)'.

Impact:
Service chain is not correctly triggered based on the SSLO iApp policy selection when HTTP Connect traffic is passed.

Workaround:
There is no workaround at this time.

Fix:
1. The Access Per-request Policy HTTP Connect Category Lookup agent now returns the correct category ID.
2. Service connector is now inserted correctly, which ensures the correct behavior when dealing with HTTP Connect tunnel traffic.


751179-1 : MRF: Race condition may create to many outgoing connections to a peer

Component: Service Provider

Symptoms:
If two different connections attempt to create an outgoing connection to a peer at the same time, multiple connections may be created, even if the peer object is configured for one connection per peer. This is due to a race condition in message routing framework during connection creation.

Conditions:
-- Two different connections attempt to create an outgoing connection to a peer at the same time.
-- The peer is configured for one connection per peer.

Impact:
More than one connection to a peer is created.

Workaround:
None.

Fix:
Only one connection is created under these conditions.


751152-1 : OpenSSL Vulnerability: CVE-2018-5407

Solution Article: K49711130


751143-1 : OpenSSL Vulnerability: CVE-2018-5407

Solution Article: K49711130


751011-3 : ihealth.sh script and qkview locking mechanism not working

Component: TMOS

Symptoms:
Two qkviews can be started up on a system at the same time, which results in conflicts for each.

Conditions:
Running qkview on one terminal and then ihealth.sh in another.

Impact:
Running of two qkviews at the same time breaks both qkviews since they compete for the same files.

Workaround:
Run either qkview or ihealth.sh, not both simultaneously.

Fix:
Starting a qkview and then running ihealth.sh halts immediately as the system detects that qkview is running.


751009-3 : Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out

Component: TMOS

Symptoms:
After generating a Qkview or collecting a tcpdump via the BIG-IP GUI, or using the 'tmsh run util ihealth' command to do the equivalent, the /var/tmp/mcpd.out file is missing.

Conditions:
-- Generating a Qkview or collecting a tcpdump via the BIG-IP GUI.
-- Using the 'tmsh run util ihealth' command to do the equivalent operation.

Impact:
The file /var/tmp/mpcd.out is a debug file used by mcpd, primarily for collecting debug-level log information from MCPD.

The file being deleted causes challenges with trying to collect diagnostic information from a BIG-IP system (turning on mcpd debug logging), because it now requires a service impact (restarting mcpd).

Additionally, may cause challenges in managing disk space on /shared filesystem, as mcpd keeps writing to a deleted file, and it cannot be truncated.

Workaround:
Generating Qkviews by invoking the 'qkview' command directly avoids this issue.

Edit the /usr/bin/ihealth.sh script to remove the corresponding line.

From a bash shell:
1. mount -o remount,rw /usr
2. /bin/cp /usr/bin/ihealth.sh{,751009.bak}
3. sed -i '/\/bin\/rm -f \/var\/tmp\/mcpd.out/d' /usr/bin/ihealth.sh
4. mount -o remount,ro /usr

Note: This workaround does not persist across software installs/upgrades, nor does it ConfigSync or replicate across blades in a VIPRION chassis.

Fix:
The problem line has been removed from the script, so this mcpd debug file is left alone (not deleted) after running ihealth.sh. Note that the GUI version of running qkview uses ihealth.sh script.


750973-1 : Import XML policy error

Component: Application Security Manager

Symptoms:
Import XML policy fails with errors:
--------
The security policy file does not conform to the schema and cannot be imported
element attack_type: Schemas validity error : Element
'attack_type': 'Web Scraping' is not a valid value
--------

Conditions:
-- A user-defined Signature Set having Attack Type 'Web Scraping' defined.

-- This Signature Set is included in an exported XML policy.

Impact:
Schema validation on XML policy import fails. Import XML policy fails with errors.

Workaround:
Use binary policy export/import.

Fix:
This release fixes the XML policy export/import process to not fail or produce Attack Type 'Web Scraping'-related errors.


750922-1 : BD crash when content profile used for login page has no parse parameters set

Component: Application Security Manager

Symptoms:
Bd crashes. No traffic goes through ASM.

Conditions:
-- A Json Login page is configured.
-- The content profile used for the login page does not have parse parameters set.

Impact:
No traffic goes through ASM. Bd crashes.

Workaround:
Set the parse parameters setting.

Fix:
BD no longer crashes when the content profile used for login page has no parse parameters set.


750823-1 : Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD

Component: Access Policy Manager

Symptoms:
Memory usage in TMM keeps going up.

Conditions:
Access::policy evaluate command fails with error message in /var/log/ltm:

TCL error: ... - Failed to forward request to apmd.

Impact:
Memory leaks in TMM, which cause a TMM crash eventually.

Workaround:
Limit the amount of data that will be forwarded to APMD.


750793-2 : Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition

Component: Application Security Manager

Symptoms:
Removing Bot/Logging/Security Service profiles that were created in a user-defined partition fails via GUI.

Conditions:
Attempting to delete Bot/Logging/Security Service profiles that were created in a user-defined partition.

Impact:
The Bot/Logging/Security Service Profile cannot be deleted via GUI.

Workaround:
Remove Bot/Logging/Cloud Security Service profiles via TMSH.

Fix:
You can now remove Bot profiles, Logging profiles, and Cloud Security Service profiles from user-defined partition.


750689-3 : Request Log: Accept Request button available when not needed

Component: Application Security Manager

Symptoms:
There are several violations that make requests unlearnable, but the Accept Request Button is still enabled.

Conditions:
This occurs in the following scenarios:

1. Request log has requests with following violations that make requests unlearnable:
 - Threat Campaign detected.
 - Null character found in WebSocket text message.
 - Access from disallowed User/Session/IP/Device ID.
 - Failed to convert character.

2. Subviolations of HTTP protocol compliance fails violation:
 - Unparsable request content.
 - Null in request.
 - Bad HTTP version.

3. Only the following violations are detected:
 - Access from malicious IP address.
 - IP address is blacklisted.
 - CSRF attack detected.
 - Brute Force: Maximum login attempts are exceeded.

Impact:
Accept Request button is available, but pressing it does not change the policy.

Workaround:
None.

Fix:
The Accept Request button is now disabled when there is nothing to be learned from request.


750686-1 : ASE user cannot create or modify a bot signature.

Component: Application Security Manager

Symptoms:
Application Security Editor user role gets a validation exception while trying to create or modify bot defense signature either via GUI, tmsh, or REST.

Conditions:
The logged on user account is configured with an Application Security Editor role.

Impact:
Application Security Editor unable to define user-defined signatures for bot defense module.

Workaround:
Change user role to Administrator or Web Application Security Administrator to create or modify bot defense signatures.

Fix:
User accounts configured for Application Security Editor can now create/modify bot defense signatures.


750683-1 : REST Backwards Compatibility: Cannot modify enforcementMode of host-name

Component: Application Security Manager

Symptoms:
Modifying the enforcementMode value fails with the following message: Valid Host Name already exists in this policy.

In 14.1.0, the capability to treat specific domains as Transparent while the rest of the policy is in Blocking moved from Host Names to the new Microservices feature. The REST endpoint for Host Names (/mgmt/tm/asm/policies/<ID>/host-names) is meant to still support setting and modifying this attribute. However, this is not happening successfully.

Conditions:
-- Running version 14.1.0 software.
-- Using a pre-14.1.0 REST API to modify the enforcementMode of a host name (/mgmt/tm/asm/policies/<ID>/host-names).

Impact:
The value change fails.

Workaround:
You can use either workaround:

-- Change the value using the GUI.

-- Use the newer endpoint: (/mgmt/tm/asm/policies/<ID>/microservices).

Fix:
Using the backwards compatible REST to update the enforcementMode of a host name now succeeds.


750668-1 : Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition

Component: Application Security Manager

Symptoms:
Removing Bot/Logging/Security Service profiles that were created in a user-defined partition fails via GUI.

Conditions:
Attempting to delete Bot/Logging/Security Service profiles that were created in a user-defined partition.

Impact:
The Bot/Logging/Security Service Profile cannot be deleted via GUI.

Workaround:
Remove Bot/Logging/Cloud Security Service profiles via TMSH.

Fix:
You can now remove Bot profiles, Logging profiles, and Cloud Security Service profiles from user-defined partition.


750666-1 : Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common'

Component: Application Security Manager

Symptoms:
For any partition other than 'Common'(i.e., a user-defined partition), cannot create a new Bot Signature or Bot Category Signature via GUI, because the form fields and buttons are disabled (grayed out).

Conditions:
-- Creating Bot Signature/Bot Category Signature.
-- The partition is set to a user-defined partition.

Impact:
No creation of Bot Signature/Bot Category Signature can be completed through GUI in a user-defined partition.

Workaround:
Create Bot Signature/Bot Category Signature in TMSH.

Fix:
Can now create Bot Signature/Bot Category Signature in user partition different from 'Common'.


750661 : URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied.

Component: TMOS

Symptoms:
A regression in configuration processing causes LTM Rewrite profile to ignore configured URI translation rules.

Conditions:
Using LTM Rewrite profiles to ignore configured URI translation rules.

Impact:
URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied.

Workaround:
None.

Fix:
Restored functionality of LTM Rewrite URI translation rules.


750586-2 : HSL may incorrectly handle pending TCP connections with elongated handshake time.

Component: TMOS

Symptoms:
HSL may incorrectly handle TCP connections that are pending 3-way handshake completion that exceed default handshake timeout.

Conditions:
-- HSL or ReqLog configured to send logging data to pool via TCP protocol.
-- TCP 3-way handshake takes longer than 20 seconds (the default handshake timeout) to complete.

Impact:
-- Service interruption while TMM restarts.
-- Failover event.

Workaround:
None.

Fix:
HSL handles unusually long pending TCP handshakes gracefully and does not cause outage.


750580-1 : Installation using image2disk --format may fail after TMOS v14.1.0 is installed

Component: TMOS

Symptoms:
When v14.1.0 is installed, subsequent installations of software performed using image2disk with the --format=volumes option from within a TMOS installation slot.

The failure occurs after the disks have been formatted, but before the TMOS installation slot is bootable, and the system is left without a TMOS installation slot.

While performing the installation, the system posts messages similar to the following in the serial console:

-- info: tm_install::RPM::rpm_db_find_by_namearch -- not found : MySQL-shared/i686
   ...
-- info: tm_install::VolumeSet::VolumeSet_install_packages -- installing package MySQL-shared (i686)
-- info: tm_install::RPM::rpm_db_find_by_namearch -- not found : openssl/x86_64
    ...
-- info: tm_install::VolumeSet::VolumeSet_install_packages -- installing package openssl (x86_64)
-- info: capture: status 32512 returned by command: chroot /mnt/tm_install/1258.DHwcwN rpm --rebuilddb
    ...
-- info: chroot: failed to run command 'rpm': No such file or directory

Conditions:
This issue occurs when all of the following conditions are met:
-- Version 14.1.0 is installed on the system, even if the system never boots into the 14.1.0 installation slot.
-- Using image2disk with the --format=volumes option specified from TMOS.
-- Installing another version of the software.


In particular, this issue affects MOS version 2.12.0-140.0, which can be checked by running this command from a bash shell on the BIG-IP system:

     grub_default -d | grep -A6 'TMOS maintenance' | grep 'TIC_STATIC_VERSION'

Impact:
The installation fails, and the system is left in a state where it is not accessible on the network and has no configuration. You must use the console to access the system.

Workaround:
You can use the following workarounds:

-- Use the Software Management screens in the GUI to perform installations
-- Use the tmsh 'sys software' commands to perform software installations.
-- Do not use the image2disk --format command to install software.


750477-1 : LTM NAT does not forward ICMP traffic

Component: Advanced Firewall Manager

Symptoms:
ICMP traffic that matches LTM NAT object on a BIG-IP system, is not forwarded through but instead is dropped on the BIG-IP system.

Conditions:
-- LTM NAT object is configured on the BIG-IP system.
-- The BIG-IP system receives ICMP traffic matching the LTM NAT object.

Impact:
Client ICMP traffic (matching LTM NAT) is not forwarded to the destination causing traffic disruption.

Workaround:
None.

Fix:
ICMP traffic matching an LTM NAT object is now forwarded to the destination as expected.


750460-1 : Subscriber management configuration GUI

Solution Article: K61002104


750447-3 : GUI VLAN list page loading slowly with 50 records per screen

Component: TMOS

Symptoms:
GUI VLAN list page is loading slowly with there are 3200+ VLANs with the Records Per Screen Preference set to 50.

Conditions:
-- Using a VIPRION system.
-- Configuration containing 3200 or more VLANs.
-- System Preferences Records Per Screen set to 50.

Impact:
Cannot use the page.

Workaround:
Use tmsh or guishell tool to see the VLANs.

You can also try using a smaller value for the Records Per Screen option in System :: Preferences.

Fix:
Improved data retrieval and rendering for the VLAN list page.


750431-1 : Persistence record is deleted in MRF SIP after updating timeout value with the iRule 'SIP::persist timeout'

Component: Service Provider

Symptoms:
MRF SIP persistence records are deleted after updating the timeout value with the iRule 'SIP::persist timeout'.

Conditions:
-- MRF SIP configured with a persistence mode enabled.
-- Persistence timeout value is modified with iRule 'SIP::persist timeout'.

Impact:
Connections are not persisted as expected, causing additional processing, load balancing, and potential for misrouted messages.

Workaround:
Do not use 'SIP::persist timeout' to update timeouts. Increase initial timeout values when using custom persistence mode or switch to a non-custom persistence mode that updates timeouts automatically without iRules.

Fix:
The iRule 'SIP::persist timeout' no longer causes the persistence record to be deleted when updating the timeout value.


750356-2 : Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted

Component: Application Security Manager

Symptoms:
In any Split View page (Request Log, Learning, etc.): All user-defined filters are removed if you delete a newly created filter without reloading the page first.

Conditions:
-- Create a new filter.
-- Remove the new filter.

Impact:
The system removes all user-defined filters.

Workaround:
Before you delete a newly created filter, reload the page.

Fix:
Filter removal now completes successfully for all scenarios.


750318-3 : HTTPS monitor does not appear to be using cert from server-ssl profile

Component: TMOS

Symptoms:
An HTTPS monitor using a client certificate configured in the server-ssl profile fails to send the certificate during the SSL handshake.

A tcpdump shows a 0-byte certificate being sent.

Conditions:
-- In-tmm monitoring is disabled (default).
-- The server-ssl profile has been modified but without changing the configured certificate or key.

The resulting message passed from mcpd to bigd will contain only the incremental modification to the profile, which bigd treats as a complete profile, meaning that it is possible for the certificate and key parameters to be lost.

Impact:
SSL handshake might fail to complete and the HTTPS monitor fails.

Workaround:
Restart bigd process by running the following command:
bigstart restart bigd

Fix:
mcpd now sends the full profile configuration to bigd upon modification.


750298-1 : iControl REST may fail while processing requests

Solution Article: K67825238


750292-2 : TMM may crash when processing TLS traffic

Solution Article: K54167061


750200-3 : DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode

Component: Local Traffic Manager

Symptoms:
DHCP requests from the client are sent only to the first member in the DHCP server pool.

Conditions:
- BIG-IP system configured as a DHCP Relay.
- DHCP server pool contains more than one DHCP server.

Impact:
- DHCP server load balancing is not achieved.
- If the first DHCP server in the DHCP server pool does not respond or is unreachable, the DHCP client will not be assigned an IP address.

Workaround:
None.


750187-1 : ASM REST may consume excessive resources

Solution Article: K29149494


749912-1 : [BIG-IQ Integration] Deadlock occurs when adding multiple hostnames with transparent enforcement

Component: Application Security Manager

Symptoms:
Transparent enforcement by hostname has been moved from the Host Name configuration to the Microservice configuration.
REST API Clients that use the backwards-compatible, old endpoint, and send multiple requests in parallel may encounter a deadlock when configuring this element.

Conditions:
1) REST API Clients configure policy enforcement transparency by hostname.
2) They use the backwards-compatible, old endpoint to do so.
3) Multiple requests are sent in parallel.

Note: This is the case for BIG-IQ managing the BIG-IP system and configuring multiple domain names.

Impact:
Configuration calls fail due to internal DB deadlocks

Workaround:
Retry the API calls (or BIG-IQ deployment)

Fix:
Deadlocks during configuration calls are retried automatically and do not interrupt deployments.


749879-2 : Possible interruption while processing VPN traffic

Solution Article: K47527163


749774-5 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled

Component: Global Traffic Manager (DNS)

Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.

Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.

Impact:
Inconsistent behavior.

Workaround:
None.

Fix:
In this release, responses are now consistent when caching is enabled.


749704-2 : GTPv2 Serving-Network field with mixed MNC digits

Component: Service Provider

Symptoms:
iRules command 'GTP::ie get value' incorrectly decodes Serving-Network field, putting the least significant digit of mobile network codes (MNC) value before the other two.

Conditions:
Using the iRule command 'GTP::ie get value' to retrieve the Serving-Network field from a GTP message (the iRule construction: GTP::ie get value -message $gtp_message 83).

Impact:
The operation returns results in which the least significant digit is inserted before the other two, resulting in incorrect data being returned.

Workaround:
None.

Fix:
The iRule command 'GTP::ie get -message $gtp_message 83' that retrieves the Serving-Network now returns the correctly ordered, three-digit values for mobile country codes (MCC) and mobile network codes (MNC) as a two-element list: {{<MCC> <MNC>} <optional data>}, where the first element is another list containing actual MCC and MNC values, while the second element is optional binary data which follows MCC and MNC. It is the same format as used for ULI field decoding.

Behavior Change:
The iRule command 'GTP::ie get -message $gtp_message 83' that retrieves the Serving-Network now returns the correctly ordered, three-digit values for mobile country codes (MCC) and mobile network codes (MNC) as a two-element list: {{<MCC> <MNC>} <optional data>}, where the first element is another list containing actual MCC and MNC values, while the second element is optional binary data which follows MCC and MNC. It is the same format as used for ULI field decoding.


749689-2 : HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart

Component: Local Traffic Manager

Symptoms:
HTTPS monitor sends different amount of cipher suites in client hello during SSL handshake and sometimes back end server fails to find a desired cipher suite from client hello. As a result, sometimes SSL handshake fails and monitor wrongly marks pool member down.

Conditions:
-- Have an SSL profile to be used by an HTTPS monitor.
-- Load the same config more than once.

Impact:
HTTPS monitor might incorrectly mark pool member down because of a failed SSL handshake.

Workaround:
Restart bigd using the following command:
bigstart restart bigd

Fix:
HTTPS monitor now sends a consistent number of cipher suites in the client hello message during the SSL handshake.


749675-5 : DNS cache resolver may return a malformed truncated response with multiple OPT records

Component: Global Traffic Manager (DNS)

Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.

Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).

Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.

Workaround:
A second query will return the cached record, which will only have one OPT record.

Fix:
DNS cache resolver now returns the correct response under these conditions.


749603-1 : MRF SIP ALG: Potential to end wrong call when BYE received

Component: Service Provider

Symptoms:
When a BYE is received, the media flows for a different call might be closed in error.

Conditions:
If the hash of the call-id (masked to 12 bits) matches the hash of another's call-id.

Impact:
The media flows for both calls will be closed when one receives a BYE command. A call may be incorrectly terminated early.

Workaround:
None.

Fix:
Entire call-id checked before terminating media flows.


749508-1 : LDNS and DNSSEC: Various OOM conditions need to be handled properly

Component: Global Traffic Manager (DNS)

Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.

Conditions:
LDNS and DNSSEC OOM conditions.

Impact:
Various traffic-processing issue, for example, TMM panic during processing of DNSSEC activity.

Workaround:
None.

Fix:
The system contains improvements for handling OOM conditions properly.


749500-1 : Improved visibility for Accept on Microservice action in Traffic Learning

Component: Application Security Manager

Symptoms:
Low visibility for accepted on microservice action.

Conditions:
There are suggestions that can be accepted on microservice.

Impact:
The system does not show Accept on Microservice in a suggestion.

Workaround:
None.

Fix:
Improved visibility for Accept on Microservice action and microservice-related details of suggestions.


749464-2 : Race condition while BIG-IQ updates common file

Component: Application Visibility and Reporting

Symptoms:
The file /var/config/rest/downloads/app_mapping.json is being used by two processes: BIG-IQ and avrd.
This can cause a race-condition between the two and in some rare cases can cause avrd to crash.

Conditions:
BIG-IQ updating /var/config/rest/downloads/app_mapping.json while avrd is reading it.

Impact:
avrd might read incomplete data, and can even core in some rare cases.

Workaround:
None.

Fix:
This race condition no longer occurs.


749461-2 : Race condition while modifying analytics global-settings

Component: Application Visibility and Reporting

Symptoms:
Updating the analytics global-settings might cause a core for avrd.

The avrd.log contains the following record:
AVRD_CONFIG|NOTICE... 13931|lib/avrpublisher/infrastructure/avr_mcp_msg_parser.cpp:2985| Modified Analytics Global Settings, added "0" offbox TCP addresses

Conditions:
Analytics global-settings are updated either explicitly, using a tmsh command, or implicitly, by internal process script.

Impact:
Might cause a core for avrd. After coring once, avrd is expected to start normally without any additional cores. The configuration change is expected to be applied correctly after restart is complete.

Workaround:
None.

Fix:
This represents a partial fix. See bug 764665 for an additional fix.


749414-4 : Invalid monitor rule instance identifier error

Component: Local Traffic Manager

Symptoms:
Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects.

Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is in a pool.
-- Run the following command: tmsh load /sys config
-- Loading UCS/SCF file can trigger the issue also.
-- Nodes share the same monitor instance.
-- default-node-monitor is not configured.

Impact:
-- The system might delete monitor rule instances for unrelated nodes/pool-members.

-- Pool members are incorrectly marked down.

Workaround:
You can use either of the following:

-- Failover or failback traffic to the affected device.

-- Run the following command: tmsh load sys config.


749382-1 : Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater

Component: TMOS

Symptoms:
Running a bare-metal installation via image2disk (IE, 'image2disk --format=volumes <ISO>') may fail due to a missing command in the maintenance OS.

Conditions:
The version of MOS installed on the system is from a v14.1.0 or newer ISO, and a user attempts a bare-metal installation via the 'image2disk' command.

Impact:
Unable to perform bare-metal installations/installations from MOS in affected versions.

Workaround:
The installed version of MOS can be removed with the command '/usr/lib/bpdiag -a mos'. After doing this, installing a version older than 14.1.0 will re-install an older version of MOS without this issue. You can then reboot to MOS and manually run the installation using 'image2disk' from there.

Fix:
Fix issues with bare-metal installations via 'image2disk' failing.


749331-3 : Global DNS DoS vector does not work in certain cases

Component: Advanced Firewall Manager

Symptoms:
Global DNS DoS vector stops working under certain conditions.

Conditions:
Packets are not made to go through its entirety.

Impact:
Global DNS data structures are overwritten by subsequent incoming packets. Global DNS DoS vector does not rate-limit the packets.

Workaround:
None.

Fix:
Global DNS DoS vector checks now prevent this issue, so rate-limiting works as expected.


749324-1 : jQuery Vulnerability: CVE-2012-6708

Solution Article: K62532311


749294-4 : TMM cores when query session index is out of boundary

Component: Local Traffic Manager

Symptoms:
TMM cores when the queried session index is out of boundary. This is not a usual case. It is most likely caused by the memory corrupted issue.

Conditions:
When session index equals the size of session caches.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The index boundary check now operates correctly in this situation, so tmm no longer cores.


749227-1 : MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE

Component: Service Provider

Symptoms:
INVITE message being processed operation creates a temporary registration entry for a unregistered subscriber, this registration entry is not extended if a subsequent invite occurs. This could cause the registration to expire during a call, thus allowing the reserved translated addresses to be provided to a different subscriber.

Conditions:
An INVITE message is received when unregistered-subscriber-callout attribute in the siprouter-alg profile

Impact:
The system adds a temporary registration entry to the registration table. The lifetime for this entry is the max-session-timeout value from the siprouter-alg profile. Subsequent INVITES will not extend the lifetime.

This could cause the registration to expire during a call, allowing the reserved translated addresses to be provided to a different subscriber.

Workaround:
None.

Fix:
Subsequent INVITEs now extend the lifetime by another max-session-timeout value.


749222-1 : dname compression offset overflow causes bad compression pointer

Component: Global Traffic Manager (DNS)

Symptoms:
DNS requests receive error response:
-- Got bad packet: bad compression pointer.
-- Got bad packet: bad label type.

Conditions:
When the DNS response is large enough so that dname redirects to an offset larger than 0x3f ff.

Impact:
DNS response is malformed. Because the DNS record is corrupted, zone transfer fails.

Workaround:
None.

Fix:
dname compression offset overflow no longer causes bad compression pointer.


749184-2 : Added description of subviolation for the suggestions that enabled/disabled them

Component: Application Security Manager

Symptoms:
Missing description of subviolation for the suggestions that enabled/disabled them.

Conditions:
There are suggestions that enabled/disabled subviolations in the security policy.

Impact:
Cannot determine the subviolation for the suggestions that enabled/disabled them.

Workaround:
Open Description in an additional tab in Learning and Blocking settings screen.

Fix:
Added description of subviolation for the suggestions that enabled/disabled them.


749161-2 : Problem sync policy contains non-ASCII characters

Component: Access Policy Manager

Symptoms:
When access policy contain non-ASCII characters, policy sync either fails or the characters are not sync'ed properly on the target.

Conditions:
-- Using an access profile.

-- Access profile contains non-ASCII characters (code point greater than 0x7f), e.g.,in VPE, add an 'Advanced Resource Assign' agent and specify an expression similar to the following in addition to the resource:

expr { [string tolower [mcget -decode {session.ad.last.attr.memberOf}]] contains [string tolower "CN=Suporte_TransmissãČo,"] || [string tolower [mcget -decodde {session.ad.last.attr.memberOf}]] contains [string tolower "CN=suporte_tx,"]}

-- Start policy sync on the profile.

Impact:
Policy sync fails or does not complete properly for the non-ASCII characters.

Workaround:
None.

Fix:
Policy sync now works properly when the policy contains non-ASCII characters.


749136-1 : Disk partition /var/log is low on free disk space

Component: Application Security Manager

Symptoms:
Warning messages, such as these on system CLI:
--------------
Broadcast message from root@bigip1.test.net (Wed Nov 7 09:01:01 2018):

011d0004:3: Disk partition /var/log (slot 1) has only 0% free
--------------

Conditions:
ASM or DoS is provisioned.

Impact:
Disk partition /var/log is low on free disk space.

Workaround:
Manually delete nsyncd logs from /var/log.

Fix:
There is now stricter log rotation for nsyncd.


749109-3 : CSRF situation on BIGIP-ASM GUI

Component: Application Security Manager

Symptoms:
CSRF situation on the BIG-IP ASM GUI that might potentially lead to resource exhaustion on the device for the moment it is being run.

Conditions:
The following URL accepts a wildcard in the parameter id, making it a heavy URL:

https://BIG-IP/dms/policy/pl_negsig.php?id=*

Impact:
Once multiple requests are sent to the target GUI, it is possible to see httpd process spiking even in core 0 (VMWare).

Workaround:
None.

Fix:
If the query string parameter has a string value the query is not executed.


749057-1 : VMware Horizon idle timeout is ignored when connecting via APM

Component: Access Policy Manager

Symptoms:
VMware Horizon has an option to set idle timeout under "View Configuration\Global Settings\General\Client-dependent settings\For clients that support applications". When there is no keyboard or mouse activity for the given time, application sessions should be disconnected (desktop sessions are staying, though).
This settings has no effect when connecting via APM.

Conditions:
VMware Horizon idle timeout setting for applications is configured and remote application is launched via APM.

Impact:
VMware Horizon idle timeout setting for applications has no effect.

Workaround:
None.

Fix:
VMware Horizon idle timeout "For clients that support applications" is now honored when connecting via APM.


748999-3 : invalid inactivity timeout suggestion for cookies

Component: Application Security Manager

Symptoms:
ASM will report "invalid inactivity timeout" suggestions to delete a cookie, even though the cookies are being sent and are valid.

Conditions:
- Inactivity timeout feature is configured in Policy Builder
- Cookie entity is configured in the policy
- Valid, non-violating traffic containing cookies is passed

Impact:
Since non-violating traffic is not sent to the policy engine, the inactivity timeout timer is never reset, which will eventually lead to suggestions to delete the inactive cookie entities. These suggestions are erroneous because valid cookies are being sent in the traffic.

Workaround:
Ignore the inactive entity suggestions for cookies

Fix:
Inactivity learning for cookies has been deprecated, the feature does not cover cookies anymore.


748902-5 : Incorrect handling of memory allocations while processing DNSSEC queries

Component: Global Traffic Manager (DNS)

Symptoms:
tmm crashes.

Conditions:
-- Heavy DNS traffic using DNS security signatures.
-- Use of external HSM may aggravate the problem.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release corrects the handling of memory allocations while processing DNSSEC queries.


748891-2 : Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system.

Component: Local Traffic Manager

Symptoms:
Potential MAC relearning at the switches the BIG-IP system is connected to.

Conditions:
-- DB variable connection.vlankeyed set to disabled.
-- Multiple virtual-wires configured on the BIG-IP system.
-- Client to server and server to client traffic using different virtual wires on the BIG-IP system.

Impact:
Packets reach their L3 destination using an unexpected L2 path.

Workaround:
None.

Fix:
Connflow next hop and previous hop updates are now done in the correct order for virtual wires.


748848-2 : Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers

Component: Application Security Manager

Symptoms:
Multiple virtual servers are each using different cookie names for cookies 72, 74, and 76. This occurred because these cookie names are dependent on virtual server properties.

Conditions:
-- Multiple subdomains are configured to resolve to different virtual servers with different ASM policies.

-- Anti-Bot Mobile SDK attempts to connect to these virtual servers.

Impact:
Anti-Bot Mobile SDK is not able to connect to multiple virtual servers using the same cookie.

Workaround:
None.

Fix:
The relevant cookie names were changed.

The format TS00000000_7x (prefix/suffix may change according to configuration) is now used for cookies 72, 74, and 76, which results in identical cookie names for all configured virtual servers.

This will allow Anti-Bot Mobile SDK to connect to multiple virtual servers using the same cookie.


748813-3 : tmm cores under stress test on virtual server with DoS profile with admd enabled

Component: Anomaly Detection Services

Symptoms:
tmm cores

Conditions:
-- Systems under stress testing.
-- Virtual server with DoS profile with admd enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Turn off Behavioral DOS.

Fix:
This tmm core no longer occurs under these conditions.


748502-1 : TMM may crash when processing iSession traffic

Solution Article: K72335002


748409-2 : Illegal parameter violation when json parsing a parameter on a case-insensitive policy

Component: Application Security Manager

Symptoms:
An illegal parameter violation is raised although the parameter is configured

Conditions:
The policy is configured as case insensitive, and a parameter is configured with capital letters

Impact:
False positive illegal parameter violation

Workaround:
Configure violation as case sensitive


748321-1 : bd crash with specific scenario

Component: Application Security Manager

Symptoms:
BD crash

Conditions:
A specific scenario may cause bd crash.

Impact:
Failover, traffic disturbance.

Workaround:
N/A


748253-1 : Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection

Component: Service Provider

Symptoms:
Depending on the DIAMETER settings of the BIG-IP system, there can be a race condition in a mirrored device cluster where the standby BIG-IP system resets its mirror connection to the active device.

Conditions:
-- MRF DIAMETER in use.
-- The DIAMETER session profile on the BIG-IP system is configured to use a non-zero watchdog timeout.
-- The DIAMETER session profile on the BIG-IP system is configured to use Reset on Timeout.
-- This is more likely to happen if (in the DIAMETER session profile) the Maximum Watchdog Failures is set to 1, and the Watchdog Timeout is configured to be the same value as the remote DIAMETER system.

Impact:
The standby is no longer mirroring the active system, and gets out of sync with it. There may be connections lost if a failover occurs.

Workaround:
To mitigate this issue:

1. Configure the Maximum Watchdog Failures to a value greater than 1.
2. Configure the Watchdog Timeout as something different from the same timeout on the remote peer, preferably to something that will have little overlap (i.e., the two timers should fire at the exact same time very infrequently).

Fix:
Prevented the standby from sending DWR packets to the active device, so that it no longer expects DWA responses that never arrive.


748206-1 : Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position

Component: TMOS

Symptoms:
Browser becomes unresponsive.

Conditions:
Loading the network map with a virtual server that contains a forwarding rule policy in the second position.

Impact:
Browser becomes unresponsive and must be restarted.

Workaround:
Change the position of the forwarding rule policy.

Fix:
The browser now behaves as expected when loading the network map with a virtual server that contains a forwarding rule policy in the second position.


748187-4 : 'Transaction Not Found' Error on PATCH after Transaction has been Created

Component: TMOS

Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.

Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.

Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.

Workaround:
If transaction is not very large, configure icrd_child to only run single-threaded.

Fix:
Erroneous 'Transaction Not Found' messages no longer occur under these conditions.


748177-1 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character

Component: Global Traffic Manager (DNS)

Symptoms:
Multiple wildcards not matched to the most specific WideIP.

Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.

Impact:
DNS request gets wrong answer.

Workaround:
There is no workaround at this time.

Fix:
Multiple wildcards are now matched to the most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character.


748176-1 : BDoS Signature can wrongly match a DNS packet

Component: Advanced Firewall Manager

Symptoms:
When using BDoS feature for DNS protocol, and when there are auto-generated DNS Signatures or if Custom DNS signatures are configured manually, it is found that at times, a valid DNS request is dropped because it wrongly matches the configured/dynamically generated DNS Signature when the box is under load, and BDoS mitigation is ongoing.

Conditions:
Configured DNS Signature (Or) there exists a Dynamically generated DNS Signature.

Such a DNS signature is found to match a DNS packet wrongly, even though the signature match criteria is different from the matched DNS packet.

Impact:
When box is under load, the configured DNS signature gets into Attack Mitigation mode (which is normal), but may wrongly drop a DNS packet that does not match the signature.

Workaround:
Disable BDoS for protocol DNS. Also, do not use Manually configured DNS Signatures.

Fix:
The parsed DNS information is cached and re-used wrongly as a performance optimization, which is corrected.


748121-3 : admd livelock under CPU starvation

Component: Anomaly Detection Services

Symptoms:
Due to the resources starvation the worker thread of admd does not get CPU for more than two minutes. At the same time, the configuration thread does get CPU.

The admd heartbeat failure occurs at 120 seconds. The SOD daemon kills admd.

The system posts messages similar to the following:

-- notice sod[6783]: 01140041:5: Killing /usr/bin/admd pid 6732
-- warning sod[6783]: 01140029:4: high availability (HA) daemon_heartbeat ADMD.Anomaly0 fails action is restart.
-- warning sod[6783]: 01140029:4: high availability (HA) daemon_heartbeat ADMD.Publisher0 fails action is restart.

Conditions:
-- High CPU / memory utilization,
-- Very large configuration.

Note: There are no known special configuration requirements to have this occur.

Impact:
admd restarts.
Behavioral DoS does not work.

Workaround:
Reboot the BIG-IP system.

Fix:
admd livelock event no longer occurs in response to CPU starvation in very large configurations.


748081-1 : Memory leak in Behavioral DoS module

Component: Advanced Firewall Manager

Symptoms:
TMM runs out of memory and restarts.
The memory usage as shown in "tmctl memory_usage_stat", under module line tag "session" is noticed to be high, and keeps growing.

Conditions:
The issue is seen when BDoS feature is configured, and if there exits Custom or Auto Generated BDoS Signatures. When such signatures exist, the BDoS one second timer callback leaks memory.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
1. Disable BDoS feature.
2. Disable all configured and auto generated BDoS signatures using TMSH command:

# cd dos-common
# modify security dos dos-signature all { state disabled }


748043-2 : MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP

Component: Service Provider

Symptoms:
SIP Server sends SIP Request to the client.
The SIP Server inserts a different port, so that response are received on a different port.
The Client sends the response on the new requested port.
BIG-IP drops the packet

Conditions:
SIP Server wants the SIP Response to be coming on a different port.

Impact:
SIP Request will not receive the SIP Response

Workaround:
There is no workaround.

Fix:
Fix BIG-IP to process the SIP Response and send it to the SIP Server


747977-1 : File manually uploaded information is not synced correctly between blades

Component: Application Security Manager

Symptoms:
When you upload a file, the file is marked internally as manually uploaded. When the system downloads a file, it is marked as not being manually uploaded. This information is not passed and handled correctly on chassis.

Conditions:
-- Configuration is deployed on multiple blades
-- Fail over has occurred.
-- New update file is downloaded from ESDM on the primary blade.

Impact:
Security updates are not automatically installed on the new primary blade after failover.

Workaround:
Manually install security updates on new primary blade.

Fix:
Corrected sync/handle information about file files, whether they are manually uploaded or downloaded from ESDM.


747968-3 : DNS64 stats not increasing when requests go through DNS cache resolver

Component: Local Traffic Manager

Symptoms:
DNS64 stats are not incrementing when running the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands if responses are coming from DNS cache resolver.

Conditions:
-- DNS responses are coming from DNS cache resolver.
-- Viewing statistics using the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands.

Impact:
DNS64 stats are not correct.

Workaround:
There is no workaround at this time.


747926-2 : Rare TMM restart due to NULL pointer access during AFM ACL logging

Component: Advanced Firewall Manager

Symptoms:
Tmm crashes while performing log ACL match logging.

Conditions:
The problem can happen only with the following configuration:
1) AFM Logging for ACLs enabled.
2) Security Network Logging profile has the property "log-translation-fields enabled"

The problem happens under extremely rare circumstances.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Defensive error handling to avoid the scenario of NULL pointer access.


747922-3 : With AFM enabled, during bootup, there is a small possibility of a tmm crash

Component: Advanced Firewall Manager

Symptoms:
During bootup, with AFM enabled, there is a small possibility of a tmm crash. The tmm process generates a core file and then automatically restart.

Conditions:
-- AFM enabled.
-- sPVA-capable hardware platform.
-- Boot up the system.

Impact:
tmm crashes, coredumps, and then restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The race-condition has been fixed, so this issue no longer occurs.


747909-5 : GTPv2 MEI and Serving-Network fields decoded incorrectly

Component: Service Provider

Symptoms:
MEI and Serving-Network vales obtained with GTP::ie get iRule command contains digits swapped in pairs, first digit missing and a random digit added at the back.

Conditions:
Processing GTP traffic with iRules.

Impact:
It is impossible to obtain correct value of MEI and Serving-Network fields of the GTPv2 packets when processing with iRules.

Workaround:
No workaround.

Fix:
Decoding of GTPv2 MEI and Serving-Network fields corrected.


747907-2 : Persistence records leak while the HA mirror connection is down

Component: Local Traffic Manager

Symptoms:
Memory might leak on the active unit while the high availability (HA) mirror connection is down.

Conditions:
-- The persistence configured that requires its state to be stored stored on the BIG-IP system.
-- Mirroring is configured on the persistence profile or the virtual server.
-- Mirror connection is down, for example, next active is down/offline/unavailable.

Impact:
Memory leak until the HA mirror connection is up. Once mirror connection is up, the system releases the memory.

Workaround:
-- Disable persistence while HA mirror connection is down (e.g., performing maintenance).
-- Disable session mirroring for iRules.
-- Use persistence that does not requires its state to be stored on the BIG-IP system.
-- Restore HA connection.

Fix:
Persistence records no longer leak memory while the HA mirror connection is down.


747858-2 : OSPF packets are duplicated in the BIG-IP in L2 transparent mode using virtual wires

Component: Local Traffic Manager

Symptoms:
OSPF packets are duplicated while traversing a virtual wire.

Conditions:
BIG-IP configured in L2 transparent mode using a virtual wire.

Impact:
OSPF unreliability can impact the overall routing domain and in turn impact services dependent on it.

Workaround:
None.

Fix:
Handle multicast packets through a virtual wire correctly.


747777-3 : Extractions are learned in manual learning mode

Component: Application Security Manager

Symptoms:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"

Conditions:
Direct cause: Policy contains parameters with dynamic type

Indirect cause: Policy Builder is configured to classify parameters as dynamic (related to bug 717525)

Impact:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"

Workaround:
- Change all dynamic parameters value types to User Input with Alpha Numeric data type

- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').

Fix:
Policy Builder does not set extractions for dynamic parameters in manual mode


747727-1 : HTTP Profile Request Header Insert Tcl error

Component: Local Traffic Manager

Symptoms:
A TMM crash.

Conditions:
When the HTTP profile Request Header Insert field contains a Tcl interpreted string, Tcl is executed to expand the string before the header is inserted into the request header block.

If a Tcl error occurs

Impact:
In some cases this can cause TMM to crash. Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following to mitigate this:

-- Verify that your Tcl executes correctly in all cases.
-- Use a static string.

Fix:
TMM no longer crashes under these conditions.


747628-1 : BIG-IP sends spurious ICMP PMTU message to server

Component: Local Traffic Manager

Symptoms:
After negotiating an MSS in the TCP handshake, the BIG-IP system then sends an ICMP PMTU message because the packet is too large.

Conditions:
-- The server side allows timestamps and the client side does not negotiate them.

-- The client-side MTU is lower than the server-side MTU.

-- There is no ICMP message on the client-side connection.

Impact:
Unnecessary retransmission by server; suboptimal xfrag sizes (and possibly packet sizes).

Workaround:
Disable timestamps or proxy-mss on the server-side TCP profile.


747617-2 : TMM core when processing invalid timer

Component: Local Traffic Manager

Symptoms:
TMM crashes while processing an SSLO iRules that enables the SSL filter on an aborted flow.

Conditions:
SSLO is configured and passing traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround

Fix:
SSL filter will no longer be enabled after connection close.


747592-1 : PHP vulnerability CVE-2018-17082

Component: TMOS

Symptoms:
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.

Conditions:
This exploit doesn't need any authentication and can be exploited via POST request. Because of 'Transfer-Encoding: Chunked' header php is echoing the body as response.

Impact:
F5 products not affected by this vulnerability. Actual impact of this vulnerability is possible XSS attack.

Workaround:
No known workaround.

Fix:
The brigade seems to end up in a messed up state if something fails in shutdown, so we clean it up.


747585-3 : TCP Analytics supports ANY protocol number

Component: Local Traffic Manager

Symptoms:
No TCP analytics data is collected for an ANY virtual server.

Conditions:
1. Provision AVR
2. Create a FastL4 server that accepts all protocols.
3. Attach a TCP Analytics profile
4. Try to run UDP traffic through it.

Impact:
No TCP analytics data is collected for TCP flows when a virtual server's protocol number is ANY.

Workaround:
There is no workaround this time.

Fix:
TCP analytics now supports both ANY and TCP protocol numbers and would collect analytics for TCP flows if protocol number is ANY or TCP.


747560-5 : ASM REST: Unable to download Whitehat vulnerabilities

Component: Application Security Manager

Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.

Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.

Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided, and it must be downloaded manually, or the GUI must be used.

Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.

Fix:
The REST endpoint for importing Scanner Vulnerabilities for the Whitehat Scanner now correctly downloads the vulnerability file automatically when no file is provided.


747550-3 : Error 'This Logout URL already exists!' when updating logout page via GUI

Component: Application Security Manager

Symptoms:
When you try to update the Logout Page, you get an error about the URL existence: Error 'This Logout URL already exists!'

Conditions:
1. Create any Logout page.
2. Try to update it.

Impact:
The properties of the Logout Page cannot be updated.

Workaround:
Delete the logout page and create a new one.

Fix:
This release addresses the issue, so that no error is reported when updating the Logout Page.


747239-1 : TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection

Component: Local Traffic Manager

Symptoms:
TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection.

Conditions:
This might occur rarely when the HTTP/2 gateway is configured on a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
TMM SIGABRT no longer occurs under these conditions.


747187-2 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response

Component: Service Provider

Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.

Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.

Impact:
Media does not flow on pinholes for which a collision was detected and reported.

Workaround:
None

Fix:
No collision is detected or logged when multiple messages with SDP recreate the same flows in the same call.


747104-1 : LibSSH: CVE-2018-10933

Solution Article: K52868493

Component: Advanced Firewall Manager

Symptoms:
For more information see: https://support.f5.com/csp/article/K52868493

Conditions:
For more information see: https://support.f5.com/csp/article/K52868493

Impact:
For more information see: https://support.f5.com/csp/article/K52868493

Fix:
For more information see: https://support.f5.com/csp/article/K52868493


746941-2 : avrd memory leak when BIG-IQ fails to receive stats information

Component: Application Visibility and Reporting

Symptoms:
AVRD has memory leak when it is failing to send statistical information to BIG-IQ.

Conditions:
BIG-IP is used by BIG-IQ version 6.0.0 or higher, and stats collection is enabled.
Plus, BIG-IQ has some malfunction that prevents it from receiving the statistical information that BIG-IP is sending (for example: all DCDs are down, or not network connection between BIG-IP and BIG-IQ).

Impact:
avrd memory is increased over time, leading to avrd restart when it is getting too large

Workaround:
Connectivity issue between BIG-IP and BIG-IQ should be fixed, not just in order to prevent this memory leak, but for more important functionality such as visibility and alerts features in BIG-IQ.

Fix:
Memory leak is fixed.


746877-1 : Omitted check for success of memory allocation for DNSSEC resource record

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.

Conditions:
During memory stress while handling DNSSEC traffic.

Impact:
TMM panic and subsequent interruption of network traffic.

Workaround:
Keeping the workload within normal ranges reduces the probability of encounter.

Fix:
The system now checks for success of memory allocation for DNSSEC resource record, so this issue no longer occurs.


746873-1 : Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing

Component: TMOS

Symptoms:
Any non-admin cannot use tmsh list commands. Running the command gives the following error:

Unexpected Error: Can't display all items, can't get object count from mcpd.

Conditions:
Run a tmsh list command when logged in as non-admin user.

Impact:
Error is posted. Non-admin users cannot use the tmsh list commands.

Workaround:
Log in as admin to execute the tmsh list command.

Fix:
Non-admin users can now run tmsh list commands, as appropriate for the Role associated with the type of user account.


746825-1 : MRF SIP ALG with SNAT: Ephemeral listeners not created for unsubscribed outgoing calls

Component: Service Provider

Symptoms:
When a temporary registration is created for an unsubscribed user making an outgoing call, an ephemeral listener to receive incoming messages is not created.

Conditions:
-- If nonregister-subscriber-callout attribute is enabled in the siprouter-alg profile.
-- An unregistered client device places an outgoing call. At this point, a temporary registration is created. This temporary registration lives for the life of the call.
-- During the lifetime of the temporary registration, if the connection from the client is closed, it is not possible for an external device to reach the client device.

Impact:
The callee of an outgoing call initiated by an unregistered SIP device cannot end the call.

Workaround:
There is no workaround at this time.

Fix:
When a temporary registration is created, an ephemeral listener is created to receive SIP commands to be forwarded to the client device.


746771-3 : APMD recreates config snapshots for all access profiles every minute

Component: Access Policy Manager

Symptoms:
When the access profile configurations in APMD and MCPD are out of sync, APMD detects that the config snapshot for one access profile is missing. This triggers AMPD to recreates the config snapshots for all access profiles. The detect-recreate cycle repeats every minute, posting log messages:

-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...

-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
...

-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...

-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.

Conditions:
The conditions under which the access profile configurations in APMD and MCPD become out of sync is unknown.

Impact:
TMM memory usage increases due to excessive config snapshots being created.

Workaround:
Restart APMD to clear the APMD and MCPD out-of-sync condition.

Fix:
This issue has been fixed.


746768-4 : APMD leaks memory if access policy policy contains variable/resource assign policy items

Component: Access Policy Manager

Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.

Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.

Impact:
APMD's memory footprint will increase whenever the access policy is applied.

Workaround:
There is no workaround.

Fix:
Memory growth has been addressed.


746750-1 : Search Engine get Device ID challenge when using the predefined profiles

Component: Application Security Manager

Symptoms:
When using one of the pre-defined profiles, "bot-defense-device-id-generate-after-access" and "bot-defense-device-id-generate-after-access", Search Engines might get Device ID challenges (and will most likely get blocked since cannot run JS)

Conditions:
One of the pre-defined profiles ("bot-defense-device-id-generate-after-access" or "bot-defense-device-id-generate-after-access") are attached to vs, and a valid search engine sends requests.

Impact:
Search Engines may be blocked.

Workaround:
Change mitigation of "Trusted Bot" in the attached profile to "Alarm":
1. Go to
Security ›› Bot Defense : Bot Defense Profiles ›› bot-defense-device-id-generate-after-access
or
Security ›› Bot Defense : Bot Defense Profiles ›› bot-defense-device-id-generate-before-access
2. Go to tab "Mitigation Settings"
3. For "Trusted Bot" choose "Alarm".
4. Save profile.


746710-1 : Use of HTTP::cookie after HTTP:disable causes TMM core

Component: Local Traffic Manager

Symptoms:
When an iRule disables HTTP with HTTP:disable, subsequent use of HTTP::cookie for that request will cause a TMM core dump.

Conditions:
1) HTTP profile is configured on the virtual.
2) HTTP:disable is called on request.
3) HTTP:cookie is then called on that request.

Impact:
Use of iRules in the above mentioned order will result in a TMM core. Traffic disrupted while tmm restarts.

Workaround:
Do not call HTTP:cookie on requests that have had HTTP disabled by HTTP:disable


746657-1 : tmsh help for FQDN node or pool member shows incorrect default for fqdn interval

Component: TMOS

Symptoms:
The tmsh help text for LTM nodes and pools shows the incorrect default for the FQDN 'interval' value.

The default is indicated as the TTL, whereas the actual default value is 3600 seconds (1 hour).

The configured value is displayed correctly if the node or pool is displayed using the 'all-properties' keyword.

Conditions:
This occurs when viewing tmsh help text.

Impact:
FQDN nodes and pool members may be created with a different FQDN refresh interval than intended.

Workaround:
When creating an FQDN node or pool member, specify the desired FQDN 'interval' value (either TTL, or the desired number of seconds).

Fix:
The tmsh help text for LTM nodes and pools correctly shows the default value of 3600 seconds for the FQDN 'interval' value.


746424 : Patched Cloud-Init to support AliYun Datasource

Component: TMOS

Symptoms:
Shipped Cloud-Init in this version of VE has no support of Alibaba Cloud metadata service for having no support of AliYun Datasource.

Conditions:
VE for Alibaba Cloud

Impact:
Provisioning VE through Cloud-Init won't work on Alibaba cloud

Workaround:
N/A

Fix:
Patched Cloud-Init to support AliYun Datasource


746394-1 : With ASM CORS set to 'Disabled' it strips all CORS headers in response.

Component: Application Security Manager

Symptoms:
All access-control-* headers are removed by ASM, including Cross-Origin Resource Sharing (CORS) headers. This causes CORS-related JavaScript errors on the browser console, and blocks cross-domain requests that should be allowed.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Backend server sends CORS headers access-control-*.

Impact:
Any webapp that sends cross origin AJAX requests might not work.

Workaround:
Set up an iRule on a virtual server, for example:

when HTTP_RESPONSE {
    array set header_list { }
    foreach header_name [HTTP::header names] {
        if { [string tolower $header_name] starts_with "access-control-" } {
            set header_list($header_name) [HTTP::header $header_name]
        }
    }
}
when HTTP_RESPONSE_RELEASE {
    foreach header_name [array names header_list] {
        if {!([HTTP::header exists $header_name])} {
            HTTP::header insert $header_name $header_list($header_name)
        }
    }
}

Fix:
ASM no longer removes CORS headers when the feature is set to set to 'Disabled'. This is correct behavior.


746298-1 : Server Technologies logos all appear as default icon

Component: Application Security Manager

Symptoms:
Server Technologies logos all appear as the default icon.

Conditions:
Browsing the list of available Server Technologies in an ASM policy.

Impact:
Server Technologies logos all appear as the default icon.

Workaround:
Install the most recent Server Technologies update file.

Fix:
Server Technology-specific logos appear correctly.


746266-3 : Vcmp guest vlan mac mismatch across blades.

Component: TMOS

Symptoms:
Guests running on blades in a single chassis report different MAC addresses on a single vlan upon host reboot for vcmp guest.

Conditions:
This issue may be seen when all of the following conditions are met:

- One (or more) blade(s) are turned off completely via AOM.
- Create two vlans.
- Deploy a multi-slot guest with the higher lexicographic vlan.
- Now, assign the smaller vlan to the guest.
- Reboot the host

Impact:
Incorrect MAC addresses are reported by some blades.

Workaround:
There is no workaround at this time.


746131-4 : OpenSSL Vulnerability: CVE-2018-0732

Component: Local Traffic Manager

Symptoms:
OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover parts of the private key.

Conditions:
Advanced shell access.

Impact:
OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover parts of the private key.

Workaround:
None.

Fix:
Updated to OpenSSL 1.0.2p


745947-2 : Add log events for MRF SIP registration/deregistration and media flow creation/deletion

Component: Service Provider

Symptoms:
Generally, only error conditions are logged for SIP. More logging is needed around SIP registration/deregistration, media flow creation/deletion, to help with debugging operations.

Conditions:
log.mrsip.level notice or above.

Impact:
Only error conditions are logged. Events helpful for debugging are not available in the logs.

Workaround:
There is no workaround at this time.

Fix:
Log information logging is available around SIP registration/deregistration and media flow creation/deletion.


745851 : Changed Default Cloud-Init log level to INFO from DEBUG

Component: TMOS

Symptoms:
Cloud-Init services generate too many debug log lines that populate their systemd journal.

Conditions:
Any BIG-IP VE release with Cloud-Init enabled and using "systemd".

Impact:
There're too many debug log lines that might make VE admin miss any more important information and severe errors when reading it.

Workaround:
Manually change all Cloud-Init's log levels to INFO from DEBUG.

Fix:
Cloud-Init's log default levels have been changed to INFO from DEBUG.


745825-1 : The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading

Component: TMOS

Symptoms:
This message may be logged while the audit_forwarder is loading the configuration:

audit_forwarder is disabled as the configuration is incomplete. Please define the following db variables: config.auditing.forward.sharedsecret, config.auditing.forward.destination and config.auditing.forward.type. And make sure config.auditing.forward.destination is not set to "::".

These DB variables may all be actually configured correctly, but since the configuration has not loaded yet this message may be logged multiple times.

Conditions:
The audit_forwarder process is starting up and loading the configuration.

Impact:
Confusing error messages in /var/log/ltm. Logging will still work as configured.

Workaround:
There is no workaround.

Fix:
Message has been modified to indicate the possibility of loading the configuration. Message is now logged only once. A new messages is logged indicating when audit_forwarder is enabled.


745813-1 : Requests are reported to local log even if only Bot Defense remote log is configured

Component: Application Security Manager

Symptoms:
Requests are logged locally on the BIG-IP system while they supposed to be sent only to the remote logger.

Conditions:
- Bot Defense profile attached to a virtual server.
- Bot Defense remote logger profile attached to a virtual server.

Impact:
Requests logged locally on the BIG-IP system when they are not supposed to be.

Workaround:
None.

Fix:
Logging profile filter mechanism now honors remote and local logging configurations.


745809-2 : The /var partition may become 100% full requiring manual intervention to clear space

Component: Advanced Firewall Manager

Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free

Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open.

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition

Workaround:
This workaround is temporary in nature, and may need to be periodically performed either manually or from a script. While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:
 bigstart stop restjavad
 rm -rf /var/config/rest/storage*.zip
 rm -rf /var/config/rest/*.tmp
 bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.


745802-1 : Brute Force CAPTCHA response page truncates last digit in the support id

Component: Application Security Manager

Symptoms:
Brute Force CAPTCHA response page shown to an end-user has a support id and the last digit is truncated.

Conditions:
- ASM Provisioned
- ASM policy attached to a virtual server
- ASM Brute Force Protection enabled in the asm policy
- ASM Brute Force sends captcha mitigation page when a website is under brute force attack.

Impact:
The support id presented to an end-user won't be matched to the one shown in the asm logs

Workaround:
There is no workaround at this time.

Fix:
The code is fixed, correct support id is shown in the captcha response page.


745783-1 : Anti-fraud: remote logging of login attempts

Component: Fraud Protection Services

Symptoms:
There is no support for logging of login attempts to a remote service.

Conditions:
Using high speed logging (HSL) to log login attempts.

Impact:
There is no support for logging of login attempts.

Workaround:
None.

Fix:
FPS now uses HSL to report login attempts using configured templates, rate-limit, and publisher to a remote service.

To enable this feature:

# via tmsh only
tmsh modify sys db antifraud.riskengine.reportlogins value enable
 
# via tmsh or GUI
tmsh modify sys db antifraud.internalconfig.string1 value "<login attempt log template>"
tmsh modify sys db antifraud.internalconfig.string2 value "<log-rate-exceeded log template>"
tmsh modify sys db antifraud.internalconfig.number1 value "<log-rate-exceeded threshold>"
tmsh modify security anti-fraud profile <fps profile> risk-engine-publisher <publisher>
 
 
It is recommended that you use encoding when composing an HTTP template. The default encoding level is 0, meaning 'never encode'.

To change encoding level:

tmsh modify sys db antifraud.internalconfig.number2 value <0/1/2>

Behavior Change:
FPS now includes the ability to perform High Speed Logging (HSL) of all login attempts to specific protected URLs. These events can be forwarded to remote services (e.g. SIEM Server), and, when enabled, can help indicate whether applications are under attack.


745715-2 : MRF SIP ALG now supports reading SDP from a mime multipart payload

Component: Service Provider

Symptoms:
Previously all non-SDP SIP payloads were ignored. This would cause media pinhole flows to not be created.

Conditions:
An INVITE message or its response contained a SDP section in a mime multipart payload.

Impact:
Media pinhole flows were not created

Workaround:
None.

Fix:
The SIP ALG functions can now extract and process the SDP section of a mime multipart payload.


745713-4 : TMM may crash when processing HTTP/2 traffic

Solution Article: K94563344


745654-4 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server

Component: Access Policy Manager

Symptoms:
When there are a lot of tcp connections that needs new kerberos ticket to be fetched from kdc, then the websso processes requests slower than the incoming requests. This could lead to low throughput and virtual server is very slow to respond to requests.

Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.

Impact:
Low throughput and slow responses from Virtual server.

Workaround:
There is no workaround at this time.

Fix:
Increase the size of websso worker queue, so that tmm and websso process can communicate effectively. This eliminates VS slowness and hence increase throughput.


745629 : Ordering Symantec and Comodo certificates from BIG-IP

Component: TMOS

Symptoms:
This new feature enables ordering Symantec and Comodo certificates from the BIG-IP system.

Conditions:
You must have a Symantec or Comodo CA account to make certificate orders from the BIG-IP system.

Impact:
This new feature enables ordering of certificates from CAs Symantec and Comodo. CA-Approved certificates are automatically fetched and installed on the BIG-IP system.

Workaround:
None. This is a new feature.

Fix:
This release adds the capability to order/fetch and install certificates from CAs Symantec and Comodo.

Behavior Change:
You can now order/fetch and install certificates from the Symantec and Comodo Certificate Authorities.


745628-1 : MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message

Component: Service Provider

Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALD with SNAT after a NOTIFY message has been processed.

Conditions:
This occurs because the NOTIFY message has has the TO and FROM headers with the same value causing the ALG to enter hairpin mode.

Impact:
Media addresses in the SDP payload are not translated.

Workaround:
There is no workaround.

Fix:
Hairpin mode is not entered when processing NOTIFY messages


745624-1 : Tooltips for OWASP Bot Categories and Anomalies were added

Component: Application Security Manager

Symptoms:
Tooltips for some OWASP Bot Categories and Anomalies are 'N/A' in GUI/REST.

Conditions:
- GUI page: Event Logs:: Bot Defense :: Bot Traffic.
- Bot classification is 'OWASP Automated Threat'.

Impact:
Tooltip shows 'N/A' instead of detailed description. You cannot see detailed description of Bot classification of traffic.

Workaround:
None.

Fix:
Tooltips for OWASP Bot Categories and Anomalies were added.


745607-1 : Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly

Component: Application Security Manager

Symptoms:
3 month/last year filters are not displayed correctly in the applied filter.

Conditions:
3 month/last year filter applied in Bot Defense : Bot Traffic.

Impact:
You cannot see which filter is currently applied.

Workaround:
None.

Fix:
3 month/last year filter is now displayed correctly in applied filter.


745590-1 : SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added

Component: Service Provider

Symptoms:
In MRF SIP ALG, the hairpin flag is part of the translation_details structure. Because a connection/translation might be used for multiple simultaneous calls, if any call is hairpinned, subsequent calls on the same connection will not translate SDP addresses.

Conditions:
-- A connection/translation using multiple simultaneous calls
-- A call is hairpinned.

Impact:
Subsequent calls on the same connection do not translate SDP addresses.

Workaround:
None.

Fix:
SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added.


745574-1 : URL is not removed from custom category when deleted

Component: Access Policy Manager

Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.

Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.

Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.

Workaround:
"bigstart restart tmm" will resolve the issue.

Fix:
Made sure that the deletion takes effect properly and SSL traffic is no longer miscategorized after removal of the URL from the custom category.


745533-6 : NodeJS Vulnerability: CVE-2016-5325

Component: Local Traffic Manager

Symptoms:
It was found that the reason argument in ServerResponse#writeHead() was not properly validated.

Conditions:
iRules LX is running at the BigIP.

Impact:
A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request.

Workaround:
N/A.

Fix:
NodeJS updated to patch for CVE-2016-5325


745531-2 : Puffin Browser gets blocked by Bot Defense

Component: Application Security Manager

Symptoms:
Users using the Puffin Browser are blocked when accessing the Virtual Server when it is protected with either Proactive Bot Defense (within DoSL7 profile) or with the Bot Defense profile.
This applies to all version of the Puffin Browsers: Desktop, Android, iOS.

Conditions:
- Users using the Puffin Browser on Desktop, Android, iOS
- Bot Defense Profile, or: DoSL7 profile with Proactive Bot Defense is used while the "Block Suspicious Browsers" checkbox is enabled

Impact:
Users of the Puffin Browser cannot access the website

Workaround:
None

Fix:
Users of the Puffin Browser can now access the website that is protected by Bot Defense without getting blocked.
For the fix to be applied, both BIG-IP Release and ASU must be installed which contain the fix. Also, it is recommended to enable the following DB variables:
tmsh modify sys db dosl7.proactive_defense_validate_ip value disable
tmsh modify sys db dosl7.cs_validate_ip value disable


745514-1 : MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message

Component: Service Provider

Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALD with SNAT after a SUBSCRIBE message has been processed.

Conditions:
This occurs because the SUBSCRIBE message has has the TO and FROM headers with the same value causing the ALG to enter hairpin mode.

Impact:
Media addresses in the SDP payload are not translated.

Workaround:
There is no workaround.

Fix:
Hairpin mode is not entered when processing SUBSCRIBE messages


745404-4 : MRF SIP ALG does not reparse SDP payload if replaced

Component: Service Provider

Symptoms:
When a SIP message is loaded, the SDP is parsed. If modified or replaced, the system does not reparse the modified payload.

Conditions:
This occurs internally while processing SDP in a SIP message.

Impact:
Changes to the SDP are ignored when creating media pinhole flows

Workaround:
None.

Fix:
The SDP payload is now reparsed if modified or replaced.


745387-1 : Resource-admin user roles can no longer get bash access

Component: TMOS

Symptoms:
Resource-admin users with bash access may write to system files beyond the scope of their assigned access.

Conditions:
Resource-admin users configured with bash shell access.

Impact:
Resource-admin users with bash access may write to system files causing security risks.

Workaround:
Do not assign bash access for resource-admin users.

Fix:
Resource-admin users restricted to tmsh access now. If a resource-admin user had bash access in a prior version and upgrades to this version, that user will get converted to tmsh access automatically after the upgrade process.

Behavior Change:
Resource-admin roles can no longer have bash shell access. And upon upgrade, resource-admin users with bash access will get converted to tmsh shell access.


745371-1 : AFM GUI does not follow best security practices

Solution Article: K68151373


745257-1 : Linux kernel vulnerability: CVE-2018-14634

Solution Article: K20934447


745165-1 : Users without Advanced Shell Access are not allowed SFTP access

Solution Article: K38941195


745103-6 : NodeJS Vulnerability: CVE-2018-7159

Solution Article: K27228191


745027-2 : AVR is doing extra activity of DNS data collection even when it should not

Component: Application Visibility and Reporting

Symptoms:
When collecting DNS data, AVR generates data that is used only for BIG-IQ, even if not connected to BIG-IQ.

Conditions:
DNS Statistics collection or DNS-DoS is configured.

Impact:
avrd process is taking more CPU cycles for activity that is not needed. There is no impact to functionality.

Workaround:
None.

Fix:
The system no longer performs extra computation that is not needed in this case.


744949-1 : MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix

Component: Service Provider

Symptoms:
SIP response messages have the wrong IP address in the FROM header when using NAT64.

Conditions:
If the client's IPv6 address does not match the virtual server's configured IPv6 prefix, the FROM header on a response message will have a different IP address that the request message.

Impact:
The SIP ALG with SNAT system will be unable to establish a call for the client.

Workaround:
There is no workaround at this time.

Fix:
The FROM header will now contain the client's IP address.


744937-8 : BIG-IP DNS and GTM DNSSEC security exposure

Solution Article: K00724442

Component: Global Traffic Manager (DNS)

Symptoms:
For more information please see: https://support.f5.com/csp/article/K00724442

Conditions:
For more information please see: https://support.f5.com/csp/article/K00724442

Impact:
For more information please see: https://support.f5.com/csp/article/K00724442

Workaround:
None.

Fix:
For more information please see: https://support.f5.com/csp/article/K00724442

Behavior Change:
Note: After installing a version of the software that includes the fix for this issue, you must set the following db variables:

-- dnssec.nsec3apextypesbitmap
-- dnssec.nsec3underapextypesbitmap.

These two db variables are used globally (i.e., not per-DNSSEC zone) to configure the NSEC3 types bitmap returned in one-off NODATA responses for apex and under-apex responses, respectively.

When the BIG-IP system is queried for a DNS name in which the DNS name exists and is not of the RR type requested, the NSEC3 types bitmap on the response reflects what you configure for the db variable, minus the queried-for type.

When using these variables:

-- Configure type values as all lowercase.
-- Enclose multiple types in quotation marks (e.g., "txt rrsig").
-- Understand that there is likely no need to change the apex type setting; do so with extreme care. The under-apex settings are what you will find helpful in addressing the negative caching issue.


744707-2 : Crash related to DNSSEC key rollover

Component: Global Traffic Manager (DNS)

Symptoms:
When running out of memory, a DNSSKEY rollover event might cause a tmm crash and core dump.

Conditions:
-- System has low memory or is out of memory.
-- DNSSKEY rollover event occurs.

Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.

Fix:
Fixed an issue in DNSSEC Key Rollover event that could cause a crash.


744686-2 : Wrong certificate can be chosen during SSL handshake

Component: Local Traffic Manager

Symptoms:
If two certificates of the same type are configured in an SSL profile, one marked `usage CA' and the other not, the wrong one could be chosen during the handshake.

Conditions:
Two certificates of the same type are configured in an SSL profile.

Impact:
The wrong certificate could be chosen during the handshake.

Workaround:
Do not configure two certificates of the same type on an SSL profile.


744685-2 : BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension

Component: Local Traffic Manager

Symptoms:
An intermediate CA certificate should be considered invalid if the certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension. The BIG-IP system does not enforce this.

Conditions:
The SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop.

Impact:
The system might unexpectedly accept the SSL connection while the peer is using an inappropriate certificate.

Workaround:
None.

Fix:
With this fix, if the SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the SSL handshake if the peer's CA certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension.

Behavior Change:
When authenticating a peer's SSL certificate, the system requires a CA certificate to have the 'Basic Constraints' and 'CA:True' in its extension, like this:

            X509v3 Basic Constraints: critical
                CA:TRUE

If an SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the handshake if the peer's CA certificate does not satisfy this requirement.


744595-3 : DoS-related reports might not contain some of the activity that took place

Component: Application Visibility and Reporting

Symptoms:
Occasionally, some telemetry data of DoS related activity is lost.

Conditions:
No specific condition other than using the BIG-IP system anti-DDoS feature.

Impact:
DoS related reports might not contain some of the activity that takes place.

Workaround:
None.

Fix:
Issue was fixed, all telemetry data is collected without errors.


744589-3 : Missing data for Firewall Events Statistics

Component: Application Visibility and Reporting

Symptoms:
Statistical information that is collected for Firewall event, has some data that is getting lost and not reported.

When this is taking place, the following message appears at avrd log:
Some rows of load_stat_firewall_events_<some number> not loaded

Conditions:
AFM is used, no particular condition that leads to this situation of losing some of the stats, usually takes place under heavy activity.

Impact:
Statistical reports of Firewall Events are missing some the the activity that actually took place.

Workaround:
There is no workaround at this time.

Fix:
Issue with missing data was fixed.


744516-4 : TMM panics after a large number of LSN remote picks

Component: Carrier-Grade NAT

Symptoms:
TMM panics with the assertion 'nexthop ref valid' failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.

Conditions:
An LSN Pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.

Impact:
TMM restarts. Traffic is interrupted.

Workaround:
There is no workaround.

Fix:
TMM no longer panics regardless of the number of remote picks.


744347-4 : Protocol Security logging profiles cause slow ASM upgrade and apply policy

Component: Application Security Manager

Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.

Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.

Impact:
ASM upgrade and apply policy are delayed.

Workaround:
There is no workaround at this time.


744275-1 : BIG-IP system sends Product-Name AVP in CER with Mandatory bit set

Component: Service Provider

Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.

Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Product-Name AVP.

Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.

Workaround:
Configure an iRule in the MRF transport-config, for example:

ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 269 0
        }
    }
}

Fix:
This release always clears the Mandatory bit for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.


744210-2 : DHCPv6 does not have the ability to override the hop limit from the client.

Component: Local Traffic Manager

Symptoms:
DHCPv6 packet may be dropped by a device after the DHCP relay if the client provided hop limit is 1.

Conditions:
DHCPv6 Relay configured on the BIG-IP.

Impact:
Loss of DHCPv6 service.

Workaround:
There is no workaround at this time.

Fix:
Configurable hop limit over-ride capabilities provided for client sent DHCPv6 packets.


744188-1 : First successful auth iControl REST requests will now be logged in audit and secure log files

Component: TMOS

Symptoms:
Previously, when making a REST request from a client for the first time and it is successful, this action was not logged.

Just subsequent REST calls were logged or initial failed REST calls from a client were logged.

Conditions:
Making a successfully auth-ed initial REST request from a new client to BIG-IP.

Impact:
BIG-IP admins would not know when a new client first made a successful REST call to BIG-IP.

Workaround:
None.

Fix:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.

Here's an example of what shows in audit log:

-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user bart2 - RAW: httpd(pam_audit): user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".

Here's an example of what shows in secure log:

-- info httpd(pam_audit)[26561]: user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user usr2 - RAW: httpd(pam_audit): user=usr2(usr2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".

Subsequent REST calls will continue to be logged normally.

Behavior Change:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.

Subsequent REST calls will continue to be logged normally.


744035-6 : APM Client Vulnerability: CVE-2018-15332

Solution Article: K12130880


743900-1 : Custom DIAMETER monitor requests do not have their 'request' flag set

Component: Local Traffic Manager

Symptoms:
Using the technique detailed in the Article: K14536: Customizing the BIG-IP Diameter monitor https://support.f5.com/csp/article/K14536 to create custom DIAMETER monitor requests fails for any request that uses the numeric form of a DIAMETER command code, because the 'request' flag is not set in the DIAMETER packet.

Conditions:
-- Using custom DIAMETER monitor requests.
-- Using numeric DIAMETER command codes.

Impact:
The monitor probes fail because the BIG-IP system does not set the DIAMETER 'request' flag for requests it sends when using a numeric value for the command code, so the DIAMETER server thinks it is a response

Workaround:
None.

Fix:
Ensured that the 'request' flag is set for all DIAMETER monitor requests.


743803-1 : IKEv2 potential double free of object when async request queueing fails

Component: TMOS

Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.

Conditions:
When an async IPsec crypto operation fails to queue.

Impact:
Restart of tmm. All tunnels lost must be re-established.

Workaround:
No workaround known at this time.


743437-3 : Portal Access: Issue with long 'data:' URL

Component: Access Policy Manager

Symptoms:
HTML page may contain a very long 'data:' URL. Portal Access cannot handle such URLs correctly.

Conditions:
HTML page with very long 'data:' similar to the following example:

    data:image/png;base64,...

Such URLs might be several megabytes long.

Impact:
The rewrite plugin cannot process HTML pages with very long URLs and restarts. The page is not sent to the end user client; web application may not work correctly.

Workaround:
There is no workaround at this time.

Fix:
Now Portal Access handles very long 'data:' URLs correctly.


742852-1 : Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header

Component: Application Security Manager

Symptoms:
Bot defense blocks a request containing a TSPD101 cookie in query string. TSPD101 is sent when using the Safari browser, and cross-site redirect protection is applied on a request.

Conditions:
- ASM provisioned.
- Bot Defense profile attached to a virtual server.
- Cross-site redirection is applied on a request.
- Using the Safari browser.

Impact:
Cross-site requests are blocked during the grace period configured on the bot defense profile.

Workaround:
Disable browser verification in the bot defense profile.

Fix:
Cross-site redirect protection now works as expected when cookie is sent via query string.


742829-1 : SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0

Component: Service Provider

Symptoms:
The BIG-IP system incorrectly handles SDP media ports. UAC sends SDP message body publishing capable of handling voice, text, and video. UAS responds, publishing voice, text and video not desired by setting video port to '0'. The BIG-IP system does not honor the fact that UAS does not want video, and translates video port '0' to an ephemeral port, causing the UAC to believe it must open a video channel. When the UAC sends a video connection request, the BIG-IP system sends the request to the wrong port, i.e., to the media port for text, which causes the connection to fail.

Conditions:
RTP media port defined in the SIP message is set to 0.

Impact:
Improper media channel creation.

Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.


742558-1 : Request Log export document fails to show some UTF-8 characters

Component: Application Security Manager

Symptoms:
After exporting an ASM security event log, the log file exists but the characters are not visible.

Conditions:
Decoding of UTF-8 characters fails in Request Log export on small range of characters.

Impact:
The contents of the log are not human readable.

Workaround:
None.

Fix:
Request Log export document now shows UTF-8 characters correctly.


742251-1 : Add Alibaba Cloud support to Qkview

Component: TMOS

Symptoms:
Qkview has been updated to support obtaining files relevant to the Alibaba Cloud.

Conditions:
Run Qkview.

Impact:
Files related to the Alibaba Cloud were not collected.

Workaround:
None

Fix:
Files related to Alibaba Cloud are now collected.


742237-4 : CPU spikes appear wider than actual in graphs

Component: Local Traffic Manager

Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.

Conditions:
CPU usage has spikes.

Impact:
Graphs of CPU spikes appear to last longer than they actually last.

Workaround:
Perform the following procedure:

1. Run the following command to record the 5-second average rather than the 1-second average:

sed -i.bak 's/TMCOLNAME "ratio"/TMCOLNAME "five_sec_avg.ratio"/;s/TMCOLNAME "cpu_ratio_curr"/TMCOLNAME "cpu_ratio_5sec"/g' /config/statsd.conf

2. Restart statsd to load the new configuration:

bigstart restart statsd

Fix:
CPU samples for graphs are averaged over longer time to more closely represent actual time between samples.


742226-6 : TMSH platform_check utility does not follow best security practices

Solution Article: K11330536


742184-3 : TMM memory leak

Component: Local Traffic Manager

Symptoms:
-- High TMM memory utilization;
-- Aggressive sweeper activated;
-- the 'packet', 'xdata' and 'xhead' caches in the memory_usage_stat tmstat table have high 'allocated' and 'curr_allocs' numbers with a steadily increasing profile.

Conditions:
A fastL4 and a L7 profile (e.g. HTTP) are assigned to a virtual server.

Impact:
Degraded performance, possible TMM crash due to out-of-memory condition.

Workaround:
Do not add a L7 profile to a fastL4 virtual server.

Fix:
No memory leak in the TMM.


742078-6 : Incoming SYNs are dropped and the connection does not time out.

Component: Local Traffic Manager

Symptoms:
There is a hard-coded limit on the number of SYNs forwarded on a FastL4 connection. This might cause a problem when a connection is reused, for example, if a connection is not correctly closed.

Conditions:
-- SYN forwarding on FastL4 connections.
-- The number of SYNs on a single connection reaches the hard-coded limit.

Impact:
If the number of SYNs on a single connection reaches this limit, subsequent incoming SYNs are dropped and the connection might not time out.

Workaround:
There is no workaround.

Fix:
The following command enables the forwarding of an an unlimited number of SYNs:
tmsh modify sys db tm.dupsynenforce value disable


741503-1 : The BIG-IP system fails to load base config file when upgrading with static IPv4

Component: TMOS

Symptoms:
The BIG-IP system cannot load base config when upgrading with static IPv4. By default, the configuration is not moved on previous releases during the installation, but it moves mgmt address settings and the license.

Conditions:
This occurs during upgrade when a static mgmt IPv4 address is configured.

Impact:
Configuration does not load after upgrade.

Workaround:
Manually set the mgmt-dhcp value to 'disabled' in bigip_base.conf file.

Fix:
The BIG-IP system now loads the base config file as expected when upgrading with static IPv4 as mgmt address.


741449-3 : alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts

Component: Fraud Protection Services

Symptoms:
JAVASCRIPT_THRESHOLD alert should contain 2 timestamps:
1. component-validation cookie timestamp (set on cookie creation)
2. current BIG-IP timestamp

currently, these timestamps are not available in the alert details

Conditions:
JAVASCRIPT_THRESHOLD alert is triggered

Impact:
it is impossible to analyze the alert

Workaround:
There is no workaround at this time.

Fix:
FPS should always include both timestamps when triggering the JAVASCRIPT_THRESHOLD alert


741222-2 : Install epsec1.0.0 into software partition.

Component: Access Policy Manager

Symptoms:
On some hardware configurations, after the BIG-IP software upgrade, epsec1.0.0 install fails.

Conditions:
-- Upgrade from earlier versions to BIG-IP 14.1.0.
-- Attempting to install epsec1.0.0.

Note: This occurs on only some hardware platforms, including the following:
  + BIG-IP 4000
  + BIG-IP i2800 series
  + BIG-IP Virtual Edition
  + BIG-IP vCMP Guest

Impact:
Unable to install or use software check with APM endpoint inspection.

Workaround:
There is no workaround other than upgrading to a fixed version of the software.

Fix:
The epsec1.0.0 installation is now performed into active BIG-IP software volume (/var), so this issue no longer occurs.


741048-1 : iRule execution order could change after editing the scripts

Component: Local Traffic Manager

Symptoms:
iRule execution order might change. For example, you have the following iRules configured on a virtual server: rule1, rule2, rule3, and they all have CLIENT_ACCEPTED. If you do not specify their priority, or if you specify the same priority to each one, when you edit one, the execution order changes. For example, if you edit the rule2 script, the execution order changes to rule2, rule1, rule3.

Conditions:
Multiple events have the same priority.

Impact:
Execution order changes.

Workaround:
Specify different priorities for iRules containing the same event.

Fix:
iRule execution order is now maintained after editing the scripts.


740959-4 : User with manager rights cannot delete FQDN node on non-Common partition

Component: Local Traffic Manager

Symptoms:
A user that has manager rights for a non-Common partition, but not for the /Common partition, may be denied delete privileges for an FQDN template node that is created on the non-Common partition for which the user does have manager rights.

This occurs because ephemeral nodes created from the FQDN template node are 'shared' in the /Common partition, so the delete transaction fails because the user has insufficient permissions to delete the dependent ephemeral nodes on the /Common partition.

Conditions:
-- A user is created with manager rights for a non-Common partition.

-- That user does not have manager rights for the /Common partition;

-- At least one ephemeral node is created from that FQDN template node (due to DNS lookup), which is not also shared by other FQDN template nodes.

-- That user attempts to delete an FQDN template node on the non-Common partition for which the user has manager rights.

Impact:
The transaction to delete the FQDN template node fails due to insufficient permissions. No configuration changes occur as a result of the FQDN template node-delete attempt.

Workaround:
You can use either of the following workarounds:

-- Perform the FQDN template node-delete operation with a user that has manager rights to the /Common partition.

-- Create the FQDN template node on the /Common partition.

Fix:
A user with manager rights for a non-Common partition that has no manager rights to the /Common partition, is now able to successfully delete an FQDN template node created on that non-Common partition.


740543-1 : System hostname not display in console

Component: TMOS

Symptoms:
Hostname is not displayed in the shell prompt in bash and tmsh.

Conditions:
After reboot or upgrade, login to the host console, shell, or tmsh.

Impact:
Hostname is not displayed in the shell prompt.

Workaround:
Update hostname from GUI/TMSH.

Fix:
Hostname is now displayed in the shell prompt in bash and tmsh.


740345-3 : TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.

Component: Local Traffic Manager

Symptoms:
TMM generates cores files on the device.

Conditions:
Issue is seen when connection mirroring, session mirroring and OCSP stapling is enabled.

Impact:
If a failover happens when a SSL handshake is in progress,
TMM restarts and a core file is generated on the standby device. Traffic disrupted while tmm restarts.

Workaround:
None.


739963-4 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
To restore the state of the member, remove it and add it back to the pool.


739945-4 : JavaScript challenge on POST with 307 breaks application

Component: Application Security Manager

Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.

Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.

Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.

Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.

Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.


739432 : F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems

Component: Access Policy Manager

Symptoms:
F5 Adaptive Auth Configuration is a configuration required on BIG-IP systems. This allows access to F5 Adaptive Authentication Service hosted on the cloud. As the reporting feature is deprecated, the Reports associated with feature are removed from the BIG-IP system. The associated reports are now shown in the F5 Adaptive Auth Service instead.

Conditions:
Admin attempts to view F5 Adaptive Auth reports on the BIG-IP system.

Impact:
Admin cannot use F5 Adaptive Auth Reports on the BIG-IP system. This is because F5 Adaptive Auth Reports functionality has been removed from BIG-IP systems, and is no longer supported.

Workaround:
View the associated reports in the F5 Adaptive Auth Service instead.

Fix:
F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems.

Behavior Change:
The reporting feature of the F5 Adaptive Auth Configuration, which allows access to F5 Adaptive Authentication Service hosted on the cloud, is deprecated with this release, so the Reports associated with feature are removed from the BIG-IP system. The associated reports are now shown in the F5 Adaptive Auth Service instead.


739349-3 : LRO segments might be erroneously VLAN-tagged.

Component: Local Traffic Manager

Symptoms:
Segments being processed for large receive offload (LRO) (the action the system performs to aggregate multiple incoming packets within a buffer before passing them up)
might be erroneously VLAN-tagged when LRO is enabled.

Conditions:
-- TCP LRO enabled.
-- Egress VLAN untagged.

Impact:
Egress traffic might sometimes be tagged.

Workaround:
Disable TCP LRO. To enable or disable LRO functionality, you can use the following command syntax:

tmsh modify sys db tm.tcplargereceiveoffload value <enable | disable>

Fix:
The system now ensures that fragment packet flags are correctly set.


738945-4 : SSL persistence does not work when there are multiple handshakes present in a single record

Component: Local Traffic Manager

Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.

Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.

Impact:
SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded on to server but then connection will stall and eventually idle timeout.

Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.

After changing or disabling persistence, the transaction succeeds and no longer hangs.


738943-3 : imish command hangs when ospfd is enabled

Component: TMOS

Symptoms:
- dynamic routing enabled
- ospfd protocol enabled
- imish hangs

Conditions:
- running imish command

Impact:
ability to show dynamic routing state using imish

Workaround:
restart ospfd daemon


738891-1 : TLS 1.3: Server SSL fails to increment key exchange method statistics

Component: Local Traffic Manager

Symptoms:
When TLS 1.3 is negotiated with a server SSL profile, the key exchange method statistics do not increment.

Conditions:
-- TLS 1.3 is configured on a server SSL profile.
-- TLS 1.3 is the protocol version negotiated.

Impact:
Missing statistics.

Workaround:
None.

Fix:
The key exchange method statistics are now correctly incremented.

Behavior Change:
When TLS 1.3 is now supported for configuration on server SSL profiles, so these statistics are now present.


738677-1 : Configured name of wildcard parameter is not sent in data integrity alerts

Component: Fraud Protection Services

Symptoms:
FPS sends a data integrity alert when a parameter is configured with 'Check Data Manipulation' enabled.
the alert includes parameter's actual-name, actual-val-crc, and expected-val-crc.

For wildcard parameters, it is difficult to tell which parameter was found and triggered the data integrity alert, since FPS sends only the actual name that was found in the request.

Conditions:
Wildcard parameter defined for integrity check.

Impact:
Alert analysis is more difficult, as the actual matched parameter is not obvious.

Workaround:
None.

Fix:
FPS now includes wildcard parameter's configured-name in the data integrity alert.


738676-1 : Errors when trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests

Component: Application Security Manager

Symptoms:
When trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests

Delete fails with error and exceptions in restjavad.log:

[WARNING][593][30 Jul 2018 14:42:26 UTC][8100/mgmt ForwarderPassThroughWorker] URI:http://localhost:8100/mgmt/tm/asm/events/bot-defense-events?$top=200000, Referrer:https://<local_IP>/dms/bot_defense/bot_requests.php, Method:DELETE, Exception:java.util.concurrent.TimeoutException: remoteSender:<remote_IP>, method:DELETE

Conditions:
This can be encountered when deleting all bot requests while traffic is passing.

Impact:
Delete fails, and there is significant memory consumption in asm_config_server.

Workaround:
None.

Fix:
This release fixes the bot-requests deletion process to not fail with errors and not cause substantial memory consumption in asm_config_server.


738430-3 : APM is not able to do compliance check on iOS devices running F5 Access VPN client

Component: Access Policy Manager

Symptoms:
Compliance check against Microsoft Intune fails when an APM end user attempts a VPN connection from a managed iOS device running the F5 Access VPN client.

Conditions:
-- APM policy is configured to use Microsoft Intune for device compliance check.
-- APM end user is attempting VPN connection using the F5 Access VPN client on an iOS device.

Impact:
APM is not able to do compliance checks on the device, and VPN connection fails.

Workaround:
None.

Fix:
APM can now check iOS devices for compliance against Microsoft Intune.


738236-7 : UCS does not follow current best practices

Component: TMOS

Symptoms:
Under certain conditions,

Conditions:
Administrative access to system status data

Impact:
UCS save operations do not follow current best practices.

Workaround:
None.

Fix:
UCS save operations now follow current best practices.


738108-1 : SCTP multi-homing INIT address parameter doesn't include association's primary address

Component: TMOS

Symptoms:
When multihoming is enabled in an SCTP profile, the source-address of the INIT chunk was not added as an Address parameter in that INIT chunk.

Conditions:
Any SCTP profile where multi-homing is enabled.

Impact:
No impact for peers that implement SCTP in accordance with RFC 4960.

RFC does not require that the address either should or should not be included in the INIT chunk, but does require that an entity receiving an INIT chunk include the source-address in its list regardless of whether that is included in the INIT chunk.

Workaround:
No known workaround.

Fix:
BIG-IP now includes all relevant addresses in the INIT chunk.

Behavior Change:
When multihoming is enabled, the local address will now be added to the INIT chunk. Previously the local address (that is, the address that the datagram is sent from) was not listed as an Address parameter. This is permitted, but not required, by RFC 4960 section 3.3.2.1.


737985-2 : BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode.

Component: Local Traffic Manager

Symptoms:
Services that require Standard Proxy mode cannot be availed of.

Conditions:
A BIG-IP system deployed in an L2 transparent mode using VLAN groups.

Impact:
Prevents services that require Standard Proxy mode from being leveraged in an L2 transparent deployment.

Workaround:
None.

Fix:
Support standard proxy mode.


737910-4 : Security hardening on the following platforms

Solution Article: K18535734


737866-2 : Rare condition memory corruption

Component: Application Security Manager

Symptoms:
BD dameon core

Conditions:
Slow server and slow offload services.

Impact:
A bd crash, traffic distrubance

Workaround:
None.

Fix:
A memory corruption condition was solved.


737731-6 : iControl REST input sanitization

Solution Article: K44885536


737574-6 : iControl REST input sanitization

Solution Article: K20541896


737565-6 : iControl REST input sanitization

Solution Article: K20445457


737558-1 : Protocol Inspection user interface elements are active but do not work

Component: Protocol Inspection

Symptoms:
Protocol Inspection (PI) user interface options are present, but are not applied to traffic.

Protocol Inspection (PI) now requires the presence of either an add-on subscription or an AFM standalone license for any of the features to work. A 'Good' or 'Better' license does not activate the PI features. The Configuration Utility still allows you to configure inspection profiles, compliance checks, and signatures, but they are not applied to traffic. There is no feedback that they are not applied.

Conditions:
-- AFM licensed and provisioned through 'Good' or 'Better' license, but no add-on subscription license for Protocol Inspection. Alternately, AFM licensed as an add-on module to another module (typically LTM).

-- PI profile configured and applied to a virtual server or referenced in a firewall rule in an active firewall policy.

Impact:
If you previously had Protocol Inspection configured without the add-on license installed, the features are no longer applied to traffic until the add-on license is obtained. However, the GUI options remain active.

Workaround:
None.


737536-2 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.

Component: TMOS

Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|

Attempting to redistribute default route received from OSPF process that is peering with the Internet to OSPF process 2. However, if that route is removed (e.g., an Internet link goes down), OSPF process 2 removes the associated route and the 'default-information originate' command is the ideal choice, because as long as the OSPF process 1 default route is in the routing table, the default route is redistributed into OSPF process 2. If that route is gone, OSPF process 2 immediately removes it from routing table. Enabling 'default-information originate' on OSPF process 2 does not affect the outcome, and a default route is not injected like it should be.

Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example:

OSPF router config examples:
***
OSPF 1:
!router ospf 1
 ospf router-id 10.13.0.7
 redistribute ospf
 network 10.13.0.0/16 area 0.0.0.1
 default-information originate

OSPF 2:
router ospf 1
 ospf router-id 10.14.0.5
 redistribute ospf
 network 10.14.0.0/16 area 0.0.0.1

BIG-IP system:
router ospf 1
 ospf router-id 10.13.0.2
 network 10.13.0.0/16 area 0.0.0.1
router ospf 2
 ospf router-id 10.14.0.9
 network 10.14.0.0/16 area 0.0.0.1
***

-- Enable 'default-information originate' on BIG-IP OSPF process 2 should allow OSPF process 2 to receive advertised default route from BIG-IP OSPF process 1 if such exists.

# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
 ospf router-id 10.13.0.2
 network 10.13.0.0/16 area 0.0.0.1
router ospf 2
 ospf router-id 10.14.0.9
 network 10.14.0.0/16 area 0.0.0.1
 default-information originate

Impact:
A default route from OSPF process 1 is not advertised into OSPF process 2 routing table.

Workaround:
None.

Fix:
Enabling 'default-information originate' on OSPF process 2 forces OSPF process 2 to receive a default route from OSPF process 1 if such exists.


737423-2 : Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033

Component: TMOS

Symptoms:
An integer wraparound has been discovered in the Binary File Descriptor (BFD) library distributed in GNU Binutils up to version 2.30. An attacker could cause a crash by providing an ELF file with corrupted DWARF debug information.

concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by nm-new.

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can occur during execution of nm.

Conditions:
Command-line usage of binutils tools by users with Advanced Shell Access

Impact:
None in default, standard and recommended configurations.

Workaround:
None.

Fix:
Upgraded binutils to an unaffected version.


737035-2 : New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup.

Component: Advanced Firewall Manager

Symptoms:
BDoS feature (AFM/DHD) needs to share learned traffic characteristics across nodes (within a cluster) and across devices (within the device group).

Previous infrastructure used by BDOS could cause spikes in disk usage due to a large number of snapshot files being saved under /config/filestore/ partition (.trash_bin_d and files_d/Common_d/l4bdos_context_d sub-directories).

Conditions:
BDOS feature is enabled on at least 1 context (either at global context or at least 1 virtual server).

Impact:
The /config partition on the BIG-IP system consistently fills up with large numbers of directories/files under /config/filestore/, eventually causing system to run out of disk space under /config partition.

Workaround:
As a workaround, manually delete files/directories filling up under /config/filestore/ partition (.trash_bin_d and files_d/Common_d/l4bdos_context_d sub-directories) to free up disk space.

Fix:
BDOS now uses a new (and improved) infrastructure for sharing data across nodes/devices (within device group/cluster setup) that does not require snapshot files to be maintained under /config/filestore/ partition.


734551-3 : L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server

Component: Local Traffic Manager

Symptoms:
Configuration overhead that requires configuration of a virtual server per VLAN group.

Conditions:
A BIG-IP system deployed in an L2 transparent mode using VLAN groups.

Impact:
Configuration overhead to configure virtual server per VLAN group.

Workaround:
None.

Fix:
Prevent the need to configure a virtual server per VLAN group.


734291-1 : Logon page modification fails to sync to standby

Component: Access Policy Manager

Symptoms:
Changes in the login page of VPE do not sync to standby.

Conditions:
1. You make changes to the logon page on the active device, making changes to the username or any other field on the login page of VPE.
2. You sync to standby, and it succeeds.

Impact:
When you access in standby device, the customization error failure message appears, and the dialog fails to open in VPE. You cannot see the changes made on the active device from standby device.

Workaround:
Do not make changes to fields on the login page.

Fix:
Changes in the login page of VPE now sync to standby.


734228 : False-positive illegal-length violation can appear

Component: Application Security Manager

Symptoms:
A false-positive illegal-length violation.

Conditions:
A chunked request where the request length is more than half of the configured max-request length.

Impact:
False-positive illegal-length violation.

Workaround:
Configure a higher max request length violation.

Fix:
Fixed a false-positive request-length violation.


727136-1 : One dataset contains large number of variations of TLS hello messages on Chrome

Component: Anomaly Detection Services

Symptoms:
Dataset of TLS fingerprints of clients of a site can consume significantly more space than needed.

Conditions:
-- BADOS with TLS signatures.
-- AFM end user clients using the Mozilla Chrome browser.

Impact:
Dataset is full, so it does not contain a full TLS fingerprints set. As result there is a risk of creating false-positive TLS signatures.

Workaround:
Turn off TLS signatures.

Fix:
Dataset of TLS fingerprints contains unique TLC fingerprints regardless GREASE ciphers.


727107-4 : Request Logs are not stored locally due to shmem pipe blockage

Component: Application Security Manager

Symptoms:
An unknown issue causes the communication layer between pabnagd and asmlogd to be become stuck. Messages similar to the following appear in pabnagd.log:

----------------------------------------------------------------------
account |NOTICE|... src/Account.cpp:183|Skipped 36 repeated messages. Request Log protobuf subscription queue is full. Message dropped.
rqlgwriter |WARNIN|... src/RequestLogWriter.cpp:137|Skipped 599 repeated messages. No space to write in shmem.

Messages similar to the following appear in pabnagd.log:

Conditions:
Request Logs are not stored locally due to shmem pipe blockage.

Impact:
Event logs stop logging locally.

Workaround:
Restart policy builder with:
killall -s SIGHUP pabnagd

Fix:
The policy builder now detects the blockage, and restarts the connection with the request logger.


726647-5 : PEM content insertion in a compressed response may truncate some data

Component: Policy Enforcement Manager

Symptoms:
HTTP compressed response with content insert action can truncate data.

Conditions:
PEM content insertion action with compressed HTTP response.

Impact:
Data might be truncated.

Workaround:
There is no workaround other than disabling compression accept-encoding attribute in the HTTP request.

Fix:
HTTP compressed response with content insert action no longer truncates data.


726487-4 : MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.

Component: TMOS

Symptoms:
The MCPD daemon on secondary VIPRION or vCMP blades exits and restarts, logging errors similar to the following:

-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.

-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.

Or:

--- err mcpd[8320]: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).

--- err mcpd[8320]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).... failed validation with error 17236027.

Or:

err mcpd[12620]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Invalid static route modification. A destination change from 172.25.0.1%500 to 172.25.0.1 is not supported... failed validation with error 17237812.

Conditions:
This issue occurs when all of the following conditions are met:

-- VIPRION or vCMP platform with more than one blade.
-- A partition with a non-default route domain.
-- Either:
   + Creating a pool member in that partition while a configuration save is taking place at the same time (either system- or user-initiated).
   + Modifying a route in that partition while a configuration save is taking place at the same time (either system- or user-initiated).

Impact:
If the system is Active, traffic is disrupted as the secondary blades restart. The capacity of the system will be reduced until all blades are on-line again. Additionally, depending on the system configuration, the system may fail over to its peer (if one exists).

Workaround:
There is no workaround other than not to create pool members or modify routes from one client while saving configuration changes in another client. However, this does not help if the configuration save operation was system-initiated.

Fix:
MCPD on secondary blades no longer restarts if a pool member is created or a route is modified in a partition that uses a non-default route domain at the same as the configuration is being saved.


726393-2 : DHCPRELAY6 can lead to a tmm crash

Solution Article: K36228121


726327 : NodeJS debugger accepts connections from any host

Solution Article: K37111863


726317-6 : Improved debugging output for mcpd

Component: TMOS

Symptoms:
In some cases, mcpd debugging output is insufficient for diagnosing a problem.

Conditions:
Using debugging in mcpd, specifically, setting log.mcpd.level to debug.

Impact:
None. Has no effect without log.mcpd.level set to debug.

Workaround:
None.

Fix:
New output helps F5 engineers diagnose mcpd problems more easily.


726240-1 : 'Cannot find disk information' message when running Configuration Utility

Component: TMOS

Symptoms:
When running the Configuration Utility in the GUI, after clicking Next on the License screen, the GUI reports an error and you are unable to proceed: Cannot find disk information.

Conditions:
The conditions that trigger this are unknown; in one scenario, it was observed after running 'tmsh load sys config default', suspending the BIG-IP Virtual Edition (VE) guest, and then restarting it and running the Configuration Utility.

Impact:
You are unable to proceed through the configuration utility.

Workaround:
If this occurs, reboot the device, and the error will fix itself.


726176-2 : Platforms using RSS and xor_fold DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve

Component: Local Traffic Manager

Symptoms:
The BIG-IP system running RSS and xor_fold DAG hash attempts to reuse ports while pool members remain in a TIME_WAIT state and are unable to process new connections.

Conditions:
This issue occurs when all of the following conditions are met:

-- You are running on a BIG-IP platform using RSS DAG hash, for instance, z100 and 2000 or 4000 series hardware platform or using xor_fold hash on i2000/i4000 platforms.
-- You have the FastL4 profile associated with a virtual server.
-- The virtual server is configured with source-port preserve.

Impact:
Traffic throughput may be degraded.

Workaround:
Set source-port to change.

Fix:
Platforms running RSS DAG and xor_fold hash now reuse source port at the correct rate when virtual server sets source-port preserve.


725791-6 : Potential HW/HSB issue detected

Component: TMOS

Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.

With a burst of CRC errors in the SRAM for ePVA transformation cache, it does not trigger a failover and causes a silent traffic outage on the FastL4 VIP with hardware traffic acceleration. This occurs because the health check watchdog packets are still functioning correctly, and the current TMOS software primarily monitors watchdog packets tx/rx failures to trigger failover.

In these cases, there might be the following messages in /var/log/tmm*:

  Device error: hsb_lbb* tre2_crc_errs count *

Conditions:
Traffic is offloaded to HSB hardware for acceleration.

Impact:
Hardware accelerated traffic drop.

Workaround:
Switch traffic to software acceleration.

Fix:
Including traffic-critical registers in failover triggers, helps failover happen quickly with minimum disruption to traffic in the case of SRAM hardware failures.


725625-1 : BIG-IP VE Cryptographic Offload updated to Intel QAT 1.7 v4.4.0 SDK

Component: TMOS

Symptoms:
Data compression offload to QuickAssist devices is now enabled as part of BIG-IP Virtual Edition (VE) Cryptographic Offload feature.

BIG-IP VE Cryptographic Offload uses the Intel QAT 1.7 SDK. A newer QAT 1.7 SDK v4.4.0 provides code and firmware that fixes several known QAT defects, including a compression defect specific to Lewisburg/Lewis Hill QuickAssist devices.

Conditions:
-- BIG-IP VE SSL Offload is licensed
-- The BIG-IP VE VM has been assigned QAT Virtual Functions.

Impact:
BIG-IP VE Cryptographic and Compression offload are more reliable. The QAT 1.7 v4.4.0 SDK should be installed on the hypervisor host.

Workaround:
None.

Fix:
Several Intel QuickAssist defects have been fixed for
BIG-IP VE Cryptographic and Compression Offload by
upgrading BIG-IP VE to the Intel QAT 1.7 v4.4.0 SDK.

This newer QAT SDK introduces code and firmware support to fix several defects. A new Compress and Verify mode is introduced to work around a compression defect specific to Lewisburg/Lewis Hill QuickAssist devices.

See Intel's QuickAssist Release Notes for additional details:
https://01.org/sites/default/files/downloads//336211-009qatrelnotes.pdf.


725551-2 : ASM may consume excessive resources

Component: Application Security Manager

Symptoms:
While processing certain types of responses, ASM may consume excessive resources.

Conditions:
-- ASM provisioned and enabled.
-- Response-side features are enabled (e.g., the default learn from responses and learn server tech or data guard is Enforced, etc.).

Impact:
Excessive resource consumption, potentially leading to a delay in traffic processing or a failover event.

Workaround:
None.

Fix:
ASM now processes traffic as expected.


724680-6 : OpenSSL Vulnerability: CVE-2018-0732

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K21665601

Conditions:
For more information see: https://support.f5.com/csp/article/K21665601

Impact:
For more information see: https://support.f5.com/csp/article/K21665601

Workaround:
None.

Fix:
For more information see: https://support.f5.com/csp/article/K21665601


724327-2 : Changes to a cipher rule do not immediately have an effect

Component: Local Traffic Manager

Symptoms:
If a cipher rule is changed, and a cipher group that uses the rule is attached to an SSL profile, the change does not take effect until something else on the SSL profile changes.

Conditions:
-- A cipher group is used by an SSL profile.
-- One of its cipher rules changes.

Impact:
Unexpected behavior occurs because the cipher rule change does not take effect immediately.

Workaround:
After changing the cipher rule that's used by a cipher group, make a change to any SSL profile that uses the associated cipher group.

Fix:
Any changes to a cipher rule or cipher group now takes immediate effect.


724109-2 : Manual config-sync fails after pool with FQDN pool members is deleted

Component: TMOS

Symptoms:
If a user, deletes a fqdn pool on one BIG-IP in a cluster and then run a manual config sync with another BIG-IP, the change fails to sync with the other BIG-IPs in the cluster.

Conditions:
- Create fqdn pool in one BIG-IP
- Save sys config
- Run config sync
- Delete fqdn pool
- Save sys config
- Run config sync manually

Result: After deleting fqdn pool in BIG-IP and config sync with another BIG-IP, Manual config sync failed. Still, we can see the deleted fqdn pool in another BIG-IP

Impact:
FQDN pool delete failed in another BIG-IP and manual config sync operation is failed.

Workaround:
The workaround for this issue is to use auto-sync.


723790-3 : Idle asm_config_server handlers consumes a lot of memory

Component: Application Security Manager

Symptoms:
Idle asm_config_server handlers needlessly uses a large amount of memory.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a big XML ASM policy and then leaving the BIG-IP system idle. Relevant asm_config_server handler process increases its memory consumption and stays that way, holding on to the memory until it is released with a restart.

Impact:
Unnecessary memory consumption.

Workaround:
1) Lower the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server:
---------------
# perl -pi.bak -e 's/MaxMemorySize=471859200/MaxMemorySize=262144000/' /etc/ts/tools/asm_config_server.cfg
---------------

2) Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------

Notes:
-- The provided workaround does not permanently fix the issue. Instead it alleviates the symptoms of memory pressure, by (1) lowering the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server, and (2) freeing up all the memory that is currently taken by all asm_config_server processes.
-- This workaround does not cause any down time; the asm_config_server processes automatically start within ~30 seconds.


723288-4 : DNS cache replication between TMMs does not always work for net dns-resolver

Component: Global Traffic Manager (DNS)

Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.

Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.

Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.

Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.

Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)


721741-4 : BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative

Component: Application Security Manager

Symptoms:
bd log spits this error.
-------
ECARD_POLICY|NOTICE|May 24 04:49:42.035|4143|table.h:2408|IPTableList::del_object key not found in table
ECARD|ERR |May 24 04:49:42.035|4143|table.h:0398|KEY_UPDATE: Failed to REMOVE data will continue to add
-------

Conditions:
Configuring IP Address Exceptions in certain order - w/ and w/o route domain.

Impact:
BD and BD_Agent out-of-sync for IP Address Exception, causes false positives / false negatives

Workaround:
There is no workaround at this time.

Fix:
System no longer generates these false positive/negative log entries.


721724-1 : LONG_REQUEST notice print incorrect in BD log

Component: Application Security Manager

Symptoms:
LONG_REQUEST notice print shows incorrect memory usage.

Conditions:
-- A long request is received.
-- View the LONG_REQUEST notice in the BD log.

Impact:
LONG_REQUEST notice is seen in BD logs containing an incorrect value for total memory used by long request buffers. Incorrect logging of total memory used by long request buffers.

Workaround:
None.

Fix:
LONG_REQUEST notice print in BD log now shows correct amount of memory used by long request buffers.


721585-1 : mcpd core processing ltm monitors with deep level of inheritance

Component: TMOS

Symptoms:
If the level of ltm monitor inheritance (defaults-from) is too large, i.e 9. then mcpd will fail to send sod a heartbeat within the heartbeat timeout; therefore sod will restart mcpd.

Conditions:
LTM monitors that have 9 levels of inheritance

i.e.

mon1 defaults from mon2, which defaults from mon3, which defaults from mon4 ... to mon10

Impact:
mcpd is restarted which will cause services to failover.

Workaround:
Rework the ltm monitors so that the level of inheritance is less than 9.


720219-3 : HSL::log command can fail to pick new pool member if last picked member is 'checking'

Solution Article: K13109068

Component: Local Traffic Manager

Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.

Conditions:
-- Using HSL::log command.
-- iRule with a remote high speed logging configured.

Impact:
Failure to send log messages via HSL.

Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.

Fix:
This issue no longer occurs. If a 'down' pool member is picked, it will eventually be bypassed to find an 'up' pool member, if possible.


719300-3 : ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address

Component: Local Traffic Manager

Symptoms:
ICMP unreachable packets sent by a server may be received by a client with the BIG-IP system's MAC address as the source MAC address.

Conditions:
BIG-IP deployed in an L2 transparent mode using VLAN groups.

Impact:
May impact services on the client that rely on source MAC address of incoming packets.

Workaround:
None.

Fix:
ICMP packets are now sent via the BIG-IP system in an L2 transparent mode.


718405-2 : RSA signature PAYLOAD_AUTH mismatch with certificates

Component: TMOS

Symptoms:
IPsec IKEv2 negotiation with other vendors may fail to establish tunnels when certificate authentication is configured, using either RSA signature or DSS.

The value of PAYLOAD_AUTH does not match when the BIG-IP system compares it with what the remote peer sends. The same certificate works when the BIG-IP system is the initiator, but not when another vendor is the initiator.

Conditions:
Interoperating with other vendors under IKEv2 while using certificates.

Impact:
IKEv2 tunnels fail to establish, failing the second IKE_AUTH exchange in the protocol.

Workaround:
Use pre-shared key authentication.

Fix:
BIG-IP systems now correctly build -- and verify -- AUTH payloads for RSA signatures and DSS, which should match other vendors and succeed, resulting in IKEv2 tunnels being created using certificates.

The DSS signature is no longer DER encoded, and the RSA signature now includes the 15-byte DER prefix (mandated by RFC3447, page 42) before the 20-byte SHA1 digest is signed by RSA.


717896-4 : Monitor instances deleted in peer unit after sync

Component: Local Traffic Manager

Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.

During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.

Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.

Impact:
After incremental-sync, a single monitor instance exists for the node on a 'backup' unit in an HA configuration, rather than the several monitor instances that exist for that node on the 'active' unit; and that node session is 'enabled' (where the 'from-node' was 'disabled); and that node status may be 'up' (where the 'from-node' was 'user-down'), and later transition to 'down' from a monitor-fail.

Thus, after incremental-sync, the target-node may then be 'down', while the active unit in the HA configuration continues to function as expected.

Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.

Fix:
An incremental-sync from a modified-node that was set to 'user-down' successfully replicates the several monitor instances on that node to the target-node on the backup device in an HA configuration.


717100-1 : FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member

Component: Local Traffic Manager

Symptoms:
FQDN ephemeral pool members and corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.

The missing FQDN ephemeral pool members may be created an hour after initial operations.

Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.

Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members, and any virtual servers using that pool to fail to pass traffic.

Workaround:
The following steps, alone or in combination, may help avoid this issue:

1. Avoid rapid creation of multiple FQDN template pool members (such as by creating multiple in a single tmsh CLI transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.

Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.

In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).

Fix:
Ephemeral pool members are now created for each pool under these conditions.


716714-4 : OCSP should be configured to avoid TMM crash.

Component: Local Traffic Manager

Symptoms:
TMM generates a core if OCSP is not configured in the SSL profile.

Conditions:
OCSP not configured in the SSL profile.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than configuring OCSP in SSL profiles.

Fix:
In this release, TMM skips processing OCSP if it is not enabled.


716167-2 : The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp

Component: Local Traffic Manager

Symptoms:
The MTU of the tmm_bp kernel interface may be out-of-sync with the value of sys db vlan.backplane.mtu as well as out-of-sync with the MTU displayed by the following command:
 tmsh show /net vlan all-properties -hidden.

Conditions:
This issue occurs on first-boot after upgrading to versions later than v12.1.1 HF1.

Impact:
From the data plane perspective, this issue can cause excessive IP fragmentation on tmm_bp VLAN and high CPU usage.

In some cases it also causes packet loss.

From the config perspective, this issue has a few smaller impacts:
-- Fragmented packets on the tmm_bp interface for those packets greater in length than the actual MTU of this interface as given by the kernel in response to the command:
 ip address list dev tmm_bp | egrep -i mtu or $ifconfig tmm_bp.

Note: This has no impact to the running system. Fragmented packets are reassembled in order for TCP clients of the tmm_bp interface.

-- The sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp as given by either of the following commands:
  ip address list dev tmm_bp
  ifconfig tmm_bp

-- Similarly, the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the Net::Vlan tmm_bp as returned by the command:
 tmsh show net vlan -hidden tmm_bp

Paraphrasing: The value of VLAN tmm_bp MTU (as found in vlan.backplane.MTU) is not applied to the corresponding kernel interface.

Workaround:
A series of subsequent restarts rolls the correct setting by issuing the following commands, in sequence:
  tmsh stop sys service all
  tmsh start sys service all

To verify the setting is correct, issue the command:
  ip addr show dev tmm_bp ; tmsh show net vlan -hidden tmm_bp \; list sys db vlan.backplane.mtu


715110-1 : AVR should report 'resolutions' in module GtmWideip

Component: Application Visibility and Reporting

Symptoms:
AVR does not report 'resolutions' in GtmWideip module.

Conditions:
One of the following modules is provisioned: AVR, AFM, or DNS/GTM.

Impact:
There are no statistics reported on 'resolutions' in GtmWideip module.

Workaround:
There is no workaround.

Fix:
AVR now reports 'resolutions' in GtmWideip module.


714292-3 : Transparent forwarding mode across multiple VLAN groups or virtual-wire

Component: Local Traffic Manager

Symptoms:
This is a virtual-wire or vlan-group deployment scenario in which there is a BIG-IP system connecting two networks with more than one link. This scenario is referred as 'asymmetric deployment'. In this case. the outgoing packet does not have the correct VLAN configured.

Conditions:
-- Virtual-wire or vlan-group configured.
-- BIG-IP system is connecting two networks with more than one link.
-- There is more than one virtual-wire/vlan-group to handle the traffic across multiple links.
-- Packets belonging to a flow arrive on any link with a valid VLAN.

Impact:
The connectivity between the endpoints fails.

Workaround:
None.

Fix:
Transparent forwarding mode now works across multiple VLAN groups or virtual-wire.

Behavior Change:
Transparent forwarding mode now works across multiple VLAN groups or virtual-wire.


713817-1 : BIG-IP images are available in Alibaba Cloud

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) images are now available in the Alibaba International Cloud Marketplace.

Conditions:
Create virtual server instance within Alibaba International Cloud environment and select BIG-IP from the list of available images.

Impact:
New offerings for BYOL and PAYG for BIG-IP VE are now available in the Alibaba International Cloud Marketplace.

Workaround:
BIG-IP VE images are now available in Alibaba Cloud.

Fix:
BIG-IP VE images are now available in Alibaba Cloud.

Behavior Change:
BIG-IP VE now supports the Alibaba International Cloud Marketplace.


713806-8 : CVE-2018-0739: OpenSSL Vulnerability

Solution Article: K08044291


712919-2 : Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server.

Component: Local Traffic Manager

Symptoms:
When an iRule is removed from a Virtual Server, especially one with explicitly specified high priority (with "priority" keyword), other iRules on the same Virtual Server may become "invisible" i.e. they are present but some of them are no longer executed. It may affect all the events or only certain types of them. Under certain conditions the defect may even disappear upon removing another iRule, particularly if it has low priority and handles the same event as the one which introduced the problem.

Conditions:
Removing an iRule from a Virtual Server.

Impact:
Some or all iRules on given Virtual Servers stop being executed.

Workaround:
Restart or reload the configuration. If removing iRules needs to be performed in run-time and it triggers the problem, it can be prevented by having any iRule (even an empty one) for the same event, as the iRule which is going to be removed, but with higher priority e.g. with attribute "priority 1".

Fix:
Corrected scanning of iRules stored behind the one which is being deleted.


710857-5 : iControl requests may cause excessive resource usage

Solution Article: K64855220


707013-3 : vCMP host secondary member's cluster.conf file may replaced by that of vCMP guest

Component: TMOS

Symptoms:
-- clusterd restarts on secondary blade.

-- Messages similar to the following are logged in each secondary blade's /var/log/ltm file as clusterd restarts:

Management IP (<guest_management_ip>) already in use by (vcmp guest <guest_name>)

-- Messages similar to the following are logged in the primary blade's /var/log/ltm file when clusterd restarts on a secondary blade:

notice clusterd[3676]: 013a0006:5: Hello from slot 1.
notice clusterd[3676]: 013a0006:5: Informing MCP about slot ID 1 member status.
notice clusterd[3676]: 013a0006:5: Goodbye from slot 1.

Conditions:
-- Power-cycling a blade reproduces the issue most of the time.
-- Possibly specific to platform:
   + This issue has been seen multiple hardware platforms, including B2100, B2150, B2250, and PB300.
   + Issue does not reproduce under the same conditions on a VIPRION 4800.

Impact:
Secondary slot on VIPRION hypervisor is in 'INOPERATIVE' state.

Workaround:
On the vCMP Host, copy the file /shared/db/cluster.conf from the primary to each secondary cluster members. For each secondary blade's slot, use a command similar to the following:

scp /shared/db/cluster.conf slot<slot number>:/shared/db/cluster.conf

Note: Implementing the workaround does not prevent the issue from recurring. An upgrade to an unaffected version is recommended.


704450-5 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration

Component: Local Traffic Manager

Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').

Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.

Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.

Workaround:
Reduce the load on the system.

Fix:
'bigd' does not crash and runs with complete configuration when (re-)starting when BIG-IP runs under heavy configuration resulting in 'mcpd' delaying its configuration of 'bigd'.


703835-5 : When using SCP into BIG-IP systems, you must specify the target filename

Solution Article: K82814400


703593-1 : TMSH tab completion for adding profiles to virtual servers is not working as expected

Component: Local Traffic Manager

Symptoms:
TMSH tab completion for adding profiles to virtual servers does not work. The list of profiles is not displayed when tab is pressed.

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm virtual asdf profiles add {
Configuration Items:
  [enter profile name]

Conditions:
List of profiles is not displayed when trying to add profiles during creation of a virtual server.

Impact:
List of available profiles is not displayed.

Workaround:
None.

Fix:
TMSH tab completion for adding profiles to virtual servers now shows the list of profiles.


702472-7 : Appliance Mode Security Hardening

Solution Article: K87659521


702469-7 : Appliance mode hardening in scp

Solution Article: K73522927


699977-3 : CVE-2016-7055: OpenSSL Vulnerability in NodeJS ILX

Solution Article: K43570545


698376-5 : Non-admin users have limited bash commands and can only write to certain directories

Component: TMOS

Symptoms:
TMSH access to Linux utilities does not follow best security practices.

Conditions:
Users without Advanced Shell Access running Linux utilities from inside TMSH.

Impact:
TMSH does not follow best security practices

Workaround:
None.

Fix:
TMSH access to Linux utilities now follows best security practices.

Behavior Change:
Some tmsh util commands will be restricted to writing files to certain directories.


697590-2 : APM iRule ACCESS::session remove fails outside of Access events

Component: Access Policy Manager

Symptoms:
ACCESS::session remove fails

Conditions:
iRule calling ACCESS::session remove outside of Access events.

Impact:
APM iRule ACCESS::session remove fails to remove session

Workaround:
Use "ACCESS::session modify" and set the timeout/lifetime to something small, like 1 second. This should cause the session to be deleted due to timeout almost immediately, but note that it will show up in logs as timeout.


696755-3 : HTTP/2 may truncate a response body when served from cache

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide a client-side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached on the BIG-IP system with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag, causing the client to ignore the rest of the response body.

Conditions:
BIG-IP system has a virtual server for which HTTP/2 and Web Acceleration profiles are configured.

Impact:
Some clients' browsers do not retry a resource, causing incorrect rendering of an HTML page.

Workaround:
Adding the following iRule causes the body to be displayed:

when HTTP_RESPONSE_RELEASE {
    set con_len [string trim [HTTP::header value Content-Length]]
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length "$con_len"
}

Fix:
With provided fix, HTTP/2 end users no longer experience the problem of incorrect page rendering due to this issue.


696735-2 : TCP ToS Passthrough mode does not work correctly

Component: Local Traffic Manager

Symptoms:
For Standard virtual server with a TCP profile, when using ToS passthough, the ToS value is not passed from the server to the client-side.

  ip-tos-to-client pass-through
  link-qos-to-client pass-through

Conditions:
- Standard virtual server.
- TCP profile configured with ToS passthrough.

Impact:
ToS is not passed to the client.

Workaround:
None.

Fix:
ToS is now passed correctly from the server to the client-side.


695985-4 : Access HUD filter has URL length limit (4096 bytes)

Component: Access Policy Manager

Symptoms:
Access HUD filter cannot process a URL if it is longer than 4096 bytes.

Conditions:
Any URL with a request consisting of more than 4096 bytes.

Impact:
The URL cannot be processed, and client gets a RST.

Workaround:
None.

Fix:
In this release, the URL length limit increased to 8192 bytes.


695878-2 : Signature enforcement issue on specific requests

Component: Application Security Manager

Symptoms:
Request payload does not get enforced by attack signatures on a certain policy configuration with specific traffic.

Conditions:
-- The violation 'Request exceeds max buffer size' is turned off.

-- The request is longer than the max buffer size (i.e., a request is larger than the internal long_request_buffer_size).

Impact:
Attack signatures are not enforced on the payload of this request at all.

Workaround:
Turn on the violation in blocking 'Request exceed max buffer size'.

Fix:
The operation now looks into part of the payload for the attack signatures enforcement.


689361-4 : Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)

Component: Local Traffic Manager

Symptoms:
It is possible for an overwrite-configsync to change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device.

Conditions:
Two pool members are monitored; and one references a node not responding to ICMP requests; and a gateway_icmp monitor is on both nodes; and an overwrite-configsync is initiated from a paired device, where the node does respond to ICMP requests from that paired device.

Impact:
The overwrite-configsync causes the 'unchecked' monitor to transition to 'up', when it should remain 'unchecked' for the device to which the node does not respond to ICMP requests.

Workaround:
Ensure network configuration such that a monitored node responds to ICMP requests from both (or neither) of each paired-device. Alternatively, initiate configuration changes only from the device to which the node will not respond to ICMP requests.

Fix:
An overwrite-configsync no longer replaces the 'unchecked' status with an 'up' status for a paired device, when the node does not respond to ICMP requests against the device that is the target of the overwrite-configsync.


687759-3 : bd crash

Component: Application Security Manager

Symptoms:
A bd crash.

Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, a form-data parsing is applied on a non-form-data payload (such as XML or JSON).

Impact:
bd crashes; system fails over; traffic disturbance occurs.

Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache


673842-6 : vCMP does not follow best security practices

Solution Article: K01413496


668041-4 : Config load fails when an iRule comment ends with backslash in a config where there is also a policy.

Solution Article: K27535157

Component: TMOS

Symptoms:
Config load fails when an iRule contains a commented line that ends with an escape character (backslash), and the config also contains an LTM policy. Depending on the iRule, you might also see the following error: Syntax Error:(/config/bigip.conf at line: 42078) double quotes are not balanced.

Conditions:
-- iRule contains commented line that ends with a backslash.
-- The config also contains a policy.

For example, an iRule similar to the first example, and a policy similar to the second:

ltm rule /Common/log_info {
  when HTTP_RESPONSE {
    #log local0. "Original Location header value: [HTTP::header value Location],\
     updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
}
}

...

ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    rules {
        TestPol_Rule1 {
            actions {
                0 {
                    forward
                    select
                    node 10.2.10.20
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    matches
                    values { 10.1.10.20 }
                }
            }
        }
    }
    strategy /Common/first-match
}

Impact:
Config load fails.

Workaround:
You can use any of the following workarounds:
-- Delete the line of code with the comment.
-- Put the entire comment on one line of code.
-- Divide lengthy comments into a series of smaller ones, so that each comment fits within one line of code.
-- Move the iRule so that it is sequentially before the LTM policy in the config file.

Fix:
Config load no longer fails when an iRule comment ends with backslash in a config where there is also a policy.


663819-1 : APM NTLM Authentication for RDP Client Gateway and Microsoft Exchange Proxy are incompatible with Microsoft workaround for MS17-010 (Wannacry / Eternalblue)

Component: Access Policy Manager

Symptoms:
Microsoft recently released security bulletin MS17-010 (https://technet.microsoft.com/library/security/MS17-010). This bulletin announces a recommended software patch to fix multiple vulnerabilities in SMBv1. It suggests an alternate workaround to disable SMBv1. When this workaround is followed, NTLM Authentication does not work in the following APM configurations:

-- APM RDP Gateway and NTLM Auth.
-- APM Exchange (Outlook Anywhere/ActiveSync) and NTLM Auth.
-- SWG Explicit and NTLM Auth.

Conditions:
-- SMBv1 is disabled as described in the Microsoft workaround in MS17-010.

-- Together with one or more of the following APM/SWG configurations, which can be configured to use NTLM Authentication:

   + APM RDP Gateway and NTLM Auth.
   + APM Exchange (Outlook Anywhere/ActiveSync) and NTLM Auth.
   + SWG Explicit and NTLM Auth.

Impact:
Authentication for connecting clients fails.

Workaround:
Do one of the following:

-- Do not follow the Microsoft workaround to disable SMBv1; instead install the recommended security patch.

-- For Exchange: Reconfigure Exchange CAS pool to use Kerberos Constrained Delegation SSO rather than NTLM. This will ensure that NTLM Passthrough is not used.

-- For RDP Proxy: Instead of RDP Proxy, use the Native RDP resource mode in BIG-IP APM v13.0.0 and later.

-- For SWG Explicit: Reconfigure to use Kerberos Authentication.

Fix:
APM no longer uses SMBv1/v2 protocols. Beginning with BIG-IP software v15.0.0, NTLM passthrough authentication works using Netlogon protocol over TCP directly (MSRPC over TCP). All issues related to SMB protocol are not applicable anymore.

Note: The new functionality was ported to the v14.1.0.5 release as well.


653573-6 : ADMd not cleaning up child rsync processes

Component: Anomaly Detection Services

Symptoms:
ADMd daemon on the device is spinning up rsync processes and not cleaning them up properly, which can result in zombie processes.

Conditions:
The rsync process ends via exit (which might occur if there is an issue with the process).

Impact:
Although there is no technical impact, there are many zombie processes left behind.

Workaround:
Restart admd to remove all existing rsync zombies:
bigstart restart admd

Fix:
admd now handles the SIGCHLD signal from rsync, so the issue no longer occurs.


648621-6 : SCTP: Multihome connections may not expire

Component: TMOS

Symptoms:
SCTP: Multihome connections may not expire when forcibly deleted.

Conditions:
When the multi-homing connections have been forcibly deleted from tmsh command.

Impact:
The multi-homing connections won't be expired.

Workaround:
Don't manually deleted the multi-homing connections.


648270-1 : mcpd can crash if viewing a fast-growing log file through the GUI

Component: TMOS

Symptoms:
If the GUI tries to display a log file that is actively growing by thousands of log entries per second, the GUI might hang, and mcpd could run out of memory and crash.

Conditions:
The GUI tries to display a log file that is actively growing by thousands of log entries per second.

Impact:
mcpd crashes, and it and tmm restart. Traffic disrupted while tmm restarts.

Workaround:
Do not use the GUI to view a log file that is growing by thousands of log entries per second.


643935-4 : Rewriting may cause an infinite loop while processing some objects

Component: Access Policy Manager

Symptoms:
Browser might become unresponsive when the end user client attempts to access a page containing specific script constructions through Portal Access.

Conditions:
The client application code contains an object that includes a toString() method and property names similar to ones from the JavaScript builtin Location interface.

Impact:
Browser becomes unresponsive when accessing the page through Portal Access.

Workaround:
None.

Fix:
None.


639619-7 : UCS may fail to load due to Master key decryption failure on EEPROM-less systems

Component: TMOS

Symptoms:
The following error:
'Symmetric Unit Key decrypt failure - decrypt failure'
is logged to /var/log/ltm when attempting to load a UCS.
Configuration fails then to load due to a secure attribute decryption failure.

Conditions:
1. UCS contains secure attributes.
2. UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS.
4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)

Impact:
The configuration fails to load.

Workaround:
Perform the following procedure:

1. Stop the system:
# bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS
4. Remove the mcp db to forcibly reload the keys:
# rm -f /var/db/mcpd.bin
# rm -f /var/db/mcpd.info

5. Restart the system and reload the configuration:
# bigstart start
# tmsh load sys config
or
# reboot

Fix:
The system now always reload the .unitkey from storage when loading other keys, so the UCS loads as expected.


636400-3 : CPB (BIGIP->BIGIQ log node) Hardening

Solution Article: K26462555


621260-2 : mcpd core on iControl REST reference to non-existing pool

Component: TMOS

Symptoms:
MCPd cores when attempting to create a pool and a monitor reference by using a REST call such as:

curl -u admin:admin -H "Content-Type: application/json" -X POST http://localhost:8100/tm/ltm/pool -d'{"name":"test_pool","monitor":" "}'

Conditions:
The monitor reference in the REST call must be comprised of a single space character.

Impact:
MCPd restarts, causing many of the system daemons to restart as well.

Workaround:
Don't use spaces in the monitor reference name.


620301-1 : Policy import fails due to missing signature System in associated Signature Set

Component: Application Security Manager

Symptoms:
ASM policy import fails due to a missing System, used in an associated Signature Set.

Conditions:
ASM policy is imported using an export file from a device with a more recent ASM Signature Update.

Impact:
The ASM policy import fails.

Workaround:
Update the ASM Signature on the target device before importing the policy.


581921-5 : Required files under /etc/ssh are not moved during a UCS restore

Solution Article: K22327083

Component: TMOS

Symptoms:
The SSH files required for SSH sign on are not transferred when performing a UCS restore operation. Further, files are not transferred even during upgrade.

Conditions:
This can happen when performing a UCS restore operation, or when upgrading from one version to the next.

Impact:
This might impact SSH operations.

Workaround:
Add the /etc/ssh directory to the UCS backup configuration. This causes all subsequent UCS backup and restore operations will now include the /etc/ssh/ directory.

To complete this procedure, refer to K4422: Viewing and modifying the files that are configured for inclusion in a UCS archive :: https://support.f5.com/csp/article/K4422.

Fix:
The correct folder is now present when performing a UCS restore operation, so that all of the files required for the operation of SSH are transferred.


504522-4 : Trailing space present after 'tmsh ltm pool members monitor' attribute value

Component: Local Traffic Manager

Symptoms:
Values returned from the tmsh command 'ltm pool pool members monitor' have a trailing space, such as returning '/Common/myhttps ' (note the trailing-space). This trailing-space is also observed for the value returned from a REST call.

Conditions:
'tmsh' or a REST call is used to return the 'monitor' for pool members.

Impact:
Scripts or custom applications processing this returned output may wish to 'trim' whitespace on the value (as a trailing space is present); or should not assume the trailing space will be present in the future (as this behavior is not guaranteed).

Workaround:
Use a script or custom applications to 'trim' trailing whitespace for returned values.

Fix:
Values returned from the tmsh command 'ltm pool pool members monitor' no longer have a trailing space.



Known Issues in BIG-IP v14.1.x


TMOS Issues

ID Number Severity Solution Article(s) Description
809553 1-Blocking   ONAP Licensing - Cipher negotiation fails
778317-1 1-Blocking   IKEv2 HA after Standby restart has race condition with config startup
860517-3 2-Critical   MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
856713-1 2-Critical   IPsec crash during rekey
845629-1 2-Critical   Hv_netvsc vmbus_17 timeout at boot causes reduced NIC performance
841953-5 2-Critical   A tunnel can be expired when going offline, causing tmm crash
841333-5 2-Critical   TMM may crash when tunnel used after returning from offline
837637-2 2-Critical   Orphaned bigip_gtm.conf can cause config load failure after upgrading
831821-3 2-Critical   Corrupted DAG packets causes bcm56xxd core on VCMP host
829677-1 2-Critical   .tmp files in /var/config/rest/ may cause /var directory exhaustion
819009-3 2-Critical   Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in high availability (HA) config with Floating Self IP configured for PIM protocol.
817709-2 2-Critical   IPsec: TMM cored with SIGFPE in racoon2
817085-4 2-Critical   Multicast Flood Can Cause the Host TMM to Restart
811701-1 2-Critical   AWS instance using xnet driver not receiving packets on an interface.
811149-1 2-Critical   Remote users are unable to authenticate via serial console.
810593-2 2-Critical   Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade
807453-1 2-Critical   IPsec works inefficiently with a second blade in one chassis
805417-1 2-Critical   Unable to enable LDAP system auth profile debug logging
797221-1 2-Critical   BCM daemon can be killed by watchdog timeout during blade-to-blade failover
796601-4 2-Critical   Invalid parameter in errdefsd while processing hostname db_variable
792285-2 2-Critical   TMM crashes if the queuing message to all HSL pool members fails
787285 2-Critical   Configuration fails to load after install of v14.1.0 on BIG-IP 800
785017-1 2-Critical   Secondary blades go offline after new primary is elected
780437-2 2-Critical   Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
777993-2 2-Critical   Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same
777229-1 2-Critical   IPsec improvements to internal pfkey messaging between TMMs on multi-blade
776393-2 2-Critical   Memory leak in restjavad causing restjavad to restart frequently with OOM
775897-1 2-Critical   High Availability failover restarts tmipsecd when tmm connections are closed
774361-2 2-Critical   IPsec High Availability sync during multiple failover via RFC6311 messages
770989 2-Critical   Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x.
769817-3 2-Critical   BFD fails to propagate sessions state change during blade restart
769581-1 2-Critical   Timeout when sending many large requests iControl Rest requests
769341-1 2-Critical   HA failover deletes outstanding IKEv2 SAs along with IKEv1 SAs
769169-3 2-Critical   BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring
767689-1 2-Critical   f5optics_install using different versions of RPM
767013-3 2-Critical   Reboot when B2150 and B2250 blades' HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
758929-2 2-Critical   Bcm56xxd MIIM bus access failure after TMM crash
758604-2 2-Critical   Deleting a port from a single-port trunk does not work.
756830-1 2-Critical   BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
755716-1 2-Critical   IPsec connection can fail if connflow expiration happens before IKE encryption
751924-2 2-Critical   TSO packet bit fails IPsec during ESP encryption
750588-1 2-Critical   While loading large configurations on BIG-IP systems, some daemons may core intermittently.
749388-3 2-Critical   'table delete' iRule command can cause TMM to crash
749249-1 2-Critical   IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP
748205-3 2-Critical   SSD bay identification incorrect for RAID drive replacement
747203-2 2-Critical   Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding
746464-1 2-Critical   MCPD sync errors and restart after multiple modifications to file object in chassis
746122-1 2-Critical   'load sys config verify' resets the active master key to the on-disk master key value
743946-2 2-Critical   Tmsh loads schema versions 12.x and earlier which are no longer supported
741676-2 2-Critical   Intermittent crash switching between tunnel mode and interface mode
737322-2 2-Critical   tmm may crash at startup if the configuration load fails
724556-3 2-Critical   icrd_child spawns more than maximum allowed times (zombie processes)
719597-3 2-Critical   HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0
717785-2 2-Critical   Interface-cos shows no egress stats for CoS configurations
699515-2 2-Critical   nsm cores during update of nexthop for ECMP recursive route
593536-7 2-Critical K64445052 Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations
860317-1 3-Major   JavaScript Obfuscator can hang indefinitely
860181-3 3-Major   After sync failure due to lack of local self-IP on the peer, adding in the self-IP does not resolve the sync error
858197-1 3-Major   Merged crash when memory exhausted
856953-2 3-Major   IPsec: TMM cored after ike-peer switched version from IKEv2 to IKEv1
853617-3 3-Major   Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles
852565-3 3-Major   On Device Management::Overview GUI page, device order changes
851789-3 3-Major   SSL monitors flap with client certs with private key stored in FIPS
851785-1 3-Major   BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver
851021-3 3-Major   Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error
850997-3 3-Major   'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page
849405 3-Major   LTM v14.1.2.1 no log after upgrade
846141-3 3-Major   Unable to use Rest API to manage GTM pool members that have an pipe symbol '|' in the server name.
843661-3 3-Major   TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command
843597-3 3-Major   Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle
842901-3 3-Major   Improve fast failover of PIM-DM-based multicast traffic when BIG-IP is deployed as an Active/Standby HA pair.
842669-1 3-Major   Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log
842189-2 3-Major   Tunnels removed when going offline are not restored when going back online
841721-3 3-Major   BWC::policy detach appears to run, but BWC control is still enabled
841649-2 3-Major   Hardware accelerated connection mismatch resulting in tmm core
841277-5 3-Major   C4800 LCD fails to load after annunciator hot-swap
838901-2 3-Major   TMM receives invalid rx descriptor from HSB hardware
838337-3 3-Major   The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
838297-1 3-Major   Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication
837481-5 3-Major   SNMPv3 pass phrases should not be synced between high availability (HA) devices as that are based on each devices unique engineID
829821-3 3-Major   Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured
829317-3 3-Major   Memory leak observed when running ICRD child
829193-2 3-Major   REST system unavailable due to disk corruption
828873-2 3-Major   Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor
828789-3 3-Major   Certificate Subject Alternative Name (SAN) limited to 1023 characters
827209-2 3-Major   HSB transmit lockup on i4600
827021-2 3-Major   MCP update message may be lost when primary blade changes in chassis
826437 3-Major   CSR subject fields with comma(,) are truncated during certificate renewal via the GUI.
826313-4 3-Major   Error: Media type is incompatible with other trunk members
824809-4 3-Major   bcm56xxd watchdog restart
821309-3 3-Major   After an initial boot, mcpd has a defunct child "systemctl" process
820213-2 3-Major   'Application Service List' empty after UCS restore
819457-3 3-Major   LTM high availability (HA) sync should not sync GTM zone configuration
818505-3 3-Major   Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
817089-1 3-Major   Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing
814585-3 3-Major   PPTP profile option not available when creating or modifying virtual servers in GUI
814353-3 3-Major   Pool member silently changed to user-disabled from monitor-disabled
814273-3 3-Major   Multicast route entries are not populating to tmm after failover
812981-4 3-Major   MCPD: memory leak on standby BIG-IP device
812929-2 3-Major   mcpd may core when resetting a DSC connection
812493-2 3-Major   When engineID is reconfigured, snmp and alert daemons must be restarted
811053-2 3-Major   REBOOT REQUIRED prompt appears after failover and clsh reboot
811041-5 3-Major   Out of shmem, increment amount in /etc/ha_table/ha_table.conf
810957-2 3-Major   Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core
810613-2 3-Major   GUI Login History hides informative message about max number of lines exceeded
810381-4 3-Major   The SNMP max message size check is being incorrectly applied.
810373-1 3-Major   Errors running 'config' command
809657-2 3-Major   HA Group score not computed correctly for an unmonitored pool when mcpd starts
809509-1 3-Major   Resource Admin User unable to download UCS using Rest API.
808485-2 3-Major   Add 'virtual-server' argument to 'tmsh help sys connection' for version 14.x
808277-4 3-Major   Root's crontab file may become empty
807945-2 3-Major   Loading UCS file for the first time not updating MCP DB
807337-3 3-Major   Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.
806985 3-Major   Installation issues when adding new blade v12.1.3 to VPR cluster v14.1.0.1 EHF
806881-2 3-Major   Loading the configuration may not set the virtual server enabled status correctly
806073-3 3-Major   MySQL monitor fails to connect to MySQL Server v8.0
804537-1 3-Major   Check SAs in context callbacks
804477-4 3-Major   Log HSB registers when parts of the device becomes unresponsive
803833-4 3-Major   On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host
803457-2 3-Major   SNMP custom stats cannot access iStats
803237-4 3-Major   PVA does not validate interface MTU when setting MSS
803157-1 3-Major   LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots
802889 3-Major   Problems establishing HA connections on DAGv2 chassis platforms
802281-1 3-Major   Gossip shows active even when devices are missing
800185-4 3-Major   Saving a large encrypted UCS archive may fail and might trigger failover
799001-3 3-Major   Sflow agent does not handle disconnect from SNMPD manager correctly
798885-2 3-Major   SNMP response times may be long due to processing burden of requests
797953 3-Major   Workaround for SSLo deployment failure from BigIQ to BIG-IP
796985 3-Major   Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'
795685-2 3-Major   Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer
793121-3 3-Major   Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
791365-2 3-Major   Bad encryption password error on UCS save
791061-2 3-Major   Config load in /Common removes routing protocols from other partitions
788645-4 3-Major   BGP does not function on static interfaces with vlan names longer than 16 characters.
786633-1 3-Major   Debug-level messages are being logged even when the system is not set up for debug logging
784733-3 3-Major   GUI LTM Stats page freezes for large number of pools
783293-1 3-Major   Special chars < > & displayed incorrectly in BIG-IP GUI logon banner window
783113-4 3-Major   BGP sessions remain down upon new primary slot election
782613-5 3-Major   Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp
781733-2 3-Major   SNMPv3 user name configuration allows illegal names to be entered
778041-1 3-Major   tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option)
777389-1 3-Major   In a corner case, for PostgreSQL monitor MCP process restarts
776489-2 3-Major   Remote authentication attempts to resolve only LDAP host against the first three name servers configured.
775733-1 3-Major   /etc/qkview_obfuscate.conf not synced across blades
773577-2 3-Major   SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted
773333-2 3-Major   IPsec CLI help missing encryption algorithm descriptions
773173-1 3-Major   LTM Policy GUI is not working properly
772497-5 3-Major   When BIG-IP is configured to use a proxy server, updatecheck fails
771137 3-Major   vCMP host reports much larger 'Virtual-disk' usage than du reports on the guest
770657-2 3-Major   On hardware platforms with ePVA, some good traffic is blocked when in L2 transparent mode and syn cookies are enabled
769029-1 3-Major   Non-admin users fail to create tmp dir under /var/system/tmp/tmsh
767737-2 3-Major   Timing issues during startup may make an HA peer stay in the inoperative state
767341-3 3-Major   If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.
767305-2 3-Major   If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried
767009 3-Major   Halting the host does not power off the host
765969-1 3-Major   Not able to get HSB register dump from hsb_snapshot on B4450 blade
764873-2 3-Major   An accelerated flow transmits packets to a dated, down pool member.
762097 3-Major   BIG-IP v14.1.0.2, No swap memory available after upgrading to v14.1.0.2
762073-2 3-Major   Continuous TMM restarts when HSB drops off the PCI bus
761753-2 3-Major   BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs
761321-2 3-Major   'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not
760950-4 3-Major   Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment
760468 3-Major   Route domains cause diskmonitor errors in logs
760259-3 3-Major   Qkview silently fails to capture qkviews from other blades
759735-2 3-Major   OSPF ASE route calculation for new external-LSA delayed
759258-2 3-Major   Instances shows incorrect pools if the same members are used in other pools
759172-1 3-Major   Read Access Denied: user (gu, guest) type (Certificate Order Manager)
758517-1 3-Major   Callback for Diffie Hellman crypto is missing defensive coding
758516-1 3-Major   IKEv2 auth encryption is missing defensive coding that checks object validity
758387-2 3-Major   BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it
757862-1 3-Major   IKEv2 debug logging an uninitialized variable leading to core
757572 3-Major   Virtual Edition doesn't support forging MAC addresses with Mellanox ConnectX-3 virtual functions
756820-2 3-Major   Non-UTF8 characters returned from /bin/createmanifest
756153-3 3-Major   Add diskmonitor support for MySQL /var/lib/mysql
756139-1 3-Major   Inconsistent logging of hostname files when hostname contains periods
756088-2 3-Major   The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address
755197-3 3-Major   UCS creation might fail during frequent config save transactions
754335-1 3-Major   Install ISO does not boot on BIG-IP VE
753860-3 3-Major   Virtual server config changes causing incorrect route injection.
753423-6 3-Major   Disabling and immediately re-enabling the slot resulting interfaces from the slot permanently removed from aggregation
753001-1 3-Major   mcpd can be killed if the configuration contains a very high number of nested references
752994-1 3-Major   Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod
751581-3 3-Major   REST API Timeout while queriying large number of persistence profiles
751448-1 3-Major   TMM, ZebOS, and Linux routing table may lose dynamic routes on a tmm restart
751409-1 3-Major   MCP Validation does not detect when virtual servers differ only by overlapping VLANs
751024-4 3-Major   i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd
751021-1 3-Major   One or more TMM instances may be left without dynamic routes.
749785-2 3-Major   nsm can become unresponsive when processing recursive routes
748545-1 3-Major   Remove 'sys-unconfig' and 'rhel-configure' binaries and related systemd service
748295-1 3-Major   TMM crashes on shutdown when using virtio NICs for dataplane
748044 3-Major   RAID status in tmsh is not updated when disk is removed or rebuild finishes
747676-3 3-Major   Remote logging needs 'localip' to set source IP properly
746758-3 3-Major   Qkview produces core file if interrupted while exiting
745261-2 3-Major   The TMM process may crash in some tunnel cases
744924-1 3-Major   Unit goes offline after UCS install or secondary blades go offline after new primary is elected
744730-1 3-Major   Specifying a larger system disk during VE launch requires manual reboot for the increase to go into effect
744520-1 3-Major   virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface
744252-2 3-Major   BGP route map community value: either component cannot be set to 65535
743132-6 3-Major   mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile
742753-4 3-Major   Accessing the BIG-IP system's WebUI via special proxy solutions may fail
742170-2 3-Major   REST PUT command fails for data-group internal
740589-1 3-Major   mcpd crash with core after 'tmsh edit /sys syslog-all-properties'
739820-1 3-Major   Validation does not reject IPv6 address for TACACS auth configuration
739118-1 3-Major   Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
738881-3 3-Major   Qkview does not collect any data under certain conditions that cause a timeout
738330-3 3-Major   /mgmt/toc endpoint issue after configuring remote authentication
737739-1 3-Major   Bash shell still accessible for admin even if disabled
737346-1 3-Major   After entering username and before password, the logging on user's failure count is incremented.
730852-3 3-Major   The tmrouted repeatedly crashes and produces core when new peer device is added
727191-1 3-Major   Invalid arguments to run sys failover do not return an error
721020-1 3-Major   Changes to the master key are reverted after full sync
720610-2 3-Major   Updatecheck logs bogus 'Update Server unavailable' on every run
719555-5 3-Major   Interface listed as 'disable' after SFP insertion and enable
718108-3 3-Major   It is not possible to core the icrd_child process if iControl REST requests were sent to the BIG-IP system using non-admin accounts
715379-3 3-Major   IKEv2 accepts asn1dn for peers-id only as file path of certificate file
705037-7 3-Major K32332000 System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
703090-5 3-Major   With many iApps configured, scriptd may fail to start
701341-4 3-Major K52941103 If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts
698933-6 3-Major   Setting metric-type via ospf redistribute command may not work correctly
690928-1 3-Major   System posts error message: 01010054:3: tmrouted connection closed
688399-2 3-Major   HSB failure results in continuous TMM restarts
688231-4 3-Major   Unable to set VET, AZOT, and AZOST timezones
683135-1 3-Major   Hardware syncookies number for virtual server stats is unrealistically high
680917-5 3-Major   Invalid monitor rule instance identifier
679901-5 3-Major   The iControl REST timeout value is not configurable.
671372-5 3-Major K01930721 When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.
661640-1 3-Major   Improve fast failover of PIM-based multicast traffic when BIG-IP is deployed as an Active/Standby high availability (HA) pair.
657834-5 3-Major K45005512 Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
641450-7 3-Major K30053855 A transaction that deletes and recreates a virtual may result in an invalid configuration
606032-5 3-Major   Network Failover-based high availability (HA) in AWS may fail
605675-4 3-Major   Sync requests can be generated faster than they can be handled
601220-3 3-Major   Multi-blade trunks seem to leak packets ingressed via one blade to a different blade
591305-3 3-Major   Audit log messages with "user unknown" appear on install
587821-8 3-Major   vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
569859-5 3-Major   Password policy enforcement for root user when mcpd is not available
499348-9 3-Major   System statistics may fail to update, or report negative deltas due to delayed stats merging
486997-3 3-Major   The vCMP guest lost watchdog heartbeat, and the host restarted it.
486712-5 3-Major   GUI PVA connection maximum statistic is always zero
431503-3 3-Major K14838 TMSH crashes in rare initial tunnel configurations
291256-2 3-Major   Changing 'Minimum Length' and 'Required Characters' might result in an error
857045-3 4-Minor   LDAP system authentication may stop working
851393-3 4-Minor   tmipsecd leaves a zombie rm process running after starting up
848681-5 4-Minor   Disabling the LCD on a VIPRION causes blade status lights to turn amber
846521-5 4-Minor   Config script does not refresh management address entry properly when alternating between dynamic and static
838925-5 4-Minor   Rewrite URI translation profile can cause connection reset while processing malformed CSS content
832665-2 4-Minor   The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5
832653 4-Minor   Azure scan table warnings can be ignored.
831293-3 4-Minor   SNMP get requests slow to respond.
828625-1 4-Minor   User shouldn't be able to configure two identical traffic selectors
826297-1 4-Minor   Address list as source/destination for virtual server cannot be changed from tmsh
826189-2 4-Minor   The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.
824205-1 4-Minor   GUI displays error when a virtual server is modified if it is using an address-list
822253-3 4-Minor   After starting up, mcpd may have defunct child "run" and "xargs" processes
819429-3 4-Minor   Unable to scp to device after upgrade: path not allowed
819421-3 4-Minor   Unable to scp/sftp to device after upgrade
818737-1 4-Minor   Improve error message if user did not select a address-list or port list in the GUI
818417-2 4-Minor   Flowspecd starts with message: Shm segment not found in /etc/ha_table/ha_table.conf.
818297 4-Minor   OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure
816353-1 4-Minor   Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1
807309 4-Minor   Incorrect Active/Standby status in CLI Prompt after failover test
805325-2 4-Minor   tmsh help text contains a reference to bigpipe, which is no longer supported
800189-1 4-Minor   Changing log level may not increase logging to the verbosity expected
795429-3 4-Minor   Unrelated iControl REST transaction error message is returned when committing a transaction without any tasks.
793077 4-Minor   Failed SSH logins no longer log entries into the audit log file
779857-1 4-Minor   Misleading GUI error when installing a new version in another partition
774617-1 4-Minor   SNMP daemon reports integer truncation error for values greater than 32 bits
761084-3 4-Minor   Custom monitor fields appear editable for Auditor, Operator, or Guest
760570 4-Minor   The BIG-IP installer fails to automatically detect installation media.
759852-1 4-Minor   SNMP configuration for trap destinations can cause a warning in the log
759606-2 4-Minor   REST error message is logged every five minutes on vCMP Guest
758348-1 4-Minor   Cannot access GUI via hostname when it contains _ (underscore character)
758105-3 4-Minor   Drive model WDC WD1005FBYZ-01YCBB2 must be added to pendsect drives.xml
757167-1 4-Minor   TMM logs 'MSIX is not supported' error on vCMP guests
756401-2 4-Minor   IKEv2 debug logging often omits SPI values that would identify the SAs involved
755018-2 4-Minor   Traffic processing may be stopped on VE trunk after tmm restart
746152-1 4-Minor   Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column
743815-2 4-Minor   vCMP guest observes connflow reset when a CMP state change occurs.
724994-4 4-Minor   API requests with 'expandSubcollections=true' are very slow
723833-2 4-Minor   IPsec related routing changes can misfire, like changing tunnel mode to interface mode
722647-4 4-Minor   The configuration of some of the Nokia alerts is incorrect
722230-3 4-Minor   Cannot delete FQDN template node if another FQDN node resolves to same IP address
712241-2 4-Minor   A vCMP guest may not provide guest health stats to the vCMP host
706685-3 4-Minor   The web UI becomes unresponsive after certain commands
673573-3 4-Minor   tmsh logs boost assertion when running child process and reaches idle-timeout
591732-5 4-Minor   Local password policy not enforced when auth source is set to a remote type.
484683-2 4-Minor   Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer.
769145-2 5-Cosmetic   Syncookie threshold warning is logged when the threshold is disabled
761621-2 5-Cosmetic   Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members"
679431-4 5-Cosmetic   In routing module the 'sh ipv6 interface <interface> brief' command may not show header


Local Traffic Manager Issues

ID Number Severity Solution Article(s) Description
860881-1 2-Critical   TMM can crash when handling a compressed response from HTTP server
858429 2-Critical   BIG-IP system sending ICMP packets on both virtual wire interface
853329-4 2-Critical   HTTP explicit proxy can crash TMM when used with classification profile
851581-1 2-Critical   Server-side detach may crash TMM
846217-1 2-Critical   Translucent vlan-groups set local bit in destination MAC address
843809-2 2-Critical   Bigd cored due to high iowait
842937-4 2-Critical   TMM crash due to failed assertion 'valid node'
841469-4 2-Critical   Application traffic may fail after an internal interface failure on a VIPRION system.
839401-3 2-Critical   Moving a virtual-address from one floating traffic-group to another does not send GARPs out.
837617-3 2-Critical   Tmm may crash while processing a compression context
835505-2 2-Critical   Tmsh crash possibly related to NGFIPS SDK
827133 2-Critical   TMM crash due to failed assertion "sp->slab_cache == ((umem_cache_t *)(((char *)(&(ccp)[-((ccp)->cc_td)])) - __builtin_offsetof(umem_cache_t, cache_cpu)))"
824437-2 2-Critical   Chaining a standard virtual server and an ipother virtual server together can crash TMM.
817417-1 2-Critical   Blade software installation stalled at Waiting for product image
813561-3 2-Critical   MCPD crashes when assigning an iRule that uses a proc
811161-1 2-Critical   Tmm crash SIGSEGV - virtual_address_update() in ../mcp/db_vip.c:1992
799649-2 2-Critical   TMM crash
798893-3 2-Critical   Changes to a webacceleration profile are not instantly applied to virtual servers using the profile
788813-1 2-Critical   TMM crash when deleting virtual-wire config
766509-1 2-Critical   Strict internal checking might cause tmm crash
757391-2 2-Critical   Datagroup iRule command class can lead to memory corruption
751589-1 2-Critical   In BIG-IP VE, some IP rules may not be created during the first boot up.
745589-6 2-Critical   In very rare situations, some filters may cause data-corruption.
726900-1 2-Critical   Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters
726518-3 2-Critical   Tmsh show command terminated with CTRL-C can cause TMM to crash.
712534 2-Critical   DNSSEC keys are not generated when configured to use an external FIPS device
663925-3 2-Critical   Virtual server state not updated with pool- or node-based connection limiting
632553-4 2-Critical K14947100 DHCP: OFFER packets from server are intermittently dropped
625807-1 2-Critical   tmm cored in bigproto_cookie_buffer_to_server
474797-4 2-Critical   Nitrox crypto hardware may attempt soft reset while currently resetting
862069-3 3-Major   Using non-standard HTTPS and SSH ports will fail under certain conditions
860277-2 3-Major   Default value of TCP Profile Proxy Buffer High Low changed in 14.1
860005-3 3-Major   Ephemeral nodes/pool members may be created for wrong FQDN name
853613-2 3-Major   Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp
852873 3-Major   Proprietary Multicast PVST+ packets are forwarded instead of dropped
852325-3 3-Major   HTTP2 does not support Global SNAT
851477-3 3-Major   Memory allocation failures during proxy initialization are ignored leading to TMM cores
851101-2 3-Major   Unable to establish active FTP connection with custom FTP filter
851045-3 3-Major   LTM database monitor may hang when monitored DB server goes down
850873-1 3-Major   LTM global SNAT sets TTL to 255 on egress.
850145-3 3-Major   Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed
848777-1 3-Major   Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.
847325-1 3-Major   Changing a virtual server that uses a oneconnect profile can trigger persistence misbehavior.
846977-3 3-Major   TCP:collect validation changed in 12.0.0: the first argument can no longer be zero
846873-3 3-Major   Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure
846441-1 3-Major   Flow-control is reset to default for secondary blade's interface
845333-3 3-Major   An iRule with a proc referencing a datagroup cannot be assigned to Transport Config
844421 3-Major   Cipher ordering in cipher rules can be wrong
844085-3 3-Major   GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address
843317-1 3-Major   The iRules LX workspace imported with incorrect SELinux contexts
842425-3 3-Major   Mirrored connections on standby are never removed in certain configurations
841369-1 3-Major   HTTP monitor GUI displays incorrect green status information
841341-4 3-Major   IP forwarding virtual server does not pick up any traffic if destination address is shared.
840785-3 3-Major   Update documented examples for REST::send to use valid REST endpoints
838353-3 3-Major   MQTT monitor is not working in route domain.
832133-3 3-Major   In-TMM monitors fail to match certain binary data in the response from the server.
828601-3 3-Major   IPv6 Management route is preferred over IPv6 tmm route
827441-1 3-Major   Changing a UDP virtual server with an immediate timeout to a TCP virtual server can cause connections to fail
825245-2 3-Major   SSL::enable does not work for server side ssl
824433-1 3-Major   Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile
823921-2 3-Major   FTP profile causes memory leak
823825-5 3-Major   Renaming high availability (HA) VLAN can disrupt state-mirror connection
820333-3 3-Major   LACP working member state may be inconsistent when blade is forced offline
818853-3 3-Major   Duplicate MAC entries in FDB
818833-3 3-Major   TCP re-transmission during SYN Cookie activation results in high latency
818789-5 3-Major   Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile
818097-4 3-Major   Plane CPU stats too high after primary blade failover in multi-blade chassis
816881-1 3-Major   Serverside conection may use wrong VLAN when virtual wire is configured
816205-3 3-Major   IPsec passthrough scenario may not forward ICMP unreachable messages from the server-side
815405-4 3-Major   GUI update of Child FastL4 profile overwrites CLI-only customized settings (options that are not available in GUI)
815089-3 3-Major   On a system with no VLANs, you can create virtual servers or SNATs that have identical address/port combinations
814761-2 3-Major   PostgreSQL monitor fails on second ping with count != 1
813701-3 3-Major   Proxy ARP failure
812497-1 3-Major   VE rate limit should not count packet that does not have a matched vlan or matched MAC address
810821-1 3-Major   Management interface flaps after rebooting the device
810533-4 3-Major   SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile
810445-2 3-Major   PEM: ftp-data not classified or reported
809729-2 3-Major   When HTTP/2 stream is reset by a client, BIG-IP may not respond properly
809597-3 3-Major   Memory leak observed when running ICRD child
808017-2 3-Major   When using a variable as the only parameter to the iRule persist command, the iRule validation fails
805017-2 3-Major   DB monitor marks pool member down if no send/recv strings are configured
803629-2 3-Major   SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
803233-3 3-Major   Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
803109-2 3-Major   Source-port preserve-strict configured along with OneConnect may result in zombie forwarding flows
802245-1 3-Major   When HTTP/2 is negotiated, if the provided cipher suite list cannot be matched, then the last one will be selected.
800101-1 3-Major   BIG-IP chassis system may send out duplicated UDP packets to the server side
796993-1 3-Major   Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
795933-2 3-Major   A pool member's cur_sessions stat may incorrectly not decrease for certain configurations
795501-3 3-Major   Possible SSL crash during config sync
795285 3-Major   Key creation on non-existing NetHSM partition stays in create-fail loop for CloudHSM
795261-2 3-Major   LTM policy does not properly evaluate condition when an operand is missing
794505-3 3-Major   OSPFv3 IPv4 address family route-map filtering does not work
794417-1 3-Major   Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not
793669-1 3-Major   FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value
790845-2 3-Major   An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default
789365-1 3-Major   pkcs11d CPU usage increases after running nethsm self validation test
788753-4 3-Major   GATEWAY_ICMP monitor marks node down with wrong error code
788741-2 3-Major   TMM cores in the MQTT proxy under rare conditions
787853-2 3-Major   BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps.
786517-3 3-Major   Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
785877-2 3-Major   VLAN groups do not bridge non-link-local multicast traffic.
785481-2 3-Major   A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached
785361-1 3-Major   In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped
784565-2 3-Major   VLAN groups are incompatible with fast-forwarded flows
783617-1 3-Major   Virtual Server resets connections when all pool members are marked disabled
783145-4 3-Major   Pool gets disabled when one of its pool member with monitor session is disabled
781753-3 3-Major   WebSocket traffic is transmitted with unknown opcodes
781041-1 3-Major   SIP monitor in non default route domain is not working.
779633-1 3-Major   BIG-IP system reuses serverside TIME_WAIT connections irrespective of TMMs used
779137-2 3-Major   Using a source address list for a virtual server does not preserve the destination address prefix
778517-1 3-Major   Large number of in-TMM monitors results in delayed processing
777269-1 3-Major   Gratuitous ARP may be sent for self IPs from incorrect MAC address at startup
776229-2 3-Major   iRule 'pool' command no longer accepts pool members with ports that have a value of zero
773229-2 3-Major   Replacing a virtual server's FastL4 profile can cause traffic to fail in specific circumstances
770477-2 3-Major   SSL aborted when client_hello includes both renegotiation info extension and SCSV
767217-2 3-Major   Under certain conditions when deleting an iRule, an incorrect dependency error is seen
766601 3-Major   SSL statistics are updated even in forward proxy bypass
766593-1 3-Major   RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20
764969 3-Major   ILX no longer supports symlinks in workspaces as of v14.1.0
763093-3 3-Major   LRO packets are not taken into account for ifc_stats (VLAN stats)
761030-2 3-Major   tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route
760406-3 3-Major   HA connection might stall on Active device when the SSL session cache becomes out-of-sync
760050-2 3-Major   cwnd warning message in log
759056-2 3-Major   stpd memory leak on secondary blades in a multi-blade system
758631-4 3-Major   ec_point_formats extension might be included in the server hello even if not specified in the client hello
758599-1 3-Major   IPv6 Management route is preferred over IPv6 tmm route
758437-6 3-Major   SYN w/ data disrupts stat collection in Fast L4
758436-4 3-Major   Optimistic ACKs degrade Fast L4 statistics
757827-1 3-Major   Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution
757505-3 3-Major   peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket
757446-2 3-Major   Invoking the HTTP::respond iRule command when the HTTP2 profile is present can cause stalled or malformed responses.
757431-1 3-Major   mcpd process killed after upgrade from 12.1.3
757029-2 3-Major   Ephemeral pool members may not be created after config load or reboot
756313-2 3-Major   SSL monitor continues to mark pool member down after restoring services
755997-2 3-Major   Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address
755791-2 3-Major   UDP monitor not behaving properly on different ICMP reject codes.
755727-2 3-Major   Ephemeral pool members not created after DNS flap and address record changes
755631-1 3-Major   UDP / DNS monitor marking node down
754604-2 3-Major   iRule : [string first] returns incorrect results when string2 contains null
753805-3 3-Major   BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.
753594-2 3-Major   In-TMM monitors may have duplicate instances or stop monitoring
753526-1 3-Major   IP::addr iRule command does not allow single digit mask
753159-1 3-Major   Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections
752766-1 3-Major   The BIG-IP system might fail to read SFPs after a reboot
752530-1 3-Major   TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.
752334-1 3-Major   Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation
751052-1 3-Major   HTTP iRule event HTTP_REJECT broken
751036-1 3-Major   Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
750473-4 3-Major   VA status change while 'disabled' are not taken into account after being 'enabled' again
750204-3 3-Major   Add support for P-521 curve in the X.509 chain to SSL LTM
749519-1 3-Major   Error messages seen while running "run sys crypto nethsm-test" tool
748529-1 3-Major   BIG-IP Virtual Edition with cloudhsm integration needs to restart tmm after a fresh install
748052-1 3-Major   pkcs11 test utility is failing when running nethsm-test on BIG-IP systems configured for AWS CloudHSM
746922-6 3-Major   When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
746078-1 3-Major   Upgrades break existing iRulesLX workspaces that use node version 6
745923-2 3-Major   Connection flow collision can cause packets to be sent from source port 0
745545-1 3-Major   CMP forwarded LRO host packets do not restore LRO flag
745291-2 3-Major   The BIG-IP HTTP2 filter makes inappropriate assumptions about requests and responses without content lengths
745285 3-Major   Virtual server configured with destination address list may not respond to ARP and ICMP echo
743257-3 3-Major   Fix block size insecurity init and assign
742838-1 3-Major   A draft policy of an existing published policy cannot be modified if it is in /Common and an used by a virtual server in a different partition
740977-1 3-Major   Tracert and traceroute from client does not display route path
738450-1 3-Major   Parsing pool members as variables with IP tuple syntax
723306-1 3-Major   Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
722707-2 3-Major   mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
720440-4 3-Major   Radius monitor marks pool members down after 6 seconds
719304-1 3-Major   Inconsistent node ICMP monitor operation for IPv6 nodes
718790-1 3-Major   Traffic does not forward to fallback host when all pool members are marked down
718288-2 3-Major   MCPD might crash on secondary blades when DNSSEC client-facing SOA zone serial not updated
714502-2 3-Major   bigd restarts after loading a UCS for the first time
714372-3 3-Major   Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari
710930-3 3-Major   Enabling BigDB key bigd.tmm may cause SSL monitors to fail
709381-2 3-Major   iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out.
705112-4 3-Major   DHCP server flows are not re-established after expiration
689089-7 3-Major   VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
687887-3 3-Major   Unexpected result from multiple changes to a monitor-related object in a single transaction
686059-4 3-Major   FDB entries for existing VLANs may be flushed when creating a new VLAN.
646440-1 3-Major   TMSH allows mirror for persistence even when no mirroring configuration exists
636842-2 3-Major K51472519 A FastL4 virtual server may drop a FIN packet when mirroring is enabled
617929-2 3-Major   Support non-default route domains
608952-3 3-Major   MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2
601189-4 3-Major   The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
599567-4 3-Major   APM assumes SNAT automap, does not use SNAT pool
512490-12 3-Major   Increased latency during connection setup when using FastL4 profile and connection mirroring.
505037-5 3-Major K01993279 Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop
859113-3 4-Minor   Using "reject" iRules command inside "after" may causes core
858309-1 4-Minor   Setting a self IP with an IPv6 Address with an embedded IPv4 address causes tmm to continually restart
852373-2 4-Minor   HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error
844337-2 4-Minor   Tcl error log improvement for node command
839245-1 4-Minor   IPother profile with SNAT sets egress TTL to 255
838405-1 4-Minor   Listener traffic-group may not be updated properly when spanning is in use.
838305-4 4-Minor   BIG-IP may create multiple connections for packets that should belong to a single flow.
834217-5 4-Minor   Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.
832233-3 4-Minor   The iRule regexp command issues an incorrect warning
830833-2 4-Minor   HTTP PSM blocking resets should have better log messages
822025-2 4-Minor   HTTP response not forwarded to client during an early response
818721-1 4-Minor   Virtual address can be deleted while it is in use by an address-list.
814037-4 4-Minor   No virtual server name in Hardware Syncookie activation logs.
808409-3 4-Minor   Unable to specify if giaddr will be modified in DHCP relay chain
802721-2 4-Minor   Virtual Server iRule does not match an External Data Group key that's 128 characters long
801705-4 4-Minor   When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC
791337-1 4-Minor   Traffic matching criteria fails when using shared port-list with virtual servers
787905-4 4-Minor   Improve initializing TCP analytics for FastL4
783969 4-Minor   An invalid SSL close_notify might be sent in some cases.
783073 4-Minor   Cookie Persistence profile is not showing up in the GUI
781113-1 4-Minor   Support to enable/disable reusing serverside TIME_WAIT connections
774261-1 4-Minor   PVA client-side current connections stat does not decrease properly
773253-3 4-Minor   The BIG-IP may send VLAN failsafe probes from a disabled blade
772297-2 4-Minor   LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade
760683-1 4-Minor   RST from non-floating self-ip may use floating self-ip source mac-address
758704 4-Minor   Excessive 'GuestInfoAddNicEntry: NIC limit (16) reached' logging
757777-3 4-Minor   bigtcp does not issue a RST in all circumstances
746077-4 4-Minor   If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified
738045-5 4-Minor   HTTP filter complains about invalid action in the LTM log file.
738032-1 4-Minor   BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed.
722534-1 4-Minor   load sys config merge not supported for iRulesLX
675911-6 4-Minor K13272442 Different sections of the WebUI can report incorrect CPU utilization
544958-1 4-Minor   Monitors packets are sent even when pool member is 'Forced Offline'.
666378-1 5-Cosmetic   A virtual server's connections per second (precision.last_value) is confusingly named.


Performance Issues

ID Number Severity Solution Article(s) Description
850193-2 3-Major   Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues
746620-3 3-Major   "source-port preserve" does not work on BIG-IP Virtual Edition
747960-2 4-Minor   BIG-IP VE with 1nic does not handle fragmented traffic to webui or ssh properly


Global Traffic Manager (DNS) Issues

ID Number Severity Solution Article(s) Description
807177-2 2-Critical   HTTPS monitoring is not caching SSL sessions correctly
788465-2 2-Critical   DNS cache idx synced across HA group could cause tmm crash
783125-2 2-Critical   iRule drop command on DNS traffic without Datagram-LB may cause TMM crash
744743-1 2-Critical   Rolling DNSSEC Keys may stop generating after BIG-IP restart
722741-1 2-Critical   Damaged tmm dns db file causes zxfrd/tmm core
704198-4 2-Critical K29403988 Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance
264701-3 2-Critical K10066 GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608)
858973-3 3-Major   DNS request matches less specific WideIP when adding new wildcard wideips
852101-3 3-Major   Monitor fails.
851341-2 3-Major   DNS cache responds with records exceeding cache-maximum-ttl for multiple TMMs
844689-3 3-Major   Possible temporary CPU usage increase with unusually large named.conf file
835209-1 3-Major   External monitors mark objects down
821589-2 3-Major   DNSSEC does not insert NSEC3 records for NXDOMAIN responses
813221-1 3-Major   Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync
803645-3 3-Major   GTMD daemon crashes
802961-2 3-Major   The 'any-available' prober selection is not as random as in earlier versions
800265-2 3-Major   Undefined subroutine in bigip_add_appliance_helper message
789421-2 3-Major   Resource-administrator cannot create GTM server object through GUI
781985-1 3-Major   DNSSEC zone SEPS records may be wiped out from running configuration
781829-1 3-Major   GTM TCP monitor does not check the RECV string if server response string not ending with \n
779793-2 3-Major   [LC] Error Message "Cannot modify the destination address of monitor" for destination * bigip_link monitor
779769-2 3-Major   [LC] [GUI] destination cannot be modified for bigip-link monitors
778365-2 3-Major   dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service
777245-1 3-Major   DNSSEC client-facing SOA zone serial does not update when DNSSEC related RR changes
774481-2 3-Major   DNS Virtual Server creation problem with Dependency List
774225-3 3-Major   mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting
772233-3 3-Major   IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.
769385-1 3-Major   GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message
760835-1 3-Major   Static generation of rolling DNSSEC keys may be missing when the key generator is changed
760833-1 3-Major   BIG-IP GTM might not always sync a generation of a DNSSEC key from its partner
760615-2 3-Major   Virtual Server discovery may not work after a GTM device is removed from the sync group
756177-2 3-Major   GTM marks pool members down across datacenters
754901-1 3-Major   Frequent zone update notifications may cause TMM to restart
751540-3 3-Major   GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server
750213-4 3-Major K25351434 DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
746719-1 3-Major   SERVFAIL when attempting to view or edit NS resource records in zonerunner
746348-2 3-Major   On rare occasions, gtmd fails to process probe responses originating from the same system.
746137-1 3-Major   DNSSEC: Creating a new DNSSEC Zone can result in gtmd attempting to sync every 10 seconds
745035-2 3-Major   gtmd crash
744787-4 3-Major   Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias
739553-1 3-Major   Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
726164-1 3-Major   Rolling DNSSEC Keys can stop regenerating after a length of time on the standby system
679316-7 3-Major   iQuery connections reset during SSL renegotiation
665117-7 3-Major K33318158 DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping
222220-4 3-Major   Distributed application statistics
839361-4 4-Minor   iRule 'drop' command does not drop packets when used in DNS_RESPONSE
790113-2 4-Minor   Cannot remove all wide IPs from GTM distributed application via iControl REST
775801-2 4-Minor   [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener
760117-1 4-Minor   Duplicate error messages in log when updating a zone through ZoneRunner GUI
755282-1 4-Minor   [GTM] bigip_add password prompt for IPv4-mapped IPv6 address
752216-6 4-Minor K33587043 DNS queries without the RD bit set may generate responses with the RD bit set
744280-2 4-Minor   Enabling or disabling a Distributed Application results in a small memory leak
712335-3 4-Minor   GTMD may intermittently crash under unusual conditions.
774257-2 5-Cosmetic   tmsh show gtm pool and tmsh show gtm wideip print duplicate object types


Application Security Manager Issues

ID Number Severity Solution Article(s) Description
852437-1 2-Critical   Overly aggressive file cleanup causes failed ASU installation
843801-1 2-Critical   Like-named previous Signature Update installations block Live Update usage after upgrade
825413-2 2-Critical   /var/lib/mysql disk is full
854177-3 3-Major   ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
853989-3 3-Major   DOSL7 Logs breaks CEF connector by populating strings into numeric fields
850677-2 3-Major   Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy
850673-3 3-Major   BD sends bad acks to the bd_agent for configuration
849349-3 3-Major   Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db
846181-1 3-Major   Request samples for some of the learning suggestions are not visible
846057-2 3-Major   UCS backup archive may include unnecessary files
833685-3 3-Major   Idle async handlers can remain loaded for a long time doing nothing
829029-3 3-Major   Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error
809125-2 3-Major   CSRF false positive
799749-1 3-Major   Asm logrotate fails to rotate
793149-3 3-Major   Adding the Strict-transport-Policy header to internal responses
792341-2 3-Major   Google Analytics shows incorrect stats.
785529-1 3-Major   ASM unable to handle ICAP responses which length is greater then 10K
772165-1 3-Major   Sync Failed due to Bot Defense profile not found
761565-1 3-Major   ASM BD core when custom captcha page configured size more than 45K with %ASM.captcha.support_id% placeholder is at the end
759840-1 3-Major   False positive 'Null in request' violation or bare byte subviolations
748851-3 3-Major   Bot Detection injection include tags which may cause faulty display of application
742549-2 3-Major   Cannot create non-ASCII entities in non-UTF ASM policy using REST
739618-2 3-Major   When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy
726401-1 3-Major   ASM cannot complete initial startup with modified management interface on VE
640842-3 3-Major   ASM end user using mobile might be blocked when CSRF is enabled
841985-3 4-Minor   TSUI GUI stuck for the same session during long actions
824093-3 4-Minor   Parameters payload parser issue
758615-1 4-Minor   Reconstructed POST request is dropped after DID cookies are deleted
756998-1 4-Minor   DoSL7 Record Traffic feature is not recording traffic
752797-1 4-Minor   BD is not correctly closing a shared memory segment


Application Visibility and Reporting Issues

ID Number Severity Solution Article(s) Description
835381-1 3-Major   HTTP custom analytics profile 'not found' when default profile is modified
830073-3 3-Major   AVRD may core when restarting due to data collection device connection timeout
746837-2 3-Major   AVR JS injection can cause error on page if the JS was not injected


Access Policy Manager Issues

ID Number Severity Solution Article(s) Description
838861-2 2-Critical   TMM might crash once after upgrading SSL Orchestrator
789085-2 2-Critical   When executing the ACCESS::session iRule command under a serverside event, tmm may crash
783233-2 2-Critical   OAuth puts quotation marks around claim values that are not string type
760130-3 2-Critical   [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK
748572-2 2-Critical   Occasionally ramcache might crash when data is sent without the corresponding event.
725505-1 2-Critical   SNAT settings in network resource are not applied after FastL4 profile is updated
660913-3 2-Critical   For ActiveSync client type, browscap info provided is incorrect.
579219-3 2-Critical   Access keys missing from SessionDB after multi-blade reboot.
853325 3-Major   TMM Crash while parsing form parameters by SSO.
852313-2 3-Major   VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured
850277-3 3-Major   Memory leak when using OAuth
844781-1 3-Major   [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection
844573-3 3-Major   Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret.
844281-1 3-Major   [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.
831517-1 3-Major   TMM may crash when Network Access tunnel is used
828761 3-Major   APM OAuth - Auth Server attached iRule works inconsistently
824121-1 3-Major   Using the Websocket profile prevents mouse wheel scroll function
815753-2 3-Major   TMM leaks memory when explicit SWG is configured with Kerberos authentication
803825-3 3-Major   WebSSO does not support large NTLM target info length
802381-2 3-Major   Localdb authentication fails
799149-2 3-Major   Authentication fails with empty password
798261-2 3-Major   APMD fails to create session variables if spanning is enabled on SWG transparent virtual server
774301-4 3-Major   Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList
771905-2 3-Major   JWT token rejected due to unknown JOSE header parameters
768025-4 3-Major   SAML requests/responses fail with "failed to find certificate"
761303-2 3-Major   Upgrade of standby BIG-IP system results in empty Local Database
759392-2 3-Major   HTTP_REQUEST iRule event triggered for internal APM request
758542-3 3-Major   OAuth database instance appears empty after upgrade from v13.x
757848-1 3-Major   F5 Adaptive Authentication feature has been removed
757822-1 3-Major   Subroutine name should use partition name and policy name
757781-3 3-Major   Portal Access: cookie exchange may be broken sometimes
755507-4 3-Major   [App Tunnel] 'URI sanitization' error
750631-2 3-Major   There may be a latency between session termination and deletion of its associated IP address mapping
749477-1 3-Major   Provisioning URLDB and SWG simultaneously produces a confusing error message if neither module was originally provisioned
749036-2 3-Major   Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM
748451-3 3-Major   Manager users cannot perform changes in per-request policy properties
748070 3-Major   API Protection feature inadvertently allows editing of associated access policy
747725-3 3-Major   Kerberos Auth agent may override settings that manually made to krb5.conf
744407-3 3-Major   While the client has been closed, iRule function should not try to check on a closed session
744316-4 3-Major   Config sync of APM policy fails with Cannot update_indexes validation error.
738547-3 3-Major   SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII
712857-3 3-Major   SWG-Explicit rejects large POST bodies during policy evaluation
711056-1 3-Major   License check VPE expression fails when access profile name contains dots
706782-3 3-Major   Inefficient APM processing in large configurations.
685593-3 3-Major   Access session iRules can fail with error 'Illegal argument'
673357-1 3-Major   SWG puts flow in intercept mode when session is not found
653210-2 3-Major   Rare resets during the login process
600985-1 3-Major   Network access tunnel data stalls
578989-9 3-Major   Maximum request body size is limited to 25 MB
534187-5 3-Major   Passphrase protected signing keys are not supported by SAML IDP/SP
470346-2 3-Major   Some IPv6 client connections get RST when connecting to APM virtual
833049-2 4-Minor   Category lookup tool in GUI may not match actual traffic categorization
819233-5 4-Minor   Ldbutil utility ignores '--instance' option if '--list' option is specified
810825 4-Minor   Export, then import of pool outside of a default route domain may fail
778333-3 4-Minor   GUI/CLI max-in-progress discrepancy occurs after upgrade from v11.x to v13.x or later
719589-2 4-Minor   GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic
602396-1 4-Minor   EPSEC Upload Package Button Is Greyed Out
826049-1 5-Cosmetic   French language spelling error in BIG-IP Edge Client message window
498926 5-Cosmetic   Client can fail to start a new session in multi-domain SSO.


WebAccelerator Issues

ID Number Severity Solution Article(s) Description
761027 3-Major   Web Browser Hang on Reading Compressed Data from BIG-IP
751383-1 4-Minor   Invalidation trigger parameter values are limited to 256 bytes
748031-1 4-Minor   Invalidation trigger parameter containing reserved XML characters does not create invalidation rule


Enterprise Manager Issues

ID Number Severity Solution Article(s) Description
807913 4-Minor   The word 'ceritifcate' is misspelled in an error message


Service Provider Issues

ID Number Severity Solution Article(s) Description
814097-2 2-Critical   Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.
811105-1 2-Critical   MRF SIP-ALG drops SIP 183 and 200 OK messages
781725-2 2-Critical   BIG-IP systems might not complete a short ICAP request with a body beyond the preview
853545-3 3-Major   MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event
842625-3 3-Major   SIP message routing remembers a 'no connection' failure state forever
825013-3 3-Major   GENERICMESSAGE::message's src and dst may get cleared in certain scenarios
824149-3 3-Major   SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured
815877-1 3-Major   Information Elements with zero-length value are rejected by the GTP parser
815529-2 3-Major   MRF outbound messages are dropped in per-peer mode
811033-2 3-Major   MRF: BiDirectional pesistence does not work in reverse direction if different transport protocols are used
790949-2 3-Major   MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior.
788093 3-Major   MRF iRule command MR::restore with no argument causes tmm to crash
782353-6 3-Major   SIP MRF via header shows TCP Transport when TLS is enabled
767977 3-Major   Source port unexpectedly changes on message connections
759370-2 3-Major   FIX protocol messages parsed incorrectly when fragmented between the body and the trailer.
755311-1 3-Major   No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down
754617-2 3-Major   iRule 'DIAMETER::avp read' command does not work with 'source' option
753501-1 3-Major   iRule commands (such as relate_server) do not work with MRP SIP
749528-1 3-Major   IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap
749041-2 3-Major   MRSIP log of subscriber deletion outputs '(null)" for subscriber URI
748355-2 3-Major   MRF SIP curr_pending_calls statistic can show negative values.
746731-1 3-Major   BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
859721-3 4-Minor   Using GENERICMESSAGE create together with reject inside periodic after may cause core
836357-3 4-Minor   SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
788513-2 4-Minor   Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
786981-3 4-Minor   Pending GTP iRule operation maybe aborted when connection is expired
793005-3 5-Cosmetic   'Current Sessions' statistic of MRF/Diameter pool may be incorrect


Advanced Firewall Manager Issues

ID Number Severity Solution Article(s) Description
802421 2-Critical   The /var partition may become 100% full requiring manual intervention to clear space
763121-3 2-Critical   Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.
751292-1 2-Critical   mcpd core after changing parent netflow to use version9
747225-1 2-Critical   PCCD may get into crash-loop after BIG-IP upgrade or after BIG-IP restart
851745-1 3-Major   High cpu consumption due when enabling large number of virtual servers
844597-2 3-Major   AVR analytics is reporting null domain name for a dns query
837233-1 3-Major   "Application Security Administrator" user role cannot manage Dos Profile GUI
813969-3 3-Major   Network DoS reporting events as 'not dropped' while in fact, events are dropped
812481-2 3-Major   HSL logging may work unreliably for Management-IP firewall rules
811157-2 3-Major   Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself
808893-2 3-Major   DNS DoS profile vectors do not function correctly
808889-2 3-Major   DoS vector or signature stays hardware-accelerated even when traffic rate is lower than mitigation threshold
793217-2 3-Major   HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation
791361-1 3-Major   Configured management port rules can be lost after loading UCS file and rebooting
787969-1 3-Major   Validation error regarding disabling DoS Software Mode is unclear
781425 3-Major   Firewall rule list configuration causes config load failure
771173-3 3-Major   FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.
757555-2 3-Major   Network DoS Logging Profile does not work with other logging profiles together
757279-1 3-Major   LDAP authenticated Firewall Manager role cannot edit firewall policies
755721-1 3-Major   A UDP DNS packet may incorrectly match a BDoS signature if such a packet was queued up due to ingress shaper
751116-1 3-Major   DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring
749761-3 3-Major   AFM Policy with Send to Virtual and TMM crash in a specific scenario
738284-2 3-Major   Creating or deleting rule list results in warning message: Schema object encode failed
703165-4 3-Major   shared memory leakage
663946-6 3-Major   VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
811045 4-Minor   Tmsh load sys config from-terminal merge: error for config embedded sub profile can have only a single object of any part enabled
756457-2 4-Minor   tmsh command 'show security' returning a parsing error


Policy Enforcement Manager Issues

ID Number Severity Solution Article(s) Description
845313 2-Critical   Tmm crash under heavy load
760518-4 2-Critical   PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement
750491-4 2-Critical   PEM Once-Every content insertion action may insert more than once during an interval
814941-1 3-Major   PEM drops new subscriber creation if historical aggregate creation count reaches the max limit
802977-2 3-Major   PEM iRule crashes when more than 10 policies are tried to be set for a subscriber
783289-1 3-Major   PEM actions not applied in VE bigTCP.
781485-4 3-Major   PEM with traffic group can lead to local cache leaks on STANDBY if there is an ACTIVE-ACTIVE transition
764901-2 3-Major   PEM policy filters rules memory gets leaked if policy is deleted before deleting the rules
753014-4 3-Major   PEM iRule action with RULE_INIT event fails to attach to PEM policy
752163-1 3-Major   PEM::session info cannot set subscriber type and ID
747065-2 3-Major   PEM iRule burst of session ADDs leads to missing sessions
741213-2 3-Major   Modifying disabled PEM policy causes coredump
726011-4 3-Major   PEM transaction-enabled policy action lookup optimization to be controlled by a sys db
670994-5 3-Major   There is no validation for IP address on the ip-address-list for static subscriber


Carrier-Grade NAT Issues

ID Number Severity Solution Article(s) Description
837269 3-Major   Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic
812705-1 3-Major   'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic
806825 3-Major   Align the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool
761517-1 4-Minor   nat64 and ltm pool conflict


Fraud Protection Services Issues

ID Number Severity Solution Article(s) Description
857725 3-Major   Anti-Fraud/DataSafe Logging Settings page not found
660759-1 3-Major   Cookie hash persistence sends alerts to application server.


Traffic Classification Engine Issues

ID Number Severity Solution Article(s) Description
761199-1 2-Critical   Wr_urldbd might crash while system is in a restarting loop.
816529-2 3-Major   If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart.
787965-1 3-Major   URLCAT by URI does not work if it contains port number
754257-2 3-Major   URL lookup queries not working


Device Management Issues

ID Number Severity Solution Article(s) Description
720434-3 2-Critical   Multi-blade Chassis iAppLX Package upgrade sync is incomplete across blades
718796-3 2-Critical   IControl REST token issue after upgrade
710809-4 2-Critical   Restjavad hangs and causes GUI page timeouts
839597-4 3-Major   Restjavad fails to start if provision.extramb has large value
815649-1 3-Major   Named.config entry getting overwriting on SSL Orchestrator deployment
767613-2 3-Major   Restjavad can keep partially downloaded files open indefinitely
749383-1 3-Major   Audit Log: 'cmd_data=list cm device recursive' are being generated continuously even the command has not been executed
718033-4 3-Major   REST calls fail after installing BIG-IP software or changing admin passwords


iApp Technology Issues

ID Number Severity Solution Article(s) Description
842193-3 3-Major   Scriptd coring while running f5.automated_backup script
818069-4 3-Major   GUI hangs when iApp produces error message
829861 4-Minor   iApp UI broken when referencing to iApp profile /Common/_sys_radius_proto_imsi
802189-2 4-Minor   iApps: Calling 'Package Require <PKG>' in a template with a manager role is not supported


Protocol Inspection Issues

ID Number Severity Solution Article(s) Description
825501-1 3-Major   IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.
795329-2 3-Major   IM installation fails if 'auto-add-new-inspections' enabled on profile
778225-3 3-Major   vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host
760740-1 4-Minor   Mysql error is displayed when saving UCS configuration on BIG-IP system with only LTM provisioned

 

Known Issue details for BIG-IP v14.1.x

862069-3 : Using non-standard HTTPS and SSH ports will fail under certain conditions

Component: Local Traffic Manager

Symptoms:
On all versions 12.1.0 or above, if you try to change the HTTPS port (e.g. to 8443) and then expose the management UI via a self IP in a non-zero route domain, it won't work.

In versions 14.1.0 and above on VEs, attempting to manage a BIG-IP over a self IP can fail if all these conditions are met:
   - Non-standard HTTPS port used.
   - No TMM default route configured.
      - No route to the client IP configured.

Conditions:
-- Modify the default HTTPS and/or default SSH ports.

And either:

On 12.1.0 and above:
-- Expose the management UI and/or CLI via a self IP in a non-zero route domain.

... or:

On 14.1.0 and above:
-- No TMM default route configured.
-- No route to the client IP configured.

Impact:
Unable to access BIG-IP GUI on non-standard HTTPS port, and/or unable to access BIG_IP CLI on non-standard SSH port.


860881-1 : TMM can crash when handling a compressed response from HTTP server

Component: Local Traffic Manager

Symptoms:
TMM crashes while handling HTTP response

Conditions:
HTTP virtual server performing decompression of response data from a server, e.g. because a rewrite profile is attached to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable compression on the server.


860517-3 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.

Component: TMOS

Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.

As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms). tmm crash

Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.

Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.

Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.


860317-1 : JavaScript Obfuscator can hang indefinitely

Component: TMOS

Symptoms:
High CPU usage by obfuscator for an extended period of time.

Conditions:
Occurs very rarely, when FPS or L7 DDoS protection are enabled.

Impact:
High CPU Usage.

Workaround:
Kill the obfuscator process


860277-2 : Default value of TCP Profile Proxy Buffer High Low changed in 14.1

Component: Local Traffic Manager

Symptoms:
Version: 13.1.3.1

# tmsh list ltm profile tcp tcp proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
    proxy-buffer-high 49152
    proxy-buffer-low 32768
}

       proxy-buffer-high
            Specifies the highest level at which the receive window is closed.
            The default value is 49152.

       proxy-buffer-low
            Specifies the lowest level at which the receive window is closed.
            The default value is 32768.

Version: 14.1.2.2

# list ltm profile tcp TCP proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
    proxy-buffer-high 65535
    proxy-buffer-low 32768
}


proxy-buffer-high
            Specifies the highest level at which the receive window is closed.
            The default value is 131072.

proxy-buffer-low
            Specifies the lowest level at which the receive window is closed.
            The default value is 98304.

Conditions:
Looking at the help for proxy-buffer-high and proxy-buffer-low in tmsh

Impact:
The default value for proxy-buffer-high is 65535 and the default value for proxy-buffer-low is 32768, but the help text indicates that the defaults are 13072 and 98304 respectively.


860181-3 : After sync failure due to lack of local self-IP on the peer, adding in the self-IP does not resolve the sync error

Component: TMOS

Symptoms:
If you have BIG-IPs in a Device Service Cluster, and you attempt to sync a new floating self-IP over to a standby on a VLAN that the standby does not currently have a non-floating self-IP on, you will get an error and the sync will fail. This is the correct behavior. The issue, though, is that if you subsequently create a non-floating self-IP on the standby in order to rectify this issue, the sync will still fail.

Conditions:
-- BIG-IPs configured in a Device Service Cluster.
-- Device group is configured to use Automatic Sync or Manual with Incremental sync.
-- Attempting to sync a floating self-IP to a system that does not have a non-floating self-IP on the same VLAN.

Impact:
You are unable to sync BIG-IPs. Both devices will be out of sync and you will see an error displayed:

01070355:3: Self IP <address> is declared as a floating address but there is no non-floating address defined for this network

Even after you add a non-floating self-IP on the affected device, a subsequent config sync does not fix the error.

Workaround:
If you make any other configuration change that generates a config sync, this will correct itself after the other device has added a non-floating Self-IP.

Otherwise, this can be corrected by doing a full config sync, and can be done via the GUI or via tmsh.

In the GUI, change the Sync Type for the device group to Manual with Full Sync, and then do a config sync.

In tmsh, the command is:
run cm config-sync force-full-load-push to-group <affected_device_group>


860005-3 : Ephemeral nodes/pool members may be created for wrong FQDN name

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.

Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.

The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.

Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.

Workaround:
It may be possible to mitigate this issue by one or more of the following actions:

-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.

-- Reducing the number of FQDN template nodes (FQDN names to be resolved).

-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.


859721-3 : Using GENERICMESSAGE create together with reject inside periodic after may cause core

Component: Service Provider

Symptoms:
In iRules, when "GENERICMESSAGE::message create" is called after "reject" command inside "after -periodic", it may cause core. Below is an example iRules.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859113.

Conditions:
GENERICMESSAGE::message create" is called after "reject" inside "after -periodic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event


859113-3 : Using "reject" iRules command inside "after" may causes core

Component: Local Traffic Manager

Symptoms:
In iRules, when "reject" is used inside "after -periodic" and it is followed by "GENERICMESSAGE::message create". It may trigger a tmm core. Below is an example iRule.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859721

Conditions:
- "reject" is used inside "after -periodic"
- it is followed by "GENERICMESSAGE::message create"

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event


858973-3 : DNS request matches less specific WideIP when adding new wildcard wideips

Component: Global Traffic Manager (DNS)

Symptoms:
After adding a new wildcard wideip, DNS requests start matching the wildcard even if a more specific wildcard wideip should match.

Conditions:
New less specific Wildcard WideIPs are created.

Impact:
DNS request matches less specific WideIP.

Workaround:
# tmsh load sys config gtm-only
or
restart tmm


858429 : BIG-IP system sending ICMP packets on both virtual wire interface

Component: Local Traffic Manager

Symptoms:
ICMP packets are forwarded to both virtual wire interface, which causes MAC-Flip on the connected switches.

Conditions:
-- Ingress ICMP packet is on one TMM.
-- Egress is on another TMM.

Impact:
Traffic is disrupted in the network.

Workaround:
None.


858309-1 : Setting a self IP with an IPv6 Address with an embedded IPv4 address causes tmm to continually restart

Component: Local Traffic Manager

Symptoms:
TMM keeps restarting after setting a self IP to an IPv6 address with an embedded IPv4 address in TMSH.

Conditions:
Set self IP to an IPv6 address with an embedded Ipv4 address using tmsh.

Impact:
Tmm restarts repeatedly. Traffic disrupted while tmm restarts.

Workaround:
Set self IP to IPv4 address.


858197-1 : Merged crash when memory exhausted

Component: TMOS

Symptoms:
Merged crashes when system memory is exhausted

Conditions:
System memory is is at 0% available.

Impact:
Merged crashes, stopping stats updates

Workaround:
Reduce the configuration on the system


857725 : Anti-Fraud/DataSafe Logging Settings page not found

Component: Fraud Protection Services

Symptoms:
When navigating to Security :: Fraud Protection Service : Anti-Fraud Logging Settings, a 404 error is shown instead of the actual page.

Conditions:
- Provision Fraud Protection Service.
- License DataSafe or Fraud Protection Service.
- Enable the 'antifraud.riskengine.reportlogins' database variable.

Impact:
'Anti-Fraud Logging Settings' page is not found.

Workaround:
Configure logging setting using the Traffic Management Shell (tmsh) utility.


857045-3 : LDAP system authentication may stop working

Component: TMOS

Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.

In /var/log/daemon.log, you may see the following:

warning systemd[1]: nslcd.service failed

Conditions:
Nslcd daemon crashed, and it fails to restart.

Impact:
System authentication stops working until nslcd is restarted.

Workaround:
Manually restart nslcd daemon:

tmsh start sys service nslcd


856953-2 : IPsec: TMM cored after ike-peer switched version from IKEv2 to IKEv1

Component: TMOS

Symptoms:
TMM cores.

Conditions:
Occured when IKE peer version changed from IKEv2 to IKEv1, leading to an attempt of renegotiating IPsec tunnel.

Impact:
Traffic disrupted while tmm restarts.


856713-1 : IPsec crash during rekey

Component: TMOS

Symptoms:
IPsec-related tmm crash and generated core file during rekey.

Conditions:
-- IPsec timeout occurs.
-- Some temporary SA's are created by racoon.

Impact:
Tmm crashes and creates core file. Traffic disrupted while tmm restarts.

Workaround:
None.


854177-3 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality

Component: Application Security Manager

Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.

Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.

Impact:
Latency is introduced to ASM handling.

Workaround:
Set the fast changing nodes to static updates every hour.


853989-3 : DOSL7 Logs breaks CEF connector by populating strings into numeric fields

Component: Application Security Manager

Symptoms:
Dosl7 remote logger messages breaks ArcSight CEF connector when using ArcSight destination format. CEF Logs are dropped.

Conditions:
- ASM provisioned
- Dos profile attached to a virtual server
- Dos application protection enabled
- Logging profile configured with ArcSight format attached to a virtual

Impact:
ArcSight server might be broken after getting dosl7 attack detection messages from the BIG-IP.

Workaround:
BIG-IP iRule or another proxy can be used to intercept ArcSight messages and strip the a string portion from ArcSight numeric type fields.


853617-3 : Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles

Component: TMOS

Symptoms:
Validation does not prevent specific configuration, but reports errors. In newer versions:

-- err tmm1[7019]: 01010008:3: Proxy initialization failed for /Common/vs_test. Defaulting to DENY.
-- err tmm1[7019]: 01010008:3: Listener config update failed for /Common/vs_test: ERR:ERR_ARG

In older versions:

-- err tmm[23118]: 01010007:3: Config error: virtual_server_profile no suitable hudchain
-- err tmm[23118]: 01010007:3: Config error: add virtual server profile error

Conditions:
Creating a virtual server with UDP, HTTP, SSL, (and OneConnect) profiles.

Impact:
Virtual server is defined and in configuration, but does not pass traffic.

On v12.1.x and v13.0.0, attempts to recover from this configuration can leave TMM in a bad state, which can then result in a TMM crash.

Workaround:
None.


853613-2 : Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp

Component: Local Traffic Manager

Symptoms:
A TCP connection hangs occasionally.

Conditions:
-- The TCP connection is on the clientside.
-- sys db tm.tcpsendrandomtimestamp is enabled.
-- A virtual server's TCP's Verified Accept and Timestamps are both enabled.

Impact:
TCP connections hangs, and data transfer cannot be completed.

Workaround:
-- Disable tm.tcpsendrandomtimestamp or
-- Disable either the TCP's Verified Accept or Timestamps option.


853545-3 : MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event

Component: Service Provider

Symptoms:
For each message dropped during GENERICMESSAGE_INGRESS, memory is leaked.

Conditions:
Usage of GENERICMESSAGE::message drop iRule command during GENERICMESSAGE_INGRESS event will leak memory.

Impact:
As more memory is leaked, less memory is available for message processing, eventually leading to a core.

Workaround:
Use MR::message drop during MR_INGRESS event instead to drop a message.


853329-4 : HTTP explicit proxy can crash TMM when used with classification profile

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may serve HTTP traffic as forward proxy and use DNS resolver objects to provide a server to connect to for request processing. When a classification profile is attached to the virtual server, it may result in a TMM crash with regards to some HTTP requests.

Conditions:
-- PEM is provisioned.
-- HTTP explicit proxy is configured on a virtual server.
-- A classification profile attached to the virtual server.

Impact:
TMM crashes, causing failover. Traffic disrupted while tmm restarts.

Workaround:
None.


853325 : TMM Crash while parsing form parameters by SSO.

Component: Access Policy Manager

Symptoms:
When a form is received in the response, TMM crashes when SSO identifies the form parameter, and logs the Form parameter value and type in SSOv2 form-based passthrough log.

Conditions:
-- When any of the form parameters that SSO receives in the response does not have a value.
-- Passthrough mode is enabled in SSO.

Impact:
TMM crash when Passthrough mode is enabled in SSO. Traffic disrupted while tmm restarts.

Workaround:
Do not use Passthrough mode with SSO.


852873 : Proprietary Multicast PVST+ packets are forwarded instead of dropped

Component: Local Traffic Manager

Symptoms:
Since BIG-IP does not recognize proprietary multicast MACs like PVST+ (01:00:0c:cc:cc:cd) when STP is disabled it won't be able to drop those frames. Instead it would treat those as L2 multicast frames and forward between 2 interfaces.

Conditions:
STP disabled
All platforms except 2000 series, 4000 series, i2000 series, i4000 series and i850

Impact:
PVST+ (01:00:0c:cc:cc:cd), a proprietary multicast MAC will be forwarded instead of discarded even though when STP is disabled

Workaround:
Not available


852565-3 : On Device Management::Overview GUI page, device order changes

Component: TMOS

Symptoms:
When manual device group sync is enabled, the device with the most recent change will be displayed at the top of the Device Management::Overview GUI page.

Conditions:
-- Multiple devices in a device group
-- Device group has manual config sync enabled
-- A change is made on a device

Impact:
When the list loads, the device with the most recent changes is displayed at the top. This can make the device order appear to be inconsistent, and can create confusion when doing manual config sync if you are expecting the order to be always consistent.


852437-1 : Overly aggressive file cleanup causes failed ASU installation

Component: Application Security Manager

Symptoms:
Directory cleanup for for failed Attack Signature Updates was too aggressive and may delete needed files in the middle of the installation itself and cause it to fail.

Conditions:
An Attack Signature Update runs at the same time as the file cleanup task.

Impact:
The Attack Signature Update fails to complete successfully.

Workaround:
The Attack Signature Update can be retried.


852373-2 : HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error

Component: Local Traffic Manager

Symptoms:
HTTP/2 connection breaks and Tcl error is logged in /var/log/ltm similar to the following:

TCL error: /Common/http2_disable <CLIENT_ACCEPTED> - Unknown error (line 1) (line 1) invoked from within "HTTP2::disable".

Conditions:
Any of the following Tcl commands are used in any iRule event: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside.

Impact:
HTTP/2 traffic is not passed to the serverside.

Workaround:
Do not use the following Tcl commands: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside


852325-3 : HTTP2 does not support Global SNAT

Component: Local Traffic Manager

Symptoms:
The Global SNAT feature does not work with HTTP2.

Conditions:
-- Global SNAT is used
-- HTTP2 is used.

Impact:
Traffic uses the incorrect IP addresses when sourced from the BIG-IP system.

Workaround:
Use an explicit SNAT setting: SNAT Auto-Map or a SNAT pool.


852313-2 : VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured

Component: Access Policy Manager

Symptoms:
VMware Horizon clients cannot ,connect to APM and /var/log/apm contains hte following error:
... err tmm3[12345]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_BOUNDS. File: ../modules/hudfilter/access/access.c, Function: access_do_internal_retry, Line: 16431

Conditions:
-- Access Policy has 'VMware View Logon Page' agent configured with 'Kerberos Authentication'.
-- The policy has been in use for some time.

Impact:
VMware Horizon client cannot connect to APM after some time.

Workaround:
None.


852101-3 : Monitor fails.

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d fails external monitor SIP_monitor because GTM SIP Monitors need to be running as privileged.

Conditions:
TLS SIP monitor on pool member requiring client auth.

Impact:
Big3d fails external monitor SIP_monitor.

Workaround:
The only workaround is to allow world reading of key files in the filestore, however, this is not ideal as it exposes potentially sensitive data.


851789-3 : SSL monitors flap with client certs with private key stored in FIPS

Component: TMOS

Symptoms:
Bigd reporting 'overload' or 'overloaded' in /var/log/ltm.
SSL monitors flapping while the servers are available.

Conditions:
-- FIPS-enabled platform.
-- HTTPS monitors using client-cert authentication where the key is stored in FIPS HSM.
-- Large number of monitors or low interval.

Impact:
Periodic service interruption depending on which monitors are flapping. Reduced number of available servers.

Workaround:
-- Increase the interval on the monitors.
-- Switch the monitors to use software keys.


851785-1 : BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/13: page allocation failure: order:2, mode:0x204020

After that, a stack trace follows. The process name in the line ('swapper/16', in this example) . You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the appliance 10350V-F D112

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this to 128 MB (131072 KB ).
When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected system

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID 851785' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID851785' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on the BIG-IP appliance and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the BIG-IP appliance and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"


851745-1 : High cpu consumption due when enabling large number of virtual servers

Component: Advanced Firewall Manager

Symptoms:
Observed autodosd CPU burst

Conditions:
Enable autodosd and a large number of virtual servers

Impact:
High cpu utilization in autodosd

Workaround:
Disable autodosd


851581-1 : Server-side detach may crash TMM

Component: Local Traffic Manager

Symptoms:
TMM crash with 'server drained' panic string.

Conditions:
-- Server-side flow is detached while the proxy is still buffering data for the pool member and the client continues to send data.
-- The detach may be triggered by the LB::detach iRule commands or internally.

Impact:
TMM crash, failover, brief traffic outage. Traffic disrupted while tmm restarts.

Workaround:
-- In cases in which the detach is triggered internally, there is no workaround.

-- In cases in which the detach is triggered by LB::Detach, make sure the command is not executed when a request may still be in progress by using it in response events, for example HTTP_RESPONSE, USER_RESPONSE, etc.


851477-3 : Memory allocation failures during proxy initialization are ignored leading to TMM cores

Component: Local Traffic Manager

Symptoms:
Memory allocation failures during proxy initialization are ignored. TMM cores when trying to access uninitialized memory.

Conditions:
-- HTTP or HTTP/2 virtual server with httprouter profile.
-- Low memory or fragmented memory on the system when configuration is being loaded.

Impact:
TMM cores when accessing uninitialized memory.

Workaround:
No workaround.


851393-3 : tmipsecd leaves a zombie rm process running after starting up

Component: TMOS

Symptoms:
After booting the system, you notice zombie 'rm' processes:

$ top -b | awk '$8=="Z"'
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm

Restarting tmipsecd will kill the zombied process but will start a new one.

Conditions:
IPSEC is enabled

Impact:
A zombie 'rm' process exists. There should be no other impact.


851341-2 : DNS cache responds with records exceeding cache-maximum-ttl for multiple TMMs

Component: Global Traffic Manager (DNS)

Symptoms:
DNS cache respond with records exceeding cache-maximum-ttl.

Conditions:
1. Multiple TMMs compared with single TMM.
2. Reassembled DNS response from previous cached records.

Impact:
DNS cache responds with records exceeding cache-maximum-ttl for multiple TMMs, but not with single TMMs. Inconsistent behavior might lead to confusion.

Workaround:
None.


851101-2 : Unable to establish active FTP connection with custom FTP filter

Component: Local Traffic Manager

Symptoms:
Unable to establish active FTP connection with custom FTP filter.

Conditions:
All of the following conditions are true:
-- Virtual server using custom FTP filter.
-- FTP filter has port (port used for data channel) set to 0 (zero).
-- Virtual server has source-port set to preserve-strict.
-- Using active FTP through the virtual server.

Impact:
-- The active FTP data channel is reset.
-- Commands that require data channel in active mode fail.

Workaround:
-- Change source-port to change or preserve.
-- Set port on FTP filter to be used for data channel.
-- Use passive FTP.


851045-3 : LTM database monitor may hang when monitored DB server goes down

Component: Local Traffic Manager

Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon) which causes an interruption in monitoring of other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.

Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).

Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads are processed to completion, and normal DB monitoring resumes.

Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.


851021-3 : Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error

Component: TMOS

Symptoms:
TMSH error example:

Configuration error: Can't associate ASM device sync (/Common/testsync/staging.example.com) folder does not exist

Conditions:
The conditions under which this occurs are unknown.

Impact:
Load of config file fails with an error that the folder does not exist.

Workaround:
Use 'tmsh load sys config verify', without specifying a specific file.


850997-3 : 'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page

Component: TMOS

Symptoms:
The SNMPD daemon no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page.

Conditions:
Viewing the page at:

System :: High Availability : Fail-safe : System

Impact:
Unable to configure the high availability (HA) settings for the snmpd high availability (HA) daemon through the GUI.

Workaround:
Use TMSH to modify the snmpd high availability (HA) settings.


850873-1 : LTM global SNAT sets TTL to 255 on egress.

Component: Local Traffic Manager

Symptoms:
When using the global SNAT feature on LTM, IPv4 TTL/IPv6 Hop-Limit values may be erroneously set to 255/64 on egress.

Conditions:
Traffic is handled by global SNAT.

Impact:
TTL on egress is set to 255/; Hop-Limit on egress is set to 64.

Workaround:
None.


850677-2 : Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy

Component: Application Security Manager

Symptoms:
Non-ASCII parameter static values are garbled when created in a non-UTF-8 policy using REST.

Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII parameter static values using REST.

Impact:
Parameter static values containing non-ASCII characters are garbled when created using REST.

Workaround:
Use UTF-8.


850673-3 : BD sends bad acks to the bd_agent for configuration

Component: Application Security Manager

Symptoms:
The bd_agents stops sending configuration in the middle of startup or a configuration change.
The policy maybe incomplete in the bd causing a wrong enforcement.

Conditions:
This is a rare issue and the exact conditions that trigger it are unknown.

Impact:
Bd_agent hangs or restarts which may cause a complete asm restart (and failover).
A partial policy may exist in bd causing improper enforcement.

Workaround:
Export and import the policy in case the policy is enforced incorrectly and un-assigning / re-assigning does not help.


850277-3 : Memory leak when using OAuth

Component: Access Policy Manager

Symptoms:
Tmm memory usage keeps going up when passing multiple HTTP requests through a kept-alive TCP connection carrying an OAuth token as bearer in the Authorization header.

Conditions:
-- Multiple HTTP requests through a kept-alive TCP connection.
-- Requests carry an OAuth token as bearer in the Authorization header.

Impact:
Memory leak occurs in which tmm memory usage increases.

Workaround:
None.


850193-2 : Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues

Component: Performance

Symptoms:
-- Uneven unic channel distribution and transmit errors (tx_errcnt) seen in /proc/unic.
-- Packet loss and increased retransmissions under load.

Conditions:
BIG-IP Virtual Edition (VE) in Hyper-V or Azure Cloud.

Impact:
-- Reduced throughput.
-- Packet loss and increased retransmissions under load.

Workaround:
None.


850145-3 : Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed

Component: Local Traffic Manager

Symptoms:
First HTTP request on a connection creates a connection to the server. Subsequent pipelined requests should be processed and use the established connection to the server. However, the requests were queued in the proxy and not processed resulting in connection hang.

Conditions:
- HTTP or HTTP/2 virtual server with httprouter profile.
- HTTP/1.1 connections with the client and server.
- Pipelined HTTP requests.

Impact:
Connection hangs and is eventually reset.

Workaround:
No workaround.


849405 : LTM v14.1.2.1 no log after upgrade

Component: TMOS

Symptoms:
After upgrading to v14.1.2.1, logs are not generated and also sysstat.service is not running.

Conditions:
The issue is momentary and is not always reproducible.
upgrade from BIG-IP 12.1.x(centos6) to bigip14.1.2.1(centos7)

Impact:
Logs are not generated and also sysstat.service is not running.

Workaround:
Once the BIG-IP starts up check for failed services

systemctl list-units --failed

If it shows sysstat.service as FAILED, then give below command

restorecon -Rv /var/log/sa6 && systemctl start sysstat


849349-3 : Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db

Component: Application Security Manager

Symptoms:
Web app flow might fail resulting in JavaScript errors related to CSP policy

Conditions:
-- ASM provisioned.
-- Bot-Defense or DoS Application profile assigned to a virtual server.
-- The backend server sends CSP headers.

Impact:
Web application flow might fail.

Workaround:
Attach an iRule:

when HTTP_REQUEST {
    set csp 0
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Content-Security-Policy] } {
        set csp "[HTTP::header values Content-Security-Policy]"
    }
}
when HTTP_RESPONSE_RELEASE {
    if { $csp != 0 } {
        HTTP::header replace Content-Security-Policy $csp
    }
    set csp 0
}


848777-1 : Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.

Component: Local Traffic Manager

Symptoms:
Shared object address-list in non-default partition in non-default route-domain does not sync to peer node. The system reports the following exceptions when such an issue occurs:

-- err mcpd[4941]: 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).

-- err mcpd[4941]: 01071488:3: Remote transaction for device group /Common/DG1 to commit id 500 6754270728594498269 /Common/bigiptest1 0 failed with error 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).

Conditions:
-- Create Custom partition.
-- Create Custom Route-domain.
-- Change custom partition.
-- Create address list in non-default route domain.
-- Create virtual server with previously created address list and any TCP port.
-- Now, try to Sync to high availability (HA) peer.

Impact:
Sync fails with error. Configuration will not sync to peer node.

Workaround:
None.


848681-5 : Disabling the LCD on a VIPRION causes blade status lights to turn amber

Component: TMOS

Symptoms:
When the LCD is disabled or turned off on a VIPRION system, the blade status lights turn amber.

Conditions:
You can cause this to occur by running the command:
tmsh modify sys db platform.chassis.lcd value disable

Impact:
Blade status lights change to amber, even if nothing is wrong with the system.

Workaround:
None.


847325-1 : Changing a virtual server that uses a oneconnect profile can trigger persistence misbehavior.

Component: Local Traffic Manager

Symptoms:
High tmm CPU utilization.
Stalled connection.
Incorrect persistence decisions

Conditions:
A oneconnect profile is combined with certain persist profiles on a virtual server.

The virtual server configuration is changed while there is an ongoing connection to the virtual server. Any connections that make a request after the configuration change can be affected.

The persistence types that are affected are
Source Address (but not hash-algorithm carp)
Destination Address (but not hash-algorithm carp)
Universal
Cookie (only cookie hash)
Host
SSL session
SIP
Hash (but not hash-algorithm carp)

Impact:
High tmm CPU utilization.
Stalled connection.
Incorrect persistence decisions


846977-3 : TCP:collect validation changed in 12.0.0: the first argument can no longer be zero

Component: Local Traffic Manager

Symptoms:
Validation for TCP::collect was changed in BIG-IP software v12.0.0 (with the introduction of JET specifications). Prior to 12.0.0, there were no restrictions on the values of the two arguments. As of 12.0.0, the first argument ('collect_bytes') must be a positive integer, and the second argument ('skip_bytes) must be a non-negative integer.

Occurrences of 'TCP::collect 0 0' in iRules experience issues when upgrading to a newer version, producing warnings in LTM log:

/Common/T_collect:9: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"136 17][TCP::collect 0 0].

Conditions:
-- Using a version of BIG-IP software earlier than 12.0.0, configure an iRule with a 'TCP::collect 0 0' command.
-- Upgrade to 12.0.0 or later.

Impact:
Warning in the LTM log file. The iRules containing 0 values do not function as expected. There is no other impact.

Workaround:
Change 'TCP::collect 0 0' to a value other than 0 (zero) in any iRules before or after upgrade.


846873-3 : Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure

Component: Local Traffic Manager

Symptoms:
Traffic fails to pass through a virtual server.

Conditions:
-- Virtual server is removed and a new one is added in a single transaction.
-- Virtual server references a plugin profile.

For example, create a CLI transaction:
- delete ltm virtual vs_http
- create ltm virtual vs_https destination 1.1.1.1:443 vlans-enabled profiles replace-all-with { http ntlm oneconnect }
- submit cli transaction

Impact:
Traffic failure on the new virtual server.

Workaround:
Create a virtual server that does not accept any traffic, but keeps the NTLM MPI plugin channel alive:

tmsh create ltm virtual workaround destination 1.1.1.1:1 profiles replace-all-with { http oneconnect ntlm } vlans-enabled vlans none && tmsh save sys config


846521-5 : Config script does not refresh management address entry properly when alternating between dynamic and static

Component: TMOS

Symptoms:
Config script does not refresh management address entry properly when alternating between dynamic (DHCP) and static configuration.

Conditions:
- Management IP assignment is changed from dynamic (DHCP) to static.
- Same IP address is configured, as previously received from DHCP server.

Impact:
Remote management access is lost after DHCP lease expires.

Workaround:
Restart BIG-IP after changing the management IP address.


846441-1 : Flow-control is reset to default for secondary blade's interface

Component: Local Traffic Manager

Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface is reset to default.

Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.

Impact:
The flow-control setting is reset to default (tx-rx).

Workaround:
Reload the configuration on the primary blade.


846217-1 : Translucent vlan-groups set local bit in destination MAC address

Component: Local Traffic Manager

Symptoms:
Translucent vlan-groups may set the locally-unique bit in a destination MAC address when sending traffic to a pool member/client.

Conditions:
On versions earlier than 15.0.0:
- Translucent vlan-group is in use.

On v15.0.0 and later:
-- Translucent vlan-group is in use.
-- The connection.vgl2transparent db variable is enabled.

Impact:
Traffic handled by translucent vlan-groups may not work properly.

Workaround:
On versions earlier than 15.0.0, there is no workaround.

-- On version 15.0.0 and later, you can disable the connection.vgl2transparent db variable to mitigate the problem:

tmsh modify sys db connection.vgl2transparent value disable

Note: connection.vgl2transparent is disabled by default.


846181-1 : Request samples for some of the learning suggestions are not visible

Component: Application Security Manager

Symptoms:
Learning suggestions created from single request do not show source 'request log' in the 'Suggestion' GUI section.

Conditions:
'Learning Suggestion' created from only one 'Request Log' record.

Impact:
Learning suggestions created from single request does not show source 'request log' in the 'Suggestion' GUI section

Workaround:
None.


846141-3 : Unable to use Rest API to manage GTM pool members that have an pipe symbol '|' in the server name.

Component: TMOS

Symptoms:
Rest API returns 404 'Object not found"' error when attempting direct access to pool member that has pipe symbol '|' in the server or virtual server name.

Conditions:
An iControl/REST call to a pool member that has a virtual server on the Server whose name contains a | character in the server or virtual server name.

Impact:
The iControl/REST call cannot manage a pool member associated with a virtual server or server whose name contains a | character.

Workaround:
Rename the server or virtual server to a name that does not contains the | character.


846057-2 : UCS backup archive may include unnecessary files

Component: Application Security Manager

Symptoms:
UCS backup archive file size is much larger than UCS files in previous releases.

Conditions:
-- UCS backup process finishes with failure and does not clean temporary files.
-- A second UCS backup is attempted.

Impact:
Those files are included in the UCS archive, which results in an unusually large UCS backup files.

Workaround:
Before running the UCS backup process, remove directories:

/var/tmp/ts_db.save_dir_*.cstmp/


845629-1 : Hv_netvsc vmbus_17 timeout at boot causes reduced NIC performance

Component: TMOS

Symptoms:
-- Uneven unic channel distribution and transmit errors seen in /proc/unic.
-- Packet loss and increased retransmissions under load.
-- Errors reported in dmesg:
hv_netvsc vmbus_17 (unregistered net_device): timeout before we got a set response....

Conditions:
BIG-IP Virtual Edition (VE) in Azure boots while the hypervisor is under high load.

Impact:
-- Reduced throughput.

-- Packet loss and increased retransmissions under load.

Workaround:
This condition occurs when a timeout occurs when booting, resulting in the NIC driver not getting necessary information from the hypervisor.

Rebooting the BIG-IP VE may clear the condition if the hypervisor load has reduced.


845333-3 : An iRule with a proc referencing a datagroup cannot be assigned to Transport Config

Component: Local Traffic Manager

Symptoms:
If you try to assign an iRule to a Transport Config, and if the iRule has a proc that references a datagroup, the assignment fails with an error:
01070151:3: Rule [/Common/test2] error: Unable to find value_list (datagroup) referenced at line 6: [class lookup "first" datagroup]

Conditions:
-- Assign an iRule to a Transport Config.
-- The iRule has a proc.
-- The proc references a datagroup.

Impact:
Validation fails. An iRule with a proc referencing a datagroup cannot be assigned to Transport Config objects.

Workaround:
Make the datagroup a Tcl variable to bypass validation.


845313 : Tmm crash under heavy load

Component: Policy Enforcement Manager

Symptoms:
Tmm crashes.

Conditions:
-- BIG-IP PEM is licensed and configured.
-- Heavy traffic is received by PEM virtual server.
-- The traffic pattern goes through subscriber add/delete frequently.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


844781-1 : [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection

Component: Access Policy Manager

Symptoms:
SELinux policy does not allow the rewrite plugin to create a directory and write troubleshooting data into /var/tmp/WebAppTrace.

Conditions:
Collecting Portal Access web applications traces per K13384: Performing a web applications trace (11.x - 14.x) :: https://support.f5.com/csp/article/K13384

Impact:
Cannot collect Portal Access web applications troubleshooting data as it described in in that AskF5 Article.

Workaround:
Connect via SSH using the root account and run this command:
restorecon -Rv /var/tmp/WebAppTrace/


844689-3 : Possible temporary CPU usage increase with unusually large named.conf file

Component: Global Traffic Manager (DNS)

Symptoms:
You might see occasional and temporary CPU usage increases when named.conf file is unusually large.

Conditions:
Unusually large named.conf file and zones are checked for updates (when the SOA expires).

Impact:
When a zone file is updated, a downstream effect is the ZoneRunner process to parse again the named.conf file. The parsing of an unusually large file may cause a temporary increase in CPU usage.

Workaround:
None.


844597-2 : AVR analytics is reporting null domain name for a dns query

Component: Advanced Firewall Manager

Symptoms:
AVR analytics is reporting null domain name for a DNS query if DNS DoS profile is attached to a virtual server, but the profile does not have the matching type vector enabled to the query type.

Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.

Impact:
DNS domain name is reported as NULL

Workaround:
Enable the matching type vector on the DNS DoS profile.


844573-3 : Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret.

Component: Access Policy Manager

Symptoms:
The log message when OAuth client or resource server fails to generate the secret is assigned an incorrect log level, and is incorrectly logged at the emergency level.

Conditions:
This is encountered when this message is logged by mcpd.

Impact:
Log message cannot be grouped with messages at the correct log level.

Workaround:
None.


844421 : Cipher ordering in cipher rules can be wrong

Component: Local Traffic Manager

Symptoms:
With a cipher string such as ECDHE:ECDH_RSA:NATIVE is used, the expansion is done in the wrong order.

Conditions:
Cipher rules are used, and some are expanded.

Impact:
Cipher ordering can changes, so unexpected cipher suites are used.

Workaround:
None.


844337-2 : Tcl error log improvement for node command

Component: Local Traffic Manager

Symptoms:
Because of the Tcl error, connection gets reset and reports an error:

err tmm[18774]: 01220001:3: TCL error: /Common/test2- bad port in node <addr> <port> cmdTCL error (line 43) (line 43) invoked from within "node 172.x.x.x IP [LB::server port]"

Conditions:
Using node command under pre-load-balancing iRule events.

Impact:
Unclear port values in Tcl error message.

Workaround:
None.


844281-1 : [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.

Component: Access Policy Manager

Symptoms:
Java applets are not patched when accessed through APM Portal Access.

/var/log/rewrite contains error messages similar to following:
-- notice rewrite - fm_patchers/java_patcher_engine/CryptoToolsManager.cpp:568 (0x1919ab0): CryptoToolsManager :: _ReadCA() - cannot open CA file.

/var/log/auditd/audit.log contains AVC denials for rewrite on attempt to read file under /config/filestore/.

Conditions:
Java patching is enabled via rewrite profile and Portal Access resource.

Impact:
Java applets cannot be patched by APM Portal Access rewriter.

Workaround:
None.


844085-3 : GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address

Component: Local Traffic Manager

Symptoms:
With multiple virtual servers that have the same destination address, changing all of them in the GUI to use an address list as their source address will result in the last one changed failing with an error similar to:

01070344:3: Cannot delete referenced virtual address /Common/1.2.3.4.

Conditions:
-- More than one virtual server with the same destination address.
-- Changing all the virtual servers that share the same destination address to use an address list for their source address.

Impact:
Unable to change the source address of a virtual server to an address list.

Workaround:
Use TMSH to manually create a traffic-matching criteria object and assign it to the virtual server:

tmsh create ltm traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination-address-inline <destination address of virtual server> destination-port-inline <destination port of virtual server> source-address-inline 0.0.0.0 source-address-list <address list name>
}

tmsh modify /ltm virtual <virtual server name>traffic-matching-criteria<virtual server name>_VS_TMC_OBJ destination 0.0.0.0:any


843809-2 : Bigd cored due to high iowait

Component: Local Traffic Manager

Symptoms:
Sod detected heartbeat failure and killed bigd daemon.
High number of probe_failures are also observed.

Conditions:
bigd (the BIG-IP monitoring daemon) is under heavy load

Impact:
Sod may kill bigd, and bigd may core.


843801-1 : Like-named previous Signature Update installations block Live Update usage after upgrade

Component: Application Security Manager

Symptoms:
Signature Update installations using ASU files with the same name on versions before 14.1.0 block Live Update usage after upgrade to 14.1.0 or later.

Conditions:
The same Signature Update file is installed multiple times on the device when running a version earlier than 14.1.0.

Impact:
Signature Update cannot be installed using Live Update, and errors appear in logs.

Workaround:
1. Delete the file: /var/lib/hsqldb/live-update/live-update-import.yaml.
2. Restart tomcat:
bigstart restart tomcat

This causes pre-upgrade records for Signature Update to be lost, but does not have any other functional impact.


843661-3 : TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command

Component: TMOS

Symptoms:
TMSH currently allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command, but the option is not honored and the entire license is revoked.

Conditions:
-- BIG-IP license and add-on license are installed.
-- Attempt to revoke the system license with 'add-on-keys' as an option.

Impact:
Add-on-keys option is ignored, and the entire license is revoked instead.

Workaround:
None.


843597-3 : Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle

Component: TMOS

Symptoms:
The vmxnet3 driver cannot handle MTUs larger than 9000 bytes.

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with the vmxnet3 driver.
-- Passing packets larger than 9000 bytes.

Impact:
Either packets are dropped, or the hypervisor may crash on some platforms that do not handle this condition gracefully.

Workaround:
Modify the tmm_init.tcl file, adding the following line:

ndal mtu 9000 15ad:07b0


843317-1 : The iRules LX workspace imported with incorrect SELinux contexts

Component: Local Traffic Manager

Symptoms:
Files imported from iRules LX workspace may have incorrect SELinux contexts such as abrt_var_cache_t.

This can cause reloading the workspace to fail with errors:

01070079: failed to create workspace archive ... Return code {2}

Conditions:
Importing the iRules LX workspace.

Impact:
Workspace cannot be imported

Workaround:
As a workaround you can run the following command on the folders to restore the context:
restorecon -R -v


842937-4 : TMM crash due to failed assertion 'valid node'

Component: Local Traffic Manager

Symptoms:
Under undetermined load pattern TMM may crash with message: Assertion 'valid node' fail.

Conditions:
This can occur while passing traffic with the Ram Cache profile enabled on a Virtual Server. Other conditions are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Refrain from using ramcache may mitigate the problem.


842901-3 : Improve fast failover of PIM-DM-based multicast traffic when BIG-IP is deployed as an Active/Standby HA pair.

Component: TMOS

Symptoms:
Although the effect differs for different topologies, in general, the multicast traffic is interrupted for 5-to-180 seconds after failover.

Conditions:
Fast failover of PIM-DM-based multicast traffic when the BIG-IP system is deployed as an Active/Standby high availability (HA) configuration.

Impact:
The multicast traffic is interrupted for 5-to-180 seconds after a failover event.

Workaround:
None. This is an improvement request.


842669-1 : Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log

Component: TMOS

Symptoms:
systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log. Bare ')' being logged to /var/log/user.log., for example:

cat /var/log/user.log
[...]: Deleting file /shared/core/*.core.*
[...]: Deleting file /shared/core/*.core.*
[...] )
[...] )

Conditions:
The cron process tries and fails to send an email because of output about a cron script.

Impact:
The logging subsystem accepts syslog messages with embedded newlines, and writes first part to the appropriate file, and the other lines to /var/log/user.log.

Workaround:
No known workaround.


842625-3 : SIP message routing remembers a 'no connection' failure state forever

Component: Service Provider

Symptoms:
When SIP message routing fails to route to a pool member (Triggering a MR_FAILED, MR::message status of 'no connection'), The BIG-IP system caches the failed state and continues to return this even after the pool member becomes reachable again.

Conditions:
When BIG-IP systen fails to route messages to the peer (server) due to unavailability of route or any other issues.

Impact:
The BIG-IP system is never be able to establish connection to the peer.

Workaround:
None.


842425-3 : Mirrored connections on standby are never removed in certain configurations

Component: Local Traffic Manager

Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.

Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.

Impact:
Leaking connections on the standby system.

Workaround:
You can use either of the following workarounds:

-- Use auto-lasthop with mirrored connections.

-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.


842193-3 : Scriptd coring while running f5.automated_backup script

Component: iApp Technology

Symptoms:
When the iApp, f5.automated_backup, script is terminated due to the max-script-run-time, the script still continues and finishes, sometimes with scriptd coring and posting error messages in /var/log/ltm:

-- info logger[17173]: f5.automated_backup iApp autobackup: STARTED
-- info logger[17175]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs GENERATING

-- err scriptd[13532]: 014f0004:3: script has exceeded its time to live, terminating the script <------ after 20 secs, it continues even after the scriptd core.

-- notice sod[3235]: 01140041:5: Killing /usr/bin/scriptd pid 13532.
-- warning sod[3235]: 01140029:4: high availability (HA) daemon_heartbeat scriptd fails action is restart.
-- info logger[19370]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs SAVED LOCALLY
(/var/local/ucs)
-- info logger[19372]: f5.automated_backup iApp autobackup: FINISHED

Conditions:
Configure the iApp application with f5.automated_backup template to do auto-backup at regular intervals.

Impact:
Scriptd core.

Workaround:
None.


842189-2 : Tunnels removed when going offline are not restored when going back online

Component: TMOS

Symptoms:
When a BIG-IP instance goes offline, any functioning tunnel is removed from the active configuration. Upon restoration to online operation, the tunnel is not automatically restored.

Conditions:
Configuration including tunnels.

Impact:
Failure of tunnel packet traffic.

Workaround:
Manually recreate the tunnel after the BIG-IP instance has been brought back online.


841985-3 : TSUI GUI stuck for the same session during long actions

Component: Application Security Manager

Symptoms:
The GUI becomes unresponsive when you perform an operation that takes a long time (e.g., Attack Signatures update).

Conditions:
Long-running task is performed, such as export/import/update signatures.

Impact:
GUI is unresponsive for that session.

Workaround:
If you need to continue working during long task is performed, you can log in via another browser.


841953-5 : A tunnel can be expired when going offline, causing tmm crash

Component: TMOS

Symptoms:
When the system transitions from active or next active (standby), e.g., to offline, the internal flow of a tunnel can be expired.

If the device returns to active or standby, and if the tunnel is modified, a double flow removal can cause a tmm crash.

Conditions:
-- System transitions from active or next active.
-- Tunnel is modified.
-- Device returns to active or next active mode.

Impact:
The tmm process restarts. Traffic disrupted while tmm restarts.

Workaround:
None.


841721-3 : BWC::policy detach appears to run, but BWC control is still enabled

Component: TMOS

Symptoms:
The dynamic BWC policy can be attached from iRules but not detached. No error occurs when BWC::policy detach is run, but the detached policy continues to work.

Conditions:
-- Dynamic BWC policy for a HTTP request URI during session.
-- Running BWC::policy detach.

Impact:
The detached policy continues to work.


841649-2 : Hardware accelerated connection mismatch resulting in tmm core

Component: TMOS

Symptoms:
Tmm receives an update from the ePVA for a hardware accelerated connection that is matched to the wrong correction. This can result in a tmm core, which is reported as a segment fault in the tmm log files.

Conditions:
A FastL4 virtual server that has hardware acceleration enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable hardware acceleration.


841469-4 : Application traffic may fail after an internal interface failure on a VIPRION system.

Component: Local Traffic Manager

Symptoms:
Blades in a VIPRION system connect with one another over a data backplane and a management backplane.

For more information on the manner in which blades interconnect over the data backplane, please refer to K13306: Overview of the manner in which the VIPRION chassis and blades interconnect :: https://support.f5.com/csp/article/K13306.

Should an internal interface fail and thus block communication over the data backplane between two distinct blades, an unusual situation arises where different blades compute different CMP states.

For example, if on a 4-slot chassis, blades 2 and 3 become disconnected with one another, the following is TMM's computation of which slots are on-line:

slot1: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
slot2: slots 1, 2, and 4 on-line (cmp state 0xb / 11)
slot3: slots 1, 3, and 4 on-line (cmp state 0xd / 13)
slot4: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)

As different slots are effectively operating under different assumptions of the state of the cluster, application traffic does not flow as expected. Some connections time out or are reset.

You can run the following command to inspect the CMP state of each slot:

clsh 'tmctl -d blade -s cmp_state tmm/cmp'

All slots should report the same state, for instance:

# clsh 'tmctl -d blade -s cmp_state tmm/cmp'
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
       15

=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
       15

=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
       15

=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
       15

When this issue occurs, logs similar to the following example can be expected in the /var/log/ltm file:

-- info bcm56xxd[4276]: 012c0015:6: Link: 2/5.3 is DOWN
-- info bcm56xxd[4296]: 012c0015:6: Link: 3/5.1 is DOWN
-- info bcm56xxd[4296]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4339]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4214]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd

And a CMP transition will be visible in the /var/log/tmm file similar to the following example:

-- notice CDP: PG 2 timed out
-- notice CDP: New pending state 0f -> 0b
-- notice Immediately transitioning dissaggregator to state 0xb
-- notice cmp state: 0xb

For more information on troubleshooting VIPRION backplane hardware issues, please refer to K14764: Troubleshooting possible hardware issues on the VIPRION backplane :: https://support.f5.com/csp/article/K14764.

Conditions:
This issue arises after a very specific type of hardware failure. The condition is very unlikely to occur and is impossible to predict in advance.

Impact:
Application traffic is impacted and fails sporadically due to a mismatch in CMP states between the blades. Failures are likely to manifest as timeouts or resets from the BIG-IP system.

Workaround:
F5 recommends the following to minimize the impact of this potential issue:

1) For all highly available configurations (e.g., A/S, A/A, A/A/S, etc.).

The BIG-IP system has functionality, in all software versions, to enact a fast failover when the conditions described occur.

To ensure this functionality will trigger, the following configuration requirements must be met:

a) The mirroring strategy must be set to 'between'.
b) A mirroring channel to the next-active unit must be up.
c) The min-up-members option must be set to the number of blades in the chassis (e.g., 4 if there are 4 blades in the chassis).

Note: It is not required to actually configure connection mirroring on any virtual server; simply choosing the aforementioned strategy and ensuring a channel is up to the next-active unit will suffice. However, note that some configurations will benefit by also configuring connection mirroring on some virtual servers, as that can greatly reduce the number of affected connections during a failover.

2) For 'regular' standalone units.

If a VIPRION system is truly standalone (no kind of redundancy whatsoever), there is no applicable failsafe action, as you will want to keep that chassis online even if some traffic is impaired. Ensure suitable monitoring of the system is in place (e.g., remote syslog servers, SNMP traps, etc.), so that a BIG-IP Administrator can react quickly in the unlikely event this issue does occur.

3) For a standalone chassis which belongs to a pool on an upstream load-balancer.

If the virtual servers of a standalone VIPRION system are pool members on an upstream load-balancer, it makes sense for the virtual servers to report unavailable (e.g., by resetting all new connection attempts) so that the upstream load-balancer can select different pool members.

An Engineering Hotfix can be provided which introduces an enhancement for this particular use-case. A new DB key is made available under the Engineering Hotfix: tmm.cdp.requirematchingstates, which takes values 'enable' and 'disable'.

The default is 'disable', which makes the VIPRION system behave as in versions without the enhancement. When set to 'enable', the VIPRION system attempts to detect this failure and, if it does, resets all new connections. This should trigger some monitor failures on the upstream load-balancer and allow it to select different pool members.

Please note you should only request the Engineering Hotfix and enable this DB key when this specific use-case applies: a standalone VIPRION system which belongs to a pool on an upstream load-balancer.

When the new feature is enabled, the following log messages in the /var/log/ltm file indicate when this begins and stops triggering:

-- crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.

-- crit tmm[13262]: 01010367:2: CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.


841369-1 : HTTP monitor GUI displays incorrect green status information

Component: Local Traffic Manager

Symptoms:
LTM HTTP monitor GUI displays incorrect green status when related pool is down.

TMSH shows correct information

Conditions:
LTM HTTP monitor destination port does not match with pool member port.

Impact:
LTM HTTP marks the node down, but the Instances tab of the monitor in the GUI reports the status as green

Workaround:
You can use either of the following workarounds:
-- Use TMSH to get correct info.
-- Ensure that LTM HTTP monitor destination port does match pool member port.


841341-4 : IP forwarding virtual server does not pick up any traffic if destination address is shared.

Component: Local Traffic Manager

Symptoms:
Virtual servers do not forward any traffic but the SNAT does.

Conditions:
-- Multiple wildcard IP forwarding virtual servers with the same destination address.
-- SNAT is configured.

Impact:
IP forwarding virtual server does not pick up any traffic.

Workaround:
Delete and then re-create virtual servers.


841333-5 : TMM may crash when tunnel used after returning from offline

Component: TMOS

Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.

Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


841277-5 : C4800 LCD fails to load after annunciator hot-swap

Component: TMOS

Symptoms:
After following F5-recommended procedures for hot-swapping the left annunciator card on a C4800 chassis and replacing the top bezel, the LCD screen fails to load.

Conditions:
- C4800 chassis with 2 annunciator cards.
- Hot-swap the left annunciator card and replace the top bezel.

Impact:
-- Status light on the top bezel turns amber.
-- LCD becomes unresponsive, and continuously displays 'F5 Networks Loading...'.

Workaround:
1. Run the command:
tmsh modify sys db platform.chassis.lcd value disable

2. Wait 10 seconds.

3. Run the command:
tmsh modify sys db platform.chassis.lcd value enable.

This forces the LCD to sync back up with the VIPRION system and returns it to normal operation. The top bezel status light should turn green.


840785-3 : Update documented examples for REST::send to use valid REST endpoints

Component: Local Traffic Manager

Symptoms:
The documented examples for REST::send refers to REST endpoints that are not valid.

Conditions:
Viewing the documentation at https://clouddocs.f5.com/api/irules/REST__send.html.

Impact:
Invalid examples lead to potential confusion.

Workaround:
Use valid REST endpoints, documented at https://clouddocs.f5.com/api/icontrol-rest/APIRef.html.


839597-4 : Restjavad fails to start if provision.extramb has large value

Component: Device Management

Symptoms:
Rolling restarts of restjavad every few seconds typically due to failure to start and reports messages in daemon log:

daemon.log: emerg logger: Re-starting restjavad

The system reports similar message at the command line.

No obvious cause is logged in rest logs.

Conditions:
-- System DB variable provision.extramb has an unusually high value*:
  + above ~2700-2800MB for v12.1.0 and earlier.
  + above ~2900-3000MB for v13.0.0 and later.

-- On v13.0.0 and later, sys db variable restjavad.useextramb needs to have the value 'true'

*A range of values is shown. When the value is above the approximate range specified, constant restarts are extremely likely, and within tens of MB below that point may be less frequent.

To check the values of these system DB varaiables use:
tmsh list sys db provision.extramb

tmsh list sys db restjavad.useextramb

Impact:
This impacts the ability to use the REST API to manage the system

Workaround:
If needing sys db restjavad.useextramb to have the value 'true', keep sys db provision.extramb well below the values listed (e.g., 2000 MB work without issue).

To set that at command line:

tmsh modify sys db provision.extrammb value 2000


If continual restarts of restjavad are causing difficulties managing the unit on the command line:

1. Stop restjavad (you can copy this string and paste it into the command line on the BIG-IP system):
tmsh stop sys service restjavad

2. Reduce the large value of provision.extramb if necessary.

3. Restart the restjavad service:
tmsh start sys service restjavad


839401-3 : Moving a virtual-address from one floating traffic-group to another does not send GARPs out.

Component: Local Traffic Manager

Symptoms:
Gratuitous ARPs (GARPs) are not sent out when moving a virtual-address from one floating traffic-group to another (e.g., from traffic-group-1 to traffic-group-2).

Conditions:
-- Moving a virtual-address from one floating traffic-group to another.
-- The traffic-groups are active on different devices.

Impact:
Application traffic does not immediately resume after the virtual-address is moved. Instead, the surrounding network devices have to ARP out for the IP address after reaching a timeout condition.

Workaround:
After moving the virtual-address, disable and then re-enable the ARP setting for the virtual-address. This forces GARPs to be sent out.


839361-4 : iRule 'drop' command does not drop packets when used in DNS_RESPONSE

Component: Global Traffic Manager (DNS)

Symptoms:
The iRule 'drop' command may not drop a DNS response when called under DNS_RESPONSE event.

Conditions:
iRule drop is used under DNS_RESPONSE event.

Impact:
DNS response may be improperly forwarded to the client.

Workaround:
Use DNS::drop instead.


839245-1 : IPother profile with SNAT sets egress TTL to 255

Component: Local Traffic Manager

Symptoms:
BIG-IP may set TTL to 255 on forwarded packets.

Conditions:
Virtual-server with ipother profile and SNAT configured.

Impact:
Traffic leaves with egress TTL set to 255.

Workaround:
None.


838925-5 : Rewrite URI translation profile can cause connection reset while processing malformed CSS content

Component: TMOS

Symptoms:
Malformed CSS where one of the style rules is missing a closing brace could cause LTM Rewrite profile to stop processing file or reset connection.

Conditions:
-- LTM Rewrite (URI translation) profile is attached to virtual server.
-- Content rewriting is enabled in Rewrite profile settings.
-- CSS file contains style rule with missing closing brace.

Impact:
URLs are not modified within affected files, starting from the missing closing brace. Intermittent connection resets occur.

Workaround:
Before rewriting, insert the missing symbol into CSS content either directly on the backend server or with an iRule.


838901-2 : TMM receives invalid rx descriptor from HSB hardware

Component: TMOS

Symptoms:
The HSB hardware returns an invalid receive (rx) descriptor to TMM. This results in a TMM core and can be seen as a SIGSEGV in the TMM logs. This also might result in continuous restarts of TMM, resulting in subsequent SIGSEGVs reported in the TMM logs until the unit is manually recovered.

Conditions:
The exact conditions under which this occurs are unknown.

Impact:
Traffic disrupted while tmm restarts. This may result in continuous TMM restarts until the BIG-IP system is rebooted.

Workaround:
None.


838861-2 : TMM might crash once after upgrading SSL Orchestrator

Component: Access Policy Manager

Symptoms:
TMM might crash due to SIGABRT.

Conditions:
-- Session check agent is present in APM per-request policy.
-- APM Access Profile scope changes during SSL Orchestrator upgrade.
-- This issue can occur for SSL Orchestrator upgrades from 14.x to 15.x and above.

Impact:
TMM might crash once. Traffic disrupted while tmm restarts.

Workaround:
None.


838405-1 : Listener traffic-group may not be updated properly when spanning is in use.

Component: Local Traffic Manager

Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.

Conditions:
Spanning is disabled or enabled on a virtual address.

Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.

Depending on the configuration, virtual server may or may not forward the traffic when expected.

Workaround:
Enable/Disable spanning together with changing a traffic-group:

> modify ltm virtual-address 0.0.0.0 traffic-group none spanning enabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled


838353-3 : MQTT monitor is not working in route domain.

Component: Local Traffic Manager

Symptoms:
MQTT monitor fails when non-default route domains are used.

Conditions:
-When a non-default route domain is configured for a pool member
-mqtt monitor in use

Impact:
Mqtt monitor does not work in route domain.


838337-3 : The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.

Component: TMOS

Symptoms:
In 2019, Brazil cancelled DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP system's time zone database needs to be updated to reflect this change.

Conditions:
None.

Impact:
BIG-IP systems configured to use "America/Sao_Paul" (or other applicable Brazilian localities) will still apply DST. Hence time will spring forward and backward on previously designated dates.

This will have no impact to application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, etc. will use incorrect time.

Note: You can inspect the time changes your system is due to apply by running the following command from the BIG-IP system's advanced shell (bash):

zdump -v <timezone>

For example:

zdump -v America/Sao_Paulo

Workaround:
As a workaround, you can set the BIG-IP system's time zone to that of a different country with the same UTC offset and already not observing DST.

For example, instead of using "America/Sao_Paul", you could use "America/Buenos_Aires" to obtain the same result.


838305-4 : BIG-IP may create multiple connections for packets that should belong to a single flow.

Component: Local Traffic Manager

Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.

Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.

Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.


838297-1 : Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication

Component: TMOS

Symptoms:
Under certain conditions, the BIG-IP system requires you to change your password on every login.

Furthermore, the login then fails, and loops endlessly asking for the password, even though the password has not expired.

Conditions:
-- BIG-IP 14.0.0 and later.
-- LDAP authentication is used for remote users.
-- Active Directory (AD) user account has shadowLastChange attribute with a value of 0 (or anything lower than the number of days since 1-1-1970).

Impact:
Remote AD BIG-IP users are unable to login to the BIG-IP system using remote LDAP authentication

Workaround:
Clear the value of shadowLastChange within AD.


837637-2 : Orphaned bigip_gtm.conf can cause config load failure after upgrading

Component: TMOS

Symptoms:
Configuration fails to load after upgrade with a message like
01420006:3: Can't find specified cli schema data for 13.1.1.4

Conditions:
Orphaned bigip_gtm.conf from an older-version.
This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade leaving behind a bigip_gtm.conf with the old schema.

Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.

Impact:
Configuration fails to load after upgrade.

Workaround:
After deprovisioning DNS, before upgrading run
rm -f /config bigip_gtm.conf
tmsh load sys config gtm-only


837617-3 : Tmm may crash while processing a compression context

Component: Local Traffic Manager

Symptoms:
Tmm crashes on segfault.

Conditions:
Conditions are unknown.

Impact:
Traffic disrupted while tmm restarts.


837481-5 : SNMPv3 pass phrases should not be synced between high availability (HA) devices as that are based on each devices unique engineID

Component: TMOS

Symptoms:
SNMPv3 fails to read authenticated or encrypted messages to all but one of the members of a Config Sync group.

Conditions:
Using SNMPv3 to read or receive Traps from high availability (HA) pairs.

Impact:
SNMPv3 can only work for one member of a configsync group.
Configuring passwords on one device, makes that device work, but other members of the config sync group will now fail.

Workaround:
- check "Authoritative (security) engineID for SNMPv3" is not synced (mostly code released since 2019)
engineID needs to be unique per device

- Modify /defaults/config_base.conf to set sync to "no" and check that these do not sync
We must NOT sync these parameters as they need to match the individual device engineID

            display-name "Authoritative (security) engineID for SNMPv3"
            display-name "Authentication pass phrase for SNMPv3 messages"
            display-name "Privacy pass phrase used for encrypted SNMPV3 messages"
            display-name "User's passphrase"
            display-name "Privacy passphrase"

### Mount usr as rw see see K11302
mount -o remount,rw /usr
pico /defaults/config_base.conf
# use Control-w to search for the display names above
# change "configsyncd yes" to "configsyncd no" if necessary in each location
# use Control-x y to exit with saving
# Restore usr as ro
mount -o remount,ro /usr
tmsh load sys config

Then once they are not syncing over, you can create v3 on each device using the same pass phrase as your SNMPv3 manager is using

tmsh modify sys snmp users add { v3snmp { auth-protocol sha privacy-protocol aes username mikev3 auth-password password3 privacy-password password3} }
tmsh modify sys snmp users modify { v3snmp { security-level auth-privacy access rw } }

Then each device should respond OK to query for that same pass phrase

snmpwalk -v 3 localhost -a sha -x aes -A password3 -X password3 -u mikev3 -l authpriv


For more information about SNMP, see the following articles.
K15681: Customizing the SNMP v3 engineID
K6821: SNMP v3 fails if the SNMP engine ID is not unique
K3727: Configuring custom SNMP traps


837269 : Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic

Component: Carrier-Grade NAT

Symptoms:
When hosts send ICMP unreachable error messages and processed by the BIG-IP system, subsequent good UDP packets do not get the persistence LSN translation address.

Conditions:
-- Virtual server with FW NAT or CGNAT configuration to accept UDP traffic.
-- Client or/and server randomly sends ICMP unreachable messages.

Impact:
LSN persistence issues. UDP packets from the same client IP address may not get the same translation address every time, even though there exists a persistence entry in the table

Workaround:
None.


837233-1 : "Application Security Administrator" user role cannot manage Dos Profile GUI

Component: Advanced Firewall Manager

Symptoms:
BIG-IP GUI users in "Application Security Administrator" role are not allowed to manage DoS profile page and settings.

Conditions:
This affects users logged in with the "Application Security Administrator" role

Impact:
DoS profiles cannot be edited from GUI

Workaround:
Either change user role to allow managing DoS profile or edit profiles from tmsh


836357-3 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2

Component: Service Provider

Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.

Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- There is message sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by 'node <ip> <port>' and 'snat <ip> <port>' iRules command.
-- The destination flow is in the FIN-wait2 stage.

Impact:
This causes the BIG-IP system to abort the flow that originates the message.

Workaround:
None.


835505-2 : Tmsh crash possibly related to NGFIPS SDK

Component: Local Traffic Manager

Symptoms:
tmsh crashes

Conditions:
The conditions that trigger this are unknown, and it occurs rarely. The NGFIPS SDK may core dump as well.

Impact:
Tmsh may crash.


835381-1 : HTTP custom analytics profile 'not found' when default profile is modified

Component: Application Visibility and Reporting

Symptoms:
Adding SMTP config to default HTTP analytics profile results in config parsing failures for child profiles that are assigned to virtual servers. Removing SMTP config resolves the issue. The 'tmsh load sys config' command fails with the following error:

-- 01020036:3: The requested profile (/Common/child-analytics) was not found.
-- Unexpected Error: Validating configuration process failed.

Conditions:
-- Child analytics profile applied to virtual server.
-- Parent analytics profile contains SMTP config.

Impact:
Loading configuration might fail.

Workaround:
None.


835209-1 : External monitors mark objects down

Component: Global Traffic Manager (DNS)

Symptoms:
Object to which the external monitor is attached is marked down.

Conditions:
Executing external monitors trying to access something without appropriate permissions.

Impact:
Object to which the external monitor is attached is marked down.

Workaround:
None.


834217-5 : Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.

Component: Local Traffic Manager

Symptoms:
Due to a known issue BIG-IP may advertise sub-optimal window size.

Conditions:
Result of (init-rwnd * client-mss) is greater than maximum window size (65,535).

Impact:
Degraded TCP performance.

Workaround:
Do not use init-rwnd values that might result in values higher than maximum window size (65,535).

Assuming MSS of 1480, the maximum value of init-rwnd is:
65535/1480 = 44.


833685-3 : Idle async handlers can remain loaded for a long time doing nothing

Component: Application Security Manager

Symptoms:
Idle async handlers can remain loaded for a long time doing nothing becasue they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a big XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.

Impact:
Idle async handlers remain for a long time.

Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart it periodically via cron, as idle handlers are soon created again.


833049-2 : Category lookup tool in GUI may not match actual traffic categorization

Component: Access Policy Manager

Symptoms:
Category Lookup agent has changed to include the IP in the categorization query. The BIG-IP TMUI does not do the same (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup).

Conditions:
-- SWG or URLDB provisioned.
-- Run traffic with category lookup in the PRP and note the category produced.
-- Run the same URL through the GUI lookup tool or the command line tool.

Impact:
Some websites may be categorized differently depending on if the IP address is passed in or not.

Workaround:
None.


832665-2 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5

Component: TMOS

Symptoms:
Features supported in newer versions of open-vm-tools will not be available.

Conditions:
This issue may be seen when running in VMware environments.

Impact:
Features that require a later version of open-vm-tools will not be available.

Workaround:
None.


832653 : Azure scan table warnings can be ignored.

Component: TMOS

Symptoms:
When running BIG-IP Virtual Edition (VE) in the Azure cloud environment, you may see warnings in daemon and user log files:
-- warning: tm_install::DosPtable::scan_table -- identification of /dev/sdb1 failed; ID is 7.
-- warning: tm_install::DosPtable::scan_table -- identification of /dev/sdb1 failed; ID is 7.

This warning is due to installer code that expects to be running on official F5 hardware. This warning can be ignored.

Conditions:
This warning may be seen when running BIG-IP VE in the Azure cloud environment.

Impact:
These are benigh warning messages that can be safely ignored.

Workaround:
None.


832233-3 : The iRule regexp command issues an incorrect warning

Component: Local Traffic Manager

Symptoms:
At validation time, mcpd issues a warning similar to the following:

warning mcpd[7175]: 01071859:4: Warning generated : /Common/test1:2: warning: ["\1" has no meaning. Did you mean "\\1" or "1"?][{(test) (\1)}]

Conditions:
Use arguments such as "\1", "\2", "\3" etc., in command regexp.

Impact:
A warning is generated, "\1" has no meaning, even though it is valid.

Workaround:
Ignore the warning.


832133-3 : In-TMM monitors fail to match certain binary data in the response from the server.

Component: Local Traffic Manager

Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system still marks them DOWN.

Conditions:
This issue occurs when all of the following conditions are met:

-- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).

-- One (or more) of your TCP or HTTP monitors specifies a receive string using HEX encoding, in order to match binary data in the server's response.

-- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.

Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.

Workaround:
You can use either of the following workarounds:

-- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.

-- Do not monitor the application through a binary response (if the application allows it).


831821-3 : Corrupted DAG packets causes bcm56xxd core on VCMP host

Component: TMOS

Symptoms:
On VCMP host, bcm56xxd crashes when it receives a corrupted DAG packets.

Conditions:
Unknown.

Impact:
Device goes offline, traffic disruption.


831517-1 : TMM may crash when Network Access tunnel is used

Component: Access Policy Manager

Symptoms:
TMM may crash.

Conditions:
-- APM session is established.
-- Network Access tunnel is established and used;

Impact:
APM end users experience Network Access tunnel disconnected. Traffic disrupted while tmm restarts.

Workaround:
None.


831293-3 : SNMP get requests slow to respond.

Component: TMOS

Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.

Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.

Impact:
Slow performance.

Workaround:
None.


830833-2 : HTTP PSM blocking resets should have better log messages

Component: Local Traffic Manager

Symptoms:
When reset-cause logging is turned on, or when RST packet logging is used, the reset reason used when rejecting bad HTTP PSM traffic is not descriptive.

Conditions:
This occurs under either of these conditions:

-- HTTP PSM is used, and a request is blocked.
-- Reset cause or RST packet logging is enabled.

Impact:
The reset reason given is not descriptive, making troubleshooting difficult.

Workaround:
None.


830073-3 : AVRD may core when restarting due to data collection device connection timeout

Component: Application Visibility and Reporting

Symptoms:
Avrd crashes, one or more core avrd files exist in /var/core

Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel
-- Avrd is restarted.

Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes

Workaround:
None.


829861 : iApp UI broken when referencing to iApp profile /Common/_sys_radius_proto_imsi

Component: iApp Technology

Symptoms:
When deploying a custom iApp template, the GUI says "An error has occurred while trying to process your request"

Conditions:
A custom iApp template is deployed that is derived from _sys_radius_proto_imsi

Impact:
UI display is impacted for the affected iApp.


829821-3 : Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured

Component: TMOS

Symptoms:
If a very large amount of pool members are configured (tens of thousands), mcpd may miss its high availability (HA) heartbeat and be killed by sod.

Conditions:
-- A large number of pool members.
-- Pool member validation occurs (such as when loading a configuration or doing a configsync operation).

Impact:
Mcpd is killed by sod. This causes a failover (when the BIG-IP is in a DSC) or outage (if standalone).

Workaround:
None.


829677-1 : .tmp files in /var/config/rest/ may cause /var directory exhaustion

Component: TMOS

Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open.

This issue is happening because a VIPRION process is not available because of a REST timeout.

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Manually run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad


829317-3 : Memory leak observed when running ICRD child

Component: TMOS

Symptoms:
When ICRD child process is running and users are switching rapidly, memory may leak slowly in tms and APM.

Conditions:
[1] ICRD child process is running
[2] There are multiple users on the device
[3] The multiple users are fetching a web-page using curl, repeatedly and concurrently

Impact:
Memory slowly leaks in tmsh and APM.


829193-2 : REST system unavailable due to disk corruption

Component: TMOS

Symptoms:
-- The iControl REST commands respond with the following:

[INFO] Text: u'{"code":200,"message":"REST system unavailable due to disk corruption! See /var/log/restjavad.*.log for errors.","restOperationId":1472895,"kind":":resterrorresponse"}'

-- The GUI indicates that iAppLX sub-system is unresponsive.

-- On the BIG-IP device, /var/config/rest/storage/LOST-STORAGE.txt exists.

Conditions:
The conditions that trigger this are unknown. It might be due to a previous catastrophic event such as power loss or out-of-memory errors.

Manually creating the file /var/config/rest/storage/LOST-STORAGE.txt can also trigger this error.

Impact:
The iControl REST system is unavailable.

Workaround:
Run the following commands at the BIG-IP command prompt:

bigstart stop restjavad restnoded
rm -rf /var/config/rest/storage
rm -rf /var/config/rest/index
bigstart start restjavad restnoded
rm -f /var/config/rest/downloads/*.rpm
rm -f /var/config/rest/iapps/RPMS/*.rpm
tmsh restart sys service tomcat

Then, reinstall any iAppLX packages that were installed.


829029-3 : Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error

Component: Application Security Manager

Symptoms:
Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error.

Conditions:
At least two REST calls adding Attack Signatures and/or Attack Signature Sets which are sent in quick succession to the BIG-IP system.

Impact:
REST calls after the first may not be successful, resulting in failure to modify configuration as desired.

Workaround:
Retry the subsequent REST calls.


828873-2 : Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor

Component: TMOS

Symptoms:
In the deployment of BIG-IP 15.0.0 on Nutanix AHV Hypervisor, f5-label service is failing with inappropriate input device error.

Conditions:
Deployment of BIG-IP v15.0.0 on Nutanix AHV Hypervisor.

Impact:
Deployment of BIG-IP v15.0.0 is not stable to log into GUI or terminal on Nutanix AHV Hypervisor.

Workaround:
Steps:

1. Mount the drive:
mount -o rw,remount /usr

2. Add a comment below the line in the '/usr/lib/systemd/system/f5-label.service' service file:
#StandardInput=tty

3. Reload the daemon:
systemctl daemon-reload

4. Restart the service:
systemctl restart f5-label


828789-3 : Certificate Subject Alternative Name (SAN) limited to 1023 characters

Component: TMOS

Symptoms:
Certificate Subject Alternative Names are limited to 1023 characters.

Conditions:
Using a certificate with a Subject Alternative Name longer than 1023 characters.

Impact:
A certificate's Subject Alternative Name is not correct in the BIG-IP


828761 : APM OAuth - Auth Server attached iRule works inconsistently

Component: Access Policy Manager

Symptoms:
The iRule attached to the OAuth Resource Server (RS) is not triggered when the traffic hits the virtual server.

Conditions:
The issue occurs during a reboot of the BIG-IP device containing an OAuth server config and an attached iRule, or when the iRule is initially assigned to the OAuth Server.

Impact:
OAuth scope check agent fails with 'HTTP error 503': as the iRule attached to the RS virtual server is not triggered.

Workaround:
For existing OAuth servers with the iRule attached, modify the iRule, for example, adding a log. This makes the iRule trigger when it is initially attached or loaded.


828625-1 : User shouldn't be able to configure two identical traffic selectors

Component: TMOS

Symptoms:
Config load fails by issuing "tmsh load sys config verify"
01070734:3: Configuration error: Duplicate traffic selector is not allowed
Unexpected Error: Validating configuration process failed.

Conditions:
Duplicate IP addresses on multiple traffic-selectors attached to different ipsec-policies.

Impact:
Config load will fail after a reboot

Workaround:
Delete duplicate traffic-selectors.


828601-3 : IPv6 Management route is preferred over IPv6 tmm route

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metrics than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the management interface.

Conditions:
-- Create an IPv6 management route, which is going to be a default gateway.

-- Receive another default gateway from a configured peer using any of dynamic routing protocols (BGP, OSPF, etc.)

Impact:
The incorrect routing table sends the traffic that matches the default route to the management interface.

Workaround:
None.


827441-1 : Changing a UDP virtual server with an immediate timeout to a TCP virtual server can cause connections to fail

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends a TCP SYN to the back-end server, but ignores the server's SYN-ACK response.

Conditions:
A virtual server that contains a UDP profile with idle-timeout immediate is modified to replace the UDP profiles with TCP profiles.

Impact:
Connections from the BIG-IP system to backend servers fails.

Workaround:
Delete and recreate the virtual server.


827209-2 : HSB transmit lockup on i4600

Component: TMOS

Symptoms:
TMM shows HSB transmit lockup message and cored.

Conditions:
-- Using an i4600 platform.
-- Other conditions under which this occurs are unknown.

Impact:
Disruption to processing traffic on the BIG-IP system.

Workaround:
None.


827133 : TMM crash due to failed assertion "sp->slab_cache == ((umem_cache_t *)(((char *)(&(ccp)[-((ccp)->cc_td)])) - __builtin_offsetof(umem_cache_t, cache_cpu)))"

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
Exact conditions are not yet known. It is suspected it is related to using APM and/or SAML authentication protocol.

Impact:
Traffic disrupted while tmm restarts.


827021-2 : MCP update message may be lost when primary blade changes in chassis

Component: TMOS

Symptoms:
In a VIPRION chassis, when the Primary blade is disabled (intentionally or due to an unexpected loss of functionality) and a new Primary blade is selected, there is a brief window of time during which status messages forwarded from MCPD on a Secondary blade to MCPD on the Primary blade might be dropped, possibly resulting in an incorrect view of the state of configured objects.

Conditions:
This problem may occur under the following conditions:
-- The state of a blade-local object/resources (such as a network interface or trunk) changes.
-- There is a high load on MCPD (for example, due to configuration reload on the new Primary blade) which delays processing of some MCPD actions.

Impact:
This problem may result in the state of blade-local objects (such as interfaces or trunks) being seen and reported incorrectly across the blades in the chassis, or on one or more specific blades (Primary, Secondary) in the chassis.

For example, if loss of the Primary blade results in one or more interfaces in a trunk being marked down by LACPD on a specific blade, resulting changes in trunk/member status may not be propagated correctly to the Primary blade, and from there to other Secondary blades.

Workaround:
None.


826437 : CSR subject fields with comma(,) are truncated during certificate renewal via the GUI.

Component: TMOS

Symptoms:
CSR subject fields getting truncated during certificate renewal via the GUI.

Conditions:
-- Certificate subject field contains comma(,)
-- Renewing the certificate via the GUI.

Impact:
Invalid certificate signing requests are created. This may not be apparent until certificate validation occurs, or when the certificate authority denies the certificate signing request.

Workaround:
TMSH command line interface can be used to create the CSR when commas are present in subject field.


826313-4 : Error: Media type is incompatible with other trunk members

Component: TMOS

Symptoms:
Loading system configuration is failing after upgrade with an error message

01070619:3: Interface 5.0 media type is incompatible with other trunk members

Conditions:
-- Trunk interface created in BIG-IP version 12.3.4.
-- Trunk interfaces have different speeds (e.g. 100Mb interfaces and 1Gb interfaces)
-- Load the configuration after upgrading from v12.1.3.4 to v12.1.3.5.

Impact:
The system configuration is failing to load.

Workaround:
If you encounter this error, manually fix all trunks to only use interfaces of the same speed, and then load the configuration.


826297-1 : Address list as source/destination for virtual server cannot be changed from tmsh

Component: TMOS

Symptoms:
Address list as source/destination for virtual server cannot be changed from tmsh as it is applicable from GUI.

Conditions:
For an address created in tmsh:

# list security shared-objects address-list
security shared-objects address-list testAddressList {
    addresses {
        1.1.1.1/32 { }
        2.2.2.2/32 { }
    }
}


There is no Address list option shown in virtual server config:

# modify ltm virtual test source
Configuration Items:
  [enter address or address/prefixlen] <==!!

Impact:
Address list as source/destination for virtual server cannot be changed from tmsh.

Workaround:
Use the GUI to make changes to the Address list as source/destination for virtual server.


826189-2 : The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.

Component: TMOS

Symptoms:
The input validation performed by the BIG-IP system WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.

The WebUI should allow users to specify only a prefix (for example, 2001:db8:0:0:0:0:0:0 or 2001:db8::); however, it incorrectly allows users to specify a subnet mask too (for example, 2001:db8:0:0:0:0:0:0/96 or 2001:db8::/96).

In contrast, the TMSH utility correctly enforces values for this option.

Conditions:
The BIG-IP Administrator creates or modifies a DNS profile using the WebUI, and specifies an IP/SM value for the dns64-prefix option.

Impact:
Upon performing DNS64, TMM returns incorrect DNS answers that do not use the specified prefix. For example, if the Administrator specifies 2001:db8:0:0:0:0:0:0/96 as the prefix, and if the IPv4 address of the requested resource is 198.51.100.1, DNS64 returns ::198.51.100.1 instead of 2001:db8::c633:6401. This prevents end-user clients from reaching the intended resource.

The impact described in this section only applies to BIG-IP versions 14.1.0 and later. Previous BIG-IP versions also had this WebUI validation issue, but despite this TMM still returned the correct DNS answer.

Workaround:
When configuring this option using the WebUI, do not specify a subnet mask.


826049-1 : French language spelling error in BIG-IP Edge Client message window

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client message window contains spelling error while displaying in French language:

En cour de Réinstallation du

Conditions:
Using the BIG-IP Edge Client in a French environment.

Impact:
The message should be: En cours de Réinstallation du

Workaround:
None.


825501-1 : IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.

Component: Protocol Inspection

Symptoms:
If the IPS IM package is installed on a multi-slot device, and one slot is offline, the IM package version might be different on the offline slot when it comes back online.

It also shows different versions of the Active IM package on different slots.

Conditions:
-- Multi-bladed clustered system.
-- One of the blades is offline.
-- The IPS IM package is installed to the primary blade.

Impact:
The primary blade syncs the IM package to all of the secondary blades that are online; however, when the offline blade comes back online, it does not have the updated IM package.

As a result, traffic being processed by different blades will be using different IPS libraries and might cause inconsistency in the functionality

Workaround:
Although there is no workaround, you can prevent the issue by ensuring that all blades are online when you install an IPS IM package.


825413-2 : /var/lib/mysql disk is full

Component: Application Security Manager

Symptoms:
PRX.BRUTE_FORCE_* db tables do not have a row_limit, so they can grow to consume all available disk space in /var/lib/mysql.

Conditions:
ASM provisioned

Impact:
/var/lib/mysql can run out of disk space

Workaround:
1. Truncate the two large tables. This clears all the row in those table and should make disk space.
   Note that existing brute force username and IPs reporting data will be lost.

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_USERNAMES"

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_IPS"

2. Add row_limit for the two tables to avoid the same issue in the future.

Add following lines in the bottom of this file, /etc/ts/tools/clean_db.yaml

  PRX.BRUTE_FORCE_MITIGATED_USERNAMES:
    row_limit: 100000
    order_by: brute_force_mitigated_username_id

  PRX.BRUTE_FORCE_MITIGATED_IPS:
    row_limit: 100000
    order_by: brute_force_mitigated_ip_id

Restart clean_db process (there is no impact of restarting this process)

# pkill -f clean_db

Wait 30 sec, and make sure the process came back

# ps aux | grep clean_db


825245-2 : SSL::enable does not work for server side ssl

Component: Local Traffic Manager

Symptoms:
When SSL::enable is issued in an iRule, for example in the HTTP Request event, it will not enable the server side profile if the server side profile is disabled.

Conditions:
An HTTP profile is configured on a virtual, and the server-ssl profile on the same virtual is disabled.

Impact:
The connection will close instead of completing.

Workaround:
Do not use a disabled server-ssl profile in this situation.


825013-3 : GENERICMESSAGE::message's src and dst may get cleared in certain scenarios

Component: Service Provider

Symptoms:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands may not work properly if iRule processing changes to a different TMM. These commands may return an empty string rather than correct data.

Conditions:
-- Using "GENERICMESSAGE::message src" and/or "GENERICMESSAGE::message dst" iRule commands.
-- iRule processing moves from one TMM to another TMM.

Impact:
Incorrect data returned from "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands.


824809-4 : bcm56xxd watchdog restart

Component: TMOS

Symptoms:
During initialization of very large configurations it is possible that the watchdog timer will fire and reset the bcm56xxd driver.

Conditions:
System configuration with very large number of objects being loaded.

Impact:
The driver restarts.


824437-2 : Chaining a standard virtual server and an ipother virtual server together can crash TMM.

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGFPE and restarts. The TMM logs contain the following panic message:

Assertion "xbuf_delete_until successful" failed.

Conditions:
This issue occurs when the following conditions are met:

-- The system has been configured with a standard virtual server and an Any IP (ipother) virtual server chained together. This can be done explicitly using an iRule that features the 'virtual' command to connect the two virtual servers, or implicitly with certain APM configurations.

-- The pool member on the server-side asks this specific virtual server configuration on the BIG-IP system to retransmit data.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure the target virtual server in the chain configuration does not use the ipother profile.


824433-1 : Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile

Component: Local Traffic Manager

Symptoms:
The HTTP/1.1 request/response statistic fields in the HTTP profile are incremented incorrectly when HTTP2 traffic is encountered.

There is not currently a way to view the HTTP2 and HTTP3 request/response stats on the HTTP profile.

Conditions:
-- Client or server sends HTTP2 request/response.
-- Using GUI, TMSH, iControl (SOAP), or SNMP.

Impact:
Incorrect HTTP/1.1 request/response statistic values are present in the HTTP profile when HTTP2 traffic is encountered.

Workaround:
None.


824205-1 : GUI displays error when a virtual server is modified if it is using an address-list

Component: TMOS

Symptoms:
When you modify a virtual server, the GUI returns an error similar to the following:

01b90011:3: Virtual Server /Common/vs2_udp's Traffic Matching Criteria /Common/vs2_udp_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs1_tcp destination address, source address, service port.

Conditions:
This occurs when either of the following occur:

-- When renaming the virtual server.
-- When changing the address-list attribute.

Impact:
Cannot update virtual configuration with new value.

Workaround:
None.


824149-3 : SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured

Component: Service Provider

Symptoms:
In SIP ALG virtual with source-nat-policy assigned, if traffic processed by the virtual server does not match source-nat-policy, or if it matches source-nat-policy that does not have source-translation configured, tmm cores and restarts.

Conditions:
-- SIP ALG virtual server with an assigned source-nat-policy.
-- Traffic does not match the source-nat-policy, or traffic matches a source-nat-policy that has no source-translation configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure SIP ALG virtual so that the condition never happens. For example, apply a source attribute to the virtual server that filters out traffic that will not match the source-nat-policy. Never use a source-nat-policy that has no source-translation.


824121-1 : Using the Websocket profile prevents mouse wheel scroll function

Component: Access Policy Manager

Symptoms:
Mouse wheel function does not work.

Conditions:
WebSSO and Websocket profiles are configured on a virtual server.

Impact:
Although there is no product functionality impact, it is an inconvenience to the BIG-IP administrator using the GUI.

Workaround:
To work around this issue, use an iRule that disables SSO for the Websocket request. For example, for remotespark (https://www.remotespark.com/html5.html) you can use the following iRule:

ltm rule sso_disable_ws {
  when HTTP_REQUEST {
   if {[HTTP::uri] starts_with "/RDP?" and [HTTP::header exists "Upgrade"] and [HTTP::header "Upgrade"] == "websocket" } {
    log "DISABLING WEBSSO"
    WEBSSO::disable
   }
  }
}


824093-3 : Parameters payload parser issue

Component: Application Security Manager

Symptoms:
Incorrect parameter parsing occurs under some conditions. For example, in a signature violation, the 'Actual Parameter Name' value appears as 'attachment; filename'.

Conditions:
-- ASM in use.
-- Request contains multipart headers.

Impact:
Incorrect policy enforcement.

Workaround:
None.


823921-2 : FTP profile causes memory leak

Component: Local Traffic Manager

Symptoms:
When a FTP profile is added to a virtual server, TMM runs with memory leak and eventually system has to terminate connections.

Conditions:
A FTP profile is installed on virtual server and the inherit-parent-profile parameter is enabled or isession is also included on the FTP virtual.

Impact:
TMM runs with memory leak and eventually system has to terminate connections.

Workaround:
Disable the inherit-parent-profile option if fastL4 data-channel is adequate.


823825-5 : Renaming high availability (HA) VLAN can disrupt state-mirror connection

Component: Local Traffic Manager

Symptoms:
If the VLAN that services the state mirror connection between BIG-IP systems is renamed, it can cause a disruption of the state mirror connection. It can also lead to an eventual crash.

Conditions:
Renaming the VLAN that services the state mirror connection between BIG-IP systems in an high availability (HA) configuration.

Impact:
System might crash eventually.

Workaround:
Do not rename the VLAN that services the state mirror connection between BIG-IP systems in an high availability (HA) configuration.


822253-3 : After starting up, mcpd may have defunct child "run" and "xargs" processes

Component: TMOS

Symptoms:
After starting up, mcpd may have defunct child "run" and "xargs" processes

Conditions:
Slow disk storage or large configuration files.

Impact:
Minimal; some zombie processes are created.


822025-2 : HTTP response not forwarded to client during an early response

Component: Local Traffic Manager

Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.

Conditions:
-- A slow client.
-- early server response with the HTTP::respond iRule.

Impact:
A client does not receive the redirect from the HTTP::respond iRule.

Workaround:
None.


821589-2 : DNSSEC does not insert NSEC3 records for NXDOMAIN responses

Component: Global Traffic Manager (DNS)

Symptoms:
DNSSEC does not insert NSEC3 records for NXDOMAIN responses.

Conditions:
-- "process-xfr yes" is set for the dns profile associated with the listener;
And
-- There is no "Zone Transfer Clients" nameserver configured for that zone.
And
-- There is no wideip configured.

Impact:
DNSSEC does not respond NSEC3 for non-existent domain.

Workaround:
1. Change this setting for dns profile from "process-xfr yes" to "process-xfr no";
Or
2. Add a nameserver for "Zone Transfer Clients" of that zone.
Or
3. Add a wideip.


821309-3 : After an initial boot, mcpd has a defunct child "systemctl" process

Component: TMOS

Symptoms:
Zombie "systemctl" process, as a child of mcpd.

Conditions:
Reboot of the BIG-IP.

Impact:
Minimal; a single zombie process is created.

Workaround:
To get rid of the process, you can restart mcpd.


820333-3 : LACP working member state may be inconsistent when blade is forced offline

Component: Local Traffic Manager

Symptoms:
Inconsistent (out-of-sync) LACP working member state.
Incorrect trunk high availability (HA) score.

Conditions:
LACP updates while blade is going offline.

Impact:
Incorrect high availability (HA) score may prevent the unit from automatically failing over.


820213-2 : 'Application Service List' empty after UCS restore

Component: TMOS

Symptoms:
The iApps :: Applications LX list does not display anything after restoring a UCS that was taken from a different device.

Conditions:
-- Restoring a UCS from a different device.
-- UCS includes the iAppLX package.

Impact:
Cannot see anything on 'Application Service List', and you are unable to configure the application.

Workaround:
Run the following command before restoring the UCS file:

clear-rest-storage


819457-3 : LTM high availability (HA) sync should not sync GTM zone configuration

Component: TMOS

Symptoms:
LTM high availability (HA) sync group are syncing GTM zone configuration changes.

Conditions:
1. BIG-IPs has both LTM and GTM provisioned.
2. The two BIG-IPs are inside one LTM sync group.

Impact:
GTM zone files are accidentally modified.


819429-3 : Unable to scp to device after upgrade: path not allowed

Component: TMOS

Symptoms:
SCP of file to the BIG-IP system results in error:
path not allowed

Conditions:
Issue occurs when both conditions are present:
-- The BIG-IP user has shell tmsh or shell none access.
-- The scp operation is performed on a non-symlink location present under scp whitelist (/config/ssh/scp.whitelist).

For example:
scp to /var/tmp succeeds
scp to /shared/tmp fails with 'path not allowed'.

Impact:
Cannot copy files to symlinks present under whitelist.

Workaround:
None.


819421-3 : Unable to scp/sftp to device after upgrade

Component: TMOS

Symptoms:
Users with numeric usernames are unable to log in via scp.

Conditions:
-- Logging in via scp/sftp.
-- User account with a numeric username.

Impact:
Unable to log in via scp.

Workaround:
Include alpha characters in username.


819233-5 : Ldbutil utility ignores '--instance' option if '--list' option is specified

Component: Access Policy Manager

Symptoms:
When running ldbutil utility, if the '--list' option is specified, then the '--instance' option has no effect. All the local users will be listed.

Conditions:
When both '--list' and '--instance' options are specified.

Impact:
The output lists all the local users and not limiting to the '--instance' option given.

Workaround:
None.


819009-3 : Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in high availability (HA) config with Floating Self IP configured for PIM protocol.

Component: TMOS

Symptoms:
The multicast routing protocols are implemented by pimd and mribd daemons. mribd daemon crashes in a specific configuration when debug logging is enabled for this daemon.

Conditions:
1) Dynamic Routing bundle is enabled and PIM protocol is enabled on a route domain.
2) High availability (HA) group/pair with floating self IP address is configured.
3) PIM neighbors are configured for each peer in high availability (HA) group/pair.
4) One of the peers in high availability (HA) is configured to use floating self IP address as an IP address for PIM protocol.

This is done using the 'ip pim use-floating-address' command in the PIM configuration in imish:
# ip pim use-floating-address

5) Multicast routing is configured in imish:
# ip multicast-routing

6) Debug logging for mribd is enabled:
# debug ip mrib all
# debug ipv6 mrib all
---
Note: Although steps 3 and 4 are optional, a practical configuration makes no sense without them.

Impact:
Dynamic routing daemon mribd crashes. Advanced routing not available while mribd restarts.

Workaround:
None.


818853-3 : Duplicate MAC entries in FDB

Component: Local Traffic Manager

Symptoms:
Forwarding DataBase (FDB) not updated when a MAC moves among interfaces.

Conditions:
-- Having multiple paths to a MAC in a given configuration.

Impact:
There are duplicate MAC address entries which come from multiple interfaces.

Workaround:
None.


818833-3 : TCP re-transmission during SYN Cookie activation results in high latency

Component: Local Traffic Manager

Symptoms:
Issue is reported at the following system setup:

client <-> BIG-IP <-> concentrator <-> proxy <-> BIG-IP nat gateway <-> Internet

-- SYN Cookie got activated on F5 nat gateway.
-- Latency from 'Internet' (public host) is observed at 'Proxy' device sitting before F5 nat gw.
-- During the latency issue, SYN Cookie was active and evicting connections.
-- When SYN Cookie is enabled, it switches to l7 delayed binding as expected but it is not sending ACK for HTTP request so the client sends it again and again.

Conditions:
Haredware SYN Cookie is enabled on FastL4 profile

Impact:
High latency is observed.

Workaround:
Disable the SYN Cookie on the FastL4 profile


818789-5 : Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile

Component: Local Traffic Manager

Symptoms:
With in-tmm monitoring enabled (or sys db bigd tmm set to enable) and with https monitor's ssl-profile set to none, the expected behavior is to send ciphers in ClientHello based on default serverssl profile as mentioned in GUI help for https monitor.

Conditions:
Configure HTTPS Monitor with ssl-profile "None".

Impact:
Ciphers are not exchanged as expected in the ClientHello Packets

Workaround:
Configure HTTPS Monitor without ssl-profile option, default serverssl profile will be used


818737-1 : Improve error message if user did not select a address-list or port list in the GUI

Component: TMOS

Symptoms:
In the GUI, the Virtual Server screen displays the available address-lists or port lists for source address, but there is no clarity on whether the options are selected or available.

Conditions:
-- Virtual server's source address section.

Impact:
If you do not make a selection and try to create the Virtual Server, an error occurs: An error has occurred while trying to process your request.

Workaround:
Click to select the address-list of port-list displayed as source address for Virtual Server.


818721-1 : Virtual address can be deleted while it is in use by an address-list.

Component: Local Traffic Manager

Symptoms:
-- The virtual-address (and virtual server) will no longer work.

-- The BIG-IP won't answer ARP requests for it.

-- Loading the config again or performing similar operations will not re-create the virtual-address.

Conditions:
-- A virtual address is deleted while it is in use by an address list and virtual server.
-- MCPD is restarted (or the unit rebooted, etc.).

Impact:
Traffic processing is disrupted


818505-3 : Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Component: TMOS

Symptoms:
Using an iControl PUT command to modify a virtual address will change that address's netmask to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.

Conditions:
Modifying a virtual address using an iControl PUT command.

Impact:
An unintentional change to the virtual address's netmask.

Workaround:
Two options:
-- Use a PATCH command instead of a PUT command.
-- Always specify the netmask explicitly when making changes.


818417-2 : Flowspecd starts with message: Shm segment not found in /etc/ha_table/ha_table.conf.

Component: TMOS

Symptoms:
During system boot, the flowspecd daemon emits a message 'Shm segment not found in /etc/ha_table/ha_table.conf', and heartbeat monitoring is disabled for flowspecd.

Conditions:
Flowspecd daemon is running.

Impact:
No heartbeat monitoring for flowspecd daemon.

Workaround:
Manually edit the file /etc/ha_table/ha_table.conf and insert a line at the end:
ha segment path: /flowspecd


818297 : OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure

Component: TMOS

Symptoms:
OVSDB-server fails to make SSL connections when Selinux is enforced.

In /var/log/openvswitch/ovsdb-server.log:

...|00012|stream_ssl|ERR|/config/filestore/files_d/Common_d/certificate_d/:Common:myCert_2468_1: stat failed (Permission denied).

Conditions:
-- Navigate to System :: Configuration : OVSDB.
-- Add cert and keys.

Impact:
Permission denied, SSL connection failure.

Workaround:
Step 1: Check openvswitch SELinux denial:
# audit2allow -w -a
Example output:
type=AVC msg=audit(1566915298.607:32958): avc: denied { search } for pid=18966 comm="ovsdb-server" name="/" dev="dm-7" ino=2 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

Step 2: Find openvswitch components that need Linux policy additions:
# audit2allow -a
Example output:
#============= openvswitch_t ==============
allow openvswitch_t f5config_t:dir search;
allow openvswitch_t f5filestore_t:dir search;
allow openvswitch_t f5filestore_t:file { getattr open read };

Step 3: Modify the policy to allow access to the component openvswitch_t:
# audit2allow -a -M openvswitch_t

Step 4: Apply the policy:
# semodule -i openvswitch_t.pp


818097-4 : Plane CPU stats too high after primary blade failover in multi-blade chassis

Component: Local Traffic Manager

Symptoms:
The data, control, and analysis plane stats are too high as reported by tmsh show sys performance system detail.

Conditions:
The primary blade in a multi-blade chassis fails over to another blade.

Impact:
The plane CPU stats are too high.

Workaround:
Remove the /var/tmstat/blade/statsd file on the previous primary blade and restart merged on that blade.


818069-4 : GUI hangs when iApp produces error message

Component: iApp Technology

Symptoms:
If lengthy Tcl errors are displayed in the GUI while creating an iApp, the GUI can hang.

Conditions:
-- Creating an iApp that contains a syntax error.
-- A large error message is emitted.

Impact:
GUI hangs.

Workaround:
Restart the tomcat process:
tmsh restart sys service tomcat


817709-2 : IPsec: TMM cored with SIGFPE in racoon2

Component: TMOS

Symptoms:
TMM asserted and cored in racoon2 with this panic message:

panic: iked/ikev2_child.c:2858: Assertion "Invalid Child SA proposal" failed.

Conditions:
When IKEv2 Phase 2 SA has no peer proposal associated with it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


817417-1 : Blade software installation stalled at Waiting for product image

Component: Local Traffic Manager

Symptoms:
On a chassis system where the active/primary blade is running version 14.1.0 or later and a new blade is inserted that has version 14.0.0 or lower, the secondary blades fail to receive the updated images and the installation stalls. The primary blade reports 'Waiting for product image' when running the tmsh show sys software status command.

Conditions:
Primary blade running version 14.1.0 or above.
Secondary running an earlier version is inserted.

Impact:
Newly inserted blade does not synchronize volumes with the primary blade and cannot be used.

The tmsh show sys software status command reports that one or more blades are in 'waiting for product image' status indefinitely.

Workaround:
Ensure all blades are running the same version. This can be accomplished manually by running the following command at the command prompt (this example is for new blade inserted at slot #3):

scp /shared/images/* slot3:/shared/images


817089-1 : Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing

Component: TMOS

Symptoms:
Connections that are hardware accelerated and that use asymmetric routing may use the wrong MAC address for return traffic. This can be observed by looking at a packet capture.

Conditions:
Hardware acceleration is enabled (ePVA/fastL4) with asymmetric routing.

Impact:
The return traffic has the wrong source MAC address. This may affect packet forwarding depending on the configuration.

Workaround:
Disable HW acceleration.


817085-4 : Multicast Flood Can Cause the Host TMM to Restart

Component: TMOS

Symptoms:
A vCMP host tmm is restarted.

Conditions:
The vCMP host is processing heavy multicast traffic.

Impact:
The host TMM restarts and traffic stops for the guests.

Workaround:
An adjustment to the scheduling can be made by this setting of the vCMP Host configuration:

# echo "realtime yield 90" > /config/tmm_init.tcl
# bigstart restart tmm

The bigstart restart tmm must be performed individually on all blades on the vCMP host. These changes also must be done on all vCMP hosts with guests in a high availability (HA) setup.


816881-1 : Serverside conection may use wrong VLAN when virtual wire is configured

Component: Local Traffic Manager

Symptoms:
Server syn is flowing on the wrong VLAN, when tmm tries to establish a server connection. The BIG-IP system sends RST packets of unmatched VLAN/MAC combination

Conditions:
-- Virtual wire is configured .
-- Clientside data and handshake come in on different VLANs.

Impact:
Some client connections fail to establish

Workaround:
None.


816529-2 : If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart.

Component: Traffic Classification Engine

Symptoms:
URLCAT lookups to Custom DB return Unknown result.

Conditions:
-- URL is being looked up against Custom DB
-- wr_urldbd is restarted at the same time

Impact:
Queries will likely fail in highly loaded environments if wr_urldbd is restarted for any reason.

Workaround:
None.


816353-1 : Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1

Component: TMOS

Symptoms:
During re-licensing or license reload, an unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1 may be sent.

Conditions:
Occurs during license reload or reactivation.

Impact:
After a license reload, the unknown trap can be seen like the following:

run "tcpdump -ni mgmt port 162 -vvvv &":

12:01:59.883331 IP (tos 0x0, ttl 64, id 47411, offset 0, flags [DF], proto UDP (17), length 101)
    10.248.136.179.55540 > 172.28.8.68.snmptrap: [bad udp cksum 0x486e -> 0xd7b8!] { SNMPv2c { V2Trap(58) R=1205683810 .1.3.6.1.2.1.1.3.0=1775555 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.2.1.47.2.0.1.0.1 } }


816205-3 : IPsec passthrough scenario may not forward ICMP unreachable messages from the server-side

Component: Local Traffic Manager

Symptoms:
ICMP protocol 50 unreachable messages are not forwarded from the server-side to the client-side when a SNAT Virtual Server handles ESP flows that are not encapsulated in UDP port 4500 (RFC 3948). Other ICMP messages related to the server-side ESP flow may be similarly affected.

Conditions:
-- BIG-IP system is forwarding ESP (protocol 50) packets.
-- Virtual Server is configured with a SNAT pool or automap.
-- The server-side IPsec peer sends ICMP protocol errors in response to the ESP packets.

Impact:
ICMP packets arriving on the server-side are not forwarded to the client-side.

Workaround:
Option 1:
-- Enable NAT Detection (RFC 3947) on the IPsec peers.

NOTE: NAT Detection (RFC 3947) is the correct way to implement IPsec peers when network address translation occurs between the two IPsec peers.

Option 2:
-- Remove NAT from the Virtual Server.
-- Set the following sys db values:

# tmsh modify sys db ipsec.lookupip value "enable"
# tmsh modify sys db ipsec.lookupspi value "disable"

NOTE: The sys db settings in option 2 do not resolve the ICMP issue if NAT is configured on the Virtual Server.


815877-1 : Information Elements with zero-length value are rejected by the GTP parser

Component: Service Provider

Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.

Conditions:
Virtual server with GTP profile enabled processing GTP traffic.

Impact:
Well-formed GTP messages might get rejected.

Workaround:
Avoid sending GTP messages containing zero-length IEs.


815753-2 : TMM leaks memory when explicit SWG is configured with Kerberos authentication

Component: Access Policy Manager

Symptoms:
Memory usage of filter keeps increasing over time and becomes one of major consumers of the TMM memory.

Conditions:
This issue happens if the following conditions are met:
1. Access profile type is SWG-explicit.
2. Access policy contains HTTP 407 Response policy item with HTTP Auth Level being Negotiate.
3. Kerberos is used to authenticate a user.

Impact:
TMM sweeper enters aggressive mode and reaps connections.

Workaround:
None.


815649-1 : Named.config entry getting overwriting on SSL Orchestrator deployment

Component: Device Management

Symptoms:
When topology or general settings are re-deployed, named.config is modified, and entries which do not belong to SSL Orchestrator are overwritten.

Conditions:
This occurs when topology or system settings are re-deployed.

Impact:
Content of named.conf file is lost/overwritten.

Workaround:
Modify named.conf manually or using zoneRunner (DNS :: Zones : ZoneRunner : named Configuration) after SSL orchestrator deployment.


815529-2 : MRF outbound messages are dropped in per-peer mode

Component: Service Provider

Symptoms:
When a Message Routing profile is configured with a peer consisting of an outbound virtual server, transport config, no pool, and per-peer mode, messages may be dropped when the outgoing connection is persisted to a different tmm than the message was received on.

Conditions:
-- Message Routing Profile.
-- A peer configured for outbound traffic with a virtual server and transport config in per-peer mode, no pool.
-- Persistence is enabled.
-- Multiple outbound messages with the same destination address.

Impact:
Outbound traffic with the same destination address may be dropped at random.

Workaround:
Change the peer connection mode to 'Per TMM'.


815405-4 : GUI update of Child FastL4 profile overwrites CLI-only customized settings (options that are not available in GUI)

Component: Local Traffic Manager

Symptoms:
Child FastL4 profile is being reset after clicking Update from GUI.

Conditions:
-- Create child SSL FastL4, profile inheriting settings from a parent FastL4 profile.
-- From the command line, change any of the CLI-only visible settings in the child FastL4 profile (e.g., pva-acceleration, explicit-flow-migration, etc.), and save the changes.
-- In the GUI, click the Update button in the child FastL4 profile without making any change.

Impact:
The operation overwrites the CLI changes made in the child profile, and inherits those values from the parent settings instead.

Workaround:
None.


815089-3 : On a system with no VLANs, you can create virtual servers or SNATs that have identical address/port combinations

Component: Local Traffic Manager

Symptoms:
If you have a system with no VLANs configured, and you attempt to create virtual servers or SNATs that have the same address/port combinations, you will be able to do so without validation errors.

Conditions:
-- A BIG-IP system with no VLANs configured.
-- Creating virtual servers or SNATs that have identical address/port combinations.

Impact:
An invalid configuration is allowed.

Workaround:
None.


814941-1 : PEM drops new subscriber creation if historical aggregate creation count reaches the max limit

Component: Policy Enforcement Manager

Symptoms:
PEM subscriber create fails, usually seen across multiple high availability (HA) failover events

Conditions:
When the aggregate subscriber create reaches the maximum subscriber limit per tmm which is configured using sys db, sys db statemirror.mirrorsessions

Impact:
Unable to bringup any more subscribers

Workaround:
Restart tmm when the limits are reached


814761-2 : PostgreSQL monitor fails on second ping with count != 1

Component: Local Traffic Manager

Symptoms:
When using one of the DB monitors (Oracle, MSSQL, MySQL, PostgreSQL) to monitor the health of a server, the pool member may initially be marked UP, but then will be marked DOWN on the next and all subsequent pings.

When this occurs, an error message similar to the following appears in the monitor-instance log under /var/log/monitors:

Database down, see /var/log/DBDaemon.log for details.
Exception in thread "DBPinger-##" java.lang.AbstractMethodError: org.postgresql.jdbc3.Jdbc3Connection.isValid(I)Z
    at com.f5.eav.DB_Pinger.db_Connect(DBDaemon.java:1474)
    at com.f5.eav.DB_Pinger.db_Ping(DBDaemon.java:1428)
    at com.f5.eav.MonitorWorker.run(DBDaemon.java:772)
    at java.lang.Thread.run(Thread.java:748)

Conditions:
This may occur if all of the following conditions are true:
1. You are using a DB monitor (Oracle, MSSQL, MySQL, PostgreSQL) configured with a 'count' value of either '0' or a value of '2' or higher.
2. You are using a version of BIG-IP (including an Engineering Hotfix) which contains the fix for ID 775901.

Impact:
Unable to monitor the health of postgresql server pool members accurately.

Workaround:
To work around this issue, configure a 'count' value of '1' in the postgresql monitor configuration.


814585-3 : PPTP profile option not available when creating or modifying virtual servers in GUI

Component: TMOS

Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.

Conditions:
Creating or modifying a virtual server in the GUI.

Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.

Workaround:
Use TMSH to add a PPTP profile to the virtual server.


814353-3 : Pool member silently changed to user-disabled from monitor-disabled

Component: TMOS

Symptoms:
When a node (Disabled by Monitor) is updated via the member screen (no change to configuration required), the status changes from:

'Available (Disabled) pool members is available, monitor disabled'.

To:

'Available (Disabled), pool member is available, user disabled'.

Conditions:
-- A node disabled by Monitor.
-- Go to GUI LTM pool member and navigate into the monitor disabled member, then update without any configuration change.

Impact:
Pool member goes to 'user-disabled'.

Workaround:
To recover, re-enable the pool member.


814273-3 : Multicast route entries are not populating to tmm after failover

Component: TMOS

Symptoms:
Multicast route entries are not populating in tmm after failover. ZebOS has the multicast entries, but tmm does not.

Conditions:
-- High Availability (HA) configured, with multicast traffic.
-- A failover occurs.

Impact:
Multicast traffic does not pass through properly

Workaround:
Clear the multicast entries in ZebOS manually:
> clear ip mroute *
> clear ip igmp group


814097-2 : Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.

Component: Service Provider

Symptoms:
When using the Generic Message router to convert SIP messages from TCP to UDP, BIG-IP fails to raise the SERVER_CONNECTED iRule event.

Conditions:
Converting the transport of SIP messages with the Generic Message router.

Impact:
Any code that waits for the SERVER_CONNECTED event will not run.


814037-4 : No virtual server name in Hardware Syncookie activation logs.

Component: Local Traffic Manager

Symptoms:
Missing virtual server name in Hardware Syncookie activation logs. ltm/logs contains error messages:

notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.

Conditions:
-- More than one virtual server with same Destination IP e.g., 'x.x.x.x'.
-- Port 'y' configured.
-- Hardware Syncookie activated.

Impact:
Difficult to determine which virtual server actually got the Syncookie activated.

Workaround:
None.


813969-3 : Network DoS reporting events as 'not dropped' while in fact, events are dropped

Component: Advanced Firewall Manager

Symptoms:
Logs/Tmctl shows packet dropped whereas AVR shows Action as 'Allowed' and not 'Dropped'.

Conditions:
-- AFM configured.
-- AFM passes the message to AVR for reporting.

Impact:
The operation does not update the drop flag. It appears from AVR Reporting that packets are allowed, but actually they are dropped

Workaround:
There is no workaround at this time.


813701-3 : Proxy ARP failure

Component: Local Traffic Manager

Symptoms:
In certain configurations, and when the BIG-IP system does not have a directly connected route to the request sender, proxy ARP may fail, leading to dropped ARP replies.

Conditions:
-- Running v12.1.4.1 or 12.1.3.7 with engineering hotfix 0.89.2.
-- ARP requests and replies are processed by different TMMs.
-- A directly connected route to the request sender is not available.

Impact:
ARP replies are dropped, leading to connection failures.

Workaround:
Create a self IP in the same subnet as the ARP request senders. This creates the necessary directly connected route.


813561-3 : MCPD crashes when assigning an iRule that uses a proc

Component: Local Traffic Manager

Symptoms:
MCPD crashes when assigning an iRule to a Virtual Server or loading a config with an iRule assigned.

Conditions:
The iRule must uses a proc that contains three statements associated with different feature flags.

Impact:
MCPD will crash, unable to use a desired iRule.

Workaround:
None


813221-1 : Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync

Component: Global Traffic Manager (DNS)

Symptoms:
The virtual server for an LTM redundant peer is continually updated with its IP/Port changing back and forth between two values, leading to perpetual GTM configuration syncs.

Conditions:
The destination IP:port of the virtual server on the LTM is not in sync between the LTM devices in the device-group.

Impact:
The virtual server is flapping status between "blue" and 'green', and its destination IP:port is changing between a correct value and an incorrect one. Traffic will be impacted.

Workaround:
Perform a configsync on the LTM device-group that owns the virtual server.


812981-4 : MCPD: memory leak on standby BIG-IP device

Component: TMOS

Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.

Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically

Impact:
MCPD may take a lot of memory on the standby device. Normal functionality of standby device may be stopped; reboot of the device is required.


812929-2 : mcpd may core when resetting a DSC connection

Component: TMOS

Symptoms:
In rare circumstances mcpd may core when resetting its DSC connection.

Conditions:
The exact conditions are not known for this to occur. The BIG-IP system must be in a Device Service Cluster, and must have configuration sync enabled. It might be related to when an Administrative BIG-IP user makes manual changes to the device trust group that would cause the trust to be broken (and optionally, re-established).

Impact:
mcpd cores and restarts. This results in a failover to the next active peer.

Workaround:
None.


812705-1 : 'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic

Component: Carrier-Grade NAT

Symptoms:
IPv4 Packets are forwarded to server-side with destination address changed to LTM pool member address even when 'translate-address disabled' is configured on a NAT64 virtual server.

Conditions:
-- Create iRules for LTM pool selection.
-- Configure the NAT64 virtual server with 'translate-address disabled'.
-- Send IPv6 client request accessing the NAT64 virtual server.

Impact:
Server-side IPv4 packets are forwarded with destination address modified. The server-side packets do not reach the intended destination, resulting in connection failures.

Workaround:
Use normal LTM pool selection instead of iRules-based, LTM pool selection.


812497-1 : VE rate limit should not count packet that does not have a matched vlan or matched MAC address

Component: Local Traffic Manager

Symptoms:
Virtual Edition (VE) Rate limit counts packets that are not intended for BIG-IP.

Conditions:
-- Rate-limited license in BIG-IP Virtual Edition (VE)
-- Promiscuous mode is enabled

Impact:
If you do not have an unlimited license for a Virtual Edition device, you cannot use VLAN tags or MAC Masquerading without a greatly increased risk of running out of licensed bandwidth. Even if you are not using any service, BIG-IP counts all traffic seen on the interface against the license. Due to VMWare's switch design you have to expose the device to all of the traffic to use those two features.


812493-2 : When engineID is reconfigured, snmp and alert daemons must be restarted

Component: TMOS

Symptoms:
The engineID, engineBoots, engineTime values in SNMPv3 traps are shared by both the SNMP and the Alert daemons and are included in traps raised by both daemons. When the engineID is reconfigured then both daemons must be restarted in order to resynchronize the new values.

Conditions:
Traps issued by the SNMP and Alert daemons may not have engine values that are in sync when the EngineID is first reconfigured. This can happen both with a configuration change and an upgrade.

Impact:
This may confuse the SNMP client receiving the trap.

Workaround:
Restart the snmp daemon and then the alert daemon when the engine ID is reconfigured for the first time and the first time after a software upgrade

tmsh restart sys service snmpd alertd


812481-2 : HSL logging may work unreliably for Management-IP firewall rules

Component: Advanced Firewall Manager

Symptoms:
HSL logging related to Management-IP firewall rules can periodically freeze and corresponding log messages can be lost.

Conditions:
No special conditions, this can happen intermittently on any setup.

Impact:
HSL log messages related to Management-IP firewall rules are missed.

Workaround:
None.


811701-1 : AWS instance using xnet driver not receiving packets on an interface.

Component: TMOS

Symptoms:
Packets are being sent to the AWS instance but no packets are seen on interface.

Conditions:
-- AWS instance using xnet driver.
-- Occurs when the instances are idle and then suddenly passes traffic again.
-- Other, more specific conditions are unknown at this time.

Impact:
Loss of packets in the interface, in turn, causing data loss.

Workaround:
A temporary way to avoid the problem is to configure BIG-IP Virtual Edition (VE) to use an alternative network driver in place of the default 'xnet' driver. In releases 14.1.0 and later, this would be the 'sock' driver; in releases 13.1.0 through 14.0.x, the 'unic' driver is the alternative.

Use one of the following command sequences from the BIG-IP instance's 'bash' prompt to configure the alternative driver. (Note the use of the 'greater-than' symbol.)

-- Commands for Releases 14.1.0 and later:

  # echo "device driver vendor_dev 1d0f:ec20 sock" > /config/tmm_init.tcl

[check that the file's contents are correct]

  # cat /config/tmm_init.tcl

[restart the BIG-IP's TMM processes]

  # bigstart restart tmm

[make certain that the 'driver_in_use' is 'sock']

  # tmctl -dblade -i tmm/device_probed


-- Commands for releases 13.1.0 through 14.0.0:

  # echo "device driver vendor_dev 1af4:1000 unic" > /config/tmm_init.tcl

[check that the file's contents are correct]

  # cat /config/tmm_init.tcl

[restart the BIG-IP's TMM processes]

  # bigstart restart tmm

[make certain that the 'driver_in_use' is 'unic']

  # tmctl -dblade -i tmm/device_probed


811161-1 : Tmm crash SIGSEGV - virtual_address_update() in ../mcp/db_vip.c:1992

Component: Local Traffic Manager

Symptoms:
TMM cores when creating a virtual server.

Conditions:
ISO build that includes the fix for ID 718790 or ID 783617.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


811157-2 : Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself

Component: Advanced Firewall Manager

Symptoms:
"Global Staged Default Action" message is logged into the firewall log for ICMP traffic targeted to Self-IP or Virtual Server destination address, even though this traffic can never be affected by Global Default Actions.

The "Global Staged Default Action" counter is also incremented.

Conditions:
Logging is enabled for Global Staged Default Action by setting the sys db tm.fw.stagedglobaldefaultrule.log to value "enabled" (this sys db has value "disabled" by default).

There are no special conditions for the "Global Staged Default Action" counter increment.

Impact:
Misleading messages are logged into the firewall log.
The "Global Staged Default Action" counter is incorrectly incremented.

The traffic itself is not affected and there are no other negative effects except the incorrect log message and counter update.

Workaround:
There is no workaround regarding the "Global Staged Default Action" counter increment.

For preventing the misleading log message disable logging of Global Staged Default Action by setting the sys db tm.fw.stagedglobaldefaultrule.log to value "disabled".


811149-1 : Remote users are unable to authenticate via serial console.

Component: TMOS

Symptoms:
Attempts to login to the serial console with remote user credentials (e.g., RADIUS, LDAP, TACACS remote auth) fail with one of the following error messages:

-- 'Cannot load user credentials for user' (v13.1.1.2)
-- 'Session setup problem, abort.' (v14.1.0.1)

Conditions:
Configure system for remote authentication and attempt authentication via serial console.

Impact:
Remote authentication users are unable to login via serial console.

Workaround:
There are two workarounds:
-- Remote authentication users can login using an SSH connection to the BIG-IP system's management IP address.

-- Use the credentials of a local user account to login to the serial console.


811105-1 : MRF SIP-ALG drops SIP 183 and 200 OK messages

Component: Service Provider

Symptoms:
SIP 183 and 200 OK messages are dropped after an INVITE in MRF SIP-ALG when media info is present in the Session Description Protocol.

Conditions:
- MRF SIP-ALG default configuration
- INVITE sent with media info in SDP
- Media info contains an rtcp without an IP address

Impact:
SIP calls are unable to establish media connections.

Workaround: